[Samba] New AD user cannot access file share from member server

Viktor Trojanovic viktor at troja.ch
Mon Jun 19 13:12:03 UTC 2017


On 19 June 2017 at 14:56, Rowland Penny via samba <samba at lists.samba.org>
wrote:

> On Mon, 19 Jun 2017 14:46:34 +0200
> Viktor Trojanovic <viktor at troja.ch> wrote:
>
> > On 19 June 2017 at 14:20, lingpanda101 via samba
> > <samba at lists.samba.org> wrote:
> >
> > > On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:
> > >
> > >> That's correct, I don't have "Unix Attributes" but through the
> > >> advanced view I have access to all attributes.
> > >>
> > >> The ldbsearch command is not returning anything in my case, it
> > >> gives me 0 records - no matter which user I try, even the
> > >> Administrator. I checked the
> > >> command several times to make sure there are no typos. I even
> > >> changed the objectclass from "person" to "user" to see if it makes
> > >> any difference but it doesn't.
> > >>
> > >> I tried both /var/lib/samba/sam.ldb
> > >> and /var/lib/samba/private/sam.ldb, and the
> > >> environment has LDB_MODULES_PATH set.
> > >>
> > >> I can easily look at the objects using the ADUC from the RSAT, not
> > >> sure why
> > >> this isn't working...
> > >>
> > >> On 19 June 2017 at 12:59, Rowland Penny via samba
> > >> <samba at lists.samba.org> wrote:
> > >>
> > >> On Mon, 19 Jun 2017 12:38:09 +0200
> > >>> Viktor Trojanovic <viktor at troja.ch> wrote:
> > >>>
> > >>>> Here is the DC's smb.conf:
> > >>>>
> > >>>>
> > >>>> [global]
> > >>>>          workgroup = SAMDOM
> > >>>>          realm = SAMDOM.EXAMPLE.COM
> > >>>>          netbios name = DC
> > >>>>          interfaces = lo br-lxc
> > >>>>          bind interfaces only = Yes
> > >>>>          server role = active directory domain controller
> > >>>>          dns forwarder = 192.168.1.2
> > >>>>          idmap_ldb:use rfc2307 = yes
> > >>>>
> > >>>> [netlogon]
> > >>>>          path = /var/lib/samba/sysvol/samdom.example.com/scripts
> > >>>>          read only = No
> > >>>>
> > >>>> [sysvol]
> > >>>>          path = /var/lib/samba/sysvol
> > >>>>          read only = No
> > >>>>
> > >>> Nothing wrong there
> > >>>
> > >>>> I'm not sure what you mean by showing you the user's AD object, can
> > >>>> you elaborate?
> > >>>>
> > >>> OK, install ldb-tools if not installed, then run this:
> > >>>
> > >>> ldbsearch -H /usr/local/samba/private/sam.ldb -b
> > >>> 'cn=users,dc=samdom,dc=example,dc=com' -s sub
> > >>> "(&(objectclass=person)(samaccountname=rowland))"
> > >>>
> > >>> Just in case it has got split up over multiple lines, the above
> > >>> should be just one line.
> > >>>
> > >>> Replace:
> > >>> /usr/local/samba/private/sam.ldb with the path to your sam.ldb
> > >>>
> > >>> dc=samdom,dc=example,dc=com with your dns/realm names
> > >>>
> > >>> rowland with your users name
> > >>>
> > >>> You should get something like this back:
> > >>>
> > >>> # record 1
> > >>> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> > >>> CN: Rowland Penny
> > >>> sn: Penny
> > >>> description: A Unix user
> > >>> givenName: Rowland
> > >>> instanceType: 4
> > >>> whenCreated: 20151109093821.0Z
> > >>> displayName: Rowland Penny
> > >>> uSNCreated: 3365
> > >>> name: Rowland Penny
> > >>> objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
> > >>> userAccountControl: 66048
> > >>> codePage: 0
> > >>> countryCode: 0
> > >>> homeDrive: H:
> > >>> pwdLastSet: 130915355010000000
> > >>> primaryGroupID: 513
> > >>> objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
> > >>> accountExpires: 0
> > >>> sAMAccountName: rowland
> > >>> sAMAccountType: 805306368
> > >>> userPrincipalName: rowland at samdom.example.com
> > >>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> > >>> unixUserPassword: ABCD!efgh12345$67890
> > >>> uid: rowland
> > >>> msSFU30Name: rowland
> > >>> msSFU30NisDomain: samdom
> > >>> uidNumber: 10000
> > >>> gecos: Rowland Penny
> > >>> unixHomeDirectory: /home/rowland
> > >>> loginShell: /bin/bash
> > >>> memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
> > >>> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> > >>> memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
> > >>> memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
> > >>> memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
> > >>> homeDirectory: \\MEMBER1\home\rowland
> > >>> objectClass: top
> > >>> objectClass: securityPrincipal
> > >>> objectClass: person
> > >>> objectClass: organizationalPerson
> > >>> objectClass: user
> > >>> gidNumber: 10000
> > >>> lastLogonTimestamp: 131418520439158520
> > >>> whenChanged: 20170613182723.0Z
> > >>> uSNChanged: 121030
> > >>> lastLogon: 131423412865104840
> > >>> logonCount: 633
> > >>> distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> > >>>
> > >>> # returned 1 records
> > >>> # 1 entries
> > >>> # 0 referrals
> > >>>
> > >>> Please post that, though you can sanitise it if you like, but if
> > >>> you do, use the same changes through out.
> > >>>
> > >>>> Samba is running on (Arch) Linux with Kernel 4.11. Clients are
> > >>>> Windows 10 with all the latest updates, I'm running the RSAT from
> > >>>> there.
> > >>>>
> > >>> In which case you will not have the 'Unix Attributes' tab in ADUC.
> > >>>
> > >>> Rowland
> > >>>
> > >>>
> > > Use this command, replacing my name with your username.
> > >
> > > /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb
> > > -b 'dc=samdom,dc=example,dc=local' -s sub
> > > "(&(objectclass=person)(samaccountname=james))"
> > >
> > > Rowland was linking to the CN=users. Yours may not be located there.
> > >
> > >
> > I could swear I tried this before, too, but it didn't give me any
> > results. Now all of a sudden it does. I must have made a mistake. It gives me
> > one entry and 3 referrals.
> >
> > [root at DC ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> > 'dc=samdom,dc=example,dc=ch' -s sub
> > "(&(objectclass=person)(samaccountname=jd))"
> > # record 1
> > dn: CN=First Last,OU=OFFICE,DC=samdom,DC=example,DC=ch
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > cn: Jane Doe
> > sn: Doe
> > givenName: Jane
> > instanceType: 4
> > whenCreated: 20170618195208.0Z
> > displayName: Jane Doe
> > uSNCreated: 26951
> > name: Jane Doe
> > objectGUID: e2df5086-fa25-4a25-93f2-d8f5e85a47e7
> > badPwdCount: 0
> > codePage: 0
> > countryCode: 0
> > badPasswordTime: 0
> > lastLogoff: 0
> > primaryGroupID: 513
> > objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
> > accountExpires: 9223372036854775807
> > sAMAccountName: jd
> > sAMAccountType: 805306368
> > userPrincipalName: jd at samdom.example.ch
> > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=ch
> > userAccountControl: 512
> > msSFU30NisDomain: samdom
> > homeDrive: P:
> > homeDirectory: \\fileserver\users\jd
> > lastLogonTimestamp: 131422908301256970
> > pwdLastSet: 131422908304075720
> > uidNumber: 11008
> > whenChanged: 20170618203831.0Z
> > uSNChanged: 26964
> > lastLogon: 131423462588474750
> > logonCount: 49
> > distinguishedName: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
>
> OK, glad we got that sorted out ;-)
>
> Your user 'Jane Doe' does not have a 'gidNumber' attribute, does
> 'Domain Users' have a 'gidNumber' attribute?
>

It does, it's set to 10001.

And none of the users have gidNumber set.
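A scripted version of the check this thread works through, added here as an example (it is not code from the thread or from Samba): parse the LDIF that ldbsearch prints, then report for each user whether uidNumber is set and whether the group named by primaryGroupID carries a gidNumber. The rule it applies (uidNumber on the user, gidNumber on the primary group) is the assumption behind Rowland's last question, not something the thread confirms; the LDIF in the script is a constructed sample in the shape of the output above, and the script name rfc2307check.py is made up. On the DC, real data can be piped in using the thread's own paths and base DN:

ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=ch' -s sub '(|(objectclass=person)(objectclass=group))' | python3 rfc2307check.py

```python
#!/usr/bin/env python3
"""Report missing RFC2307 attributes (uidNumber/gidNumber) for Samba AD users
from ldbsearch LDIF output on stdin; with no stdin it runs on SAMPLE.
Added example for this thread, not Samba's own code."""
import sys

# Constructed sample shaped like the thread's ldbsearch output: a user with
# uidNumber but no gidNumber (like 'jd'), a user with neither, and 'Domain
# Users' (RID 513) with gidNumber 10001. The wrapped objectCategory is on purpose.
SAMPLE = """\
# record 1
dn: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
objectClass: user
sAMAccountName: jd
primaryGroupID: 513
objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=exampl
 e,DC=ch
uidNumber: 11008

dn: CN=No Uid,OU=OFFICE,DC=samdom,DC=example,DC=ch
objectClass: user
sAMAccountName: nouid
primaryGroupID: 513
objectSid: S-1-5-21-4280320235-2980747731-3738778716-1117

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=ch
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-4280320235-2980747731-3738778716-513
gidNumber: 10001

# returned 3 records
"""

def parse_ldif(text):
    """LDIF -> list of {attr_lowercased: [values]}: folds continuation lines
    (leading space), skips '#' comments, splits records on blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # continuation of previous attribute
        else:
            lines.append(raw)
    records, cur = [], {}
    for line in lines:
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):          # 'attr:: <base64>' left undecoded
            value = value[1:]
        # LDAP attribute names are case-insensitive (ldbsearch printed 'CN:' above)
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        records.append(cur)
    return records

def first(rec, attr):
    vals = rec.get(attr.lower())
    return vals[0] if vals else None

def check_user(user, groups):
    """Findings for one user. Assumption: the member server needs uidNumber on
    the user and gidNumber on the group named by primaryGroupID; a missing
    gidNumber on the user object is reported as its own finding."""
    sam = first(user, "sAMAccountName") or first(user, "dn")
    findings = []
    if not first(user, "uidNumber"):
        findings.append(f"{sam}: no uidNumber")
    if not first(user, "gidNumber"):
        findings.append(f"{sam}: no gidNumber on the user object")
    pgid = first(user, "primaryGroupID")
    # Match the group whose objectSid ends in the user's primaryGroupID (the RID)
    group = next((g for g in groups
                  if (first(g, "objectSid") or "").rsplit("-", 1)[-1] == pgid), None)
    if group is None:
        findings.append(f"{sam}: primary group RID {pgid} not among the records")
    elif not first(group, "gidNumber"):
        findings.append(f"{sam}: primary group '{first(group, 'sAMAccountName')}' has no gidNumber")
    return findings

def check_ldif(text):
    """sAMAccountName -> findings, for every user record in the LDIF."""
    recs = parse_ldif(text)
    users = [r for r in recs if "user" in r.get("objectclass", [])]
    groups = [r for r in recs if "group" in r.get("objectclass", [])]
    return {first(u, "sAMAccountName"): check_user(u, groups) for u in users}

if __name__ == "__main__":
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in check_ldif(data or SAMPLE).items():
        print(name, "->", "; ".join(findings) or "ok")
```

The parser folds LDIF continuation lines (a line starting with a space belongs to the previous attribute), which matters because ldbsearch wraps long values such as the objectCategory line in the output above; a naive grep for "gidNumber" would not break on that, but a split DN would. The script only reads the LDIF it is given and changes nothing in sam.ldb.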

