[Samba] Using AD groups for samba access

Hi,
I'm trying to use AD groups to control access to samba exported disk space. The model is as follows:

A unix group "ad_samba_group" owns the space to be exported. This group has no members. There is an AD group "test-ad-group" that has as members the people who are to be able to access the space. All users who access the space have local (NIS) unix accounts. The machine serving the space is a member of the Active Directory.

I was hoping that by setting up a group mapping between the AD and unix group that any member of the AD group would be able to access the space owned by the (mapped) unix group. Alas this does not seem to be the case.


My questions are:

Is this model actually possible?

How does the group mapping work and is winbind required for it?

Are there any magic ingredients required for smb.conf?

Is there a saner way to achieve this?

I'm really trying to avoid using the winbind group/user mapping functionality, as it maps every group in the AD to a unix group and would involve manually editing the winbindd_idmap.tdb to get the correct GID and UID assignment, which is critical.


The details are:

[Samba 3.0.28-35]
[RHEL 5 2.6.18-53.1.14.el5 #1 SMP x86_64]

The following SID was put in with net groupmap and is obtained from the AD.

[root@nas-test samba]# net groupmap list verbose
test-ad-group
        SID       : S-1-5-21-861567501-1417001333-682003330-319925
        Unix gid  : 273021
        Unix group: ad_samba_group
        Group type: Domain Group
        Comment   : Domain Unix group

[root@nas-test samba]# cat /etc/samba/smb.conf
[global]

        workgroup = ED
        realm = ED.AC.UK
        netbios name = NAS-TEST
        log file = /var/log/samba/%m.log
        max log size = 1000
        log level = 3
        security = ADS
        encrypt passwords = yes
        password server = aviemore.ucs.ed.ac.uk
        wins server = 129.215.13.14
        dns proxy = yes

#=========== Share Definitions =======

[test2]
  comment = AD permissions test
  path = /data/test2
  valid users = @ad_samba_group
  msdfs root = yes
  public = no
  writable = yes


If I try to connect to the share I get the following error:

ristretto > smbclient //nas-test.ecdf.ed.ac.uk/test2 -W ED
Password:
Domain=[ED] OS=[Unix] Server=[Samba 3.0.28-SerNet-RedHat]
tree connect failed: NT_STATUS_ACCESS_DENIED

The interesting bits of the logfile seem to be:

[2008/05/12 12:14:50, 3] auth/auth.c:check_ntlm_password(221)
check_ntlm_password: Checking password for unmapped user [ED]\[eroche]@[RISTRETTO] with the new password interface
[2008/05/12 12:14:50, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [ED]\[eroche]@[RISTRETTO]
..
..
[2008/05/12 12:14:50, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid @ad_samba_group does not start with 'S-'.
..
..
[2008/05/12 12:14:50, 2] smbd/service.c:make_connection_snum(616)
user 'eroche' (from session setup) not permitted to access this share (test2)
[2008/05/12 12:14:50, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED


Thanks

Ewan

--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
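The following is an added example, not code from the post or from the Samba project. It models the part of smbd's share-access decision that the log above exercises: each `valid users` entry is resolved according to the prefix rules documented in smb.conf(5) ("@" tries an NIS netgroup first and then a unix group, "+" is unix group only, "&" is netgroup only, no prefix is a user name), and a group entry admits a session either because the user is a member of the unix group via NSS or because the SID the group is mapped to in `net groupmap` appears in the session's token. The groupmap output and share definition are the constructed copies of the ones in the post; the unix group is empty, as the post says; the contents of the session token (`Session.sids`) are an assumption supplied by the caller, since whether smbd populates the token with the AD group SID on this particular setup is exactly the open question of the post. The "does not start with 'S-'" line in the log is what you see when a name rather than a SID string is handed to string_to_sid before the name lookup runs; the model treats it as informational and shows that the actual denial comes from the entry not matching anything the session carries.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the `net groupmap list verbose` output quoted in the post.
GROUPMAP_OUTPUT = """\
test-ad-group
        SID       : S-1-5-21-861567501-1417001333-682003330-319925
        Unix gid  : 273021
        Unix group: ad_samba_group
        Group type: Domain Group
        Comment   : Domain Unix group
"""

# Constructed sample: the [test2] share from the smb.conf quoted in the post.
SMB_CONF = """\
[global]
        workgroup = ED
        security = ADS

[test2]
  comment = AD permissions test
  path = /data/test2
  valid users = @ad_samba_group
  public = no
  writable = yes
"""

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


@dataclass
class Session:
    """A connected user as smbd sees it: the mapped user name plus the group SIDs in its token."""
    username: str
    sids: set = field(default_factory=set)   # assumption: whatever the authentication path put here


def parse_groupmap(text):
    """Return {unix_group_name: sid} from `net groupmap list verbose` output."""
    mappings, sid = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SID\s*:\s*(\S+)", line)
        if m:
            sid = m.group(1)
            continue
        m = re.match(r"\s*Unix group\s*:\s*(\S+)", line)
        if m and sid:
            mappings[m.group(1)] = sid
            sid = None
    return mappings


def parse_valid_users(conf):
    """Return {share: [entries]} for every non-global section that sets `valid users`."""
    shares, share = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            share = line[1:-1]
            continue
        if share and share != "global" and line.lower().startswith("valid users"):
            value = line.partition("=")[2].strip()
            shares[share] = [e for e in re.split(r"[,\s]+", value) if e]
    return shares


def entry_allows(entry, session, groupmap, unix_groups, netgroups):
    """True if one `valid users` entry admits the session (model of smbd's check, not its code)."""
    prefix, name = (entry[0], entry[1:]) if entry and entry[0] in "@+&" else ("", entry)
    if prefix == "":                                   # plain user name
        return name.lower() == session.username.lower()
    if prefix in "@&" and name in netgroups:            # '@' and '&' try an NIS netgroup first
        return session.username in netgroups[name]
    if prefix == "&":                                   # netgroup only, and there is no such netgroup
        return False
    # '@' (no netgroup of that name) or '+': a unix group. Two ways to be a member:
    if session.username in unix_groups.get(name, set()):   # 1. NSS says the user is in the group
        return True
    sid = groupmap.get(name)                                # 2. the group's mapped SID is in the token
    return sid is not None and sid in session.sids


def check_share(entries, session, groupmap, unix_groups, netgroups):
    """Return (allowed, per-entry reasons); allowed if any entry admits the session."""
    reasons = []
    for e in entries:
        ok = entry_allows(e, session, groupmap, unix_groups, netgroups)
        reasons.append(f"{e}: {'match' if ok else 'no match'}")
    return any(r.endswith(": match") for r in reasons), reasons


def groupmap_problems(entries, groupmap):
    """Flag group entries with no `net groupmap` entry or a malformed SID (config lint only)."""
    problems = []
    for e in entries:
        if e[:1] in "@+":
            sid = groupmap.get(e[1:])
            if sid is None:
                problems.append(f"{e}: no groupmap entry")
            elif not SID_RE.match(sid):
                problems.append(f"{e}: malformed SID {sid}")
    return problems


if __name__ == "__main__":
    gm = parse_groupmap(GROUPMAP_OUTPUT)
    shares = parse_valid_users(SMB_CONF)
    unix_groups = {"ad_samba_group": set()}       # empty, as described in the post
    netgroups = {}                                # assumption: no NIS netgroup of that name
    for share, entries in shares.items():
        print(share, "lint:", groupmap_problems(entries, gm) or "ok")
        # Session as the log shows it, with no AD group SID in the token: denied.
        print(share, check_share(entries, Session("eroche"), gm, unix_groups, netgroups))
        # Session whose token carries the mapped SID: the same entry now matches.
        print(share, check_share(entries, Session("eroche", {gm["ad_samba_group"]}),
                                 gm, unix_groups, netgroups))
```

The point the model makes explicit is that `valid users = @ad_samba_group` never looks at who is in the AD group directly: it asks whether this session's token already contains the SID that the group name resolves to, or whether NSS puts the user in the unix group. An empty unix group and a token without the domain group SID give NT_STATUS_ACCESS_DENIED regardless of how correct the `net groupmap` entry is.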
