Samba4 Linux user has two uid's

Rowland Penny repenny at f2s.com
Fri Mar 22 14:24:45 MDT 2013


On 22/03/13 20:02, Rowland Penny wrote:
> On 22/03/13 19:41, Gémes Géza wrote:
>> On 2013-03-22 19:41, Rowland Penny wrote:
>>> On 22/03/13 17:38, Gémes Géza wrote:
>>>> On 2013-03-22 18:09, Rowland Penny wrote:
>>>>> On 21/03/13 22:10, Gémes Géza wrote:
>>>>>> On 2013-03-21 21:01, Rowland Penny wrote:
>>>>>>> Hi,
>>>>>>> If You join a S3 client to a S4 domain you get a different uid 
>>>>>>> on the client and server i.e.
>>>>>>>
>>>>>>> Info from the client
>>>>>>> $ id user
>>>>>>> uid=21105(user) gid=20513(domain_users) groups=20513(domain_users),1101(BUILTIN\users)
>>>>>>>
>>>>>>> Info from the server
>>>>>>> # id user
>>>>>>> uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>>>>>>>
>>>>>>> Now if you mount a share onto the client from the server via 
>>>>>>> pam_script:
>>>>>>>
>>>>>>> mount -t cifs //server/dropbox /home/dropbox -o username=user,cruid=userid,sec=krb5i,multiuser,nobrl,mapchars,mfsymlinks,noserverino
>>>>>>>
>>>>>>>
>>>>>>> If a file is now created in the share by the user, the user 
>>>>>>> immediately loses all rights to it from the client.
>>>>>>>
>>>>>>> Is this a CIFS problem or a Samba4 problem?
>>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Please check that you have the following:
>>>>>>
>>>>>> For samba4 use rfc2307 and specify the uids/gids (using e.g. 
>>>>>> ADUC), copy/symlink the libnss files and allow winbind in 
>>>>>> /etc/nsswitch.conf
>>>>>
>>>>> These were already setup
>>>>>
>>>>>> For samba3 use idmap_ad with a range that covers the assigned 
>>>>>> uids/gids.
>>>>>
>>>>> I was using the rid backend so I tried to convert to ad, but I 
>>>>> cannot get it to work, wbinfo shows all domain users & groups but 
>>>>> no domain users or groups are shown by getent. With the rid 
>>>>> backend 'getent passwd' gives:
>>>>>
>>>>> administrator:*:20500:20513:Administrator:/home/EXAMPLE/administrator:/bin/bash
>>>>> dns-adserver:*:21101:20513:dns-adserver:/home/EXAMPLE/dns-adserver:/bin/bash
>>>>> dhcpduser:*:21104:20513:dhcpduser:/home/EXAMPLE/dhcpduser:/bin/bash
>>>>> user1:*:21107:20513:user1:/home/EXAMPLE/user1:/bin/bash
>>>>> user:*:21105:20513:user:/home/EXAMPLE/user:/bin/bash
>>>>> krbtgt:*:20502:20513:krbtgt:/home/EXAMPLE/krbtgt:/bin/bash
>>>>> guest:*:20501:20514:Guest:/home/EXAMPLE/guest:/bin/bash
>>>>>
>>>>> with the ad backend I do not get any of the above
>>>>>
>>>>>>
>>>>>> If that is configured and don't work as expected please post your 
>>>>>> smb.conf (both from AD and client system) and an ldif for an user 
>>>>>> obtained by ldbsearch.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Geza Gemes
>>>>>>
>>>>>>
>>>>> Ok, I cannot make it work, so here are the files you requested
>>>>>
>>>>> Samba4.0.4 user.ldif
>>>>>
>>>>> # user, Users, example.com
>>>>> dn: CN=user,CN=Users,DC=example,DC=com
>>>>> cn: user
>>>>> instanceType: 4
>>>>> whenCreated: 20130320122306.0Z
>>>>> uSNCreated: 3778
>>>>> name: user
>>>>> objectGUID:: siE+gJgV2kKaQO0qslOkVg==
>>>>> badPwdCount: 0
>>>>> codePage: 0
>>>>> countryCode: 0
>>>>> badPasswordTime: 0
>>>>> lastLogoff: 0
>>>>> lastLogon: 0
>>>>> primaryGroupID: 513
>>>>> objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
>>>>> accountExpires: 9223372036854775807
>>>>> logonCount: 0
>>>>> sAMAccountName: user
>>>>> sAMAccountType: 805306368
>>>>> userPrincipalName: user@example.com
>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>>>>> pwdLastSet: 130082557870000000
>>>>> userAccountControl: 512
>>>>> uidNumber: 3000016
>>>>> gidNumber: 100
>>>>> unixHomeDirectory: /home/EXAMPLE/user
>>>>> loginShell: /bin/bash
>>>>> profilePath: \\server\profiles\user
>>>>> homeDrive: Z:
>>>>> homeDirectory: \\server\home\user
>>>>> objectClass: top
>>>>> objectClass: posixAccount
>>>>> objectClass: person
>>>>> objectClass: organizationalPerson
>>>>> objectClass: user
>>>>> whenChanged: 20130322130515.0Z
>>>>> uSNChanged: 3794
>>>>> distinguishedName: CN=user,CN=Users,DC=example,DC=com
>>>>>
>>>>> Samba4.0.4 smb.conf
>>>>>
>>>>> # Global parameters
>>>>> [global]
>>>>> workgroup = EXAMPLE
>>>>> realm = example.com
>>>>> netbios name = SERVER
>>>>> server role = active directory domain controller
>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>> idmap_ldb:use rfc2307 = yes
>>>>> acl:search=false
>>>>> passdb backend = samba4
>>>>> template shell = /bin/bash
>>>>> # Turn on Server signing
>>>>> server signing = auto
>>>>>
>>>>> [netlogon]
>>>>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>>> read only = No
>>>>>
>>>>> [sysvol]
>>>>> path = /usr/local/samba/var/locks/sysvol
>>>>> read only = No
>>>>>
>>>>> [home]
>>>>> path = /home/EXAMPLE
>>>>> read only = No
>>>>>
>>>>> [profiles]
>>>>> path = /home/EXAMPLE/profiles
>>>>> read only = No
>>>>>
>>>>> [dropbox]
>>>>> path = /home/EXAMPLE/dropbox
>>>>> read only = No
>>>>>
>>>>>
>>>>> Samba 3.6.6 on Mint 14
>>>>>
>>>>> [global]
>>>>> workgroup = EXAMPLE
>>>>> realm = example.com
>>>>> server string = %h client (Samba)
>>>>>
>>>>> log level = 10
>>>>> log file = /var/log/samba/samba.log
>>>>> max log size = 4192
>>>>>
>>>>> security = ADS
>>>>> preferred master = no
>>>>>
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 1100-2000
>>>>>
>>>>> # idmap config EXAMPLE : backend = ad
>>>>> idmap config EXAMPLE : backend = rid
>>>>> idmap config EXAMPLE : range = 20000-3100000
>>>>> # idmap config EXAMPLE : schema mode = rfc2307
>>>>>
>>>>> idmap cache time = 120
>>>>> idmap negative cache time = 1
>>>>>
>>>>> winbind use default domain = yes
>>>>> winbind nss info = rfc2307
>>>>> winbind offline logon = yes
>>>>> winbind refresh tickets = Yes
>>>>> winbind expand groups = 4
>>>>> winbind nested groups = yes
>>>>> winbind enum users = yes
>>>>> winbind enum groups = yes
>>>>> winbind separator = +
>>>>> template homedir = /home/%D/%U
>>>>> template shell = /bin/bash
>>>>> usershare allow guests = No
>>>>>
>>>>> kerberos method = secrets and keytab
>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>
>>>>> ###### ACL related #######
>>>>> #For completeness, refer to man page of smb.conf for
>>>>> #more details on these 2
>>>>> acl compatibility = Auto
>>>>> acl check permissions = True
>>>>> # map Unix permissions into Windows NT ACLs
>>>>> nt acl support = yes
>>>>> #extended attributes stored on EXT3 or XFS with user_xattr options
>>>>> ea support = yes
>>>>> #True: map rwx => Windows Full Control access
>>>>> #False: map rwx => equivalent Windows ACL bits
>>>>> acl map full control = True
>>>>>
>>>>> #Users/groups who have write access to the file can modify
>>>>> # the permissions (incl. ACL)
>>>>> #Ownership of file/dir may also be changed
>>>>> #Default: no (disable)
>>>>> dos filemode = yes
>>>>> # must set (map [hidden|archive|system|read only]) = no
>>>>> # Enabled: store DOS attributes onto user.DOSATTRIB file
>>>>> # file system must be mounted with user_xattr
>>>>> # extended attributes must be compiled into the Linux kernel
>>>>> store dos attributes = yes
>>>>>
>>>>> #these depend on (create mask), however, refer to (store dos attributes)
>>>>> map hidden = no
>>>>> map archive = no
>>>>> map system = no
>>>>> map read only = no
>>>>> # map “inherit” and “protected” flags in Windows ACLs into extended
>>>>> #attribute file called user.SAMBA_PAI
>>>>> map acl inherit = yes
>>>>>
>>>>> #allow users to change timestamps, MS Office apps compatible
>>>>> dos filetimes = yes
>>>>>
>>>>> # Turn on unix extensions
>>>>> unix extensions = yes
>>>>>
>>>>> I hope this helps to identify where I am going wrong and thanks 
>>>>> for any help you can give.
>>>>>
>>>>> Rowland
>>>>>
>>>> Hi,
>>>>
>>>> The problem could be in the distro package of samba; on Ubuntu 
>>>> 12.04 (version 2:3.6.3-2ubuntu2.4) the following config (only the 
>>>> relevant part of it shown) works like a charm:
>>>>
>>>> [global]
>>>>    workgroup = KZSDABAS
>>>>    realm = KZSDABAS.HU
>>>>    kerberos method = system keytab
>>>>    security = ads
>>>>     winbind enum groups = yes
>>>>     winbind enum users = yes
>>>>     idmap config *:backend = tdb
>>>>     idmap config *:range = 2000001-3000000
>>>>     idmap config KZSDABAS:default = yes
>>>>     idmap config KZSDABAS:backend = ad
>>>>     idmap config KZSDABAS:range = 0-1000000
>>>>     idmap config KZSDABAS:schema_mode = rfc2307
>>>>     winbind nss info = rfc2307
>>>>     winbind expand groups = 2
>>>>     winbind nested groups = yes
>>>>     winbind use default domain = yes
>>>>
>>>> Regards
>>>>
>>>> Geza Gemes
>>>>
>>>>
>>> Ok, so I need another version of Samba3 on the client, but which 
>>> version?
>>>
>>> I did consider building 4.0.4 as a fileserver, but cannot find any 
>>> instructions on how to. I did find a README file in the base build 
>>> directory of samba4.0.4 on the server, it had this at the top:
>>>
>>> NOTE: Installation instructions may be found
>>>       for the file/print server and domain member in:
>>>       docs/htmldocs/Samba3-HOWTO/install.html
>>>
>>> But, 'ls docs/htmldocs/Samba3-HOWTO/install.html' returns:
>>>
>>> ls: cannot access docs/htmldocs/Samba3-HOWTO/install.html: No such 
>>> file or directory
>>>
>>> So how do I build it, any pointers to a website etc, would be very 
>>> much appreciated.
>>>
>>> Thanks Geza for the help so far.
>>>
>>> Rowland
>>>
>>>
>> Hi,
>>
>> As I haven't tried it yet please consider it speculation, but to me 
>> it seems that samba4 (top level build, just as for the AD) is a 
>> perfectly capable samba (3-like) client (not AD) solution, if you 
>> take the init scripts of your distribution and modify the path to 
>> /usr/local/samba/sbin, where you can find smbd, nmbd and winbind, the 
>> three "classic" daemons.
>>
>> Regards
>>
>> Geza Gemes
>>
>>
> Ah, if that is the case, I could copy the samba4 build dir on the 
> server to the client and run 'make install' and then set it up again 
> as per the original install; well, it's worth a try to save time ;-)
>
> Rowland
>
>
Well, that didn't work, so back to compiling it on the client.

Rowland
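Editor's worked example (added here; not code from the thread or from the Samba project): the two uids in the first message can be reproduced from the data that was posted. The client runs the rid backend, which computes uid = range_low + RID, so RID 1105 (the last component of the objectSid in the LDIF) in the range 20000-3100000 gives 21105. The DC has "idmap_ldb:use rfc2307 = yes" and returns the uidNumber attribute, 3000016. A file written through the multiuser krb5 mount is therefore owned by 3000016 on the server, while the logged-in user on the client is 21105, which is why the user stops matching as owner. The script decodes the base64 objectSid with the standard SID layout (revision, sub-authority count, 48-bit big-endian authority, little-endian 32-bit sub-authorities), applies the rid formula, and also applies the idmap_ad range filter that the thread's attempted "backend = ad" configuration would have used: idmap_ad discards any uidNumber or gidNumber outside the configured range, and the posted gidNumber of 100 falls outside 20000-3100000. Whether that is the reason getent returned nothing with the ad backend is my reading of the posted configuration, not something the thread established; the constants below are copied from the posted LDIF and smb.conf and nothing is read from a live domain.

```python
"""Reproduce the client and server uids from the data posted in the thread.

Added example; the objectSid, uidNumber, gidNumber and idmap ranges are
copied from the posted LDIF and smb.conf, so it runs with no domain access.
"""
import base64
import struct

# From the posted LDIF of CN=user,CN=Users,DC=example,DC=com
LDIF_OBJECT_SID_B64 = "AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA=="
LDIF_UID_NUMBER = 3000016
LDIF_GID_NUMBER = 100

# From the posted client smb.conf (Samba 3.6.6):
#   idmap config EXAMPLE : range = 20000-3100000
#   idmap config *       : range = 1100-2000
RID_RANGE = (20000, 3100000)
DEFAULT_RANGE = (1100, 2000)


def decode_sid(b64: str) -> str:
    """Decode a base64 binary SID (as ldbsearch prints it) to S-1-5-21-... text.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x 32-bit little-endian
    sub-authorities.
    """
    raw = base64.b64decode(b64)
    revision, sub_count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * sub_count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid_of(sid: str) -> int:
    """The RID is the last sub-authority of the SID."""
    return int(sid.rsplit("-", 1)[1])


def idmap_rid_uid(rid: int, rng=RID_RANGE) -> int:
    """idmap_rid: id = range_low + RID; RIDs that leave the range are unmappable."""
    uid = rng[0] + rid
    if not rng[0] <= uid <= rng[1]:
        raise ValueError("RID %d maps outside range %s" % (rid, rng))
    return uid


def idmap_ad_out_of_range(uid: int, gid: int, rng=RID_RANGE) -> list:
    """idmap_ad uses the range as a filter: an RFC2307 uidNumber or gidNumber
    outside it is ignored, so the user (or its primary group) gets no mapping.
    Return the attribute names that would be dropped."""
    dropped = []
    if not rng[0] <= uid <= rng[1]:
        dropped.append("uidNumber")
    if not rng[0] <= gid <= rng[1]:
        dropped.append("gidNumber")
    return dropped


def compare() -> dict:
    """Side-by-side view of what the client (rid) and the DC (rfc2307) hand out."""
    sid = decode_sid(LDIF_OBJECT_SID_B64)
    rid = rid_of(sid)
    client_uid = idmap_rid_uid(rid)
    return {
        "sid": sid,
        "rid": rid,
        "client_uid_rid_backend": client_uid,
        "server_uid_rfc2307": LDIF_UID_NUMBER,
        "same_uid": client_uid == LDIF_UID_NUMBER,
        "ad_backend_would_drop": idmap_ad_out_of_range(LDIF_UID_NUMBER, LDIF_GID_NUMBER),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print("%-24s %s" % (key, value))
```

The check a practitioner wants before switching a member server to idmap_ad is the last field: every user's uidNumber and the gidNumber of its primary group (Domain Users, RID 513, for the user above) must sit inside the domain's idmap range, and the range must not overlap the "*" tdb range used for BUILTIN and well-known SIDs. Until client and server agree on the uid, ownership of anything written through the krb5 multiuser mount will look wrong on one side.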




More information about the samba-technical mailing list