Re: [Samba] samba winbind ignores local unix groups.

2011-03-31 Thread Volker Lendecke
On Mon, Mar 28, 2011 at 05:26:30PM +1300, s f wrote:
> Google as I might, I cannot find any recent discussions on solving this
> problem, many times asked, but no solutions have worked for me.

Try "username map script = /bin/echo".

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] samba winbind ignores local unix groups.

2011-03-28 Thread sf878787767676

Hi, thanks very much for your feedback.

I now have it working in my VirtualBox lab and will make the changes in
production shortly.


The trick was to rely on Kerberos only; thanks for the winbind tip, it was
confusing me horribly.
I disabled winbind and did more testing; now anyone who has authenticated
to AD, and is in a local Linux group for the share, can connect.


Thanks again,
Steve.



Re: [Samba] samba winbind ignores local unix groups.

2011-03-28 Thread Werner Durgarten
Hi,

 Original message 

> Why does samba+winbind ignore the local unix groups ?
> 
> I have joined my samba server to Windows AD.
> 
> I have configured a share with the values:
> [public_share]
> #Perms are 777
> path= /home/pub_share
> comment = Public_Share
> writable= yes
> create mask = 775
> directory mask  = 775
> browsable   = yes
> valid users = @adgroup
> 
> 
> If I use a group from Windows AD, there is no problem accessing the share,
> but we do not want to add / change groups in AD, we need to add users to
> our
> local /etc/groups as access to Windows AD is very limited and we would
> rather control things on the linux side, and use the single sign on from
> AD
> for the users.
> 

I am not the best expert the mailing list has to offer, but I think when you
are using AD and winbind you need group information locally and in AD + mapping
between AD and local groups - otherwise you will step into various problems.
Alternatives are (1) switching off winbind (then samba falls back to local
group information only) or (2) administer your local groups via AD RFC2307
schema extension + winbind + nsswitch.

hth

werner




[Samba] samba winbind ignores local unix groups.

2011-03-27 Thread s f
Hello everybody,

Google as I might, I cannot find any recent discussions on solving this
problem, many times asked, but no solutions have worked for me.

Synopsis of Details:
CentOS 5.5 64-bit,
samba3x-common-3.3.8-0.52.el5_5.2
samba3x-winbind-3.3.8-0.52.el5_5.2
Windows AD 2008.

As all the threads I find are quite old, hopefully things have changed, or
maybe I am wasting time and it is not possible? Please let me know if this
is the case.

Why does samba+winbind ignore the local unix groups?

I have joined my samba server to Windows AD.

I have configured a share with the values:
[public_share]
#Perms are 777
path= /home/pub_share
comment = Public_Share
writable= yes
create mask = 775
directory mask  = 775
browsable   = yes
valid users = @adgroup


If I use a group from Windows AD, there is no problem accessing the share,
but we do not want to add / change groups in AD, we need to add users to our
local /etc/groups as access to Windows AD is very limited and we would
rather control things on the linux side, and use the single sign on from AD
for the users.

If I change valid users to:
valid users = @linuxgroup

And create a user and add them to that group on the samba server, it does
not work, they can ssh into the machine using the local user password OR
their Win AD credentials via winbind, but not access the share via SMB.

id shows all groups the user belongs to in WinAD and /etc/group
getent passwd
getent group
wbinfo -g
wbinfo -u

All show the correct values I would expect.

Below are my configs if you need more info let me know, I have tried many
things including group maps, adding DOMAIN+user and various other things. If
you have a working SAMBA+AD+WINBIND+LOCALGROUPS I would love to know about
it!

Thanks,
Steve.

CONFIGURATION FILES:
#/etc/smb.conf
[global]
# General name options
log level = 2
workgroup   = 
netbios name= smb1

server string   = samba test server
idmap backend   = rid:=5000-1
idmap uid   = 1-1
idmap gid   = 1-1

security= ads
encrypt passwords   = yes

realm   = xxx
password server = xxx
os level= 10

# Winbind Stuff - Active Directory
winbind enum users  = yes
winbind enum groups = yes
winbind nested groups   = yes
winbind use default domain  = yes
winbind separator = +
template shell  = /bin/bash
template homedir= /home/%D/%U
obey pam restrictions   = yes

# Disabled printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# Extended ACL support
map acl inherit = no
nt acl support = no


[public_share]
path= /home/pub_share
comment = Public_Share
writable= yes
create mask = 775
directory mask  = 775
browsable   = yes
valid users = @linuxgroup
--

/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_smb_auth.so use_first_pass nolocal
auth        sufficient    pam_winbind.so use_first_pass auth krb5_ccache_type=FILE
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     required      pam_mkhomedir.so skel=/etc/skel umask=0022 silent
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
--


#nsswitch.conf
passwd: files winbind
shadow: files winbind
group:  files winbind
--
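The share line at the centre of this thread is `valid users = @linuxgroup`. The following is an added example, not code from the thread or from Samba itself: a small POSIX shell model of how smbd decides whether such an entry admits a user. It applies the prefix rules from smb.conf(5) (`@name` is tried as a NIS netgroup first, then as a UNIX group; `+name` is UNIX group only; `&name` is netgroup only; a bare name is a single user) to constructed passwd, group and netgroup tables embedded in the script. Real smbd asks libc/NSS for this data (in the poster's setup that is `files winbind`), so what `@linuxgroup` admits is exactly what `getent group linuxgroup` and the user's primary GID report; the tables, user names and GIDs below are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Samba list thread): model of how a
# "valid users" entry is resolved against NSS-style group data.
# All data below is constructed sample data.

# Constructed /etc/passwd-style rows (name:x:uid:gid:gecos:home:shell).
# "carol" belongs to linuxgroup only via her primary GID, which a check
# of the member list alone would miss.
PASSWD_DB='steve:x:1000:1000::/home/steve:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:2001::/home/carol:/bin/bash'

# Constructed /etc/group-style rows (name:x:gid:member,member).
GROUP_DB='root:x:0:
linuxgroup:x:2001:steve,alice
adgroup:x:10005:steve'

# Constructed NIS netgroup table flattened to "netgroup user user ...".
NETGROUP_DB='nisadmins bob'

# in_unix_group USER GROUP: true if GROUP is USER's primary group or USER
# appears in GROUP's member list (the two sources getgrouplist(3) merges).
in_unix_group() {
    _u=$1; _g=$2
    _gid=$(printf '%s\n' "$GROUP_DB" | awk -F: -v g="$_g" '$1 == g { print $3 }')
    [ -n "$_gid" ] || return 1          # no such UNIX group
    _pgid=$(printf '%s\n' "$PASSWD_DB" | awk -F: -v u="$_u" '$1 == u { print $4 }')
    if [ "$_pgid" = "$_gid" ]; then return 0; fi   # primary group match
    printf '%s\n' "$GROUP_DB" | awk -F: -v g="$_g" '$1 == g { print $4 }' \
        | tr ',' '\n' | grep -qx -- "$_u"
}

# in_netgroup USER NETGROUP: true if USER is listed under NETGROUP.
in_netgroup() {
    printf '%s\n' "$NETGROUP_DB" | awk -v g="$2" -v u="$1" '
        $1 == g { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# valid_user USER ENTRY: prints "allow" or "deny" for one valid users entry,
# following the @ / + / & prefix rules of smb.conf(5).
valid_user() {
    _user=$1; _entry=$2; _name=${_entry#?}
    case $_entry in
        @*)  if in_netgroup "$_user" "$_name" || in_unix_group "$_user" "$_name"
             then echo allow; else echo deny; fi ;;
        +*)  if in_unix_group "$_user" "$_name"; then echo allow; else echo deny; fi ;;
        \&*) if in_netgroup "$_user" "$_name"; then echo allow; else echo deny; fi ;;
        *)   if [ "$_user" = "$_entry" ]; then echo allow; else echo deny; fi ;;
    esac
}

# valid_users USER "ENTRY ENTRY ...": the share-level list is a union, so any
# matching entry admits the user.
valid_users() {
    for _e in $2; do
        if [ "$(valid_user "$1" "$_e")" = allow ]; then echo allow; return 0; fi
    done
    echo deny
}

# Demo: the poster's share line, "valid users = @linuxgroup".
for who in steve alice carol bob; do
    printf '%-6s @linuxgroup -> %s\n' "$who" "$(valid_user "$who" @linuxgroup)"
done
```

Run it as-is to see which constructed users the `@linuxgroup` entry admits; swap the embedded tables for the output of `getent passwd`, `getent group` and `getent netgroup` on a real server to check what the NSS stack is actually returning for a given group before blaming smbd.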