[Samba] Make a share owned by a service account available to members of an AD group
Tovey, Mark
MTovey at go2uti.com
Fri Oct 9 21:42:07 UTC 2015
Here is my configuration:
smb.conf:
[global]
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 500
log level = 3
workgroup = DEVTST-CORP
realm = DEVTST-CORP.GO2UTI.COM
security = ADS
password server = sinmdp04.devtst-corp.go2uti.com
passdb backend = tdbsam
domain master = no
local master = no
preferred master = no
disable netbios = yes
dns proxy = no
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 5000-29999
idmap config DEVTST-CORP:backend = ad
idmap config DEVTST-CORP:schema_mode = rfc2307
idmap config DEVTST-CORP:range = 30000-99999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind normalize names = Yes
map untrusted to domain = yes
map to guest = Bad Uid
guest account = nobody
load printers = no
printcap name = /dev/null
printing = bsd
[data]
path = /opt/app/data
read only = no
writable = yes
browseable = no
guest ok = yes
hide dot files = yes
hide special files = yes
force user = webserv
force group = webserv
create mask = 0644
directory mask = 0755
valid users = @DEVTST-CORP\smbgrp
write list = @DEVTST-CORP\smbgrp
resolv.conf:
domain devtst.go2uti.com
search devtst.go2uti.com devtst-corp.go2uti.com
nameserver 10.240.4.100
nameserver 10.254.4.125
nameserver 10.8.246.38
/krb5.conf:
[logging]
default = FILE:/var/log/samba/krb5libs.log
kdc = FILE:/var/log/samba/krb5kdc.log
admin_server = FILE:/var/log/samba/kadmind.log
[libdefaults]
default_realm = DEVTST-CORP.GO2UTI.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = true
[realms]
DEVTST-CORP.GO2UTI.COM = {
kdc = sinmdp04.devtst-corp.go2uti.com:88
admin_server = sinmdp04.devtst-corp.go2uti.com:749
default_domain = DEVTST-CORP
}
[domain_realm]
.devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
net ads testjoin:
Join is OK
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389
Until you can get 'getent passwd username' to return the user's info, it will never work, and I can assure you it will work if everything is set up correctly.
Can you post:
smb.conf
/etc/resolv.conf
/etc/krb5.conf
The result of 'net ads testjoin'
Rowland
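As an added check, not part of this thread or of Samba itself: a small Python linter over the posted smb.conf that parses it into sections and flags the three things a reviewer would want to confirm on an AD member server, that the idmap ranges do not overlap, that 'map to guest = Bad Uid' turns the very symptom discussed here (an AD user with no resolvable uid) into a guest session, and that a 'guest ok = yes' share also carries 'force user'. The embedded SMB_CONF is a constructed excerpt of the configuration above; the function names are my own.

```python
import re
# Constructed excerpt of the smb.conf posted in this thread (only the keys the checks read).
SMB_CONF = r"""[global]
idmap config *:backend = tdb
idmap config *:range = 5000-29999
idmap config DEVTST-CORP:backend = ad
idmap config DEVTST-CORP:schema_mode = rfc2307
idmap config DEVTST-CORP:range = 30000-99999
winbind nss info = rfc2307
map to guest = Bad Uid
[data]
guest ok = yes
force user = webserv
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; key whitespace is normalised."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][" ".join(key.split())] = value
    return conf

def check_member_config(conf):
    """Return review findings for an AD member server config (empty list = nothing flagged)."""
    findings, glob = [], conf.get("global", {})
    ranges = {}  # idmap domain ('*' = default) -> (low, high)
    for key, value in glob.items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:
            ranges[m.group(1)] = tuple(int(x) for x in value.split("-"))
    doms = sorted(ranges)
    for i, a in enumerate(doms):  # winbind rejects overlapping idmap ranges
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    if glob.get("map to guest", "").lower() == "bad uid":
        # The thread's failure mode: an authenticated user with no Unix uid becomes guest.
        findings.append("map to guest = Bad Uid: AD users without a resolvable uid become guest")
    for name, share in conf.items():
        if name != "global" and share.get("guest ok", "no").lower() == "yes" and "force user" in share:
            findings.append(f"[{name}]: guest ok = yes on a share that forces user {share['force user']}")
    return findings
```

Run it against the real /etc/smb.conf by reading the file into parse_smb_conf; the overlap check is the one that Samba itself refuses to start with, the other two are review prompts.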