[Samba] Make a share owned by a service account available to members of an AD group

Tovey, Mark MTovey at go2uti.com
Sun Oct 11 04:26:01 UTC 2015


    I looked into using SSSD in between Samba and AD, and it turns out that this is very much an option and is recommended ... as long as I am using EL7.  I am using EL6.  There is a new library, sssd-libwbclient, that creates the interface between Samba and SSSD, but that appears in the SSSD release included with EL7.  The same SSSD release is available for EL6, but for some reason it does not include sssd-libwbclient.  We want to maintain support from our OS vendor, so I need to stick with the version that comes bundled with the OS.  So I guess I will need to see if I can get them to push it out.
    -Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Friday, October 9, 2015 2:47 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to members of an AD group

On 09/10/15 22:22, Tovey, Mark wrote:
>      So I made the primary group for the testuser account be smbgrp, and its gidNumber is 30124.  Still nothing.  "getent passwd testuser" returns nothing unless testuser is in the local passwd file, and then it returns the attributes that are in the passwd file, not the AD system.

It always will if you have a local user with the same name as an AD user; remove the local user.

On the Unix workstation:
Use the smb.conf from the member server page on the wiki (obviously change the realm etc to match yours)

On the DC:
create a new user (one that doesn't exist on the workstation), give that user the uidNumber '10000'
Give Domain Users the gidNumber '10000'

Back to the workstation:
flush the winbind cache with 'net flush cache'
run 'net ads testjoin' it should return 'Join is OK'

run 'getent passwd <theNewADuser>'

This should return something like
'thenewaduser:*:10000:10000::/home/YOURDOMAIN/thenewaduser:/bin/false'

If it doesn't, then you have something else set incorrectly.

Rowland


>      Some time ago I put together a configuration that uses Linux SSSD to communicate with AD.  That allows us to store user account information in AD and authenticate against that.  No local account information is necessary.  It works and does it quite well, but it is a bear to manage, so I try to avoid it (I am planning on switching to an IPA based system instead of my roll-your-own system).
>      I was trying to build this Samba system independent of my SSSD system, but I am wondering if I need to put that between Samba and AD.  That way Samba won't know that it is using AD in the background and will just be using local authentication mechanisms.
>      Does anyone have any experience using Samba in conjunction with SSSD and can offer any advice there?
>      -Mark
>
>
>

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
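The verification steps Rowland lists (no local account of the same name, a working join, and `getent passwd` returning the uidNumber/gidNumber set in AD) scripted as an added example. This is not code from the thread or from the Samba project; it assumes the user name and the uid/gid 10000 used above, and it uses `net cache flush`, the form of the cache-flush subcommand documented in net(8):

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Scripted version of the
# member-server checks: local shadowing, domain join, and NSS resolution.
# The user name and uid/gid 10000 are taken from the thread; they are placeholders.

# 1. A local passwd entry with the same login name masks the AD user, because
#    NSS consults "files" before "winbind". Reads passwd-format lines on stdin
#    so it can be pointed at any file, e.g. shadowed_locally testuser < /etc/passwd
shadowed_locally() {
    user=$1
    # field 1 of each passwd line is the login name
    awk -F: -v u="$user" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# 2. Check that one passwd line (as printed by `getent passwd <user>`) carries
#    the uidNumber and gidNumber configured in AD (fields 3 and 4).
passwd_matches() {
    line=$1; want_uid=$2; want_gid=$3
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    gid=$(printf '%s\n' "$line" | cut -d: -f4)
    [ -n "$uid" ] && [ "$uid" = "$want_uid" ] && [ "$gid" = "$want_gid" ]
}

# 3. Run the whole sequence against the live workstation. Not called by
#    default, so the two helpers above can be exercised offline.
verify_member_server() {
    user=$1; want_uid=$2; want_gid=$3
    if shadowed_locally "$user" < /etc/passwd; then
        echo "FAIL: '$user' exists in /etc/passwd and will mask the AD account" >&2
        return 1
    fi
    # flush winbind's cache so stale lookups do not hide a configuration fix
    net cache flush >/dev/null 2>&1
    net ads testjoin || { echo "FAIL: machine is not joined to the domain" >&2; return 1; }
    entry=$(getent passwd "$user") || { echo "FAIL: NSS cannot resolve '$user'" >&2; return 1; }
    if passwd_matches "$entry" "$want_uid" "$want_gid"; then
        echo "OK: $entry"
    else
        echo "FAIL: unexpected uid/gid in: $entry" >&2
        return 1
    fi
}

# Usage on the workstation, with the values from the thread:
#   verify_member_server thenewaduser 10000 10000
```

A `FAIL` from the first check is the situation described in the quoted message: the local `testuser` entry in `/etc/passwd` is what `getent` returns, so the AD attributes never become visible no matter how the AD side is configured.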
