[Samba] Samba 4 with sssd - primary Windows group membership not honored
Harry Jede
walk2sun at arcor.de
Thu Mar 24 11:46:00 UTC 2016
Hi Joe,
> Greetings!
>
> I am working with Samba 4 as a domain member fileserver (not a domain
> controller, just a normal ads member fileserver). Operating system
> is Centos 7. SSSD is configured and pulling information correctly.
>
> I had to work around a bug that wasn't fixed in a released version,
> so I am using a recent copy from git.. smbd -V:
> Version 4.5.0pre1-GIT-c06058a
>
> I'm relying on Windows ACLs for access control. Many of my ACLs
> reference the Domain Users group. What I'm seeing is that if a user
> has "Domain Users" as their primary group (which is common here)
> that the "Domain Users" group doesn't show up in their list of SIDs.
> If a different group is primary for that user, then "Domain Users"
> will show up in the SID list and Samba will allow access properly
> (though the new primary group won't work correctly)
>
> Is there some magic somewhere that I'm missing with how Samba 4
> treats the primary windows group?

No, I believe the magic you are searching for is nss.
There is one group which is defined two times, the name of this group is
users. The nss stops searching if a definition is found.

You may have 3 possibilities:
1) change the order in /etc/nsswitch.conf
*Not recommended*
2) rename/delete users in /etc/group
*Not really recommended* but will work
3) use another group name for users in ad and map Domain Users
to this group, choose a gid other than 100

> It's definitely hard to keep
> straight which parts of the system are responsible for SID mapping
> and management once you add in winbind and sssd..
>
> Any pointers would be very appreciated. If there is any debug output
> that I can provide, I would be happy to..
>
> Thanks!
>
> Joe
>
> --
> *Joseph Dickson*
> Director of IT Systems, Evolve Tele-Services, Inc.
--
Regards
Harry Jede
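
The reply above attributes the problem to a group name that exists in two NSS sources, with the lookup stopping at the first definition found. As an added example (not part of the original thread), this Python check reports such collisions from the `group:` order in nsswitch.conf and per-source group listings; all sample data, including GID 10513 and the member names, is constructed.

```python
import re

def nss_group_sources(nsswitch_text):
    """Return the ordered source list from the 'group:' line of nsswitch.conf."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("group:"):
            rest = line.split(":", 1)[1]
            # Drop action items such as [NOTFOUND=return]; keep source names only.
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

def parse_group_db(text):
    """Parse group(5) lines (name:passwd:gid:members) into {name: gid}."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            groups.setdefault(parts[0], int(parts[2]))
    return groups

def shadowed_groups(order, dbs):
    """List names defined in 2+ sources: the first source in 'order' wins."""
    findings = []
    names = set().union(*(dbs.get(s, {}) for s in order))
    for name in sorted(names):
        hits = [(s, dbs[s][name]) for s in order if name in dbs.get(s, {})]
        if len(hits) > 1:
            findings.append({"name": name, "winner": hits[0], "shadowed": hits[1:]})
    return findings

# Constructed sample input (assumed layout, not taken from the poster's host).
NSSWITCH = "passwd: files sss\ngroup:  files sss   # local files first\n"
FILES_GROUP = "root:x:0:\nwheel:x:10:\nusers:x:100:\n"
SSS_GROUP = "users:*:10513:joe,harry\nit-staff:*:10620:joe\n"

if __name__ == "__main__":
    order = nss_group_sources(NSSWITCH)
    dbs = {"files": parse_group_db(FILES_GROUP), "sss": parse_group_db(SSS_GROUP)}
    for f in shadowed_groups(order, dbs):
        src, gid = f["winner"]
        print(f"group '{f['name']}': resolved by {src} (gid {gid}), "
              f"shadowing {f['shadowed']}")
```

On a live host the per-source text can be collected with `getent -s files group users` and `getent -s sss group users`.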