Samba4 Linux user has two uid's

Gémes Géza geza at kzsdabas.hu
Fri Mar 22 13:41:46 MDT 2013


On 2013-03-22 19:36, Rowland Penny wrote:
> On 22/03/13 17:38, Gémes Géza wrote:
>> On 2013-03-22 18:09, Rowland Penny wrote:
>>> On 21/03/13 22:10, Gémes Géza wrote:
>>>> On 2013-03-21 21:01, Rowland Penny wrote:
>>>>> Hi,
>>>>> If you join a S3 client to a S4 domain you get a different uid on 
>>>>> the client and server i.e.
>>>>>
>>>>> Info from the client
>>>>> $ id user
>>>>> uid=21105(user) gid=20513(domain_users) 
>>>>> groups=20513(domain_users),1101(BUILTIN\users)
>>>>>
>>>>> Info from the server
>>>>> # id user
>>>>> uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>>>>>
>>>>> Now if you mount a share onto the client from the server via 
>>>>> pam_script:
>>>>>
>>>>> mount -t cifs //server/dropbox /home/dropbox -o 
>>>>> username=user,cruid=userid,sec=krb5i,multiuser,nobrl,mapchars,mfsymlinks,noserverino 
>>>>>
>>>>>
>>>>> If a file is now created in the share by the user, the user 
>>>>> immediately loses all rights to it from the client.
>>>>>
>>>>> Is this a CIFS problem or a Samba4 problem?
>>>>>
>>>> Hi,
>>>>
>>>> Please check that you have the following:
>>>>
>>>> For samba4 use rfc2370 and specify the uids gids (using e.g. ADUC), 
>>>> copy/symlink the libnss files and allow winbind in /etc/nsswitch.conf
>>>
>>> These were already setup
>>>
>>>> For samba3 use idmap_ad with a range that covers the assigned 
>>>> uids/gids.
>>>
>>> I was using the rid backend so I tried to convert to ad, but I 
>>> cannot get it to work, wbinfo shows all domain users & groups but no 
>>> domain users or groups are shown by getent. With the rid backend 
>>> 'getent passwd' gives:
>>>
>>> administrator:*:20500:20513:Administrator:/home/EXAMPLE/administrator:/bin/bash 
>>>
>>> dns-adserver:*:21101:20513:dns-adserver:/home/EXAMPLE/dns-adserver:/bin/bash 
>>>
>>> dhcpduser:*:21104:20513:dhcpduser:/home/EXAMPLE/dhcpduser:/bin/bash
>>> user1:*:21107:20513:user1:/home/EXAMPLE/user1:/bin/bash
>>> user:*:21105:20513:user:/home/EXAMPLE/user:/bin/bash
>>> krbtgt:*:20502:20513:krbtgt:/home/EXAMPLE/krbtgt:/bin/bash
>>> guest:*:20501:20514:Guest:/home/EXAMPLE/guest:/bin/bash
>>>
>>> with the ad backend I do not get any of the above
>>>
>>>>
>>>> If that is configured and doesn't work as expected please post your 
>>>> smb.conf (both from AD and client system) and an ldif for a user 
>>>> obtained by ldbsearch.
>>>>
>>>> Regards
>>>>
>>>> Geza Gemes
>>>>
>>>>
>>> Ok, I cannot make it work, so here are the files you requested
>>>
>>> Samba4.0.4 user.ldif
>>>
>>> # user, Users, example.com
>>> dn: CN=user,CN=Users,DC=example,DC=com
>>> cn: user
>>> instanceType: 4
>>> whenCreated: 20130320122306.0Z
>>> uSNCreated: 3778
>>> name: user
>>> objectGUID:: siE+gJgV2kKaQO0qslOkVg==
>>> badPwdCount: 0
>>> codePage: 0
>>> countryCode: 0
>>> badPasswordTime: 0
>>> lastLogoff: 0
>>> lastLogon: 0
>>> primaryGroupID: 513
>>> objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
>>> accountExpires: 9223372036854775807
>>> logonCount: 0
>>> sAMAccountName: user
>>> sAMAccountType: 805306368
>>> userPrincipalName: user at example.com
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>>> pwdLastSet: 130082557870000000
>>> userAccountControl: 512
>>> uidNumber: 3000016
>>> gidNumber: 100
>>> unixHomeDirectory: /home/EXAMPLE/user
>>> loginShell: /bin/bash
>>> profilePath: \\server\profiles\user
>>> homeDrive: Z:
>>> homeDirectory: \\server\home\user
>>> objectClass: top
>>> objectClass: posixAccount
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> whenChanged: 20130322130515.0Z
>>> uSNChanged: 3794
>>> distinguishedName: CN=user,CN=Users,DC=example,DC=com
>>>
>>> Samba4.0.4 smb.conf
>>>
>>> # Global parameters
>>> [global]
>>> workgroup = EXAMPLE
>>> realm = example.com
>>> netbios name = SERVER
>>> server role = active directory domain controller
>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
>>> winbind, ntp_signd, kcc, dnsupdate
>>> idmap_ldb:use rfc2307 = yes
>>> acl:search=false
>>> passdb backend = samba4
>>> template shell = /bin/bash
>>> # Turn on Server signing
>>> server signing = auto
>>>
>>> [netlogon]
>>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /usr/local/samba/var/locks/sysvol
>>> read only = No
>>>
>>> [home]
>>> path = /home/EXAMPLE
>>> read only = No
>>>
>>> [profiles]
>>> path = /home/EXAMPLE/profiles
>>> read only = No
>>>
>>> [dropbox]
>>> path = /home/EXAMPLE/dropbox
>>> read only = No
>>>
>>>
>>> Samba 3.6.6 on Mint 14
>>>
>>> [global]
>>> workgroup = EXAMPLE
>>> realm = example.com
>>> server string = %h client (Samba)
>>>
>>> log level = 10
>>> log file = /var/log/samba/samba.log
>>> max log size = 4192
>>>
>>> security = ADS
>>> preferred master = no
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 1100-2000
>>>
>>> # idmap config EXAMPLE : backend = ad
>>> idmap config EXAMPLE : backend = rid
>>> idmap config EXAMPLE : range = 20000-3100000
>>> # idmap config EXAMPLE : schema mode = rfc2307
>>>
>>> idmap cache time = 120
>>> idmap negative cache time = 1
>>>
>>> winbind use default domain = yes
>>> winbind nss info = rfc2307
>>> winbind offline logon = yes
>>> winbind refresh tickets = Yes
>>> winbind expand groups = 4
>>> winbind nested groups = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind separator = +
>>> template homedir = /home/%D/%U
>>> template shell = /bin/bash
>>> usershare allow guests = No
>>>
>>> kerberos method = secrets and keytab
>>> dedicated keytab file = /etc/krb5.keytab
>>>
>>> ###### ACL related #######
>>> #For completeness, refer to man page of smb.conf for
>>> #more details on these 2
>>> acl compatibility = Auto
>>> acl check permissions = True
>>> # map Unix permissions into Windows NT ACLs
>>> nt acl support = yes
>>> #extended attributes stored on EXT3 or XFS with user_xattr options
>>> ea support = yes
>>> #True: map rwx => Windows Full Control access
>>> #False: map rwx => equivalent Windows ACL bits
>>> acl map full control = True
>>>
>>> #Users/groups who have write access to the file can modify
>>> # the permissions (incl. ACL)
>>> #Ownership of file/dir may also be changed
>>> #Default: no (disable)
>>> dos filemode = yes
>>> # must set (map [hidden|archive|system|read only]) = no
>>> # Enabled: store DOS attributes onto user.DOSATTRIB file
>>> # file system must be mounted with user_xattr
>>> # extended attributes must be compiled into the Linux kernel
>>> store dos attributes = yes
>>>
>>> #these depend on (create mask), however, refer to (store dos 
>>> attributes)
>>> map hidden = no
>>> map archive = no
>>> map system = no
>>> map read only = no
>>> # map “inherit” and “protected” flags in Windows ACLs into extended
>>> #attribute file called user.SAMBA_PAI
>>> map acl inherit = yes
>>>
>>> #allow users to change timestamp, MS Office apps compatible
>>> dos filetimes = yes
>>>
>>> # Turn on unix extensions
>>> unix extensions = yes
>>>
>>> I hope this helps to identify where I am going wrong and thanks for 
>>> any help you can give.
>>>
>>> Rowland
>>>
>> Hi,
>>
>> The problem could be in the distro package of samba; on ubuntu 12.04 
>> (version 2:3.6.3-2ubuntu2.4)
>> the following config (only the relevant part of it shown) works like a charm:
>>
>> [global]
>>    workgroup = KZSDABAS
>>    realm = KZSDABAS.HU
>>    kerberos method = system keytab
>>    security = ads
>>     winbind enum groups = yes
>>     winbind enum users = yes
>>     idmap config *:backend = tdb
>>     idmap config *:range = 2000001-3000000
>>     idmap config KZSDABAS:default = yes
>>     idmap config KZSDABAS:backend = ad
>>     idmap config KZSDABAS:range = 0-1000000
>>     idmap config KZSDABAS:schema_mode = rfc2307
>>     winbind nss info = rfc2307
>>     winbind expand groups = 2
>>     winbind nested groups = yes
>>     winbind use default domain = yes
>>
>> Regards
>>
>> Geza Gemes
>>
>>
> Ok, so I need another version of Samba3 on the client, but which version?
>
> I did consider building 4.0.4 as a fileserver, but cannot find any 
> instructions on how to. I did find a README file in the base build 
> directory of samba4.0.4 on the server, it had this at the top:
>
> NOTE: Installation instructions may be found
>       for the file/print server and domain member in:
>       docs/htmldocs/Samba3-HOWTO/install.html
>
> But, 'ls docs/htmldocs/Samba3-HOWTO/install.html' returns:
>
> ls: cannot access docs/htmldocs/Samba3-HOWTO/install.html: No such 
> file or directory
>
> So how do I build it, any pointers to a website etc, would be very 
> much appreciated.
>
> Thanks Geza for the help so far.
>
> Rowland
>
>
Hi,

As I haven't tried it yet, please consider it speculation, but to me it 
seems that samba4 (top level build, just as for the AD) is a perfectly 
capable samba (3-like) client (not AD) solution, if you take the init 
scripts of your distribution and modify the path to 
/usr/local/samba/sbin, where you can find smbd, nmbd and winbind, the 
three "classic" daemons.

Regards

Geza Gemes
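A check that is worth running before switching the client to the "ad" backend, added here as an example and not part of the thread or of Samba itself: idmap_ad only maps IDs that fall inside the range configured for the domain, so every uidNumber and gidNumber that the AD user carries must lie inside that range or winbind cannot resolve the account. The script below parses the relevant "idmap config" lines from a client smb.conf and the rfc2307 attributes from a user ldif (both embedded as constructed sample files modelled on the values quoted in this thread) and reports which IDs are mappable. With the quoted values, uidNumber 3000016 sits inside 20000-3100000 but gidNumber 100 does not; the function names (idmap_setting, ldif_attr, check_ids) are my own, not Samba tooling.

```shell
#!/bin/sh
# Example (not from the thread): check that an AD user's rfc2307 uidNumber/gidNumber
# fall inside the idmap range the client's smb.conf assigns to the "ad" backend.

# idmap_setting CONF DOMAIN KEY -> value of "idmap config DOMAIN : KEY" (last match wins).
# Accepts both "DOM : range" and "DOM:range" spellings; commented-out lines are ignored.
idmap_setting() {
    awk -v want="$2:$3" '
        /^[[:space:]]*idmap config/ {
            line = $0
            sub(/^[[:space:]]*idmap config[[:space:]]*/, "", line)
            n = index(line, "="); if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/[[:space:]]/, "", key)
            sub(/^[[:space:]]*/, "", val); sub(/[[:space:]]*$/, "", val)
            if (key == want) print val
        }' "$1" | tail -n 1
}

# ldif_attr LDIF ATTR -> first value of ATTR in the ldif (plain "attr: value" lines only).
ldif_attr() {
    awk -v a="$2" -F': ' '$1 == a { print $2; exit }' "$1"
}

# check_ids CONF DOMAIN LDIF: one verdict line per attribute; exit status 0 only
# when the backend is "ad" and both IDs are inside the configured range.
check_ids() {
    conf=$1; dom=$2; ldif=$3
    backend=$(idmap_setting "$conf" "$dom" backend)
    range=$(idmap_setting "$conf" "$dom" range)
    if [ "$backend" != "ad" ]; then
        echo "backend=${backend:-unset}: server-side uidNumber/gidNumber are not used; the client allocates its own ids"
        return 1
    fi
    if [ -z "$range" ]; then
        echo "no 'idmap config $dom : range' found; idmap_ad needs one"
        return 1
    fi
    lo=${range%-*}; hi=${range#*-}
    status=0
    for attr in uidNumber gidNumber; do
        val=$(ldif_attr "$ldif" "$attr")
        if [ -n "$val" ] && [ "$val" -ge "$lo" ] && [ "$val" -le "$hi" ]; then
            echo "$attr $val: inside $lo-$hi, ok"
        else
            echo "$attr ${val:-missing}: OUTSIDE $lo-$hi, cannot be mapped"
            status=1
        fi
    done
    return $status
}

# Constructed sample input, modelled on the configuration quoted in the thread
# (ad backend enabled, same range; user with uidNumber 3000016 and gidNumber 100).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/client.conf" <<'EOF'
[global]
   idmap config * : backend = tdb
   idmap config * : range = 1100-2000
   # idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 20000-3100000
   idmap config EXAMPLE : schema_mode = rfc2307
EOF
cat > "$tmp/user.ldif" <<'EOF'
dn: CN=user,CN=Users,DC=example,DC=com
sAMAccountName: user
uidNumber: 3000016
gidNumber: 100
EOF

if check_ids "$tmp/client.conf" EXAMPLE "$tmp/user.ldif"; then
    echo "all ids mappable"
else
    echo "at least one id is unmappable: getent will not list the user"
fi
```

Run it against the real files (e.g. `check_ids /etc/samba/smb.conf EXAMPLE user.ldif` after `ldbsearch` on the DC) and widen the domain range, or assign a gidNumber inside it, until both lines report "ok"; the "*" range must stay disjoint from the domain range.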

