Samba Question - AD authentication to shares

I’m trying to set up a samba share that is authenticated through Active Directory using winbind.

So far I have things pretty much configured and winbind is working but I just don’t fully understand the mapping of AD groups to local SUSE groups. I’m using winbind nested groups, idmap backend = tdb

In AD I have group WebdevAD
In SUSE I have a group webdevsuse

Folder in SUSE: drwxrwx--- root webdevsuse … testfolder

So I’m sharing out the testfolder in samba

[testfolder]
comment = test share
path = /testfolder
read only = No
acl group control = Yes
inherit acls = Yes
browsable = yes

This share is visible on windows 7 clients at this point, just not accessible. If I make the other/world section r-x then anyone can read the contents of the share but can’t modify or add anything to it.

Now from the information I’ve been reading samba has its own groups in the tdb database. If you were to open computer manager on a windows client and connect to the samba system it will show you the accounts and groups within it. You can add groups and assign AD user and groups to this group but the group is not a part of the suse groups. It’s not in the /etc/groups file.

So in Samba I have a group WebDev with the AD group WebdevAD as a member.

So at this point there is an AD group as a member of a Samba group but with no link to the SUSE group assigned permissions on the testfolder.

It seems that I might be going about this the wrong way or I’m missing a step somewhere. I have tried to map the samba group to the SUSE group webdevsuse but it just destroyed the mapping to the AD group and rewrote the mapping.

I’m confused on how this is all linked together. Any help would be greatly appreciated.

Thank you

Hi cisaksen,

[QUOTE=cisaksen;15130]I’m trying to set up a samba share that is authenticated through Active Directory using winbind.

So far I have things pretty much configured and winbind is working but I just don’t fully understand the mapping of AD groups to local SUSE groups. I’m using winbind nested groups, idmap backend = tdb

In AD I have group WebdevAD
In SUSE I have a group webdevsuse

Folder in SUSE: drwxrwx--- root webdevsuse … testfolder

So I’m sharing out the testfolder in samba

[testfolder]
comment = test share
path = /testfolder
read only = No
acl group control = Yes
inherit acls = Yes
browsable = yes

This share is visible on windows 7 clients at this point, just not accessible. If I make the other/world section r-x then anyone can read the contents of the share but can’t modify or add anything to it.

Now from the information I’ve been reading samba has its own groups in the tdb database. If you were to open computer manager on a windows client and connect to the samba system it will show you the accounts and groups within it. You can add groups and assign AD user and groups to this group but the group is not a part of the suse groups. It’s not in the /etc/groups file.

So in Samba I have a group WebDev with the AD group WebdevAD as a member.

So at this point there is an AD group as a member of a Samba group but with no link to the SUSE group assigned permissions on the testfolder.

It seems that I might be going about this the wrong way or I’m missing a step somewhere. I have tried to map the samba group to the SUSE group webdevsuse but it just destroyed the mapping to the AD group and rewrote the mapping.

I’m confused on how this is all linked together. Any help would be greatly appreciated.

Thank you[/QUOTE]

The mappings are configured on the CLI via “net groupmap” invocations. You can check your current mappings via “net groupmap list”; the last value per line tells you the name (or GID number) of the Linux group to which the Samba group is mapped.

What you should see there is a mapping of your Samba group WebDev plus its SID to some Linux group - is that the case, and if yes, is it the expected one?

From what I recall,

net groupmap add ntgroup="WebDev" unixgroup=webdevsuse type=l

should add the required mapping to your Samba setup (I’m not sure about “type=l”(ocal), you just said you had a “SAMBA group”. If it is a domain group, too, then it’s “type=d”(omain) ).

Winbindd should be able to handle foreign SIDs, too - if the above mapping doesn’t help, how about mapping WebdevAD to webdevsuse? If it is foreign at all… is the SAMBA server configured as a member server of the AD domain?

Regards,
Jens
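The check Jens describes, as an added example (this is not code posted by cisaksen or Jens, and not part of Samba itself): it parses the output of "net groupmap list" to see whether a Samba group already maps to the expected Linux group, and only then decides between "net groupmap add" (no mapping yet) and "net groupmap modify" (mapping points at the wrong group), so the existing mapping is not blindly rewritten. It also checks that the Linux group exists in NSS before any mapping is attempted, since a mapping to a nonexistent group is what leaves the directory's group permissions ineffective and tempts one into widening "other" to r-x, which grants read access to every user the server knows about. The group names, SIDs and the sample listing are constructed placeholders; a real listing is used when the "net" command is present.

```shell
#!/bin/sh
# Added example for this thread (not code from cisaksen, Jens or the Samba
# project): inspect the Samba-group -> Linux-group mapping as "net groupmap
# list" reports it and plan the right "net groupmap" command.

# Constructed sample of "net groupmap list" output, one mapping per line:
#   <Samba group> (<SID>) -> <Linux group name or GID>
# The SIDs are placeholders. WebDev is mapped to a bare GID that no Linux
# group resolves, which matches the symptom in the thread: members of WebDev
# never become members of webdevsuse, so the directory permissions never apply.
SAMPLE_GROUPMAP_LIST='Domain Admins (S-1-5-21-111-222-333-512) -> root
WebDev (S-1-5-21-111-222-333-1001) -> 10001
Domain Users (S-1-5-21-111-222-333-513) -> users'

# Print the Linux group (last field) that Samba group $1 is mapped to in the
# listing $2. Exit 1 when the Samba group has no mapping at all.
mapped_unix_group() {
    printf '%s\n' "$2" | awk -v name="$1" '
        index($0, name " (") == 1 { print $NF; found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Classify the mapping of Samba group $1 against the expected Linux group $2
# using listing $3: prints "ok", "missing", or "wrong:<current target>".
groupmap_status() {
    actual=$(mapped_unix_group "$1" "$3") || { echo missing; return 0; }
    if [ "$actual" = "$2" ]; then
        echo ok
    else
        echo "wrong:$actual"
    fi
}

# True when Linux group $1 exists in the NSS group database (local /etc/group,
# or winbind when nsswitch.conf lists it for "group").
unix_group_exists() {
    getent group "$1" >/dev/null 2>&1
}

# Print the "net groupmap" command that would fix the mapping of Samba group
# $1 to Linux group $2, or nothing when it is already correct. $3 is the map
# type Jens mentions ("l" local Samba group, "d" domain group); $4 the listing.
plan_groupmap() {
    case $(groupmap_status "$1" "$2" "$4") in
        ok)      return 0 ;;
        missing) echo "net groupmap add ntgroup=\"$1\" unixgroup=$2 type=$3" ;;
        wrong:*) echo "net groupmap modify ntgroup=\"$1\" unixgroup=$2" ;;
    esac
}

# Stand-alone run: prefer the live listing when "net" is installed, fall back
# to the constructed sample, and report what would be done for WebDev.
if command -v net >/dev/null 2>&1; then
    listing=$(net groupmap list 2>/dev/null) || listing=$SAMPLE_GROUPMAP_LIST
else
    listing=$SAMPLE_GROUPMAP_LIST
fi
unix_group_exists webdevsuse \
    || echo "note: Linux group webdevsuse does not exist; create it before mapping" >&2
echo "status: $(groupmap_status WebDev webdevsuse "$listing")"
plan_groupmap WebDev webdevsuse l "$listing"
```

Run it as root on the Samba member server and execute the printed command only after confirming that "getent group webdevsuse" resolves; afterwards "net groupmap list" should show WebDev pointing at webdevsuse by name rather than at a bare GID, and "id" for an AD user in WebdevAD should list that group.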