Samba4 Linux user has two uid's

Rowland Penny repenny at f2s.com
Sat Mar 23 07:16:34 MDT 2013


On 23/03/13 05:39, Gémes Géza wrote:
> On 2013-03-22 21:24, Rowland Penny wrote:
>> On 22/03/13 20:02, Rowland Penny wrote:
>>> On 22/03/13 19:41, Gémes Géza wrote:
>>>> On 2013-03-22 19:36, Rowland Penny wrote:
>>>>> On 22/03/13 17:38, Gémes Géza wrote:
>>>>>> On 2013-03-22 18:09, Rowland Penny wrote:
>>>>>>> On 21/03/13 22:10, Gémes Géza wrote:
>>>>>>>> On 2013-03-21 21:01, Rowland Penny wrote:
>>>>>>>>> Hi,
>>>>>>>>> If you join an S3 client to an S4 domain you get a different uid 
>>>>>>>>> on the client and server, i.e.
>>>>>>>>>
>>>>>>>>> Info from the client
>>>>>>>>> $ id user
>>>>>>>>> uid=21105(user) gid=20513(domain_users) 
>>>>>>>>> groups=20513(domain_users),1101(BUILTIN\users)
>>>>>>>>>
>>>>>>>>> Info from the server
>>>>>>>>> # id user
>>>>>>>>> uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>>>>>>>>>
>>>>>>>>> Now if you mount a share onto the client from the server via 
>>>>>>>>> pam_script:
>>>>>>>>>
>>>>>>>>> mount -t cifs //server/dropbox /home/dropbox -o username=user,cruid=userid,sec=krb5i,multiuser,nobrl,mapchars,mfsymlinks,noserverino
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> If a file is now created in the share by the user, the user 
>>>>>>>>> immediately loses all rights to it from the client.
>>>>>>>>>
>>>>>>>>> Is this a CIFS problem or a Samba4 problem?
>>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Please check that you have the following:
>>>>>>>>
>>>>>>>> For samba4 use rfc2307 and specify the uids/gids (using e.g. 
>>>>>>>> ADUC), copy/symlink the libnss files and allow winbind in 
>>>>>>>> /etc/nsswitch.conf
>>>>>>>
>>>>>>> These were already set up
>>>>>>>
>>>>>>>> For samba3 use idmap_ad with a range that covers the assigned 
>>>>>>>> uids/gids.
>>>>>>>
>>>>>>> I was using the rid backend so I tried to convert to ad, but I 
>>>>>>> cannot get it to work, wbinfo shows all domain users & groups 
>>>>>>> but no domain users or groups are shown by getent. With the rid 
>>>>>>> backend 'getent passwd' gives:
>>>>>>>
>>>>>>> administrator:*:20500:20513:Administrator:/home/EXAMPLE/administrator:/bin/bash
>>>>>>> dns-adserver:*:21101:20513:dns-adserver:/home/EXAMPLE/dns-adserver:/bin/bash
>>>>>>> dhcpduser:*:21104:20513:dhcpduser:/home/EXAMPLE/dhcpduser:/bin/bash
>>>>>>> user1:*:21107:20513:user1:/home/EXAMPLE/user1:/bin/bash
>>>>>>> user:*:21105:20513:user:/home/EXAMPLE/user:/bin/bash
>>>>>>> krbtgt:*:20502:20513:krbtgt:/home/EXAMPLE/krbtgt:/bin/bash
>>>>>>> guest:*:20501:20514:Guest:/home/EXAMPLE/guest:/bin/bash
>>>>>>>
>>>>>>> with the ad backend I do not get any of the above
>>>>>>>
>>>>>>>>
>>>>>>>> If that is configured and doesn't work as expected, please post 
>>>>>>>> your smb.conf (both from AD and client system) and an ldif for 
>>>>>>>> a user obtained by ldbsearch.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> Geza Gemes
>>>>>>>>
>>>>>>>>
>>>>>>> Ok, I cannot make it work, so here are the files you requested
>>>>>>>
>>>>>>> Samba4.0.4 user.ldif
>>>>>>>
>>>>>>> # user, Users, example.com
>>>>>>> dn: CN=user,CN=Users,DC=example,DC=com
>>>>>>> cn: user
>>>>>>> instanceType: 4
>>>>>>> whenCreated: 20130320122306.0Z
>>>>>>> uSNCreated: 3778
>>>>>>> name: user
>>>>>>> objectGUID:: siE+gJgV2kKaQO0qslOkVg==
>>>>>>> badPwdCount: 0
>>>>>>> codePage: 0
>>>>>>> countryCode: 0
>>>>>>> badPasswordTime: 0
>>>>>>> lastLogoff: 0
>>>>>>> lastLogon: 0
>>>>>>> primaryGroupID: 513
>>>>>>> objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
>>>>>>> accountExpires: 9223372036854775807
>>>>>>> logonCount: 0
>>>>>>> sAMAccountName: user
>>>>>>> sAMAccountType: 805306368
>>>>>>> userPrincipalName: user@example.com
>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>>>>>>> pwdLastSet: 130082557870000000
>>>>>>> userAccountControl: 512
>>>>>>> uidNumber: 3000016
>>>>>>> gidNumber: 100
>>>>>>> unixHomeDirectory: /home/EXAMPLE/user
>>>>>>> loginShell: /bin/bash
>>>>>>> profilePath: \\server\profiles\user
>>>>>>> homeDrive: Z:
>>>>>>> homeDirectory: \\server\home\user
>>>>>>> objectClass: top
>>>>>>> objectClass: posixAccount
>>>>>>> objectClass: person
>>>>>>> objectClass: organizationalPerson
>>>>>>> objectClass: user
>>>>>>> whenChanged: 20130322130515.0Z
>>>>>>> uSNChanged: 3794
>>>>>>> distinguishedName: CN=user,CN=Users,DC=example,DC=com
>>>>>>>
>>>>>>> Samba4.0.4 smb.conf
>>>>>>>
>>>>>>> # Global parameters
>>>>>>> [global]
>>>>>>> workgroup = EXAMPLE
>>>>>>> realm = example.com
>>>>>>> netbios name = SERVER
>>>>>>> server role = active directory domain controller
>>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>>> acl:search=false
>>>>>>> passdb backend = samba4
>>>>>>> template shell = /bin/bash
>>>>>>> # Turn on Server signing
>>>>>>> server signing = auto
>>>>>>>
>>>>>>> [netlogon]
>>>>>>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>>>>> read only = No
>>>>>>>
>>>>>>> [sysvol]
>>>>>>> path = /usr/local/samba/var/locks/sysvol
>>>>>>> read only = No
>>>>>>>
>>>>>>> [home]
>>>>>>> path = /home/EXAMPLE
>>>>>>> read only = No
>>>>>>>
>>>>>>> [profiles]
>>>>>>> path = /home/EXAMPLE/profiles
>>>>>>> read only = No
>>>>>>>
>>>>>>> [dropbox]
>>>>>>> path = /home/EXAMPLE/dropbox
>>>>>>> read only = No
>>>>>>>
>>>>>>>
>>>>>>> Samba 3.6.6 on Mint 14
>>>>>>>
>>>>>>> [global]
>>>>>>> workgroup = EXAMPLE
>>>>>>> realm = example.com
>>>>>>> server string = %h client (Samba)
>>>>>>>
>>>>>>> log level = 10
>>>>>>> log file = /var/log/samba/samba.log
>>>>>>> max log size = 4192
>>>>>>>
>>>>>>> security = ADS
>>>>>>> preferred master = no
>>>>>>>
>>>>>>> idmap config * : backend = tdb
>>>>>>> idmap config * : range = 1100-2000
>>>>>>>
>>>>>>> # idmap config EXAMPLE : backend = ad
>>>>>>> idmap config EXAMPLE : backend = rid
>>>>>>> idmap config EXAMPLE : range = 20000-3100000
>>>>>>> # idmap config EXAMPLE : schema mode = rfc2307
>>>>>>>
>>>>>>> idmap cache time = 120
>>>>>>> idmap negative cache time = 1
>>>>>>>
>>>>>>> winbind use default domain = yes
>>>>>>> winbind nss info = rfc2307
>>>>>>> winbind offline logon = yes
>>>>>>> winbind refresh tickets = Yes
>>>>>>> winbind expand groups = 4
>>>>>>> winbind nested groups = yes
>>>>>>> winbind enum users = yes
>>>>>>> winbind enum groups = yes
>>>>>>> winbind separator = +
>>>>>>> template homedir = /home/%D/%U
>>>>>>> template shell = /bin/bash
>>>>>>> usershare allow guests = No
>>>>>>>
>>>>>>> kerberos method = secrets and keytab
>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>
>>>>>>> ###### ACL related #######
>>>>>>> #For completeness, refer to man page of smb.conf for
>>>>>>> #more details on these 2
>>>>>>> acl compatibility = Auto
>>>>>>> acl check permissions = True
>>>>>>> # map Unix permissions into Windows NT ACLs
>>>>>>> nt acl support = yes
>>>>>>> #extended attributes stored on EXT3 or XFS with user_xattr options
>>>>>>> ea support = yes
>>>>>>> #True: map rwx => Windows Full Control access
>>>>>>> #False: map rwx => equivalent Windows ACL bits
>>>>>>> acl map full control = True
>>>>>>>
>>>>>>> #Users/groups who have write access to the file can modify
>>>>>>> # the permissions (incl. ACL)
>>>>>>> #Ownership of file/dir may also be changed
>>>>>>> #Default: no (disable)
>>>>>>> dos filemode = yes
>>>>>>> # must set (map [hidden|archive|system|read only]) = no
>>>>>>> # Enabled: store DOS attributes onto user.DOSATTRIB file
>>>>>>> # file system must be mounted with user_xattr
>>>>>>> # extended attributes must be compiled into the Linux kernel
>>>>>>> store dos attributes = yes
>>>>>>>
>>>>>>> #these depend on (create mask), however, refer to (store dos attributes)
>>>>>>> map hidden = no
>>>>>>> map archive = no
>>>>>>> map system = no
>>>>>>> map read only = no
>>>>>>> # map “inherit” and “protected” flags in Windows ACLs into extended
>>>>>>> #attribute file called user.SAMBA_PAI
>>>>>>> map acl inherit = yes
>>>>>>>
>>>>>>> #allow users to change timestamps, MS Office apps compatible
>>>>>>> dos filetimes = yes
>>>>>>>
>>>>>>> # Turn on unix extensions
>>>>>>> unix extensions = yes
>>>>>>>
>>>>>>> I hope this helps to identify where I am going wrong and thanks 
>>>>>>> for any help you can give.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> The problem could be in the distro package of samba; on Ubuntu 
>>>>>> 12.04 (version 2:3.6.3-2ubuntu2.4) the following config (only the 
>>>>>> relevant part of it shown) works like a charm:
>>>>>>
>>>>>> [global]
>>>>>>    workgroup = KZSDABAS
>>>>>>    realm = KZSDABAS.HU
>>>>>>    kerberos method = system keytab
>>>>>>    security = ads
>>>>>>     winbind enum groups = yes
>>>>>>     winbind enum users = yes
>>>>>>     idmap config *:backend = tdb
>>>>>>     idmap config *:range = 2000001-3000000
>>>>>>     idmap config KZSDABAS:default = yes
>>>>>>     idmap config KZSDABAS:backend = ad
>>>>>>     idmap config KZSDABAS:range = 0-1000000
>>>>>>     idmap config KZSDABAS:schema_mode = rfc2307
>>>>>>     winbind nss info = rfc2307
>>>>>>     winbind expand groups = 2
>>>>>>     winbind nested groups = yes
>>>>>>     winbind use default domain = yes
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Geza Gemes
>>>>>>
>>>>>>
>>>>> Ok, so I need another version of Samba3 on the client, but which 
>>>>> version?
>>>>>
>>>>> I did consider building 4.0.4 as a fileserver, but cannot find any 
>>>>> instructions on how to. I did find a README file in the base build 
>>>>> directory of samba4.0.4 on the server; it had this at the top:
>>>>>
>>>>> NOTE: Installation instructions may be found
>>>>>       for the file/print server and domain member in:
>>>>>       docs/htmldocs/Samba3-HOWTO/install.html
>>>>>
>>>>> But, 'ls docs/htmldocs/Samba3-HOWTO/install.html' returns:
>>>>>
>>>>> ls: cannot access docs/htmldocs/Samba3-HOWTO/install.html: No such 
>>>>> file or directory
>>>>>
>>>>> So how do I build it? Any pointers to a website etc. would be very 
>>>>> much appreciated.
>>>>>
>>>>> Thanks Geza for the help so far.
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>> Hi,
>>>>
>>>> As I haven't tried it yet, please consider it speculation, but to 
>>>> me it seems that samba4 (top level build, just as for the AD) is a 
>>>> perfectly capable samba (3-like) client (not AD) solution, if you 
>>>> take the init scripts of your distribution and modify the path to 
>>>> /usr/local/samba/sbin, where you can find smbd, nmbd and winbind, the 
>>>> three "classic" daemons.
>>>>
>>>> Regards
>>>>
>>>> Geza Gemes
>>>>
>>>>
>>> Ah, if that is the case, I could copy the samba4 build dir on the 
>>> server to the client, run 'make install' and then set it up again 
>>> as per the original install. Well, it's worth a try to save time ;-)
>>>
>>> Rowland
>>>
>>>
>> Well that didn't work, so back to compiling it on the client
>>
>> Rowland
>>
> Just a sidenote: I usually configure, make and make install samba on a 
> development box and scp over (tar-ed) the /usr/local/samba to the 
> machine where I want it installed (not too willing to compile programs 
> on the servers); perhaps a bad habit, but I always have an installable 
> copy of the latest samba release this way.
>
> Regards
>
> Geza Gemes
>
>
>
>
Ok, well that didn't work either. I downloaded, compiled and installed 
Samba4.0.4 and tried to set it up as a domain member using smbd, nmbd 
and winbindd. I cannot get the daemons to keep running, mostly smbd; 
they seem to start and then stop almost immediately. Has anybody got 
Samba4 to work this way, and if so, how?

Next plan: try to find a later version of Samba 3.6 that I can install 
on Mint 14.

Rowland
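As an added illustration (not part of the thread), the check below decodes the objectSid from the user.ldif quoted above and computes the uid/gid the client's idmap_rid backend allocates (RID plus the range's lower bound, 20000 in the client smb.conf) next to the uidNumber/gidNumber the DC serves from the rfc2307 attributes; the two disagree, which is why a file created through the mount ends up owned by an id the client cannot map back to the user. The minimal LDIF reader and the range base are assumptions of the example.

```python
import base64
import struct

# Attributes copied from the user.ldif quoted earlier in the thread.
LDIF = """dn: CN=user,CN=Users,DC=example,DC=com
sAMAccountName: user
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
uidNumber: 3000016
gidNumber: 100
"""


def parse_ldif(text):
    """Minimal LDIF reader (assumption): '::' marks a base64 value."""
    attrs = {}
    for line in text.splitlines():
        if "::" in line:
            key, val = line.split("::", 1)
            attrs[key.strip()] = base64.b64decode(val.strip())
        elif ":" in line:
            key, val = line.split(":", 1)
            attrs[key.strip()] = val.strip()
    return attrs


def decode_sid(raw):
    """Binary SID -> ('S-1-5-21-...-RID', RID). Sub-authorities are little-endian."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs))), subs[-1]


def rid_backend_ids(attrs, range_low):
    """idmap_rid allocation: RID plus the low end of the domain's range."""
    _, rid = decode_sid(attrs["objectSid"])
    return range_low + rid, range_low + int(attrs["primaryGroupID"])


def rfc2307_ids(attrs):
    """Ids the DC reports with idmap_ldb:use rfc2307 = yes (or idmap_ad)."""
    return int(attrs["uidNumber"]), int(attrs["gidNumber"])


def check(text, range_low=20000):
    """Compare what client and server will see for the same account."""
    attrs = parse_ldif(text)
    client, server = rid_backend_ids(attrs, range_low), rfc2307_ids(attrs)
    return {"client": client, "server": server, "match": client == server}


if __name__ == "__main__":
    print(check(LDIF))  # client (21105, 20513) vs server (3000016, 100)
```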
