Re: [Samba] using AD groups in "username map"

On 2018-02-19 at 17:39, Rowland Penny via samba wrote:
> On Mon, 19 Feb 2018 17:03:31 +0100
> Matthias Leopold via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> Hi,
>>
>> I'm trying to set up Samba 4.6 on CentOS 7.4 as a Domain Member of a
>> Windows 2012R2 Domain Controller with AD. To administer share
>> security I have to use the "username map" feature. This works when I
>> enumerate individual AD users there. When I want to use AD groups it
>> only works with "primary" groups. This way I can't use the "Domain
>> Admins" group from AD there, since the "primary" group (unix style) of
>> all AD users is "Domain Users".
>>
>> I'm using the "rid" idmap backend, where I can't change linux primary
>> group membership of AD users (to my experience). I know I can change
>> linux primary group membership with the "ad" idmap backend, but also
>> only when using the Unix extensions in AD (changing Windows primary
>> group has no effect and is deprecated anyway). I want to avoid this
>> and don't want to believe this is necessary in the first place.
>>
>> Some configuration details:
>>
>> smb.conf:
>> security = ADS
>> passdb backend = tdbsam
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config MYDOMAIN : backend = rid
>> idmap config MYDOMAIN : range = 10000-999999
>> winbind enum users  = yes
>> winbind enum groups = yes
>> username map = /etc/samba/user.map
>
> Is that your entire smb.conf ?
>
>> /etc/samba/user.map:
>> !root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"
>
> I have never tried to map a group to a User, but in any case you don't
> need to ;-)
>
> You are using the 'rid' backend, so 'Domain Admins' gets a group ID, or
> to put it another way, the underlying Unix OS knows who 'Domain Admins'
> is.
> Have you read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

This is the documentation I have been following. I was trying to use "acl_xattr:ignore system acls = yes" for the first time. This doesn't seem to work (as I expected). When I use the default "acl_xattr:ignore system acls = no" everything is fine and I don't have to use a "username map".

thx
matthias
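The map file quoted in this thread relies on two pieces of "username map" behaviour from smb.conf(5): an "@group" pattern matches any member of that unix group, and processing continues line by line after a match unless the unix name carries a "!" prefix. The following Python script is an added example (not from the thread, the Samba wiki, or Samba's own code) that parses a map file with those semantics, resolves incoming names against a constructed group database, and lists every pattern that ends up mapped to root. The "backup" and "nobody" lines and the group membership are assumptions added to show the stop rule and a trailing wildcard; the first map line is the one from the thread.

```python
import re

# Constructed sample map file. The '!root' line is the one quoted in the
# thread; the 'backup' and 'nobody' lines are assumptions added to show the
# '!' stop rule and a trailing wildcard.
SAMPLE_MAP = r'''
# comment lines start with '#' or ';'
!root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"
backup = "MYDOMAIN\svc-backup"
nobody = *
'''

# Constructed stand-in for the unix group database (what winbind/nss would
# answer for getgrnam()); names are compared case-insensitively.
SAMPLE_GROUPS = {
    r"MYDOMAIN\domain admins": {r"MYDOMAIN\alice"},
}

# A pattern is either a double-quoted string or a run of non-blank characters.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def _split_patterns(text):
    """Split the right-hand side of a map line, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(text)]


def parse_username_map(text):
    """Parse 'username map' lines into (stop, unix_name, patterns) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'unixname = pattern...'")
        left, right = line.split("=", 1)
        left = left.strip()
        stop = left.startswith("!")          # '!' stops processing on a match
        unix_name = left.lstrip("!").strip()
        patterns = _split_patterns(right)
        if not unix_name or not patterns:
            raise ValueError(f"line {lineno}: empty unix name or pattern list")
        rules.append((stop, unix_name, patterns))
    return rules


def _matches(pattern, name, groups):
    """'*' matches anyone, '@group' matches group members, else exact name."""
    if pattern == "*":
        return True
    if pattern.startswith("@"):
        members = groups.get(pattern[1:].lower(), set())
        return name.lower() in {m.lower() for m in members}
    return pattern.lower() == name.lower()


def resolve(rules, windows_name, groups):
    """Apply the map as smb.conf(5) describes: every line is tried in order,
    a match replaces the name being processed, and only a '!' line stops."""
    groups = {g.lower(): members for g, members in groups.items()}
    name = windows_name
    for stop, unix_name, patterns in rules:
        if any(_matches(p, name, groups) for p in patterns):
            name = unix_name
            if stop:
                break
    return name


def root_mappings(rules):
    """Defender check: every pattern whose unix name is root. Each member of
    such a group acts as root on the file server, so these deserve review."""
    return [p for _, unix_name, patterns in rules if unix_name == "root"
            for p in patterns]


if __name__ == "__main__":
    rules = parse_username_map(SAMPLE_MAP)
    for user in (r"MYDOMAIN\alice", r"MYDOMAIN\svc-backup", r"MYDOMAIN\bob"):
        print(f"{user:22} -> {resolve(rules, user, SAMPLE_GROUPS)}")
    print("patterns mapped to root:", root_mappings(rules))
```

Running it shows why the "!" prefix matters: the member of "Domain Admins" stops at root, but "svc-backup" is first mapped to "backup" and then, because that line has no "!", falls through to the wildcard and ends up as "nobody". The audit list is the part worth keeping in a config review, since the thread's outcome (the default "acl_xattr:ignore system acls = no") means the root mapping is not needed at all.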

