[Samba] Not using AD group when writing file

Carl Carpenter ccarpenter at hillcountry.org
Tue Dec 16 15:58:34 MST 2014


On Tue, Dec 16, 2014 at 4:31 PM, Carl Carpenter <ccarpenter at hillcountry.org>
wrote:
>
>
>
> On Tue, Dec 16, 2014 at 3:18 PM, Carl Carpenter <
> ccarpenter at hillcountry.org> wrote:
>
>> On 16/12/14 20:47, Carl Carpenter wrote:
>>
>> On 16/12/14 17:35, Carl Carpenter wrote:
>>
>> Forgot to mention that the permissions are also incorrect.  They are
>> supposed to be 775 but come out as 744.
>>
>> Carl Carpenter
>> Director, Information Services
>> Hill Country MHDD Centers
>> (830)258-5414 or ext. 2038
>>
>>
>> On 12/11/2014 4:13 PM, Carl Carpenter wrote:
>>
>> Per your request
>>
>>     [global]
>>           workgroup = HCCMHMRC
>>           realm = HILLCOUNTRY.LOCAL
>>           server string = Samba Server Version %v
>>           security = ADS
>>           log file = /var/log/samba/log.%m
>>           max log size = 50
>>           wins server = 192.168.0.7
>>           default service = global
>>           template homedir = /home/HCCMHMRC
>>           template shell = /bin/bash
>>           winbind enum users = Yes
>>           winbind enum groups = Yes
>>           winbind use default domain = Yes
>>           idmap config * : range = 16777216-33554431
>>           idmap config * : backend = tdb
>>           cups options = raw
>>
>> [Intranet]
>>           path = /home/Intranet
>>           valid users = @intranet
>>           read only = No
>>
>> Not sure what you mean by ACL on the folder but here's this:
>>
>> drwxrwxr-x   6 apache intranet 4096 Dec 10 14:34 Intranet
>>
>> Carl Carpenter
>> Director, Information Services
>> Hill Country MHDD Centers
>> (830)258-5414 or ext. 2038
>>
>>
>> On 12/11/2014 3:50 PM, Marc Muehlfeld wrote:
>>
>> Hello Carl,
>>
>> Am 11.12.2014 um 22:18 schrieb Carl Carpenter:
>>
>> Trying to get Samba configured correctly.  Am using Active Directory for
>> authentication and that seems to be working correctly.  When creating a
>> Share, Security and Access Control list the AD users and groups.  If I take
>> my name out of the AD group, can't access the share.  Put my name in the
>> group and I can access it.  However, when I write a file to the folder,
>> while it shows my username, it shows domain users as the group instead of
>> the group name.  I had this working on CentOS 6.6 and am using the same
>> instructions this time.  I'm sure I'm missing a setting somewhere but don't
>> know what.  Haven't been able to find anything on the web that addresses
>> it.  Any assistance will be appreciated.
>>
>> Can you please show us your smb.conf [global] and the share config? And
>> also please the ACLs on this folder.
>>
>>
>> Regards,
>> Marc
>>
>>
>>
>> Hi, are you using sssd as well? Otherwise there doesn't seem to be
>> anything to get the user & group ID numbers.
>>
>> Also, to get the ACLs, run this command:
>>
>> getfacl /home/Intranet
>>
>> Rowland
>>
>> =================================================
>> No, I'm not using sssd.  I used authconfig to set up the initial
>> authentication configuration.  Followed exactly the same steps I used for
>> CentOS 6/Samba 3.x and it worked perfectly.
>>
>> getfacl /home/Intranet
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/Intranet
>> # owner: apache
>> # group: intranet
>> user::rwx
>> group::rwx
>> other::r-x
>>
>>
>>
>> I think that you may be using sssd, but anyway, does 'getent <a domain
>> user>' show anything?
>>
>> Rowland
>>
>> =============================================
>> # getent apacheldap
>> Unknown database: apacheldap
>> Try `getent --help' or `getent --usage' for more information.
>>
>> oops
>>
>> 'getent passwd <a domain user>'
>>
>> Rowland
>>
>>
> getent passwd apacheldap
> apacheldap:*:16777671:16777216:Apacheldap:/home/HCCMHMRC:/bin/bash
> --
>
> OK, I am willing to bet, if you open /etc/nsswitch.conf in your
> favourite editor, you will find these two lines:
>
> passwd:    files sss
> group:      files sss
>
> I am also fairly sure that '16777216' is the ID number for 'Domain Users'
>
> To connect to the share, the user would have to be a member of the
> 'intranet' group, but once connected, anything that the user saves will
> be saved as <user>:<primarygroup>.
>
> I would suggest that you go and have a look here: https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>
> Use Windows permissions on the share instead of Linux ACLs.
>
> Rowland
>
You are partially correct.  Actually, nsswitch has

passwd:  files sss winbind
group:     files sss winbind

I will check out the referenced article.  Thanks.
-- 

Carl Carpenter
Director, Information Services
Hill Country MHDD Centers
(830)258-5414 or ext. 2038
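
An added example, not part of the original thread: a small audit of the share definition, directory listing and getfacl output quoted above, listing why new files end up as <user>:<primarygroup> with mode 744. It assumes the real smb.conf parameters `force group`, `create mask` and `inherit permissions` (none of which appear in the thread) and Samba's documented default `create mask` of 0744; the function names and sample strings are constructed for illustration.

```python
import re

# Constructed input: trimmed copies of the config, ls line and ACL quoted in the thread.
SMB_CONF = """\
[global]
      workgroup = HCCMHMRC
      security = ADS
[Intranet]
      path = /home/Intranet
      valid users = @intranet
      read only = No
"""
LS_LINE = "drwxrwxr-x   6 apache intranet 4096 Dec 10 14:34 Intranet"
GETFACL = "user::rwx\ngroup::rwx\nother::r-x\n"

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lower-cased, inner spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # first '=' only: keys may contain ':'
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit_share(conf_text, share, ls_line, getfacl_text):
    """List why new files in `share` may not get the directory's group and mode."""
    conf = parse_smb_conf(conf_text)
    params = {**conf.get("global", {}), **conf.get(share.lower(), {})}  # [global] sets defaults
    setgid = ls_line.split()[0][6] in "sS"  # group-execute slot of the ls mode string
    findings = []
    if "force group" not in params and not setgid:
        findings.append("group: no 'force group' and no setgid bit; new files get the writer's primary group")
    inherit = params.get("inherit permissions", "no").lower() in ("yes", "true", "1")
    if "create mask" not in params and not inherit:
        findings.append("mode: 'create mask' unset (Samba default 0744) and 'inherit permissions' off")
    if not any(l.startswith("default:") for l in getfacl_text.splitlines()):
        findings.append("acl: no default: entries; nothing is inherited from the directory ACL")
    return findings

if __name__ == "__main__":
    for finding in audit_share(SMB_CONF, "Intranet", LS_LINE, GETFACL):
        print(finding)
```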

