#1
How to Map AD groups to Samba share?
I have set up a Samba share server which authenticates against Active Directory. I am able to access the share with an AD user, but I am not able to access it when a group is defined in the "valid users" parameter. Below are the steps I performed.

In smb.conf
Code:
    [global]
    workgroup = QASLABS
    password server = WIN-60I6H2BG237.qaslabs.net
    realm = QASLABS.NET
    preferred master = no
    security = ADS
    idmap backend = ad
    idmap uid = 100-20000000
    idmap gid = 100-20000000
    winbind separator = +
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false
    preferred master = no
    server string = Linux Test Machine
    encrypt passwords = yes
    log level = 3
    log file = /var/log/samba/%m
    max log size = 50
    printcap name = cups
    printing = cups
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    netbios name = smbad
    hosts allow = 127.0.0.1 192.16.17.0/24
    passdb backend = tdbsam
    template homedir = /home/%U
    winbind nss info = rfc2307

    [Data]
    comment = Directory for storing Data
    path= /opt/data
    valid users = @NETWORK+itadmin NETWORK+testadmin
    #valid users = @"QASLABS.NET\\itadmin"
    writeable = yes
    browseable=yes
    create mask = 775
    directory mask = 775
    hosts allow = 127.0.0.1 192.16.17.0/24

In /etc/nsswitch.conf
Code:
    passwd: files winbind
    shadow: files winbind
    group: files winbind
    hosts: files dns wins
    bootparams: nisplus [NOTFOUND=return] files
    ethers: db files
    netmasks: files
    networks: files
    protocols: db files
    rpc: files
    services: files
    netgroup: files
    publickey: nisplus
    automount: files
    aliases: files nisplus

On executing wbinfo -u I am getting the user list from AD.
Code:
    [root@smbad ~]# wbinfo -u
    administrator
    guest
    krbtgt
    testdev
    testadmin
    testhr
    testqa
    testit
    testcmt
    testsupp
    testituser

On executing wbinfo -u I am getting the user list from AD. But the groups I created on AD are not displayed in this list [i.e. itadmin].
Code:
    [root@smbad ~]# wbinfo -g
    BUILTIN+administrators
    BUILTIN+users
    SMBAD+itadmin
    domain computers
    domain controllers
    domain admins
    domain users
    domain guests
    group policy creator owners
    read-only domain controllers
    dnsupdateproxy
    cert publishers
    ras and ias servers
    allowed rodc password replication group
    denied rodc password replication group
    dnsadmins
    schema admins
    enterprise admins
    enterprise read-only domain controllers

Please help on how to map an AD group to Samba so that group permissions can be set up on Samba.

Last edited by Scott; 01-16-2013 at 08:19 AM. Reason: Code tags
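A cross-check of the share's `valid users` entries against what `wbinfo -u` and `wbinfo -g` enumerate, as an added example that is not part of the original thread. The function names are hypothetical and the sample data is a constructed subset of the config and output in post #1.

```python
import re
# Constructed sample, cut down from the smb.conf and wbinfo output in post #1.
SAMPLE_CONF = """
[global]
workgroup = QASLABS
winbind separator = +
[Data]
valid users = @NETWORK+itadmin NETWORK+testadmin
"""
SAMPLE_USERS = ["administrator", "testadmin", "testit"]  # lines of wbinfo -u
SAMPLE_GROUPS = ["BUILTIN+administrators", "SMBAD+itadmin", "domain users"]  # wbinfo -g

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lowercased, comments skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def check_valid_users(conf, share, users, groups):
    """List (entry, reason) for 'valid users' entries absent from the enumeration."""
    glob = conf.get("global", {})
    sep = glob.get("winbind separator", "\\")
    workgroup = glob.get("workgroup", "").lower()
    known = {"user": {u.lower() for u in users}, "group": {g.lower() for g in groups}}
    problems = []
    for entry in re.findall(r'[@+&]*"[^"]*"|[^\s,]+', conf[share].get("valid users", "")):
        kind = "group" if entry[0] in "@+&" else "user"  # @, + and & mark group entries
        name = entry.lstrip("@+&").replace('"', "").lower()
        domain, found, short = name.partition(sep)
        # A name prefixed with our own workgroup may be enumerated without the prefix.
        candidates = {name, short} if found and domain == workgroup else {name}
        if candidates & known[kind]:
            continue
        reason = f"{kind} not enumerated by winbind"
        if found and domain != workgroup:
            reason += f"; prefix '{domain}' is not workgroup '{workgroup}'"
        problems.append((entry, reason))
    return problems

if __name__ == "__main__":
    print(check_valid_users(parse_smb_conf(SAMPLE_CONF), "data", SAMPLE_USERS, SAMPLE_GROUPS))
```

The enumeration is empty when `winbind enum users` and `winbind enum groups` are off, so on such hosts confirm a single name with `getent group <name>` instead.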
#2
Any help on this will be appreciated.
#3
After changing the parameters in /etc/smb.conf I am able to view the users/groups I created on AD.

/etc/samba/smb.conf
Code:
    workgroup = QASLABS
    server string = Samba Server Version %v
    password server = adserver.qaslabs.net
    realm = QASLABS.NET
    preferred master = no
    security = ADS
    ;idmap backend = ad
    idmap uid = 500-20000000
    idmap gid = 500-20000000
    winbind separator = +
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false
    preferred master = no
    encrypt passwords = yes
    log level = 3
    log file = /var/log/samba/%m
    max log size = 50
    printcap name = cups
    printing = cups
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    ;netbios name = smbad
    hosts allow = 127.0.0.1 192.16.17.0/24
    passdb backend = tdbsam
    template homedir = /home/%U
    ;winbind nss info = rfc2307

On executing wbinfo I am able to view the AD users created by me.
Code:
    [root@smbad samba]# wbinfo -u
    administrator
    guest
    krbtgt
    tlit
    usrit
    tladmin
    usradmin
    tlcmt
    usrcmt
    tldev
    usrdev
    tlhr
    usrhr
    tlqa
    usrqa
    tlsupp
    usrsupp

And on executing wbinfo with -g I am able to view the AD groups created by me.
Code:
    [root@smbad samba]# wbinfo -g
    BUILTIN+administrators
    BUILTIN+users
    domain computers
    domain controllers
    schema admins
    enterprise admins
    cert publishers
    domain admins
    domain users
    domain guests
    group policy creator owners
    ras and ias servers
    allowed rodc password replication group
    denied rodc password replication group
    read-only domain controllers
    enterprise read-only domain controllers
    dnsadmins
    dnsupdateproxy
    itadmin
    ituser
    admadmin
    adminuser
    cmtadmin
    cmtuser
    devadmin
    devuser
    hradmin
    hruser
    qaadmin
    qauser
    suppadmin
    suppuser

I am also able to test the AD users with a password.
Code:
    [root@smbad samba]# wbinfo -a tladmin%Password1
    plaintext password authentication succeeded
    challenge/response password authentication succeeded

But now the issue is that when I access the Samba share using these usernames, I am not able to log in to the share, and the error below appears in the log file.
Code:
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2013/01/10 02:04:28, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2013/01/10 02:04:28, 2] auth/auth.c:check_ntlm_password(319)
      check_ntlm_password: Authentication for user [itusr] -> [itusr] FAILED with error NT_STATUS_NO_SUCH_USER
    [2013/01/10 02:04:28, 3] smbd/error.c:error_packet_set(106)
      error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    [2013/01/10 02:04:28, 3] smbd/process.c:timeout_processing(1382)
      timeout_processing: End of file from client (client has disconnected).
    [2013/01/10 02:04:28, 3] smbd/sec_ctx.c:set_sec_ctx(241)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0

Also, on login to the AD user from PuTTY it is not accepting passwords.
Code:
    [admin@smbad ~]$ su tladmin
    Password:
    su: incorrect password

Whereas on login to the AD user from PuTTY from the root account I am able to log in [password not prompted when switching from root user to AD user].

Please help me on this. Thanks in advance.

Last edited by Scott; 01-16-2013 at 08:21 AM. Reason: Code tags
#4
I am able to solve this issue now and AD groups are reflected with samba permissions.