[Samba] Cannot browse mode 0700 directories from Windows with security=ads

Ian Collier Ian.Collier at cs.ox.ac.uk
Mon Apr 18 16:48:25 UTC 2016

On Fri, Apr 15, 2016 at 11:43:03PM +0100, Rowland penny wrote:
> Let's see if I can describe how it is supposed to work:

> You run smbd, this gives you fileserving capabilities but you need users &
> groups. The users & groups in /etc/passwd and /etc/group are unknown to
> Samba, so you need to make them known to Samba. You can do this in a few ways,
> but when you use 'security = ADS', it is usually done by getting them from
> AD. You can do this with sssd or by running winbind, or by using nslcd. The
> first two ways can be done without modifying AD, but the last would require
> you to add uidNumber & gidNumber attributes.

nslcd is running, in fact.  However, the AD server does not have uidNumber
and gidNumber attributes for the users in question.  Maybe this is part
of the problem?

I'm confused as to how it is so nearly working at the moment, however.
There must be some translation going on between the Windows users who
log in and the Unix file permissions.  Indeed, "wbinfo -S" can give me
the Unix uid of a Windows user.

The problem we have is that Unix group permissions are not being respected.
I think that "force group = +groupname" goes most of the way to remedy
this, but it's a hack.  But again, why does that work if the Unix groups
are unknown to Samba?

Advice from elsewhere was to use "username map script = /bin/echo".
Could you explain what that actually does?  As noted in the beginning,
this does actually solve the group access problem but now forbids
people from accessing private files that they own.

> Have you tried setting up the machine as a standalone server instead?
> Commenting the 'security' line in smb.conf will do this. The only downside
> to this would be that you would have to keep the passwords in sync and add all
> the users to Samba on the standalone machine with 'smbpasswd -a user'

That is a *really big* downside, to be honest.  The reason for using
security=ads is so that our Windows users can use their existing
credentials to access the service.  Also, our passwd file contains
over a thousand users.  The majority of them won't use Samba, but...
which ones?

Ian Collier.
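As an added illustration, not configuration from the thread or from the Samba project: an smb.conf fragment for a security = ads member server showing the two mapping setups Rowland contrasts, winbind deriving uids/gids from RIDs (no AD changes) versus winbind reading the rfc2307 uidNumber/gidNumber attributes from AD (the same attributes nslcd consumes). The domain name EXAMPLE and the id ranges are assumptions.

```ini
# Added example, not from the thread. Domain EXAMPLE, realm and ranges are
# placeholders chosen for illustration.
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads

   # Fallback backend for well-known SIDs and any domain not listed below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Option A: winbind computes uid/gid from the RID in each SID.
   # Nothing is written to AD, but the numbers exist only on this server:
   # for a 0700 directory to be reachable, the uid winbind produces has
   # to equal the uid that already owns the directory on disk.
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999

   # Option B (disable A before enabling this): take uidNumber/gidNumber
   # from AD, so winbind, nslcd and the filesystem all agree on every
   # uid/gid. Requires those attributes to be populated for each user/group.
   ;idmap config EXAMPLE : backend = ad
   ;idmap config EXAMPLE : schema_mode = rfc2307
   ;idmap config EXAMPLE : range = 10000-999999
   ;winbind nss info = rfc2307

   winbind use default domain = yes
   winbind enum users = no
   winbind enum groups = no
```

After `testparm -s` accepts the file and winbind is restarted, `wbinfo -S <SID>` and `id <user>` should report the same uid and group list that `ls -ln` shows on the share; where they differ, that difference is what denies the owner access to their own mode 0700 directory.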
