LinuxQuestions.org, Linux - Server forum
Old 01-04-2013, 12:41 AM   #1
sunnysthakur
Member
 
Registered: Aug 2012
Posts: 40

Rep: Reputation: Disabled
How to Map AD groups to Samba share


I have set up a Samba share server which is authenticating against Active Directory.

I am able to access the share with an AD user but not able to access it when a group is defined in the "valid users" parameter.

Below are the steps I performed.

In smb.conf

[global]
workgroup = QASLABS
password server = WIN-60I6H2BG237.qaslabs.net
realm = QASLABS.NET
preferred master = no
security = ADS
idmap backend = ad
idmap uid = 100-20000000
idmap gid = 100-20000000
winbind separator = +
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
preferred master = no
server string = Linux Test Machine
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
netbios name = smbad
hosts allow = 127.0.0.1 192.16.17.0/24
passdb backend = tdbsam
template homedir = /home/%U
winbind nss info = rfc2307

[Data]
comment = Directory for storing Data
path= /opt/data
valid users = @NETWORK+itadmin NETWORK+testadmin
#valid users = @"QASLABS.NET\\itadmin"
writeable = yes
browseable=yes
create mask = 775
directory mask = 775
hosts allow = 127.0.0.1 192.16.17.0/24


In /etc/nsswitch.conf

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers: db files
netmasks: files
networks: files
protocols: db files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus

On executing wbinfo -u I am getting the user list from AD.

[root@smbad ~]# wbinfo -u
administrator
guest
krbtgt
testdev
testadmin
testhr
testqa
testit
testcmt
testsupp
testituser

On executing wbinfo -g I am getting the group list from AD, but the groups I created on AD are not displayed in this list [i.e. itadmin].

[root@smbad ~]# wbinfo -g
BUILTIN+administrators
BUILTIN+users
SMBAD+itadmin
domain computers
domain controllers
domain admins
domain users
domain guests
group policy creator owners
read-only domain controllers
dnsupdateproxy
cert publishers
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
dnsadmins
schema admins
enterprise admins
enterprise read-only domain controllers

Please help on how to map AD groups to Samba so that group permissions can be set up on Samba.
 
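Two things have to hold before an AD group can be named in `valid users`: NSS (getent, backed by winbind) must resolve the group to a gid inside the configured idmap range, and the token in smb.conf must use this winbind's own prefix and separator. The smb.conf above uses `idmap backend = ad` with `winbind nss info = rfc2307`, so winbind takes the gid from the group's gidNumber attribute in AD and a group without one resolves to nothing; it also writes `@NETWORK+itadmin` although the workgroup is QASLABS and `winbind use default domain = yes` drops the own-domain prefix entirely. The following script is an added example, not code from the thread: it builds the expected token and validates a `getent group` line against the idmap range. WORKGROUP, the separator and the idmap range are copied from the posted smb.conf; the sample `getent` lines are constructed so it runs offline, and it only calls the real `getent` when `wbinfo` is installed.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an AD group can be used in a
# Samba 'valid users' line. NSS must resolve the group to a gid inside the idmap
# range, and the name written in smb.conf must use this winbind's own
# prefix/separator. WORKGROUP, SEPARATOR, USE_DEFAULT_DOMAIN and the idmap range
# are copied from the thread's smb.conf; the sample 'getent group' lines in
# resolve_group are constructed for offline use.

WORKGROUP="QASLABS"
SEPARATOR="+"
USE_DEFAULT_DOMAIN="yes"
IDMAP_LOW=100
IDMAP_HIGH=20000000

# Token Samba expects in 'valid users' for a winbind group. The '@' prefix marks
# a group; with 'winbind use default domain = yes' the own-domain prefix is
# dropped, otherwise it is WORKGROUP<separator>group (an unrelated prefix such
# as NETWORK+ only resolves if NETWORK is a trusted domain).
valid_users_token() {
    group="$1"
    case "$USE_DEFAULT_DOMAIN" in
        yes|true) printf '@%s\n' "$group" ;;
        *)        printf '@%s%s%s\n' "$WORKGROUP" "$SEPARATOR" "$group" ;;
    esac
}

# Validate one 'getent group' line (name:x:gid:members). Prints "ok <gid>" and
# returns 0, or prints the reason and returns 1. An empty line means NSS could
# not resolve the group at all, which with 'idmap backend = ad' usually means
# the group has no gidNumber attribute in AD.
check_group_line() {
    line="$1"
    if [ -z "$line" ]; then
        echo "unresolved: getent returned nothing (no gid mapping for this group)"
        return 1
    fi
    name=${line%%:*}
    gid=$(printf '%s' "$line" | cut -d: -f3)
    case "$gid" in
        ''|*[!0-9]*) echo "malformed: $line"; return 1 ;;
    esac
    if [ "$gid" -lt "$IDMAP_LOW" ] || [ "$gid" -gt "$IDMAP_HIGH" ]; then
        echo "out of range: $name has gid $gid, idmap range is $IDMAP_LOW-$IDMAP_HIGH"
        return 1
    fi
    echo "ok $gid"
}

# Resolve a group name: use the real NSS stack when winbind is installed,
# otherwise a constructed table standing in for 'getent group' output.
resolve_group() {
    if command -v wbinfo >/dev/null 2>&1; then
        getent group "$1" 2>/dev/null || true
    else
        case "$1" in
            itadmin) echo "itadmin:x:10001:tladmin,usradmin" ;;  # constructed: healthy mapping
            testqa)  echo "testqa:x:5:" ;;                        # constructed: gid below idmap range
            *)       echo "" ;;                                   # constructed: unresolvable group
        esac
    fi
}

# Report on every group named on the command line; nonzero if any group fails.
check_groups() {
    rc=0
    for g in "$@"; do
        printf '%-28s ' "$(valid_users_token "$g")"
        check_group_line "$(resolve_group "$g")" || rc=1
    done
    return $rc
}

main() {
    if [ $# -eq 0 ]; then set -- itadmin testqa nosuchgroup; fi
    check_groups "$@"
    return 0
}
main "$@"
```

Run it with the group names you intend to put in `valid users`; any line other than `ok <gid>` means Samba will not be able to evaluate that group at session setup, whatever the share section says.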
Old 01-04-2013, 05:24 AM   #2
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 649

Rep: Reputation: 66
Confirm your /etc/nsswitch.conf file has the following line:
++++++++++++++++++++++++++++++++
group: files winbind
+++++++++++++++++++++++++++++++++

Thanks
 
Old 01-05-2013, 03:30 AM   #3
sunnysthakur
Member
 
Registered: Aug 2012
Posts: 40

Original Poster
Rep: Reputation: Disabled
Yes, I have added this in nsswitch.conf:

passwd: files winbind
shadow: files winbind
group: files winbind
 
Old 01-07-2013, 01:00 AM   #4
sunnysthakur
Member
 
Registered: Aug 2012
Posts: 40

Original Poster
Rep: Reputation: Disabled
Any help on this will be appreciated.
 
Old 01-09-2013, 01:32 AM   #5
sunnysthakur
Member
 
Registered: Aug 2012
Posts: 40

Original Poster
Rep: Reputation: Disabled
After changing the parameters in /etc/smb.conf I am able to view the users/groups I created on AD.

/etc/samba/smb.conf

workgroup = QASLABS
server string = Samba Server Version %v
password server = adserver.qaslabs.net
realm = QASLABS.NET
preferred master = no
security = ADS
;idmap backend = ad
idmap uid = 500-20000000
idmap gid = 500-20000000
winbind separator = +
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
preferred master = no
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
;netbios name = smbad
hosts allow = 127.0.0.1 192.16.17.0/24
passdb backend = tdbsam
template homedir = /home/%U
;winbind nss info = rfc2307

On executing wbinfo -u I am able to view the AD users created by me.

[root@smbad samba]# wbinfo -u
administrator
guest
krbtgt
tlit
usrit
tladmin
usradmin
tlcmt
usrcmt
tldev
usrdev
tlhr
usrhr
tlqa
usrqa
tlsupp
usrsupp


And on executing wbinfo -g I am able to view the AD groups created by me.

[root@smbad samba]# wbinfo -g
BUILTIN+administrators
BUILTIN+users
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
itadmin
ituser
admadmin
adminuser
cmtadmin
cmtuser
devadmin
devuser
hradmin
hruser
qaadmin
qauser
suppadmin
suppuser


I am also able to test the AD users with a password:

[root@smbad samba]# wbinfo -a tladmin%Password1
plaintext password authentication succeeded
challenge/response password authentication succeeded

But now the issue is that when I am accessing the Samba share using these usernames I am not able to log in to the share, and the error below is coming in the log file.

setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2013/01/10 02:04:28, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/01/10 02:04:28, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [itusr] -> [itusr] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/01/10 02:04:28, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2013/01/10 02:04:28, 3] smbd/process.c:timeout_processing(1382)
timeout_processing: End of file from client (client has disconnected).
[2013/01/10 02:04:28, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0


Also, on logging in as the AD user from PuTTY it is not accepting passwords.

[admin@smbad ~]$ su tladmin
Password:
su: incorrect password

Whereas on switching to the AD user from the root account in PuTTY I am able to log in [password not prompted when switching from the root user to the AD user].

Please help me on this.

Thanks in advance.
 
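The log excerpt in the post above is worth reading against the `wbinfo -u` listing in the same post: smbd reports `NT_STATUS_NO_SUCH_USER` for `[itusr]`, and no account of that name appears in the listing, while `usrit` does. `NT_STATUS_NO_SUCH_USER` is the status for a name winbind cannot map to an account at all, which is a different failure from a wrong password or a broken machine secret. The `su` behaviour is a separate matter: smbd authenticates AD users through winbind directly, but `su` and SSH go through PAM, so they only accept an AD password when pam_winbind is in the auth stack; root's passwordless `su` still works because /etc/pam.d/su admits root through pam_rootok before any password module runs. The script below is an added example, not code from the thread: it pulls every `check_ntlm_password ... FAILED` line out of an smbd log, classifies the failing account as known or unknown to winbind, and checks a PAM auth stack for pam_winbind. The log lines, the user list and the PAM fragment are constructed from the thread's output so it runs offline; the second failure line and the PAM fragment are invented for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): correlate smbd logon failures with the
# accounts winbind actually knows, and check whether PAM is wired to winbind.
# The log excerpt, the user list and the PAM fragment are constructed from the
# thread's output so the script runs offline; on a live host feed it
# 'grep check_ntlm_password /var/log/samba/*', 'wbinfo -u' and
# /etc/pam.d/system-auth (or /etc/pam.d/common-auth) instead.

# Constructed from the thread's 'wbinfo -u' output (shortened).
WINBIND_USERS='administrator
guest
krbtgt
tlit
usrit
tladmin
usradmin'

# Constructed from the thread's log; the final failure line is added to show
# the other classification.
SMBD_LOG='[2013/01/10 02:04:28, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [itusr] -> [itusr] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/01/10 02:04:28, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2013/01/10 02:05:10, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [usrit] -> [usrit] FAILED with error NT_STATUS_WRONG_PASSWORD'

# Constructed PAM auth stack with no pam_winbind: 'su ADUSER' from a non-root
# shell then fails with "incorrect password" (pam_unix knows nothing about AD),
# while root's su still works because /etc/pam.d/su has pam_rootok.
PAM_SAMPLE='auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so'

# One "user status" pair per failed logon: the mapped account name (second
# [...] on the line) and the NT status smbd returned.
failed_logons() {
    printf '%s\n' "$SMBD_LOG" |
        sed -n 's/.*-> \[\([^]]*\)\] FAILED with error \([A-Z_]*\).*/\1 \2/p'
}

# "known" if winbind enumerates the account, "unknown" if it does not. An
# unknown account with NT_STATUS_NO_SUCH_USER is a name problem (typo, wrong
# domain prefix), not a password or Kerberos problem.
classify() {
    user="$1"; status="$2"
    if printf '%s\n' "$WINBIND_USERS" | grep -qx "$user"; then
        echo "known $user $status"
    else
        echo "unknown $user $status"
    fi
}

# Does the given PAM stack text route auth through pam_winbind?
has_pam_winbind() {
    printf '%s\n' "$1" | grep -q 'pam_winbind\.so'
}

report() {
    failed_logons | while read -r user status; do
        classify "$user" "$status"
    done
    if has_pam_winbind "$PAM_SAMPLE"; then
        echo "pam: pam_winbind present"
    else
        echo "pam: pam_winbind missing (affects su/ssh for AD users, not smbd's own auth)"
    fi
}
report
```

On the thread's data the first line of the report is `unknown itusr NT_STATUS_NO_SUCH_USER`, which is the case to chase before touching Kerberos or idmap settings: the client is presenting a name the domain does not have.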
Old 01-16-2013, 07:17 AM   #6
sunnysthakur
Member
 
Registered: Aug 2012
Posts: 40

Original Poster
Rep: Reputation: Disabled
I am able to solve this issue now and AD groups are reflected in Samba permissions.
 