[Samba] Samba4 with AD + Linux ACL's - permission problem
andre.aun at gmail.com
Wed Nov 11 10:00:58 UTC 2020
Ronald, thanks for pointing me to the right direction. I will now drive 100
km to get into the customer office, and the first thing I will do is read
I have been scratching my head for some days on this problem. If I consider
only my Samba share (forgetting about NFS, etc), why am I getting a
permission denied error with user1?
On Wed, Nov 11, 2020 at 05:50, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 11/11/2020 02:40, André Aun via samba wrote:
> > Hi experts,
> > I have a Samba4/AD scenario which is driving me crazy.
> > On some servers, I have the same volume mounted on /share. I am using
> > different servers as gateways to export this content using HTTP, NFS, FTP
> > and CIFS. AD authentication is a must.
> > On the Linux machine where Samba is running, I have joined it to the domain
> > using PBIS (domainjoin-cli join [DomainName [DomainAccount]). After this, I
> > was able to SSH to the server using my AD credentials.
> > Then, I joined Samba as domain member using "net ads join". And user
> > authentication on Samba using AD is working fine. The problem comes
> > Under /share, I have a complex directory tree. On my Samba setup, what I
> > want is to configure just a single share, and every permission below this
> > share should be managed using Linux ACLs and AD groups. Reason: as I said
> > before, I'm exporting this share using other servers and I don't want my
> > customer having to manage smb.conf, httpd.conf, etc... every time he
> > creates a subdirectory.
> > Everything is working fine, until the point I assign a group permission to
> > a subdirectory. Example: user1 is a member of more than 20 AD groups,
> > including "srv-admin" (primary group is "domain users"). On Linux, I
> > mkdir /share/dir1
> > chown root:srv-admin /share/dir1
> > chmod 770 /share/dir1
> > ls -ld /share/dir1:
> > drwxrwx---. 4 root srv-admin 4096 Nov 9 15:36 /share/dir1
> > When the user logs in via SSH, he can enter the directory and create files
> > as expected. When the user mounts the share via CIFS, he can't enter the
> > directory or create files. Looks like Samba (looking at the logs) is using
> > just its primary group (domain users), not the supplementary groups.
> > Here is my smb.conf:
> > [global]
> > workgroup = MYDOMAIN
> > realm = MYDOMAIN.ORG.BR
> > security = ads
> > idmap config MYDOMAIN:schema-mode rfc2307
> > idmap config MYDOMAIN:range = 15777216-9999999999
> > idmap config MYDOMAIN:backend = ad
> > idmap config * : range = 1000-2000
> > template shell = /bin/bash
> > kerberos method = secrets only
> > winbind use default domain = no
> > winbind offline logon = false
> > netbios name = SAMBA1
> > server string = SAMBA1
> > log level = 3
> > log file = /var/log/samba/%m
> > max log size = 50
> > printcap name = cups
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
> > [ibira]
> > comment = Samba share
> > path = /share
> > browseable = yes
> > read only = no
> > valid users = +"Domain Users"
> > Again, I don't want to use "force group", "write list" etc directives on
> > the Samba share.
> Good, because you cannot use 'force group' etc
> > What I need to do is make Samba understand the Linux
> > ACLs, as if the user was logged in via ssh.
> No, you want to, but logging in via SSH and Samba is different.
> > What am I doing wrong?
> Oh lots, one of which is that you only have one share and you are not
> only sharing it via Samba, you are also sharing it via NFS and they use
> different ACLs.
> Can I suggest you read this:
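If, as André suspects, the Samba session carries only the user's primary group while the SSH session (via PBIS/NSS) carries all AD groups, the same 770 directory is reachable one way and denied the other. As an added example, not code from this thread, the Python below models that POSIX mode check: it parses the quoted `ls -ld` line and evaluates it against two constructed group tokens (all group names except srv-admin and domain users are made up).

```python
import re
from dataclasses import dataclass
# Constructed sample: the 'ls -ld' line quoted in the thread.
LS_LINE = "drwxrwx---. 4 root srv-admin 4096 Nov 9 15:36 /share/dir1"
# type, mode, optional '.'/'+' marker, links, owner, group, size, month, day, time, path
_LS_RE = re.compile(
    r"^[dl-]([rwxsStT-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(\S+)$"
)

@dataclass(frozen=True)
class Entry:
    owner: str
    group: str
    perms: str  # nine mode characters, e.g. "rwxrwx---"
    path: str

@dataclass(frozen=True)
class Token:
    user: str
    primary_group: str
    supplementary: frozenset = frozenset()  # empty when the server never resolved them
    def groups(self) -> set:
        return {self.primary_group} | set(self.supplementary)

def parse_ls(line: str) -> Entry:
    """Parse one 'ls -ld' line into owner, group and mode characters."""
    m = _LS_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised ls -ld line: {line!r}")
    perms, owner, group, path = m.groups()
    # setuid/setgid/sticky letters imply 'x' when lowercase, no 'x' when uppercase
    return Entry(owner, group, perms.translate(str.maketrans("stST", "xx--")), path)

def allowed(entry: Entry, token: Token, want: str) -> bool:
    """Classic POSIX mode check: owner class wins, else group class, else other."""
    if token.user == entry.owner:
        cls = entry.perms[0:3]
    elif entry.group in token.groups():
        cls = entry.perms[3:6]
    else:
        cls = entry.perms[6:9]
    return all(ch in cls for ch in want)

# Constructed tokens: SSH (PBIS/NSS) saw all AD groups; the Samba session got only the primary group.
SSH_TOKEN = Token("user1", "domain users", frozenset({"srv-admin", "finance"}))
SMB_TOKEN = Token("user1", "domain users")

def explain(line: str = LS_LINE) -> dict:
    e = parse_ls(line)  # 'rx' = traverse and list the directory
    return {"ssh": allowed(e, SSH_TOKEN, "rx"), "smb": allowed(e, SMB_TOKEN, "rx")}
```

On the Samba host, comparing `wbinfo -r user1` with `id user1` shows whether winbind actually resolved the same supplementary groups that NSS returned.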