CentOS 7 SSSD AD with Samba Share

I followed this site's tutorial to install SSSD (without Winbind) to join a Windows Server 2008 domain, and it was a great success. Before that I was trying to use Zentyal to set up shared folders, but no luck ... Zentyal always showed errors ...

I wanted to use a GUI to complete the job, but when I failed with Webmin Samba and Zentyal, the only option left to me was to set things up one by one with commands and write the smb.conf by hand. Luckily the tutorial could join the domain without any problems, and I could set up the Samba share.

Here is the smb.conf:

[global]
workgroup = ADDOMAIN
server string = Samba Server Version %v
security = ads
# encrypt passwords = yes
# passdb backend = tdbsam
idmap config * : backend = tdb
realm = addomain.tld
access based share enum = yes

# this is just a member server
domain master = no
local master = no
preferred master = no

# in my test network I could not get AD authentication for smb shares to work
# without adding "kerberos method = secrets and keytab"
kerberos method = secrets and keytab

# Add the IPs / network ranges / subnets allowed access to the server in general.
# This is not a necessary entry but in general a good idea.
# hosts allow = 127. your local network info

# log files split per-machine:
log file = /var/log/samba/log.%m

# enable the following line to debug:
# log level = 3
# maximum size of 50KB per log file, then rotate:
max log size = 50

# Not interested in printers
load printers = no
cups options = raw

# This stops an annoying message from appearing in logs
printcap name = /dev/null

# File shares: under "valid users" I put a group. If you create a group for Samba in
# Active Directory and add users to it, those users will be able to access smb
# shares from this server over the network.

[guest]
comment = guest
path = /home/samba/guest
public = yes
readonly = no
writable = yes
guest ok = yes

[admin]
comment = admin
path = /home/samba/admin
public = no
readonly = no
writable = yes
guest ok = no
valid users = @"admingp@addomain.tld"

There is a user, ADDOMAIN\admintest (or admintest@addomain.tld), who logs in to a Windows PC and tries to access the "Admin" share folder but is not granted access. The log says "NT_STATUS_ACCESS_DENIED". But I am sure that the account is in the group.

To make sure the AD and user info are synced to my CentOS 7, I changed "valid users" from @"admingp@addomain.tld" to "admintest@addomain.tld". Then the user can access the share folder.

Then what I tried for troubleshooting was the id command. I have modified sssd.conf so there is no need to use fully qualified names. So ...

# id admintest
uid=821800500(admintest) gid=821800513(domain users) groups=821800513(domain users)

This is simply strange. Yes, this account is in "domain users", but it also belongs to some other groups, including "admingp".

Then I used the "getent" command to show group members.

# getent group admingp
admingp:*:821808307:administrator,admintest,ben, ... (etc)

There it is, admintest is in the group. Because it is also in the "domain users" group, I tried again to modify smb.conf: I changed "valid users" to @"domain users@addomain.tld" and guess what? The share folder is accessible.

So I can conclude that the smb.conf is fine and the AD authentication is fine. But as you noticed, "id admintest" only displays the first matched group. The others are skipped, so I can't set up the share folder with group permissions. And I have dozens of groups and dozens of share folders there; I can't simply implement it one by one.

And a final test for the id command. The Linux account "support" belongs to 2 groups. One is "support" itself and the other is "wheel".

# id support
uid=1000(support) gid=1000(support) groups=1000(support),10(wheel)

Linux users aren't affected. So ... what went wrong? I have attached the sssd.conf here. Please have a look.

[sssd]
domains = addomain.tld
config_file_version = 2
services = nss, pam

[domain/addomain.tld]
ad_domain = addomain.tld
krb5_realm = ADDOMAIN.TLD
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True

# use_fully_qualified_names = True
# fallback_homedir = /home/%u@%d

use_fully_qualified_names = False
fallback_homedir = /home/%u

enumerate = True
access_provider = simple
# access_provider = ldap

Thanks very much in advance.

centos samba cifs sssd

asked Nov 1 '17 at 4:04
AkiEru

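The question shows two views of the same AD membership disagreeing: the initgroups view (what `id` prints, and what Samba's `valid users = @group` effectively depends on when the member server resolves groups through NSS) lacks admingp, while the enumeration view (`getent group admingp`) lists admintest. The following script, an added example rather than code from the question or from SSSD/Samba, makes that comparison mechanical: it parses the two output formats, reports every user who appears in a group's member list but not in that user's initgroups result, and can repeat the check live against the host's NSS stack. The sample lines are constructed from the outputs in the question (the truncated getent line is filled in with the three members the page shows); the script and function names are this example's own.

```python
#!/usr/bin/env python3
"""Check whether initgroups and group enumeration agree about AD membership.

Added example, not code from the question. Samba's `valid users = @group`
needs the member server to put the group into the user's token; when the
initgroups view (what `id` prints) lacks a group that `getent group` lists,
the share is denied even though AD says the user is a member.
"""
import grp
import os
import pwd
import re

# Constructed sample input, copied from the outputs shown in the question
# (the getent line is truncated "..." on the page; three members are used here).
ID_LINES = [
    "uid=821800500(admintest) gid=821800513(domain users) groups=821800513(domain users)",
    "uid=1000(support) gid=1000(support) groups=1000(support),10(wheel)",
]
GROUP_LINES = [
    "admingp:*:821808307:administrator,admintest,ben",
    "wheel:x:10:support",
    "domain users:*:821800513:",
]

_GID_NAME = re.compile(r"\d+\(([^)]*)\)")


def parse_id(line):
    """One line of `id <user>` output -> (user, set of group names).

    Group names may contain spaces ("domain users"), so the groups= field is
    matched on its "<gid>(<name>)" shape instead of being split on whitespace.
    """
    m = re.search(r"uid=\d+\(([^)]*)\)", line)
    if m is None:
        raise ValueError("not an id(1) line: %r" % line)
    groups_field = line.split("groups=", 1)[1] if "groups=" in line else ""
    return m.group(1), set(_GID_NAME.findall(groups_field))


def parse_group(line):
    """One line of `getent group <name>` output -> (name, gid, set of members)."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 4:
        raise ValueError("not a group(5) line: %r" % line)
    name, _pw, gid, members = parts
    return name, int(gid), {u.strip() for u in members.split(",") if u.strip()}


def find_missing_groups(id_lines, group_lines):
    """Return {user: set of groups} for groups that list the user in gr_mem
    but are absent from that user's initgroups result."""
    initgroups = dict(parse_id(line) for line in id_lines)
    missing = {}
    for line in group_lines:
        gname, _gid, members = parse_group(line)
        for user in members & set(initgroups):
            if gname not in initgroups[user]:
                missing.setdefault(user, set()).add(gname)
    return missing


def live_views(users):
    """Build the same two text views from the running host's NSS stack
    (sssd, winbind, files) so the check can be repeated on a real member server.
    Enumeration (grp.getgrall) only sees AD groups when the NSS backend
    enumerates them, e.g. sssd with enumerate = True as in the question.
    """
    def gname(gid):
        try:
            return grp.getgrgid(gid).gr_name
        except KeyError:
            return str(gid)

    id_lines = []
    for user in users:
        pw = pwd.getpwnam(user)
        gids = os.getgrouplist(user, pw.pw_gid)  # the initgroups path `id` takes
        id_lines.append("uid=%d(%s) gid=%d(%s) groups=%s" % (
            pw.pw_uid, user, pw.pw_gid, gname(pw.pw_gid),
            ",".join("%d(%s)" % (g, gname(g)) for g in gids)))
    group_lines = ["%s:%s:%d:%s" % (g.gr_name, g.gr_passwd, g.gr_gid, ",".join(g.gr_mem))
                   for g in grp.getgrall() if set(g.gr_mem) & set(users)]
    return id_lines, group_lines


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                        # python3 check_groups.py admintest support
        views = live_views(sys.argv[1:])
    else:
        views = (ID_LINES, GROUP_LINES)
    for user, groups in sorted(find_missing_groups(*views).items()):
        print("%s: in gr_mem of %s but not in initgroups" % (user, ", ".join(sorted(groups))))
```

Run without arguments it reproduces the question's finding (admintest is missing admingp, support is consistent); run with user names on a member server it compares the live NSS answers, which is the quickest way to tell whether the denial is a Samba-side problem or, as here, an identity-resolution problem that `valid users` can only fail closed on.
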
          1 Answer

I have the same issue here... Finally I used winbind instead of SSSD for the Samba share and AD joining...

                answered 9 mins ago
Gary

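The answer only states that it moved to winbind. As an added example that is not part of the question or the answer, this is what a winbind-based member-server smb.conf for the same domain looks like, kept alongside the question's own settings so the differences stand out. The idmap ranges and the choice of the rid backend are assumptions made here for deterministic IDs; the page does not state them.

```ini
[global]
   workgroup = ADDOMAIN
   realm = ADDOMAIN.TLD
   security = ads
   kerberos method = secrets and keytab
   access based share enum = yes

   # Member server only, never a browse master
   domain master = no
   local master = no
   preferred master = no

   # Catch-all range for BUILTIN and any other SIDs (assumed values)
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Joined domain: uid/gid = range base + RID, identical on every server (assumed range)
   idmap config ADDOMAIN : backend = rid
   idmap config ADDOMAIN : range = 10000-999999

   # Users appear without the ADDOMAIN\ prefix, matching the question's
   # use_fully_qualified_names = False on the SSSD side
   winbind use default domain = yes
   winbind refresh tickets = yes
   template shell = /bin/bash
   template homedir = /home/%U

   load printers = no
   printcap name = /dev/null

[admin]
   comment = admin
   path = /home/samba/admin
   read only = no
   guest ok = no
   # winbind builds the user's full group token itself, so an AD group works here
   valid users = @admingp
```

For this to take effect, winbind has to be the source of users and groups in /etc/nsswitch.conf (passwd and group lines listing winbind), and the join can be verified with `net ads testjoin` followed by `wbinfo -r admintest`, which prints the group IDs winbind places in that user's token. Two caveats: the rid backend assigns different numeric IDs from SSSD's ldap_id_mapping (admintest was 821800500 under SSSD), so files under /home/samba owned by the old IDs have to be re-chowned, and running both SSSD and winbind for the same domain in nsswitch leads to two conflicting mappings, so pick one backend for the domain.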