How to secure samba share access using 'valid users' parameters along with local samba groups with security=ads.
Environment
- Red Hat Enterprise Linux 5/6/7
- samba
- winbind
Issue
- How do I secure Samba share access using the 'valid users' parameter together with local Samba groups when the system is joined to AD and winbind is used?
Resolution
Solution 1:
1] Add a local (non-UNIX) group to the Samba database. The group is not written to /etc/group; its GID is allocated from the winbind idmap range.
# net sam createlocalgroup <local_group_name>
Example:
# net sam createlocalgroup tgroup
2] Add a member to the local group. The group can be specified only by name; the member can be specified by name or SID.
Note: AD users and local Samba users can both be added to this group, in the same way.
# net sam addmem <local_group_name> <ad_user_name>
Example:
# net sam addmem tgroup EXAMPLE\\aduser
3] Change the owning group of the shared path to the local group as below. Through NSS the group is known as <NetBIOS name>\<local_group_name> (RHEL6\tgroup in the example), and the backslash has to be escaped in the shell. Note that chgrp only changes the owning group: the directory mode must also grant the group read/write access, and should deny others, for the share to be both usable by members and closed to everyone else.
# chgrp -R "<local_group_name>" /<share>
Example:
# chgrp -R "RHEL6\\tgroup" /share
4] Run the following command to list the group members and confirm the additions took effect.
# net sam listmem <local_group_name>
Example:
# net sam listmem tgroup
5] Add the local group to the share definition in smb.conf as below. The leading + tells Samba to look the name up only as a UNIX group (resolved through NSS, i.e. winbind):
[share]
.
.
valid users = +tgroup
Note: Samba must be restarted (or its configuration reloaded) after the above change. Run testparm first to confirm that smb.conf still parses.
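The five steps above gathered into one script, plus the membership and login checks from the Diagnostic Steps section. This is an added example and not part of the Red Hat article: the group name tgroup, the path /share and the member EXAMPLE\aduser are assumptions taken from the examples above, the script assumes the host is already joined to AD with winbind running, and reading the NetBIOS name with testparm --parameter-name is an assumption about the installed Samba (it falls back to the upper-cased short hostname).

```shell
#!/bin/sh
# Added example, not from the Red Hat article: Solution 1 as one script plus
# the checks from "Diagnostic Steps".  Assumes an AD-joined host with winbind
# running and net, testparm, smbcontrol, getent, id and smbclient on PATH.
# Group name, share path and member list are illustrative assumptions;
# override them through the environment.
set -eu

LOCAL_GROUP="${LOCAL_GROUP:-tgroup}"       # assumed local Samba group
SHARE_PATH="${SHARE_PATH:-/share}"         # assumed share directory
MEMBERS="${MEMBERS:-EXAMPLE\\aduser}"      # assumed members, DOMAIN\user, space-separated
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"

# Accept exactly one DOMAIN\name token: no empty value, no whitespace, no
# leading/trailing/doubled backslash, before it reaches "net sam addmem".
valid_member() {
    case "$1" in
        ''|*[[:space:]]*|'\'*|*'\') return 1 ;;
        *'\'*'\'*)                   return 1 ;;
        *'\'*)                       return 0 ;;
        *)                           return 1 ;;
    esac
}

# Local Samba groups appear through NSS as <NetBIOS name>\<group>
# (RHEL6\localgroup in the article's output); that is the name chgrp needs.
nss_group_name() {
    printf '%s\\%s' "$1" "$2"
}

# Share stanza for step 5; "+" makes Samba look the name up as a UNIX group.
share_stanza() {
    printf '[share]\n    path = %s\n    read only = no\n    valid users = +%s\n' "$2" "$1"
}

netbios_name() {
    # Assumption: testparm can print a single parameter.  When unset, Samba
    # defaults "netbios name" to the upper-cased short hostname.
    local n
    n=$(testparm -s --parameter-name='netbios name' 2>/dev/null) || n=
    [ -n "$n" ] || n=$(hostname -s | tr 'a-z' 'A-Z')
    printf '%s\n' "$n"
}

apply() {
    grp=$(nss_group_name "$(netbios_name)" "$LOCAL_GROUP")

    # Step 1: local (non-UNIX) group; its GID comes from the winbind idmap range.
    net sam createlocalgroup "$LOCAL_GROUP"

    # Step 2: AD users and local Samba users are added the same way.
    for m in $MEMBERS; do
        valid_member "$m" || { printf 'malformed member: %s\n' "$m" >&2; return 1; }
        net sam addmem "$LOCAL_GROUP" "$m"
    done
    net sam listmem "$LOCAL_GROUP"                       # step 4

    # Step 3: winbind must resolve the group before chgrp can use it.
    getent group "$grp" >/dev/null || { printf 'NSS cannot resolve %s\n' "$grp" >&2; return 1; }
    chgrp -R "$grp" "$SHARE_PATH"
    # 'valid users' only gates the SMB connection; the file mode is what keeps
    # other AD accounts out of the data.  Group rwx, setgid so new files
    # inherit the group, nothing for others.
    chmod -R g+rwX,o-rwx "$SHARE_PATH"
    chmod g+s "$SHARE_PATH"

    # Step 5: append the share, syntax-check, then reload (a restart also works).
    { printf '\n'; share_stanza "$LOCAL_GROUP" "$SHARE_PATH"; } >> "$SMB_CONF"
    testparm -s "$SMB_CONF" >/dev/null
    smbcontrol all reload-config
}

verify() {
    # Same checks as "Diagnostic Steps": every member must carry the group
    # according to NSS, then an SMB login is attempted.
    grp=$(nss_group_name "$(netbios_name)" "$LOCAL_GROUP")
    for m in $MEMBERS; do
        id "$m" | grep -qF "($grp)" \
            || { printf '%s is not in %s\n' "$m" "$grp" >&2; return 1; }
        # smbclient prompts for the password; user%password on the command
        # line ends up in ps output and shell history.
        smbclient "//$(hostname)/share" -U "$m" -c 'ls'
    done
}

case "${1:-}" in
    apply)  apply ;;
    verify) verify ;;
    *)      printf 'usage: %s apply|verify  (run as root on the AD member server)\n' "$0" >&2 ;;
esac
```

Run it as root with the "apply" argument on the member server, then "verify" to repeat the id and smbclient checks. For the AD-group variant, replace the +tgroup line in the stanza with the quoted DOMAIN\group form and skip the net sam steps; the chmod and testparm checks apply unchanged.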
Solution 2:
Alternatively, name an AD group directly in "valid users", which avoids maintaining a separate local group (the file-system group and mode on the share path still have to match):
[share]
valid users = +"DOMAIN\adgroup"
Diagnostic Steps
1] Have a look at the following test:
[root@rhel6 ~]# getent passwd -s 'winbind' aduser
aduser:*:1001116:1000513:aduser:/home/EXAMPLE/aduser:/bin/bash
[root@rhel6 ~]# net sam createlocalgroup localgroup
Created local group localgroup with RID 1001 <---------------------
[root@rhel6 ~]# net sam addmem localgroup EXAMPLE\\aduser
Added EXAMPLE\aduser to RHEL6\localgroup <---------------------
[root@rhel6 ~]# id aduser
uid=1001109(EXAMPLE\aduser) gid=1000513(EXAMPLE\domain users) groups=1000513(EXAMPLE\domain users),3001000(RHEL6\localgroup),2000001(BUILTIN\users)
[root@rhel6 ~]# groups EXAMPLE\\aduser
EXAMPLE\aduser :EXAMPLE\domain users RHEL6\localgroup BUILTIN\users <------------------
2] The Samba configuration looks like this. Note that the file sets "winbind use default domain" twice; Samba takes the last occurrence, so "yes" is in effect. Also, "public = yes" is a synonym for "guest ok = yes" and should be left off a share that is meant to be restricted to a group:
[root@rhel6 ]# cat /etc/samba/smb.conf
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
idmap config * : backend = autorid
idmap config * : range = 1000000-19999999
idmap config * : rangesize = 1000000
template shell = /bin/bash
winbind use default domain = yes
[share]
comment = Test Share
path = /share
read only = no
public = yes
valid users = +localgroup <----
3] I tried to access the share and it was successful.
# smbclient //`hostname`/share -U EXAMPLE\\aduser%testing123
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.6.23-24.el6_7]
smb: \> ls
. D 0 Fri Mar 25 03:23:34 2016
.. DR 0 Fri Mar 25 03:23:12 2016
a.txt 0 Fri Mar 25 03:23:34 2016
34300 blocks of size 262144. 27613 blocks available
smb: \>
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
3 Comments
Needs to be updated to reflect modern RHEL 7 and RHEL 8.
Also, you have garbage like "winbind use default domain = no" and then "winbind use default domain = yes" in the same smb.conf file.
Subject/Title of this article has "parameters" misspelled.
Hello Jay,
Thank you for reporting this, I've corrected it and re-published the article.