[Samba] Make a share owned by a service account available to members of an AD group

Rowland Penny rowlandpenny241155 at gmail.com
Fri Oct 9 21:47:01 UTC 2015


On 09/10/15 22:22, Tovey, Mark wrote:
>      So I made the primary group for the testuser account be smbgrp, and its gidNumber is 30124.  Still nothing.  "getent passwd testuser" returns nothing unless testuser is in the local passwd file, and then it returns the attributes that are in the passwd file, not the AD system.

It always will if you have a local user with the same name as an AD 
user; remove the local user.

On the Unix workstation:
Use the smb.conf from the member server page on the wiki (obviously 
change the realm etc to match yours)

On the DC:
create a new user (one that doesn't exist on the workstation), give that 
user the uidNumber '10000'
Give Domain Users the gidNumber '10000'

Back to the workstation:
flush the winbind cache with 'net flush cache'
run 'net ads testjoin'; it should return 'Join is OK'

run 'getent passwd <theNewADuser>'

This should return something like 
'thenewaduser:*:10000:10000::/home/YOURDOMAIN/thenewaduser:/bin/false'

If it doesn't, then you have something else set incorrectly.

Rowland


>      Some time ago I put together a configuration that uses Linux SSSD to communicate with AD.  That allows us to store user account information in AD and authenticate against that.  No local account information is necessary.  It works and does it quite well, but it is a bear to manage, so I try to avoid it (I am planning on switching to an IPA based system instead of my roll-your-own system).
>      I was trying to build this Samba system independent of my SSSD system, but I am wondering if I need to put that between Samba and AD.  That way Samba won't know that it is using AD in the background and will just be using local authentication mechanisms.
>      Does anyone have any experience using Samba in conjunction with SSSD and can offer any advice there?
>      -Mark
>
>
>
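The checks in the sequence above (no local user masking the AD user, flush the winbind cache, 'net ads testjoin', then 'getent passwd' with the expected uidNumber/gidNumber), collected into one script. This is an added example, not code from the thread or from the Samba project. It assumes the values used above: AD user 'thenewaduser' with uidNumber 10000, Domain Users with gidNumber 10000, and a template homedir that yields /home/YOURDOMAIN/thenewaduser (YOURDOMAIN is a placeholder). It calls 'net cache flush', which is the subcommand that empties winbind's cache; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): post-join checks
# for a Samba AD member server. Assumed: AD user 'thenewaduser', uidNumber
# 10000, Domain Users gidNumber 10000, home /home/YOURDOMAIN/thenewaduser.

# shadowed_by_local_user NAME [PASSWD_FILE]
# Returns 0 when NAME has an entry in the local passwd file. nsswitch asks
# 'files' before 'winbind', so such an entry masks the AD user completely:
# getent then reports the local uid/gid, never the AD attributes.
shadowed_by_local_user() {
    awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }' "${2:-/etc/passwd}"
}

# check_passwd_line LINE WANT_UID WANT_GID
# Validates one 'getent passwd' line (name:pw:uid:gid:gecos:home:shell).
# Returns 0 on match, 1 when uid or gid differ from what was set on the DC,
# 2 when LINE is empty (getent found nothing, the symptom in the thread).
check_passwd_line() {
    line=$1
    want_uid=$2
    want_gid=$3
    [ -n "$line" ] || return 2
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    gid=$(printf '%s\n' "$line" | cut -d: -f4)
    [ "$uid" = "$want_uid" ] && [ "$gid" = "$want_gid" ]
}

# home_dir_of LINE
# Prints the home field, so the caller can see whether the template homedir
# from smb.conf is in effect (expected /home/YOURDOMAIN/thenewaduser here).
home_dir_of() {
    printf '%s\n' "$1" | cut -d: -f6
}

# verify_member_server NAME WANT_UID WANT_GID
# Live checks on the workstation; needs Samba's 'net' tool and root.
verify_member_server() {
    name=$1
    want_uid=$2
    want_gid=$3
    if shadowed_by_local_user "$name"; then
        echo "FAIL: '$name' is in /etc/passwd and masks the AD user; remove the local user" >&2
        return 1
    fi
    net cache flush >/dev/null 2>&1          # flush winbind's cache
    if ! net ads testjoin 2>&1 | grep -q 'Join is OK'; then
        echo "FAIL: 'net ads testjoin' did not report 'Join is OK'" >&2
        return 1
    fi
    entry=$(getent passwd "$name")
    rc=0
    check_passwd_line "$entry" "$want_uid" "$want_gid" || rc=$?
    case $rc in
        0) echo "OK: $entry (home: $(home_dir_of "$entry"))" ;;
        1) echo "FAIL: got '$entry', wanted uid $want_uid gid $want_gid; check uidNumber/gidNumber on the DC and the idmap settings in smb.conf" >&2
           return 1 ;;
        2) echo "FAIL: getent returned nothing; check nsswitch.conf, winbind and the idmap settings in smb.conf" >&2
           return 1 ;;
    esac
}

# Run the live checks only when a user name is given, e.g.
#   sh check_ad_user.sh thenewaduser 10000 10000
if [ -n "${1:-}" ]; then
    verify_member_server "$1" "${2:-10000}" "${3:-10000}"
fi
```

Run it as root on the member server after joining; an exit status of 1 with the matching message tells you which of the three steps failed. The parsing functions take the getent line as an argument, so they can be exercised against a captured line without a domain.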