On Thu, Dec 15, 2016 at 10:28:06PM -0000, js16uy@gmail.com wrote:
Hello all, hope all is well/happy holidays
Checked on the samba list and they directed me here..... My issue is valid users in smb.conf containing an AD group
I have tried this on systems running cent7u2 and ubuntu trusty. These systems are running sssd. I can log in with AD users and chown/chgrp files with AD groups. However, I can't get AD groups to work with valid users in the smb.conf for restricting share access. If I just set individual AD users, it works just fine.
Also locally everything works as expected. For example I can chown a folder to be owned by an AD group with 2770. I can log into the host via passwd/kerberos ticket and chdir into that directory without issue. Below, the user in question is part of MC-Services; apologies, not trying to be overly obvious.
drwxrwsr-x 3 appadmin MC-Services 4096 Dec 15 14:47 logs
Again, singly listed AD users work with valid users. This kind of abstraction is nice so I don't have to tweak FS perms to "match" shared out access. Right now with the local FS perms above I can get into the share if I have the share set up as below

[logs]
comment = Server Logs
path = /logs
writable = no
valid users = jsmith
printable = no
So it seems samba can handle the users, but not AD groups, or can't get the info/membership for the AD groups. If I change the owner of the dir to be completely owned by appadmin, the testing user can no longer get into the share, which makes sense.
Any thoughts/help would be greatly appreciated. thanks and regards
some info on samba vers on the centos host
samba-common-4.2.3-12.el7_2.noarch
samba-common-tools-4.2.3-12.el7_2.x86_64
samba-common-libs-4.2.3-12.el7_2.x86_64
samba-4.2.3-12.el7_2.x86_64
samba-libs-4.2.3-12.el7_2.x86_64
samba-client-libs-4.2.3-12.el7_2.x86_64

[root@Xsamba]# smbd -V
Version 4.2.3
Here is the SAMBA config
[global]
workgroup = mc
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
security = ads
bind interfaces only = yes
interfaces=192.168.99.0/24
dedicated keytab file=/etc/krb5.keytab
password server = 192.168.1.2 192.168.1.3
realm = MC.FOO.COM
passdb backend = tdbsam
map to guest = Bad Uid

[homes]
comment = Home Directories
browseable = no
writable = yes

[logs]
comment = Server Logs
path = /logs
writable = no
#valid users = jsmith
valid users = @"MC\MC-Services"
printable = no
Is there anything related in the samba logs? You might need to increase the log level to get more details?
What does the sssd.conf look like?
Does "getent group 'MC\MC-Services'" return the expected group?
bye, Sumit
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
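
The getent question in the reply above can be applied to every active "valid users" entry of an smb.conf at once. This is an added example, not part of the original thread and not Samba or sssd code; check_valid_users, _resolves, SAMPLE and the injectable lookup parameters are hypothetical names, and the sample config is constructed from the [logs] share quoted above.

```python
import grp
import pwd
import re

# One "valid users" entry: optional @ + & prefix, then a quoted or bare name.
ENTRY = re.compile(r'([@+&]*)(?:"([^"]*)"|([^\s,"]+))')

# Constructed sample, modelled on the [logs] share quoted in the thread.
SAMPLE = r'''
[logs]
path = /logs
#valid users = jsmith
valid users = @"MC\MC-Services"
'''


def _resolves(lookup, name):
    """True if the NSS lookup (the one getent performs) finds the name."""
    try:
        lookup(name)
        return True
    except KeyError:
        return False


def check_valid_users(conf_text,
                      group_exists=lambda n: _resolves(grp.getgrnam, n),
                      user_exists=lambda n: _resolves(pwd.getpwnam, n)):
    """Return (share, entry, kind, resolved) per active 'valid users' entry."""
    results, share = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            share = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        # smb.conf ignores case and whitespace in parameter names
        if not sep or re.sub(r"\s+", "", key).lower() != "validusers":
            continue
        for prefix, quoted, bare in ENTRY.findall(value):
            name = quoted or bare
            if "@" in prefix or "+" in prefix:     # looked up as a Unix group
                results.append((share, prefix + name, "group", group_exists(name)))
            elif prefix:                            # '&' alone: NIS netgroup, not checked
                results.append((share, prefix + name, "netgroup", None))
            else:
                results.append((share, name, "user", user_exists(name)))
    return results
```

Calling check_valid_users(open("/etc/samba/smb.conf").read()) on the Samba host uses the real NSS lookups; a group entry reported with resolved False is one that getent group would not return either.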