[Samba] valid users with AD group

jsl6uy js16uy js16uy at gmail.com
Thu Dec 15 21:28:16 UTC 2016


understood sir
I will hit them up. Locally everything works. For example I can chown a
folder to be owned by an AD group with 2770. I can't access that share,
when setup similarly to the way it is setup in the link you directed me to.
However I can login into the host via passwd/kerberos ticket and chdir into
that directly without issue, below the user is part of MC-Services,
apologies not trying to be overly obvious.


drwxrwsr-x   3 appadmin MC-Services  4096 Dec 15 14:47 logs

The other prep work/prereqs in that link all work/comply on the testing
system. The system knows about AD users and groups and the MACHINE ACCOUNT
works/trusted in AD. I can leverage auto.smb to "walk" to cifs shares like
HOSTNAME\C$

It seems like I need to get that info to samba, however, I know you stated
to move away from valid users, but singly listed AD users work with valid
users. This kind of abstraction is nice so I don't have to tweak FS perms
to "match" shared out access. Right now with the local FS perms above I can
get into the share if I have the share set up as below

[logs]
        comment = Server Logs
        path = /logs
        writable = no
        valid users = jsmith
        printable = no

So it seems samba can handle the users, but not the info, or can't get the info, for
the AD groups and/or the members of those AD groups. If I change the owner
of the dir to be completely owned by appadmin, the testing user can no
longer get into the share, makes sense.

So with samba on this host I can connect to a shared out directory that
does not have other/o access if a group the user is part of can access the
directory, if I list out that user singly as shown above.

So it's just this AD group mapping that is the issue.

I know, long, just trying to better state where I'm at, further confusions
on my end

thanks again sir

On Thu, Dec 15, 2016 at 2:40 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Thu, 15 Dec 2016 14:31:25 -0600
> jsl6uy js16uy <js16uy at gmail.com> wrote:
>
> > Thanks very much for the quick response/info sir
> > Server is joined to the domain, which, I think, the info I listed
> > demonstrates, apologies if not
> >
> > sssd has nothing to do with Samba.
> > >>I somewhat understand that sir. I listed mainly to provide info on
> > >>auth
> > methods and services on the host. In case not listing affected
> > diagnosis, and just in case samba did something different interacting
> > on system with sss as a source for user/group accounting info
> >
>
> What I was trying to get across is, because you are using sssd, Samba
> isn't doing the authentication and this could be a large part of your
> problem. This is the Samba mailing list and we do not have the
> information and expertise to deal with sssd problems.
>
> Rowland