How to Map AD groups to Samba share? | Unix Linux Forums | Red Hat

  Go Back    


Red Hat Red Hat is the world's leading open source technology solutions provider with offerings including Red Hat Enterprise Linux (RHEL), Fedora, open source applications, security and systems management, virtualization, and Services Oriented Architecture (SOA) solutions.

How to Map AD groups to Samba share?

Red Hat


Tags
active directory, ad, group, map, samba

Closed Thread    
 
Thread Tools Search this Thread Display Modes
    #1  
Old 01-04-2013
sunnysthakur sunnysthakur is offline
Registered User
 
Join Date: Apr 2011
Last Activity: 22 July 2014, 4:42 AM EDT
Posts: 34
Thanks: 0
Thanked 1 Time in 1 Post
How to Map AD groups to Samba share?

I am setup a samba share server which is authenticating from Active Directory.

I am able to access the share with AD user but not able to access when group defined in "valid users" parameters.

below are the steps i performed.

In smb.conf

Code:
[global]
workgroup = QASLABS
password server = WIN-60I6H2BG237.qaslabs.net
realm = QASLABS.NET
preferred master = no
security = ADS
idmap backend = ad
idmap uid = 100-20000000
idmap gid = 100-20000000
winbind separator = +
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
preferred master = no
server string = Linux Test Machine
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
netbios name = smbad
hosts allow = 127.0.0.1 192.16.17.0/24
passdb backend = tdbsam
template homedir = /home/%U
winbind nss info = rfc2307
 
[Data]
comment = Directory for storing Data
path= /opt/data
valid users = @NETWORK+itadmin NETWORK+testadmin
#valid users = @"QASLABS.NET\\itadmin"
writeable = yes
browseable=yes
create mask = 775
directory mask = 775
hosts allow = 127.0.0.1 192.16.17.0/24

In /etc/nsswitch.conf

Code:
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers: db files
netmasks: files
networks: files
protocols: db files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus

On executing the wbinfo -u i am getting the user list from AD

Code:
[root@smbad ~]# wbinfo -u
administrator
guest
krbtgt
testdev
testadmin
testhr
testqa
testit
testcmt
testsupp
testituser

On executing the wbinfo -u i am getting the user list from AD. But groups i created on AD is not displaying in this list [i.e itadmin]

Code:
[root@smbad ~]# wbinfo -g
BUILTIN+administrators
BUILTIN+users
SMBAD+itadmin
domain computers
domain controllers
domain admins
domain users
domain guests
group policy creator owners
read-only domain controllers
dnsupdateproxy
cert publishers
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
dnsadmins
schema admins
enterprise admins
enterprise read-only domain controllers

Please help on how to map AD group to samba so that group permissions can be setup on samba

Last edited by Scott; 01-16-2013 at 08:19 AM.. Reason: Code tags
Sponsored Links
    #2  
Old 01-07-2013
sunnysthakur sunnysthakur is offline
Registered User
 
Join Date: Apr 2011
Last Activity: 22 July 2014, 4:42 AM EDT
Posts: 34
Thanks: 0
Thanked 1 Time in 1 Post
Any help on this will appreciate.
Sponsored Links
    #3  
Old 01-09-2013
sunnysthakur sunnysthakur is offline
Registered User
 
Join Date: Apr 2011
Last Activity: 22 July 2014, 4:42 AM EDT
Posts: 34
Thanks: 0
Thanked 1 Time in 1 Post
After changing the parameters in /etc/smb.conf i am able to view users/groups i created on AD.

/etc/samba/smb.conf

Code:
workgroup = QASLABS
server string = Samba Server Version %v
password server = adserver.qaslabs.net
realm = QASLABS.NET
preferred master = no
security = ADS
;idmap backend = ad
idmap uid = 500-20000000
idmap gid = 500-20000000
winbind separator = +
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
preferred master = no
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
;netbios name = smbad
hosts allow = 127.0.0.1 192.16.17.0/24
passdb backend = tdbsam
template homedir = /home/%U
;winbind nss info = rfc2307

On executing the wbinfo i am able to view the AD users created by me.

Code:
[root@smbad samba]# wbinfo -u
administrator
guest
krbtgt
tlit
usrit
tladmin
usradmin
tlcmt
usrcmt
tldev
usrdev
tlhr
usrhr
tlqa
usrqa
tlsupp
usrsupp

and on executing the wbinfo with -g i am able to view the AD groups created by me.

Code:
[root@smbad samba]# wbinfo -g
BUILTIN+administrators
BUILTIN+users
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
itadmin
ituser
admadmin
adminuser
cmtadmin
cmtuser
devadmin
devuser
hradmin
hruser
qaadmin
qauser
suppadmin
suppuser

I am also able to test the ad users with password

Code:
[root@smbad samba]# wbinfo -a tladmin%Password1
plaintext password authentication succeeded
challenge/response password authentication succeeded

But now the issue is when i am accessing the samba share using these usernames i am not able to login to share and below error is coming in logs file.

Code:
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2013/01/10 02:04:28, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/01/10 02:04:28, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [itusr] -> [itusr] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/01/10 02:04:28, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2013/01/10 02:04:28, 3] smbd/process.c:timeout_processing(1382)
timeout_processing: End of file from client (client has disconnected).
[2013/01/10 02:04:28, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0

Also on login to the AD user from putty it is not accepting passwords.

Code:
[admin@smbad ~]$ su tladmin
Password:
su: incorrect password

Where as on login to AD user from putty from root account i am able to login [Password not prompted from switching from root user to AD user]

Please help me on this.

Thanks in advance..

Last edited by Scott; 01-16-2013 at 08:21 AM.. Reason: Code tags
    #4  
Old 01-16-2013
sunnysthakur sunnysthakur is offline
Registered User
 
Join Date: Apr 2011
Last Activity: 22 July 2014, 4:42 AM EDT
Posts: 34
Thanks: 0
Thanked 1 Time in 1 Post
I am able to solve this issue now and AD groups are reflected with samba permissions.
Sponsored Links
Closed Thread

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
samba issue: one samba share without password prompting and the others with. ideal2545 Solaris 0 01-12-2012 02:45 PM
Script to automatically map samba shares as network drive barrydocks Windows & DOS: Issues & Discussions 4 02-11-2011 03:01 PM
Auto map network drive using SAMBA with batch file unassassinable Linux 0 10-13-2010 12:53 PM
Map AIX share genesis211 SuSE 2 01-25-2010 06:12 PM
samba user.map file sagar_evc UNIX for Dummies Questions & Answers 2 10-13-2009 09:17 AM



All times are GMT -4. The time now is 06:33 AM.