LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 10-31-2012, 01:11 PM   #1
HowellBP
LQ Newbie
 
Registered: Sep 2008
Location: Chicago, IL
Distribution: Ubuntu
Posts: 3

Rep: Reputation: 0
Samba, SSSD, Active Directory 2008 R2 and ACLs on Windows clients


I want a samba setup that authenticates users against AD and allows group members to manage their own permissions. I'm halfway there; as a Domain Admin, I can set permissions on folders within the samba share. However, two things happen when I right-click on a share, select "Properties" and "Security."

1. I get entries that show "unix user\username" instead of "DOMAINNAME\username", and "unix group\group" in place of "DOMAINNAME\group":
Screen Shot 2012-10-31 at 12.02.03 PM.png

2. Any domain-level permissions (e.g. adding a domain group like "DOMAINNAME\accounting") don't resolve properly:
Screen Shot 2012-10-31 at 12.02.35 PM.png

How do I a.) show "DOMAINNAME\user|group" instead of "unix user|group\user|group", and b.) resolve the SID to the domain entry? Every solution I've come across thus far has gotten me part of the way there, but broken something else. If I can resolve domain identities properly, I can't manage the ACLs, just view them. If I throw winbind into the mix, it clashes with SSSD for some reason and prevents me from logging into the share from Windows.

My setup:
Debian Wheezy, authenticated using SSSD (Kerberos) to Active Directory 2008 R2
Samba 3.6.6, also authenticating to Active Directory 2008 R2

Testparm:
Code:
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[Shared]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
	workgroup = DOMAINNAME
	realm = DOMAINNAME.COM
	server string = %h Samba %v
	security = ADS
	log file = /var/log/samba/log.%m
	unix extensions = No
	socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
	os level = 1
	local master = No
	domain master = No
	dns proxy = No
	panic action = /usr/share/samba/panic-action %d
	idmap config * : backend = tdb
	valid users = "@Domain Users"
	inherit permissions = Yes
	inherit acls = Yes
	map acl inherit = Yes
	delete veto files = Yes
	veto files = /*.DS_Store/Network Trash Folder/Temporary Items/*.nilfs/*.Apple*/
	map archive = No
	map readonly = no
	store dos attributes = Yes

[homes]
	comment = Home Directories
	read only = No
	create mask = 0640
	directory mask = 0750

[Shared]
	comment = Share
	path = /brick/shared
	admin users = "@Domain Admins"
	read only = No
	acl group control = Yes
	create mask = 0664
	directory mask = 0775
	guest ok = Yes
sssd.conf:
Code:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = domainname.com

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/domainname.com]
enumerate = true
cache_credentials = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldap://ldap.domainname.com/
ldap_search_base = DC=domainname,DC=com
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_gecos = displayName
ldap_group_object_class = group
ldap_force_upper_case_realm = True
ldap_user_search_base = cn=Users,dc=domainname,dc=com
ldap_user_modify_timestamp = whenChanged
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_shell = loginShell
ldap_group_modify_timestamp = whenChanged
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber

krb5_realm = DOMAINNAME.COM
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15
I can attach any relevant logging info if someone wants to point me in the right direction. Any help would be appreciated.
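Added illustration (not code from the poster or from the Samba project): the "unix user\name" and "unix group\name" entries in the Windows Security tab come from Samba's private fallback authorities, S-1-22-1-<uid> ("Unix User") and S-1-22-2-<gid> ("Unix Group"), which a Samba domain member hands out for any uid or gid it cannot map to a domain SID. The script below models that step over a constructed getfacl listing for a directory under /brick/shared: entries whose uid/gid has a mapping in a winbind-style idmap table are shown as DOMAINNAME\name, the rest fall back to the Unix User/Group form. The last function parses the idmap lines of an smb.conf and, run over the testparm output above, reports that only the default "*" domain has a backend (tdb). All names, uids, gids, SIDs and the idmap table are constructed sample values, and the passwd/group dicts stand in for what SSSD would answer via NSS.

```python
"""Model the SID a Samba domain member presents to a Windows client for
each POSIX ACL entry, and why unmapped ids show up as "Unix User\\name".
Everything below is constructed sample data, not the poster's system."""
import re

UNIX_USER_AUTHORITY = "S-1-22-1"    # Samba's "Unix User" fallback domain
UNIX_GROUP_AUTHORITY = "S-1-22-2"   # Samba's "Unix Group" fallback domain

# Constructed getfacl(1) output for a directory under the [Shared] path.
SAMPLE_GETFACL = """\
# file: brick/shared/accounting
# owner: jdoe
# group: accounting
user::rwx
user:asmith:rwx
group::r-x
group:accounting:rwx
mask::rwx
other::r-x
default:group:accounting:rwx
"""

# Constructed uid/gid tables, standing in for what SSSD returns via NSS.
SAMPLE_PASSWD = {"jdoe": 10001, "asmith": 10002}
SAMPLE_GROUP = {"accounting": 20001}

# Constructed idmap table, standing in for what winbind would answer.
# Only jdoe is mapped; asmith and accounting have no id-to-SID mapping.
SAMPLE_IDMAP = {
    ("user", 10001): ("S-1-5-21-1111-2222-3333-1105", "DOMAINNAME\\jdoe"),
}


def parse_getfacl(text):
    """Return (kind, name, perms) for every user/group entry; the owner and
    owning-group entries (user:: and group::) get their names filled in."""
    owner = owning_group = None
    entries = []
    for line in text.splitlines():
        if line.startswith("# owner: "):
            owner = line.split(": ", 1)[1]
        elif line.startswith("# group: "):
            owning_group = line.split(": ", 1)[1]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            fields = line.split(":")
            if fields[0] == "default":      # default ACL: same shape, one more field
                fields = fields[1:]
            tag, qualifier, perms = fields
            if tag == "user":
                entries.append(("user", qualifier or owner, perms))
            elif tag == "group":
                entries.append(("group", qualifier or owning_group, perms))
            # mask:: and other:: name no principal and are skipped here
    return entries


def resolve_principal(kind, name, passwd, group, idmap):
    """Return (sid, display_name) as the Windows client will show it."""
    if kind == "user":
        uid = passwd[name]
        mapped = idmap.get(("user", uid))
        return mapped or (f"{UNIX_USER_AUTHORITY}-{uid}", f"Unix User\\{name}")
    gid = group[name]
    mapped = idmap.get(("group", gid))
    return mapped or (f"{UNIX_GROUP_AUTHORITY}-{gid}", f"Unix Group\\{name}")


def acl_as_windows_sees_it(getfacl_text, passwd, group, idmap):
    """One dict per ACL entry, with the SID and the name Windows displays."""
    rows = []
    for kind, name, perms in parse_getfacl(getfacl_text):
        sid, display = resolve_principal(kind, name, passwd, group, idmap)
        rows.append({"kind": kind, "name": name, "perms": perms,
                     "sid": sid, "display": display,
                     "unmapped": sid.startswith("S-1-22-")})
    return rows


IDMAP_LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*backend\s*=\s*(\S+)", re.I)


def idmap_backends(smbconf_text):
    """Map each idmap domain ('*' is the default) to its configured backend."""
    return {m.group(1): m.group(2).lower()
            for m in map(IDMAP_LINE.match, smbconf_text.splitlines()) if m}


if __name__ == "__main__":
    for row in acl_as_windows_sees_it(SAMPLE_GETFACL, SAMPLE_PASSWD,
                                      SAMPLE_GROUP, SAMPLE_IDMAP):
        flag = "  <- no domain mapping" if row["unmapped"] else ""
        print(f"{row['kind']:5} {row['perms']}  {row['display']:24} {row['sid']}{flag}")
    # Same idmap lines as the poster's testparm output: only "*" is configured.
    print(idmap_backends("[global]\n\tworkgroup = DOMAINNAME\n"
                         "\tidmap config * : backend = tdb\n"))
```

Reading the output next to the poster's screenshots: every entry flagged "no domain mapping" is exactly the kind that the Security tab renders under the "Unix User" or "Unix Group" pseudo-domain, and a domain SID typed in from the Windows side has no uid or gid to land on for the same reason.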
 
Old 09-04-2013, 11:27 AM   #2
yangou
LQ Newbie
 
Registered: Feb 2010
Posts: 13

Rep: Reputation: 2
Hi HowellBP

It's been a year since your post but did you find a solution? I am facing the same problem.

Thanks
 
Old 10-07-2013, 03:37 PM   #3
HowellBP
LQ Newbie
 
Registered: Sep 2008
Location: Chicago, IL
Distribution: Ubuntu
Posts: 3

Original Poster
Rep: Reputation: 0
No, never got this working properly. Apparently it's not possible.
 
  