[Samba] smb won't allow users from other ou share access
pgoetz at math.utexas.edu
Fri Mar 4 17:34:43 UTC 2022
On 3/4/22 11:18, Rowland Penny via samba wrote:
> On Fri, 2022-03-04 at 10:59 -0600, Patrick Goetz via samba wrote:
>> On 3/3/22 17:47, Fuhriman, Nathanael [US] (SP) (Contr) via samba
>>> I have samba set up to share files on a system using SSSD hooked to
>>> AD for user accounts. Some users are able to access the shares and
>>> others are not. I finally narrowed it down to users that are in a
>>> specific OU in AD. Those in that OU can access the shares. All
>>> others are denied access. For example, users in OU=employees are
>>> able to access but users in OU=contractors are not able to access.
>> From your description my suspicion is that a GPO is responsible for
>> this, not Samba. What OU to suspect depends on how your network is
>> configured; i.e. are all the shares coming from the same file
>> Does that file server have GPO-based access restrictions to that OU?
> Could be a GPO but doubtful
I'm unsure on this point because I haven't tried this, but it's entirely
possible to restrict access to a domain-bound server using a security
group. The question is whether or not this can be made to apply to
shares coming from that server.
>> If it's not that, comb through your /etc/sssd/sssd.conf file looking
>> for anything that references that OU.
>> It could be samba if you have these restrictions embedded in your
>> /etc/samba/smb.conf file, but I'm assuming you've checked for this
> As far as I am aware, Samba has nothing to restrict the search base in
> smb.conf, but I seem to remember that sssd has.
I thought the problem was access to a share, not searching the database
-- is there a connection here I'm missing? Samba does allow
restrictions to groups:
    valid users = @my_special_group
Maybe it doesn't make sense to have OU based restrictions in smb.conf
(this would be handy, of course), but they might have OU based security
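
The check suggested in this thread (comb sssd.conf for anything that references the OU, and smb.conf for share restrictions such as `valid users`) can be scripted. This is an added example, not part of the original message: the two config texts are constructed samples, and the option lists are a selection from the sssd and smb.conf man pages, not an exhaustive set.

```python
import configparser
import re

# Assumed selection of options that narrow who SSSD resolves or admits.
SSSD_KEYS = {"ldap_search_base", "ldap_user_search_base", "ldap_group_search_base",
             "ad_access_filter", "ldap_access_filter", "access_provider",
             "simple_allow_users", "simple_allow_groups", "ad_gpo_access_control"}
# smb.conf parameters that restrict share access by user, group or host.
SMB_KEYS = {"valid users", "invalid users", "hosts allow", "hosts deny"}
OU_RE = re.compile(r"\bOU=[^,)]+", re.IGNORECASE)

def audit(text, keys):
    """Return (section, option, value, OUs named in value) for every option
    that is in `keys` or whose value mentions an OU component."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    # Strip indentation so indented smb.conf lines are not read as continuations.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    hits = []
    for section in cp.sections():
        for opt, val in cp.items(section):
            ous = OU_RE.findall(val)
            if opt in keys or ous:
                hits.append((section, opt, val, ous))
    return hits

# Constructed sample files; on a real host read /etc/sssd/sssd.conf and
# /etc/samba/smb.conf instead.
SAMPLE_SSSD = """
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = ad
ldap_user_search_base = OU=employees,DC=example,DC=com
"""
SAMPLE_SMB = """
[global]
   security = ads
[projects]
   path = /srv/projects
   valid users = @my_special_group
"""

if __name__ == "__main__":
    for name, text, keys in (("sssd.conf", SAMPLE_SSSD, SSSD_KEYS),
                             ("smb.conf", SAMPLE_SMB, SMB_KEYS)):
        for section, opt, val, ous in audit(text, keys):
            print(f"{name} [{section}] {opt} = {val}  OUs: {ous or '-'}")
```

A user search base pinned to one OU, as in the constructed sssd.conf, means accounts outside that OU never resolve on the host, so Samba cannot map them to a Unix user regardless of what smb.conf allows.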