[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)

Peter Serbe peter at serbe.ch
Thu Jan 15 01:52:03 MST 2015

 On Tue, Jan 13, 2015 at 2:32 PM, Thomas Burger <tburger at eritron.de> wrote:
> What works:
> - getfacl / setfacl setting with domain object names.
> My issue:
> Authorization is not working. For example:
> - Write list / read list / valid users options in smb.conf are not
> honored. 
> - Skipped the samba authorization and moved this to the filesystem level.
> Set the acl to the appropriate AD groups with the appropriate level results
> in the same issue. 

This is not normal. Have You declared the RFC2307 unix attributes? 
I do this (on my home network, but anyway, I have different users 
with different privileges) and it works great. 

If You absolutely don't want to use RFC2307, then You have to check, 
that all the users and groups got the same IDs on all Your servers 
(even though there are only two at the moment). This might work with 
Winbind, too, but You have to do some configuration, too (too complicated 
for me, I am also not an expert). 

If You start using RFC2307*) you should add the Unix ID during the 
creation of the user when You use samba-tool. You could also add 
the Unix ID from windows, but then You have to do it for every single 
user by hand. I guess doing it by hand for the groups would be OK, 
but not for the users - at least if You got hundreds of them. ;-) 

Best regards

*) do a new provisioning if possible, You can also fiddle the attributes 
into an existing domain, but You have to manipulate the LDB database, 
and this is not exactly fun 
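The point about every server having to resolve each user and group to the same numeric ID is easy to verify mechanically. The script below is an added example, not part of the original thread or of Samba: it compares `getent passwd`/`getent group` output captured on two hosts and reports names whose uid, primary gid or presence differs. The domain name EXAMPLE, the account names and the ID numbers are constructed sample data; the second host's 2000xxx values stand in for the kind of locally allocated IDs you get when a server does not read the RFC2307 attributes.

```shell
#!/bin/sh
# compare_ids.sh (added example, not from the mailing-list post)
# Usage: compare_ids FILE_A FILE_B
# Each file holds "getent passwd" or "getent group" output captured on one
# server (name:x:id[:gid]:...). Prints one line per name whose numeric id
# (or, for passwd entries, primary gid) differs between the two files, then
# one line per name present on only one side. Exit status 1 if any differ.
compare_ids() {
  awk -F: '
    # first file: remember id (and gid when field 4 is numeric, i.e. passwd)
    NR == FNR { id_a[$1] = $3; if ($4 ~ /^[0-9]+$/) gid_a[$1] = $4; next }
    # second file: compare against what the first server reported
    {
      seen_b[$1] = 1
      if (!($1 in id_a)) { print "only-on-B", $1; bad = 1; next }
      if (id_a[$1] != $3) { print "id-mismatch", $1, id_a[$1], $3; bad = 1 }
      if (($1 in gid_a) && gid_a[$1] != $4) {
        print "gid-mismatch", $1, gid_a[$1], $4; bad = 1
      }
    }
    END {
      for (n in id_a) if (!(n in seen_b)) { print "only-on-A", n; bad = 1 }
      exit (bad ? 1 : 0)
    }
  ' "$1" "$2"
}

# Constructed sample data: what "getent passwd" might show on two members of
# the hypothetical EXAMPLE domain. Server A reads RFC2307 uidNumber/gidNumber;
# server B allocates IDs locally, so bob differs and carol/dave are not
# visible on both hosts.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_A="$SAMPLE_DIR/server_a.passwd"
SAMPLE_B="$SAMPLE_DIR/server_b.passwd"
cat > "$SAMPLE_A" <<'EOF'
EXAMPLE\alice:*:10001:10000:Alice:/home/EXAMPLE/alice:/bin/bash
EXAMPLE\bob:*:10002:10000:Bob:/home/EXAMPLE/bob:/bin/bash
EXAMPLE\carol:*:10003:10000:Carol:/home/EXAMPLE/carol:/bin/bash
EOF
cat > "$SAMPLE_B" <<'EOF'
EXAMPLE\alice:*:10001:10000:Alice:/home/EXAMPLE/alice:/bin/bash
EXAMPLE\bob:*:2000512:2000513:Bob:/home/EXAMPLE/bob:/bin/bash
EXAMPLE\dave:*:10004:10000:Dave:/home/EXAMPLE/dave:/bin/bash
EOF

# Demo run: any reported line means file ACLs set on one server will not
# match the same account on the other.
compare_ids "$SAMPLE_A" "$SAMPLE_B" \
  || echo "ID mismatch found; fix the mapping before relying on ACLs"
```

On real hosts, replace the sample files with `getent passwd > server_a.passwd` run on each server (and the same for `getent group`), then diff the two captures with the function. A clean run with no output and exit status 0 is the precondition the reply describes: identical IDs everywhere, whether they come from RFC2307 attributes or from a consistently configured winbind.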
