[Samba] Make a share owned by a service account available to members of an AD group

Tovey, Mark MTovey at go2uti.com
Fri Oct 9 19:31:33 UTC 2015


    The only way it seems to work is if I do have both the local and AD user with the same name.  But my goal here is to not require that, to have the AD account only.
    I have applied Unix attributes to the users.  testuser uidNumber = 30089 and gidNumber = 100.  However, when I try to query with wbinfo, I was unable to look that up:

wbinfo -i "DEVELOPMENT\testuser"
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

    I get the same result regardless of whether the account is in the local passwd file or not.
    I switched to “rid” and now I can successfully query for the testuser account:

wbinfo -i "DEVELOPMENT\testuser"
testuser:*:36385:30513::/home/testuser:/bin/bash

    but the uidNumber and gidNumber do not match what is in AD.  And it still will not allow the testuser account to map the share unless the account exists in the local passwd file.  It is getting the password from AD, but only if the account exists in the local system too.
    -Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389

________________________________________________________________
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Friday, October 9, 2015 11:36 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to members of an AD group

On 09/10/15 18:54, Tovey, Mark wrote:
>
>     Got it.  I changed that section as follows:
>
>         idmap config *:backend = tdb
>
>         idmap config *:range = 5000-29999
>
>         idmap config DEVELOPMENT:backend = ad
>
>         idmap config DEVELOPMENT:schema_mode = rfc2307
>
>         idmap config DEVELOPMENT:range = 30000-99999
>
>     It did not change the “map to guest = Bad Uid” issue, however.  
> The error I see in the log file is “check_ntlm_password:  
> Authentication for user [testuser] -> [testuser] FAILED with error 
> NT_STATUS_NO_SUCH_USER”. If I add the testuser account to the Linux 
> system’s passwd file, then I see “check_ntlm_password:  authentication 
> for user [testuser] -> [testuser] -> [testuser] succeeded”. The 
> testuser account does not have a password on the Linux system, the 
> password exists only in the AD system.  So, I am able to map the share 
> to my workstation using the testuser account only when the testuser 
> account exists in both the AD system and the Linux system, which is 
> what I am trying to avoid.  I want to have the testuser account be in 
> the AD system only.
>
>     The documentation for “map to guest = Bad Uid” states: “user 
> logins which are successfully authenticated but which have no valid 
> Unix user account should be mapped to the defined guest account.”  The 
> guest account is set to “nobody” and it does exist in the passwd file, 
> but the mapping does not seem to be occurring.  Am I misunderstanding 
> the meaning here?  Or perhaps how the guest account functions?
>
>     -Mark
>

You cannot have a local user and an AD user with the same name, so I would suggest removing the local user. I know you have set up the 'ad' backend in smb.conf, but have you given any of your users a uidNumber attribute (and Domain Users a gidNumber)? These numbers need to be inside the range set in your smb.conf. If you haven't done this, then either do so, or change this line 'idmap config DEVELOPMENT:backend = ad' to 'idmap config DEVELOPMENT:backend = rid'.

Rowland
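The two conditions Rowland names above (RFC2307 uidNumber/gidNumber values must fall inside the domain's `idmap config ... : range`, and no local passwd entry may share a name with an AD account) can be checked before touching the share. The script below is an added example, not code from the thread or from the Samba project: it parses the `idmap config` lines out of an smb.conf fragment and validates constructed AD user records and constructed /etc/passwd lines against them. The smb.conf text, the passwd lines, the user list and the helper names (`parse_idmap`, `check_user`, `local_name_collisions`, `audit`) are all assumptions made for this example; in a real deployment the AD attributes would come from `ldbsearch`/`ldapsearch` and the passwd lines from the member server.

```python
"""Audit AD users' RFC2307 attributes against smb.conf idmap ranges.

Constructed example (not from the mailing-list thread or the Samba project).
It checks what the 'ad' idmap backend needs: every user's uidNumber and the
group's gidNumber must lie inside the domain's configured range, and no local
passwd account may carry the same name as an AD account.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment mirroring the idmap layout discussed above.
SMB_CONF = """\
[global]
    workgroup = DEVELOPMENT
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 5000-29999
    idmap config DEVELOPMENT : backend = ad
    idmap config DEVELOPMENT : schema_mode = rfc2307
    idmap config DEVELOPMENT : range = 30000-99999
"""

# Constructed /etc/passwd lines; "testuser" here shadows the AD account.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
testuser:x:1001:1001::/home/testuser:/bin/bash
"""

# Constructed AD records: (sAMAccountName, uidNumber, gidNumber); None = attribute unset.
AD_USERS: List[Tuple[str, Optional[int], Optional[int]]] = [
    ("testuser", 30089, 100),      # gidNumber 100 is below the 30000-99999 range
    ("svc-build", 30100, 30513),   # both attributes inside the range
    ("alice", None, 30513),        # uidNumber never assigned
]

# Accepts both "idmap config DOM:key = v" and "idmap config DOM : key = v".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.IGNORECASE
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {key: value}} for every idmap config line in conf."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' into a pair of ints."""
    low, high = (int(part.strip()) for part in text.split("-", 1))
    return low, high


def check_user(domains: Dict[str, Dict[str, str]], domain: str, name: str,
               uid: Optional[int], gid: Optional[int]) -> List[str]:
    """List the reasons the 'ad' backend could not map DOMAIN\\name; empty = OK."""
    who = f"{domain}\\{name}"
    cfg = domains.get(domain.upper())
    if cfg is None or "range" not in cfg:
        return [f"{who}: no idmap range configured for domain {domain}"]
    if cfg.get("backend", "").lower() != "ad":
        # rid/autorid compute IDs from the SID, so RFC2307 attributes are unused.
        return [f"{who}: backend is {cfg.get('backend')!r}, RFC2307 attributes are not consulted"]
    low, high = parse_range(cfg["range"])
    problems = []
    for label, value in (("uidNumber", uid), ("gidNumber", gid)):
        if value is None:
            problems.append(f"{who}: {label} is not set")
        elif not low <= value <= high:
            problems.append(f"{who}: {label} {value} is outside idmap range {low}-{high}")
    return problems


def local_name_collisions(names: List[str], passwd_text: str) -> List[str]:
    """AD account names that also exist as local passwd entries."""
    local = {line.split(":", 1)[0] for line in passwd_text.splitlines() if line.strip()}
    return sorted(n for n in names if n in local)


def audit(conf: str, passwd_text: str, users, domain: str) -> Dict[str, List[str]]:
    """Per-user problem list for the whole constructed data set."""
    domains = parse_idmap(conf)
    report = {name: check_user(domains, domain, name, uid, gid) for name, uid, gid in users}
    for name in local_name_collisions([u[0] for u in users], passwd_text):
        report[name].append(f"{domain}\\{name}: a local passwd account with this name exists")
    return report


if __name__ == "__main__":
    for name, problems in audit(SMB_CONF, LOCAL_PASSWD, AD_USERS, "DEVELOPMENT").items():
        print(name, "OK" if not problems else "\n  ".join([""] + problems))
```

With the constructed data, `testuser` is flagged twice (gidNumber 100 outside 30000-99999, and a colliding local account), `alice` for the missing uidNumber, and `svc-build` passes; switching the domain's backend to `rid` makes the attribute checks moot, which matches the behaviour described in the thread, but the name-collision check still applies.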
