[Samba] using AD groups in "username map"
Matthias Leopold
matthias.leopold at meduniwien.ac.at
Wed Feb 21 08:29:20 UTC 2018
Am 2018-02-20 um 17:47 schrieb Rowland Penny via samba:
> On Tue, 20 Feb 2018 17:06:32 +0100
> Matthias Leopold <matthias.leopold at meduniwien.ac.at> wrote:
>
>>
>>
>> Am 2018-02-19 um 17:39 schrieb Rowland Penny via samba:
>>> On Mon, 19 Feb 2018 17:03:31 +0100
>>> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> i'm trying to setup Samba 4.6 on CentOS 7.4 as a Domain Member of a
>>>> Windows 2012R2 Domain Controller with AD. To administer share
>>>> security i have to use the "username map" feature. This works when
>>>> i enumerate individual AD users there. When i want to use AD
>>>> groups it only works with "primary" groups. This way i can't use
>>>> the "Domain Admins" group from AD there, since "primary" group
>>>> (unix style) of all AD users is "Domain Users".
>>>>
>>>> I'm using the "rid" idmap backend, where i can't change linux
>>>> primary group membership of AD users (to my experience). I know i
>>>> can change linux primary group membership with the "ad" idmap
>>>> backend, but also only when using the Unix extensions in AD
>>>> (changing Windows primary group has no effect and is deprecated
>>>> anyway). I want to avoid this and don't want to believe this is
>>>> necessary in the first place.
>>>>
>>>> Some configuration details:
>>>>
>>>> smb.conf:
>>>> security = ADS
>>>> passdb backend = tdbsam
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 3000-7999
>>>> idmap config MYDOMAIN : backend = rid
>>>> idmap config MYDOMAIN : range = 10000-999999
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> username map = /etc/samba/user.map
>>>
>>> Is that your entire smb.conf ?
>>>
>>>>
>>>> /etc/samba/user.map:
>>>> !root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"
>>>
>>> I have never tried to map a group to a User, but in any case you
>>> don't need to ;-)
>>>
>>> You are using the 'rid' backend, so 'Domain Admins' gets a group
>>> ID, or to put it another way, the underlying Unix OS knows who
>>> 'Domain Admins' is.
>>> Have you read this:
>>>
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> This is the documentation i have been following. I was trying to use
>> "acl_xattr:ignore system acls = yes" for the first time. This doesn't
>> seem to work (as i expected). When i use the default
>> "acl_xattr:ignore system acls = no" everything is fine and i don't
>> have to use a "username map".
>>
>> thx
>> matthias
>>
>
> Hmm, bit of a catch 22 situation here, to use members of 'Domain
> Admins' to set the ACLs on a share directory, the group for the share
> directory must be 'Domain Admins', but if you tell Samba to ignore the
> system acls, then 'Domain Admins' will not have permission on the
> share.
I initially intuitively thought so too, but stubbornly (and stupidly)
kept wondering why it "didn't work". Thanks for demonstrating a way how
to use "acl_xattr:ignore system acls = yes", but i'll stick to the
default now, i don't have a real reason to change it
Regards
Matthias
More information about the samba
mailing list