[Samba] Not using AD group when writing file

Rowland Penny rowlandpenny at googlemail.com
Tue Dec 16 15:50:25 MST 2014


On 16/12/14 22:31, Carl Carpenter wrote:
> On Tue, Dec 16, 2014 at 3:18 PM, Carl Carpenter <ccarpenter at hillcountry.org>
> wrote:
>> On 16/12/14 20:47, Carl Carpenter wrote:
>>
>> On 16/12/14 17:35, Carl Carpenter wrote:
>>
>> Forgot to mention that the permissions are also incorrect.  They are
>> supposed to be 775 but come out as 744.
>>
>> Carl Carpenter
>> Director, Information Services
>> Hill Country MHDD Centers
>> (830)258-5414 or ext. 2038
>>
>>
>> On 12/11/2014 4:13 PM, Carl Carpenter wrote:
>>
>> Per your request
>>
>>      [global]
>>            workgroup = HCCMHMRC
>>            realm = HILLCOUNTRY.LOCAL
>>            server string = Samba Server Version %v
>>            security = ADS
>>            log file = /var/log/samba/log.%m
>>            max log size = 50
>>            wins server = 192.168.0.7
>>            default service = global
>>            template homedir = /home/HCCMHMRC
>>            template shell = /bin/bash
>>            winbind enum users = Yes
>>            winbind enum groups = Yes
>>            winbind use default domain = Yes
>>            idmap config * : range = 16777216-33554431
>>            idmap config * : backend = tdb
>>            cups options = raw
>>
>> [Intranet]
>>            path = /home/Intranet
>>            valid users = @intranet
>>            read only = No
>>
>> Not sure what you mean by ACL on the folder but here's this:
>>
>> drwxrwxr-x   6 apache intranet 4096 Dec 10 14:34 Intranet
>>
>> Carl Carpenter
>> Director, Information Services
>> Hill Country MHDD Centers
>> (830)258-5414 or ext. 2038
>>
>>
>> On 12/11/2014 3:50 PM, Marc Muehlfeld wrote:
>>
>> Hello Carl,
>>
>> Am 11.12.2014 um 22:18 schrieb Carl Carpenter:
>>
>> Trying to get Samba configured correctly.  Am using Active Directory for
>> authentication and that seems to be working correctly.  When creating a
>> Share, Security and Access Control list the AD users and groups.  If I
>> take
>> my name out of the AD group, can't access the share.  Put my name in the
>> group and I can access it.  However, when I write a file to the folder,
>> while it shows my username, it shows domain users as the group instead of
>> the group name.  I had this working on Centos 6.6 and am using the same
>> instructions this time.  I'm sure I'm missing a setting somewhere but
>> don't
>> know what.  Haven't been able to find anything on the web that addresses
>> it.  Any assistance will be appreciated.
>>
>> Can you please show us your smb.conf [global] and the share config? And
>> also please the ACLs on this folder.
>>
>>
>> Regards,
>> Marc
>>
>>
>>
>> Hi, are you using sssd as well? Otherwise there doesn't seem to be
>> anything to get the user & group ID numbers.
>>
>> Also, to get the ACL's run this command:
>>
>> getfacl /home/Intranet
>>
>> Rowland
>>
>> =================================================
>> No, I'm not using sssd.  I used authconfig to set up the initial
>> authentication configuration.  Followed exactly the same steps I used for
>> Centos 6/Samba 3.x and it worked perfectly.
>>
>> getfacl /home/Intranet
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/Intranet
>> # owner: apache
>> # group: intranet
>> user::rwx
>> group::rwx
>> other::r-x
>>
>>
>>
>> I think that you may be using sssd, but anyway, does 'getent <a domain
>> user>' show anything.
>>
>> Rowland
>>
>> =============================================
>> # getent apacheldap
>> Unknown database: apacheldap
>> Try `getent --help' or `getent --usage' for more information.
>>
>> oops
>>
>> 'getent passwd <a domain user>'
>>
>> Rowland
>>
>>
> getent passwd apacheldap
> apacheldap:*:16777671:16777216:Apacheldap:/home/HCCMHMRC:/bin/bash

OK, I am willing to bet, if you open /etc/nsswitch.conf in your 
favourite editor, you will find these two lines:

passwd:    files sss
group:      files sss

I am also fairly sure that '16777216' is the ID number for 'Domain Users'

To connect to the share, the user would have to be a member of the 
'intranet' group, but once connected, anything that the user saves will 
be saved as <user>:<primarygroup>.

I would suggest that you go and have a look here: 
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

Use Windows permissions on the share instead of Linux ACLs.

Rowland
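The reasoning in Rowland's reply, worked through as an added example (this is not code from the thread or from the Samba project): the group a newly written file gets is the primary GID from the user's passwd entry, not the group that granted access to the share. The script parses the `getent passwd apacheldap` line quoted above and a constructed `getent group` listing; the group entries, the `intranet` GID, and the `nsswitch.conf` fragment are assumptions, and GID 16777216 being 'Domain Users' is Rowland's guess, not a confirmed fact.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Shows why a file saved through the [Intranet] share is group-owned by
# the user's primary group ("domain users") rather than "intranet".

# Constructed input: the getent line from the thread, plus an assumed
# 'getent group' listing (GIDs other than 16777216 are made up).
PASSWD_LINE='apacheldap:*:16777671:16777216:Apacheldap:/home/HCCMHMRC:/bin/bash'
GROUP_DB='domain users:x:16777216:
intranet:x:16777300:apacheldap'

# Constructed /etc/nsswitch.conf fragment as Rowland expects to find it.
NSSWITCH='passwd:    files sss
group:      files sss'

# user_name <passwd line> -> prints the login name (field 1)
user_name() {
    printf '%s\n' "$1" | cut -d: -f1
}

# primary_gid <passwd line> -> prints the primary GID (field 4)
primary_gid() {
    printf '%s\n' "$1" | cut -d: -f4
}

# group_name <gid> <group db text> -> prints the group that owns that GID
group_name() {
    printf '%s\n' "$2" | awk -F: -v gid="$1" '$3 == gid { print $1 }'
}

# in_group <user> <group> <group db text> -> exit 0 if user is a member
in_group() {
    printf '%s\n' "$3" | awk -F: -v g="$2" -v u="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# predicted_owner <passwd line> <group db text> -> "<user>:<primarygroup>",
# i.e. the ownership a new file gets, as Rowland describes.
predicted_owner() {
    gid=$(primary_gid "$1")
    printf '%s:%s\n' "$(user_name "$1")" "$(group_name "$gid" "$2")"
}

# nss_source <db> <nsswitch text> -> prints the lookup sources for that db
nss_source() {
    printf '%s\n' "$2" | awk -v db="$1:" '$1 == db { $1 = ""; sub(/^ +/, ""); print }'
}

# Demo run
u=$(user_name "$PASSWD_LINE")
if in_group "$u" intranet "$GROUP_DB"; then
    echo "$u may connect: member of intranet (valid users = @intranet)"
fi
echo "new files are saved as: $(predicted_owner "$PASSWD_LINE" "$GROUP_DB")"
echo "group lookups come from: $(nss_source group "$NSSWITCH")"
```

The point the script makes visible: being in `intranet` satisfies `valid users = @intranet`, yet the ownership written to disk is taken from the passwd entry's fourth field, so the share's access control and the on-disk group ownership are decided by two different things.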
