On Thu, Dec 15, 2016 at 10:28:06PM -0000, [email protected] wrote:
> Hello all, hope all is well/happy holidays
>
> Checked on the samba list and they directed me here.....
> My issue is valid users in smb.conf containing an AD group
>
> I have tried this on systems running cent7u2 and ubuntu trusty. These systems
> are running sssd. I can login with AD users and chown/chgrp file with AD
> groups. However, I can't get AD groups to work with valid users in the
> smb.conf for restricting share access. If I just set individual AD users,
> works just fine.
>
> Also locally everything works as expected. For example I can chown a folder
> to be owned by an AD group with 2770. I can login into the host via
> passwd/kerberos ticket and chdir into that directly without issue, below the
> user in question is part of MC-Services, apologies not trying to be overly
> obvious.
>
> drwxrwsr-x 3 appadmin MC-Services 4096 Dec 15 14:47 logs
>
> Again singly listed AD users work with valid users. This kind of abstraction
> is nice so I don't have to tweak FS perms to "match" shared out access. Right
> now with the local FS perms above I can get into the share If I have the
> share setup as below
>
> [logs]
> comment = Server Logs
> path = /logs
> writable = no
> valid users = jsmith
> printable = no
>
> So seems samba can handle the users, but not AD groups or can't get the
> info/membership for the AD groups. If I change the owner of the dir to be
> completely owned by appadmin, the testing user can no longer get into the
> share, make sense.
>
> Any thoughts/help would be greatly appreciated.
> thanks and regards
>
> some info on samba vers on the centos host
>
> samba-common-4.2.3-12.el7_2.noarch
> samba-common-tools-4.2.3-12.el7_2.x86_64
> samba-common-libs-4.2.3-12.el7_2.x86_64
> samba-4.2.3-12.el7_2.x86_64
> samba-libs-4.2.3-12.el7_2.x86_64
> samba-client-libs-4.2.3-12.el7_2.x86_64
>
> [root@Xsamba]# smbd -V
> Version 4.2.3
>
>
> >>>Here is the SAMBA config
>
> [global]
> workgroup = mc
> server string = Samba Server Version %v
> log file = /var/log/samba/log.%m
> max log size = 50
> security = ads
> bind interfaces only = yes
> interfaces=192.168.99.0/24
> dedicated keytab file=/etc/krb5.keytab
> password server = 192.168.1.2 192.168.1.3
> realm = MC.FOO.COM
> passdb backend = tdbsam
> map to guest = Bad Uid
>
>
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
>
> [logs]
> comment = Server Logs
> path = /logs
> writable = no
> #valid users = jsmith
> valid users = @"MC\MC-Services"
> printable = no

Is there anything related in the samba logs? You might need to increase the
log level to get more details.

What does the sssd.conf look like?

Does "getent group 'MC\MC-Services'" return the expected group?

bye,
Sumit

>
>
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
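
The `getent group` check suggested in the reply, applied to every group named in a `valid users` line of an smb.conf. This is an added example, not part of the thread or of Samba/sssd; the function names and the `RESOLVER` hook are assumptions made for the example.

```shell
# Added example: list the groups named in smb.conf "valid users" lines and
# check that each one resolves through NSS (sssd in the setup above).

# Print "share<TAB>group" for every @group or +group entry in file $1.
valid_user_groups() {
    awk '
        BEGIN { share = "(none)" }
        /^[ \t]*[#;]/ { next }                      # commented-out lines
        /^[ \t]*\[/ {                               # section header, e.g. [logs]
            share = $0
            sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
            next
        }
        {
            line = $0
            if (tolower(line) !~ /^[ \t]*valid[ \t]*users[ \t]*=/) next
            sub(/^[^=]*=[ \t]*/, "", line)
            # A token is a quoted name with optional prefix, or a bare word.
            while (match(line, /[@+&]*"[^"]*"|[^ \t,]+/)) {
                tok = substr(line, RSTART, RLENGTH)
                line = substr(line, RSTART + RLENGTH)
                if (tok !~ /^[@+]/) continue        # plain user, not a UNIX group
                sub(/^[@+&]+/, "", tok); gsub(/"/, "", tok)
                print share "\t" tok
            }
        }
    ' "$1"
}

# Report OK/MISSING per group; return 1 if any group cannot be resolved.
# RESOLVER is a hook assumed by this example; the default is `getent group`.
check_valid_user_groups() {
    rc=0
    tab=$(printf '\t')
    found=$(valid_user_groups "$1")
    while IFS="$tab" read -r share group; do
        [ -n "$group" ] || continue
        if ${RESOLVER:-getent group} "$group" >/dev/null 2>&1; then
            printf 'OK       [%s] %s\n' "$share" "$group"
        else
            printf 'MISSING  [%s] %s\n' "$share" "$group"
            rc=1
        fi
    done <<EOF
$found
EOF
    return "$rc"
}

# When run as a script: sh thisfile /etc/samba/smb.conf
if [ "$#" -gt 0 ]; then check_valid_user_groups "$1"; fi
```

MISSING means NSS could not resolve the name exactly as it is written in smb.conf; which name forms sssd accepts depends on the sssd configuration.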
