[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)

Thomas Burger tburger at eritron.de
Thu Jan 15 13:52:17 MST 2015

On 15.01.15 09:52, Peter Serbe wrote:
>   On Tue, Jan 13, 2015 at 2:32 PM, Thomas Burger <tburger at eritron.de> wrote:
>> What works:
> ...
>> - getfacl / setfacl setting with domain object names.
>> My issue:
>> Authorization is not working. For example:
>> - Write list / read list / valid users options in smb.conf are not
>> honored.
> ...
>> - Skipped the samba authorization and moved this to the filesystem level.
>> Setting the ACL to the appropriate AD groups with the appropriate level results
>> in the same issue.
> This is not normal. Have You declared the RFC2307 unix attributes?
> I do this (on my home network, but anyway, I have different users
> with different privileges) and it works great.
> If You absolutely don't want to use RFC2307, then You have to check,
> that all the users and groups got the same IDs on all Your servers
> (even though there are only two at the moment). This might work with
> Winbind, too, but You have to do some configuration, too (too complicated
> for me, I am also not an expert).
> If You start using RFC2307*) you should add the Unix ID during the
> creation of the user when You use samba-tool. You could also add
> the Unix ID from windows, but then You have to do it for every single
> user by hand. I guess doing it by hand for the groups would be OK,
> but not for the users - at least if You got hundreds of them. ;-)
> Best regards
> Peter
> *) do a new provisioning if possible, You can also fiddle the attributes
> into an existing domain, but You have to manipulate the LDB database,
> and this is not exactly fun
First thank you Peter, Ashishkumar and Hans-Kristian for your hints. I 
will test them on weekend and report results.

Peter, could you please explain how I can accomplish this:
>> This is not normal. Have You declared the RFC2307 unix attributes?
Is it working like described in the following article?

I was not aware that I need to do this since I am not using a Microsoft AD.
Provisioning a new AD forest is not comfortable, but it is not a big issue
because my environment is anything but large yet.

Everybody have a good one
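As an added illustration of the two points in Peter's reply (this is not code from the thread or from the Samba project): creating a user with RFC2307 uidNumber/gidNumber set at creation time via samba-tool, and checking that every account resolves to the same numeric IDs on all servers, since a mismatch is what makes filesystem ACLs and smb.conf user lists silently fail. The samba-tool flags (--uid-number, --gid-number, --unix-home, --login-shell) are assumed to exist in the installed version, and the account names, IDs and the two passwd-style listings are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread). Names, IDs and listings are placeholders.

# Step 1: give a group and a user RFC2307 IDs at creation time, so SSSD/winbind
# on every member server resolve them to the same uid/gid.
# Usage: create_unix_enabled_user <user> <uidNumber> <gidNumber> <group>
create_unix_enabled_user() {
    samba-tool group add "$4" --gid-number="$3" &&
    samba-tool user create "$1" --uid-number="$2" --gid-number="$3" \
        --unix-home="/home/$1" --login-shell=/bin/bash &&
    samba-tool group addmembers "$4" "$1"
}

# Step 2: compare `getent passwd` output captured on two servers and print
# "user uid:gid(server A) uid:gid(server B)" for every account whose numeric
# IDs disagree. Arguments are passwd(5)-format text; empty output means the
# IDs are consistent.
find_id_mismatches() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$1" > "$a"
    printf '%s\n' "$2" > "$b"
    awk -F: 'NR==FNR { id[$1] = $3 ":" $4; next }
             ($1 in id) && id[$1] != $3 ":" $4 { print $1, id[$1], $3 ":" $4 }' \
        "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample: on server B, "alice" has no RFC2307 attributes and got an
# auto-generated ID instead of the one declared in AD.
SERVER_A='tburger:*:10001:10000:Thomas:/home/tburger:/bin/bash
alice:*:10002:10000:Alice:/home/alice:/bin/bash
bob:*:10003:10005:Bob:/home/bob:/bin/bash'
SERVER_B='tburger:*:10001:10000:Thomas:/home/tburger:/bin/bash
alice:*:1234567:1234500:Alice:/home/alice:/bin/bash
bob:*:10003:10005:Bob:/home/bob:/bin/bash'

find_id_mismatches "$SERVER_A" "$SERVER_B"
```

On real servers, feed the function the output of `getent passwd` collected from each host; the create_unix_enabled_user step is only shown, not run, because it needs a domain controller.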
