Access control with Active Directory and group based permissions

Hi @b_b,

I got to trying this over the week-end and this morning and was able to control access to secondary groups using that approach. In particular, this is the setup I used (let me know if that indeed fits what you are trying to do):

Active Directory setup

Groups

Create 2 custom groups:

  • adgroup1
  • adgroup2

Users

Create 3 new users:

  • aduser1
  • aduser2
  • aduser3

Group memberships

Set up group memberships to add the following groups to these users:

  • adgroup1:
      • aduser2
      • aduser3
      • aduser1
  • adgroup2:
      • aduser2
      • aduser1

Rockstor setup

I made the idmap changes I described above (note that I have not tested whether they were indeed required but I think we should make them anyway), created a share named test_share01. Note that I changed the access to set the domain users@samdom.example.com group as owner but I do not think that matters.

Samba config

Create a Samba export of test_share01 using Rockstor’s webUI using default settings, nothing particular here. The resulting smb.conf is as follows:

buildvm155:~ # cat /etc/samba/smb.conf
[global]
    log file = /var/log/samba/log.%m
    log level = 10
    load printers = no
    cups options = raw
    printcap name = /dev/null
    map to guest = Bad User

####BEGIN: Rockstor SAMBA GLOBAL CUSTOM####
    vfs objects = acl_xattr
    map acl inherit = yes
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    idmap config SAMDOM : backend = sss
    idmap config SAMDOM : range = 200000-2000200000
    workgroup = SAMDOM
####END: Rockstor SAMBA GLOBAL CUSTOM####

####BEGIN: Rockstor ACTIVE DIRECTORY CONFIG####
    security = ads
    realm = SAMDOM.EXAMPLE.COM
    kerberos method = secrets and keytab
    client signing = yes
    client use spnego = yes
####END: Rockstor ACTIVE DIRECTORY CONFIG####

####BEGIN: Rockstor SAMBA CONFIG####
[test_share01]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share test_share01"
    root preexec close = yes
    comment = b'Samba-Export'
    path = /mnt2/test_share01
    browseable = yes
    read only = no
    guest ok = no
####END: Rockstor SAMBA CONFIG####

Set up ACL from windows

I followed the Samba wiki guide linked above to give:

  • on test_share01: Full Control to adgroup2.

This means:

  • users from adgroup2 should be able to access, read, write, and modify: aduser1 and aduser2
  • users that do NOT belong to adgroup2, such as aduser3, should not be able to access, read, write, and modify.

Test the end result

From Windows:

  • I first mapped the test_share01 as a new network drive as user SAMDOM\aduser1. It worked, and I could create a new file named test_file_from_aduser1.txt.
  • Disconnect the mapped network drive.
  • Create a new network drive mapping of test_share01 as user SAMDOM\aduser3. I get connection refused due to "You do not have permission access to \\testserver\test_share01".

It thus all seems to work as expected.

For reference, the resulting permissions as seen from the Samba host (Rockstor machine):

buildvm155:~ # ls -lah /mnt2/test_share01
total 8.0K
drwxrwx---+ 1 root                             domain admins@samdom.example.com 98 Sep 11 10:43 .
drwxr-xr-x  1 root                             root                             90 Aug 30 15:28 ..
-rwxrwxr-x+ 1 aduser1@samdom.example.com       domain users@samdom.example.com  37 Sep 11 10:43 tesfile_from_aduser1.txt

Let me know if that fits what you need and I can give more details on whatever step(s) you would like.
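Added example (not code from the post or from Rockstor): a small audit of the two settings in the smb.conf above that decide whether the AD group ACL actually holds, namely non-overlapping idmap ranges for `*` and the domain, and `guest ok = no` on every share. It runs on a constructed sample that mirrors the shape of that config.

```python
from __future__ import annotations
import re
# Constructed sample (not Rockstor's output) with the same shape as the smb.conf in the post.
SAMPLE_SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    idmap config SAMDOM : backend = sss
    idmap config SAMDOM : range = 200000-2000200000
[test_share01]
    path = /mnt2/test_share01
    guest ok = no
"""
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
IDMAP_RANGE_RE = re.compile(r"^idmap config (?P<dom>\S+) : range$")
def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    # {section: {key: value}}; keys are lower-cased and whitespace-normalised
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        if m := SECTION_RE.match(line):
            current = m.group("name").strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections
def idmap_ranges(global_sec: dict[str, str]) -> dict[str, tuple[int, int]]:
    # domain name ('*' is the default allocating backend) -> (low, high) uid/gid range
    ranges = {}
    for key, value in global_sec.items():
        if m := IDMAP_RANGE_RE.match(key):
            lo, hi = value.split("-")
            ranges[m.group("dom")] = (int(lo), int(hi))
    return ranges
def audit(text: str) -> list[str]:
    # Returns a list of findings; an empty list means the checks passed.
    conf = parse_smb_conf(text)
    findings = []
    doms = list(idmap_ranges(conf.get("global", {})).items())
    for i, (d1, (a1, b1)) in enumerate(doms):
        for d2, (a2, b2) in doms[i + 1:]:
            if a1 <= b2 and a2 <= b1:  # closed intervals intersect
                findings.append(f"global: idmap ranges {d1} and {d2} overlap, uid/gid collisions possible")
    for name, sec in conf.items():  # per-share checks
        if name != "global" and sec.get("guest ok", "no").lower() in ("yes", "true", "1"):
            findings.append(f"{name}: 'guest ok = yes' bypasses the AD group ACL entirely")
    return findings
```

Run `audit(open("/etc/samba/smb.conf").read())` on the host to check a live config; a non-empty list is what to look at before mapping the share from Windows.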
