Samba4 Linux user has two uid's

Rowland Penny repenny at f2s.com
Fri Mar 22 11:09:56 MDT 2013


On 21/03/13 22:10, Gémes Géza wrote:
> On 2013-03-21 21:01, Rowland Penny wrote:
>> HI,
>> If you join a S3 client to a S4 domain you get a different uid on the 
>> client and server, i.e.
>>
>> Info from the client
>> $ id user
>> uid=21105(user) gid=20513(domain_users) groups=20513(domain_users),1101(BUILTIN\users)
>>
>> Info from the server
>> # id user
>> uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>>
>> Now if you mount a share onto the client from the server via pam_script:
>>
>> mount -t cifs //server/dropbox /home/dropbox -o username=user,cruid=userid,sec=krb5i,multiuser,nobrl,mapchars,mfsymlinks,noserverino
>>
>>
>> If a file is now created in the share by the user, the user 
>> immediately loses all rights to it from the client.
>>
>> Is this a CIFS problem or a Samba4 problem?
>>
> Hi,
>
> Please check that you have the following:
>
> For samba4 use rfc2307 and specify the uids/gids (using e.g. ADUC), 
> copy/symlink the libnss files and allow winbind in /etc/nsswitch.conf

These were already setup

> For samba3 use idmap_ad with a range that covers the assigned uids/gids.

I was using the rid backend, so I tried to convert to ad, but I cannot 
get it to work: wbinfo shows all domain users and groups, but no domain 
users or groups are shown by getent. With the rid backend 'getent 
passwd' gives:

administrator:*:20500:20513:Administrator:/home/EXAMPLE/administrator:/bin/bash
dns-adserver:*:21101:20513:dns-adserver:/home/EXAMPLE/dns-adserver:/bin/bash
dhcpduser:*:21104:20513:dhcpduser:/home/EXAMPLE/dhcpduser:/bin/bash
user1:*:21107:20513:user1:/home/EXAMPLE/user1:/bin/bash
user:*:21105:20513:user:/home/EXAMPLE/user:/bin/bash
krbtgt:*:20502:20513:krbtgt:/home/EXAMPLE/krbtgt:/bin/bash
guest:*:20501:20514:Guest:/home/EXAMPLE/guest:/bin/bash

with the ad backend I do not get any of the above

>
> If that is configured and it doesn't work as expected, please post your 
> smb.conf (both from the AD and the client system) and an LDIF for a user 
> obtained by ldbsearch.
>
> Regards
>
> Geza Gemes
>
>
Ok, I cannot make it work, so here are the files you requested

Samba4.0.4 user.ldif

# user, Users, example.com
dn: CN=user,CN=Users,DC=example,DC=com
cn: user
instanceType: 4
whenCreated: 20130320122306.0Z
uSNCreated: 3778
name: user
objectGUID:: siE+gJgV2kKaQO0qslOkVg==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: user
sAMAccountType: 805306368
userPrincipalName: user at example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
pwdLastSet: 130082557870000000
userAccountControl: 512
uidNumber: 3000016
gidNumber: 100
unixHomeDirectory: /home/EXAMPLE/user
loginShell: /bin/bash
profilePath: \\server\profiles\user
homeDrive: Z:
homeDirectory: \\server\home\user
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
whenChanged: 20130322130515.0Z
uSNChanged: 3794
distinguishedName: CN=user,CN=Users,DC=example,DC=com

Samba4.0.4 smb.conf

# Global parameters
[global]
workgroup = EXAMPLE
realm = example.com
netbios name = SERVER
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
acl:search=false
passdb backend = samba4
template shell = /bin/bash
# Turn on Server signing
server signing = auto

[netlogon]
path = /usr/local/samba/var/locks/sysvol/example.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[home]
path = /home/EXAMPLE
read only = No

[profiles]
path = /home/EXAMPLE/profiles
read only = No

[dropbox]
path = /home/EXAMPLE/dropbox
read only = No


Samba 3.6.6 on Mint 14

[global]
workgroup = EXAMPLE
realm = example.com
server string = %h client (Samba)

log level = 10
log file = /var/log/samba/samba.log
max log size = 4192

security = ADS
preferred master = no

idmap config * : backend = tdb
idmap config * : range = 1100-2000

# idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 20000-3100000
# idmap config EXAMPLE : schema mode = rfc2307

idmap cache time = 120
idmap negative cache time = 1

winbind use default domain = yes
winbind nss info = rfc2307
winbind offline logon = yes
winbind refresh tickets = Yes
winbind expand groups = 4
winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
template homedir = /home/%D/%U
template shell = /bin/bash
usershare allow guests = No

kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab

###### ACL related #######
#For completeness, refer to man page of smb.conf for
#more details on these 2
acl compatibility = Auto
acl check permissions = True
# map Unix permissions into Windows NT ACLs
nt acl support = yes
#extended attributes stored on EXT3 or XFS with user_xattr options
ea support = yes
#True: map rwx => Windows Full Control access
#False: map rwx => equivalent Windows ACL bits
acl map full control = True

#Users/groups who have write access to the file can modify
# the permissions (incl. ACL)
#Ownership of file/dir may also be changed
#Default: no (disable)
dos filemode = yes
# must set (map [hidden|archive|system|read only]) = no
# Enabled: store DOS attributes onto user.DOSATTRIB file
# file system must be mounted with user_xattr
# extended attributes must be compiled into the Linux kernel
store dos attributes = yes

#these depend on (create mask), however, refer to (store dos attributes)
map hidden = no
map archive = no
map system = no
map read only = no
# map “inherit” and “protected” flags in Windows ACLs into extended
#attribute file called user.SAMBA_PAI
map acl inherit = yes

#allow users to change timestamps, MS Office apps compatible
dos filetimes = yes

# Turn on unix extensions
unix extensions = yes

I hope this helps to identify where I am going wrong and thanks for any 
help you can give.

Rowland

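An added worked example, not from the thread and not Samba's own code: it runs offline on values copied from the posted user.ldif and client smb.conf. It decodes the user's objectSid, derives the RID, and reproduces both mappings: idmap_rid on the client gives range_low + RID = 20000 + 1105 = 21105, exactly the uid the client's `id` output shows, while the DC with idmap_ldb:use rfc2307 uses uidNumber 3000016, so the two sides name different owners for anything created through the multiuser cifs mount. The range check models idmap_ad's behaviour of only handing back IDs that fall inside `idmap config EXAMPLE : range`; the posted gidNumber 100 lies outside 20000-3100000, which is worth checking when converting the client to the ad backend. The function names and the modelled "user with unmappable primary gid is not returned" rule are this example's own assumptions, not something the thread states.

```python
"""Added example: why the rid and rfc2307 mappings disagree for the posted user."""
import base64
import struct

# Constructed from the thread: objectSid and rfc2307 attributes are copied from
# the posted user.ldif, the ranges from the posted Samba 3.6.6 client smb.conf.
OBJECT_SID_B64 = "AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA=="
UID_NUMBER = 3000016              # uidNumber in AD (used by the DC via idmap_ldb rfc2307)
GID_NUMBER = 100                  # gidNumber in AD
DOMAIN_RANGE = (20000, 3100000)   # idmap config EXAMPLE : range
DEFAULT_RANGE = (1100, 2000)      # idmap config * : range (BUILTIN etc.)


def parse_sid(blob):
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then 32-bit little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_from_ldif(b64):
    """ldbsearch prints binary attributes base64-encoded after '::'."""
    return parse_sid(base64.b64decode(b64))


def rid_of(sid_str):
    """The relative identifier is the last sub-authority."""
    return int(sid_str.rsplit("-", 1)[1])


def in_range(value, id_range):
    low, high = id_range
    return low <= value <= high


def rid_backend_uid(sid_str, domain_range):
    """idmap_rid: uid = range_low + RID; the result must stay inside the range."""
    uid = domain_range[0] + rid_of(sid_str)
    return uid if in_range(uid, domain_range) else None


def ad_backend_ids(uid_number, gid_number, domain_range):
    """Model of idmap_ad (schema_mode rfc2307): uidNumber/gidNumber come from AD,
    but only values inside the configured range are accepted (assumption:
    out-of-range values are treated as unmapped)."""
    uid = uid_number if in_range(uid_number, domain_range) else None
    gid = gid_number if in_range(gid_number, domain_range) else None
    return uid, gid


def explain(sid_b64=OBJECT_SID_B64, uid_number=UID_NUMBER,
            gid_number=GID_NUMBER, domain_range=DOMAIN_RANGE):
    """Compare what the S3 client (rid) and the S4 DC (rfc2307) call this user."""
    sid = sid_from_ldif(sid_b64)
    client_uid = rid_backend_uid(sid, domain_range)
    ad_uid, ad_gid = ad_backend_ids(uid_number, gid_number, domain_range)
    return {
        "sid": sid,
        "rid": rid_of(sid),
        "client_rid_uid": client_uid,       # what `id user` shows on the client
        "server_rfc2307_uid": uid_number,   # what `id user` shows on the DC
        "same_identity": client_uid == uid_number,
        "ad_backend_uid": ad_uid,
        "ad_backend_gid": ad_gid,
        # modelled rule: a user whose primary gid is unmappable is not returned
        "ad_backend_user_visible": ad_uid is not None and ad_gid is not None,
    }


if __name__ == "__main__":
    for key, value in explain().items():
        print("%-24s %s" % (key, value))
```

Running it prints the decoded SID ending in RID 1105, client_rid_uid 21105 against server_rfc2307_uid 3000016 (same_identity False), and ad_backend_gid None because 100 is outside the posted range; widening the range to cover 100, or giving the user's primary group a gidNumber inside the range, makes the modelled user visible again.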
