How to configure OpenHAB via Samba4 AD Share

  • Platform information:
    • Hardware: x86 AMD APU/8GB DDR3/Linux RAID5 8TB
    • OS: Ubuntu 18.04.1 LTS
    • Java Runtime Environment: Java™ SE Runtime Environment (build 1.8.0_181-b13)
    • openHAB version: 2.3.0-1

My home server is a Samba 4 AD and now I want to use Visual Studio Code to configure OpenHAB via a Samba share. The problem is that Samba AD uses the Windows security system, so I can’t use the fixed configuration via smb.conf. But how can I grant openhab access to the config files and also share the config dir with Samba AD, so that a specific user group can write to the config files?

Many thanks in advance.

You have to google how to share your files to windows with read write permissions.

The openHAB help docs will cite which directories need to be shared. To sum it up, most of the code is in /etc/openhab2 if you use a standard install.

You could look at the smb conf from openhabian just to get a list of directories also.

I know how to set up a write permission for a samba ad share.
My main problem is how to map openhab into the AD, so that openhab can read it and no one else (Linux permission system).
I have to mix it up.

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

But here is the solution which works for me.

ATTENTION: The solution could be incomplete!!!

The solution is not retested on other systems.
You are warned.

System info:
Ubuntu 18.10 Server with Samba 4 AD DC and openHAB2 (and much more ;-))
An id mapping via smb.conf is not possible, because the share of
the openHAB2 config is on the same machine as the AD DC.
The user accounts of the AD must correspond with the Linux user accounts on the system.

In smb.conf add these lines:

[openHAB2-conf]
        path=/etc/openhab2
        read only = no

Don’t add any other options like “force user”; it prevents you from configuring or using the share.

Like in the example from the Samba Wiki you need a user group which can configure share permissions.
Execute this command to make “Domain Admins” one of these groups.

# net rpc rights grant "YOURDOMAIN\Domain Admins" SeDiskOperatorPrivilege -U "YOURDOMAIN\administrator"

Change the owner and the group of the share /etc/openhab2

sudo chown -R root:"Domain Admins" /etc/openhab2

The owner root can be changed to any other user, but I want no one to have read or write permissions
as long as I am not finished.
On top of that, if the owner is root, Samba AD changes it in the permission config to “Administrator”, so all users are readable with no unreadable uid.
The group “Domain Admins” is very important, because we need a user or a group as owner which has “SeDiskOperatorPrivilege”.

Change the permission of the share /etc/openhab2

sudo chmod -R 0770 /etc/openhab2

Reload the samba config to apply the change

smbcontrol all reload-config

For the next step, we need the POSIX uid and gid of the openhab user.

id openhab

The output should look like this:

uid=103(openhab) gid=107(openhab) Gruppen=107(openhab),5(tty),20(dialout),29(audio)

Write down the uid and the gid.

After that, openhab has no access to any file in /etc/openhab2.
To change that, log on to a Windows domain client as a user of the “Domain Admins” group.
Start “Active Directory Users and Computers”
Click on “View” in the top menu and activate “Advanced Features”.
This activates the attribute editor to set POSIX attributes like uid and gid.

Now it is time to create a new corresponding openhab user in the Active Directory.
In the left Tree select “Users” and make a right-click on it.
In the context menu go to new and then select “User”.

In the new window enter something like “openHABUser” in “Full Name” and “User logon name”.
Click on Next.

Now choose a password.
Deselect “User must change password at next logon”.
Select “Password never expires”.
Click on Next.
Click on Finish.

Now it is time to create our new UserGroup for openhab.
Right-click on Users in the left tree.
In the context menu go to new and then select “Group”.

In the new window enter something like “openHABUsers” in “Groupname”
Click on OK.

Now double-click on your created “openHABUser”.
In the new window click on the “Attribute-Editor” tab.
Look for uidNumber, double-click on the entry and enter the uid of openhab (in my setup 103).
Click on OK.
Click on Apply.

Now double-click on your created Group “openHABUsers”.
In the new window click on the “Attribute-Editor” tab.
Look for gidNumber, double-click on the entry and enter the gid of openhab (in my setup 107).
Click on OK.

Click on the “Members” tab.
Click on Add.

In the new window enter your created user “openHABUser” and click on “Check Names”.
If a new window appears, select the right user you want to add and click on OK.
If you want to add any other user who should have access to /etc/openhab2 via the Samba share, enter the name of the user after your openhab user and click on “Check Names”.
When you are finished adding users,
click on OK.
Click on Apply.
Click on OK.

Now we have a corresponding user and group.

The next step is to configure the permissions of the share.
Open a File Explorer window and enter the address of your Samba server (example: \\testserver or \\192.168.0.100).

Right-click on “openHAB2-conf” and select properties.
Click on the security tab.
Click on Advanced.

In the new window click on the user “Everyone” and click on remove.

Click on Add and select “openHABUser” as principal (like you add a user to a group).
Select “Allow” as Type.
Select “This folder, subfolders and files” under Applies to.
Check “Full control” in the Advanced permissions section.
Click on OK.

Repeat the add process, but now for the group “openHABUsers” as principal.

Now we are ready to change the owner of the share.
Click on “Change” on the right of the “Owner” information.
Enter the name of the “openHABUser”, check the name and click on OK.
A checkbox appears directly under the “Owner” information.
Check it to apply the owner to every subfolder and file.

Click on Apply and then on OK.

Now every user in the “openHABUsers” group should be able to access, read and write every file in the share.

Back on the terminal of the server, we can check if the uid and gid are correct.
Check the openhab config folder:

ls -ld /etc/openhab2

You should see something like this:

drwxrwx---+ 13 openhab YOURDOMAIN\domain admins 4096 Oct 25 14:07 /etc/openhab2

If you get a number instead of “YOURDOMAIN\domain admins”,
you should check if your winbind service is configured correctly.

If you get a number other than 103 (your openhab user uid) or openhab in the owner field,
it is possible that you have a problem with the internal id-mapping.

Now it is time to check all users and groups that have access to the directory.

getfacl -n /etc/openhab2/

The output should look something like this:

# file: etc/openhab2/
# owner: 103
# group: 3000004
user::rwx
user:0:rwx
user:103:rwx
user:3000004:rwx
group::rwx
group:107:rwx
group:3000004:rwx
mask::rwx
other::---
default:user::rwx
default:user:0:rwx
default:user:103:rwx
default:user:3000004:rwx
default:group::---
default:group:107:rwx
default:group:3000004:rwx
default:mask::rwx
default:other::---

If 103 (your openhab user uid) is the owner and a user entry, and 107 (your openhab group gid) is a group entry, all is right and should work.

If the openhab user uid is not listed, you have a uid mapping problem, as I had.
Get the SID of your openHABUser (the one in the AD):

wbinfo --name-to-sid openHABUser

Check the uid:

wbinfo --sid-to-uid <the id from wbinfo --name-to-sid openHABUser>

If the uid is different from the uid of the Linux user “openhab”, you can change it by hand.
Find the idmap.ldb:

find /var | grep idmap.ldb

or, if you compiled Samba yourself:

find /usr/local | grep idmap.ldb

The output should look like this:

/var/db/samba4/private/idmap.ldb

Now we have all the information to edit the uid of the AD openHABUser.

ldbedit -e vi -H /var/db/samba4/private/idmap.ldb objectsid=<the id from wbinfo --name-to-sid openHABUser>

I selected vi as editor (-e vi), but you can also choose nano as editor (-e nano).

Change the xidNumber entry to the uid of the Linux user openhab.
Save and exit the editor.

The next step is to flush the net cache and to reload the samba config.

net cache flush
smbcontrol all reload-config

Now repeat the permission settings on a Windows PC: change the owner again to “openHABUser”, also delete “openHABUser” and “openHABUsers” from the permission list and re-add them.
Don’t forget the checkbox under the owner settings.

After applying the settings, recheck with getfacl if the numbers are correct.

I hope I forgot nothing.
Sorry for my bad English, I am constantly improving myself.
This tutorial needs a few more improvements, but I hope that it helps someone.
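The verification rule the post ends with (the openhab uid must be the owner and a named rwx user entry, the openhab gid a named rwx group entry, and "other" must stay closed) is easy to check by hand once, but it is the kind of check you want to rerun after every idmap change and reload. The script below is an added example and is not part of the thread or of any Samba or openHAB tooling; it parses the `id` and `getfacl -n` output formats shown above and applies that rule. The sample outputs embedded in it are constructed copies of the ones the post shows (uid 103, gid 107, AD group xid 3000004), and the `getfacl`/`id` invocations under the main guard are assumptions about a host where those tools exist.

```python
import re
import subprocess

# Constructed sample: `id openhab` output as shown in the thread (the German
# "Gruppen" field shows why we only anchor on the uid=/gid= fields).
ID_OUTPUT = "uid=103(openhab) gid=107(openhab) Gruppen=107(openhab),5(tty),20(dialout),29(audio)"

# Constructed sample: `getfacl -n /etc/openhab2/` output after the Windows-side
# permission setup succeeded (numeric ids because of -n).
GETFACL_OUTPUT = """\
# file: etc/openhab2/
# owner: 103
# group: 3000004
user::rwx
user:0:rwx
user:103:rwx
user:3000004:rwx
group::rwx
group:107:rwx
group:3000004:rwx
mask::rwx
other::---
default:user::rwx
default:user:0:rwx
default:user:103:rwx
default:user:3000004:rwx
default:group::---
default:group:107:rwx
default:group:3000004:rwx
default:mask::rwx
default:other::---
"""


def parse_id(text):
    """Extract (uid, gid) from `id <user>` output regardless of locale."""
    uid = re.search(r"uid=(\d+)\(", text)
    gid = re.search(r"gid=(\d+)\(", text)
    if not uid or not gid:
        raise ValueError("unrecognised id output: " + text)
    return int(uid.group(1)), int(gid.group(1))


def parse_getfacl(text):
    """Return (owner, group, entries); entries maps
    (scope, kind, qualifier) -> perms, scope being 'access' or 'default'."""
    owner = group = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# owner:"):
                owner = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                group = line.split(":", 1)[1].strip()
            continue
        parts = line.split(":")
        scope = "access"
        if parts[0] == "default":
            scope, parts = "default", parts[1:]
        if len(parts) != 3:
            raise ValueError("unexpected ACL line: " + line)
        kind, qualifier, perms = parts
        entries[(scope, kind, qualifier)] = perms
    return owner, group, entries


def check_openhab_acl(facl_text, uid, gid):
    """Apply the thread's rule to one directory ACL.
    Returns (ok, problems); an empty problem list means the mapping is right."""
    owner, _group, entries = parse_getfacl(facl_text)
    problems = []
    if owner != str(uid):
        problems.append(f"owner is {owner}, expected uid {uid}: check the idmap xidNumber")
    for scope in ("access", "default"):
        if entries.get((scope, "user", str(uid))) != "rwx":
            problems.append(f"{scope} ACL has no rwx user entry for uid {uid}")
        if entries.get((scope, "group", str(gid))) != "rwx":
            problems.append(f"{scope} ACL has no rwx group entry for gid {gid}")
        if entries.get((scope, "mask", "")) != "rwx":
            problems.append(f"{scope} mask would strip permissions from named entries")
        if entries.get((scope, "other", "")) != "---":
            problems.append(f"{scope} ACL grants access to 'other'; the share is world-readable")
    return not problems, problems


if __name__ == "__main__":
    # Assumed host with Samba/winbind: run the real commands instead of the samples.
    uid, gid = parse_id(subprocess.check_output(["id", "openhab"], text=True))
    facl = subprocess.check_output(["getfacl", "-n", "/etc/openhab2/"], text=True)
    ok, problems = check_openhab_acl(facl, uid, gid)
    print("OK" if ok else "\n".join(problems))
```

Run it after `net cache flush` and `smbcontrol all reload-config` and again after re-applying the owner and permissions from the Windows side; a complaint about the owner or a missing uid entry is the same symptom the post attributes to a wrong xidNumber in idmap.ldb.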