[Samba] Permission Denied

Tue Dec 8 16:33:36 UTC 2015

2015-12-08 17:15 GMT+01:00 Rowland penny <rpenny at samba.org>:

> On 08/12/15 16:02, mathias dufresne wrote:
>
>> On any Linux system where you want to be able to use AD users as system
>> users you need to configure PAM. This because it is PAM which discuss with
>> the tool you have chosen to retrieve users information from AD and then
>> build system users with these information.
>>
>
> It may be better if you stop calling local Unix users 'system users',
> system users are something else, i.e. 'root' is a system user, as is
> 'www-data'

System users are users available from system side.
Local users are users declared in /etc/passwd.

What is the point of your remark?

>
>
>
>> I think you also need to configure PAM for file servers connected to some
>> domain (AD or NT4) for the underlaying system knows which user (system
>> user, ie uid, gid, groups...) access to some shared file, to grant or
>> refuse this access.
>>
>
> Yes, if you need to connect to a Unix machine, the Unix OS needs to know
> whoever is trying to connect.
>
> The short way to put it would be: to configure your system configure PAM,
>> without PAM configured only applications are configured: kinit could work,
>> net command too, wbinfo also... but not getent and so all application
>> relying to system side won't work (example from your first post: "id"
>> command rely on getent/PAM/nss/don't ask precisely and so won't work)
>>
>> This can't be completely true as frontier between system and application
>> is
>> more than fine (PAM is an app after all and a system could do what you
>> want
>> it does without PAM configured -> a Samba DC without PAM configured can be
>> fully managed, just ACLs would lack beauty I expect).
>>
>
> PAM is just part of the system, in fact some systems don't use PAM, but
> the majority of Unix systems use it because it makes life easier.
>
> Rowland
>
>
> 2015-12-08 16:20 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>
>> You are right! I haven't configured PAM for winbind on the DCs, probably
>>> because I don't need this.
>>>
>>> Any reasons why I should, if I manage my domain from Windows ADUC and
>>> don't log-on to the DCs as Administrator locally?
>>>
>>> Ole
>>>
>>>
>>>
>>> Am 08.12.2015 um 14:39 schrieb mathias dufresne:
>>>
>>> Ole,
>>>>
>>>> Did you configure PAM to use AD as a users source ? You need to have
>>>> Winbind or SSSD or nslcd configured to access your AD + configure PAM +
>>>> configure nsswitch.conf. Then you will system users from AD (ie "getent
>>>> passwd my-ad-account" would work).
>>>>
>>>> Cheers,
>>>>
>>>> mathias
>>>>
>>>> 2015-12-07 20:54 GMT+01:00 Rowland penny <rpenny at samba.org>:
>>>>
>>>> On 07/12/15 19:42, Ole Traupe wrote:
>>>>
>>>>> If I do this (rely on the user map file containing "!root =
>>>>>
>>>>>> BPN\Administrator BPN\administrator"), should I expect "id
>>>>>>>
>>>>>>>> Administrator"
>>>>>>>> to give anything?
>>>>>>>>
>>>>>>>> Ole
>>>>>>>>
>>>>>>>>
>>>>>>>> Only a Samba AD DC, you will not get anything from 'getent
>>>>>>>>
>>>>>>> Administrator' on a Unix domain member, but remember, with the user
>>>>>>> map
>>>>>>> 'Administrator' becomes 'root' :-)
>>>>>>>
>>>>>>> Yes, and I can manage share permissions via ADUC due to the user
>>>>>>>
>>>>>> mapping.
>>>>>>
>>>>>> But on the DCs I still get "No such user" (although I don't have any
>>>>>> appearent problem).
>>>>>>
>>>>>> Ole
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Have you changed anything on the DCs ? Are the winbind nss links in
>>>>>>
>>>>> place
>>>>> ? (not sure if this makes any difference, but I always create them)
>>>>>
>>>>> if I run 'id Administrator', I get:
>>>>>
>>>>> uid=0(root) gid=100(users)
>>>>> groups=0(root),100(users),3000004(SAMdom\Group
>>>>> Policy Creator Owners),3000006(SAMDOM\Enterprise
>>>>> Admins),3000008(SAMDOM\Domain Admins),3000007(SAMDOM\Schema Admins)
>>>>>
>>>>> 'getent password Administrator' returns:
>>>>>
>>>>> SAMDOM\Administrator:*:0:100::/home/Administrator:/bin/bash
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>
>>>>>
>>>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>