Hi,
I have a debian 9 (stretch) samba domain member. I am using sssd rather than winbind and also managing samba with ctdb as this will eventually run in a clustered environment. I have inherited the configuration for this that has only been previously tested with public shares. I am not a sysadmin, I am primarily a java developer and the task of making this work has fallen to me.
I need the domain admins, or at least the domain administrator, to be able to alter ownership of shares from Windows and set ACLs on shares and subfolders.
My first attempts were on debian 8 and I could not administer the shares from Windows or assign ACLs. If I changed the ownership on the samba domain member to 'administrator@smb.local:domain admins@smb.local' I could appear to do some administration. I could set ownership and ACLs on the share and subfolders. However these appeared only in Windows and the ACLs were never set on the Linux side.
Some reading led me to believe that I needed to use libwbclient-sssd to make this work. Hence the move to debian 9.
In debian 9 I ran into the same issue when using the samba libwbclient. I can set ACLs from the command line on debian and Windows does detect these, but setting the ACLs from Windows doesn't appear to work.
When I changed to use libwbclient-sssd things got worse. I can't log on to the shares as the auth appears to be ntlmssp. If I use smbclient -k the auth is krb5 but logon still fails. Both of these work with the samba libwbclient and the usernames and passwords are correct.
So I have multiple problems...
- ACLs cannot be set from Windows onto the debian shares
- libwbclient-sssd doesn't support ntlm
- logon fails with krb5
My questions are
1. Is it possible for a domain administrator to set ACLs from Windows onto samba shares?
2. Has anyone got a configuration with sssd where a domain administrator can set ACLs from Windows onto samba shares?
3. How can I force all clients to use krb5 rather than ntlm?
The full config I am using is listed below
debian_version = 9.0
apt-get install ctdb
apt-get install samba
apt-get install sssd
apt-get install libwbclient-sssd
apt-get install smbclient
apt-get install libkrb5-dev
apt-get install libkrb5-3
apt-get install libsasl2-modules-gssapi-mit
#########################################################
cat /etc/samba/smb.conf
[global]
workgroup = SMB
server string = SMB Gateway
map to guest = bad uid
clustering = yes
server max protocol = SMB2_10
#================== ACL support =====================
store dos attributes = Yes
dos filemode = Yes
vfs objects = acl_xattr
#================== Added to try and prevent ntlm auth =====================
client lanman auth = no
lanman auth = no
ntlm auth = no
client NTLMv2 auth = no
#================== Performance Options =====================
socket options = TCP_NODELAY
max xmit = 262144
deadtime = 15
smb2 max read = 8388608
smb2 max trans = 8388608
smb2 max write = 8388608
dbwrap_tdb_mutexes:* = yes
min receivefile size = 131072
aio read size = 16384
aio write size = 16384
write cache size = 262144
#==================== Logging Options =================
log file = /var/log/samba/log.%m
max log size = 50
log level = 10
#========= Standalone / Domain Server Options =========
security = ads
#================ Domain Members Options ==============
realm = SMB.local
kerberos method = system keytab
#================ fix file issues ==============
dos filemode = yes
unix extensions = no
#================ No printers ==================
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#======================= Shares =======================
[share2]
path = /var/testshares/share2
writeable = True
#########################################################
cat /etc/krb5.conf
[libdefaults]
default_realm = SMB.LOCAL
#########################################################
cat /etc/nsswitch.conf
passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files
hosts: files dns sss
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
#########################################################
cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = SMB.local
services = nss, pam
debug_level = 9
[nss]
debug_level = 9
[pam]
debug_level = 9
[domain/SMB.local]
debug_level = 9
default_shell = /bin/bash
krb5_realm = SMB.LOCAL
id_provider = ad
access_provider = ad
cache_credentials = true
use_fully_qualified_names = true
krb5_store_password_if_offline = true
ad_gpo_access_control = disabled
#########################################################
cat /etc/sysconfig/ctdb
# Options to ctdbd, read by ctdbd_wrapper(1)
#
# See ctdbd.conf(5) for more information about CTDB configuration variables.
# Shared recovery lock file to avoid split brain. No default.
#
# Do NOT run CTDB without a recovery lock file unless you know exactly
# what you are doing.
CTDB_RECOVERY_LOCK=/tmp/ctdb.lock
# List of nodes in the cluster. Default is below.
CTDB_NODES=/etc/ctdb/nodes
# List of public addresses for providing NAS services. No default.
CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses
# What services should CTDB manage? Default is none.
CTDB_MANAGES_SAMBA=yes
# CTDB_MANAGES_WINBIND=yes
# CTDB_MANAGES_NFS=yes
# Raise the file descriptor limit for CTDB?
ulimit -n 10000
# Default is to use the log file below instead of syslog.
CTDB_LOGFILE=/var/log/log.ctdb
CTDB_SYSLOG=no
# Default log level is ERR. NOTICE is a little more verbose.
CTDB_DEBUGLEVEL=NOTICE
# Set some CTDB tunable variables during CTDB startup?
# CTDB_SET_TraverseTimeout=60
CTDB_SERVICE_SMB=smbd
#########################################################
cat /etc/ctdb/nodes
127.0.0.1
#########################################################
ctdb public_addresses is empty
#########################################################
testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
# Global parameters
[global]
realm = SMB.LOCAL
server string = SMB Gateway
workgroup = SMB
log file = /var/log/samba/log.%m
max log size = 50
clustering = Yes
disable spoolss = Yes
load printers = No
printcap name = /dev/null
max xmit = 262144
min receivefile size = 131072
server max protocol = SMB2
unix extensions = No
client NTLMv2 auth = No
kerberos method = system keytab
map to guest = Bad Uid
security = ADS
deadtime = 15
dbwrap_tdb_mutexes:* = yes
idmap config * : backend = tdb
store dos attributes = Yes
dos filemode = Yes
printing = bsd
aio read size = 16384
aio write size = 16384
write cache size = 262144
vfs objects = acl_xattr
[share]
path = /var/testshares/share3
read only = No
#########################################################
domain successfully joined with
net ads join -Uadministrator%password
dns successfully registered with
net ads dns register stretch.smb.local 192.168.1.156 -Uadministrator%password
getent passwd administrator@SMB.local
administrator@SMB.local:*:778800500:778800513:Administrator:/:/bin/bash
sssd-users@lists.fedorahosted.org
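A small linter for the posted smb.conf, added here as an example and not code from the original post or from Samba: it parses a constructed excerpt modelled on the [global] section above, reports parameters set twice in one section (Samba keeps the last value, so the repeated `dos filemode` is harmless but easy to misread), and flags the two NTLM-related settings that do not force Kerberos: `client NTLMv2 auth = no` only makes this host's own client tools send NTLMv1, and `ntlm auth` on an ADS member governs the local passdb, not domain accounts validated by the DC.

```python
"""Lint an smb.conf for duplicate parameters and NTLM-related settings.
Added example, not code from the original post; SAMPLE_SMB_CONF is a
constructed excerpt modelled on the posted [global] section."""
import re
SAMPLE_SMB_CONF = """
[global]
security = ads
ntlm auth = no
client NTLMv2 auth = no
dos filemode = Yes
dos filemode = yes
"""

def normalize(name):
    # Samba ignores case and internal whitespace in parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicates in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((normalize(key), value.strip()))
    return sections

def find_duplicates(sections):
    """Keys set twice in one section; Samba silently keeps the last value."""
    dups, seen = [], set()
    for sec, params in sections.items():
        for key, _ in params:
            if (sec, key) in seen:
                dups.append((sec, key))
            seen.add((sec, key))
    return dups

def check_ntlm_settings(sections):
    """Flag [global] settings that do not do what the 'prevent ntlm' comment hopes."""
    g, findings = dict(sections.get("global", [])), []
    if g.get("clientntlmv2auth", "yes").lower() == "no":
        findings.append("client NTLMv2 auth = no: own client tools fall back to NTLMv1")
    if g.get("security", "").lower() == "ads" and g.get("ntlmauth", "yes").lower() == "no":
        findings.append("ntlm auth = no: local passdb only; DC decides NTLM for domain users")
    return findings
```

Run it against the real file with `check_ntlm_settings(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; the testparm output above is the authoritative view of what smbd actually loaded, so lint that too if the two disagree.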