[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)
Thomas Burger
tburger at eritron.de
Tue Jan 13 02:02:42 MST 2015
Hello all,
after spending the last days fighting and researching I hope someone can
point me to a solution here.
Even though I have been using Debian / Ubuntu for years, I wouldn't consider
myself a Linux professional. I have some experience though.
What I try to accomplish:
- Centrally administered groups for file services. Right now it is only
one server but there will be more.
Setup:
- System 1: Ubuntu 14.04 LTS as Active Directory Controller with Samba
4.1 (Sernet package)
- System 2: Ubuntu 14.04 LTS as Member server.
What works:
- DNS & NTP
- Kerberos integration via Keytab file. SSSD 1.11.5 uses "id_provider =
ad" for this.
- getting AD members and groups via getent passwd and getent group
- Authentication with a domain user on "System 2" via SSH
- Authentication on Samba instance "Server 2" via AD-Users.
- getfacl / setfacl setting with domain object names.
My issue:
Authorization is not working. For example:
- Write list / read list / valid users options in smb.conf are not
honored. Either all users are able to access everything, or they
can log in to the server but accessing the share fails.
- Skipped the Samba authorization and moved this to the filesystem
level. Setting the ACL to the appropriate AD groups with the appropriate
level results in the same issue. I am also getting an "access denied" if I
try to access the folder from within the SSH session of an AD user. The
user is in the group though.
My guesses:
Option 1: Somehow groups populated through SSSD are not being used for
authorization, neither for the Samba share definition nor for the filesystem.
I recognized that the IDs of "objects" coming from the AD are very high, like:
User: guest:*:1994200501:1994200514:Guest:/:
Group: domain admins:*:1994200512:administrator
Option 2: In the Samba logs I can see that the user authenticates with a
"primary" group id, but I am missing the "other groups". Is that expected?
[2015/01/12 22:23:51.235050, 2]
../source3/smbd/service.c:848(make_connection_snum)
workstation (ipv4:x.y.z.y:63206) connect to service share1 initially
as user >myuser< (uid=1994201119, gid=1994200513) (pid 1790)
The ID reflects the domain users group: domain users:*:1994200513:
My Questions:
Why is it not working? Do I have a conceptual issue?
If it is related to the IDs, how can I "lower" them? ID mapping is
active already.
I also tried an installation with winbind but the situation stayed the
same. After that the system was reinstalled to ensure that everything
was cleaned up properly.
Any help is greatly appreciated!
Thomas
KRB5 conf:
>>
[libdefaults]
default_realm = MYDOMAIN.DE
dns_lookup_realm = false
dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
MYDOMAIN.DE = {
kdc = DC
admin_server = DC
}
[domain_realm]
.mydomain.de = MYDOMAIN.DE
[login]
krb4_convert = true
krb4_get_tickets = false
>>
sssd.conf
>>
[sssd]
services = nss, pam
config_file_version = 2
domains = mydomain.de
[nss]
[pam]
[domain/mydomain.de]
id_provider = ad
access_provider = ad
ad_hostname = dc.mydomain.de
ad_server = dc.mydomain.de
ad_domain = mydomain.de
enumerate = true
krb5_keytab=/etc/krb5.sssd.keytab
>>
smb.conf
>>
[global]
#### GLOBAL SETTINGS
netbios name = SERVER2
server string = SERVER2
workgroup = MYDOMAIN
realm = MYDOMAIN.DE
server role = MEMBER SERVER
#### SECURITY SETTINGS
security = ads
allow trusted domains = Yes
map untrusted to domain = Yes
encrypt passwords = yes
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
#### SERVER SETTINGS
dns proxy = yes
domain master = no
local master = no
preferred master = no
os level = 0
follow symlinks = yes
veto files = /.DS_Store/Thumbs.db/thumbs.db/
server min protocol = SMB2
server max protocol = SMB3
#### PRINTING
disable spoolss = yes
load printers = no
idmap_ldb:use rfc2307 = yes
#### LOGGING
log level = 2
username level = 3
log file = /var/log/samba/log.%m
max log size = 50
syslog only = no
syslog = 2
panic action = /usr/share/samba/panic-action %d
######## SHARES
[share1]
path = /share/share1
browsable = yes
read only = no
guest ok = no
# The access control is configured on the file system level.
>>
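The poster's second guess is that the process token only carries the primary group (gid=1994200513, "domain users") and not the user's other AD groups. The following script is an added example, not code from the post or from Samba or SSSD: it implements the POSIX ACL evaluation order (owner, named user, owning group and named groups under the mask, other) against a getfacl-style listing and evaluates the same ACL twice, once with the user's supplementary groups in the token and once with the primary group only. All names and IDs are constructed from the values in the post; the group "share1-writers" and the ACL on /share/share1 are hypothetical placeholders for whichever AD group is granted on the share.

```python
import re

# Constructed sample data modelled on the post (illustrative, not real directory output).
PASSWD = {  # name -> (uid, primary gid)
    "root": (0, 0),
    "myuser": (1994201119, 1994200513),
    "administrator": (1994200500, 1994200513),
}
GROUPS = {  # name -> (gid, members listed by getent group)
    "root": (0, []),
    "domain users": (1994200513, []),
    "domain admins": (1994200512, ["administrator"]),
    "share1-writers": (1994201201, ["myuser"]),  # hypothetical AD group used on the share
}
# Constructed getfacl-style listing for the share directory (hypothetical ACL).
GETFACL = """# file: /share/share1
# owner: root
# group: domain users
user::rwx
group::r-x
group:share1-writers:rwx
mask::rwx
other::---
"""


def parse_perms(s):
    """'r-x' -> {'r', 'x'}"""
    return {c for c in s if c in "rwx"}


def parse_getfacl(text):
    """Return (owner_uid, owning_gid, entries); entries are (tag, qualifier, qualifier_id, perms)."""
    owner = owning_gid = None
    entries = []
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = PASSWD[line.split(":", 1)[1].strip()][0]
        elif line.startswith("# group:"):
            owning_gid = GROUPS[line.split(":", 1)[1].strip()][0]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            tag, qual, perms = line.split(":")
            qid = PASSWD[qual][0] if tag == "user" and qual else GROUPS[qual][0] if tag == "group" and qual else None
            entries.append((tag, qual, qid, parse_perms(perms)))
    return owner, owning_gid, entries


def unix_token(user, include_supplementary=True):
    """Build (uid, gid, supplementary gids) the way a process token would look."""
    uid, gid = PASSWD[user]
    supp = set()
    if include_supplementary:
        supp = {g[0] for name, g in GROUPS.items() if user in g[1]}
    return uid, gid, supp


def acl_allows(acl_text, token, wanted):
    """POSIX ACL check: owner, then named user, then any matching group entry, then other."""
    owner, owning_gid, entries = parse_getfacl(acl_text)
    uid, gid, supp = token
    wanted = set(wanted)
    mask = next((p for t, _, _, p in entries if t == "mask"), None)

    def masked(perms):  # the mask caps named users, the owning group and named groups
        return perms & mask if mask is not None else perms

    if uid == owner:
        return wanted <= next(p for t, q, _, p in entries if t == "user" and not q)
    for t, q, qid, p in entries:
        if t == "user" and q and qid == uid:
            return wanted <= masked(p)
    my_gids = {gid} | supp
    matched = False
    for t, q, qid, p in entries:
        if t != "group":
            continue
        entry_gid = qid if q else owning_gid
        if entry_gid in my_gids:
            matched = True
            if wanted <= masked(p):  # any matching group entry that grants is enough
                return True
    if matched:
        return False  # matched a group entry but none granted the requested access
    return wanted <= next(p for t, q, _, p in entries if t == "other")


def diagnose(user, acl_text, wanted="rw"):
    """Compare the outcome with and without supplementary groups in the token."""
    return {
        "with_supplementary_groups": acl_allows(acl_text, unix_token(user, True), wanted),
        "primary_group_only": acl_allows(acl_text, unix_token(user, False), wanted),
    }


if __name__ == "__main__":
    print(diagnose("myuser", GETFACL))
```

If the second value is False while the first is True, the directory membership is correct and the ACL is correct; what is missing is the supplementary group in the token of the process doing the access check (smbd for the share, the login shell for the SSH test). Comparing `id <user>` inside the SSH session with the groups that `getent group` lists the user in is the quickest way to tell which side is wrong on a real system.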