CentOS 7 SSSD AD with Samba Share
I followed this site's tutorial to install SSSD (without Winbind) to join a Windows Server 2008 domain, and it was a great success. Before that I was trying to use Zentyal to set up share folders, but no luck ... Zentyal always showed errors ...
I wanted to use a GUI to complete the job, but when I failed with Webmin Samba and Zentyal, the only option I had left was to set things up one by one on the command line and write the smb.conf by hand. Luckily the tutorial joined the domain without any problems, and I could set up the Samba share.
Here is the smb.conf:
[global]
workgroup = ADDOMAIN
server string = Samba Server Version %v
security = ads
# encrypt passwords = yes
# passdb backend = tdbsam
idmap config * : backend = tdb
realm = addomain.tld
access based share enum = yes
# this is just a member server
domain master = no
local master = no
preferred master = no
# in my test network I could not get AD authentication for smb shares to work
# without adding "kerberos method = secrets and keytab"
kerberos method = secrets and keytab
# Add the IPs / network ranges / subnets allowed access to the server in general.
# This is not a necessary entry but in general a good idea.
# hosts allow = 127. your local network info
# log files split per-machine:
log file = /var/log/samba/log.%m
# enable the following line to debug:
# log level = 3
# maximum size of 50KB per log file, then rotate:
max log size = 50
# Not interested in printers
load printers = no
cups options = raw
# This stops an annoying message from appearing in logs
printcap name = /dev/null
# File shares: under "valid users" I put a group. If you create a group for Samba in
# Active Directory and add users to it, those users will be able to access SMB
# shares from this server over the network.
[guest]
comment = guest
path = /home/samba/guest
public = yes
readonly = no
writable = yes
guest ok = yes
[admin]
comment = admin
path = /home/samba/admin
public = no
readonly = no
writable = yes
guest ok = no
valid users = @"admingp@addomain.tld"
There is a user, ADDOMAIN\admintest (or admintest@addomain.tld), who logs in to a Windows PC and tries to access the "Admin" share folder but is denied access. The log says "NT_STATUS_ACCESS_DENIED". But I am sure that the account is in the group.
To make sure the AD and the user info is synced to my CentOS 7, I changed the valid users from @"admingp@addomain.tld" to "admintest@addomain.tld". The user can access the share folder.
Then what I tried for troubleshooting is the id command. I have modified sssd.conf so there is no need to use fully qualified names. So ...
# id admintest
uid=821800500(admintest) gid=821800513(domain users) groups=821800513(domain users)
This is simply strange. Yes, this account is in domain users, but it also belongs to some other groups, including "admingp".
Then I used the "getent" command to show group members.
# getent group admingp
admingp:*:821808307:administrator,admintest,ben, ... (etc)
There it is: admintest is in the group. Because it is also in the domain users group, I tried again to modify smb.conf, with valid users changed to @"domain users@addomain.tld", and guess what? The share folder is accessible.
So I can conclude that the smb.conf is fine and the AD authentication is fine. But as you noticed, id admintest only displays the first matched group. The others are skipped, so I can't set up the share folders with group permissions. And I have dozens of groups and dozens of share folders there; I can't simply implement it one by one.
And a final test for the id command. The Linux account "support" belongs to 2 groups. One is "support" itself and the other is "wheel".
# id support
uid=1000(support) gid=1000(support) groups=1000(support),10(wheel)
Linux users aren't affected. So ... what went wrong? I have attached the sssd.conf here. Please have a look.
[sssd]
domains = addomain.tld
config_file_version = 2
services = nss, pam
[domain/addomain.tld]
ad_domain = addomain.tld
krb5_realm = ADDOMAIN.TLD
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
# use_fully_qualified_names = True
# fallback_homedir = /home/%u@%d
use_fully_qualified_names = False
fallback_homedir = /home/%u
enumerate = True
access_provider = simple
# access_provider = ldap
Thanks very much in advance.
centos samba cifs sssd
asked Nov 1 '17 at 4:04
AkiEru
10113
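The question's key observation is that `getent group admingp` lists admintest as a member while `id admintest` reports only the primary group. The script below is an added example, not part of the original question, that automates that cross-check: it takes the GIDs from `id -G USER` and the groups from `getent group` that name USER as a member, and reports any group that only the second lookup knows about. The sample outputs are constructed from the values in the question (GIDs 821800513, 821808307 and 10); `live_check` runs the same comparison against the real `id` and `getent` on a member server. It compares numeric GIDs rather than names because `id -Gn` separates names with spaces, so a group such as "domain users" cannot be parsed reliably from that output.

```shell
#!/bin/sh
# Added example (not from the original post): find groups that getent attributes
# to a user but that the user's own `id -G` lookup does not return. With SSSD,
# that gap is exactly the symptom in the question: a share with
# valid users = @"admingp@..." denies a user whom getent shows in admingp.

# Constructed sample data, modelled on the values in the question.
SAMPLE_ID_G="821800513"
SAMPLE_GETENT='domain users:*:821800513:
admingp:*:821808307:administrator,admintest,ben
wheel:x:10:support'

# member_gids USER GETENT_TEXT
# Prints the GID (field 3) of every getent line whose member list (field 4)
# contains USER, one per line. Primary-group membership is not in field 4,
# so the primary group is never reported here; `id -G` always includes it.
member_gids() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        {
            n = split($4, m, ",");
            for (i = 1; i <= n; i++) {
                if (m[i] == u) { print $3; break }
            }
        }'
}

# gids_missing_from_id USER ID_G_TEXT GETENT_TEXT
# Prints each GID from member_gids that does not occur in ID_G_TEXT, the
# whitespace-separated list that `id -G USER` prints.
gids_missing_from_id() {
    user=$1
    id_g=$2
    getent_text=$3
    for gid in $(member_gids "$user" "$getent_text"); do
        found=0
        for seen in $id_g; do
            if [ "$seen" = "$gid" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$gid"
        fi
    done
    return 0
}

# live_check USER
# Same comparison against the running system (assumes id and getent are the
# standard coreutils/glibc tools, which they are on CentOS 7).
live_check() {
    gids_missing_from_id "$1" "$(id -G "$1")" "$(getent group)"
}

# Demo on the constructed sample: admingp (821808307) is listed by getent
# but absent from id's output, so that GID is printed.
gids_missing_from_id admintest "$SAMPLE_ID_G" "$SAMPLE_GETENT"
```

Running `live_check admintest` on the member server and getting a non-empty list confirms the question's diagnosis: the `smb.conf` share definition and the AD join are fine, and the missing piece is the supplementary-group lookup that NSS performs for the user. An empty list for a local account such as `support` shows, as the question's second `id` test does, that only the AD-backed identities are affected.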
1 Answer
I have the same issue here... Finally I used winbind instead of sssd for the Samba share and AD joining...
answered 9 mins ago
Gary
1