Samba4 Linux user has two uid's

Gémes Géza geza at kzsdabas.hu
Fri Mar 22 23:39:45 MDT 2013


On 2013-03-22 21:24, Rowland Penny wrote:
> On 22/03/13 20:02, Rowland Penny wrote:
>> On 22/03/13 19:41, Gémes Géza wrote:
>>> On 2013-03-22 19:36, Rowland Penny wrote:
>>>> On 22/03/13 17:38, Gémes Géza wrote:
>>>>> On 2013-03-22 18:09, Rowland Penny wrote:
>>>>>> On 21/03/13 22:10, Gémes Géza wrote:
>>>>>>> On 2013-03-21 21:01, Rowland Penny wrote:
>>>>>>>> Hi,
>>>>>>>> If you join a S3 client to a S4 domain you get a different uid
>>>>>>>> on the client and server, i.e.
>>>>>>>>
>>>>>>>> Info from the client
>>>>>>>> $ id user
>>>>>>>> uid=21105(user) gid=20513(domain_users) 
>>>>>>>> groups=20513(domain_users),1101(BUILTIN\users)
>>>>>>>>
>>>>>>>> Info from the server
>>>>>>>> # id user
>>>>>>>> uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>>>>>>>>
>>>>>>>> Now if you mount a share onto the client from the server via 
>>>>>>>> pam_script:
>>>>>>>>
>>>>>>>> mount -t cifs //server/dropbox /home/dropbox -o username=user,cruid=userid,sec=krb5i,multiuser,nobrl,mapchars,mfsymlinks,noserverino
>>>>>>>>
>>>>>>>>
>>>>>>>> If a file is now created in the share by the user, the user
>>>>>>>> immediately loses all rights to it from the client.
>>>>>>>>
>>>>>>>> Is this a CIFS problem or a Samba4 problem?
>>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Please check that you have the following:
>>>>>>>
>>>>>>> For samba4 use rfc2307 and specify the uids/gids (using e.g.
>>>>>>> ADUC), copy/symlink the libnss files and allow winbind in
>>>>>>> /etc/nsswitch.conf
>>>>>>
>>>>>> These were already set up.
>>>>>>
>>>>>>> For samba3 use idmap_ad with a range that covers the assigned 
>>>>>>> uids/gids.
>>>>>>
>>>>>> I was using the rid backend, so I tried to convert to ad, but I
>>>>>> cannot get it to work: wbinfo shows all domain users & groups, but
>>>>>> no domain users or groups are shown by getent. With the rid
>>>>>> backend 'getent passwd' gives:
>>>>>>
>>>>>> administrator:*:20500:20513:Administrator:/home/EXAMPLE/administrator:/bin/bash
>>>>>> dns-adserver:*:21101:20513:dns-adserver:/home/EXAMPLE/dns-adserver:/bin/bash
>>>>>> dhcpduser:*:21104:20513:dhcpduser:/home/EXAMPLE/dhcpduser:/bin/bash
>>>>>> user1:*:21107:20513:user1:/home/EXAMPLE/user1:/bin/bash
>>>>>> user:*:21105:20513:user:/home/EXAMPLE/user:/bin/bash
>>>>>> krbtgt:*:20502:20513:krbtgt:/home/EXAMPLE/krbtgt:/bin/bash
>>>>>> guest:*:20501:20514:Guest:/home/EXAMPLE/guest:/bin/bash
>>>>>>
>>>>>> With the ad backend I do not get any of the above.
>>>>>>
>>>>>>>
>>>>>>> If that is configured and doesn't work as expected, please post
>>>>>>> your smb.conf (both from the AD and the client system) and an ldif
>>>>>>> for a user obtained by ldbsearch.
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Geza Gemes
>>>>>>>
>>>>>>>
>>>>>> Ok, I cannot make it work, so here are the files you requested.
>>>>>>
>>>>>> Samba 4.0.4 user.ldif
>>>>>>
>>>>>> # user, Users, example.com
>>>>>> dn: CN=user,CN=Users,DC=example,DC=com
>>>>>> cn: user
>>>>>> instanceType: 4
>>>>>> whenCreated: 20130320122306.0Z
>>>>>> uSNCreated: 3778
>>>>>> name: user
>>>>>> objectGUID:: siE+gJgV2kKaQO0qslOkVg==
>>>>>> badPwdCount: 0
>>>>>> codePage: 0
>>>>>> countryCode: 0
>>>>>> badPasswordTime: 0
>>>>>> lastLogoff: 0
>>>>>> lastLogon: 0
>>>>>> primaryGroupID: 513
>>>>>> objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
>>>>>> accountExpires: 9223372036854775807
>>>>>> logonCount: 0
>>>>>> sAMAccountName: user
>>>>>> sAMAccountType: 805306368
>>>>>> userPrincipalName: user at example.com
>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>>>>>> pwdLastSet: 130082557870000000
>>>>>> userAccountControl: 512
>>>>>> uidNumber: 3000016
>>>>>> gidNumber: 100
>>>>>> unixHomeDirectory: /home/EXAMPLE/user
>>>>>> loginShell: /bin/bash
>>>>>> profilePath: \\server\profiles\user
>>>>>> homeDrive: Z:
>>>>>> homeDirectory: \\server\home\user
>>>>>> objectClass: top
>>>>>> objectClass: posixAccount
>>>>>> objectClass: person
>>>>>> objectClass: organizationalPerson
>>>>>> objectClass: user
>>>>>> whenChanged: 20130322130515.0Z
>>>>>> uSNChanged: 3794
>>>>>> distinguishedName: CN=user,CN=Users,DC=example,DC=com
>>>>>>
>>>>>> Samba 4.0.4 smb.conf
>>>>>>
>>>>>> # Global parameters
>>>>>> [global]
>>>>>> workgroup = EXAMPLE
>>>>>> realm = example.com
>>>>>> netbios name = SERVER
>>>>>> server role = active directory domain controller
>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>> acl:search=false
>>>>>> passdb backend = samba4
>>>>>> template shell = /bin/bash
>>>>>> # Turn on Server signing
>>>>>> server signing = auto
>>>>>>
>>>>>> [netlogon]
>>>>>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>>>> read only = No
>>>>>>
>>>>>> [sysvol]
>>>>>> path = /usr/local/samba/var/locks/sysvol
>>>>>> read only = No
>>>>>>
>>>>>> [home]
>>>>>> path = /home/EXAMPLE
>>>>>> read only = No
>>>>>>
>>>>>> [profiles]
>>>>>> path = /home/EXAMPLE/profiles
>>>>>> read only = No
>>>>>>
>>>>>> [dropbox]
>>>>>> path = /home/EXAMPLE/dropbox
>>>>>> read only = No
>>>>>>
>>>>>>
>>>>>> Samba 3.6.6 on Mint 14
>>>>>>
>>>>>> [global]
>>>>>> workgroup = EXAMPLE
>>>>>> realm = example.com
>>>>>> server string = %h client (Samba)
>>>>>>
>>>>>> log level = 10
>>>>>> log file = /var/log/samba/samba.log
>>>>>> max log size = 4192
>>>>>>
>>>>>> security = ADS
>>>>>> preferred master = no
>>>>>>
>>>>>> idmap config * : backend = tdb
>>>>>> idmap config * : range = 1100-2000
>>>>>>
>>>>>> # idmap config EXAMPLE : backend = ad
>>>>>> idmap config EXAMPLE : backend = rid
>>>>>> idmap config EXAMPLE : range = 20000-3100000
>>>>>> # idmap config EXAMPLE : schema mode = rfc2307
>>>>>>
>>>>>> idmap cache time = 120
>>>>>> idmap negative cache time = 1
>>>>>>
>>>>>> winbind use default domain = yes
>>>>>> winbind nss info = rfc2307
>>>>>> winbind offline logon = yes
>>>>>> winbind refresh tickets = Yes
>>>>>> winbind expand groups = 4
>>>>>> winbind nested groups = yes
>>>>>> winbind enum users = yes
>>>>>> winbind enum groups = yes
>>>>>> winbind separator = +
>>>>>> template homedir = /home/%D/%U
>>>>>> template shell = /bin/bash
>>>>>> usershare allow guests = No
>>>>>>
>>>>>> kerberos method = secrets and keytab
>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>
>>>>>> ###### ACL related #######
>>>>>> #For completeness, refer to man page of smb.conf for
>>>>>> #more details on these 2
>>>>>> acl compatibility = Auto
>>>>>> acl check permissions = True
>>>>>> # map Unix permissions into Windows NT ACLs
>>>>>> nt acl support = yes
>>>>>> #extended attributes stored on EXT3 or XFS with user_xattr options
>>>>>> ea support = yes
>>>>>> #True: map rwx => Windows Full Control access
>>>>>> #False: map rwx => equivalent Windows ACL bits
>>>>>> acl map full control = True
>>>>>>
>>>>>> #Users/groups who have write access to the file can modify
>>>>>> # the permissions (incl. ACL)
>>>>>> #Ownership of file/dir may also be changed
>>>>>> #Default: no (disable)
>>>>>> dos filemode = yes
>>>>>> # must set (map [hidden|archive|system|read only]) = no
>>>>>> # Enabled: store DOS attributes onto user.DOSATTRIB file
>>>>>> # file system must be mounted with user_xattr
>>>>>> # extended attributes must be compiled into the Linux kernel
>>>>>> store dos attributes = yes
>>>>>>
>>>>>> #these depend on (create mask), however, refer to (store dos attributes)
>>>>>> map hidden = no
>>>>>> map archive = no
>>>>>> map system = no
>>>>>> map read only = no
>>>>>> # map “inherit” and “protected” flags in Windows ACLs into extended
>>>>>> #attribute file called user.SAMBA_PAI
>>>>>> map acl inherit = yes
>>>>>>
>>>>>> #allow users to change timestamps, MS Office apps compatible
>>>>>> dos filetimes = yes
>>>>>>
>>>>>> # Turn on unix extensions
>>>>>> unix extensions = yes
>>>>>>
>>>>>> I hope this helps to identify where I am going wrong, and thanks
>>>>>> for any help you can give.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> Hi,
>>>>>
>>>>> The problem could be in the distro package of samba; on Ubuntu
>>>>> 12.04 (version 2:3.6.3-2ubuntu2.4) the following config (only the
>>>>> relevant part of it shown) works like a charm:
>>>>>
>>>>> [global]
>>>>>    workgroup = KZSDABAS
>>>>>    realm = KZSDABAS.HU
>>>>>    kerberos method = system keytab
>>>>>    security = ads
>>>>>     winbind enum groups = yes
>>>>>     winbind enum users = yes
>>>>>     idmap config *:backend = tdb
>>>>>     idmap config *:range = 2000001-3000000
>>>>>     idmap config KZSDABAS:default = yes
>>>>>     idmap config KZSDABAS:backend = ad
>>>>>     idmap config KZSDABAS:range = 0-1000000
>>>>>     idmap config KZSDABAS:schema_mode = rfc2307
>>>>>     winbind nss info = rfc2307
>>>>>     winbind expand groups = 2
>>>>>     winbind nested groups = yes
>>>>>     winbind use default domain = yes
>>>>>
>>>>> Regards
>>>>>
>>>>> Geza Gemes
>>>>>
>>>>>
>>>> Ok, so I need another version of Samba3 on the client, but which 
>>>> version?
>>>>
>>>> I did consider building 4.0.4 as a fileserver, but cannot find any 
>>>> instructions on how to. I did find a README file in the base build 
>>>> directory of samba4.0.4 on the server, it had this at the top:
>>>>
>>>> NOTE: Installation instructions may be found
>>>>       for the file/print server and domain member in:
>>>>       docs/htmldocs/Samba3-HOWTO/install.html
>>>>
>>>> But, 'ls docs/htmldocs/Samba3-HOWTO/install.html' returns:
>>>>
>>>> ls: cannot access docs/htmldocs/Samba3-HOWTO/install.html: No such 
>>>> file or directory
>>>>
>>>> So how do I build it? Any pointers to a website etc. would be very
>>>> much appreciated.
>>>>
>>>> Thanks Geza for the help so far.
>>>>
>>>> Rowland
>>>>
>>>>
>>> Hi,
>>>
>>> As I haven't tried it yet, please consider this speculation, but to
>>> me it seems that samba4 (top-level build, just as for the AD) is a
>>> perfectly capable samba (3-like) client (not AD) solution if you
>>> take the init scripts of your distribution and modify the path to
>>> /usr/local/samba/sbin, where you can find smbd, nmbd and winbind, the
>>> three "classic" daemons.
>>>
>>> Regards
>>>
>>> Geza Gemes
>>>
>>>
>> Ah, if that is the case, I could copy the samba4 build dir on the
>> server to the client, run 'make install' and then set it up again
>> as per the original install. Well, it's worth a try to save time ;-)
>>
>> Rowland
>>
>>
> Well, that didn't work, so back to compiling it on the client.
>
> Rowland
>
Just a side note: I usually configure, make and make install Samba on a
development box and scp the (tar-ed) /usr/local/samba over to the
machine where I want it installed (not too willing to compile programs on
the servers). Perhaps a bad habit, but I always have an installable copy
of the latest Samba release this way.

Regards

Geza Gemes
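As an added example (not part of the thread), the following Python reproduces the two-uid result from the data quoted above: it decodes the user's objectSid from the ldif, applies the idmap_rid arithmetic (range low + RID) using the client's `idmap config EXAMPLE : range`, and compares that with the rfc2307 `uidNumber` the AD DC itself reports. The ldif and smb.conf fragments are reduced copies of the ones in the thread; the function names are my own.

```python
import base64
import re
import struct

# Constructed from the user.ldif and the Samba 3 client smb.conf quoted in the
# thread, reduced to the attributes and idmap lines the check needs.
USER_LDIF = """\
dn: CN=user,CN=Users,DC=example,DC=com
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
uidNumber: 3000016
gidNumber: 100
"""
CLIENT_SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 1100-2000
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 20000-3100000
"""

def decode_sid(b64):
    """Decode a base64 binary SID into its S-1-... string and its RID (last sub-authority)."""
    raw = base64.b64decode(b64)
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")                  # 48-bit identifier authority
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])  # little-endian sub-authorities
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs))), subs[-1]

def ldif_attr(ldif, name):
    """Return the first value of an LDIF attribute ('::' marks a base64 value)."""
    return re.search(r"^%s::? (.*)$" % re.escape(name), ldif, re.M).group(1).strip()

def idmap_range(conf, domain):
    """Return (low, high) of 'idmap config <domain> : range' from smb.conf text."""
    m = re.search(r"idmap config %s\s*:\s*range\s*=\s*(\d+)-(\d+)" % re.escape(domain), conf)
    return int(m.group(1)), int(m.group(2))

def explain_uids(ldif, conf, domain):
    """Compare the ids the rid backend derives with the rfc2307 ids stored in AD."""
    sid, rid = decode_sid(ldif_attr(ldif, "objectSid"))
    low, high = idmap_range(conf, domain)
    rid_uid = low + rid                                      # idmap_rid: uid = range low + RID
    rid_gid = low + int(ldif_attr(ldif, "primaryGroupID"))   # same rule for the primary group
    ad_uid = int(ldif_attr(ldif, "uidNumber"))               # what the AD DC (and idmap_ad) use
    return {"sid": sid, "rid": rid, "rid_uid": rid_uid, "rid_gid": rid_gid,
            "ad_uid": ad_uid, "ad_uid_in_range": low <= ad_uid <= high,
            "consistent": rid_uid == ad_uid}

if __name__ == "__main__":
    print(explain_uids(USER_LDIF, CLIENT_SMB_CONF, "EXAMPLE"))
```

For the quoted data this yields rid_uid 21105 and rid_gid 20513 (the client's `id` output) against ad_uid 3000016 (the DC's `id` output), which is the mismatch behind the lost file rights; it also shows that 3000016 does lie inside the client's EXAMPLE range, so the range itself is not what blocks the ad backend.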