[Samba] Grant only one AD group to samba share ?
Newman, John W
2012-05-21 15:20:03 UTC
All,

On my ubuntu linux machine here, I already have samba set up and configured with winbind to perform authentication against the local windows domain controller. Thankfully that part is all working fine - that was supposed to be the hard part. The issue I have now is: I need to grant members of a certain AD group access to the share (this was supposed to be easy, but is not working).
sanity check of winbind (sample output):
$ wbinfo -g
MYDOMAIN\domain admins
MYDOMAIN\domain users
MYDOMAIN\my group
MYDOMAIN\my group2
Looks good. I need to grant all users in "my group" access to the share, all others shouldn't even see it.

[share]
comment = Testing
path = /media/share
guest ok = no
read only = yes
valid users = @"MYDOMAIN\My Group"
browseable = no
locking = no
If I put guest ok = yes, everything works fine. If I turn it to no, I get an authentication prompt. Answering it with invalid credentials comes back with "invalid user name or bad password", vs valid credentials says "access denied". So I know that the authentication with the domain controller is working fine, but limiting access to that group only is not.

The group name has a space in it which probably isn't helping. I have tried many different combinations, but nothing seems to work. What is the proper syntax for this? We have winbind separator=\ earlier in the config file -- is that part of the problem maybe?
valid users = @"MYDOMAIN\My Group"
valid users = "@MYDOMAIN\My Group"
valid users = "MYDOMAIN\My Group"
etc
nothing seems to work. My methodology for testing this is fine: as soon as I put guest ok = yes, the share still works. What's the right syntax for valid users = "My Domain\My Group"? Any thoughts?
Thanks,
John
steve
2012-05-21 15:57:00 UTC
Hi
You don't really need smb.conf to get a group-only entry.

Just have smb.conf with:

[share]
comment = Testing
path = /media/share

read only = No

chgrp My\ Group /media/share
chmod 0770 /media/share
chmod g+s /media/share
setfacl -d -Rm g::rw /media/share

Now, only members of My Group can get into the share, no matter what you
have in smb.conf. Once inside, any files created therein become group rw
for My Group members.

HTH
Steve
Newman, John W
2012-05-21 19:42:35 UTC
Thanks for the suggestion, but .. that doesn't work ...


chgrp My\ Group /media/share
chgrp: invalid group: `My Group'


"My Group" is a windows AD group, not a local linux group. The machine is "joined" to the windows domain through "net ads join", but I don't think the security is that tightly integrated. I don't have windows groups mapped to linux groups I've created or anything like that. chgrp is expecting a linux group. Right?

Probably I am missing something, or you guys need more information. Any thoughts?


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Newman, John W
2012-05-21 20:42:52 UTC
OK, I definitely am missing something. the group IDs do seem to work somewhat, but perhaps I just have the wrong syntax. I keep going back to these two lines that he put there a long time ago:


winbind separator = \\
winbind use default domain = yes


I see others using & or % or @ ...


wbinfo -Y $(wbinfo -n "`wbinfo -g | grep Group`" | cut -d " " -f 1)
10005

so the SID mapping is somehow happening. It's weird though as each time I call that with a different group name, the 10000 number just goes up by one. Like it is making up the unix IDs as it goes and perhaps something isn't set right. Shouldn't all of the AD groups be tied to a unix ID automatically, and not just making them up one at a time?

Anyway, I'm not sure if that relates to my real problem here or not. I understand the nix security model pretty well ... windows not so much .. and bringing windows permissions into a nix machine, not at all!! :D This was all set up by another dev who is no longer in our department, I am trying to make sense of it and enhance it.

Steve's suggestion below is probably correct to set the permissions on the share how I need, but what am I missing to get that chgrp command to work right?

Thanks

Dale Schroeder
2012-05-21 21:36:37 UTC
Post by Newman, John W
winbind separator = \\
If this separator is in effect, then
valid users = @"MYDOMAIN\\My Group"

Or change to
winbind separator = \

Dale
steve
2012-05-22 08:59:03 UTC
Post by Newman, John W
Thanks for the suggestion, but .. that doesn't work ...
chgrp My\ Group /media/share
chgrp: invalid group: `My Group'
"My Group" is a windows AD group, not a local linux group. The machine
is "joined" to the windows domain through "net ads join", but I don't
think the security is that tightly integrated. I don't have windows
groups mapped to linux groups I've created or anything like that.
chgrp is expecting a linux group. Right?
Probably I am missing something, or you guys need more information.
Any thoughts?
Hi
Sorry. I forgot about winbind (we use nss-pam-ldapd). With winbind
running that should read:

chgrp MYDOMAIN\\My\ Group /media/share

Cheers,
Steve
Newman, John W
2012-05-22 18:01:14 UTC
Thanks..

Unfortunately neither suggestion worked

chgrp still just says "invalid group"

valid users = @"DOMAIN\\My Group" behaves the same as I described in the OP. Valid credentials = access denied ; invalid credentials = invalid name or bad password. I already tried all sorts of things in valid users, but nothing is the magic string I need.

Any other ideas?

Thanks for the help so far, much appreciated!!

Dale Schroeder
2012-05-22 18:50:37 UTC
A few questions that might narrow things -

Which version of Samba are you using?
What does the idmap backend configuration for winbind look like?
Does testparm yield any errors?
Do getent group and wbinfo -g return the expected results?
Are nsswitch.conf and PAM configured for authentication?
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3502441/Join-Linux-to-Active-Directory-With-Winbind.htm
Newman, John W
2012-05-22 20:17:52 UTC
Post by Dale Schroeder
Which version of Samba are you using?
Samba version 3.5.11
Post by Dale Schroeder
What does the idmap backend configuration for winbind look like?
Well.. I'm not really sure what that is (I inherited this project). In smb.conf all he has here is: idmap uid = 10000-20000 idmap gid=10000-20000 .... I don't see idmap backend = set at all in here. That is probably a big part of the problem isn't it?
Post by Dale Schroeder
Does testparm yield any errors?
ERROR: the 'winbind separator' parameter must be a single character. Hmm.. I just changed that to a single \ , and our existing authentication service still works fine, but the share behaves no differently. The extra \ was probably in error from this file being edited with sed.
Post by Dale Schroeder
Do getent group and wbinfo -g return the expected results?
getent group shows all of the local linux groups on this machine - no AD groups. Is that expected?
wbinfo -g shows the windows groups fine; the only thing that's odd is all of the groups on this domain show in lower case. They may or may not be that way in their AD, I can't see for sure. (We are forcing a linux machine into someone's windows network.... )
Post by Dale Schroeder
Are nsswitch.conf and PAM configured for authentication?
For what kind of authentication? /etc/nsswitch and /etc/pam/* are untouched from the defaults.

All that has really been setup so far is an apache service that uses mod_auth_ntlm_winbind to authenticate users of a webpage to their DC. We are now trying to expand that samba/winbind stack over into sharing a folder. So, we probably do need to look at modifying those files, and id mapping, to have a samba share authenticate against the DC. Right? For some reason I figured this part would just work since the join already happened.

Thanks again!


Dale Schroeder
2012-05-22 20:53:08 UTC
Post by Newman, John W
Post by Dale Schroeder
Which version of Samba are you using?
Samba version 3.5.11
Post by Dale Schroeder
What does the idmap backend configuration for winbind look like?
Well.. I'm not really sure what that is (I inherited this project). In smb.conf all he has here is: idmap uid = 10000-20000 idmap gid=10000-20000 .... I don't see idmap backend = set at all in here. That is probably a big part of the problem isn't it?
It would be using the default tdb backend. You could do a testparm -sv
and grep for idmap and winbind to see all the parameters that are
available. Better still, if you have SWAT and samba-doc installed, you
can easily see the options available for each parameter.
Post by Newman, John W
Post by Dale Schroeder
Does testparm yield any errors?
ERROR: the 'winbind separator' parameter must be a single character. Hmm.. I just changed that to a single \ , and our existing authentication service still works fine, but the share behaves no differently. The extra \ was probably in error from this file being edited with sed.
Post by Dale Schroeder
Do getent group and wbinfo -g return the expected results?
getent group shows all of the local linux groups on this machine - no AD groups. Is that expected?
If you have winbind enum groups = Yes, then they should show, otherwise
not. Domains with large numbers of users usually leave this as No (also
winbind enum users).
Post by Newman, John W
wbinfo -g shows the windows groups fine, the only thing that's odd is is all of the groups on this domain show in lower case.
That's normal for winbind.
Post by Newman, John W
They may or may not be that way in their AD, I can't see for sure. (We are forcing a linux machine into someones windows network.... )
Post by Dale Schroeder
Are nsswitch.conf and PAM configured for authentication?
For what kind of authentication? /etc/nsswitch and /etc/pam/* are untouched from the defaults.
In nsswitch.conf, you will need to add winbind to the passwd and group
entries. The article I previously linked (below) has an example PAM
config (/etc/pam.d/login) for winbind.
For completeness, you might also want to look at this:
http://www.enterprisenetworkingplanet.com/netos/article.php/3487081/Join-Samba-3-to-Your--Active-Directory-Domain.htm
Post by Newman, John W
All that has really been setup so far is an apache service that uses mod_auth_ntlm_winbind to authenticate users of a webpage to their DC. We are now trying to expand that samba/winbind stack over into sharing a folder. So, we probably do need to look at modifying those files, and id mapping, to have a samba share authenticate against the DC. Right? For some reason I figured this part would just work since the join already happened.
A domain can be joined without winbind, but there are steps to take to
actually use it.
steve
2012-05-23 09:41:21 UTC
Post by Newman, John W
Thanks..
Unfortunately neither suggestion worked
chgrp still just says "invalid group"
"invalid group", even though it shows up in wbinfo -g and getent group
says a lot about winbind.
Post by Newman, John W
the OP. Valid credentials = access denied ; invalid credentials =
invalid name or bad password. I already tried all sorts of things in
valid users, but nothing is the magic string I need.
Any other ideas?
Hi
I realise that you may be stuck with winbind as you inherited the
project, but it has to be said that it really is, even these days,
shrouded in mystery and inflexible enough to make us have to switch.
To have to suffer this to get a rw share is just too much!

We have never looked back since switching to libnss-ldapd. For someone
at your level, it's a doddle to setup and you get one to one gid:uid
mappings _every_ time. We have a howto we can send off list if you get
fed up. It's for Samba4 though.
Cheers,
Steve
NdK
2012-05-23 20:27:55 UTC
Post by Newman, John W
Well.. I'm not really sure what that is (I inherited this project). In smb.conf all he has here is: idmap uid = 10000-20000 idmap gid=10000-20000 .... I don't see idmap backend = set at all in here. That is probably a big part of the problem isn't it?
If you have to keep a consistent uid and gid mapping (not really needed,
unless you use NFS, I think), use another idmap backend. I used RID that
applies a simple formula to the SID to obtain uid and gid consistent
across all the clients accessing an NFS server.
Post by Newman, John W
Post by Dale Schroeder
Are nsswitch.conf and PAM configured for authentication?
For what kind of authentication? /etc/nsswitch and /etc/pam/* are untouched from the defaults.
Edit /etc/nsswitch.conf to include winbind as data source for both
passwd and group info. Once you've done this, you'll be able to use AD
names as standard *nix names, and the reverse mapping will automatically
happen (like when doing an "ls -l").
If you don't do that, you'll keep getting "unknown group".

PS: I prefer to keep "normalize names", that makes AD names lowercase
and replaces spaces with underscores. This is my winbind-related part of
smb.conf:

# Big dir -- I must disable enums. If your dir is small, enable 'em!
winbind enum users = No
winbind enum groups = No
# Allow logon even if network isn't available
winbind offline logon = Yes
# Deep-resolve groups (heavy and slow!)
winbind nested groups = Yes
# *nix-friendly names
winbind normalize names = Yes
winbind refresh tickets = Yes
winbind use default domain = yes
winbind uid = 10000-99999
winbind gid = 10000-99999

idmap domains = PERSONALE STUDENTI
idmap config PERSONALE:backend = rid
idmap config PERSONALE:base_rid = 500
idmap config PERSONALE:range = 100000 - 49999999
idmap config STUDENTI:backend = rid
idmap config STUDENTI:base_rid = 500
idmap config STUDENTI:range = 50000000 - 99999999

BYtE,
Diego.
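Added example, not code from the thread: a small model of the two idmap backends discussed above, showing why John's tdb-backed setup hands out 10005, 10006, ... in lookup order while Diego's rid backend derives the same ID from the SID on every host (ID = RID - base_rid + low_range, as man idmap_rid documents). The SIDs are constructed sample values, and normalize_name assumes "winbind use default domain = yes" so names carry no domain prefix.

```python
"""
Model of winbind's tdb and rid idmap backends (illustration, not Samba code).

  tdb: the next free ID in the "idmap gid" range is allocated the first time
       winbind sees a SID, so the mapping depends on lookup order per host.
  rid: ID = RID - base_rid + low_range, so identical smb.conf gives identical
       IDs everywhere without shared state (what NFS-consistent IDs need).
"""
import re

# Constructed sample domain SIDs; only the trailing RID matters for idmap_rid.
SAMPLE_SIDS = {
    "domain admins": "S-1-5-21-1111111111-2222222222-3333333333-512",
    "domain users":  "S-1-5-21-1111111111-2222222222-3333333333-513",
    "my group":      "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "my group2":     "S-1-5-21-1111111111-2222222222-3333333333-1106",
}

SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def rid_of(sid):
    """Return the relative identifier (last component) of a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    return int(m.group(1))


class RidBackend:
    """Deterministic mapping, mirrors 'idmap config DOM:backend = rid'."""

    def __init__(self, base_rid, low, high):
        self.base_rid, self.low, self.high = base_rid, low, high

    def unix_id(self, sid):
        rid = rid_of(sid)
        uid = rid - self.base_rid + self.low
        if not self.low <= uid <= self.high:
            raise ValueError("RID %d maps outside range %d-%d"
                             % (rid, self.low, self.high))
        return uid


class TdbBackend:
    """Default backend: allocate the next free ID the first time a SID is seen."""

    def __init__(self, low, high):
        self.low, self.high = low, high
        self.next_id = low
        self.table = {}  # stands in for winbindd_idmap.tdb

    def unix_id(self, sid):
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def normalize_name(name):
    """'winbind normalize names = Yes': lowercase, spaces become underscores."""
    return name.lower().replace(" ", "_")


def map_groups(backend, sids=SAMPLE_SIDS):
    """Resolve every sample group to (normalized name -> Unix gid)."""
    return {normalize_name(n): backend.unix_id(s) for n, s in sids.items()}


if __name__ == "__main__":
    rid = RidBackend(base_rid=500, low=100000, high=49999999)  # Diego's PERSONALE config
    tdb = TdbBackend(low=10000, high=20000)                    # John's idmap gid range
    for name, sid in SAMPLE_SIDS.items():
        print("%-16s rid=%-9d tdb=%d" % (normalize_name(name),
                                          rid.unix_id(sid), tdb.unix_id(sid)))
```

Run the script twice with the lookups in a different order and the tdb column changes while the rid column does not; that is the consistency Diego refers to.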
