LinuxQuestions.org

Linux - Server: Samba 4: share directory for AD group (https://www.linuxquestions.org/questions/linux-server-73/samba-4-share-directory-for-ad-group-4175446433/)

mac.tieu 01-20-2013 02:22 AM

Samba 4: share directory for AD group
 
Hi,

I've just installed Samba 4 on CentOS 6.3 and then followed the configuration guide at Samba4/HOWTO/Join a domain as a DC. Everything is going right except that I can't share a directory to an AD group.

- 'getent passwd' shows:
Code:

...
ADDOMAIN\Administrator:*:0:100::/home/ADDOMAIN/Administrator:/bin/false
ADDOMAIN\Guest:*:3000001:3000002::/home/ADDOMAIN/Guest:/bin/false
ADDOMAIN\krbtgt:*:3000004:100::/home/ADDOMAIN/krbtgt:/bin/false

- 'getent group' shows:
Code:

Enterprise Read-only Domain Controllers:*:3000008:
Domain Admins:*:3000009:
Domain Users:*:100:
Domain Guests:*:3000002:
Domain Computers:*:3000010:
Domain Controllers:*:3000011:
Schema Admins:*:3000012:
Enterprise Admins:*:3000013:
Group Policy Creator Owners:*:3000014:
Read-only Domain Controllers:*:3000015:
DnsUpdateProxy:*:3000016:
Writers:*:3000020:

- smb.conf
Code:

[global]
        workgroup = ADDOMAIN
        realm = addomain.com
        netbios name = LINUX-DC
        server role = active directory domain controller
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/addomain.com/scripts
        read only = No
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[test]
        path = /tmp/writers
        valid users = @"ADDOMAIN\Writers"
        write list = @"ADDOMAIN\Writers"

- Administrator is a member of the Writers group.
Code:

[root@linux-dc ~]# id administrator
uid=0(root) gid=100(users) groups=0(root),100(users),3000014(Group Policy Creator Owners),3000013(Enterprise Admins),3000009(Domain Admins),3000012(Schema Admins),3000020(Writers)

The problem is: members of the group Writers cannot access the 'test' share. If I change 'valid users' to "valid users = ADDOMAIN\Administrator", then I can access the shared directory.
Could you help me understand what I am doing wrong with this configuration?

Thanks in advance,
Mac Tieu.
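One check a practitioner would run before touching the share definition is to confirm that every name in 'valid users' / 'write list' actually exists in the NSS databases Samba consults. Per smb.conf(5), a bare token is looked up as a user, '@name' is tried as a NIS netgroup and then as a Unix group, '+name' is a Unix group only, '&name' is a netgroup only, and a raw SID is accepted as-is. Note that in the output posted above, 'getent passwd' lists users with the ADDOMAIN\ prefix while 'getent group' lists groups without it ("Writers", not "ADDOMAIN\Writers"). The following linter is an added example, not code from the poster or from the Samba project; it cross-references the tokens in an smb.conf against getent-style output. The sample smb.conf and getent data are constructed from the post (elided lines dropped), and the '\' separator default mirrors the unchanged winbind separator.

```python
"""Lint smb.conf access lists against the NSS user/group databases.

Token semantics follow smb.conf(5): '' = user, '@' = netgroup then Unix
group, '+' = Unix group only, '&' = netgroup only, 'S-1-...' = literal SID.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input, taken from the post with elided lines dropped.
SMB_CONF = r"""
[global]
        workgroup = ADDOMAIN
        realm = addomain.com
        server role = active directory domain controller
[test]
        path = /tmp/writers
        valid users = @"ADDOMAIN\Writers"
        write list = @"ADDOMAIN\Writers"
"""

# Constructed from the post's 'getent passwd' output.
GETENT_PASSWD = r"""
ADDOMAIN\Administrator:*:0:100::/home/ADDOMAIN/Administrator:/bin/false
ADDOMAIN\Guest:*:3000001:3000002::/home/ADDOMAIN/Guest:/bin/false
"""

# Constructed from the post's 'getent group' output: no domain prefix.
GETENT_GROUP = r"""
Domain Admins:*:3000009:
Domain Users:*:100:
Writers:*:3000020:
"""

# A list entry: optional lookup prefix, then a quoted or unquoted name.
TOKEN_RE = re.compile(r"""[@+&]?(?:"[^"]*"|'[^']*'|[^\s,]+)""")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parser: {section: {lowercased key: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def nss_names(getent_output: str) -> Set[str]:
    """Name field of every line of 'getent passwd' or 'getent group' output."""
    return {ln.split(":", 1)[0] for ln in getent_output.splitlines() if ":" in ln}


def classify(token: str) -> Tuple[str, str]:
    """Split a token into its lookup prefix ('', '@', '+', '&') and bare name."""
    prefix = token[0] if token[0] in "@+&" else ""
    name = token[len(prefix):]
    if len(name) >= 2 and name[0] == name[-1] and name[0] in "\"'":
        name = name[1:-1]  # drop the protective quotes
    return prefix, name


def lint(smb_conf: str, passwd: str, group: str,
         separator: str = "\\") -> Dict[str, List[str]]:
    """Return {share: [problem, ...]} for tokens NSS cannot resolve."""
    users, groups = nss_names(passwd), nss_names(group)
    report: Dict[str, List[str]] = {}
    for share, opts in parse_smb_conf(smb_conf).items():
        if share == "global":
            continue
        problems: List[str] = []
        for key in ("valid users", "write list"):
            for token in TOKEN_RE.findall(opts.get(key, "")):
                prefix, name = classify(token)
                if prefix == "&":
                    continue  # NIS netgroup: not visible in 'getent group'
                if not prefix and name.startswith("S-1-"):
                    continue  # literal SID: Samba uses it without a lookup
                table = groups if prefix else users
                if name in table:
                    continue
                db = "group" if prefix else "passwd"
                msg = f"{key}: {token!r} not found in {db} database"
                short = name.split(separator, 1)[1] if separator in name else None
                if short and short in table:
                    msg += f"; NSS lists it without the domain prefix as {short!r}"
                problems.append(msg)
        if problems:
            report[share] = problems
    return report


if __name__ == "__main__":
    for share, problems in lint(SMB_CONF, GETENT_PASSWD, GETENT_GROUP).items():
        print(f"[{share}]")
        for problem in problems:
            print("  " + problem)
```

On a real DC, feed it the output of `testparm -s` together with `getent passwd` and `getent group` rather than the constructed strings; if 'winbind separator' was changed, pass that character as `separator` so the hint still matches the short group name.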

Ser Olmy 01-21-2013 11:12 AM

This could be a winbind separator issue. After all, the backslash is usually the escape character in Unix/Linux.

You could try escaping the backslash, like this:
Code:

valid users = @"ADDOMAIN\\Writers"

If that doesn't work, you could try changing the separator to, say, the "+" character with
Code:

winbind separator = +
in the "globals" section and
Code:

valid users = @"ADDOMAIN+Writers"

on the share.

mac.tieu 01-22-2013 10:38 AM

Hi,

I've changed the separator to '+' as you suggested, but with no success. After setting the log level to 3 in smb.conf to examine the log file, I can now access the shared resource by using the group SID, like:
Code:

valid users = 'S-1-5-21-1233234322-3234673423-5678456734-3457'

Is there any way to use the group name instead of the 'complex' SID string?

Thanks so much!

celsomagela 05-28-2014 12:48 PM

I tested it just now, in Samba 4 with the internal DNS:
Code:

valid users = +"cmpc.leg\adm"

and it is working perfectly. (cmpc.leg = realm and adm = group)

