[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)

Peter Serbe peter at serbe.ch
Fri Jan 16 08:01:47 MST 2015

Rowland Penny schrieb am 15.01.2015 22:00:

> For samba4 active directory, read microsoft AD, so you don't have to 
> provision anything else, you just need to learn how to properly use what 
> you already have.
> Rowland

Rowland is right, of course. But(!) things might be simpler with the 
RFC2307 attributes. 

Without the attributes You need to set the permissions from windows. 
So first all the users could read/write/see everything. Then You 
would set the attributes on Windows to restrict things to Your liking. 

With the RFC2307 attributes You can use ACLs directly on the file system. 
You might also be able to use the ACLs without RFC2307, but there might 
be inconsistencies between the different servers. But in the end, both 
options will do pretty much the same. 

It might be possible to have Winbind do the job. Once I tried that, but 
most likely due to a personal lack of experience I did not succeed. 
I managed to do it using the RFC2307 attributes anyway. If You have 
enough time, I'd give it a try. IIRC You did set up sssd, which makes 
good use of RFC2307.

Best regards

More information about the samba mailing list