Old 10-31-2012, 12:11 PM   #1
LQ Newbie
Registered: Sep 2008
Location: Chicago, IL
Distribution: Ubuntu
Posts: 3

Rep: Reputation: 0
Samba, SSSD, Active Directory 2008 R2 and ACLs on Windows clients

I want a samba setup that authenticates users against AD and allows group members to manage their own permissions. I'm halfway there; as a Domain Admin, I can set permissions on folders within the samba share. However, two things happen when I right-click on a share, select "Properties" and "Security."

1. I get entries that show "unix user\username" instead of "DOMAINNAME\username", and "unix group\group" in place of "DOMAINNAME\group":
[Screenshot: Screen Shot 2012-10-31 at 12.02.03 PM.png]

2. Any domain-level permissions (e.g. adding a domain group like "DOMAINNAME\accounting") don't resolve properly:
[Screenshot: Screen Shot 2012-10-31 at 12.02.35 PM.png]

How do I a.) show "DOMAINNAME\user|group" instead of "unix user|group\user|group", and b.) resolve the SID to the domain entry? Every solution I've come across thus far has gotten me part of the way there, but broken something else. If I can resolve domain identities properly, I can't manage the ACLs, just view them. If I throw winbind into the mix, it clashes with SSSD for some reason and prevents me from logging into the share from Windows.

My setup:
Debian Wheezy, authenticated using SSSD (Kerberos) to Active Directory 2008 R2
Samba 3.6.6, also authenticating to Active Directory 2008 R2

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[Shared]"
Loaded services file OK.
Press enter to see a dump of your service definitions

[global]
	workgroup = DOMAINNAME
	server string = %h Samba %v
	security = ADS
	log file = /var/log/samba/log.%m
	unix extensions = No
	os level = 1
	local master = No
	domain master = No
	dns proxy = No
	panic action = /usr/share/samba/panic-action %d
	idmap config * : backend = tdb
	valid users = "@Domain Users"
	inherit permissions = Yes
	inherit acls = Yes
	map acl inherit = Yes
	delete veto files = Yes
	veto files = /*.DS_Store/Network Trash Folder/Temporary Items/*.nilfs/*.Apple*/
	map archive = No
	map readonly = no
	store dos attributes = Yes

[homes]
	comment = Home Directories
	read only = No
	create mask = 0640
	directory mask = 0750

[Shared]
	comment = Share
	path = /brick/shared
	admin users = "@Domain Admins"
	read only = No
	acl group control = Yes
	create mask = 0664
	directory mask = 0775
	guest ok = Yes

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains =

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/<name removed from post>]
enumerate = true
cache_credentials = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldap://
ldap_search_base = DC=domainname,DC=com
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_gecos = displayName
ldap_group_object_class = group
ldap_force_upper_case_realm = True
ldap_user_search_base = cn=Users,dc=domainname,dc=com
ldap_user_modify_timestamp = whenChanged
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_shell = loginShell
ldap_group_modify_timestamp = whenChanged
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber

krb5_realm = DOMAINNAME.COM
krb5_changepw_principal = kadmin/changepw
krb5_auth_timeout = 15
I can attach any relevant logging info if someone wants to point me in the right direction. Any help would be appreciated.
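The "unix user\name" entries in the Security tab are Samba's way of exposing a POSIX uid/gid it could not map to a domain SID: it reports them under the special "Unix Users" (S-1-22-1-uid) and "Unix Groups" (S-1-22-2-gid) authorities, and Windows renders those with the "Unix User\" and "Unix Group\" prefixes. The following Python is an added example, not code from the post or from the Samba or SSSD projects: it classifies SID strings of that shape so the symptom can be read off an ACL dump, and it runs a small lint over a Samba/SSSD configuration for the settings a reviewer would flag in the one quoted above (the idmap backend, `guest ok`, `admin users`, `ldap_tls_reqcert = never`). The sample configuration is constructed from the settings in the post; the SSSD domain section name and the SID values are made up.

```python
"""Added example (not from the original post): classify the SIDs that a
Windows Security tab shows for a Samba share, and lint a Samba/SSSD
configuration for settings worth a second look. Sample input below is
constructed from the settings quoted in the post."""
import re

# Samba represents a POSIX uid/gid that has no domain SID under the special
# "Unix Users" (S-1-22-1-<uid>) and "Unix Groups" (S-1-22-2-<gid>) authorities;
# Windows renders those as "Unix User\name" and "Unix Group\name".
_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def classify_sid(sid):
    """Return (kind, detail) for a SID string; raise ValueError if malformed."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("malformed SID: %r" % (sid,))
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if authority == 22 and len(subs) == 2 and subs[0] in (1, 2):
        return ("unix-user" if subs[0] == 1 else "unix-group", subs[1])
    if authority == 5 and subs[:1] == [21]:
        if len(subs) == 4:                      # bare domain SID, no RID
            return ("domain-sid", sid)
        if len(subs) == 5:                      # domain SID + RID of the account
            domain = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
            return ("domain", (domain, subs[4]))
    return ("other", sid)                       # BUILTIN, well-known, etc.


def parse_ini(text):
    """Minimal smb.conf / sssd.conf reader: {section: {key: value}}.
    Section and key names are lower-cased and whitespace-collapsed so that
    'Guest OK' and 'guest ok' compare equal; surrounding quotes are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = " ".join(line[1:-1].lower().split())
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip().strip('"')
    return sections


def lint_config(text):
    """Return [(section, code, message)] for settings a reviewer would flag."""
    cfg = parse_ini(text)
    out = []
    g = cfg.get("global", {})
    if g.get("security", "").lower() == "ads":
        out.append(("global", "winbind-needed",
                    "security = ADS: domain SID<->name lookups go through winbindd; "
                    "without it unmapped uids/gids surface as Unix User/Unix Group"))
    if g.get("idmap config * : backend", "").lower() == "tdb":
        out.append(("global", "idmap-tdb",
                    "idmap_tdb allocates uids/gids locally, so they will not match the "
                    "uidNumber/gidNumber values SSSD reads from AD"))
    for name, section in cfg.items():
        if name == "global":
            continue
        if "admin users" in section:
            out.append((name, "admin-users",
                        "admin users act as root on this share: %s" % section["admin users"]))
        if section.get("guest ok", "").lower() in ("yes", "true", "1"):
            out.append((name, "guest-ok", "unauthenticated (guest) access is enabled"))
        if section.get("ldap_tls_reqcert", "").lower() == "never":
            out.append((name, "tls-reqcert-never",
                        "LDAP server certificate is never verified (MITM risk)"))
    return out


# Constructed from the settings in the post (abbreviated).
SAMPLE_SMB_CONF = """
[global]
	workgroup = DOMAINNAME
	security = ADS
	idmap config * : backend = tdb
	valid users = "@Domain Users"

[homes]
	read only = No

[Shared]
	path = /brick/shared
	admin users = "@Domain Admins"
	guest ok = Yes
"""

# The domain section name is constructed; the post does not show it.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam

[domain/EXAMPLE]
id_provider = ldap
ldap_tls_reqcert = never
"""

if __name__ == "__main__":
    for sid in ("S-1-22-1-1001", "S-1-22-2-513", "S-1-5-21-1-2-3-1105"):
        print(sid, "->", classify_sid(sid))
    for section, code, msg in lint_config(SAMPLE_SMB_CONF) + lint_config(SAMPLE_SSSD_CONF):
        print("[%s] %s: %s" % (section, code, msg))
```

Running it lists the two global findings (winbindd expected with `security = ADS`, and idmap_tdb allocating ids that SSSD's uidNumber/gidNumber values will not match), the `admin users` and `guest ok` findings on the Shared section, and the disabled certificate check in the SSSD domain section. The SID classifier is what you would point at an ACL dump to confirm which entries are S-1-22 fallbacks rather than S-1-5-21 domain accounts.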
Old 09-04-2013, 10:27 AM   #2
LQ Newbie
Registered: Feb 2010
Location: London
Distribution: Fedora 25
Posts: 25

Rep: Reputation: 2
Hi HowellBP

It's been a year since your post but did you find a solution? I am facing the same problem.

Old 10-07-2013, 02:37 PM   #3
LQ Newbie
Registered: Sep 2008
Location: Chicago, IL
Distribution: Ubuntu
Posts: 3

Original Poster
Rep: Reputation: 0
No, never got this working properly. Apparently it's not possible.