HowellBP 10-31-2012 12:11 PM

Samba, SSSD, Active Directory 2008 R2 and ACLs on Windows clients
I want a samba setup that authenticates users against AD and allows group members to manage their own permissions. I'm halfway there; as a Domain Admin, I can set permissions on folders within the samba share. However, two things happen when I right-click on a share, select "Properties" and "Security."

1. I get entries that show "unix user\username" instead of "DOMAINNAME\username", and "unix group\group" in place of "DOMAINNAME\group":
Attachment 11120

2. Any domain-level permissions (e.g. adding a domain group like "DOMAINNAME\accounting") don't resolve properly:
Attachment 11121

How do I a.) show "DOMAINNAME\user|group" instead of "unix user|group\user|group", and b.) resolve the SID to the domain entry? Every solution I've come across thus far has gotten me part of the way there, but broken something else. If I can resolve domain identities properly, I can't manage the ACLs, just view them. If I throw winbind into the mix, it clashes with SSSD for some reason and prevents me from logging into the share from Windows.

My setup:
Debian Wheezy, authenticated using SSSD (Kerberos) to Active Directory 2008 R2
Samba 3.6.6, also authenticating to Active Directory 2008 R2


Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[Shared]"
Loaded services file OK.
Press enter to see a dump of your service definitions

[global]
        workgroup = DOMAINNAME
        realm = DOMAINNAME.COM
        server string = %h Samba %v
        security = ADS
        log file = /var/log/samba/log.%m
        unix extensions = No
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        os level = 1
        local master = No
        domain master = No
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
        valid users = "@Domain Users"
        inherit permissions = Yes
        inherit acls = Yes
        map acl inherit = Yes
        delete veto files = Yes
        veto files = /*.DS_Store/Network Trash Folder/Temporary Items/*.nilfs/*.Apple*/
        map archive = No
        map readonly = no
        store dos attributes = Yes

[homes]
        comment = Home Directories
        read only = No
        create mask = 0640
        directory mask = 0750

[Shared]
        comment = Share
        path = /brick/shared
        admin users = "@Domain Admins"
        read only = No
        acl group control = Yes
        create mask = 0664
        directory mask = 0775
        guest ok = Yes


sssd.conf:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains =

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/...]
enumerate = true
cache_credentials = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldap://
ldap_search_base = DC=domainname,DC=com
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_gecos = displayName
ldap_group_object_class = group
ldap_force_upper_case_realm = True
ldap_user_search_base = cn=Users,dc=domainname,dc=com
ldap_user_modify_timestamp = whenChanged
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_shell = loginShell
ldap_group_modify_timestamp = whenChanged
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber

krb5_realm = DOMAINNAME.COM
krb5_changepw_principal = kadmin/changepw
krb5_auth_timeout = 15

I can attach any relevant logging info if someone wants to point me in the right direction. Any help would be appreciated.
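
Added example, not part of the original post or of the Samba/SSSD projects: it models the mechanism behind the two symptoms above. Samba reports any uid or gid it cannot map back to a domain SID under its built-in pseudo-domains S-1-22-1 ("Unix User") and S-1-22-2 ("Unix Group"), which Windows renders as "unix user\name". Mapping between domain SIDs and unix ids is winbind's job, and the uid it produces depends on the idmap backend; the posted smb.conf only has `idmap config * : backend = tdb`, which allocates ids locally rather than reading the uidNumber that the posted sssd.conf uses. The block contrasts the ad (rfc2307), rid and tdb backends against what SSSD resolves; the domain SID, account names, RIDs, uidNumbers and the range 10000-99999 are constructed for illustration, and the function names are the example's own.

```python
"""Why the Security tab shows "unix user\\name", and why a tdb idmap will
not line up with the uidNumber SSSD reads from AD.  Example code; the
sample domain, accounts and id range are constructed, not from any real AD.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

UNIX_USER_PREFIX = (1, 22, 1)    # S-1-22-1-<uid>: Samba's "Unix User" pseudo-domain
UNIX_GROUP_PREFIX = (1, 22, 2)   # S-1-22-2-<gid>: Samba's "Unix Group" pseudo-domain


def parse_sid(text: str) -> Tuple[int, int, Tuple[int, ...]]:
    """Parse 'S-1-5-21-...' into (revision, identifier authority, sub-authorities)."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = tuple(int(p) for p in parts[3:])
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError(f"malformed SID: {text!r}")
    return revision, authority, subs


def classify_sid(text: str) -> Dict[str, object]:
    """Tell a Samba pseudo-SID (an unmapped unix id) from a real domain SID."""
    revision, authority, subs = parse_sid(text)
    head = (revision, authority) + subs[:1]
    if head == UNIX_USER_PREFIX and len(subs) == 2:
        return {"kind": "unix-user", "id": subs[1]}
    if head == UNIX_GROUP_PREFIX and len(subs) == 2:
        return {"kind": "unix-group", "id": subs[1]}
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        domain = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        return {"kind": "domain", "domain": domain, "rid": subs[4]}
    return {"kind": "other"}


@dataclass(frozen=True)
class AdAccount:
    name: str
    rid: int                     # last component of the account's SID
    uid_number: Optional[int]    # RFC2307 uidNumber attribute, None if unset


def sssd_uid(acct: AdAccount) -> Optional[int]:
    """ldap_user_uid_number = uidNumber: the uid every Linux-side lookup sees."""
    return acct.uid_number


def idmap_ad(acct: AdAccount) -> Optional[int]:
    """idmap_ad with schema_mode = rfc2307 reads the same attribute, so it
    agrees with SSSD by construction; no uidNumber means no mapping."""
    return acct.uid_number


def idmap_rid(acct: AdAccount, low: int = 10000, high: int = 99999,
              base_rid: int = 0) -> Optional[int]:
    """idmap_rid: uid = rid - base_rid + low.  Arithmetic only, no AD attribute."""
    uid = acct.rid - base_rid + low
    return uid if low <= uid <= high else None


class IdmapTdb:
    """idmap_tdb (the posted 'idmap config * : backend = tdb'): the next free id
    in the range goes to whichever SID this host looks up first.  Stable on one
    host, but unrelated to uidNumber, so it matches SSSD only by accident."""

    def __init__(self, low: int = 10000, high: int = 99999) -> None:
        self.next_id, self.high, self.table = low, high, {}

    def map(self, acct: AdAccount) -> Optional[int]:
        if acct.rid not in self.table:
            if self.next_id > self.high:
                return None
            self.table[acct.rid] = self.next_id
            self.next_id += 1
        return self.table[acct.rid]


def compare_with_sssd(accounts, lookup_order) -> Dict[str, Dict[str, Optional[int]]]:
    """The uid each backend would hand winbind, next to what SSSD resolves."""
    tdb, by_name = IdmapTdb(), {a.name: a for a in accounts}
    tdb_ids = {name: tdb.map(by_name[name]) for name in lookup_order}
    return {a.name: {"sssd": sssd_uid(a), "ad": idmap_ad(a),
                     "rid": idmap_rid(a), "tdb": tdb_ids.get(a.name)}
            for a in accounts}


def agreement(results) -> Dict[str, int]:
    """How many accounts each backend maps to the same uid SSSD uses."""
    return {b: sum(1 for r in results.values()
                   if r[b] is not None and r[b] == r["sssd"])
            for b in ("ad", "rid", "tdb")}


# Constructed sample: the first account winbind happens to look up is not the
# first one the admin created, which is all it takes for tdb to drift.
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ACCOUNTS = (AdAccount("howell", rid=1105, uid_number=10001),
                   AdAccount("alice", rid=1106, uid_number=10002))
SAMPLE_LOOKUP_ORDER = ("alice", "howell")

if __name__ == "__main__":
    print(classify_sid(f"{SAMPLE_DOMAIN_SID}-1105"))   # real domain SID, RID 1105
    print(classify_sid("S-1-22-1-10001"))              # what the Security tab shows
    results = compare_with_sssd(SAMPLE_ACCOUNTS, SAMPLE_LOOKUP_ORDER)
    for name, row in results.items():
        print(name, row)
    print(agreement(results))                          # {'ad': 2, 'rid': 0, 'tdb': 1}
```

The S-1-22-1-10001 case is the interesting one: Samba knew the file's uid (SSSD resolved it), but with no winbindd to turn 10001 back into a domain SID it had to invent a pseudo-SID, which is why the entry is displayed but cannot be matched to "DOMAINNAME\user". On a real host the equivalent check is to confirm that `wbinfo -i <user>` and `getent passwd <user>` report the same uid and that `wbinfo -S <sid>` returns it, which only holds when winbind's per-domain idmap backend reproduces uidNumber (idmap_ad with schema_mode = rfc2307 in Samba 3.6) rather than the tdb allocator. Separately, the posted sssd.conf sets `ldap_tls_reqcert = never`, which disables certificate verification for any TLS session SSSD does open; unless the LDAP connection is otherwise protected (for example GSSAPI signing and sealing), that setting should be `demand` once the CA in `ldap_tls_cacert` actually covers the domain controllers.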

yangou 09-04-2013 10:27 AM

Hi HowellBP

It's been a year since your post but did you find a solution? I am facing the same problem.


HowellBP 10-07-2013 02:37 PM

No, never got this working properly. Apparently it's not possible.
