[Samba] Guides to AD integration using Win ACL and nested groups

Rowland Penny rpenny at samba.org
Tue Jun 29 17:40:07 UTC 2021


On Tue, 2021-06-29 at 16:04 +0000, Deas, Jim wrote:
> After joining the domain and dropping all ldap functions, if I run id
> <user at domain> I get a list of all AD groups and what appears to be a
> calculated local proxy with the same group name. If I run id <user>
> instead, I only see the local proxy. Looking at the idmap config
> seems to support this conclusion. What's strange is running 'getent
> group' on the proxy does not show any users at all. Is this where the
> xattr comes into play via samba?

Do you know anything about Samba? Possibly the older versions?
If so, forget most of it :-)

Properly set up, Samba makes your AD users & groups into local Unix
users without needing any actual users or groups in /etc/passwd &
/etc/group.

Let's look at what getent passwd returns for myself:
getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

The IDs come from AD (I use the 'ad' backend)

To obtain those results I had to install a few packages and modify
/etc/nsswitch.conf

I use Devuan, so I installed libpam-winbind libnss-winbind libpam-krb5
I modified /etc/nsswitch.conf by adding 'winbind' to the 'passwd' and
'group' lines.

If you are not using a Debian based distro, you need to install the
packages that replace the ones I installed.

> 
> Does that sound correct? Does idmap using RID manage the nested group
> structure by dynamically creating local flattened groups (but without
> members)?

All that idmap_rid (the winbind 'rid' backend) manages is the Unix
IDs, it does not manage any groups except to give them an ID.

> Is this where samba and xattr come into play by supplying the access
> context? Does it support advanced Win ACLs like traverse as well? Is
> this the only way to completely support Win ACLs on samba shares?

You can use Windows ACLs (or as near as possible) by setting the
permissions from Windows. You can get pretty close by using 'setfacl'
on Linux.

Rowland
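
The setup described in the reply above (winbind added to the passwd and
group lines of nsswitch.conf, Unix IDs supplied by the winbind 'ad'
backend, idmap_rid doing nothing but hand out IDs), as an added shell
example. It is not part of this thread and not Samba's own code. The
workgroup SAMDOM, realm SAMDOM.EXAMPLE.COM, the idmap ranges, the sample
nsswitch.conf contents and the acl_xattr lines in the generated smb.conf
are assumptions; the getent line it checks is the one quoted in the reply.

```shell
#!/bin/sh
# Added example, not from the original thread or from Samba.
# Assumed values: SAMDOM / SAMDOM.EXAMPLE.COM, idmap ranges, sample nsswitch.conf.

# Constructed sample nsswitch.conf (typical Debian defaults before winbind).
SAMPLE_NSSWITCH='passwd:         files systemd
group:          files systemd
shadow:         files
hosts:          files dns'

# Assumed domain idmap range; must match the smb.conf written below.
DOMAIN_RANGE_LOW=10000
DOMAIN_RANGE_HIGH=999999

# nsswitch_has_winbind FILE DB -> exit 0 if the "DB:" line lists winbind.
nsswitch_has_winbind() {
    grep -Eq "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|$)" "$1"
}

# nsswitch_add_winbind FILE: append winbind to the passwd and group lines
# only if it is missing. Idempotent; leaves every other database line alone.
nsswitch_add_winbind() {
    for db in passwd group; do
        if ! nsswitch_has_winbind "$1" "$db"; then
            sed "s/^\([[:space:]]*$db:.*\)$/\1 winbind/" "$1" > "$1.tmp" \
                && mv "$1.tmp" "$1"
        fi
    done
}

# rid_to_uid RID [LOW]: all idmap_rid does with an ID is arithmetic:
# uid/gid = RID - base_rid + LOW, with base_rid defaulting to 0.
rid_to_uid() {
    echo $(( $1 + ${2:-$DOMAIN_RANGE_LOW} ))
}

# uid_in_domain_range GETENT_PASSWD_LINE -> exit 0 if the uid field (3rd)
# lies in the domain idmap range, i.e. the ID came from the domain backend
# and not from the '*' fallback range used for BUILTIN/well-known SIDs.
uid_in_domain_range() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    [ "$uid" -ge "$DOMAIN_RANGE_LOW" ] && [ "$uid" -le "$DOMAIN_RANGE_HIGH" ]
}

# write_smbconf FILE: minimal [global] for a member server using the 'ad'
# backend (IDs read from uidNumber/gidNumber in AD). The commented 'rid'
# lines are the alternative when AD carries no RFC2307 attributes.
write_smbconf() {
    cat > "$1" <<EOF
[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   # fallback backend for BUILTIN and well-known SIDs
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # domain IDs come from AD (uidNumber / gidNumber)
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = ${DOMAIN_RANGE_LOW}-${DOMAIN_RANGE_HIGH}
   idmap config SAMDOM : unix_nss_info = yes
   # alternative: IDs computed from the RID, no AD attributes needed
   # idmap config SAMDOM : backend = rid
   # idmap config SAMDOM : range = ${DOMAIN_RANGE_LOW}-${DOMAIN_RANGE_HIGH}
   winbind use default domain = yes
   # keep the Windows ACL in the security.NTACL xattr beside the POSIX ACL
   vfs objects = acl_xattr
   map acl inherit = yes
EOF
}

# demo: run the helpers on the constructed sample and the quoted getent line.
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_NSSWITCH" > "$f"
    nsswitch_add_winbind "$f"
    cat "$f"
    rm -f "$f"
    echo "RID 1104 via idmap_rid -> uid $(rid_to_uid 1104)"
    if uid_in_domain_range 'rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash'; then
        echo "uid 10000 is inside the SAMDOM idmap range"
    fi
}
demo
```

On a real member server the same checks run against /etc/nsswitch.conf and
the output of getent passwd for a domain user: a uid outside the domain
range, or no result at all, means the configured backend did not supply an
ID (for the 'ad' backend, typically a user without uidNumber in AD).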