Samba4 Linux user has two uids

Gémes Géza geza at kzsdabas.hu
Fri Mar 22 11:38:35 MDT 2013


On 2013-03-22 18:09, Rowland Penny wrote:
> On 21/03/13 22:10, Gémes Géza wrote:
>> On 2013-03-21 21:01, Rowland Penny wrote:
>>> Hi,
>>> If you join a S3 client to a S4 domain you get a different uid on 
>>> the client and server i.e.
>>>
>>> Info from the client
>>> $ id user
>>> uid=21105(user) gid=20513(domain_users) 
>>> groups=20513(domain_users),1101(BUILTIN\users)
>>>
>>> Info from the server
>>> # id user
>>> uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>>>
>>> Now if you mount a share onto the client from the server via 
>>> pam_script:
>>>
>>> mount -t cifs //server/dropbox /home/dropbox -o username=user,cruid=userid,sec=krb5i,multiuser,nobrl,mapchars,mfsymlinks,noserverino
>>>
>>>
>>> If a file is now created in the share by the user, the user 
>>> immediately loses all rights to it from the client.
>>>
>>> Is this a CIFS problem or a Samba4 problem?
>>>
>> Hi,
>>
>> Please check that you have the following:
>>
>> For samba4 use rfc2307 and specify the uids/gids (using e.g. ADUC), 
>> copy/symlink the libnss files and allow winbind in /etc/nsswitch.conf
>
> These were already setup
>
>> For samba3 use idmap_ad with a range that covers the assigned uids/gids.
>
> I was using the rid backend so I tried to convert to ad, but I cannot 
> get it to work, wbinfo shows all domain users & groups but no domain 
> users or groups are shown by getent. With the rid backend 'getent 
> passwd' gives:
>
> administrator:*:20500:20513:Administrator:/home/EXAMPLE/administrator:/bin/bash
> dns-adserver:*:21101:20513:dns-adserver:/home/EXAMPLE/dns-adserver:/bin/bash
> dhcpduser:*:21104:20513:dhcpduser:/home/EXAMPLE/dhcpduser:/bin/bash
> user1:*:21107:20513:user1:/home/EXAMPLE/user1:/bin/bash
> user:*:21105:20513:user:/home/EXAMPLE/user:/bin/bash
> krbtgt:*:20502:20513:krbtgt:/home/EXAMPLE/krbtgt:/bin/bash
> guest:*:20501:20514:Guest:/home/EXAMPLE/guest:/bin/bash
>
> with the ad backend I do not get any of the above
>
>>
>> If that is configured and doesn't work as expected please post your 
>> smb.conf (both from AD and client system) and an ldif for a user 
>> obtained by ldbsearch.
>>
>> Regards
>>
>> Geza Gemes
>>
>>
> Ok, I cannot make it work, so here are the files you requested
>
> Samba4.0.4 user.ldif
>
> # user, Users, example.com
> dn: CN=user,CN=Users,DC=example,DC=com
> cn: user
> instanceType: 4
> whenCreated: 20130320122306.0Z
> uSNCreated: 3778
> name: user
> objectGUID:: siE+gJgV2kKaQO0qslOkVg==
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: user
> sAMAccountType: 805306368
> userPrincipalName: user at example.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
> pwdLastSet: 130082557870000000
> userAccountControl: 512
> uidNumber: 3000016
> gidNumber: 100
> unixHomeDirectory: /home/EXAMPLE/user
> loginShell: /bin/bash
> profilePath: \\server\profiles\user
> homeDrive: Z:
> homeDirectory: \\server\home\user
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> whenChanged: 20130322130515.0Z
> uSNChanged: 3794
> distinguishedName: CN=user,CN=Users,DC=example,DC=com
>
> Samba4.0.4 smb.conf
>
> # Global parameters
> [global]
> workgroup = EXAMPLE
> realm = example.com
> netbios name = SERVER
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> acl:search=false
> passdb backend = samba4
> template shell = /bin/bash
> # Turn on Server signing
> server signing = auto
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [home]
> path = /home/EXAMPLE
> read only = No
>
> [profiles]
> path = /home/EXAMPLE/profiles
> read only = No
>
> [dropbox]
> path = /home/EXAMPLE/dropbox
> read only = No
>
>
> Samba 3.6.6 on Mint 14
>
> [global]
> workgroup = EXAMPLE
> realm = example.com
> server string = %h client (Samba)
>
> log level = 10
> log file = /var/log/samba/samba.log
> max log size = 4192
>
> security = ADS
> preferred master = no
>
> idmap config * : backend = tdb
> idmap config * : range = 1100-2000
>
> # idmap config EXAMPLE : backend = ad
> idmap config EXAMPLE : backend = rid
> idmap config EXAMPLE : range = 20000-3100000
> # idmap config EXAMPLE : schema mode = rfc2307
>
> idmap cache time = 120
> idmap negative cache time = 1
>
> winbind use default domain = yes
> winbind nss info = rfc2307
> winbind offline logon = yes
> winbind refresh tickets = Yes
> winbind expand groups = 4
> winbind nested groups = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind separator = +
> template homedir = /home/%D/%U
> template shell = /bin/bash
> usershare allow guests = No
>
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
>
> ###### ACL related #######
> #For completeness, refer to man page of smb.conf for
> #more details on these 2
> acl compatibility = Auto
> acl check permissions = True
> # map Unix permissions into Windows NT ACLs
> nt acl support = yes
> #extended attributes stored on EXT3 or XFS with user_xattr options
> ea support = yes
> #True: map rwx => Windows Full Control access
> #False: map rwx => equivalent Windows ACL bits
> acl map full control = True
>
> #Users/groups who have write access to the file can modify
> # the permissions (incl. ACL)
> #Ownership of file/dir may also be changed
> #Default: no (disable)
> dos filemode = yes
> # must set (map [hidden|archive|system|read only]) = no
> # Enabled: store DOS attributes onto user.DOSATTRIB file
> # file system must be mounted with user_xattr
> # extended attributes must be compiled into the Linux kernel
> store dos attributes = yes
>
> #these depend on (create mask), however, refer to (store dos attributes)
> map hidden = no
> map archive = no
> map system = no
> map read only = no
> # map “inherit” and “protected” flags in Windows ACLs into extended
> #attribute file called user.SAMBA_PAI
> map acl inherit = yes
>
> #allow users to change timestamps, MS Office apps compatible
> dos filetimes = yes
>
> # Turn on unix extensions
> unix extensions = yes
>
> I hope this helps to identify where I am going wrong and thanks for 
> any help you can give.
>
> Rowland
>
Hi,

The problem could be in the distro package of samba. On Ubuntu 12.04 
(version 2:3.6.3-2ubuntu2.4) the following config (only the relevant part 
of it shown) works like a charm:

[global]
    workgroup = KZSDABAS
    realm = KZSDABAS.HU
    kerberos method = system keytab
    security = ads
    winbind enum groups = yes
    winbind enum users = yes
    idmap config *:backend = tdb
    idmap config *:range = 2000001-3000000
    idmap config KZSDABAS:default = yes
    idmap config KZSDABAS:backend = ad
    idmap config KZSDABAS:range = 0-1000000
    idmap config KZSDABAS:schema_mode = rfc2307
    winbind nss info = rfc2307
    winbind expand groups = 2
    winbind nested groups = yes
    winbind use default domain = yes

Regards

Geza Gemes
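The following script is an added example and is not code from either poster or from the Samba project. It reproduces the "two uids" of this thread from the data posted above: it decodes the objectSid in the posted user.ldif, computes the id that the client's rid backend derives from that SID (range low + RID, which is how idmap_rid works with base_rid 0), and compares it with the uidNumber/gidNumber that the DC uses through idmap_ldb:use rfc2307 = yes. It also evaluates a constructed variant of the client config with backend = ad, where the ids come from the directory but winbind only accepts values inside the configured idmap range; the user's gidNumber of 100 falls outside Rowland's 20000-3100000 range, which is the kind of gap the advice to use "a range that covers the assigned uids/gids" is about. The LDIF attributes and the rid idmap lines are copied from the posts; CLIENT_SMB_CONF_AD and the function names are assumptions of this example.

```python
"""Why one AD user shows two uids: the rid backend on the Samba 3 client
derives ids from the account SID, while the Samba 4 DC (idmap_ldb:use
rfc2307 = yes) reads uidNumber/gidNumber from the directory.  Added
example; LDIF and rid idmap lines copied from the thread, 'ad' variant constructed."""
import base64
import re
import struct

# Attributes taken from the user.ldif posted in the thread.
USER_LDIF = """\
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
uidNumber: 3000016
gidNumber: 100
"""

# idmap lines from the Samba 3.6.6 client smb.conf posted in the thread.
CLIENT_SMB_CONF_RID = """\
idmap config * : backend = tdb
idmap config * : range = 1100-2000
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 20000-3100000
"""

# Constructed variant: the same client switched to the ad backend.
CLIENT_SMB_CONF_AD = """\
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 20000-3100000
idmap config EXAMPLE : schema_mode = rfc2307
"""

def parse_ldif(text):
    """Map attribute -> value; a '::' separator marks a base64 value."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+)(::?) ?(.*)$", line)
        if m:
            name, sep, value = m.groups()
            attrs[name] = base64.b64decode(value) if sep == "::" else value
    return attrs

def decode_sid(blob):
    """Decode a binary SID: revision, sub-auth count, 48-bit authority, LE sub-auths."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def parse_idmap(conf):
    """Return {DOMAIN: {key: value}} from 'idmap config DOM : key = value' lines."""
    cfg = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"idmap config\s*([^:]+?)\s*:\s*(.+?)\s*=\s*(.+)$", line, re.I)
        if m:
            dom, key, val = m.groups()
            cfg.setdefault(dom.upper(), {})[key.lower()] = val.strip()
    return cfg

def parse_range(spec):
    low, high = (int(x) for x in spec.split("-"))
    return low, high

def rid_backend_id(sid, range_spec):
    """Id the rid backend allocates: range low + RID (idmap_rid with base_rid 0)."""
    low, high = parse_range(range_spec)
    xid = low + int(sid.rsplit("-", 1)[1])
    if xid > high:
        raise ValueError("RID maps outside idmap range %s" % range_spec)
    return xid

def explain(ldif=USER_LDIF, conf=CLIENT_SMB_CONF_RID, domain="EXAMPLE"):
    """Compare the uid/gid the client's idmap backend yields with the DC's values."""
    attrs = parse_ldif(ldif)
    sid = decode_sid(attrs["objectSid"])
    dom = parse_idmap(conf)[domain]
    low, high = parse_range(dom["range"])
    res = {"sid": sid, "backend": dom["backend"], "warnings": [],
           "server_uid": int(attrs["uidNumber"]), "server_gid": int(attrs["gidNumber"])}
    if dom["backend"] == "rid":
        # primary group SID = domain SID + primaryGroupID
        group_sid = sid.rsplit("-", 1)[0] + "-" + attrs["primaryGroupID"]
        res["client_uid"] = rid_backend_id(sid, dom["range"])
        res["client_gid"] = rid_backend_id(group_sid, dom["range"])
    elif dom["backend"] == "ad":
        # idmap_ad reads uidNumber/gidNumber, so the ids equal the DC's, but
        # winbind only accepts ids that fall inside the configured range.
        res["client_uid"], res["client_gid"] = res["server_uid"], res["server_gid"]
        if dom.get("schema_mode", "").lower() != "rfc2307":
            res["warnings"].append("ad backend without schema_mode = rfc2307")
        for name in ("uid", "gid"):
            if not low <= res["client_" + name] <= high:
                res["warnings"].append("%s %d outside idmap range %s"
                                       % (name, res["client_" + name], dom["range"]))
    res["consistent"] = (res["client_uid"] == res["server_uid"]
                         and res["client_gid"] == res["server_gid"])
    return res
```

Calling `explain()` with the posted rid config returns client_uid 21105 and client_gid 20513 against server_uid 3000016 and server_gid 100, the exact mismatch shown by the two `id` outputs at the top of the thread; with `CLIENT_SMB_CONF_AD` the ids agree but a warning flags gid 100 as outside the configured range, which winbind would likewise refuse to map.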

