[Samba] Grant only one AD group to samba share ?
dale at BriannasSaladDressing.com
Tue May 22 14:53:08 MDT 2012
On 05/22/2012 3:17 PM, Newman, John W wrote:
>> Which version of Samba are you using?
> Samba version 3.5.11
>> What does the idmap backend configuration for winbind look like?
> Well.. I'm not really sure what that is (I inherited this project). In smb.conf all he has here is: idmap uid = 10000-20000 idmap gid=10000-20000 .... I don't see idmap backend = set at all in here. That is probably a big part of the problem isn't it?
It would be using the default tdb backend. You could do a testparm -sv
and grep for idmap and winbind to see all the parameters that are
available. Better still, if you have SWAT and samba-doc installed, you
can easily see the options available for each parameter.
>> Does testparm yield any errors?
> ERROR: the 'winbind separator' parameter must be a single character. Hmm.. I just changed that to a single \ , and our existing authentication service still works fine, but the share behaves no differently. The extra \ was probably in error from this file being edited with sed.
>> Do getent group and wbinfo -g return the expected results?
> getent group shows all of the local linux groups on this machine - no AD groups. Is that expected?
If you have winbind enum groups = Yes, then they should show, otherwise
not. Domains with large numbers of users usually leave this as No (also
winbind enum users).
> wbinfo -g shows the windows groups fine, the only thing that's odd is all of the groups on this domain show in lower case.
That's normal for winbind.
> They may or may not be that way in their AD, I can't see for sure. (We are forcing a linux machine into someone's windows network.... )
>> Are nsswitch.conf and PAM configured for authentication?
> For what kind of authentication? /etc/nsswitch and /etc/pam/* are untouched from the defaults.
In nsswitch.conf, you will need to add winbind to the passwd and group
entries. The article I previously linked (below) has an example PAM
config (/etc/pam.d/login) for winbind.
For completeness, you might also want to look at this:
> All that has really been setup so far is an apache service that uses mod_auth_ntlm_winbind to authenticate users of a webpage to their DC. We are now trying to expand that samba/winbind stack over into sharing a folder. So, we probably do need to look at modifying those files, and id mapping, to have a samba share authenticate against the DC. Right? For some reason I figured this part would just work since the join already happened.
A domain can be joined without winbind, but there are steps to take to
actually use it.
> Thanks again!
> -----Original Message-----
> From: Dale Schroeder [mailto:dale at BriannasSaladDressing.com]
> Sent: Tuesday, May 22, 2012 14:51
> To: Newman, John W
> Cc: samba at lists.samba.org
> Subject: Re:[Samba] Grant only one AD group to samba share ?
> A few questions that might narrow things -
> Which version of Samba are you using?
> What does the idmap backend configuration for winbind look like?
> Does testparm yield any errors?
> Do getent group and wbinfo -g return the expected results?
> Are nsswitch.conf and PAM configured for authentication?
> On 05/22/2012 1:01 PM, Newman, John W wrote:
>> Unfortunately neither suggestion worked
>> chgrp still just says "invalid group"
>> valid users = @"DOMAIN\\My Group" behaves the same as I described in the OP. Valid credentials = access denied ; invalid credentials = invalid name or bad password. I already tried all sorts of things in valid users, but nothing is the magic string I need.
>> Any other ideas?
>> Thanks for the help so far, much appreciated!!
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
>> Sent: Tuesday, May 22, 2012 04:59
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Grant only one AD group to samba share ?
>> On 21/05/12 23:36, Dale Schroeder wrote:
>>> On 05/21/2012 3:42 PM, Newman, John W wrote:
>>>> Thanks for the suggestion, but .. that doesn't work ...
>>>> chgrp My\ Group /media/share
>>>> chgrp: invalid group: `My Group'
>>>> "My Group" is a windows AD group, not a local linux group. The
>>>> machine is "joined" to the windows domain through "net ads join",
>>>> but I don't think the security is that tightly integrated. I don't
>>>> have windows groups mapped to linux groups I've created or anything like that.
>>>> chgrp is expecting a linux group. Right?
>>>> Probably I am missing something, or you guys need more information.
>>>> Any thoughts?
>> Sorry. I forgot about winbind (we use nss-pam-ldapd). With winbind running that should read:
>> chgrp MYDOMAIN\\My\ Group /media/share
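The thread above turns on three configuration checks: testparm's rule that winbind separator must be a single character, an idmap backend that falls back to tdb when unset, and winbind missing from the passwd and group lines of nsswitch.conf. The script below is an added example, not code from the thread or from the Samba project; it parses constructed smb.conf and nsswitch.conf fragments offline (no Samba or domain needed) so the same checks can be run against a copied config before touching the live one. The default of tdb for an absent idmap backend is taken from Dale's reply; the sample configs, function names and the "My Group"/MYDOMAIN values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the smb.conf and
# nsswitch.conf problems discussed above. Sample configs are constructed to
# mirror the symptoms John described (two-character separator, no backend,
# stock nsswitch.conf).

# Constructed smb.conf [global] fragment with the problems as described.
BROKEN_SMB_CONF='[global]
   workgroup = MYDOMAIN
   security = ads
   winbind separator = \\
   idmap uid = 10000-20000
   idmap gid = 10000-20000
'

# The same fragment after the fixes suggested in the thread.
FIXED_SMB_CONF='[global]
   workgroup = MYDOMAIN
   security = ads
   winbind separator = \
   idmap backend = tdb
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum groups = Yes
'

# Constructed nsswitch.conf: stock (no winbind) and corrected.
BROKEN_NSSWITCH='passwd:     files
group:      files
shadow:     files
'
FIXED_NSSWITCH='passwd:     files winbind
group:      files winbind
shadow:     files
'

# Print the value of one smb.conf parameter. Like testparm, the name match
# ignores whitespace and case. Prints nothing when the parameter is absent.
#   $1 = config text, $2 = parameter name
smb_param() {
    printf '%s\n' "$1" | awk -F= -v want="$2" '
        BEGIN { gsub(/[[:space:]]/, "", want); want = tolower(want) }
        /^[[:space:]]*[#;]/ { next }          # skip comment lines
        NF >= 2 {
            name = $1; gsub(/[[:space:]]/, "", name)
            if (tolower(name) == want) {
                sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
                print; exit
            }
        }'
}

# Exit 0 when the separator is exactly one character (testparm's rule).
# An absent parameter means the default single backslash.
#   $1 = config text
check_winbind_separator() {
    sep=$(smb_param "$1" "winbind separator")
    [ -z "$sep" ] && sep='\'
    [ "${#sep}" -eq 1 ]
}

# Print the idmap backend in effect: the configured value, or tdb when the
# parameter is absent (the default Dale's reply refers to).
#   $1 = config text
idmap_backend_effective() {
    b=$(smb_param "$1" "idmap backend")
    if [ -n "$b" ]; then printf '%s\n' "$b"; else printf 'tdb\n'; fi
}

# Exit 0 when the given nsswitch.conf database (passwd or group) lists winbind.
#   $1 = nsswitch.conf text, $2 = database name
nsswitch_has_winbind() {
    printf '%s\n' "$1" | awk -v db="$2" '
        BEGIN { key = db ":" }
        $1 == key { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Run every check over one smb.conf and one nsswitch.conf, print a report,
# and return the number of problems found (0 means clean).
#   $1 = smb.conf text, $2 = nsswitch.conf text
audit_winbind_config() {
    findings=0
    if check_winbind_separator "$1"; then
        echo "ok      winbind separator is a single character"
    else
        echo "PROBLEM winbind separator must be a single character"
        findings=$((findings + 1))
    fi
    echo "info    effective idmap backend: $(idmap_backend_effective "$1")"
    for db in passwd group; do
        if nsswitch_has_winbind "$2" "$db"; then
            echo "ok      nsswitch.conf $db includes winbind"
        else
            echo "PROBLEM nsswitch.conf $db does not include winbind"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Stand-alone run: the broken pair reports three problems, the fixed pair none.
audit_winbind_config "$BROKEN_SMB_CONF" "$BROKEN_NSSWITCH" || echo "findings: $?"
audit_winbind_config "$FIXED_SMB_CONF" "$FIXED_NSSWITCH" && echo "findings: 0"
```

To use it on a real host, replace the constructed strings with `$(testparm -s 2>/dev/null)` and `$(cat /etc/nsswitch.conf)`; testparm -s already normalises the config, so smb_param then sees the same values winbind will.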