Re: [Samba] using AD groups in "username map"

On Tue, 20 Feb 2018 17:06:32 +0100
Matthias Leopold <matthias.leopold@xxxxxxxxxxxxxxxx> wrote:

> 
> 
> Am 2018-02-19 um 17:39 schrieb Rowland Penny via samba:
> > On Mon, 19 Feb 2018 17:03:31 +0100
> > Matthias Leopold via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > 
> >> Hi,
> >>
> >> I'm trying to set up Samba 4.6 on CentOS 7.4 as a Domain Member of a
> >> Windows 2012R2 Domain Controller with AD. To administer share
> >> security I have to use the "username map" feature. This works when
> >> I enumerate individual AD users there. When I want to use AD
> >> groups it only works with "primary" groups. This way I can't use
> >> the "Domain Admins" group from AD there, since the "primary" group
> >> (Unix style) of all AD users is "Domain Users".
> >>
> >> I'm using the "rid" idmap backend, where I can't change Linux
> >> primary group membership of AD users (in my experience). I know I
> >> can change Linux primary group membership with the "ad" idmap
> >> backend, but only when using the Unix extensions in AD
> >> (changing the Windows primary group has no effect and is deprecated
> >> anyway). I want to avoid this and don't want to believe this is
> >> necessary in the first place.
> >>
> >> Some configuration details:
> >>
> >> smb.conf:
> >> security = ADS
> >> passdb backend = tdbsam
> >> idmap config * : backend = tdb
> >> idmap config * : range = 3000-7999
> >> idmap config MYDOMAIN : backend = rid
> >> idmap config MYDOMAIN : range = 10000-999999
> >> winbind enum users  = yes
> >> winbind enum groups = yes
> >> username map = /etc/samba/user.map
> > 
> > Is that your entire smb.conf ?
> > 
> >>
> >> /etc/samba/user.map:
> >> !root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"
> > 
> > I have never tried to map a group to a User, but in any case you
> > don't need to ;-)
> > 
> > You are using the 'rid' backend, so 'Domain Admins' gets a group
> > ID, or to put it another way, the underlying Unix OS knows who
> > 'Domain Admins' is.
> > Have you read this:
> > 
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> 
> This is the documentation I have been following. I was trying to use
> "acl_xattr:ignore system acls = yes" for the first time. This doesn't
> seem to work (as I expected). When I use the default
> "acl_xattr:ignore system acls = no" everything is fine and I don't
> have to use a "username map".
> 
> thx
> matthias
> 

Hmm, bit of a catch-22 situation here: to use members of 'Domain
Admins' to set the ACLs on a share directory, the group of the share
directory must be 'Domain Admins', but if you tell Samba to ignore the
system ACLs, then 'Domain Admins' will not have permission on the
share.

I have never used 'acl_xattr:ignore system acls = yes' myself, so I
don't know of a workaround. I have ideas, so I will go and test them.

Watch this space ;-)

Rowland
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba