[Samba] Make a share owned by a service account available to members of an AD group

Rowland Penny rowlandpenny241155 at gmail.com
Fri Oct 9 20:15:40 UTC 2015


On 09/10/15 20:57, Tovey, Mark wrote:
>      No joy.  I added winbind to the passwd, shadow, and group lines and it is still not working.  I also switched back to ad instead of rid (I deleted the Samba database files in /var/lib/samba and rejoined the domain when I switched), and still the same.  If the account exists locally I can authenticate against AD and map the share.  No local account and it fails.
>      -Mark
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> MTovey at go2uti.com | O / C +1 503 953-1389
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of John Yocum
> Sent: Friday, October 9, 2015 12:37 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Make a share owned by a service account available to members of an AD group
>
> On 10/09/2015 12:31 PM, Tovey, Mark wrote:
>>      The only way it seems to work is if I do have both the local and AD user with the same name.  But my goal here is to not require that, to have the AD account only.
>>      I have applied Unix attributes to the users.  testuser uidNumber = 30089 and gidNumber = 100.  However, when I try to query with wbinfo, I was unable to look that up:
>>
>> wbinfo -i "DEVELOPMENT\testuser"
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>
>>      I get the same result regardless of if the account is in the local passwd file or not.
>>      I switched to “rid” and now I can successfully query for the testuser account:
>>
>> wbinfo -i "DEVELOPMENT\testuser"
>> testuser:*:36385:30513::/home/testuser:/bin/bash
>>
>>      but the uidNumber and gidNumber do not match what is in AD.  And it still will not allow the testuser account to map the share unless the account exists in the local passwd file.  It is getting the password from AD, but only if the account exists in the local system too.
>>      -Mark
>>
>> ________________________________________________________________
>> Mark Tovey - UNIX Engineer | Service Strategy & Design
>> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>> MTovey at go2uti.com | O / C +1 503 953-1389
>>
>
> Do you have winbind listed in your nsswitch.conf? If not, you'll need that so the OS itself will see the AD users.
>
> --
> John Yocum, Systems Administrator, DEOHS
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Until you can get 'getent passwd username' to return the user's info, it 
will never work, and I can assure you it will work if everything is set up 
correctly.
Can you post:
smb.conf
/etc/resolv.conf
/etc/krb5.conf
The result of 'net ads testjoin'

Rowland
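As an added example (not part of this thread, and not Samba's own tooling), the shell helpers below automate the two checks John and Rowland point at: that winbind is listed on the passwd and group lines of nsswitch.conf, and that 'getent passwd' resolves the domain user with the uidNumber/gidNumber set in AD. The sample nsswitch.conf and the passwd line are constructed here; the passwd line reuses the one Mark posted so the uid/gid mismatch he saw under the rid backend is reproduced.

```shell
#!/bin/sh
# Diagnostic helpers for the "AD user only resolves when a local account
# exists" symptom. Added example; function names are this example's own.

# nss_has_winbind FILE DB
#   Exit 0 if the DB line (passwd, group or shadow) in FILE lists winbind,
#   1 otherwise. Comments are stripped first so a commented-out line does
#   not count.
nss_has_winbind() {
    file=$1
    db=$2
    sed 's/#.*//' "$file" | awk -v db="$db" '
        $1 == db ":" {
            for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# passwd_entry_matches "passwd line" EXPECTED_UID EXPECTED_GID
#   Exit 0 if fields 3 and 4 of a passwd(5)-style line equal the expected
#   uidNumber and gidNumber. With the rid backend the ids are computed from
#   the RID, so this is expected to fail; with the ad backend (rfc2307
#   schema mode) it should succeed.
passwd_entry_matches() {
    line=$1
    want_uid=$2
    want_gid=$3
    got_uid=$(printf '%s\n' "$line" | cut -d: -f3)
    got_gid=$(printf '%s\n' "$line" | cut -d: -f4)
    [ "$got_uid" = "$want_uid" ] && [ "$got_gid" = "$want_gid" ]
}

# check_domain_user DOMAIN USER EXPECTED_UID EXPECTED_GID
#   Runs on a joined host: asks NSS (not winbind directly) for the user,
#   which is exactly what smbd does, then compares the ids with AD.
check_domain_user() {
    domain=$1
    user=$2
    want_uid=$3
    want_gid=$4
    entry=$(getent passwd "${domain}\\${user}") || {
        echo "NSS cannot resolve ${domain}\\${user}: check nsswitch.conf and winbindd" >&2
        return 1
    }
    passwd_entry_matches "$entry" "$want_uid" "$want_gid" || {
        echo "ids differ from AD: $entry (expected $want_uid:$want_gid)" >&2
        return 1
    }
    echo "ok: $entry"
}

# Constructed sample nsswitch.conf used when run stand-alone.
sample_nsswitch() {
    printf '%s\n' \
        'passwd:         compat winbind' \
        'group:          compat winbind' \
        'shadow:         compat   # winbind intentionally absent' \
        'hosts:          files dns'
}

# The line Mark got from 'wbinfo -i' under the rid backend.
RID_LINE='testuser:*:36385:30513::/home/testuser:/bin/bash'

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_nsswitch > "$tmp"
    for db in passwd group shadow; do
        if nss_has_winbind "$tmp" "$db"; then echo "$db: winbind present"
        else echo "$db: winbind MISSING"; fi
    done
    rm -f "$tmp"
    if passwd_entry_matches "$RID_LINE" 30089 100; then echo "ids match AD"
    else echo "ids do not match AD (rid backend computes them)"; fi
fi
```

Run it with `--demo` to exercise the constructed input, or call `check_domain_user DEVELOPMENT testuser 30089 100` on the joined host. If you want the uidNumber/gidNumber from AD honoured, the rid backend cannot do it by design; that needs `idmap config DEVELOPMENT : backend = ad` with `idmap config DEVELOPMENT : schema_mode = rfc2307`, `winbind nss info = rfc2307`, and an `idmap config DEVELOPMENT : range` that contains every uidNumber and gidNumber in use, including a gidNumber on the user's primary group (Domain Users by default).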
