[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)
Peter Serbe
peter at serbe.ch
Thu Jan 15 01:52:03 MST 2015
On Tue, Jan 13, 2015 at 2:32 PM, Thomas Burger <tburger at eritron.de> wrote:
> What works:
...
> - getfacl / setfacl setting with domain object names.
>
> My issue:
> Authorization is not working. For example:
> - Write list / read list / valid users options in smb.conf are not
> honored.
...
> - Skipped the samba authorization and moved this to the filesystem level.
> Set the acl to the appropriate AD groups with the appropriate level results
> in the same issue.
This is not normal. Have You declared the RFC2307 unix attributes?
I do this (on my home network, but anyway, I have different users
with different privileges) and it works great.
If You absolutely don't want to use RFC2307, then You have to check,
that all the users and groups got the same IDs on all Your servers
(even though there are only two at the moment). This might work with
Winbind, too, but You have to do some configuration, too (to complicated
for me, I am also not an expert).
If You start using RFC2307*) you should add the Unix ID during the
creation of the user when You use samba-tool. You could also add
the Unix ID from windows, but then You have to do it for every single
user by hand. I guess doing it by hand for the groups would be OK,
but not for the users - at least if You got hundreds of them. ;-)
Best regards
Peter
*) do a new provisioning if possible, You can also fiddle the attributes
into an existing domain, but You have to manipulate the LDB database,
and this is not exactly fun
More information about the samba
mailing list