Re: [Freeipa-users] IPA, samba, and secondary groups
On 12-03-03 5:56 AM, "Christian Horn" wrote:
> Hi,
>
> On Wed, Feb 29, 2012 at 11:24:25AM -0500, Kelvin Edmison wrote:
>> I am running into an issue where users cannot access a samba volume if
>> their only access is via a secondary group. For example, if testuser's
>> primary group is ipausers, and secondary groups include testgroup, and the
>> samba mount permissions are adminuser:testgroup:rwxrwx---, then testuser
>> cannot read or write to the samba mount. If the testuser is changed so that
>> its primary group is testgroup, then testuser can access the volume.
>>
>> In this case, samba is running on a separate CentOS 5 server, configured to
>> access IPA via LDAP. It is a requirement that I support
>> userid/password-based access to the samba server, as I cannot roll all my
>> users onto kerberos right away.
>>
>> Does anyone have any insight as to what is going on and how it can be fixed?
>
> I did see something similar recently, the ldapsam backend in samba was
> used.
> You might want to try out 'ldapsam:trusted = no' in smb.conf .

That was it exactly. Many thanks for the pointer!

Kelvin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA, samba, and secondary groups
Hi,

On Wed, Feb 29, 2012 at 11:24:25AM -0500, Kelvin Edmison wrote:
> I am running into an issue where users cannot access a samba volume if
> their only access is via a secondary group. For example, if testuser's
> primary group is ipausers, and secondary groups include testgroup, and the
> samba mount permissions are adminuser:testgroup:rwxrwx---, then testuser
> cannot read or write to the samba mount. If the testuser is changed so that
> its primary group is testgroup, then testuser can access the volume.
>
> In this case, samba is running on a separate CentOS 5 server, configured to
> access IPA via LDAP. It is a requirement that I support
> userid/password-based access to the samba server, as I cannot roll all my
> users onto kerberos right away.
>
> Does anyone have any insight as to what is going on and how it can be fixed?

I did see something similar recently, the ldapsam backend in samba was
used.
You might want to try out 'ldapsam:trusted = no' in smb.conf .

Christian
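The two checks this thread converges on (does NSS actually return the secondary group for the user, and is smbd configured to bypass NSS for group lookups) can be scripted. The following is an added diagnostic written for this page; it is not code from the thread, from FreeIPA, or from Samba. The `id` output, the smb.conf contents, the share name and the LDAP server name are all constructed for the example. It encodes the behaviour behind Christian's pointer: with `passdb backend = ldapsam` and `ldapsam:trusted = yes`, smbd resolves group membership with its own LDAP queries against the layout it expects (posixGroup/memberUid) instead of asking NSS, so groups that only SSSD resolves for the IPA user disappear from the Samba session; `ldapsam:trusted = no` (the default) sends group lookups back through NSS.

```python
"""Added diagnostic for the thread's two checks (not from the original post).

Check 1: does NSS (SSSD) return the secondary group for the user?
         This is the `id testuser` test Stephen suggested.
Check 2: is smbd told to bypass NSS for group membership?
         `passdb backend = ldapsam` plus `ldapsam:trusted = yes` makes Samba
         run its own LDAP group queries; `ldapsam:trusted = no` fixes it.
"""
import re

# --- constructed sample inputs (not captured from the thread's systems) ----
SAMPLE_ID_OUTPUT = (
    "uid=1234(testuser) gid=5000(ipausers) "
    "groups=5000(ipausers),5001(testgroup)"
)

# Hypothetical smb.conf carrying the setting that drops NSS-supplied groups.
SAMPLE_SMB_CONF_BROKEN = """\
[global]
    workgroup = EXAMPLE
    security = user
    passdb backend = ldapsam:ldap://ipa.example.test
    ldap suffix = dc=example,dc=test
    # trusted = yes: smbd does its own LDAP group queries instead of NSS
    ldapsam:trusted = yes

[shared]
    path = /srv/shared
    valid users = @testgroup
    writable = yes
"""

# The same configuration with Christian's fix applied.
SAMPLE_SMB_CONF_FIXED = SAMPLE_SMB_CONF_BROKEN.replace(
    "ldapsam:trusted = yes", "ldapsam:trusted = no"
)

_ID_ENTRY = re.compile(r"\d+\(([^)]*)\)")   # matches "5001(testgroup)"


def parse_id_output(text):
    """Return (primary_group, {all groups}) from the output of `id <user>`."""
    gid = re.search(r"gid=(\d+\([^)]*\))", text)
    primary = _ID_ENTRY.match(gid.group(1)).group(1) if gid else None
    groups = set()
    if "groups=" in text:
        # the groups field ends at the next blank (e.g. before an SELinux context=)
        groups_field = (text.split("groups=", 1)[1].split() or [""])[0]
        groups = set(_ID_ENTRY.findall(groups_field))
    return primary, groups


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {parameter: value}}.

    Parameter names are lower-cased with whitespace removed, which is how
    Samba matches them; full-line comments start with ';' or '#'.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def _is_true(value):
    return value.strip().lower() in ("yes", "true", "1")


def diagnose(id_output, smb_conf_text, user, group):
    """List the reasons `user` may lose access granted only via `group`."""
    findings = []
    _primary, groups = parse_id_output(id_output)
    if group not in groups:
        findings.append(
            f"NSS does not put {user} in {group}; fix SSSD/IPA before Samba"
        )
    glob = parse_smb_conf(smb_conf_text).get("global", {})
    backend = glob.get("passdbbackend", "")
    if backend.startswith("ldapsam") and _is_true(glob.get("ldapsam:trusted", "no")):
        findings.append(
            "ldapsam:trusted = yes: smbd resolves group membership with its own "
            "LDAP queries instead of NSS, so groups only SSSD knows about are "
            "dropped; set 'ldapsam:trusted = no'"
        )
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", SAMPLE_SMB_CONF_BROKEN),
                        ("fixed", SAMPLE_SMB_CONF_FIXED)):
        print(label, diagnose(SAMPLE_ID_OUTPUT, conf, "testuser", "testgroup") or ["ok"])
```

On a real server, feed `diagnose()` the output of `id testuser` and of `testparm -s` (which prints the effective, merged smb.conf) rather than the constructed samples. The NSS check comes first deliberately: if `id` does not list the group, changing `ldapsam:trusted` will not help, which is why Stephen asked for that output before anything else.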
Re: [Freeipa-users] IPA, samba, and secondary groups
On 12-02-29 2:13 PM, "Stephen Gallagher" wrote:
> On Wed, 2012-02-29 at 13:49 -0500, Kelvin Edmison wrote:
>> On 12-02-29 1:40 PM, "Stephen Gallagher" wrote:
>>
>>> On Wed, 2012-02-29 at 11:24 -0500, Kelvin Edmison wrote:
>>>> Hi all,
>>>>
>>>> I am running into an issue where users cannot access a samba volume if
>>>> their only access is via a secondary group. For example, if testuser's
>>>> primary group is ipausers, and secondary groups include testgroup, and the
>>>> samba mount permissions are adminuser:testgroup:rwxrwx---, then testuser
>>>> cannot read or write to the samba mount. If the testuser is changed so that
>>>> its primary group is testgroup, then testuser can access the volume.
>>>>
>>>> In this case, samba is running on a separate CentOS 5 server, configured to
>>>> access IPA via LDAP. It is a requirement that I support
>>>> userid/password-based access to the samba server, as I cannot roll all my
>>>> users onto kerberos right away.
>>>>
>>>> Does anyone have any insight as to what is going on and how it can be fixed?
>>>
>>> First step would be to make sure that the system is properly looking up
>>> the user's secondary groups.
>>>
>>> Try 'id testuser' and see if 'testgroup' is listed in the output. If
>>> it's not, I'll bet you have either a configuration issue or a bug in
>>> SSSD somewhere.
>>>
>>> Also, what version of SSSD are you running? FreeIPA pretty much needs
>>> 1.5.x or later nowadays for full feature support.
>>
>> 'id testuser' returns gid=ipausers and groups=ipausers,testgroup.
>>
>> SSSD RPM is sssd-1.5.1-37.el5
>>
>> I'm no samba expert so it's quite possible I may have botched setup in that
>> arena.
>
> One more question: was the user added to "testgroup" after logging in?
> Does logging out and logging back in resolve the problem? In Linux,
> users are only assigned their groups at login time. They don't ever
> change memberships until a new session.

Unfortunately, it does not resolve the problem.

I have even gone to the extent of ensuring that testuser was logged out, and
then shutting down sssd, clearing its cache, and restarting it.

Should I expect that secondary groups would work in this samba/ipa
configuration?
Re: [Freeipa-users] IPA, samba, and secondary groups
On Wed, 2012-02-29 at 13:49 -0500, Kelvin Edmison wrote:
> On 12-02-29 1:40 PM, "Stephen Gallagher" wrote:
>
>> On Wed, 2012-02-29 at 11:24 -0500, Kelvin Edmison wrote:
>>> Hi all,
>>>
>>> I am running into an issue where users cannot access a samba volume if
>>> their only access is via a secondary group. For example, if testuser's
>>> primary group is ipausers, and secondary groups include testgroup, and the
>>> samba mount permissions are adminuser:testgroup:rwxrwx---, then testuser
>>> cannot read or write to the samba mount. If the testuser is changed so that
>>> its primary group is testgroup, then testuser can access the volume.
>>>
>>> In this case, samba is running on a separate CentOS 5 server, configured to
>>> access IPA via LDAP. It is a requirement that I support
>>> userid/password-based access to the samba server, as I cannot roll all my
>>> users onto kerberos right away.
>>>
>>> Does anyone have any insight as to what is going on and how it can be fixed?
>>
>> First step would be to make sure that the system is properly looking up
>> the user's secondary groups.
>>
>> Try 'id testuser' and see if 'testgroup' is listed in the output. If
>> it's not, I'll bet you have either a configuration issue or a bug in
>> SSSD somewhere.
>>
>> Also, what version of SSSD are you running? FreeIPA pretty much needs
>> 1.5.x or later nowadays for full feature support.
>
> 'id testuser' returns gid=ipausers and groups=ipausers,testgroup.
>
> SSSD RPM is sssd-1.5.1-37.el5
>
> I'm no samba expert so it's quite possible I may have botched setup in that
> arena.

One more question: was the user added to "testgroup" after logging in?
Does logging out and logging back in resolve the problem? In Linux,
users are only assigned their groups at login time. They don't ever
change memberships until a new session.
Re: [Freeipa-users] IPA, samba, and secondary groups
On 12-02-29 1:40 PM, "Stephen Gallagher" wrote:
> On Wed, 2012-02-29 at 11:24 -0500, Kelvin Edmison wrote:
>> Hi all,
>>
>> I am running into an issue where users cannot access a samba volume if
>> their only access is via a secondary group. For example, if testuser's
>> primary group is ipausers, and secondary groups include testgroup, and the
>> samba mount permissions are adminuser:testgroup:rwxrwx---, then testuser
>> cannot read or write to the samba mount. If the testuser is changed so that
>> its primary group is testgroup, then testuser can access the volume.
>>
>> In this case, samba is running on a separate CentOS 5 server, configured to
>> access IPA via LDAP. It is a requirement that I support
>> userid/password-based access to the samba server, as I cannot roll all my
>> users onto kerberos right away.
>>
>> Does anyone have any insight as to what is going on and how it can be fixed?
>
> First step would be to make sure that the system is properly looking up
> the user's secondary groups.
>
> Try 'id testuser' and see if 'testgroup' is listed in the output. If
> it's not, I'll bet you have either a configuration issue or a bug in
> SSSD somewhere.
>
> Also, what version of SSSD are you running? FreeIPA pretty much needs
> 1.5.x or later nowadays for full feature support.

'id testuser' returns gid=ipausers and groups=ipausers,testgroup.

SSSD RPM is sssd-1.5.1-37.el5

I'm no samba expert so it's quite possible I may have botched setup in that
arena.
Re: [Freeipa-users] IPA, samba, and secondary groups
On Wed, 2012-02-29 at 11:24 -0500, Kelvin Edmison wrote:
> Hi all,
>
> I am running into an issue where users cannot access a samba volume if
> their only access is via a secondary group. For example, if testuser's
> primary group is ipausers, and secondary groups include testgroup, and the
> samba mount permissions are adminuser:testgroup:rwxrwx---, then testuser
> cannot read or write to the samba mount. If the testuser is changed so that
> its primary group is testgroup, then testuser can access the volume.
>
> In this case, samba is running on a separate CentOS 5 server, configured to
> access IPA via LDAP. It is a requirement that I support
> userid/password-based access to the samba server, as I cannot roll all my
> users onto kerberos right away.
>
> Does anyone have any insight as to what is going on and how it can be fixed?

First step would be to make sure that the system is properly looking up
the user's secondary groups.

Try 'id testuser' and see if 'testgroup' is listed in the output. If
it's not, I'll bet you have either a configuration issue or a bug in
SSSD somewhere.

Also, what version of SSSD are you running? FreeIPA pretty much needs
1.5.x or later nowadays for full feature support.
[Freeipa-users] IPA, samba, and secondary groups
Hi all,

I am running into an issue where users cannot access a samba volume if
their only access is via a secondary group. For example, if testuser's
primary group is ipausers, and secondary groups include testgroup, and the
samba mount permissions are adminuser:testgroup:rwxrwx---, then testuser
cannot read or write to the samba mount. If the testuser is changed so that
its primary group is testgroup, then testuser can access the volume.

In this case, samba is running on a separate CentOS 5 server, configured to
access IPA via LDAP. It is a requirement that I support
userid/password-based access to the samba server, as I cannot roll all my
users onto kerberos right away.

Does anyone have any insight as to what is going on and how it can be fixed?

Thanks,
Kelvin