Hello all, hope all is well / happy holidays.
Checked on the Samba list and they directed me here.
My issue is valid users in smb.conf containing an AD group.
I have tried this on systems running CentOS 7u2 and Ubuntu trusty. These systems are running
sssd. I can log in with AD users and chown/chgrp files with AD groups. However, I can't
get AD groups to work with valid users in smb.conf for restricting share access. If I
just set individual AD users, it works just fine.
Also, locally everything works as expected. For example, I can chown a folder to be owned by
an AD group with 2770. I can log in to the host via password/Kerberos ticket and chdir into
that directory without issue. Below, the user in question is part of MC-Services (apologies,
not trying to be overly obvious).
drwxrwsr-x 3 appadmin MC-Services 4096 Dec 15 14:47 logs
Again, singly listed AD users work with valid users. This kind of abstraction is nice so I
don't have to tweak FS perms to "match" shared-out access. Right now, with
the local FS perms above, I can get into the share if I have the share set up as below:
[logs]
comment = Server Logs
path = /logs
writable = no
valid users = jsmith
printable = no
So it seems Samba can handle the users, but not AD groups, or can't get the
info/membership for the AD groups. If I change the owner of the dir to be completely owned
by appadmin, the testing user can no longer get into the share, which makes sense.
Any thoughts/help would be greatly appreciated.
Thanks and regards.
Some info on the Samba versions on the CentOS host:
samba-common-4.2.3-12.el7_2.noarch
samba-common-tools-4.2.3-12.el7_2.x86_64
samba-common-libs-4.2.3-12.el7_2.x86_64
samba-4.2.3-12.el7_2.x86_64
samba-libs-4.2.3-12.el7_2.x86_64
samba-client-libs-4.2.3-12.el7_2.x86_64
[root@Xsamba]# smbd -V
Version 4.2.3
Here is the Samba config:
[global]
workgroup = mc
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
security = ads
bind interfaces only = yes
interfaces=192.168.99.0/24
dedicated keytab file=/etc/krb5.keytab
password server = 192.168.1.2 192.168.1.3
realm = MC.FOO.COM
passdb backend = tdbsam
map to guest = Bad Uid
[homes]
comment = Home Directories
browseable = no
writable = yes
[logs]
comment = Server Logs
path = /logs
writable = no
#valid users = jsmith
valid users = @"MC\MC-Services"
printable = no
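A diagnostic that is not part of the original post: it checks, using only the host's own NSS lookups (getent, id), whether a user would be found in the group named on a `valid users = @...` line, trying the name both as written and without the `MC\` prefix, since the group name has to match what the host actually resolves. It assumes a POSIX sh and that getent/id are available when the live check is run; the parsing helpers also work on a constructed group line for offline testing.

```shell
#!/bin/sh
# Added example, not from the original post. Emulates the membership test
# behind "valid users = @<group>" by resolving the group through the host's
# NSS (sssd here), which is where Samba gets group membership from.

# Print the members of one getent-style group line
# ("name:pw:gid:member1,member2"), one per line.
group_members_from_line() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# Return 0 if user $2 is listed as a member in group line $1.
user_in_group_line() {
    _line=$1; _user=$2
    group_members_from_line "$_line" | grep -qxF "$_user"
}

# Live check: user $1, group $2 exactly as written in smb.conf, e.g.
# 'MC\MC-Services'. Tries the name as given, then without the DOMAIN\ prefix.
check_valid_users_group() {
    _user=$1; _group=$2
    for _g in "$_group" "${_group#*\\}"; do
        _line=$(getent group "$_g" 2>/dev/null) || continue
        if user_in_group_line "$_line" "$_user"; then
            echo "OK: $_user is in $_g (resolved via NSS)"
            return 0
        fi
    done
    # getent's member list omits users whose *primary* group this is,
    # so fall back to the user's full group list from id -Gn.
    if id -Gn "$_user" 2>/dev/null | tr ' ' '\n' | grep -qxF "${_group#*\\}"; then
        echo "OK: $_user has $_group as primary group (id -Gn)"
        return 0
    fi
    echo "FAIL: $_user is not a member of $_group according to NSS"
    return 1
}
```

Run as `check_valid_users_group jsmith 'MC\MC-Services'` on the Samba host; a FAIL there means the @group line cannot match regardless of what smb.conf says.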