[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)

Wed Jan 14 21:58:17 MST 2015

Hi,

On Tue, Jan 13, 2015 at 2:32 PM, Thomas Burger <tburger at eritron.de> wrote:

> Hello all,
>
> after spending the last days fighting and researching I hope someone can
> point me to an solution here.
>
> Even if I am using Debian / Ubuntu since years I wouldn´t consider myself
> as a Linux professional. I have some experience though.
>
> What I try to accomplish:
> - Centrally administrated groups for file services. Right now it is only
> one server but there will be more.
>
> Setup:
> - System 1: Ubuntu 14.04 LTS as Active Directory Controller with Samba 4.1
> (Sernet package)
> - System 2: Ubuntu 14.04 LTS as Member server.
>
> What works:
> - DNS & NTP
> - Kerberos integration via Keytab file. SSSD 1.11.5 uses "id_provider =
> ad" for this.
> - getting AD members and groups via getent passwd and getent group
> - Authentication with a domain user on "System 2" via SSH
> - Authentication on Samba instance "Server 2" via AD-Users.
> - getfacl / setfacl setting with domain object names.
>
> My issue:
> Authorization is not working. For example:
> - Write list / read list / valid users options in smb.conf are not
> honored. Either I have all users being able to access everything or they
> can login to the server but if accessing the share this will fail.
> - Skipped the samba authorization and moved this to the filesystem level.
> Set the acl to the appropriate AD groups with the appropriate level results
> in the same issue. I also getting an "access denied" if I try to access the
> folder from within the SSH-session of an AD user. The user is in the group
> though.
>
> My guesses:
> Option 1: Somehow groups populated through SSSD are not being used for
> authorization. Neither for Samba share definition nor for the filesystem.
> I recognized that the IDs of "objects" coming from the AD are very high
> like
> User:  guest:*:1994200501:1994200514:Guest:/:
> Group: domain admins:*:1994200512:administrator
>
> Option 2: in samba logs I can see, that the user authenticates with a
> "primary" group id but I am missing the "other groups". Is that expected?
> [2015/01/12 22:23:51.235050,  2] ../source3/smbd/service.c:848(
> make_connection_snum)
>   workstation (ipv4:x.y.z.y:63206) connect to service share1 initially as
> user >myuser< (uid=1994201119, gid=1994200513) (pid 1790)
> ID reflects the domain users: domain users:*:1994200513:
>
>
> My Questions:
> Why is it not working? Do I have a conceptual issue?
> If it is related to the IDs, how can I "lower" them. ID-Mapping is active
> already.
>
> I also tried an installation with winbind but the situation kept the same.
> After that system has been reinstalled to ensure that everything is cleaned
> up properly.

I have done the setting up the Ubuntu 12.04.5 client using Winbind and
lowering the uid and gid mapping so that it is easy to handle,

My smb.conf is like this,

   workgroup = INTRA
   security = ADS
   realm = INTRA.EXAMPLE.COM
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   server string = Samba 4 Client %h
   template homedir = /home/%U
   template shell = /bin/bash
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   winbind expand groups = 4
   winbind nss info = rfc2307
   winbind refresh tickets = Yes
   winbind normalize names = Yes
   idmap config * : backend = rid
   idmap uid = 5000-4000000000
   idmap gid = 5000-4000000000

After that join the Domain using "net ads join -U <Domain Admin>".

Then restart "Samaba and winbind services".

After that make changes into nsswitch.conf so that it should look like,

passwd:         compat winbind
group:          compat winbind

After that "id <Domain User>" should work and uid/gid should be showing
lower number.

--Regards
Ashishkumar S. Yadav