Samba4 Linux user has two uid's

Rowland Penny repenny at f2s.com
Fri Mar 22 12:36:24 MDT 2013


On 22/03/13 17:38, Gémes Géza wrote:
> On 2013-03-22 18:09, Rowland Penny wrote:
>> On 21/03/13 22:10, Gémes Géza wrote:
>>> On 2013-03-21 21:01, Rowland Penny wrote:
>>>> Hi,
>>>> If you join a S3 client to a S4 domain you get a different uid on 
>>>> the client and server i.e.
>>>>
>>>> Info from the client
>>>> $ id user
>>>> uid=21105(user) gid=20513(domain_users) 
>>>> groups=20513(domain_users),1101(BUILTIN\users)
>>>>
>>>> Info from the server
>>>> # id user
>>>> uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>>>>
>>>> Now if you mount a share onto the client from the server via 
>>>> pam_script:
>>>>
>>>> mount -t cifs //server/dropbox /home/dropbox -o 
>>>> username=user,cruid=userid,sec=krb5i,multiuser,nobrl,mapchars,mfsymlinks,noserverino 
>>>>
>>>>
>>>> If a file is now created in the share by the user, the user 
>>>> immediately loses all rights to it from the client.
>>>>
>>>> Is this a CIFS problem or a Samba4 problem?
>>>>
>>> Hi,
>>>
>>> Please check that you have the following:
>>>
>>> For samba4 use rfc2370 and specify the uids gids (using e.g. ADUC), 
>>> copy/symlink the libnss files and allow winbind in /etc/nsswitch.conf
>>
>> These were already set up
>>
>>> For samba3 use idmap_ad with a range that covers the assigned 
>>> uids/gids.
>>
>> I was using the rid backend so I tried to convert to ad, but I cannot 
>> get it to work, wbinfo shows all domain users & groups but no domain 
>> users or groups are shown by getent. With the rid backend 'getent 
>> passwd' gives:
>>
>> administrator:*:20500:20513:Administrator:/home/EXAMPLE/administrator:/bin/bash
>> dns-adserver:*:21101:20513:dns-adserver:/home/EXAMPLE/dns-adserver:/bin/bash
>> dhcpduser:*:21104:20513:dhcpduser:/home/EXAMPLE/dhcpduser:/bin/bash
>> user1:*:21107:20513:user1:/home/EXAMPLE/user1:/bin/bash
>> user:*:21105:20513:user:/home/EXAMPLE/user:/bin/bash
>> krbtgt:*:20502:20513:krbtgt:/home/EXAMPLE/krbtgt:/bin/bash
>> guest:*:20501:20514:Guest:/home/EXAMPLE/guest:/bin/bash
>>
>> with the ad backend I do not get any of the above
>>
>>>
>>> If that is configured and doesn't work as expected please post your 
>>> smb.conf (both from AD and client system) and an ldif for a user 
>>> obtained by ldbsearch.
>>>
>>> Regards
>>>
>>> Geza Gemes
>>>
>>>
>> Ok, I cannot make it work, so here are the files you requested
>>
>> Samba4.0.4 user.ldif
>>
>> # user, Users, example.com
>> dn: CN=user,CN=Users,DC=example,DC=com
>> cn: user
>> instanceType: 4
>> whenCreated: 20130320122306.0Z
>> uSNCreated: 3778
>> name: user
>> objectGUID:: siE+gJgV2kKaQO0qslOkVg==
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> primaryGroupID: 513
>> objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
>> accountExpires: 9223372036854775807
>> logonCount: 0
>> sAMAccountName: user
>> sAMAccountType: 805306368
>> userPrincipalName: user@example.com
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>> pwdLastSet: 130082557870000000
>> userAccountControl: 512
>> uidNumber: 3000016
>> gidNumber: 100
>> unixHomeDirectory: /home/EXAMPLE/user
>> loginShell: /bin/bash
>> profilePath: \\server\profiles\user
>> homeDrive: Z:
>> homeDirectory: \\server\home\user
>> objectClass: top
>> objectClass: posixAccount
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> whenChanged: 20130322130515.0Z
>> uSNChanged: 3794
>> distinguishedName: CN=user,CN=Users,DC=example,DC=com
>>
>> Samba4.0.4 smb.conf
>>
>> # Global parameters
>> [global]
>> workgroup = EXAMPLE
>> realm = example.com
>> netbios name = SERVER
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
>> winbind, ntp_signd, kcc, dnsupdate
>> idmap_ldb:use rfc2307 = yes
>> acl:search=false
>> passdb backend = samba4
>> template shell = /bin/bash
>> # Turn on Server signing
>> server signing = auto
>>
>> [netlogon]
>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>> read only = No
>>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>>
>> [home]
>> path = /home/EXAMPLE
>> read only = No
>>
>> [profiles]
>> path = /home/EXAMPLE/profiles
>> read only = No
>>
>> [dropbox]
>> path = /home/EXAMPLE/dropbox
>> read only = No
>>
>>
>> Samba 3.6.6 on Mint 14
>>
>> [global]
>> workgroup = EXAMPLE
>> realm = example.com
>> server string = %h client (Samba)
>>
>> log level = 10
>> log file = /var/log/samba/samba.log
>> max log size = 4192
>>
>> security = ADS
>> preferred master = no
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 1100-2000
>>
>> # idmap config EXAMPLE : backend = ad
>> idmap config EXAMPLE : backend = rid
>> idmap config EXAMPLE : range = 20000-3100000
>> # idmap config EXAMPLE : schema mode = rfc2307
>>
>> idmap cache time = 120
>> idmap negative cache time = 1
>>
>> winbind use default domain = yes
>> winbind nss info = rfc2307
>> winbind offline logon = yes
>> winbind refresh tickets = Yes
>> winbind expand groups = 4
>> winbind nested groups = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind separator = +
>> template homedir = /home/%D/%U
>> template shell = /bin/bash
>> usershare allow guests = No
>>
>> kerberos method = secrets and keytab
>> dedicated keytab file = /etc/krb5.keytab
>>
>> ###### ACL related #######
>> #For completeness, refer to man page of smb.conf for
>> #more details on these 2
>> acl compatibility = Auto
>> acl check permissions = True
>> # map Unix permissions into Windows NT ACLs
>> nt acl support = yes
>> #extended attributes stored on EXT3 or XFS with user_xattr options
>> ea support = yes
>> #True: map rwx => Windows Full Control access
>> #False: map rwx => equivalent Windows ACL bits
>> acl map full control = True
>>
>> #Users/groups who have write access to the file can modify
>> # the permissions (incl. ACL)
>> #Ownership of file/dir may also be changed
>> #Default: no (disable)
>> dos filemode = yes
>> # must set (map [hidden|archive|system|read only]) = no
>> # Enabled: store DOS attributes onto user.DOSATTRIB file
>> # file system must be mounted with user_xattr
>> # extended attributes must be compiled into the Linux kernel
>> store dos attributes = yes
>>
>> #these depend on (create mask), however, refer to (store dos attributes)
>> map hidden = no
>> map archive = no
>> map system = no
>> map read only = no
>> # map “inherit” and “protected” flags in Windows ACLs into extended
>> #attribute file called user.SAMBA_PAI
>> map acl inherit = yes
>>
>> #allow users to change timestamp, MS Office apps compatible
>> dos filetimes = yes
>>
>> # Turn on unix extensions
>> unix extensions = yes
>>
>> I hope this helps to identify where I am going wrong and thanks for 
>> any help you can give.
>>
>> Rowland
>>
> Hi,
>
> The problem could be in the distro package of samba, on ubuntu 12.04 
> (version 2:3.6.3-2ubuntu2.4)
> the following config (only relevant part of it shown) works like a charm:
>
> [global]
>    workgroup = KZSDABAS
>    realm = KZSDABAS.HU
>    kerberos method = system keytab
>    security = ads
>     winbind enum groups = yes
>     winbind enum users = yes
>     idmap config *:backend = tdb
>     idmap config *:range = 2000001-3000000
>     idmap config KZSDABAS:default = yes
>     idmap config KZSDABAS:backend = ad
>     idmap config KZSDABAS:range = 0-1000000
>     idmap config KZSDABAS:schema_mode = rfc2307
>     winbind nss info = rfc2307
>     winbind expand groups = 2
>     winbind nested groups = yes
>     winbind use default domain = yes
>
> Regards
>
> Geza Gemes
>
>
Ok, so I need another version of Samba3 on the client, but which version?

I did consider building 4.0.4 as a fileserver, but cannot find any 
instructions on how to. I did find a README file in the base build 
directory of samba4.0.4 on the server, it had this at the top:

NOTE: Installation instructions may be found
       for the file/print server and domain member in:
       docs/htmldocs/Samba3-HOWTO/install.html

But, 'ls docs/htmldocs/Samba3-HOWTO/install.html' returns:

ls: cannot access docs/htmldocs/Samba3-HOWTO/install.html: No such file 
or directory

So how do I build it? Any pointers to a website etc. would be very much 
appreciated.

Thanks, Geza, for the help so far.

Rowland
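Added example (not part of the thread): the uid mismatch at the top of this exchange follows from how the two client backends map the user quoted in the ldif. idmap_rid derives the id as range_low + RID, where the RID is the last sub-authority of objectSid; idmap_ad instead takes uidNumber/gidNumber from AD and only maps values that lie inside the configured range. The script decodes the objectSid from the ldif and applies both rules to the values quoted above (client range 20000-3100000, uidNumber 3000016, gidNumber 100).

```python
import base64
import struct

# Values copied from the ldif and client smb.conf quoted in this thread
OBJECT_SID_B64 = "AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA=="
LDIF_UID_NUMBER = 3000016        # uidNumber on the Samba4 DC
LDIF_GID_NUMBER = 100            # gidNumber on the Samba4 DC
CLIENT_RANGE = (20000, 3100000)  # idmap config EXAMPLE : range on the client


def decode_sid(b64):
    """Decode a base64 objectSid into its S-1-... string and sub-authorities."""
    raw = base64.b64decode(b64)
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit identifier authority
    subs = list(struct.unpack("<%dI" % count, raw[8:8 + 4 * count]))
    sid = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))
    return sid, subs


def rid_backend_id(sid_b64, low):
    """idmap_rid: id = range_low + RID (the last sub-authority of the SID)."""
    _, subs = decode_sid(sid_b64)
    return low + subs[-1]


def ad_backend_id(value, rng):
    """idmap_ad: use the rfc2307 attribute, but only inside the configured range."""
    low, high = rng
    return value if low <= value <= high else None


def explain(sid_b64, uid_number, gid_number, rng):
    """Compare what each backend would hand to the client for this account."""
    return {
        "sid": decode_sid(sid_b64)[0],
        "rid_uid": rid_backend_id(sid_b64, rng[0]),   # what `id user` showed on the client
        "ad_uid": ad_backend_id(uid_number, rng),     # what the DC's own id shows
        "ad_gid": ad_backend_id(gid_number, rng),     # None: outside the client range
    }


if __name__ == "__main__":
    for key, value in explain(OBJECT_SID_B64, LDIF_UID_NUMBER, LDIF_GID_NUMBER, CLIENT_RANGE).items():
        print(key, value)
```

The RID decodes to 1105, giving the client's 21105 under the rid backend, while the DC's uidNumber 3000016 is what the ad backend would return; the primary group's gidNumber 100 falls outside the client range, which is the kind of mismatch to check first when getent returns nothing with the ad backend.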