[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)
rowlandpenny at googlemail.com
Thu Jan 15 14:00:45 MST 2015
On 15/01/15 20:52, Thomas Burger wrote:
> On 15.01.15 09:52, Peter Serbe wrote:
>> On Tue, Jan 13, 2015 at 2:32 PM, Thomas Burger <tburger at eritron.de>
>>> What works:
>>> - getfacl / setfacl setting with domain object names.
>>> My issue:
>>> Authorization is not working. For example:
>>> - Write list / read list / valid users options in smb.conf are not
>>> - Skipped the samba authorization and moved this to the filesystem
>>> Set the acl to the appropriate AD groups with the appropriate level
>>> in the same issue.
>> This is not normal. Have You declared the RFC2307 unix attributes?
>> I do this (on my home network, but anyway, I have different users
>> with different privileges) and it works great.
>> If You absolutely don't want to use RFC2307, then You have to check,
>> that all the users and groups got the same IDs on all Your servers
>> (even though there are only two at the moment). This might work with
>> Winbind, too, but You have to do some configuration, too (too complicated
>> for me, I am also not an expert).
>> If You start using RFC2307*) you should add the Unix ID during the
>> creation of the user when You use samba-tool. You could also add
>> the Unix ID from windows, but then You have to do it for every single
>> user by hand. I guess doing it by hand for the groups would be OK,
>> but not for the users - at least if You got hundreds of them. ;-)
>> Best regards
>> *) do a new provisioning if possible, You can also fiddle the attributes
>> into an existing domain, but You have to manipulate the LDB database,
>> and this is not exactly fun
> First thank you Peter, Ashishkumar and Hans-Kristian for your hints. I
> will test them on the weekend and report results.
> Peter, could you please explain how I can accomplish this:
> >>This is not normal. Have You declared the RFC2307 unix attributes?
> Is it working like described in the following article?
> I was not aware that I need to do this since I am not using a
> Microsoft AD.
For Samba4 Active Directory, read Microsoft AD, so you don't have to
provision anything else, you just need to learn how to properly use what
you already have.
> Provisioning a new AD forest is not comfortable but anything but
> a big issue because my environment is anything but large yet.
> Everybody have a good one
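Peter's second option (no RFC2307 attributes, so every member server must resolve the same numeric IDs) is easy to get wrong silently: a POSIX ACL set on one host then names a different account on the other. The following is an added example, not code from this thread or from Samba/SSSD; it assumes you have captured `getent passwd` (or `getent group`) output from two member servers into files, and the host names and accounts in the sample dumps are constructed.

```shell
#!/bin/sh
# Compare the numeric IDs two Samba/SSSD member servers resolve for the same AD
# names. Inputs: files holding 'getent passwd' or 'getent group' output, e.g.
#   ssh serverA 'getent passwd' > hostA.passwd
# Sample hosts and accounts below are constructed for the demo.

find_id_mismatches() {
  # $1 = dump from host A, $2 = dump from host B (format: name:x:ID:...)
  # Prints one line per name whose ID differs or that resolves on only one host.
  awk -F: '
    NR == FNR { a[$1] = $3; next }             # first file: remember name -> ID
    {
      b[$1] = $3
      if (!($1 in a))       print $1 ": missing on host A"
      else if (a[$1] != $3) print $1 ": ID differs (" a[$1] " vs " $3 ")"
    }
    END { for (n in a) if (!(n in b)) print n ": missing on host B" }
  ' "$1" "$2" | sort
}

# Constructed dumps: with uidNumber/gidNumber set in AD (RFC2307) and SSSD
# configured with ldap_id_mapping = False, both hosts agree. Here host B
# resolves one user to an ID-mapped uid instead, and one user is only
# visible on one host, so ACLs written on host A do not match on host B.
write_samples() {
  dir=$(mktemp -d)
  cat > "$dir/hostA.passwd" <<'EOF'
EXAMPLE\alice:*:10001:10000:Alice:/home/EXAMPLE/alice:/bin/bash
EXAMPLE\bob:*:10002:10000:Bob:/home/EXAMPLE/bob:/bin/bash
EXAMPLE\carol:*:10003:10000:Carol:/home/EXAMPLE/carol:/bin/bash
EOF
  cat > "$dir/hostB.passwd" <<'EOF'
EXAMPLE\alice:*:10001:10000:Alice:/home/EXAMPLE/alice:/bin/bash
EXAMPLE\bob:*:1846201105:1846200513:Bob:/home/EXAMPLE/bob:/bin/bash
EXAMPLE\dave:*:10004:10000:Dave:/home/EXAMPLE/dave:/bin/bash
EOF
  echo "$dir"
}

# Demo run against the constructed dumps
d=$(write_samples)
find_id_mismatches "$d/hostA.passwd" "$d/hostB.passwd"
```

An empty result means both hosts agree on every name; anything printed is an account whose filesystem ACLs cannot be trusted to mean the same thing on both servers.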