Samba 4: share directory for AD group

mac.tieu · 01-20-2013, 02:22 AM

Hi,

I've just installed samba 4 on CentOS 6.3 then follow configuration guide at Samba4/HOWTO/Join a domain as a DC. Everything is going right except I can't share directory to AD group.

- 'getent passwd' show as:

Code:

...
ADDOMAIN\Administrator:*:0:100::/home/ADDOMAIN/Administrator:/bin/false
ADDOMAIN\Guest:*:3000001:3000002::/home/ADDOMAIN/Guest:/bin/false
ADDOMAIN\krbtgt:*:3000004:100::/home/ADDOMAIN/krbtgt:/bin/false

- 'getent group'

Code:

Enterprise Read-only Domain Controllers:*:3000008:
Domain Admins:*:3000009:
Domain Users:*:100:
Domain Guests:*:3000002:
Domain Computers:*:3000010:
Domain Controllers:*:3000011:
Schema Admins:*:3000012:
Enterprise Admins:*:3000013:
Group Policy Creator Owners:*:3000014:
Read-only Domain Controllers:*:3000015:
DnsUpdateProxy:*:3000016:
Writers:*:3000020:

- smb.conf

Code:

[global]
        workgroup = ADDOMAIN
        realm = addomain.com
        netbios name = LINUX-DC
        server role = active directory domain controller
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/addomain.com/scripts
        read only = No
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[test]
        path = /tmp/writers
        valid users = @"ADDOMAIN\Writers"
        write list = @"ADDOMAIN\Writers"

- Administrator is member of Writer group.

Code:

[root@linux-dc ~]# id administrator
uid=0(root) gid=100(users) groups=0(root),100(users),3000014(Group Policy Creator Owners),3000013(Enterprise Admins),3000009(Domain Admins),3000012(Schema Admins),3000020(Writers)

Problem is: member of group Writers can not access 'test' resource. If I change 'valid users' to: "valid users = ADDOMAIN\Administrator" then I can access sharing directory.
Could you help me to explain what I am doing wrong with this configuration?

Thanks in advanced,
Mac Tieu.

Ser Olmy · 01-21-2013, 11:12 AM

This could be a winbind separator issue. After all, the backslash is usually the escape character in Unix/Linux.

You could try escaping the backslash, like this:

Code:

valid users = @"ADDOMAIN\\Writers"

If that doesn't work, you could try changing the separator to, say, the "+" character with

Code:

winbind separator = +

in the "globals" section and

Code:

valid users = @"ADDOMAIN+Writers"

on the share.

mac.tieu · 01-22-2013, 10:38 AM

Hi,

I've replaced separator to '+' as you guided but no success. After configed log level to 3 in smb.conf to examine log file, I can now access sharing resource by using group SID like:

Code:

valid users = 'S-1-5-21-1233234322-3234673423-5678456734-3457'

Is there any way to use group name instead of 'complex' SID string?

Thanks so much!