[Samba] Make a share owned by a service account available to members of an AD group

Tovey, Mark MTovey at go2uti.com
Fri Oct 9 19:57:11 UTC 2015


    No joy.  I added winbind to the passwd, shadow, and group lines and it is still not working.  I also switched back to ad instead of rid (I deleted the Samba database files in /var/lib/samba and rejoined the domain when I switched), and still the same.  If the account exists locally I can authenticate against AD and map the share.  No local account and it fails.
    -Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of John Yocum
Sent: Friday, October 9, 2015 12:37 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to members of an AD group

On 10/09/2015 12:31 PM, Tovey, Mark wrote:
>     The only way it seems to work is if I do have both the local and AD user with the same name.  But my goal here is to not require that, to have the AD account only.
>     I have applied Unix attributes to the users.  testuser uidNumber = 30089 and gidNumber = 100.  However, when I try to query with wbinfo, I was unable to look that up:
> 
> wbinfo -i "DEVELOPMENT\testuser"
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> 
>     I get the same result regardless of if the account is in the local passwd file or not.
>     I switched to “rid” and now I can successfully query for the testuser account:
> 
> wbinfo -i "DEVELOPMENT\testuser"
> testuser:*:36385:30513::/home/testuser:/bin/bash
> 
>     but the uidNumber and gidNumber do not match what is in AD.  And it still will not allow the testuser account to map the share unless the account exists in the local passwd file.  It is getting the password from AD, but only if the account exists in the local system too.
>     -Mark
> 
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW 
> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA 
> MTovey at go2uti.com | O / C +1 503 953-1389
> 


Do you have winbind listed in your nsswitch.conf? If not, you'll need that so the OS itself will see the AD users.

--
John Yocum, Systems Administrator, DEOHS
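
The nsswitch.conf check asked about above, as an added example that is not part of the original thread: it reports whether winbind is listed for the passwd and group databases and whether an earlier `[NOTFOUND=return]` action keeps lookups from ever reaching it. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: group lists winbind, but behind [NOTFOUND=return].
sample_conf() {
    cat <<'EOF'
passwd: files winbind
group:  files [NOTFOUND=return] winbind   # constructed line
shadow: files
EOF
}

# Print the state of winbind for database $2 in nsswitch file $1:
#   ok | unreachable (behind [NOTFOUND=return]) | missing | absent (no line)
nss_winbind_status() {
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # drop comments, split "db:src"
        $1 == (db ":") {
            seen = 1; blocked = 0; inbr = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) inbr = 1
                if (inbr) {              # inside an action list such as [A=b C=d]
                    act = tolower($i)
                    if (act ~ /notfound=return/ && act !~ /!notfound/) blocked = 1
                    if ($i ~ /\]$/) inbr = 0
                    continue
                }
                if ($i == "winbind") { found = 1; print (blocked ? "unreachable" : "ok"); exit }
            }
        }
        END { if (!found) print (seen ? "missing" : "absent") }
    ' "$1"
}

# Check passwd and group; return non-zero unless both report ok.
check_nsswitch() {
    rc=0
    for db in passwd group; do
        st=$(nss_winbind_status "$1" "$db")
        echo "$db: $st"
        [ "$st" = ok ] || rc=1
    done
    return $rc
}

# Check the named file, or the constructed sample when none is given.
if [ $# -gt 0 ]; then check_nsswitch "$1"
else tmp=$(mktemp) && sample_conf > "$tmp" && check_nsswitch "$tmp"; rm -f "$tmp"; fi
```

Run it with /etc/nsswitch.conf as the argument; if both databases report ok, `getent passwd` with the domain user's name shows whether the OS actually resolves that account.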
