[Samba] Allow access to a share for only one machine account

steve steve at steve-ss.com
Mon Apr 21 05:02:54 MDT 2014


On Mon, 2014-04-21 at 10:04 +0100, Rowland Penny wrote:
> On 20/04/14 21:14, Danny Fedor wrote:
> > I have two domain controllers running ubuntu (12.04 and 13.10) both with
> > samba (4.1.6 and 4.1.7) installed and running (and with sssd on both
> > machines to retrieve uid/gid from AD). I wish to set a share on ubuntu2 in
> > the way so it could be accessible only from ubuntu1 (and by any user from
> > ubuntu1, for instance by local root).
> >
> > I have found this solution though I'm not sure it solves my issue:
> > http://community.centrify.com/t5/Centrify-enabled-Samba/How-to-allow-Windows-machine-accounts-to-connect-to-a-share-as/td-p/11834
> >
> > Anyway, it does not work -- klist doesn't return any ticket for the machine
> > account on either ubuntu1 or ubuntu2 (yet both machines are listed in AD in
> > the group "Domain Computers") if I'm logged as a local user (if I log in as
> > a domain user, then klist correctly shows a ticket for my user account, but
> > still none for the machine).
> >
> > Is there any other, better way to set this up?
> >
> I think that you are misunderstanding how Samba 4 in AD mode works: you 
> can have local users and you can have domain users, but the two cannot 
> meet ;-)
> 
> You can have a local user on ubuntu1 and a local user with the same name 
> on ubuntu2, but they would not be the same user! You might think they 
> are the same user, but as far as ubuntu1 & ubuntu2 are concerned, they 
> are different.
> 
> You need to forget local users, put everybody into AD, use rfc2307 
> attributes, create an AD group for the users that need to access the 
> share, then use setfacl to set up the access to the share.
> 
> Rowland

Hi
With sssd, the machine is the first to request a tgt which it then uses
for ldap/. Nonetheless, on domain user login it requests another for DNS/
and host/. In our case, the last use of the tgt is for cifs/.

Maybe the OP is not seeing the ticket requests because he has too low a
debug? d3 works well without too much verbosity.

HTH
Steve
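As an added example, not part of this thread or of Samba/sssd: a small POSIX shell helper that inspects a saved `klist` dump for the pattern Steve describes, i.e. whether the cache belongs to a machine account (principal ending in `$@REALM`) and whether it holds a `cifs/` service ticket for the file server. The klist output, realm and hostnames below are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `klist` output for a machine credential cache
# (assumed layout: "Ticket cache:", "Default principal:", then one ticket per line).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: UBUNTU1$@EXAMPLE.COM

Valid starting       Expires              Service principal
04/21/2014 09:00:00  04/21/2014 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
04/21/2014 09:00:01  04/21/2014 19:00:00  ldap/dc1.example.com@EXAMPLE.COM
04/21/2014 09:05:12  04/21/2014 19:00:00  host/ubuntu1.example.com@EXAMPLE.COM
04/21/2014 09:10:40  04/21/2014 19:00:00  cifs/ubuntu2.example.com@EXAMPLE.COM'

# klist_principal: print the "Default principal" from klist output read on stdin.
klist_principal() {
    awk -F': ' '/^Default principal:/ { print $2; exit }'
}

# is_machine_principal PRINCIPAL: succeed when the principal is a machine account,
# i.e. the account name ends in "$" (NAME$@REALM), as AD computer accounts do.
is_machine_principal() {
    case "$1" in
        *'$@'*) return 0 ;;
        *)      return 1 ;;
    esac
}

# has_service_ticket SERVICE: succeed when the klist output on stdin lists a
# ticket whose service principal starts with "SERVICE/" (e.g. cifs, ldap, host).
# Ticket lines have five whitespace-separated fields; the principal is the fifth.
has_service_ticket() {
    awk -v svc="$1" '
        NF >= 5 && index($5, svc "/") == 1 { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Demo on the constructed sample: a machine cache that already holds a cifs/ ticket.
principal=$(printf '%s\n' "$SAMPLE_KLIST" | klist_principal)
if is_machine_principal "$principal" \
   && printf '%s\n' "$SAMPLE_KLIST" | has_service_ticket cifs; then
    echo "machine account $principal holds a cifs/ service ticket"
fi
```

Run it against a real dump with `klist > dump.txt` and replace `SAMPLE_KLIST` with the file contents; a missing `cifs/` line with only `krbtgt/` and `ldap/` present matches the symptom the original poster reports.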