[Samba] Secondary groups not recognized by Samba
Rowland Penny
rowlandpenny241155 at gmail.com
Thu Jul 2 15:34:39 UTC 2015
On 02/07/15 16:17, Nick K wrote:
> Thanks. I did see this article once and have added the config
> options to my smb.conf with no difference. This article is centered
> around ACLs, but my issue isn't specific to ACLs. Whether I set an
> ACL (setfacl) or change the directory's group ownership (chown), it
> only works with Domain Users or the whatever group an account has set
> as their primary group in Active Directory. This only seems to be
> the case from windows systems accessing the SMB share. From the
> Linux shell, permissions work perfectly whether they are local or
> domain groups.
>
> On Thu, Jul 2, 2015 at 10:27 AM, Rowland Penny
> <rowlandpenny241155 at gmail.com> wrote:
>
> On 02/07/15 15:06, Nick K wrote:
>
> I am running Samba 4.1.12 with SSSD 1.12.2 on RHEL 7.1. I have
> joined my system to a Win 2008r2 domain. I have added the necessary
> unix attributes to all relevant users and groups. When I add a
> domain group to a directory, either as the primary group or as an
> ACL, I can access the share locally from the server, but cannot
> access the share from a Windows system via the SMB share. If I
> change the account primary group on our domain controller, then
> everything works. Basically, the only domain group that Samba allows
> is Domain Users since that is the default primary group on our
> accounts.
>
> Kerberos tickets are successfully generated and running test LDAP
> queries are successful.
>
>
> getent group netmon_deviceconfigs
>
> netmon_deviceconfigs:*:16784931:nkuser,wkadmin,nkadmin,wkuser
>
> getent passwd nkuser
>
> nkuser:*:16781645:16777729:K, Nick:/home/USERS/nkuser:/bin/bash
>
> getent group Domain\ Users
>
> domain users:*:16777729:nkuser,cdscan20,cdscan19,cdscan18,.....
>
>
> Anybody have any recommendations? I've been buried in this for two
> days! :) Configs are below:
>
> #!==============================================================
> sssd.conf
> #!==============================================================
> [sssd]
> domains = mydomain.com
> config_file_version = 2
> services = nss, pam, pac
>
> [domain/mydomain.com]
> ad_server = dc01.mydomain.com
> ad_domain = mydomain.com
> krb5_realm = MYDOMAIN.COM
> cache_credentials = True
> id_provider = ad
> auth_provider = ad
> chpass_provider = ad
> access_provider = ad
> ldap_schema = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = False
> fallback_homedir = /home/%d/%u
> ldap_search_base = dc=mydomain,dc=com?subtree?
> ldap_group_search_base = dc=mydomain,dc=com?subtree?(objectClass=group)
> ldap_user_search_base = dc=mydomain,dc=com?subtree?(objectClass=user)
> ldap_group_member = member
>
>
> #!==============================================================
> smb.conf
> #!==============================================================
> # ----------------------- Network-Related Options -------------------------
> workgroup = MYWORKGROUP
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> netbios name = MGMT01
> # ----------------------- Domain Members Options ------------------------
> security = ads
> realm = MYDOMAIN.COM
> # ----------------------- Share Definitions -------------------------
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
> create mask = 0660
> directory mask = 0770
> [share]
> browseable = yes
> writeable = yes
> path = /var/shared
> inherit permissions = no
> inherit acls = yes
> inherit owner = no
> acl group control = yes
>
> #!==============================================================
> krb5.conf
> #!==============================================================
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = MYDOMAIN.COM
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> MYDOMAIN.COM = {
>   kdc = dc01.mydomain.com
>   admin_server = dc01.mydomain.com
> }
>
> [domain_realm]
> mydomain.com = MYDOMAIN.COM
> .mydomain.com = MYDOMAIN.COM
>
>
> Have a look here:
>
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>
> Rowland
>
You should either use Unix permissions or windows ACLs, don't try and
use both. If you only have windows users, set 'acl_xattr:ignore system
acl = yes' and only set the permissions from windows.
Rowland
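As an added illustration of the choice described in the reply above (an example smb.conf written for this page, not taken from the thread, the linked wiki page or the Samba project), the fragment below shows the same share set up both ways: once relying on POSIX permissions only, and once relying on Windows ACLs only, with the vfs_acl_xattr settings the linked wiki page uses. The share names `[share_posix]` and `[share_ntacl]`, the `[global]` header and the path reuse of /var/shared are assumptions made for the example; the parameter is written the way vfs_acl_xattr(8) spells it, `acl_xattr:ignore system acls`.

```ini
# Example smb.conf fragment (added for this page, not from the thread).
# Only one of the two share styles below should be used for a given
# directory; they are shown side by side for comparison.

[global]
    workgroup = MYWORKGROUP
    security = ads
    realm = MYDOMAIN.COM
    kerberos method = secrets and keytab

    # Needed for the Windows-ACL style share below (see the Samba wiki
    # page linked in the reply). acl_xattr keeps the Windows security
    # descriptor in an extended attribute on each file/directory.
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

# Style 1: POSIX permissions and POSIX ACLs only.
# Access is governed by chown/chmod/setfacl on the server; do not edit
# the ACL from the Windows Security tab on this share.
[share_posix]
    path = /var/shared
    browseable = yes
    writeable = yes
    inherit acls = yes

# Style 2: Windows ACLs only.
# With "ignore system acls = yes" the module stores the NT ACL in the
# extended attribute only and does not map it to the POSIX ACL layer, so
# permissions are set exclusively from a Windows client (Properties >
# Security). Consequence: local shell and NFS users do not see these
# permissions, so this style fits shares that only Windows users access.
[share_ntacl]
    path = /var/shared
    browseable = yes
    writeable = yes
    acl_xattr:ignore system acls = yes
```

After editing smb.conf, run `testparm -s` to confirm the file parses and that the acl_xattr options are accepted before restarting smbd.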