[Samba] using AD groups in "username map"




Hi,

I'm trying to set up Samba 4.6 on CentOS 7.4 as a Domain Member of a Windows 2012R2 Domain Controller with AD. To administer share security I have to use the "username map" feature. This works when I enumerate individual AD users there. When I want to use AD groups it only works with "primary" groups. This way I can't use the "Domain Admins" group from AD there, since the "primary" group (unix style) of all AD users is "Domain Users".

I'm using the "rid" idmap backend, where I can't change the linux primary group membership of AD users (in my experience). I know I can change linux primary group membership with the "ad" idmap backend, but also only when using the Unix extensions in AD (changing the Windows primary group has no effect and is deprecated anyway). I want to avoid this and don't want to believe this is necessary in the first place.

Some configuration details:

smb.conf:
security = ADS
passdb backend = tdbsam
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-999999
winbind enum users  = yes
winbind enum groups = yes
username map = /etc/samba/user.map

/etc/samba/user.map:
!root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"
-> this doesn't work!

/etc/nsswitch.conf:
passwd:     files winbind
group:      files winbind

# sudo -u 'MYDOMAIN\mleopo53' id
uid=13627(MYDOMAIN\mleopo53) gid=10513(MYDOMAIN\domain users) groups=10513(MYDOMAIN\domain users),3000(BUILTIN\administrators),3001(BUILTIN\users),10512(MYDOMAIN\domain admins),10572(MYDOMAIN\denied rodc password replication group),13627(MYDOMAIN\mleopo53) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

How can I solve this?

--
Matthias Leopold
IT Systems & Communications
Medizinische Universität Wien
Spitalgasse 23 / BT 88 /Ebene 00
A-1090 Wien
Tel: +43 1 40160-21241
Fax: +43 1 40160-921200
