
I've been trying to get this to work reliably for some time. Here's the breakdown:

CentOS 7 with SSSD auth to Active Directory (fully functional). Here is the sssd.conf file:


[sssd]
domains = example
config_file_version = 2
services = nss, pam

[domain/example]
realmd_tags = manages-system joined-with-samba
enumerate = false
cache_credentials = false
id_provider = ldap
auth_provider = ldap
ldap_schema = ad
ldap_uri = ldaps://example.edu
ldap_search_base = dc=example,dc=edu
ldap_default_bind_dn = CN=useraccount,OU=people,DC=example,DC=edu
ldap_default_authtok_type = password
# bind password for the account above; the value is not shown in the post
ldap_default_authtok =
ldap_user_search_base = ou=People,ou=example,dc=edu
ldap_user_name = sAMAccountName
ldap_user_object_class = person
ldap_user_member_of = memberOf
ldap_user_uid_number = uidnumber
ldap_user_gid_number = gidnumber
ldap_user_fullname = displayName
ldap_group_search_base = dc=example,dc=edu
ldap_group_object_class = group
ldap_group_name = sAMAccountName
# SSSD's option is ldap_tls_reqcert; plain tls_reqcert is the ldap.conf spelling and is not read by SSSD
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
override_homedir = /home/%u

With this I'm able to log in with AD credentials and see UIDs/GIDs from the AD tree.

The problem arises when I try to integrate Samba shares that also auth against SSSD/PAM, which seems to not work properly.

Here is my basic smb.conf file:


[global]
workgroup = EXAMPLE
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
log level = 7
max log size = 50

security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = example.edu

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

load printers = no
cups options = raw
printcap name = /dev/null

[myshare]
comment = My shared folder
path = /var/myshare
public = no
writable = yes
guest ok = no
write list = testuser
read list = @testgroup

Ultimately I feel like I'm missing something simple here, or maybe it's not possible. I've set the folder perms to 0770 root:testgroup. I'd also like the Windows users that are connecting to be able to edit the permissions through NTFS, if at all possible.

The reason I'm using SSSD instead of winbind for this is that I need the UIDs/GIDs to pull from AD (for NFS mounts and such), and it never seemed to be 100% correct 100% of the time.

Any help on this would be greatly appreciated!

Errol
  • Any update from your side? Did you finally accomplish this task? – Manuel Faux Jan 05 '16 at 10:56
  • [sssd] services = nss, pam, autofs might be required for the automount of the shares to work ... But I've a question for you: how did you produce the certificates for the CentOS machines so that they can query AD's LDAP? – louigi600 May 30 '17 at 08:59
  • Seems like no solution and lots of people coming here. I also found this, might help someone. In the end there is some forcing of permissions going on, in winbind though. https://www.youtube.com/watch?v=LSShUG75pWw – frisbee23 Sep 27 '19 at 10:10
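Editor's note: the script below is an added example, not code from the question or from any answer, and it is not a fix for the poster's setup. It is an offline lint for an sssd.conf / smb.conf pair of the kind shown above, run against constructed copies of the two files (the contents, file names and temp directory are assumptions; the bind password is left empty as in the post). The two checks a practitioner would want here: an smb.conf with security = ads but no idmap config * : backend leaves smbd to allocate its own POSIX IDs, which will not match the uidNumber/gidNumber that SSSD serves, so the 0770 root:testgroup permission on the share is evaluated against the wrong identity (the sss backend from the sssd-winbind-idmap package delegates the mapping to SSSD); and an sssd.conf carrying ldap_default_authtok holds a plaintext bind password, so SSSD requires it to be root:root 0600 and refuses to start otherwise. It also flags tls_reqcert (the ldap.conf spelling; SSSD reads ldap_tls_reqcert) and, going beyond the posted ldaps:// case, a plain ldap:// URI without ldap_id_use_start_tls.

```shell
#!/bin/sh
# Added example, not from the original post: offline lint for an sssd.conf /
# smb.conf pair like the posted one. It writes constructed copies (assumed
# content, bind password left empty) to a temp dir and reports the settings
# that break an SSSD-backed share or expose the bind credential.

# conf_get FILE KEY: first value of KEY. Samba ignores case and whitespace in
# parameter names, so compare with case folded and whitespace removed.
conf_get() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); gsub(/[ \t]/, "", want) }
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", key)
            if (tolower(key) == want) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# smb_lint FILE: one line per problem found; exit status is always 0.
smb_lint() {
    f=$1
    if [ "$(lc "$(conf_get "$f" security)")" = "ads" ]; then
        # In ADS mode smbd maps SIDs to POSIX IDs through the idmap layer.
        # Without a backend it allocates IDs itself, so share ACLs are checked
        # against numbers unrelated to the uidNumber/gidNumber SSSD serves.
        # The sss backend (package sssd-winbind-idmap) hands mapping to SSSD.
        be=$(conf_get "$f" 'idmap config * : backend')
        if [ -z "$be" ]; then
            echo "$f: security = ads without 'idmap config * : backend' (use sss)"
        elif [ -z "$(conf_get "$f" 'idmap config * : range')" ]; then
            echo "$f: idmap backend '$be' has no 'idmap config * : range'"
        fi
    fi
    return 0
}

# sssd_lint FILE: same contract as smb_lint.
sssd_lint() {
    f=$1
    if grep -qi '^[[:space:]]*ldap_default_authtok[[:space:]]*=' "$f"; then
        # The bind password sits in the file in clear; SSSD insists on
        # root:root 0600 and refuses to start with anything looser.
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        [ "$mode" = 600 ] ||
            echo "$f: holds ldap_default_authtok but is mode $mode, not 0600"
    fi
    if [ -n "$(conf_get "$f" tls_reqcert)" ] &&
       [ -z "$(conf_get "$f" ldap_tls_reqcert)" ]; then
        echo "$f: tls_reqcert is the ldap.conf name; SSSD reads ldap_tls_reqcert"
    fi
    case $(lc "$(conf_get "$f" ldap_uri)") in
        ldap://*) [ "$(lc "$(conf_get "$f" ldap_id_use_start_tls)")" = true ] ||
            echo "$f: plain ldap:// without ldap_id_use_start_tls; bind password crosses the wire in clear" ;;
    esac
    return 0
}

# write_samples DIR: constructed copies of the posted files and a fixed pair.
write_samples() {
    cat > "$1/sssd_posted.conf" <<'EOF'
[domain/example]
id_provider = ldap
ldap_uri = ldaps://example.edu
ldap_default_bind_dn = CN=useraccount,OU=people,DC=example,DC=edu
ldap_default_authtok =
tls_reqcert = demand
EOF
    chmod 644 "$1/sssd_posted.conf"
    sed 's/^tls_reqcert/ldap_tls_reqcert/' "$1/sssd_posted.conf" > "$1/sssd_fixed.conf"
    chmod 600 "$1/sssd_fixed.conf"
    printf '[global]\nsecurity = ads\nrealm = example.edu\npassdb backend = tdbsam\n' \
        > "$1/smb_posted.conf"
    cat > "$1/smb_fixed.conf" <<'EOF'
[global]
security = ads
realm = example.edu
idmap config * : backend = sss
idmap config * : range = 200000-2147483647
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/*.conf; do
    case $f in *sssd_*) sssd_lint "$f" ;; *) smb_lint "$f" ;; esac
done
```

Run it as-is to see the findings on the constructed files, or point smb_lint and sssd_lint at the real /etc/samba/smb.conf and /etc/sssd/sssd.conf. The idmap range value in the fixed sample is an assumption; any range that does not overlap local accounts works, since with the sss backend the numbers come from AD's uidNumber/gidNumber attributes, not from the range.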
