[Samba] using AD groups in "username map"
Matthias Leopold
matthias.leopold at meduniwien.ac.at
Mon Feb 19 16:03:31 UTC 2018
Hi,
i'm trying to setup Samba 4.6 on CentOS 7.4 as a Domain Member of a
Windows 2012R2 Domain Controller with AD. To administer share security i
have to use the "username map" feature. This works when i enumerate
individual AD users there. When i want to use AD groups it only works
with "primary" groups. This way i can't use the "Domain Admins" group
from AD there, since "primary" group (unix style) of all AD users is
"Domain Users".
I'm using the "rid" idmap backend, where i can't change linux primary
group membership of AD users (to my experience). I know i can change
linux primary group membership with the "ad" idmap backend, but also
only when using the Unix extensions in AD (changing Windows primary
group has no effect and is deprecated anyway). I want to avoid this and
don't want to believe this is necessary in the first place.
Some configuration details:
smb.conf:
security = ADS
passdb backend = tdbsam
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-999999
winbind enum users = yes
winbind enum groups = yes
username map = /etc/samba/user.map
/etc/samba/user.map:
!root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"
-> this doesn't work!
/etc/nsswitch.conf:
passwd: files winbind
group: files winbind
# sudo -u 'MYDOMAIN\mleopo53' id
uid=13627(MYDOMAIN\mleopo53) gid=10513(MYDOMAIN\domain users)
groups=10513(MYDOMAIN\domain
users),3000(BUILTIN\administrators),3001(BUILTIN\users),10512(MYDOMAIN\domain
admins),10572(MYDOMAIN\denied rodc password replication
group),13627(MYDOMAIN\mleopo53)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
How can i solve this?
--
Matthias Leopold
IT Systems & Communications
Medizinische Universität Wien
Spitalgasse 23 / BT 88 /Ebene 00
A-1090 Wien
Tel: +43 1 40160-21241
Fax: +43 1 40160-921200
More information about the samba
mailing list