[Samba] Make a share owned by a service account available to members of an AD group

Rowland Penny rowlandpenny241155 at gmail.com
Fri Oct 9 19:56:57 UTC 2015


On 09/10/15 20:31, Tovey, Mark wrote:
>      The only way it seems to work is if I do have both the local and AD user with the same name.  But my goal here is to not require that, to have the AD account only.

To do what you want you need to use winbind (other ways of doing it are 
available, but this is the samba mailing list) and then use either the 
'ad' or 'rid' backend; this way your AD users become Unix users.

>      I have applied Unix attributes to the users.  testuser uidNumber = 30089 and gidNumber = 100.  However, when I try to query with wbinfo, I was unable to look that up:
>
> wbinfo -i "DEVELOPMENT\testuser"
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

Two things: have you added a gidNumber to Domain Users? (do not use 
100, this is the Unix users group and is outside the range set in 
smb.conf) and you should be using getent, not wbinfo. wbinfo works 
directly on winbind, getent doesn't; try 'getent passwd testuser'.

>
>      I get the same result regardless of if the account is in the local passwd file or not.
>      I switched to “rid” and now I can successfully query for the testuser account:
>
> wbinfo -i "DEVELOPMENT\testuser"
> testuser:*:36385:30513::/home/testuser:/bin/bash
>
>      but the uidNumber and gidNumber do not match what is in AD.

Using the 'rid' backend it never will; this is the beauty behind the 
'ad' backend, you set the user's uidNumber in AD and you will get that 
number everywhere, but you also need to give Domain Users a gidNumber or 
winbind will not work. Whatever numbers you use *must* be inside the 
range you set in smb.conf, i.e. if you have 'idmap config EXAMPLE:range = 
10000-99999', your numbers must be above 9999 but below 100000.

>   And it still will not allow the testuser account to map the share unless the account exists in the local passwd file.  It is getting the password from AD, but only if the account exists in the local system too.

You need to remove any local users that you want to be in AD (oh, and 
don't try and get creative and put Unix system users in AD, they belong 
in /etc/passwd), run 'net cache flush', run 'getent passwd <ADuser>' 
(replace <ADuser> with an AD username that has a uidNumber); if this 
returns the user's details, you should then be able to chown the share to 
belong to the user.

Once you have got this far, I would suggest reading more on the samba 
wiki, especially about creating shares and setting the ACLs.

Rowland

>      -Mark