[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)

Thomas Burger tburger at eritron.de
Tue Jan 13 02:02:42 MST 2015

Hello all,

after spending the last days fighting and researching I hope someone can 
point me to a solution here.

Even though I have been using Debian / Ubuntu for years, I wouldn't consider 
myself a Linux professional. I have some experience though.

What I try to accomplish:
- Centrally administered groups for file services. Right now it is only 
one server but there will be more.

- System 1: Ubuntu 14.04 LTS as Active Directory Controller with Samba 
4.1 (Sernet package)
- System 2: Ubuntu 14.04 LTS as Member server.

What works:
- Kerberos integration via Keytab file. SSSD 1.11.5 uses "id_provider = 
ad" for this.
- getting AD members and groups via getent passwd and getent group
- Authentication with a domain user on "System 2" via SSH
- Authentication on Samba instance "Server 2" via AD-Users.
- getfacl / setfacl setting with domain object names.

My issue:
Authorization is not working. For example:
- Write list / read list / valid users options in smb.conf are not 
honored. Either all users are able to access everything, or they can log 
in to the server but accessing the share fails.
- Skipped the Samba authorization and moved this to the file-system 
level. Setting the ACL to the appropriate AD groups with the appropriate 
level results in the same issue. I am also getting an "access denied" if I 
try to access the folder from within the SSH session of an AD user. The 
user is in the group though.

My guesses:
Option 1: Somehow groups populated through SSSD are not being used for 
authorization, neither for the Samba share definition nor for the filesystem.
I recognized that the IDs of "objects" coming from the AD are very high, like:
User:  guest:*:1994200501:1994200514:Guest:/:
Group: domain admins:*:1994200512:administrator

Option 2: In the Samba logs I can see that the user authenticates with a 
"primary" group ID but I am missing the "other groups". Is that expected?
[2015/01/12 22:23:51.235050,  2]
  workstation (ipv4:x.y.z.y:63206) connect to service share1 initially as user >myuser< (uid=1994201119, gid=1994200513) (pid 1790)
The ID reflects the domain users group: domain users:*:1994200513:

My Questions:
Why is it not working? Do I have a conceptual issue?
If it is related to the IDs, how can I "lower" them? ID mapping is 
active already.

I also tried an installation with winbind but the situation remained the 
same. After that, the system was reinstalled to ensure that everything 
is cleaned up properly.

Any help is greatly appreciated!


KRB5 conf (section headers and closing braces were lost in the archive 
rendering; restored from the standard Debian layout):
[libdefaults]
         default_realm = MYDOMAIN.DE
         dns_lookup_realm = false
         dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.
         krb4_config = /etc/krb.conf
         krb4_realms = /etc/krb.realms
         kdc_timesync = 1
         ccache_type = 4
         forwardable = true
         proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
         v4_instance_resolve = false
         v4_name_convert = {
                 host = {
                         rcmd = host
                         ftp = ftp
                 }
                 plain = {
                         something = something-else
                 }
         }
         fcc-mit-ticketflags = true

[realms]
         MYDOMAIN.DE = {
                 kdc = DC
                 admin_server = DC
         }

[domain_realm]
         .mydomain.de = MYDOMAIN.DE

[login]
         krb4_convert = true
         krb4_get_tickets = false

SSSD conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = mydomain.de

[domain/mydomain.de]
id_provider = ad
access_provider = ad
ad_hostname = dc.mydomain.de
ad_server = dc.mydomain.de
ad_domain = mydomain.de
enumerate = true


smb.conf:
[global]
     netbios name = SERVER2
     server string = SERVER2
     workgroup = MYDOMAIN
     realm = MYDOMAIN.DE
     server role = MEMBER SERVER

     security = ads
     allow trusted domains = Yes
     map untrusted to domain = Yes
     encrypt passwords = yes
     client use spnego = yes
     client ntlmv2 auth = yes
     restrict anonymous = 2

     dns proxy = yes
     domain master = no
     local master = no
     preferred master = no
     os level = 0
     follow symlinks = yes
     veto files = /.DS_Store/Thumbs.db/thumbs.db/
     server min protocol = SMB2
     server max protocol = SMB3

     #### PRINTING
     disable spoolss = yes
     load printers = no
     idmap_ldb:use rfc2307 = yes

     #### LOGGING
     log level = 2
     username level = 3
     log file = /var/log/samba/log.%m
     max log size = 50
     syslog only = no
     syslog = 2
     panic action = /usr/share/samba/panic-action %d

######## SHARES
[share1]
     path = /share/share1
     browsable = yes
     read only = no
     guest ok = no
     # The access control is configured on the file system level.


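The post shows two views of the same user: the NSS view (the `getent`-style passwd and group lines) and the Samba view (the level-2 smbd connect line, which reports only uid and primary gid). A practical first check on a member server is to confirm that both views agree on the IDs and that the user is actually listed in the AD group the file-system ACL was granted to; if the two ID sources disagree, POSIX ACLs written with NSS names cannot match the connecting token. The script below is an added example, not code from the post or from the Samba or SSSD projects; the passwd, group and log samples are constructed inline in the same formats as the ones quoted above, and the group name `share1-rw` and user `otheruser` are assumptions.

```python
"""
Added example (not from the original post): cross-check the uid/gid that a
Samba connect log line reports against the NSS view of the same user, and
list the user's supplementary groups so that an ACL granted to an AD group
can be verified against what the server actually resolves.
"""
import re

# Constructed sample data in getent(1) output format. The numeric ranges
# mirror the post; 'share1-rw' and 'otheruser' are made-up names.
PASSWD_LINES = """\
myuser:*:1994201119:1994200513:My User:/home/MYDOMAIN/myuser:/bin/bash
guest:*:1994200501:1994200514:Guest:/:
"""

GROUP_LINES = """\
domain users:*:1994200513:
domain admins:*:1994200512:administrator
share1-rw:*:1994201200:myuser,otheruser
"""

# Constructed smbd log line with the same shape as the one quoted in the post.
SAMBA_LOG = (
    "[2015/01/12 22:23:51.235050,  2] "
    "workstation (ipv4:x.y.z.y:63206) connect to service share1 initially "
    "as user >myuser< (uid=1994201119, gid=1994200513) (pid 1790)"
)

CONNECT_RE = re.compile(
    r"connect to service (?P<share>\S+) initially as user "
    r">(?P<user>[^<]+)< \(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\)"
)


def parse_connect_line(line):
    """Return (share, user, uid, gid) from a level-2 smbd connect line, or None."""
    m = CONNECT_RE.search(line)
    if not m:
        return None
    return m["share"], m["user"], int(m["uid"]), int(m["gid"])


def parse_passwd(text):
    """Map user name -> (uid, primary gid) from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, gid, *_rest = line.split(":")
            users[name] = (int(uid), int(gid))
    return users


def parse_group(text):
    """Map group name -> (gid, set of explicit member names) from group-format lines."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def supplementary_groups(user, groups):
    """Names of groups that list `user` explicitly as a member."""
    return sorted(g for g, (_gid, members) in groups.items() if user in members)


def check_connection(log_line, passwd_text, group_text, acl_group):
    """Compare the Samba token with the NSS view; acl_group is the AD group the ACL names."""
    parsed = parse_connect_line(log_line)
    if parsed is None:
        return {"error": "no connect line found"}
    share, user, samba_uid, samba_gid = parsed
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = {"share": share, "user": user, "problems": []}

    if user not in users:
        findings["problems"].append(f"NSS does not know user {user!r}")
        return findings
    nss_uid, nss_gid = users[user]
    if (nss_uid, nss_gid) != (samba_uid, samba_gid):
        # Two ID-mapping sources (e.g. SSSD and winbind idmap) disagree; ACLs set
        # with NSS names will then never match the IDs in the Samba token.
        findings["problems"].append(
            f"uid/gid mismatch: samba={samba_uid}/{samba_gid} nss={nss_uid}/{nss_gid}"
        )
    supp = supplementary_groups(user, groups)
    findings["supplementary_groups"] = supp
    if acl_group not in groups:
        findings["problems"].append(f"ACL group {acl_group!r} unknown to NSS")
    elif acl_group not in supp and groups[acl_group][0] != nss_gid:
        findings["problems"].append(
            f"user {user!r} is not a member of ACL group {acl_group!r} in NSS"
        )
    return findings


if __name__ == "__main__":
    for g in ("share1-rw", "domain admins"):
        print(check_connection(SAMBA_LOG, PASSWD_LINES, GROUP_LINES, g))
```

On a real member server the passwd and group text would come from `getent passwd "$user"` and `getent group`, and the log line from the share's `log.%m` file; the uid/gid comparison is the part that distinguishes "the group is not populated" from "the IDs in the token are not the IDs NSS returns".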