[Samba] (no subject)
rpenny at samba.org
Fri Jun 14 14:53:30 UTC 2019
On 14/06/2019 15:31, Denis Cardon via samba wrote:
> Hi Ryan,
>> Sorry for the repost: my message delivery was set to digest, and that
>> is hard to use for conversation. I changed that setting. So starting
>> clean with the same subject...
>> I don't care about SSSD or whether it's even on the machine or not.
>> Now, it's only used by the machine for login. It isn't used by Samba,
>> and I
>> am very careful to let libwbclient-sssd nowhere near the system to avoid
>> the problems that causes.
>> I have looked into the idmap_rid backend, and I do not understand how it
>> could be helpful here. I'm not saying I think it isn't; I'm just
>> saying I
>> don't understand. If I'm missing something, please do help if you can.
>> What I essentially need, which is accomplished by the configuration
>> in the
>> wiki article I provided for old Samba versions when winbindd is not
>> used is:
>> 1. Windows user attempts to access share with credentials from either
>> already having logged in on a machine with a domain account or by
>> "Connect using different credentials" to spontaneously login with a
>> 2. Samba (with winbindd) performs authentication of username %U against
>> Active Directory domain EXAMPLE.COM, effectively authenticating
>> 3. If authentication fails, stop. If authentication succeeds, ignore
>> groups and everything else from the AD server, because that server is
>> *only* to be used for authentication of %U. Continue processing.
>> 4. Use username %U to query the LDAP server at ldap.mydomain.com for
>> GID, and UNIX groups.
> You can achieve the same thing by copying your uidNumber/gidNumber into
> the AD attributes and using the rfc2307 idmap module on your member server.
>> 5. Given information returned from step 4, check user authorization
>> share definition requirements and permit access for user with UID and
>> set as per LDAP lookup.
>> And it's essentially just:
> I'd say it isn't, in the sense that you want to have share definition
> authorization, which is enforced by Samba (which then would require
> Samba to know about group membership et al.). If you don't have any
> share authorization, then I guess you should be able to use
> filesystem UGO/ACL restriction (as per the wiki page you mentioned).
Totally agree, and I don't think the method on that page is relevant any
more; I don't think it will work either, as it was written for use with
Samba 3.3.x at most.
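For reference, an added example of what Denis's suggestion looks like on the member server (this is not configuration posted by anyone in the thread): the ad idmap backend reading RFC 2307 attributes from AD, with EXAMPLE.COM, the workgroup name and the ID ranges as assumed placeholders.

```ini
# Added example, not from the thread. Member server that takes uidNumber and
# gidNumber from AD (after they have been copied there from the LDAP server)
# via the ad idmap backend in rfc2307 schema mode. Realm, workgroup and the
# ranges are assumed placeholders; adjust them to the site.
[global]
   security = ADS
   realm = EXAMPLE.COM
   workgroup = EXAMPLE

   # Default domain (BUILTIN, local SIDs, anything not matched below):
   # allocated in a local tdb. This range must not overlap the AD range.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Domain users and groups: IDs come only from the AD attributes.
   # A user with no uidNumber, or whose primary group has no gidNumber,
   # does not resolve at all, so the mapping fails closed instead of
   # silently allocating an ID.
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999

   # Also take loginShell / unixHomeDirectory from AD (Samba 4.6 and later;
   # older releases use "winbind nss info = rfc2307" instead).
   idmap config EXAMPLE : unix_nss_info = yes

   winbind use default domain = yes
   winbind refresh tickets = yes
   winbind enum users = no
   winbind enum groups = no
```

With winbind in nsswitch.conf, `getent passwd <user>` should then return the AD-stored UID/GID; a domain user that does not resolve usually lacks a uidNumber or a primary group with a gidNumber.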