[Samba] Not using AD group when writing file
Carl Carpenter
ccarpenter at hillcountry.org
Tue Dec 16 15:58:34 MST 2014
On Tue, Dec 16, 2014 at 4:31 PM, Carl Carpenter <ccarpenter at hillcountry.org>
wrote:
>
>
>
> On Tue, Dec 16, 2014 at 3:18 PM, Carl Carpenter <
> ccarpenter at hillcountry.org> wrote:
>
>> On 16/12/14 20:47, Carl Carpenter wrote:
>>
>> On 16/12/14 17:35, Carl Carpenter wrote:
>>
>> Forgot to mention that the permissions are also incorrect. They are
>> supposed to be 775 but come out as 744.
>>
>> Carl Carpenter
>> Director, Information Services
>> Hill Country MHDD Centers
>> (830)258-5414 or ext. 2038
>>
>>
>> On 12/11/2014 4:13 PM, Carl Carpenter wrote:
>>
>> Per your request
>>
>> [global]
>> workgroup = HCCMHMRC
>> realm = HILLCOUNTRY.LOCAL
>> server string = Samba Server Version %v
>> security = ADS
>> log file = /var/log/samba/log.%m
>> max log size = 50
>> wins server = 192.168.0.7
>> default service = global
>> template homedir = /home/HCCMHMRC
>> template shell = /bin/bash
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> idmap config * : range = 16777216-33554431
>> idmap config * : backend = tdb
>> cups options = raw
>>
>> [Intranet]
>> path = /home/Intranet
>> valid users = @intranet
>> read only = No
>>
>> Not sure what you mean by ACL on the folder but here's this:
>>
>> drwxrwxr-x 6 apache intranet 4096 Dec 10 14:34 Intranet
>>
>> Carl Carpenter
>> Director, Information Services
>> Hill Country MHDD Centers
>> (830)258-5414 or ext. 2038
>>
>>
>> On 12/11/2014 3:50 PM, Marc Muehlfeld wrote:
>>
>> Hello Carl,
>>
>> On 11.12.2014 at 22:18, Carl Carpenter wrote:
>>
>> Trying to get Samba configured correctly. Am using Active Directory for
>> authentication and that seems to be working correctly. When creating a
>> Share, Security and Access Control list the AD users and groups. If I take
>> my name out of the AD group, can't access the share. Put my name in the
>> group and I can access it. However, when I write a file to the folder,
>> while it shows my username, it shows domain users as the group instead of
>> the group name. I had this working on Centos 6.6 and am using the same
>> instructions this time. I'm sure I'm missing a setting somewhere but don't
>> know what. Haven't been able to find anything on the web that addresses
>> it. Any assistance will be appreciated.
>>
>> Can you please show us your smb.conf [global] and the share config? And
>> also please the ACLs on this folder.
>>
>>
>> Regards,
>> Marc
>>
>>
>>
>> Hi, are you using sssd as well? Otherwise there doesn't seem to be
>> anything to get the user & group ID numbers.
>>
>> Also, to get the ACLs, run this command:
>>
>> getfacl /home/Intranet
>>
>> Rowland
>>
>> =================================================
>> No, I'm not using sssd. I used authconfig to set up the initial
>> authentication configuration. Followed exactly the same steps I used for
>> Centos 6/Samba 3.x and it worked perfectly.
>>
>> getfacl /home/Intranet
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/Intranet
>> # owner: apache
>> # group: intranet
>> user::rwx
>> group::rwx
>> other::r-x
>>
>>
>>
>> I think that you may be using sssd, but anyway, does 'getent <a domain
>> user>' show anything?
>>
>> Rowland
>>
>> =============================================
>> # getent apacheldap
>> Unknown database: apacheldap
>> Try `getent --help' or `getent --usage' for more information.
>>
>> oops
>>
>> 'getent passwd <a domain user>'
>>
>> Rowland
>>
>>
> getent passwd apacheldap
> apacheldap:*:16777671:16777216:Apacheldap:/home/HCCMHMRC:/bin/bash
> --
>
> OK, I am willing to bet, if you open /etc/nsswitch.conf in your
> favourite editor, you will find these two lines:
>
> passwd: files sss
> group: files sss
>
> I am also fairly sure that '16777216' is the ID number for 'Domain Users'
>
> To connect to the share, the user would have to be a member of the
> 'intranet' group, but once connected, anything that the user saves will
> be saved as <user>:<primarygroup>.
>
> I would suggest that you go and have a look here: https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>
> Use Windows permissions on the share instead of Linux ACLs.
>
> Rowland
>
You are partially correct. Actually, nsswitch has

passwd: files sss winbind
group: files sss winbind

I will check out the referenced article. Thanks.
--
Carl Carpenter
Director, Information Services
Hill Country MHDD Centers
(830)258-5414 or ext. 2038
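
Added example, not part of the original thread: a simplified Python model of the behaviour discussed above, showing why a file written through the [Intranet] share ends up as <user>:<primarygroup> with mode 744. It assumes the smb.conf defaults documented for `create mask` (0744), `force create mode` (0000) and `map archive` (yes), since the posted share sets none of them; the gid used for 'intranet' is a constructed placeholder.

```python
import stat
from typing import NamedTuple, Optional

class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int  # primary group ID

def parse_passwd(line: str) -> PasswdEntry:
    """Parse one `getent passwd` line (7 colon-separated fields)."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}")
    return PasswdEntry(fields[0], int(fields[2]), int(fields[3]))

def new_file_group(user: PasswdEntry, dir_mode: int, dir_gid: int,
                   force_gid: Optional[int] = None) -> int:
    """Group a new file receives when `user` creates it in the directory."""
    if dir_mode & stat.S_ISGID:
        return dir_gid      # setgid directory: kernel hands down its group
    if force_gid is not None:
        return force_gid    # smb.conf 'force group' replaces the primary group
    return user.gid         # otherwise the creator's primary group

def new_file_mode(create_mask: int = 0o744, force_create_mode: int = 0o000,
                  map_archive: bool = True) -> int:
    """Simplified model of the mode Samba gives a new regular file."""
    mode = 0o666                      # read/write for owner, group, other
    if map_archive:
        mode |= stat.S_IXUSR          # DOS archive bit maps to owner execute
    return (mode & create_mask) | force_create_mode

# Values taken from the thread's getent and ls output.
USER = parse_passwd(
    "apacheldap:*:16777671:16777216:Apacheldap:/home/HCCMHMRC:/bin/bash")
DIR_MODE = stat.S_IFDIR | 0o775       # drwxrwxr-x, no setgid bit
INTRANET_GID = 16777300               # constructed: real gid is not in the thread

def report() -> dict:
    """Predicted ownership and mode for the share as posted."""
    return {
        "owner_uid": USER.uid,
        "group_gid": new_file_group(USER, DIR_MODE, INTRANET_GID),
        "mode": oct(new_file_mode()),
    }

if __name__ == "__main__":
    print(report())
```
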