[Samba] Samba winbind on redhat 7

Edouard Guigné eguigne at pasteur-cayenne.fr
Fri Jun 21 14:39:00 UTC 2019


Hello,

I am facing 2 issues now.
The first one is the more critical for me...

1. When I switch from sssd to winbind with :
# authconfig --enablekrb5 --enablewinbind --enablewinbindauth 
--enablemkhomedir --update

My sftp access did not work. Does it change the way to pass the login ?
I used to connect in sftp with userlogin / userpassword

/var/log/secure :

Jun 21 11:08:31 [localhost] sshd[17379]: Invalid user sftpuser from x.x.x.x port 50187
Jun 21 11:08:31 [localhost] sshd[17379]: input_userauth_request: invalid user sftpuser [preauth]
Jun 21 11:08:31 [localhost] sshd[17379]: pam_unix(sshd:auth): check pass; user unknown
Jun 21 11:08:31 [localhost] sshd[17379]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost.mydomain.fr
Jun 21 11:08:32 [localhost] sshd[17379]: Failed password for invalid user sftpusert from x.x.x.x port 50187 ssh2

Do I need now to pass MYDOMAIN\userlogin / userpassword or something 
like that ?
How can I check the correct syntax ?
I would like to use userlogin / userpassword for sftp access.


2. Concerning the samba share :
I set permissions for the share "groups" located on /var/datashared for 
"domain admins" (rwx) and "domain users" (r-x)
/var]# getfacl datashared/
# file: datashared/
# owner: root
# group: root
user::rwx
group::r-x
group:MYDOMAIN\134admins\040du\040domaine:rwx
group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:mask::rwx
default:other::---

+ # chmod 0770 /var/datashared/

As you can see acls for "Domain users" are not in default acls

I create a TESTIT folder (on /var/datashared); the owner of it is user 
"MYDOMAIN\mydomainadmin".
"mydomainadmin" is part of the "domain admins" group.
# getfacl TESTIT/
# file: TESTIT/
# owner: MYDOMAIN\mydomainadmin
# group: MYDOMAIN\134admins\040du\040domaine
user::rwx
group::r-x
group:MYDOMAIN\134admins\040du\040domaine:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:mask::rwx
default:other::---

I connect as mydomainadmin on Windows 7, and start to change acls :
I remove "everybody"
and
add group "informatique" with "total control" to security tab of TESTIT

On linux, it shows :
# getfacl TESTIT/
# file: TESTIT/
# owner: MYDOMAIN\mydomainadmin
# group: MYDOMAIN\134admins\040du\040domaine
user::rwx
user:MYDOMAIN\mydomainadmin:rwx
group::rwx
group:MYDOMAIN\134admins\040du\040domaine:rwx
group:MYDOMAIN\134informatique:rwx
mask::rwx
other::---
default:user::rwx
default:user:MYDOMAIN\mydomainadmin:rwx
default:group::r-x
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:group:MYDOMAIN\134informatique:rwx
default:mask::rwx
default:other::---

Now, I logon in Windows 7 as usertest (primary group is "Domain 
users" and is part of the group "informatique").
I create a folder TEST in TESTIT and a file test.txt in TESTIT.
I get these acls on the TEST folder :
# getfacl TEST/
# file: TEST/
# owner: MYDOMAIN\usertest
# group: MYDOMAIN\134utilisateurs\040du\040domaine
user::rwx
user:MYDOMAIN\usertest:rwx
group::r-x
group:MYDOMAIN\134admins\040du\040domaine:rwx
group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
group:MYDOMAIN\134informatique:rwx
mask::rwx
other::---
default:user::rwx
default:user:MYDOMAIN\usertest:rwx
default:group::r-x
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
default:group:MYDOMAIN\134informatique:rwx
default:mask::rwx
default:other::---

Why are "group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x" and 
"default:group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x" added ?
I expected not to get these acls concerning "domain users", because 
the folder TESTIT has no default "Domain users" acls.
I don't want them...
Is there a way to remove this ??

Thank you for all your help,

Edouard

On 20/06/2019 at 14:16, Edouard Guigné via samba wrote:
> This way is so easier...
>
> Thank you Rowland
>
> On 20/06/2019 at 14:01, Rowland penny via samba wrote:
>> On 20/06/2019 17:54, Edouard Guigné via samba wrote:
>>> My idea is to replace default "cifs_idmap_sss.so" plugin by 
>>> "idmapwb.so" winbind plugin, in order to SSSD becomes a client of 
>>> winbind.
>>> To avoid to change nsswitch.conf :
>>> passwd:     files sss
>>> shadow:     files sss
>>> group:      files sss
>>>
>>> into
>>>
>>> passwd:     files winbind
>>> shadow:     files winbind
>>> group:      files winbind
>>>
>>> because I need an other access in sftp, this is using default sssd.
>>>
>>> I tried mixed configuration like :
>>> passwd:     files sss winbind  (or files winbind sss)
>>> shadow:     files sss winbind (or files winbind sss)
>>> group:      files sss winbind (or files winbind sss)
>>>
>>> which gave poor result, very slow access to the share especially 
>>> when click on security tab on windows 7.
>>>
>>>
>>> On 20/06/2019 at 13:32, Rowland penny via samba wrote:
>>>> On 20/06/2019 17:19, Edouard Guigné via samba wrote:
>>>>> Hello,
>>>>>
>>>>> I am reading RHEL 7 docs concerning samba integration, and I found 
>>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index#winbind 
>>>>>
>>>>>
>>>>> "4.2.4. Switching Between SSSD and Winbind for SMB Share Access
>>>>> This procedure describes how you can switch between SSSD and 
>>>>> Winbind plug-ins that are used for accessing SMB shares from SSSD 
>>>>> clients. "
>>>>>
>>>>> Who is responsible for the development of the "Winbind plug-in" 
>>>>> used for accessing SMB shares from SSSD clients ?
>>>>> Samba team or RHEL SSSD team ?
>>
>> Make sure smb.conf is set up correctly
>>
>> authconfig --enablekrb5 --enablewinbind --enablewinbindauth 
>> --enablemkhomedir --update
>>
>> Check that the passwd, group and shadow lines in /etc/nsswitch.conf 
>> look like this:
>>
>> passwd:     files winbind
>> group:      files winbind
>>
>> shadow:   files
>>
>> yum remove sssd*
>>
>> You should be good to go
>>
>>
>
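To see which of TEST's ACL entries actually came from TESTIT's default ACL, here is an added example (not from the post and not Samba's own tooling) that parses getfacl output, decodes its \134 / \040 octal escapes, and diffs a child's access ACL against its parent's default ACL. The TESTIT and TEST samples are constructed from the listings above.

```python
import re

# getfacl escapes special bytes in names as \NNN octal: \134 is '\', \040 is a space.
_OCT = re.compile(r"\\([0-7]{3})")

def unescape(name):
    return _OCT.sub(lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Split getfacl output into (access, default) dicts keyed by (tag, qualifier)."""
    access, default = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and '# file/owner/group' headers
            continue
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        target[(tag, unescape(qualifier))] = perms
    return access, default

def inheritance_diff(parent_text, child_text):
    """Named entries on the child not explained by the parent's default ACL (extra),
    and parent default entries the child never received (missing)."""
    _, parent_default = parse_getfacl(parent_text)
    child_access, _ = parse_getfacl(child_text)
    named = lambda acl: {k: v for k, v in acl.items() if k[1]}  # drop owner/group/mask/other
    pd, ca = named(parent_default), named(child_access)
    return ({k: v for k, v in ca.items() if k not in pd},
            {k: v for k, v in pd.items() if k not in ca})

# Constructed samples, trimmed to the relevant lines of the TESTIT and TEST listings.
TESTIT = r"""
default:user::rwx
default:user:MYDOMAIN\134mydomainadmin:rwx
default:group::r-x
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:group:MYDOMAIN\134informatique:rwx
"""
TEST = r"""
user::rwx
user:MYDOMAIN\134usertest:rwx
group::r-x
group:MYDOMAIN\134admins\040du\040domaine:rwx
group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
group:MYDOMAIN\134informatique:rwx
"""
```

Run `inheritance_diff(TESTIT, TEST)` on real `getfacl` output of the parent and child to list the entries that Samba added beyond plain POSIX default-ACL inheritance (here the creator and the creator's primary group) and the parent defaults that were not carried over.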

