[Samba] FW: kerberos nfs4's principals and root access

Bruno MACADRÉ bruno.macadre at univ-rouen.fr
Tue Aug 2 15:05:37 UTC 2016

It's ok

So, if I create a httpuser and an httpgroup in my AD and use these at 
owner and group for my apache2 daemon, this one could access to userdirs 
(while permissions granting it) ? But I need to cron 'kinit' to keep 
valid ticket... ?

My local root user always can't access to the share, but my other 
problem seems to be resolved.


Le 02/08/2016 à 16:37, Rowland Penny a écrit :
> On Tue, 2 Aug 2016 16:02:41 +0200
> Bruno MACADRÉ <bruno.macadre at univ-rouen.fr> wrote:
>> ** I truncate my initial mail below for size reason **
>> I've tried your tips but nothing better.... AD users can still
>> accessing share (ouf !!), but local users not more.
>> I can't find where it blocks....
>> Thanks for your help Louis,
>> Greetz,
>> Bruno
>> Le 02/08/2016 à 15:33, L.P.H. van Belle a écrit :
>>> You keep 2 ranges.
>>> One for the “local (linux) users”
>>>      idmap config *:backend = tdb
>>>      idmap config *:range = 11-9999
> Please don't use 'range = 11-9999', it will not do what you think it
> will do. the '*' range is used for the 'BUILTIN' users & groups etc, so
> if you have system users or groups that use an ID in the range
> 11-1000, they will conflict with the Windows well known SIDs.
> You can have local Unix users & groups, you can have AD domain users &
> groups, you can make an AD domain user or group into a Unix user or
> group by adding RFC2307 attributes, but what you cannot do, is to have
> the same user or group name in both /etc/passwd or /etc/group and AD
> i.e. www-data can exist in /etc/passwd but it cannot be in AD at the
> same time.
> To use kerberos, you need an SPN or UPN, this (as far as a Samba AD DC
> is concerned) needs to be stored in AD, so if the user isn't in AD, it
> cannot use kerberos.
> Rowland


  Ingénieur Systèmes et Réseau     | Systems and Network Engineer
  Département Informatique         | Department of computer science
  Responsable Info SER             | SER IT Manager
  Université de Rouen              | University of Rouen
Coordonnées / Contact :
	Université de Rouen
	Faculté des Sciences et Techniques - Madrillet
	Avenue de l'Université
	CS 70012
	76801 St Etienne du Rouvray CEDEX

	Tél : +33 (0)2-32-95-51-86
	Mob : +33 (0)6-74-71-45-64

More information about the samba mailing list