
Re: [Samba] using AD groups in "username map"

Am 2018-02-20 um 17:47 schrieb Rowland Penny via samba:
On Tue, 20 Feb 2018 17:06:32 +0100
Matthias Leopold <matthias.leopold@xxxxxxxxxxxxxxxx> wrote:



Am 2018-02-19 um 17:39 schrieb Rowland Penny via samba:
On Mon, 19 Feb 2018 17:03:31 +0100
Matthias Leopold via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi,

I'm trying to set up Samba 4.6 on CentOS 7.4 as a Domain Member of a
Windows 2012R2 Domain Controller with AD. To administer share
security I have to use the "username map" feature. This works when
I enumerate individual AD users there. When I want to use AD
groups it only works with "primary" groups. This way I can't use
the "Domain Admins" group from AD there, since the "primary" group
(unix style) of all AD users is "Domain Users".

I'm using the "rid" idmap backend, where I can't change Linux
primary group membership of AD users (in my experience). I know I
can change Linux primary group membership with the "ad" idmap
backend, but also only when using the Unix extensions in AD
(changing the Windows primary group has no effect and is deprecated
anyway). I want to avoid this and don't want to believe this is
necessary in the first place.

Some configuration details:

smb.conf:
security = ADS
passdb backend = tdbsam
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-999999
winbind enum users  = yes
winbind enum groups = yes
username map = /etc/samba/user.map

Is that your entire smb.conf ?


/etc/samba/user.map:
!root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"

I have never tried to map a group to a User, but in any case you
don't need to ;-)

You are using the 'rid' backend, so 'Domain Admins' gets a group
ID, or to put it another way, the underlying Unix OS knows who
'Domain Admins' is.
Have you read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

This is the documentation I have been following. I was trying to use
"acl_xattr:ignore system acls = yes" for the first time. This doesn't
seem to work (as I expected). When I use the default
"acl_xattr:ignore system acls = no" everything is fine and I don't
have to use a "username map".

thx
matthias


Hmm, bit of a catch-22 situation here: to use members of 'Domain
Admins' to set the ACLs on a share directory, the group for the share
directory must be 'Domain Admins', but if you tell Samba to ignore the
system ACLs, then 'Domain Admins' will not have permission on the
share.

I initially intuitively thought so too, but stubbornly (and stupidly) kept wondering why it "didn't work". Thanks for demonstrating a way to use "acl_xattr:ignore system acls = yes", but I'll stick to the default now; I don't have a real reason to change it.

Regards
Matthias
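The thread hinges on how a "username map" line such as `!root = "@MYDOMAIN\Domain Admins"` is evaluated: a `@group` entry on the right-hand side is checked against the Unix group database (which, on a domain member, is winbind's view of the AD group), quoted names keep their spaces, and the leading `!` stops further remapping once the line has matched. The following is an added illustration of those documented smb.conf(5) rules, not Samba's own parser and not code from anyone in this thread. The group database, map text and user names are constructed; the group lookup is injected so it runs without winbind; comma separators and case-insensitive name comparison are assumptions of the example.

```python
"""Evaluate a Samba-style 'username map' file as smb.conf(5) describes it.

Constructed illustration of the documented rules: '#'/';' comments,
"unixname = clientname ..." lines, "@group" entries matching any member
of a Unix group, '*' as a wildcard, double quotes around names containing
spaces, and a leading '!' that stops processing once the line has mapped
a name. This is NOT Samba's parser; the group lookup is injected so the
example runs offline without winbind.
"""
from typing import Callable, List, Tuple

Rule = Tuple[bool, str, List[str]]  # (stop_after_match, unix_name, client_names)


def split_names(s: str) -> List[str]:
    """Split the right-hand side on whitespace/commas, honouring double quotes.
    No backslash escaping, so 'MYDOMAIN\\Domain Admins' keeps its separator."""
    names, cur, in_quote = [], [], False
    for ch in s:
        if ch == '"':
            in_quote = not in_quote
        elif (ch.isspace() or ch == ",") and not in_quote:
            if cur:
                names.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if in_quote:
        raise ValueError(f"unbalanced quote in: {s!r}")
    if cur:
        names.append("".join(cur))
    return names


def parse_username_map(text: str) -> List[Rule]:
    """Turn map-file text into (stop, unix_name, client_names) rules."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        if "=" not in line:
            raise ValueError(f"malformed username map line: {raw!r}")
        unix_name, rhs = (part.strip() for part in line.split("=", 1))
        rules.append((stop, unix_name, split_names(rhs)))
    return rules


def map_username(rules: List[Rule], client_name: str,
                 in_unix_group: Callable[[str, str], bool]) -> str:
    """Return the Unix name a client name maps to (unchanged if nothing matches)."""
    name = client_name
    for stop, unix_name, patterns in rules:
        for pattern in patterns:
            if pattern == "*":
                hit = True
            elif pattern.startswith("@"):
                hit = in_unix_group(name, pattern[1:])  # membership as the OS sees it
            else:
                hit = pattern.lower() == name.lower()  # assumption: case-insensitive
            if hit:
                break
        else:
            continue  # no pattern on this line matched; try the next line
        name = unix_name
        if stop:
            break  # '!' stops further remapping of the already-mapped name
    return name


# Constructed group database standing in for what winbind would answer.
# 'alice' is a member of Domain Admins only as a supplementary group.
CONSTRUCTED_GROUPS = {
    "mydomain\\domain admins": {"mydomain\\alice"},
    "mydomain\\domain users": {"mydomain\\alice", "mydomain\\bob"},
}


def constructed_group_lookup(user: str, group: str) -> bool:
    return user.lower() in CONSTRUCTED_GROUPS.get(group.lower(), set())


# Constructed map file: the thread's rule followed by a catch-all line.
MAP_WITH_STOP = r"""
# members of the AD group become root; '!' keeps the catch-all from applying
!root = "@MYDOMAIN\Domain Admins"
nobody = *
"""
MAP_WITHOUT_STOP = MAP_WITH_STOP.replace("!root", "root")


def resolve(map_text: str, client_name: str) -> str:
    """Parse the map and resolve one client name against the constructed groups."""
    return map_username(parse_username_map(map_text), client_name, constructed_group_lookup)


if __name__ == "__main__":
    for user in ("MYDOMAIN\\alice", "MYDOMAIN\\bob"):
        print(user, "->", resolve(MAP_WITH_STOP, user),
              "| without '!':", resolve(MAP_WITHOUT_STOP, user))
```

Running it shows why the `!` matters: with it, alice (a Domain Admins member) resolves to root and bob falls through to the catch-all; without it, alice is first mapped to root and then remapped by the wildcard line. It also shows where the thread's symptom lives: a `@group` entry can only match if the group lookup (winbind, via the Unix group database) reports the user as a member, which is what the `getent group` output on the domain member has to be checked against.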
