Re: [Samba] Grant only one AD group to samba share ?

2012-05-22 Thread Newman, John W
>Which version of Samba are you using?
Samba version 3.5.11

>What does the idmap backend configuration for winbind look like? 
Well.. I'm not really sure what that is (I inherited this project).  In 
smb.conf all he has here is:  idmap uid = 1-2 idmap gid=1-2 
 I don't see idmap backend = set at all in here.  That is probably a big 
part of the problem isn't it?   

>Does testparm yield any errors?
ERROR: the 'winbind separator' parameter must be a single character.
Hmm.. I 
just changed that to a single \ , and our existing authentication service still 
works fine, but the share behaves no differently.  The extra \ was probably in 
error from this file being edited with sed.

>Do getent group and wbinfo -g return the expected results?
getent group shows all of the local linux groups on this machine - no AD 
groups.  Is that expected?
wbinfo -g shows the windows groups fine, the only thing that's odd is all of 
the groups on this domain show in lower case.  They may or may not be that way 
in their AD, I can't see for sure.   (We are forcing a linux machine into 
someones windows network ) 

>Are nsswitch.conf and PAM configured for authentication?
For what kind of authentication?   /etc/nsswitch and /etc/pam/* are untouched 
from the defaults.  

All that has really been setup so far is an apache service that uses 
mod_auth_ntlm_winbind to authenticate users of a webpage to their DC.  We are 
now trying to expand that samba/winbind stack over into sharing a folder.  So, 
we probably do need to look at modifying those files, and id mapping, to have a 
samba share authenticate against the DC.  Right?  For some reason I figured 
this part would just work since the join already happened.

Thanks again!


-Original Message-
From: Dale Schroeder [mailto:d...@briannassaladdressing.com] 
Sent: Tuesday, May 22, 2012 14:51
To: Newman, John W
Cc: samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

A few questions that might narrow things -

Which version of Samba are you using?
What does the idmap backend configuration for winbind look like?
Does testparm yield any errors?
Do getent group and wbinfo -g return the expected results?
Are nsswitch.conf and PAM configured for authentication?
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3502441/Join-Linux-to-Active-Directory-With-Winbind.htm

On 05/22/2012 1:01 PM, Newman, John W wrote:
> Thanks..
>
> Unfortunately neither suggestion worked
>
> chgrp still just says "invalid group"
>
> valid users  = @"DOMAIN\\My Group" behaves the same as I described in the OP. 
>  Valid credentials = access denied ; invalid credentials = invalid name or 
> bad password. I already tried all sorts of things in valid users, but 
> nothing is the magic string I need.
>
> Any other ideas?
>
> Thanks for the help so far, much appreciated!!
>
> -Original Message-
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of steve
> Sent: Tuesday, May 22, 2012 04:59
> To: samba@lists.samba.org
> Subject: Re: [Samba] Grant only one AD group to samba share ?
>
> On 21/05/12 23:36, Dale Schroeder wrote:
>> On 05/21/2012 3:42 PM, Newman, John W wrote:
>
>>> Thanks for the suggestion, but .. that doesn't work ...
>>>
>>>
>>> chgrp My\ Group /media/share
>>> chgrp: invalid group: `My Group'
>>>
>>>
>>> "My Group" is a windows AD group, not a local linux group. The 
>>> machine is "joined" to the windows domain through "net ads join", 
>>> but I don't think the security is that tightly integrated. I don't 
>>> have windows groups mapped to linux groups I've created or anything like 
>>> that.
>>> chgrp is expecting a linux group. Right?
>>>
>>> Probably I am missing something, or you guys need more information.
>>> Any thoughts?
> Hi
> Sorry. I forgot about winbind (we use nss-pam-ldapd). With winbind running 
> that should read:
>
> chgrp MYDOMAIN\\My\ Group /media/share
>
> Cheers,
> Steve
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

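The checklist quoted above (separator, idmap backend, nsswitch/PAM, getent vs wbinfo) and the `valid users` quoting question in the original post boil down to a few things a script can check. The following is an added example, not code from the thread or from the Samba project: it lints constructed copies of smb.conf and nsswitch.conf for the settings the thread stumbled over, and resolves a group as `wbinfo -g` spells it (lower-cased, with the domain prefix and separator) into the exact tokens `valid users` and `chgrp` expect. The file contents are constructed samples modelled on the thread; /etc/samba/smb.conf, /etc/nsswitch.conf and the 10000-20000 idmap range are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks the winbind prerequisites
# Dale's list asks about and builds the tokens `valid users` and `chgrp`
# expect from a group as `wbinfo -g` prints it. Every file below is a
# constructed sample; /etc/samba/smb.conf and /etc/nsswitch.conf are assumed.

# Value of KEY in an smb.conf-style FILE (first match, case-insensitive key,
# "idmap gid=..." spacing accepted). Prints nothing if KEY is absent.
smb_get() {  # smb_get FILE KEY
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*[;#]/ { next }
    { line = $0; sub(/[;#].*/, "", line) }
    index(line, "=") {
      k = substr(line, 1, index(line, "=") - 1)
      v = substr(line, index(line, "=") + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      if (tolower(k) == key) { print v; exit }
    }' "$1"
}

# testparm's complaint in the thread: the separator must be one character.
# "\\" in smb.conf is two characters, not an escaped backslash.
check_separator() {  # check_separator FILE -> "ok" or "bad:<value>"
  sep=$(smb_get "$1" "winbind separator")
  [ -z "$sep" ] && sep='\'   # Samba's default when the option is unset
  if [ "${#sep}" -eq 1 ]; then printf 'ok\n'; else printf 'bad:%s\n' "$sep"; fi
}

# Without an idmap backend winbind has no stable gid to hand out, so a group
# that wbinfo lists can still be unusable as a POSIX group.
check_idmap() {  # check_idmap FILE -> "ok" or "missing"
  if [ -n "$(smb_get "$1" "idmap backend")" ] ||
     grep -qiE '^[[:space:]]*idmap config [^=]*:[[:space:]]*backend' "$1"; then
    printf 'ok\n'
  else
    printf 'missing\n'
  fi
}

# chgrp and `valid users` both resolve the group through NSS; "getent group"
# listing only local groups means the group line lacks winbind.
check_nsswitch() {  # check_nsswitch FILE -> "ok" or "missing"
  if grep -qE '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
  then printf 'ok\n'; else printf 'missing\n'; fi
}

# Find GROUP in saved `wbinfo -g` output, ignoring case (winbind prints
# names lower-cased), and print the line exactly as winbind spells it.
resolve_group() {  # resolve_group WBINFO_G_FILE GROUP SEP ; returns 1 if absent
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  while IFS= read -r line; do
    g=${line#*"$3"}                        # strip DOMAIN<sep>
    if [ "$(printf '%s' "$g" | tr 'A-Z' 'a-z')" = "$want" ]; then
      printf '%s\n' "$line"; return 0
    fi
  done < "$1"
  return 1
}

# '@' marks a group; the double quotes keep the space inside one token.
valid_users_token() { printf '@"%s"\n' "$1"; }
# Single quotes keep the backslash and the space intact for chgrp.
chgrp_arg() { printf "'%s'\n" "$1"; }

# Constructed samples modelled on the thread's configuration.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/smb.broken" <<'EOF'
[global]
   workgroup = MYDOMAIN
   security = ads
   winbind separator = \\
   winbind use default domain = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
EOF
cat > "$TMP/smb.fixed" <<'EOF'
[global]
   workgroup = MYDOMAIN
   security = ads
   winbind separator = \
   winbind use default domain = yes
   idmap backend = tdb
   idmap uid = 10000-20000
   idmap gid = 10000-20000
EOF
printf 'passwd: compat\ngroup:  compat\n' > "$TMP/nss.broken"
printf 'passwd: compat winbind\ngroup:  compat winbind\n' > "$TMP/nss.fixed"
cat > "$TMP/wbinfo-g" <<'EOF'
MYDOMAIN\domain admins
MYDOMAIN\domain users
MYDOMAIN\my group
MYDOMAIN\my group2
EOF

for f in broken fixed; do
  echo "smb.$f: separator=$(check_separator "$TMP/smb.$f") idmap=$(check_idmap "$TMP/smb.$f")"
  echo "nss.$f: winbind in group line: $(check_nsswitch "$TMP/nss.$f")"
done
if grp=$(resolve_group "$TMP/wbinfo-g" 'My Group' '\'); then
  echo "valid users = $(valid_users_token "$grp")"
  echo "chgrp $(chgrp_arg "$grp") /media/share"
fi
```

On a real host, point the check functions at /etc/samba/smb.conf and /etc/nsswitch.conf and feed `resolve_group` the output of `wbinfo -g`; once `getent group` lists the domain groups, the same quoted name that `resolve_group` prints is what both `chgrp` and `valid users` will accept.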


Re: [Samba] Grant only one AD group to samba share ?

2012-05-22 Thread Newman, John W
Thanks..

Unfortunately neither suggestion worked

chgrp still just says "invalid group"

valid users  = @"DOMAIN\\My Group" behaves the same as I described in the OP.  
Valid credentials = access denied ; invalid credentials = invalid name or bad 
password. I already tried all sorts of things in valid users, but nothing is 
the magic string I need. 

Any other ideas?

Thanks for the help so far, much appreciated!!

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of steve
Sent: Tuesday, May 22, 2012 04:59
To: samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

On 21/05/12 23:36, Dale Schroeder wrote:
> On 05/21/2012 3:42 PM, Newman, John W wrote:


>> Thanks for the suggestion, but .. that doesn't work ...
>>
>>
>> chgrp My\ Group /media/share
>> chgrp: invalid group: `My Group'
>>
>>
>> "My Group" is a windows AD group, not a local linux group. The 
>> machine is "joined" to the windows domain through "net ads join", but 
>> I don't think the security is that tightly integrated. I don't have 
>> windows groups mapped to linux groups I've created or anything like that.
>> chgrp is expecting a linux group. Right?
>>
>> Probably I am missing something, or you guys need more information.
>> Any thoughts?

Hi
Sorry. I forgot about winbind (we use nss-pam-ldapd). With winbind running that 
should read:

chgrp MYDOMAIN\\My\ Group /media/share

Cheers,
Steve



Re: [Samba] Grant only one AD group to samba share ?

2012-05-21 Thread Newman, John W
OK, I definitely am missing something.  the group IDs do seem to work somewhat, 
but perhaps I just have the wrong syntax.  I keep going back to these two lines 
that he put there a long time ago:


winbind separator = \\
winbind use default domain = yes


I see others using & or % or @ ...


wbinfo -Y $(wbinfo -n "`wbinfo -g | grep Group`" | cut -d " " -f 1)
10005

so the SID mapping is somehow happening.  It's weird though as each time I call 
that with a different group name, the 1 number just goes up by one.  Like 
it is making up the unix IDs as it goes and perhaps something isn't set right.  
 Shouldn't all of the AD groups be tied to a unix ID automatically, and not 
just making them up one at a time?

Anyway, I'm not sure if that relates to my real problem here or not.  I 
understand the nix security model pretty well ... windows not so much  .. and 
bringing windows permissions into a nix machine, not at all!!  :D   This was 
all set up by another dev who is no longer in our department, I am trying to 
make sense of it and enhance it.  

Steve's suggestion below is probably correct to set the permissions on the 
share how I need, but what am I missing to get that chgrp command to work right?

Thanks

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Newman, John W
Sent: Monday, May 21, 2012 15:43
To: 'steve'; samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

Thanks for the suggestion, but .. that doesn't work ...


chgrp My\ Group /media/share
chgrp: invalid group: `My Group'


"My Group" is a windows AD group, not a local linux group.  The machine is 
"joined" to the windows domain through "net ads join", but I don't think the 
security is that tightly integrated.  I don't have windows groups mapped to 
linux groups I've created or anything like that. chgrp is expecting a linux 
group.  Right?

Probably I am missing something, or you guys need more information.  Any 
thoughts?


-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of steve
Sent: Monday, May 21, 2012 11:57
To: samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

On 05/21/2012 05:20 PM, Newman, John W wrote:
> All,
>
> On my ubuntu linux machine here, I already have samba set up and 
> configured with winbind to perform authentication against the local windows 
> domain controller. Thankfully that part is all working fine - that was 
> supposed to be the hard part. The issue I have now is: I need to grant 
> members of a certain AD group access to share (this was supposed to be easy, 
> but is not working). Sanity check of winbind (sample output):
> $ wbinfo -g
> MYDOMAIN\domain admins
> MYDOMAIN\domain users
> MYDOMAIN\my group
> MYDOMAIN\my group2
> Looks good. I need to grant all users in "my group" access to the share, all 
> others shouldn't even see it.
>
> [share]
>comment = Testing
>path = /media/share
>guest ok = no
>read only = yes
>valid users = @"MYDOMAIN\My Group"
>browseable = no
>locking = no
> If I put guest ok = yes, everything works fine. If I turn it to no, I get an 
> authentication prompt. Answering it with invalid credentials comes back with 
> "invalid user name or bad password", vs valid credentials says "access 
> denied". So I know that the authentication with the domain controller is 
> working fine, but limiting access to that group only is not.
>
> The group name has a space in it which probably isn't helping. I have tried 
> many different combinations, but nothing seems to work. What is the proper 
> syntax for this? We have winbind separator=\ earlier in the config file 
> -- is that part of the problem maybe?
>valid users = @"MYDOMAIN\My Group"
>valid users = "@MYDOMAIN\My Group"
>valid users = "MYDOMAIN\My Group"
> etc
> nothing seems to work. My methodology for testing this is fine as soon as i 
> put guest ok =yes, the share still works.   What's the right syntax for valid 
> users = "My Domain\My Group"? Any thoughts?
> Thanks,
> John
Hi
You don't really need smb.conf to get group only entry.

Just have smb.conf with:

[share]
   comment = Testing
   path = /media/share

read only = No

chgrp My\ Group /media/share
chmod 0770 /media/share
chmod g+s /media/share
setfacl -d -Rm g::rw /media/share

Now, only members of My Group can get into the share, no matter what you have 
in smb.conf. Once inside, any files created therein become group rw for My 
Group members.

HTH
Steve

Re: [Samba] Grant only one AD group to samba share ?

2012-05-21 Thread Newman, John W
Thanks for the suggestion, but .. that doesn't work ...


chgrp My\ Group /media/share
chgrp: invalid group: `My Group'


"My Group" is a windows AD group, not a local linux group.  The machine is 
"joined" to the windows domain through "net ads join", but I don't think the 
security is that tightly integrated.  I don't have windows groups mapped to 
linux groups I've created or anything like that. chgrp is expecting a linux 
group.  Right?

Probably I am missing something, or you guys need more information.  Any 
thoughts?


-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of steve
Sent: Monday, May 21, 2012 11:57
To: samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

On 05/21/2012 05:20 PM, Newman, John W wrote:
> All,
>
> On my ubuntu linux machine here, I already have samba set up and 
> configured with winbind to perform authentication against the local windows 
> domain controller. Thankfully that part is all working fine - that was 
> supposed to be the hard part. The issue I have now is: I need to grant 
> members of a certain AD group access to share (this was supposed to be easy, 
> but is not working). Sanity check of winbind (sample output):
> $ wbinfo -g
> MYDOMAIN\domain admins
> MYDOMAIN\domain users
> MYDOMAIN\my group
> MYDOMAIN\my group2
> Looks good. I need to grant all users in "my group" access to the share, all 
> others shouldn't even see it.
>
> [share]
>comment = Testing
>path = /media/share
>guest ok = no
>read only = yes
>valid users = @"MYDOMAIN\My Group"
>browseable = no
>locking = no
> If I put guest ok = yes, everything works fine. If I turn it to no, I get an 
> authentication prompt. Answering it with invalid credentials comes back with 
> "invalid user name or bad password", vs valid credentials says "access 
> denied". So I know that the authentication with the domain controller is 
> working fine, but limiting access to that group only is not.
>
> The group name has a space in it which probably isn't helping. I have tried 
> many different combinations, but nothing seems to work. What is the proper 
> syntax for this? We have winbind separator=\ earlier in the config file 
> -- is that part of the problem maybe?
>valid users = @"MYDOMAIN\My Group"
>valid users = "@MYDOMAIN\My Group"
>valid users = "MYDOMAIN\My Group"
> etc
> nothing seems to work. My methodology for testing this is fine as soon as i 
> put guest ok =yes, the share still works.   What's the right syntax for valid 
> users = "My Domain\My Group"? Any thoughts?
> Thanks,
> John
Hi
You don't really need smb.conf to get group only entry.

Just have smb.conf with:

[share]
   comment = Testing
   path = /media/share

read only = No

chgrp My\ Group /media/share
chmod 0770 /media/share
chmod g+s /media/share
setfacl -d -Rm g::rw /media/share

Now, only members of My Group can get into the share, no matter what you have 
in smb.conf. Once inside, any files created therein become group rw for My 
Group members.

HTH
Steve



[Samba] Grant only one AD group to samba share ?

2012-05-21 Thread Newman, John W
All,

On my ubuntu linux machine here, I already have samba set up and configured 
with winbind to perform authentication against the local windows domain 
controller. Thankfully that part is all working fine - that was supposed to be 
the hard part. The issue I have now is: I need to grant members of a certain AD 
group access to share (this was supposed to be easy, but is not working).
Sanity check of winbind (sample output):
$ wbinfo -g
MYDOMAIN\domain admins
MYDOMAIN\domain users
MYDOMAIN\my group
MYDOMAIN\my group2
Looks good. I need to grant all users in "my group" access to the share, all 
others shouldn't even see it.

[share]
  comment = Testing
  path = /media/share
  guest ok = no
  read only = yes
  valid users = @"MYDOMAIN\My Group"
  browseable = no
  locking = no
If I put guest ok = yes, everything works fine. If I turn it to no, I get an 
authentication prompt. Answering it with invalid credentials comes back with 
"invalid user name or bad password", vs valid credentials says "access denied". 
So I know that the authentication with the domain controller is working fine, 
but limiting access to that group only is not.

The group name has a space in it which probably isn't helping. I have tried 
many different combinations, but nothing seems to work. What is the proper 
syntax for this? We have winbind separator=\ earlier in the config file -- is 
that part of the problem maybe?
  valid users = @"MYDOMAIN\My Group"
  valid users = "@MYDOMAIN\My Group"
  valid users = "MYDOMAIN\My Group"
etc
nothing seems to work. My methodology for testing this is fine as soon as i put 
guest ok =yes, the share still works.   What's the right syntax for valid 
users = "My Domain\My Group"? Any thoughts?
Thanks,
John