[Samba] Guides to AD integration using Win ACL and nested groups
rpenny at samba.org
Mon Jun 28 14:59:18 UTC 2021
On Mon, 2021-06-28 at 14:23 +0000, Deas, Jim via samba wrote:
> I am having issues understanding the options required to make Samba
> use native Windows ACLs. If I remove WinACL 'everybody' from a
> share's folder, it becomes unavailable even though AD group
> membership should allow it.
> Currently I can use wbinfo to obtain all users and groups from Win AD
> which I believe confirms winbind is working correctly
Yes that confirms that winbind can contact AD, it doesn't confirm that
your OS knows who your AD users are.
> (using ad backend , should I be using rid?)
> Currently running 'net rpc group list' I only see Guest,
> Administrators and Users. (Do I need to create local AD groups?)
Ah, that sort of confirms it, I do not think you have added any
uidNUmber or gidNumber attributes to AD. No, do not create any local
users or groups.
> Share is stored on an ext4fs with xattr and I see the security
> information being written to the folder and file xattr when changed
> from Windows's AD manager.
> I'm sure I am crossing the streams here a bit, is there a good guide
> showing the use of Windows ACLs exclusively outside of sssd
> (including nested groups so I believe sssd is out)
If you want shares, then sssd is definitely out.
> I have downloaded 'Setting up a Share Using Windows ACLs" from the
> SambaWiki but I must be misinterpreting the contents.
Have you read this:
> Here is the config:
> workgroup = MYGROUP
> security = ADS
> realm = MYREALM.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server signing = no
> strict sync = no
> min protocol = SMB2
> ea support = yes
> log level = 1 auth:5 winbind:5
> log file = /var/log/samba.log
> idmap config * : backend = tdb
> idmap config * : range = 500 - 9999
Don't use that range, it means that you cannot have any local users.
More information about the samba