[Samba] (no subject)

Rowland penny rpenny at samba.org
Fri Jun 14 14:53:30 UTC 2019

On 14/06/2019 15:31, Denis Cardon via samba wrote:
> Hi Ryan,
>> Sorry for the repost: my message delivery was set to digest, and that
>> was hard to manage use for conversation. I changed that setting. So
>> starting clean with the same subject...
>> I don't care about SSSD or whether it's even on the machine or not.
>> Right now, it's only used by the machine for login. It isn't used by
>> Samba, and I am very careful to let libwbclient-sssd nowhere near the
>> system to avoid the problems that causes.
>> I have looked into the idmap_rid backend, and I do not understand how it
>> could be helpful here. I'm not saying I think it isn't; I'm just saying
>> I don't understand. If I'm missing something, please do help if you can.
>> What I essentially need, which is accomplished by the configuration in
>> the wiki article I provided for old Samba versions when winbindd is not
>> used, is:
>> 1. Windows user attempts to access share with credentials from either
>> already having logged in on a machine with a domain account or by
>> employing "Connect using different credentials" to spontaneously login
>> with a domain account.
>> 2. Samba (with winbindd) performs authentication of username %U against
>> Active Directory domain EXAMPLE.COM, effectively authenticating \%U
>> 3. If authentication fails, stop. If authentication succeeds, ignore SID,
>> groups and everything else from the AD server, because that server is
>> *only* to be used for authentication of %U. Continue processing.
>> 4. Use username %U to query the LDAP server at ldap.mydomain.com for
>> UID, GID, and UNIX groups.
> You can achieve the same thing by copying your uidnumber/gidnumber into
> the AD attributes and using the rfc2307 idmap module on your member
> server.
>> 5. Given information returned from step 4, check user authorization
>> against share definition requirements and permit access for user with
>> UID and GID set as per LDAP lookup.
>> And it's essentially just:
>> https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP
> I'd say it isn't, in the sense that you want to have share definition
> authorization, which is enforced by Samba (which then would require
> Samba to know about group membership et al.). If you don't have any
> share authorization, then I guess you should be able to use
> filesystem UGO/ACL restriction (as per the wiki page you mentioned).

Totally agree, and I don't think the method on that page is relevant any
more. I don't think it will work either; it was written for use with
Samba 3.3.x at most.
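The approach Denis suggests above (store uidNumber/gidNumber in AD and let winbind read them through the RFC 2307 schema) as an added smb.conf fragment for the member server; this is not from the thread or the Samba wiki, and the workgroup name, realm and ID ranges are assumptions to adapt:

```ini
# smb.conf on the domain member (added example, not from the thread).
# Assumptions: realm EXAMPLE.COM / NetBIOS name EXAMPLE as in Ryan's
# message; the UID/GID ranges below are placeholders to adapt.
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS

   # Default map for BUILTIN and any domain without its own config.
   # Its range must not overlap the domain range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Read the uidNumber/gidNumber copied into AD (RFC 2307 attributes)
   # instead of allocating IDs locally, so every member server maps a
   # given user to the same UID/GID. Accounts without these attributes,
   # or with IDs outside the range, get no mapping and are refused
   # rather than silently handed a fresh ID.
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999

   # Take loginShell and unixHomeDirectory from the same AD attributes.
   winbind nss info = rfc2307
```

Check the result with `wbinfo -i EXAMPLE\\someuser` and `id someuser`: both should show the UID/GID stored in AD, and a user without the attributes should fail to resolve.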
