[Samba] valid users with AD group

Rowland Penny rpenny at samba.org
Thu Dec 15 20:09:51 UTC 2016


On Thu, 15 Dec 2016 13:50:09 -0600
jsl6uy js16uy via samba <samba at lists.samba.org> wrote:

> Hello all, hope all is well/happy holidays
> 
> Issues with an old thread out there, valid users containing an AD
> group
> 
> Have tried this on systems running cent7u2 and ubuntu trusty. These
> systems are running sssd. I can login with AD users and chown/chgrp
> file with AD groups. However, I can't get AD groups to work with
> valid users for restricting share access. If I just set individual AD
> users, works just fine.
> I did troll thru googles and this mailing list, but many posts were
> leveraging winbind or winbind and older versions of samba. Faqs and
> docs led me to try several variants for valid users =
> 
> @"MC\MC-Services"
> @"MC\\MC-Services"
> @MC-Services
> MC-Services
> 
> Any thoughts/help would be greatly appreciated.
> thanks and regards
> 
> 
> some samba vers on the centos host
> samba-common-4.2.3-12.el7_2.noarch
> samba-common-tools-4.2.3-12.el7_2.x86_64
> samba-common-libs-4.2.3-12.el7_2.x86_64
> samba-4.2.3-12.el7_2.x86_64
> samba-libs-4.2.3-12.el7_2.x86_64
> samba-client-libs-4.2.3-12.el7_2.x86_64
> 
> [root at Xsamba]# smbd -V
> Version 4.2.3
> 
> 
> >>>Here is the config
> 
> [global]
>         workgroup = mc
>         server string = Samba Server Version %v
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         security = ads
>         bind interfaces only = yes
>         interfaces=192.168.99.0/24
>         dedicated keytab file=/etc/krb5.keytab
>         password server = 192.168.1.2 192.168.1.3
>         realm = MC.FOO.COM
>         passdb backend = tdbsam
>         map to guest = Bad Uid
> 
> 
> [homes]
>         comment = Home Directories
>         browseable = no
>         writable = yes
> 
> [logs]
>         comment = Server Logs
>         path = /logs
>         writable = no
>         #valid users = jsmith
>         valid users = @"MC\MC-Services"
>         printable = no
> ~

Is the Samba machine joined to the domain?
If so, then stop trying to get 'valid users' to work and use Windows
ACLs instead:

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Other than that, as you are using sssd, I suggest you try the
sssd-users mailing list. sssd has nothing to do with Samba.

Rowland


