Hello all, hope all is well/happy holidays

Checked on the samba list and they directed me here.....
My issue is valid users in smb.conf containing an AD group

I have tried this on systems running cent7u2 and ubuntu trusty. These systems 
are running sssd. I can log in with AD users and chown/chgrp files with AD 
groups. However, I can't get AD groups to work with valid users in the smb.conf 
for restricting share access. If I just set individual AD users, it works just 
fine.

Also locally everything works as expected. For example I can chown a folder to 
be owned by an AD group with 2770. I can log into the host via 
passwd/kerberos ticket and chdir into that directly without issue. Below, the 
user in question is part of MC-Services, apologies, not trying to be overly 
obvious.

drwxrwsr-x   3 appadmin MC-Services  4096 Dec 15 14:47 logs

Again, singly listed AD users work with valid users. This kind of abstraction is 
nice so I don't have to tweak FS perms to "match" shared out access. Right now 
with the local FS perms above I can get into the share if I have the share 
set up as below

[logs]
        comment = Server Logs
        path = /logs
        writable = no
        valid users = jsmith
        printable = no

So it seems samba can handle the users, but not AD groups, or can't get the 
info/membership for the AD groups. If I change the owner of the dir to be 
completely owned by appadmin, the testing user can no longer get into the 
share, which makes sense.

Any thoughts/help would be greatly appreciated.
thanks and regards

some info on samba vers on the centos host

samba-common-4.2.3-12.el7_2.noarch
samba-common-tools-4.2.3-12.el7_2.x86_64
samba-common-libs-4.2.3-12.el7_2.x86_64
samba-4.2.3-12.el7_2.x86_64
samba-libs-4.2.3-12.el7_2.x86_64
samba-client-libs-4.2.3-12.el7_2.x86_64

[root@Xsamba]# smbd -V
Version 4.2.3


>>>Here is the SAMBA config

[global]
        workgroup = mc
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        security = ads
        bind interfaces only = yes
        interfaces=192.168.99.0/24
        dedicated keytab file=/etc/krb5.keytab
        password server = 192.168.1.2 192.168.1.3
        realm = MC.FOO.COM
        passdb backend = tdbsam
        map to guest = Bad Uid


[homes]
        comment = Home Directories
        browseable = no
        writable = yes

[logs]
        comment = Server Logs
        path = /logs
        writable = no
        #valid users = jsmith
        valid users = @"MC\MC-Services"
        printable = no
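
A way to see what NSS (and so sssd on these hosts) returns for each `valid users` entry of a share like the one above. This is an added example, not part of the original post; stripping the `DOMAIN\` prefix, the `nosuchgroup` entry and the helper names are assumptions made for illustration.

```python
import grp
import re

# Constructed sample modelled on the [logs] share in the post.
SAMPLE_CONF = r'''
[logs]
    path = /logs
    #valid users = jsmith
    valid users = appadmin, @"MC\MC-Services" +nosuchgroup
'''

def share_option(conf_text, share, option):
    """Return the last value of `option` in [share], or '' if absent."""
    section, value = None, ""
    for line in conf_text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == share.lower() and "=" in line:
            key, val = line.split("=", 1)
            # Commented lines never match: their key starts with '#' or ';'.
            if " ".join(key.lower().split()) == option:
                value = val.strip()
    return value

def parse_entries(raw):
    """Split a 'valid users' value into (is_group, bare_name) pairs."""
    out = []
    for tok in re.findall(r'(?:"[^"]*"|[^\s,"])+', raw):
        tok = tok.replace('"', "")
        name = tok.lstrip("@+&")  # @, + and & mark group lookups
        out.append((name != tok, name.split("\\")[-1]))  # assumption: drop DOMAIN\
    return out

def nss_members(group):
    """Member list as NSS reports it, or None if the group is unknown."""
    try:
        return grp.getgrnam(group).gr_mem
    except KeyError:
        return None

def check_share(conf_text, share, user, lookup=nss_members):
    """Say, per entry, whether NSS data would admit `user`."""
    report = {}
    for is_group, name in parse_entries(share_option(conf_text, share, "valid users")):
        members = lookup(name) if is_group else [name]
        report[name] = ("group not resolvable" if members is None
                        else "allows" if user in members else "no match")
    return report
```

`gr_mem` does not list users whose primary group is the one being checked, so compare the result with `id jsmith` on the host as well.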

