System service access to AD-owned files

Support
, , ,
#1

NethServer Version: 7.4.1708 (Final)
Module: Samba (et al.)

TL;DR: I’m trying to run a system service as a non-root user, but this service needs access to files in the samba shares (/var/lib/nethserver/ibay/) which are owned by AD groups and I can’t figure out how to do that.

I’m not familiar enough with domains on Linux and sssd to know if I’m making this unnecessarily difficult, but systemd definitely only allows running services as local users. I have successfully configured k5start as a (system) service to get a current ticket for headless@my.domain under the local user headless_local. However, this doesn’t seem to grant access to the desired files (despite headless@my.domain being a member of the owner group etc.).

Does anyone have any ideas? Although not ideal, it currently works to simply run the service as root.

Thanks & Merry Christmas,
Will

#2

This seems to me a nasty one. Consider a situation where you have multiple DC’s or multiple Samba Fileservers. Then setting up a service running on a local (system) account will give a challenge, right?
Can you give a bit more background on the service you want to run and why it needs access to samba fileshares?

#3

I had a hunch… this is my home router/lab (and a member of the “cutting cheese with a chainsaw” hall of fame). The domain only exists because LDAP is even less familiar to me (and seemed a bit insufficient).

The program I’m running is syncthing, it serves as a combination of local backup, remote backup, and file sync to pretty much everything I’m running.

Previously, syncthing was confined to an Ubuntu VM which had exclusive access to relevant files and the nethserver was more or less unused for personal data. The Ubuntu VM (which is the only member of the domain) was good-enough and able to share a bit over samba.

However, I’m now trying to move the remote backup and most of the synced data from a different computer to this box. At that point, the limits of the VM were too much.

So, I’ll back up a bit.

  1. My understanding is that systemd will not run a service as a domain user and that a local user cannot be mapped to a domain group. If either of these is possible then please let me know.
  2. From there I went about setting up k5start etc. to provide a ticket as described above.*
    • the reason I had hoped this would work is that local accounts on the Ubuntu VM follow get access to the same files via NFS once they have a ticket.

If no one sees an obvious “this is what fixes it” I’m fine leaving the service as root… I have bigger blocks of cheese to cut, and I’m probably only a few months to a year away from a de-complication of this box.

Thank you :slight_smile:

#4

If it’s on the same nethserver AD you might do it by creating an AD user and using it for the system service (syncthing@theuser.service). Syncthing will access the local filesystem.

If file permissions are important to you, do the tests on a separate share. If you need to, you can reset the shared folder permissions, and also have the option of setting the UMask parameter in the systemd service file.

Not the same case but, if it’s of help, @JOduMonT kindly shared these notes on syncthing:

#5

Not sure I understood correctly, but here is how I start services that needs to access my shares : I add those keys in the systemctl configuration file :

[Service]
User=plex@gaillet.be
Group=multimedia@gaillet.be

plex is a user that is only used for the services that needs access to my multimedia library.

Is it clear ? Does it help you ?

#6

My Plex override file just has this, so it doesn’t insist on using it’s own group:

        [Service]
        Group=

I then have plex set up, under NS as an AD user, but never updated the password to "activate it:

fileshare is then the owning group of the shares:

That appears to work correctly for me. Plex finds all the data, and by adding my own personal user to fileshare I can add/delete stuff as necessary.

Cheers.