Hi,

I have a debian 9 (stretch) samba domain member. I am using sssd rather than 
winbind and also managing samba with ctdb as this will eventually run in a 
clustered environment. I have inherited the configuration for this that has 
only been previously tested with public shares. I am not a sysadmin, I am 
primarily a java developer and the task of making this work has fallen to me.

I need the domain admins or at least the domain administrator to be able to 
alter ownership of shares from windows and set ACL's on shares and subfolders.

My first attempts were on debian 8 and I could not administer the shares from 
windows or assign ACL's. If I changed the ownership on the samba domain member 
to 'administrator@smb.local:domain admins@smb.local' I could appear to do some 
administration. I could set ownership and ACL's on the share and sub folders. 
However these appeared only in windows and the acl's were never set on the linux 
side.

Some reading led me to believe that I needed to use libwbclient-sssd to make 
this work. Hence the move to debian 9.

In debian 9 I ran into the same issue when using the samba libwbclient. I can 
set acl's from the command line on debian and windows does detect these, but 
setting the acl's from windows doesn't appear to work.

When I changed to use the libwbclient-sssd things got worse. I can't logon to 
the shares as the auth appears to be ntlmssp. If I used smbclient -k the auth 
is krb5 but logon still fails. Both these work with the samba libwbclient and 
the usernames and passwords are correct.

So I have multiple problems...

acl's cannot be set from windows onto the debian shares
libwbclient-sssd doesn't support ntlm and logon fails with krb5

My questions are

1. Is it possible for a domain administrator to set acl's from windows onto 
samba shares?
2. Has anyone got a configuration with sssd where a domain administrator can 
set acl's from windows onto samba shares?
3. How can I force all clients to use krb5 rather than ntlm?

The full config I am using is listed below

debian_version = 9.0

# Packages used on Debian 9. libwbclient-sssd is intended to take the place of
# Samba's own libwbclient (via the Debian alternatives mechanism) so that smbd's
# winbind-client calls are answered by SSSD instead of winbindd.
apt-get install ctdb
apt-get install samba
apt-get install sssd
apt-get install libwbclient-sssd
apt-get install smbclient
apt-get install libkrb5-dev
apt-get install libkrb5-3
apt-get install libsasl2-modules-gssapi-mit

#########################################################

cat /etc/samba/smb.conf 
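[global]

    workgroup = SMB
    server string = SMB Gateway
    # "bad uid": a user who authenticates successfully but has no resolvable
    # Unix uid is silently mapped to guest. While SSSD id mapping is still being
    # debugged this can disguise lookup failures as guest sessions; consider
    # "map to guest = never" until ownership/ACL behaviour is confirmed.
    map to guest = bad uid
    clustering = yes
    # Caps negotiation at SMB 2.1; SMB3 (and its signing/encryption features)
    # is not offered to clients.
    server max protocol = SMB2_10

#================== ACL support =====================

    store dos attributes = Yes
    # "dos filemode" was defined twice in the original file (here and under
    # "fix file issues"); a single definition avoids ambiguity about which wins.
    dos filemode = Yes
    vfs objects = acl_xattr

#================== NTLM hardening =====================

    # Disable LanMan and NTLMv1 on the server side and for Samba's own
    # client-side connections.
    client lanman auth = no
    lanman auth = no
    ntlm auth = no
    # Keep NTLMv2 enabled for Samba's client-side connections (e.g. to the DC).
    # The original "client NTLMv2 auth = no" forced the weaker NTLMv1 for those
    # connections, which is the opposite of the section's intent and is commonly
    # rejected by domain controllers.
    client NTLMv2 auth = yes
    # Note: none of these settings force Windows clients to use Kerberos; a
    # client that connects by IP address, or to a name with no matching SPN,
    # will typically still attempt NTLM.

#================== Performance Options =====================

    socket options = TCP_NODELAY
    max xmit = 262144
    deadtime = 15

    smb2 max read = 8388608
    smb2 max trans = 8388608
    smb2 max write = 8388608

    dbwrap_tdb_mutexes:* = yes
    min receivefile size = 131072
    aio read size = 16384
    aio write size = 16384
    write cache size = 262144

#==================== Logging Options =================

    log file = /var/log/samba/log.%m
    max log size = 50
    # 10 is the maximum debug level and produces very large, detail-rich logs;
    # lower it once troubleshooting is finished.
    log level = 10

#========= Standalone / Domain Server Options =========

    security = ads

#================ Domain Members Options ==============

    # Samba upper-cases the realm (testparm reports SMB.LOCAL); it must match
    # default_realm in krb5.conf and krb5_realm in sssd.conf.
    realm = SMB.local
    # Kerberos tickets are verified against the system keytab (typically
    # /etc/krb5.keytab); it must hold this host's service principals or
    # Kerberos logons to the shares will fail.
    kerberos method = system keytab

#================ fix file issues ==============

    unix extensions = no

#================ No printers  ==================

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

#======================= Shares =======================

[share2]
    path = /var/testshares/share2
    writeable = True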

#########################################################
cat /etc/krb5.conf 

[libdefaults]   
        
# Realm names are upper-case; this must match krb5_realm in sssd.conf
# (Samba normalizes "realm = SMB.local" in smb.conf to SMB.LOCAL, as the
# testparm output shows).
default_realm = SMB.LOCAL

#########################################################

cat /etc/nsswitch.conf 

# Lookup order: local (compat) entries are consulted first, then the
# SSSD-provided AD accounts; a name found locally shadows the AD one.
passwd:         compat  sss
group:          compat  sss
shadow:         compat  sss
gshadow:        files

hosts:          files   dns     sss
networks:       files

protocols:      db      files
services:       db      files   sss
ethers:         db      files
rpc:            db      files

#########################################################

cat /etc/sssd/sssd.conf 

# sssd.conf: SSSD requires this file to be owned by root with mode 0600 and
# refuses to start otherwise.
[sssd]
config_file_version = 2
domains = SMB.local
services = nss, pam
# 9 is a very verbose level (here and in the sections below); reduce it once
# troubleshooting is done.
debug_level = 9
                
[nss]           
debug_level = 9
                
[pam]           
debug_level = 9

[domain/SMB.local]
debug_level = 9
default_shell = /bin/bash
# Must be upper-case and match default_realm in krb5.conf.
krb5_realm = SMB.LOCAL
id_provider = ad
access_provider = ad
# Allows logon while the DC is unreachable; a hashed form of the password is
# kept in the local SSSD cache.
cache_credentials = true
# Users are exposed as user@SMB.local (see the getent output at the end of the
# message), so ownership on the Samba host has to use that form too.
use_fully_qualified_names = true
krb5_store_password_if_offline = true
# GPO-based logon restrictions are not evaluated by the ad access provider.
ad_gpo_access_control = disabled

#########################################################

cat /etc/sysconfig/ctdb

# Options to ctdbd, read by ctdbd_wrapper(1)
#
# See ctdbd.conf(5) for more information about CTDB configuration variables.

# Shared recovery lock file to avoid split brain.  No default.
#
# Do NOT run CTDB without a recovery lock file unless you know exactly
# what you are doing.
# NOTE(review): /tmp is node-local and world-writable, so this lock cannot be
# shared between cluster nodes; the split-brain protection only works when the
# path is on storage every node mounts. Acceptable for the single-node
# (127.0.0.1) test setup in /etc/ctdb/nodes, not for a real cluster.
CTDB_RECOVERY_LOCK=/tmp/ctdb.lock

# List of nodes in the cluster.  Default is below.
CTDB_NODES=/etc/ctdb/nodes

# List of public addresses for providing NAS services.  No default.
CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses

# What services should CTDB manage?  Default is none.
CTDB_MANAGES_SAMBA=yes
# winbind is left unmanaged, consistent with using SSSD instead of winbind
# for identity lookups.
# CTDB_MANAGES_WINBIND=yes
# CTDB_MANAGES_NFS=yes

# Raise the file descriptor limit for CTDB?
# Presumably this file is sourced as shell by ctdbd_wrapper, so the builtin
# applies to the daemon it starts.
ulimit -n 10000

# Default is to use the log file below instead of syslog.
CTDB_LOGFILE=/var/log/log.ctdb
CTDB_SYSLOG=no

# Default log level is ERR.  NOTICE is a little more verbose.
CTDB_DEBUGLEVEL=NOTICE

# Set some CTDB tunable variables during CTDB startup?
# CTDB_SET_TraverseTimeout=60

CTDB_SERVICE_SMB=smbd

#########################################################

cat /etc/ctdb/nodes 

127.0.0.1
#########################################################
ctdb public_addresses is empty

#########################################################


testparm -s

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
        realm = SMB.LOCAL
        server string = SMB Gateway
        workgroup = SMB
        log file = /var/log/samba/log.%m
        max log size = 50
        clustering = Yes
        disable spoolss = Yes
        load printers = No
        printcap name = /dev/null
        max xmit = 262144
        min receivefile size = 131072
        server max protocol = SMB2
        unix extensions = No
        client NTLMv2 auth = No
        kerberos method = system keytab
        map to guest = Bad Uid
        security = ADS
        deadtime = 15
        dbwrap_tdb_mutexes:* = yes
        idmap config * : backend = tdb
        store dos attributes = Yes
        dos filemode = Yes
        printing = bsd
        aio read size = 16384
        aio write size = 16384
        write cache size = 262144
        vfs objects = acl_xattr


[share]
        path = /var/testshares/share3
        read only = No

#########################################################


domain successfully joined with

# Passing the password inline (-Uuser%password) exposes it in the process list
# and shell history; omit the %password part and let net prompt for it.
net ads join -Uadministrator%password

dns successfully registered with

# Same caveat as for "net ads join": the inline %password is visible in the
# process list and shell history; prefer an interactive prompt.
net ads dns register stretch.smb.local 192.168.1.156 -Uadministrator%password

getent passwd administrator@SMB.local
administrator@SMB.local:*:778800500:778800513:Administrator:/:/bin/bash