Samba4 Linux user has two uid's

Rowland Penny repenny at f2s.com
Fri Mar 22 14:02:52 MDT 2013


On 22/03/13 19:41, Gémes Géza wrote:
> On 2013-03-22 19:36, Rowland Penny wrote:
>> On 22/03/13 17:38, Gémes Géza wrote:
>>> On 2013-03-22 18:09, Rowland Penny wrote:
>>>> On 21/03/13 22:10, Gémes Géza wrote:
>>>>> On 2013-03-21 21:01, Rowland Penny wrote:
>>>>>> HI,
>>>>>> If You join a S3 client to a S4 domain you get a different uid on 
>>>>>> the client and server i.e.
>>>>>>
>>>>>> Info from the client
>>>>>> $ id user
>>>>>> uid=21105(user) gid=20513(domain_users) 
>>>>>> groups=20513(domain_users),1101(BUILTIN\users)
>>>>>>
>>>>>> Info from the server
>>>>>> # id user
>>>>>> uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>>>>>>
>>>>>> Now if you mount a share onto the client from the server via 
>>>>>> pam_script:
>>>>>>
>>>>>> mount -t cifs //server/dropbox /home/dropbox -o 
>>>>>> username=user,cruid=userid,sec=krb5i,multiuser,nobrl,mapchars,mfsymlinks,noserverino 
>>>>>>
>>>>>>
>>>>>> If a file is now created in the share by the user, the user 
>>>>>> immediately loses all rights to it from the client.
>>>>>>
>>>>>> Is this a CIFS problem or a Samba4 problem?
>>>>>>
>>>>> Hi,
>>>>>
>>>>> Please check that you have the following:
>>>>>
>>>>> For samba4 use rfc2370 and specify the uids gids (using e.g. 
>>>>> ADUC), copy/symlink the libnss files and allow winbind in 
>>>>> /etc/nsswitch.conf
>>>>
>>>> These were already set up
>>>>
>>>>> For samba3 use idmap_ad with a range that covers the assigned 
>>>>> uids/gids.
>>>>
>>>> I was using the rid backend so I tried to convert to ad, but I 
>>>> cannot get it to work, wbinfo shows all domain users & groups but 
>>>> no domain users or groups are shown by getent. With the rid backend 
>>>> 'getent passwd' gives:
>>>>
>>>> administrator:*:20500:20513:Administrator:/home/EXAMPLE/administrator:/bin/bash 
>>>>
>>>> dns-adserver:*:21101:20513:dns-adserver:/home/EXAMPLE/dns-adserver:/bin/bash 
>>>>
>>>> dhcpduser:*:21104:20513:dhcpduser:/home/EXAMPLE/dhcpduser:/bin/bash
>>>> user1:*:21107:20513:user1:/home/EXAMPLE/user1:/bin/bash
>>>> user:*:21105:20513:user:/home/EXAMPLE/user:/bin/bash
>>>> krbtgt:*:20502:20513:krbtgt:/home/EXAMPLE/krbtgt:/bin/bash
>>>> guest:*:20501:20514:Guest:/home/EXAMPLE/guest:/bin/bash
>>>>
>>>> with the ad backend I do not get any of the above
>>>>
>>>>>
>>>>> If that is configured and doesn't work as expected please post your 
>>>>> smb.conf (both from AD and client system) and an ldif for a user 
>>>>> obtained by ldbsearch.
>>>>>
>>>>> Regards
>>>>>
>>>>> Geza Gemes
>>>>>
>>>>>
>>>> Ok, I cannot make it work, so here are the files you requested
>>>>
>>>> Samba4.0.4 user.ldif
>>>>
>>>> # user, Users, example.com
>>>> dn: CN=user,CN=Users,DC=example,DC=com
>>>> cn: user
>>>> instanceType: 4
>>>> whenCreated: 20130320122306.0Z
>>>> uSNCreated: 3778
>>>> name: user
>>>> objectGUID:: siE+gJgV2kKaQO0qslOkVg==
>>>> badPwdCount: 0
>>>> codePage: 0
>>>> countryCode: 0
>>>> badPasswordTime: 0
>>>> lastLogoff: 0
>>>> lastLogon: 0
>>>> primaryGroupID: 513
>>>> objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
>>>> accountExpires: 9223372036854775807
>>>> logonCount: 0
>>>> sAMAccountName: user
>>>> sAMAccountType: 805306368
>>>> userPrincipalName: user at example.com
>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>>>> pwdLastSet: 130082557870000000
>>>> userAccountControl: 512
>>>> uidNumber: 3000016
>>>> gidNumber: 100
>>>> unixHomeDirectory: /home/EXAMPLE/user
>>>> loginShell: /bin/bash
>>>> profilePath: \\server\profiles\user
>>>> homeDrive: Z:
>>>> homeDirectory: \\server\home\user
>>>> objectClass: top
>>>> objectClass: posixAccount
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> whenChanged: 20130322130515.0Z
>>>> uSNChanged: 3794
>>>> distinguishedName: CN=user,CN=Users,DC=example,DC=com
>>>>
>>>> Samba4.0.4 smb.conf
>>>>
>>>> # Global parameters
>>>> [global]
>>>> workgroup = EXAMPLE
>>>> realm = example.com
>>>> netbios name = SERVER
>>>> server role = active directory domain controller
>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
>>>> winbind, ntp_signd, kcc, dnsupdate
>>>> idmap_ldb:use rfc2307 = yes
>>>> acl:search=false
>>>> passdb backend = samba4
>>>> template shell = /bin/bash
>>>> # Turn on Server signing
>>>> server signing = auto
>>>>
>>>> [netlogon]
>>>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>> read only = No
>>>>
>>>> [sysvol]
>>>> path = /usr/local/samba/var/locks/sysvol
>>>> read only = No
>>>>
>>>> [home]
>>>> path = /home/EXAMPLE
>>>> read only = No
>>>>
>>>> [profiles]
>>>> path = /home/EXAMPLE/profiles
>>>> read only = No
>>>>
>>>> [dropbox]
>>>> path = /home/EXAMPLE/dropbox
>>>> read only = No
>>>>
>>>>
>>>> Samba 3.6.6 on Mint 14
>>>>
>>>> [global]
>>>> workgroup = EXAMPLE
>>>> realm = example.com
>>>> server string = %h client (Samba)
>>>>
>>>> log level = 10
>>>> log file = /var/log/samba/samba.log
>>>> max log size = 4192
>>>>
>>>> security = ADS
>>>> preferred master = no
>>>>
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 1100-2000
>>>>
>>>> # idmap config EXAMPLE : backend = ad
>>>> idmap config EXAMPLE : backend = rid
>>>> idmap config EXAMPLE : range = 20000-3100000
>>>> # idmap config EXAMPLE : schema mode = rfc2307
>>>>
>>>> idmap cache time = 120
>>>> idmap negative cache time = 1
>>>>
>>>> winbind use default domain = yes
>>>> winbind nss info = rfc2307
>>>> winbind offline logon = yes
>>>> winbind refresh tickets = Yes
>>>> winbind expand groups = 4
>>>> winbind nested groups = yes
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> winbind separator = +
>>>> template homedir = /home/%D/%U
>>>> template shell = /bin/bash
>>>> usershare allow guests = No
>>>>
>>>> kerberos method = secrets and keytab
>>>> dedicated keytab file = /etc/krb5.keytab
>>>>
>>>> ###### ACL related #######
>>>> #For completeness, refer to man page of smb.conf for
>>>> #more details on these 2
>>>> acl compatibility = Auto
>>>> acl check permissions = True
>>>> # map Unix permissions into Windows NT ACLs
>>>> nt acl support = yes
>>>> #extended attributes stored on EXT3 or XFS with user_xattr options
>>>> ea support = yes
>>>> #True: map rwx => Windows Full Control access
>>>> #False: map rwx => equivalent Windows ACL bits
>>>> acl map full control = True
>>>>
>>>> #Users/groups who have write access to the file can modify
>>>> # the permissions (incl. ACL)
>>>> #Ownership of file/dir may also be changed
>>>> #Default: no (disable)
>>>> dos filemode = yes
>>>> # must set (map [hidden|archive|system|read only]) = no
>>>> # Enabled: store DOS attributes onto user.DOSATTRIB file
>>>> # file system must be mounted with user_xattr
>>>> # extended attributes must be compiled into the Linux kernel
>>>> store dos attributes = yes
>>>>
>>>> #these depend on (create mask), however, refer to (store dos 
>>>> attributes)
>>>> map hidden = no
>>>> map archive = no
>>>> map system = no
>>>> map read only = no
>>>> # map “inherit” and “protected” flags in Windows ACLs into extended
>>>> #attribute file called user.SAMBA_PAI
>>>> map acl inherit = yes
>>>>
>>>> #allow users to change timestamps, MS Office apps compatible
>>>> dos filetimes = yes
>>>>
>>>> # Turn on unix extensions
>>>> unix extensions = yes
>>>>
>>>> I hope this helps to identify where I am going wrong and thanks for 
>>>> any help you can give.
>>>>
>>>> Rowland
>>>>
>>> Hi,
>>>
>>> The problem could be in the distro package of samba, on ubuntu 12.04 
>>> ( version 2:3.6.3-2ubuntu2.4)
>>> The following config (only the relevant part of it shown) works like a charm:
>>>
>>> [global]
>>>    workgroup = KZSDABAS
>>>    realm = KZSDABAS.HU
>>>    kerberos method = system keytab
>>>    security = ads
>>>     winbind enum groups = yes
>>>     winbind enum users = yes
>>>     idmap config *:backend = tdb
>>>     idmap config *:range = 2000001-3000000
>>>     idmap config KZSDABAS:default = yes
>>>     idmap config KZSDABAS:backend = ad
>>>     idmap config KZSDABAS:range = 0-1000000
>>>     idmap config KZSDABAS:schema_mode = rfc2307
>>>     winbind nss info = rfc2307
>>>     winbind expand groups = 2
>>>     winbind nested groups = yes
>>>     winbind use default domain = yes
>>>
>>> Regards
>>>
>>> Geza Gemes
>>>
>>>
>> Ok, so I need another version of Samba3 on the client, but which 
>> version?
>>
>> I did consider building 4.0.4 as a fileserver, but cannot find any 
>> instructions on how to. I did find a README file in the base build 
>> directory of samba4.0.4 on the server, it had this at the top:
>>
>> NOTE: Installation instructions may be found
>>       for the file/print server and domain member in:
>>       docs/htmldocs/Samba3-HOWTO/install.html
>>
>> But, 'ls docs/htmldocs/Samba3-HOWTO/install.html' returns:
>>
>> ls: cannot access docs/htmldocs/Samba3-HOWTO/install.html: No such 
>> file or directory
>>
>> So how do I build it, any pointers to a website etc, would be very 
>> much appreciated.
>>
>> Thanks Geza for the help so far.
>>
>> Rowland
>>
>>
> Hi,
>
> As I haven't tried it yet please consider it a speculation, but to me 
> it seems, that samba4 (top level build, just as for the AD) is a 
> perfectly capable samba (3-like) client (not AD) solution, if you take 
> the init scripts of your distribution and modify the path to 
> /usr/local/samba/sbin, where you can find smbd nmbd and winbind the 
> three "classic" daemons.
>
> Regards
>
> Geza Gemes
>
>
Ah, if that is the case, I could copy the samba4 build dir on the server 
to the client and run 'make install' and then set it up again as per the 
original install, well, it's worth a try to save time ;-)

Rowland
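The uid mismatch discussed in this thread can be reproduced from the posted ldif alone: the idmap_rid backend on the client derives the uid as the low end of the configured range plus the account's RID, while the server (idmap_ldb with rfc2307) uses the uidNumber attribute. The script below is an added example, not code from the thread or from the Samba project; it decodes the objectSid from the ldif, computes what a rid-backend client would assign, compares it with the rfc2307 attributes, and also checks whether those attributes fall inside the ranges an ad-backend client would be configured with. The ldif fragment and the range values are copied from the messages above; the function names are my own.

```python
import base64
import struct

# Relevant attributes of the user object, copied from the ldif in the thread.
LDIF_USER = """\
dn: CN=user,CN=Users,DC=example,DC=com
sAMAccountName: user
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
uidNumber: 3000016
gidNumber: 100
"""

# Client-side idmap ranges from the Samba 3.6.6 smb.conf in the thread:
# "idmap config * : range" and "idmap config EXAMPLE : range".
CLIENT_RANGES = [(1100, 2000), (20000, 3100000)]
CLIENT_RID_RANGE_LOW = 20000


def parse_ldif(text):
    """Minimal single-entry ldif parser: '::' marks a base64 value."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if "::" in line:
            key, val = line.split("::", 1)
            attrs[key.strip()] = base64.b64decode(val.strip())
        else:
            key, val = line.split(":", 1)
            attrs[key.strip()] = val.strip()
    return attrs


def decode_sid(blob):
    """Turn the binary objectSid into S-1-5-21-...-RID form."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")          # 48-bit big-endian
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])  # 32-bit LE
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid_of(sid):
    return int(sid.rsplit("-", 1)[1])


def rid_backend_id(rid, range_low):
    """idmap_rid mapping: unix id = low end of the domain range + RID."""
    return range_low + rid


def in_any_range(value, ranges):
    return any(low <= value <= high for low, high in ranges)


def check_mapping(attrs, rid_range_low, ad_ranges):
    """Compare what a rid-backend client assigns against the rfc2307
    attributes the server uses, and flag attributes an ad-backend client
    could not map because they lie outside every configured range."""
    sid = decode_sid(attrs["objectSid"])
    rid = rid_of(sid)
    client_uid = rid_backend_id(rid, rid_range_low)
    client_gid = rid_backend_id(int(attrs["primaryGroupID"]), rid_range_low)
    server_uid = int(attrs["uidNumber"])
    server_gid = int(attrs["gidNumber"])
    return {
        "sid": sid,
        "rid": rid,
        "client_uid": client_uid,
        "client_gid": client_gid,
        "server_uid": server_uid,
        "server_gid": server_gid,
        "uid_match": client_uid == server_uid,
        "gid_match": client_gid == server_gid,
        "uidNumber_in_ad_range": in_any_range(server_uid, ad_ranges),
        "gidNumber_in_ad_range": in_any_range(server_gid, ad_ranges),
    }


if __name__ == "__main__":
    result = check_mapping(parse_ldif(LDIF_USER), CLIENT_RID_RANGE_LOW, CLIENT_RANGES)
    for key, value in result.items():
        print("%-22s %s" % (key, value))
```

With the values from the thread this reports the client uid as 21105 and gid as 20513, exactly what `id user` printed on the client, against uidNumber 3000016 and gidNumber 100 on the server, so the two sides disagree on file ownership as long as the client stays on the rid backend. The range check is the part worth keeping in a deployment checklist: the gidNumber of 100 posted here lies outside both client ranges (1100-2000 and 20000-3100000), and an ad-backend winbind can only map attributes that fall inside the range configured for that domain.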

