[Samba] Secondary groups not recognized by Samba
Rowland Penny
rowlandpenny241155 at gmail.com
Thu Jul 2 14:27:16 UTC 2015
On 02/07/15 15:06, Nick K wrote:
> I am running Samba 4.1.12 with SSSD 1.12.2 on RHEL 7.1. I have joined my
> system to a Win 2008r2 domain. I have added the necessary unix attributes
> to all relevant users and groups. When I add a domain group to a
> directory, either as the primary group or as an ACL, I can access the share
> locally from the server, but cannot access the share from a Windows system
> via the SMB share. If I change the account primary group on our domain
> controller, then everything works. Basically, the only domain group that
> Samba allows is Domain Users since that is the default primary group on our
> accounts.
>
> Kerberos tickets are successfully generated and running test LDAP queries
> are successful.
>
>
>> getent group netmon_deviceconfigs
> netmon_deviceconfigs:*:16784931:nkuser,wkadmin,nkadmin,wkuser
>
>> getent passwd nkuser
> nkuser:*:16781645:16777729:K, Nick:/home/USERS/nkuser:/bin/bash
>
>> getent group Domain\ Users
> domain users:*:16777729:nkuser,cdscan20,cdscan19,cdscan18,.....
>
>
> Anybody have any recommendations? I've been buried in this for two days!
> :) Configs are below:
>
>
>
> #!==============================================================
> sssd.conf
> #!==============================================================
> [sssd]
> domains = mydomain.com
> config_file_version = 2
> services = nss, pam, pac
>
> [domain/mydomain.com]
> ad_server = dc01.mydomain.com
> ad_domain = mydomain.com
> krb5_realm = MYDOMAIN.COM
> cache_credentials = True
> id_provider = ad
> auth_provider = ad
> chpass_provider = ad
> access_provider = ad
> ldap_schema = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = False
> fallback_homedir = /home/%d/%u
> ldap_search_base = dc=mydomain,dc=com?subtree?
> ldap_group_search_base = dc=mydomain,dc=com?subtree?(objectClass=group)
> ldap_user_search_base = dc=mydomain,dc=com?subtree?(objectClass=user)
> ldap_group_member = member
>
>
> #!==============================================================
> smb.conf
> #!==============================================================
> # ----------------------- Network-Related Options -------------------------
> workgroup = MYWORKGROUP
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> netbios name = MGMT01
> # ----------------------- Domain Members Options ------------------------
> security = ads
> realm = MYDOMAIN.COM
> # ----------------------- Share Definitions -------------------------
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
> create mask = 0660
> directory mask = 0770
> [share]
> browseable = yes
> writeable = yes
> path = /var/shared
> inherit permissions = no
> inherit acls = yes
> inherit owner = no
> acl group control = yes
> #!==============================================================
> krb5.conf
> #!==============================================================
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = MYDOMAIN.COM
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> MYDOMAIN.COM = {
> kdc = dc01.mydomain.com
> admin_server = dc01.mydomain.com
> }
>
> [domain_realm]
> mydomain.com = MYDOMAIN.COM
> .mydomain.com = MYDOMAIN.COM
Have a look here:
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
Rowland
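Added diagnostic helper (not part of the original thread): the poster's `getent group` output shows nkuser listed as a member of netmon_deviceconfigs, so the first thing worth confirming on the server is whether that GID actually appears in the user's supplementary group list (`id -G nkuser`). The function below parses `getent group` text and reports every group that lists the user by name but whose GID is absent from the effective group list. The sample group lines are copied from the thread; the effective group list for nkuser (primary group only) is a constructed assumption used to illustrate the mismatch.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list post.
# missing_groups USER GETENT_TEXT ID_GROUPS
#   GETENT_TEXT : output of `getent group` (name:passwd:gid:member,member,...)
#   ID_GROUPS   : whitespace-separated GIDs, as printed by `id -G USER`
# Prints "GID name" for each group that names USER as a member in NSS
# but whose GID is not present in ID_GROUPS.

# Constructed sample input, taken from the getent output quoted above.
SAMPLE_GROUPS='netmon_deviceconfigs:*:16784931:nkuser,wkadmin,nkadmin,wkuser
domain users:*:16777729:nkuser,cdscan20,cdscan19,cdscan18'

# Assumed effective group list for nkuser: only the primary group (Domain Users).
SAMPLE_ID_GROUPS='16777729'

missing_groups() {
    user=$1
    getent_text=$2
    id_groups=$3
    printf '%s\n' "$getent_text" | awk -F: -v user="$user" -v idg="$id_groups" '
        BEGIN {
            # GIDs the user really holds, keyed for O(1) lookup.
            n = split(idg, g, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (g[i] != "") have[g[i]] = 1
        }
        NF >= 4 {
            # Compare member names exactly; a substring match would let
            # "kuser" match both nkuser and wkuser.
            m = split($4, members, ",")
            for (i = 1; i <= m; i++) {
                if (members[i] == user && !($3 in have)) {
                    print $3, $1
                    break
                }
            }
        }'
}

# Number of groups reported by missing_groups, as a plain integer.
count_missing() {
    missing_groups "$@" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    missing_groups nkuser "$SAMPLE_GROUPS" "$SAMPLE_ID_GROUPS"
fi
```

On the live server run it as `missing_groups nkuser "$(getent group)" "$(id -G nkuser)"`. An empty result means the operating system already grants the supplementary groups and the denial is happening on the SMB side, which is where the Windows ACL setup Rowland points to applies; a non-empty result means the group is known to NSS but is not in the user's session token, so Samba cannot be expected to honour it either. When winbind is running, `wbinfo --user-groups nkuser` gives a third view, the GIDs winbind itself resolves for the account, which is useful to compare against the other two.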