[Samba] Make a share owned by a service account available to members of an AD group

Rowland Penny rowlandpenny241155 at gmail.com
Fri Oct 9 08:18:52 UTC 2015


On 08/10/15 23:20, Tovey, Mark wrote:
>      I have a requirement where I need to make a directory tree on a Linux system available to a group of users that authenticate against an AD system.  I have successfully joined my system to our AD domain and I am able to manage access to  a share with a security group in AD, so long as the group members also have accounts on the Linux system.  I need to be able to set it up so that the user accounts do not need to exist on the Linux system, simply adding them to the AD security group is enough to grant them access to the share (providing that they properly authenticate).  In addition, I want to map the members of the AD group to a specific account that is on the Linux server, and this account will be the owner of the share's directory tree and its contents.
>      The goal here is for application management.  The members of the AD group will be moving documents into and out of the application, and the application needs to be able to read and write to the share.  So far I have not been able to get the group members to application account mapping to function.
>      One other requirement is that I need to be able to support multiple shares on one server, each with a different owner, so setting guest account to an application account is not going to work.
>      Below is the configuration I have cobbled together from various posts and from reading the documentation:
>
> [global]
>          server string = Samba Server Version %v
>
>          log file = /var/log/samba/log.%m
>          max log size = 500
>
>          log level = 3
>
>          workgroup = DEVELOPMENT
>          realm = DEVELOPMENT.MYDOMAIN.COM
>          security = ADS
>          password server = adserv.development.go2uti.com
>          passdb backend = tdbsam
>
>          domain master = no
>          local master = no
>          preferred master = no
>
>          disable netbios = yes
>          dns proxy = no
>
>          dedicated keytab file = /etc/krb5.keytab
>          kerberos method = secrets and keytab
>
>          idmap config *:backend = tdb
>          idmap config *:range = 5000-50000
>          idmap config DEVELOPMENT:backend = ad
>          idmap config DEVELOPMENT:schema_mode = rfc2307
>          idmap config DEVELOPMENT:range = 10000-99999

Let's deal with this problem first: the first range (*) is for the 
well-known RIDs, the second (DEVELOPMENT) is for your users & groups. 
These ranges must *not* overlap, and yours do!

Rowland

>
>          winbind nss info = rfc2307
>          winbind trusted domains only = no
>          winbind use default domain = yes
>          winbind enum users  = yes
>          winbind enum groups = yes
>          winbind refresh tickets = Yes
>          winbind normalize names = Yes
>
>          map untrusted to domain = yes
>          map to guest = Bad Uid
>          username map = /etc/samba/users.map
>
>          load printers = no
>          printcap name = /dev/null
>          printing = bsd
>
>
> [data]
>          path = /opt/app/data
>          read only = no
>          writable = yes
>          browseable = no
>          hide dot files = yes
>          hide special files = yes
>          valid users = @DEVELOPMENT\smbgrp
>          write list = @DEVELOPMENT\smbgrp
>
>      And the contents of the users.map file:
>
> appacct = @DEVELOPMENT\smbgrp
>
>      I am using Samba  4.0.0 on an OEL 6.5 server (RHEL 6.5 equivalent).
>      Any help will be greatly appreciated.
>      Thanks,
>      -Mark
>
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design
> UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389
>
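The overlap Rowland points out is easy to miss by eye in a long smb.conf, and overlapping idmap ranges mean two different domain SIDs can be handed the same Unix uid or gid, which silently breaks the file-permission model the share relies on. The following is an added example, not code from the thread or from the Samba project: a small Python checker that parses every `idmap config X:range` line and reports any pair of domains whose ranges intersect. The sample configuration embedded below is constructed from the values quoted in the thread; the second, non-overlapping layout is a made-up illustration of a clean configuration, not a recommendation from the reply.

```python
import re
from itertools import combinations

# Constructed sample modelled on the smb.conf quoted in the thread:
# the "*" range 5000-50000 and the DEVELOPMENT range 10000-99999 overlap.
SAMPLE_SMB_CONF = """
[global]
        workgroup = DEVELOPMENT
        security = ADS
        idmap config *:backend = tdb
        idmap config *:range = 5000-50000
        idmap config DEVELOPMENT:backend = ad
        idmap config DEVELOPMENT:schema_mode = rfc2307
        idmap config DEVELOPMENT:range = 10000-99999
"""

# Constructed example of a layout with disjoint ranges (illustrative values,
# not numbers taken from the thread).
FIXED_SMB_CONF = """
[global]
        idmap config *:backend = tdb
        idmap config *:range = 3000-7999
        idmap config DEVELOPMENT:backend = ad
        idmap config DEVELOPMENT:schema_mode = rfc2307
        idmap config DEVELOPMENT:range = 10000-99999
"""

# Matches lines such as "idmap config DEVELOPMENT:range = 10000-99999".
# The domain part is everything before the colon; "*" is the default domain.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>[^:\s]+)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every idmap range line in conf_text."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if not m:
            continue
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        if lo > hi:
            raise ValueError(f"range for {m.group('domain')} is reversed: {lo}-{hi}")
        ranges[m.group("domain")] = (lo, hi)
    return ranges


def find_overlaps(ranges):
    """Return a sorted list of (domain_a, domain_b) whose ID ranges intersect."""
    overlaps = []
    for (da, (alo, ahi)), (db, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        # Two closed intervals intersect when each starts no later than the other ends.
        if alo <= bhi and blo <= ahi:
            overlaps.append((da, db))
    return overlaps


def check_smb_conf(conf_text):
    """Parse conf_text and return the list of overlapping idmap domain pairs."""
    return find_overlaps(parse_idmap_ranges(conf_text))


if __name__ == "__main__":
    for name, conf in (("quoted config", SAMPLE_SMB_CONF), ("disjoint config", FIXED_SMB_CONF)):
        bad = check_smb_conf(conf)
        if bad:
            print(f"{name}: overlapping idmap ranges: {bad}")
        else:
            print(f"{name}: idmap ranges are disjoint")
```

To run it against a live server, replace the embedded sample with `open("/etc/samba/smb.conf").read()`; note that the checker only looks at `range` lines, so a domain configured with an idmap backend that has no explicit range is not reported.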