[Samba] Guides to AD integration using Win ACL and nested groups
Rowland Penny
rpenny at samba.org
Mon Jun 28 14:59:18 UTC 2021
On Mon, 2021-06-28 at 14:23 +0000, Deas, Jim via samba wrote:
> I am having issues understanding the options required to make Samba
> use native Windows ACLs. If I remove WinACL 'everybody' from a
> share's folder, it becomes unavailable even though AD group
> membership should allow it.
>
> Currently I can use wbinfo to obtain all users and groups from Win AD
> which I believe confirms winbind is working correctly
Yes, that confirms that winbind can contact AD; it doesn't confirm that
your OS knows who your AD users are.
> (using ad backend, should I be using rid?)
Very probably.
> Currently running 'net rpc group list' I only see Guest,
> Administrators and Users. (Do I need to create local AD groups?)
Ah, that sort of confirms it; I do not think you have added any
uidNumber or gidNumber attributes to AD. No, do not create any local
users or groups.
> Share is stored on an ext4fs with xattr and I see the security
> information being written to the folder and file xattr when changed
> from Windows' AD manager.
>
> I'm sure I am crossing the streams here a bit, is there a good guide
> showing the use of Windows ACLs exclusively outside of sssd
> (including nested groups so I believe sssd is out)
If you want shares, then sssd is definitely out.
> I have downloaded 'Setting up a Share Using Windows ACLs' from the
> SambaWiki but I must be misinterpreting the contents.
Have you read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Here is the config:
>
> [global]
> workgroup = MYGROUP
> security = ADS
> realm = MYREALM.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> server signing = no
> strict sync = no
> min protocol = SMB2
> ea support = yes
>
> log level = 1 auth:5 winbind:5
> log file = /var/log/samba.log
> idmap config * : backend = tdb
> idmap config * : range = 500 - 9999
Don't use that range, it means that you cannot have any local users.
Rowland