Discussion:
Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)
Thomas Burger
2015-01-13 09:02:42 UTC
Hello all,

after spending the last days fighting and researching I hope someone can
point me to a solution here.

Even though I have been using Debian / Ubuntu for years, I wouldn't consider
myself a Linux professional. I have some experience though.

What I try to accomplish:
- Centrally administrated groups for file services. Right now it is only
one server but there will be more.

Setup:
- System 1: Ubuntu 14.04 LTS as Active Directory Controller with Samba
4.1 (Sernet package)
- System 2: Ubuntu 14.04 LTS as Member server.

What works:
- DNS & NTP
- Kerberos integration via Keytab file. SSSD 1.11.5 uses "id_provider =
ad" for this.
- getting AD members and groups via getent passwd and getent group
- Authentication with a domain user on "System 2" via SSH
- Authentication on Samba instance "Server 2" via AD-Users.
- getfacl / setfacl setting with domain object names.

My issue:
Authorization is not working. For example:
- Write list / read list / valid users options in smb.conf are not
honored. Either I have all users being able to access everything or they
can login to the server but if accessing the share this will fail.
- Skipped the samba authorization and moved this to the filesystem
level. Setting the acl to the appropriate AD groups with the appropriate
level results in the same issue. I am also getting an "access denied" if I
try to access the folder from within the SSH-session of an AD user. The
user is in the group though.

My guesses:
Option 1: Somehow groups populated through SSSD are not being used for
authorization. Neither for Samba share definition nor for the filesystem.
I recognized that the IDs of "objects" coming from the AD are very high like
User: guest:*:1994200501:1994200514:Guest:/:
Group: domain admins:*:1994200512:administrator

Option 2: in samba logs I can see that the user authenticates with a
"primary" group id but I am missing the "other groups". Is that expected?
[2015/01/12 22:23:51.235050, 2]
../source3/smbd/service.c:848(make_connection_snum)
workstation (ipv4:x.y.z.y:63206) connect to service share1 initially
as user >myuser< (uid=1994201119, gid=1994200513) (pid 1790)
ID reflects the domain users: domain users:*:1994200513:


My Questions:
Why is it not working? Do I have a conceptual issue?
If it is related to the IDs, how can I "lower" them? ID-Mapping is
active already.

I also tried an installation with winbind but the situation stayed the
same. After that the system was reinstalled to ensure that everything
is cleaned up properly.

Any help is greatly appreciated!

Thomas



KRB5 conf:
[libdefaults]
default_realm = MYDOMAIN.DE
dns_lookup_realm = false
dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]
MYDOMAIN.DE = {
kdc = DC
admin_server = DC
}
[domain_realm]
.mydomain.de = MYDOMAIN.DE

[login]
krb4_convert = true
krb4_get_tickets = false

sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = mydomain.de

[nss]

[pam]

[domain/mydomain.de]
id_provider = ad
access_provider = ad
ad_hostname = dc.mydomain.de
ad_server = dc.mydomain.de
ad_domain = mydomain.de
enumerate = true
krb5_keytab=/etc/krb5.sssd.keytab

smb.conf
[global]
#### GLOBAL SETTINGS
netbios name = SERVER2
server string = SERVER2
workgroup = MYDOMAIN
realm = MYDOMAIN.DE
server role = MEMBER SERVER

#### SECURITY SETTINGS
security = ads
allow trusted domains = Yes
map untrusted to domain = Yes
encrypt passwords = yes
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2

#### SERVER SETTINGS
dns proxy = yes
domain master = no
local master = no
preferred master = no
os level = 0
follow symlinks = yes
veto files = /.DS_Store/Thumbs.db/thumbs.db/
server min protocol = SMB2
server max protocol = SMB3

#### PRINTING
disable spoolss = yes
load printers = no
idmap_ldb:use rfc2307 = yes

#### LOGGING
log level = 2
username level = 3
log file = /var/log/samba/log.%m
max log size = 50
syslog only = no
syslog = 2
panic action = /usr/share/samba/panic-action %d

######## SHARES
[share1]
path = /share/share1
browsable = yes
read only = no
guest ok = no
# The access control is configured on the file system level.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://li
Hans-Kristian Bakke
2015-01-14 17:03:04 UTC
sssd-ad can't provide proper ID-mapping for internal Samba fileserver
use until sssd 1.12 where the following functionality was introduced:

* SSSD provides an ID-mapping plugin for cifs-utils so that Windows
SIDs can be mapped onto POSIX IDs and/or names without requiring
Winbind and using the same code as the SSSD uses for identity
information.

Hence you have to have winbind installed and set up for samba
fileserver use in sssd < 1.12.X. You should not install libpam-winbind
and libnss-winbind, as you will still use sssd-ad for all
authentication purposes in the system. Winbind is there only to
resolve Windows SIDs for Samba fileserver purposes.

This should be sufficient:
---
apt-get install winbind
---

And something like this added to your samba config (from my own):
---
# Winbind configuration. Remove winbind when sssd-ad 1.12.1
# arrives in jessie
winbind cache time = 300
winbind enum users = no
winbind enum groups = no
winbind expand groups = 5
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = no
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 300000-499999
---

Since you really have to have identical ID-mapping in both sssd-ad and
winbind there is really no good way to do that other than using
centrally stored rfc2307 properties in AD. To use this in sssd-ad you
also have to have this in your sssd.conf in your domain section:
----
ldap_id_mapping = false
----

I made a powershell script to automatically add all the properties to
AD for everything.

Hope this was of some help for you.

Regards,
Hans-Kristian
Ashish Yadav
2015-01-15 04:58:17 UTC
Hi,
I have set up the Ubuntu 12.04.5 client using Winbind and lowered the
uid and gid mapping so that it is easy to handle.

My smb.conf is like this,

workgroup = INTRA
security = ADS
realm = INTRA.EXAMPLE.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h
template homedir = /home/%U
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind normalize names = Yes
idmap config * : backend = rid
idmap uid = 5000-4000000000
idmap gid = 5000-4000000000

After that join the Domain using "net ads join -U <Domain Admin>".

Then restart "Samba and winbind services".

After that make changes into nsswitch.conf so that it should look like,

passwd: compat winbind
group: compat winbind

After that "id <Domain User>" should work and uid/gid should be showing
a lower number.


--Regards
Ashishkumar S. Yadav
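Why the same AD group ends up with different POSIX IDs depending on which mapper is asked, worked through with the numbers from Thomas' getent output and Ashish's rid configuration. This is an added example, not code from the thread; it assumes SSSD's algorithmic mapping is slice_base + RID (with SSSD's default slice size of 200000), that winbind's idmap_rid backend is range_low + RID, and that an rfc2307 ID stored in AD is used verbatim by both when they are configured to read it.

```python
"""
Why one AD group shows up with different POSIX IDs under different mappers.

Added example, not code from the thread. Labelled assumptions:
 - SSSD (id_provider = ad with the default ldap_id_mapping = true) gives each
   domain a slice of IDs and maps RID -> slice_base + RID. The slice base is
   recovered here from the thread's own output (Domain Users, RID 513,
   appears as gid 1994200513); the domain SID itself is not in the thread.
 - winbind's idmap_rid backend (Ashish's config) maps RID -> range_low + RID.
 - An rfc2307 uidNumber/gidNumber stored in AD is used verbatim by both,
   which is why the thread converges on storing the IDs in AD.
"""
import re

# Well-known RIDs of the objects visible in Thomas' getent output.
WELL_KNOWN_RIDS = {"guest": 501, "domain admins": 512, "domain users": 513}

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_of(sid):
    """Relative identifier of a domain SID (its last component)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %s" % sid)
    return int(m.group(1))


def sssd_slice_base(observed_id, rid, slice_size=200000):
    """Recover SSSD's slice base from one observed ID. slice_size is SSSD's
    default ldap_idmap_range_size (assumption); the base must be a multiple
    of it, which doubles as a sanity check on the observation."""
    base = observed_id - rid
    if base <= 0 or base % slice_size:
        raise ValueError("%d does not look like slice_base + RID" % observed_id)
    return base


def sssd_id(rid, slice_base):
    return slice_base + rid


def winbind_rid_id(rid, range_low):
    return range_low + rid


def compare(rids, slice_base, range_low, rfc2307=None):
    """For each name -> RID, return the ID each mapper would hand out and
    whether they agree. rfc2307 maps name -> ID stored in AD, modelling
    sssd with ldap_id_mapping = false and winbind with backend = ad."""
    rfc2307 = rfc2307 or {}
    out = {}
    for name, rid in rids.items():
        stored = rfc2307.get(name)
        s = stored if stored is not None else sssd_id(rid, slice_base)
        w = stored if stored is not None else winbind_rid_id(rid, range_low)
        out[name] = {"sssd": s, "winbind": w, "consistent": s == w}
    return out


if __name__ == "__main__":
    base = sssd_slice_base(1994200513, WELL_KNOWN_RIDS["domain users"])
    for name, r in compare(WELL_KNOWN_RIDS, base, 5000).items():
        print(name, r)
    # With an rfc2307 gidNumber stored in AD, both mappers return the same ID.
    print(compare(WELL_KNOWN_RIDS, base, 5000, {"domain users": 300513}))
```

The recovered slice base (1994200000) also explains the other IDs in the post: guest (RID 501) becomes 1994200501 and Domain Admins (RID 512) becomes 1994200512, and the uid 1994201119 in the smbd log is simply RID 1119 in the same slice.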
Peter Serbe
2015-01-15 08:52:03 UTC
...
Post by Thomas Burger
- getfacl / setfacl setting with domain object names.
- Write list / read list / valid users options in smb.conf are not
honored.
...
Post by Thomas Burger
- Skipped the samba authorization and moved this to the filesystem level.
Set the acl to the appropriate AD groups with the appropriate level results
in the same issue.
This is not normal. Have You declared the RFC2307 unix attributes?
I do this (on my home network, but anyway, I have different users
with different privileges) and it works great.

If You absolutely don't want to use RFC2307, then You have to check
that all the users and groups have the same IDs on all Your servers
(even though there are only two at the moment). This might work with
Winbind, too, but You have to do some configuration, too (too complicated
for me, I am also not an expert).

If You start using RFC2307*) you should add the Unix ID during the
creation of the user when You use samba-tool. You could also add
the Unix ID from windows, but then You have to do it for every single
user by hand. I guess doing it by hand for the groups would be OK,
but not for the users - at least if You got hundreds of them. ;-)

Best regards
Peter



*) do a new provisioning if possible, You can also fiddle the attributes
into an existing domain, but You have to manipulate the LDB database,
and this is not exactly fun
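Hans-Kristian's advice to store rfc2307 IDs centrally in AD and Peter's point that adding them by hand does not scale both come down to assigning uidNumber/gidNumber to existing objects. The following is an added example (not Hans-Kristian's PowerShell script and not samba-tool) that allocates IDs from the winbind range quoted in the thread and emits reviewable LDIF; the entries, DNs, home directories and shells are constructed placeholders, and it assumes winbind ignores a stored ID that lies outside its configured range, so such IDs are reported and reassigned.

```python
"""
Give AD users and groups rfc2307 uidNumber/gidNumber values as reviewable
LDIF, so SSSD (ldap_id_mapping = false) and winbind (backend = ad) both read
the same IDs from the directory.

Added example. Assumptions (labelled): entries below are constructed; the
range is the 'idmap config MYDOMAIN : range = 300000-499999' from the thread;
winbind ignores stored IDs outside its range, so those are treated as unset;
home directory and shell values are placeholders.
"""
RANGE_LOW, RANGE_HIGH = 300000, 499999
PRIMARY_GROUP = "CN=Domain Users,CN=Users,DC=mydomain,DC=de"  # RID 513 object

# Constructed sample: (dn, kind, id already stored in AD or None)
ENTRIES = [
    (PRIMARY_GROUP, "group", None),
    ("CN=Domain Admins,CN=Users,DC=mydomain,DC=de", "group", None),
    ("CN=myuser,CN=Users,DC=mydomain,DC=de", "user", None),
    ("CN=olduser,CN=Users,DC=mydomain,DC=de", "user", 300005),     # keep
    ("CN=stray,CN=Users,DC=mydomain,DC=de", "user", 1994201120),  # out of range
]


def in_range(n, low=RANGE_LOW, high=RANGE_HIGH):
    return n is not None and low <= n <= high


def allocate(entries, low=RANGE_LOW, high=RANGE_HIGH):
    """Return (assignments {dn: id}, problems [(dn, bad_id)]).
    Stored in-range IDs are kept; everything else gets the next free ID.
    uidNumber and gidNumber are separate POSIX namespaces, but one shared
    pool avoids accidental user/group collisions and keeps auditing simple."""
    used = {e[2] for e in entries if in_range(e[2], low, high)}
    assignments, problems, nxt = {}, [], low
    for dn, _kind, stored in entries:
        if in_range(stored, low, high):
            assignments[dn] = stored
            continue
        if stored is not None:
            problems.append((dn, stored))   # winbind would not honour this one
        while nxt in used:
            nxt += 1
        if nxt > high:
            raise RuntimeError("idmap range exhausted at %s" % dn)
        assignments[dn] = nxt
        used.add(nxt)
    return assignments, problems


def to_ldif(entries, assignments, primary_group=PRIMARY_GROUP):
    """LDIF for ldbmodify -H /var/lib/samba/private/sam.ldb on the DC (or
    ldapmodify); users also get gidNumber = the primary group's gidNumber,
    matching the gid=513 primary group seen in the smbd log."""
    gid = assignments[primary_group]
    out = []
    for dn, kind, _ in entries:
        attrs = [("gidNumber", assignments[dn])] if kind == "group" else [
            ("uidNumber", assignments[dn]), ("gidNumber", gid),
            ("unixHomeDirectory", "/home/" + dn.split(",")[0][3:]),  # placeholder
            ("loginShell", "/bin/bash")]                               # placeholder
        body = "".join("replace: %s\n%s: %s\n-\n" % (a, a, v) for a, v in attrs)
        out.append("dn: %s\nchangetype: modify\n%s" % (dn, body))
    return "\n".join(out)


if __name__ == "__main__":
    ids, bad = allocate(ENTRIES)
    for dn, old in bad:
        print("# reassigned %s: %d outside %d-%d" % (dn, old, RANGE_LOW, RANGE_HIGH))
    print(to_ldif(ENTRIES, ids))
```

Review the generated LDIF before applying it, and apply the same range on every member server's winbind and SSSD configuration, since a server with a different range would ignore the stored values.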
Thomas Burger
2015-01-15 20:52:17 UTC
First thank you Peter, Ashishkumar and Hans-Kristian for your hints. I
will test them on weekend and report results.
Post by Peter Serbe
Post by Thomas Burger
This is not normal. Have You declared the RFC2307 unix attributes?
Is it working like described in the following article?
https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC

I was not aware that I need to do this since I am not using a Microsoft AD.
Provisioning a new AD forest is not comfortable but not a big issue either
because my environment is anything but large yet.

Everybody have a good one
Thomas
Rowland Penny
2015-01-15 21:00:45 UTC
Post by Peter Serbe
Post by Thomas Burger
This is not normal. Have You declared the RFC2307 unix attributes?
Is it working like described in the following article?
https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
I was not aware that I need to do this since I am not using a
Microsoft AD.
For samba4 active directory, read microsoft AD, so you don't have to
provision anything else, you just need to learn how to properly use what
you already have.

Rowland
Peter Serbe
2015-01-16 15:01:47 UTC
Rowland Penny wrote on 15.01.2015 22:00:

[RFC2307]
Post by Rowland Penny
For samba4 active directory, read microsoft AD, so you don't have to
provision anything else, you just need to learn how to properly use what
you already have.
Rowland
Rowland is right, of course. But(!) things might be simpler with the
RFC2307 attributes.

Without the attributes You need to set the permissions from windows.
So first all the users could read/write/see everything. Then You
would set the attributes on Windows to restrict things to Your liking.

With the RFC2307 attributes You can use ACLs directly on the file system.
You might also be able to use the ACLs without RFC2307, but there might
be inconsistencies between the different servers. But in the end, both
options will do pretty much the same.

It might be possible to have Winbind do the job. Once I tried that, but
most likely due to a personal lack of experience I did not succeed.
I managed to do it using the RFC2307 attributes anyway. If You have
enough time, I'd give it a try. IIRC You did set up sssd, which makes
good use of RFC2307.

Best regards
Peter