Samba4 Linux user has two uid's

Gémes Géza geza at kzsdabas.hu
Sun Mar 24 00:38:10 MDT 2013


On 2013-03-23 14:16, Rowland Penny wrote:
> On 23/03/13 05:39, Gémes Géza wrote:
>> On 2013-03-22 21:24, Rowland Penny wrote:
>>> On 22/03/13 20:02, Rowland Penny wrote:
>>>> On 22/03/13 19:41, Gémes Géza wrote:
>>>>> On 2013-03-22 19:36, Rowland Penny wrote:
>>>>>> On 22/03/13 17:38, Gémes Géza wrote:
>>>>>>> On 2013-03-22 18:09, Rowland Penny wrote:
>>>>>>>> On 21/03/13 22:10, Gémes Géza wrote:
>>>>>>>>> On 2013-03-21 21:01, Rowland Penny wrote:
>>>>>>>>>> Hi,
>>>>>>>>>> If you join an S3 client to an S4 domain you get a different 
>>>>>>>>>> uid on the client and server, i.e.
>>>>>>>>>>
>>>>>>>>>> Info from the client
>>>>>>>>>> $ id user
>>>>>>>>>> uid=21105(user) gid=20513(domain_users) groups=20513(domain_users),1101(BUILTIN\users)
>>>>>>>>>>
>>>>>>>>>> Info from the server
>>>>>>>>>> # id user
>>>>>>>>>> uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>>>>>>>>>>
>>>>>>>>>> Now if you mount a share onto the client from the server via 
>>>>>>>>>> pam_script:
>>>>>>>>>>
>>>>>>>>>> mount -t cifs //server/dropbox /home/dropbox -o 
>>>>>>>>>> username=user,cruid=userid,sec=krb5i,multiuser,nobrl,mapchars,mfsymlinks,noserverino 
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> If a file is now created in the share by the user, the user 
>>>>>>>>>> immediately loses all rights to it from the client.
>>>>>>>>>>
>>>>>>>>>> Is this a CIFS problem or a Samba4 problem?
>>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Please check that you have the following:
>>>>>>>>>
>>>>>>>>> For samba4 use rfc2307 and specify the uids/gids (using e.g. 
>>>>>>>>> ADUC), copy/symlink the libnss files and allow winbind in 
>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>
>>>>>>>> These were already setup
>>>>>>>>
>>>>>>>>> For samba3 use idmap_ad with a range that covers the assigned 
>>>>>>>>> uids/gids.
>>>>>>>>
>>>>>>>> I was using the rid backend so I tried to convert to ad, but I 
>>>>>>>> cannot get it to work, wbinfo shows all domain users & groups 
>>>>>>>> but no domain users or groups are shown by getent. With the rid 
>>>>>>>> backend 'getent passwd' gives:
>>>>>>>>
>>>>>>>> administrator:*:20500:20513:Administrator:/home/EXAMPLE/administrator:/bin/bash
>>>>>>>> dns-adserver:*:21101:20513:dns-adserver:/home/EXAMPLE/dns-adserver:/bin/bash
>>>>>>>> dhcpduser:*:21104:20513:dhcpduser:/home/EXAMPLE/dhcpduser:/bin/bash
>>>>>>>> user1:*:21107:20513:user1:/home/EXAMPLE/user1:/bin/bash
>>>>>>>> user:*:21105:20513:user:/home/EXAMPLE/user:/bin/bash
>>>>>>>> krbtgt:*:20502:20513:krbtgt:/home/EXAMPLE/krbtgt:/bin/bash
>>>>>>>> guest:*:20501:20514:Guest:/home/EXAMPLE/guest:/bin/bash
>>>>>>>>
>>>>>>>> with the ad backend I do not get any of the above
>>>>>>>>
>>>>>>>>>
>>>>>>>>> If that is configured and doesn't work as expected, please post 
>>>>>>>>> your smb.conf (both from the AD and the client system) and an LDIF for 
>>>>>>>>> a user obtained by ldbsearch.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> Geza Gemes
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Ok, I cannot make it work, so here are the files you requested
>>>>>>>>
>>>>>>>> Samba4.0.4 user.ldif
>>>>>>>>
>>>>>>>> # user, Users, example.com
>>>>>>>> dn: CN=user,CN=Users,DC=example,DC=com
>>>>>>>> cn: user
>>>>>>>> instanceType: 4
>>>>>>>> whenCreated: 20130320122306.0Z
>>>>>>>> uSNCreated: 3778
>>>>>>>> name: user
>>>>>>>> objectGUID:: siE+gJgV2kKaQO0qslOkVg==
>>>>>>>> badPwdCount: 0
>>>>>>>> codePage: 0
>>>>>>>> countryCode: 0
>>>>>>>> badPasswordTime: 0
>>>>>>>> lastLogoff: 0
>>>>>>>> lastLogon: 0
>>>>>>>> primaryGroupID: 513
>>>>>>>> objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>> logonCount: 0
>>>>>>>> sAMAccountName: user
>>>>>>>> sAMAccountType: 805306368
>>>>>>>> userPrincipalName: user at example.com
>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>>>>>>>> pwdLastSet: 130082557870000000
>>>>>>>> userAccountControl: 512
>>>>>>>> uidNumber: 3000016
>>>>>>>> gidNumber: 100
>>>>>>>> unixHomeDirectory: /home/EXAMPLE/user
>>>>>>>> loginShell: /bin/bash
>>>>>>>> profilePath: \\server\profiles\user
>>>>>>>> homeDrive: Z:
>>>>>>>> homeDirectory: \\server\home\user
>>>>>>>> objectClass: top
>>>>>>>> objectClass: posixAccount
>>>>>>>> objectClass: person
>>>>>>>> objectClass: organizationalPerson
>>>>>>>> objectClass: user
>>>>>>>> whenChanged: 20130322130515.0Z
>>>>>>>> uSNChanged: 3794
>>>>>>>> distinguishedName: CN=user,CN=Users,DC=example,DC=com
>>>>>>>>
>>>>>>>> Samba4.0.4 smb.conf
>>>>>>>>
>>>>>>>> # Global parameters
>>>>>>>> [global]
>>>>>>>> workgroup = EXAMPLE
>>>>>>>> realm = example.com
>>>>>>>> netbios name = SERVER
>>>>>>>> server role = active directory domain controller
>>>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>>>> acl:search=false
>>>>>>>> passdb backend = samba4
>>>>>>>> template shell = /bin/bash
>>>>>>>> # Turn on Server signing
>>>>>>>> server signing = auto
>>>>>>>>
>>>>>>>> [netlogon]
>>>>>>>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>>>>>> read only = No
>>>>>>>>
>>>>>>>> [sysvol]
>>>>>>>> path = /usr/local/samba/var/locks/sysvol
>>>>>>>> read only = No
>>>>>>>>
>>>>>>>> [home]
>>>>>>>> path = /home/EXAMPLE
>>>>>>>> read only = No
>>>>>>>>
>>>>>>>> [profiles]
>>>>>>>> path = /home/EXAMPLE/profiles
>>>>>>>> read only = No
>>>>>>>>
>>>>>>>> [dropbox]
>>>>>>>> path = /home/EXAMPLE/dropbox
>>>>>>>> read only = No
>>>>>>>>
>>>>>>>>
>>>>>>>> Samba 3.6.6 on Mint 14
>>>>>>>>
>>>>>>>> [global]
>>>>>>>> workgroup = EXAMPLE
>>>>>>>> realm = example.com
>>>>>>>> server string = %h client (Samba)
>>>>>>>>
>>>>>>>> log level = 10
>>>>>>>> log file = /var/log/samba/samba.log
>>>>>>>> max log size = 4192
>>>>>>>>
>>>>>>>> security = ADS
>>>>>>>> preferred master = no
>>>>>>>>
>>>>>>>> idmap config * : backend = tdb
>>>>>>>> idmap config * : range = 1100-2000
>>>>>>>>
>>>>>>>> # idmap config EXAMPLE : backend = ad
>>>>>>>> idmap config EXAMPLE : backend = rid
>>>>>>>> idmap config EXAMPLE : range = 20000-3100000
>>>>>>>> # idmap config EXAMPLE : schema mode = rfc2307
>>>>>>>>
>>>>>>>> idmap cache time = 120
>>>>>>>> idmap negative cache time = 1
>>>>>>>>
>>>>>>>> winbind use default domain = yes
>>>>>>>> winbind nss info = rfc2307
>>>>>>>> winbind offline logon = yes
>>>>>>>> winbind refresh tickets = Yes
>>>>>>>> winbind expand groups = 4
>>>>>>>> winbind nested groups = yes
>>>>>>>> winbind enum users = yes
>>>>>>>> winbind enum groups = yes
>>>>>>>> winbind separator = +
>>>>>>>> template homedir = /home/%D/%U
>>>>>>>> template shell = /bin/bash
>>>>>>>> usershare allow guests = No
>>>>>>>>
>>>>>>>> kerberos method = secrets and keytab
>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>
>>>>>>>> ###### ACL related #######
>>>>>>>> #For completeness, refer to man page of smb.conf for
>>>>>>>> #more details on these 2
>>>>>>>> acl compatibility = Auto
>>>>>>>> acl check permissions = True
>>>>>>>> # map Unix permissions into Windows NT ACLs
>>>>>>>> nt acl support = yes
>>>>>>>> #extended attributes stored on EXT3 or XFS with user_xattr options
>>>>>>>> ea support = yes
>>>>>>>> #True: map rwx => Windows Full Control access
>>>>>>>> #False: map rwx => equivalent Windows ACL bits
>>>>>>>> acl map full control = True
>>>>>>>>
>>>>>>>> #Users/groups who have write access to the file can modify
>>>>>>>> # the permissions (incl. ACL)
>>>>>>>> #Ownership of file/dir may also be changed
>>>>>>>> #Default: no (disable)
>>>>>>>> dos filemode = yes
>>>>>>>> # must set (map [hidden|archive|system|read only]) = no
>>>>>>>> # Enabled: store DOS attributes onto user.DOSATTRIB file
>>>>>>>> # file system must be mounted with user_xattr
>>>>>>>> # extended attributes must be compiled into the Linux kernel
>>>>>>>> store dos attributes = yes
>>>>>>>>
>>>>>>>> #these depend on (create mask), however, refer to (store dos attributes)
>>>>>>>> map hidden = no
>>>>>>>> map archive = no
>>>>>>>> map system = no
>>>>>>>> map read only = no
>>>>>>>> # map “inherit” and “protected” flags in Windows ACLs into an extended
>>>>>>>> # attribute file called user.SAMBA_PAI
>>>>>>>> map acl inherit = yes
>>>>>>>>
>>>>>>>> #allow users to change timestamps, MS Office apps compatible
>>>>>>>> dos filetimes = yes
>>>>>>>>
>>>>>>>> # Turn on unix extensions
>>>>>>>> unix extensions = yes
>>>>>>>>
>>>>>>>> I hope this helps to identify where I am going wrong and thanks 
>>>>>>>> for any help you can give.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> The problem could be in the distro package of samba; on Ubuntu 
>>>>>>> 12.04 (version 2:3.6.3-2ubuntu2.4)
>>>>>>> the following config (only the relevant part of it shown) works like 
>>>>>>> a charm:
>>>>>>>
>>>>>>> [global]
>>>>>>>    workgroup = KZSDABAS
>>>>>>>    realm = KZSDABAS.HU
>>>>>>>    kerberos method = system keytab
>>>>>>>    security = ads
>>>>>>>     winbind enum groups = yes
>>>>>>>     winbind enum users = yes
>>>>>>>     idmap config *:backend = tdb
>>>>>>>     idmap config *:range = 2000001-3000000
>>>>>>>     idmap config KZSDABAS:default = yes
>>>>>>>     idmap config KZSDABAS:backend = ad
>>>>>>>     idmap config KZSDABAS:range = 0-1000000
>>>>>>>     idmap config KZSDABAS:schema_mode = rfc2307
>>>>>>>     winbind nss info = rfc2307
>>>>>>>     winbind expand groups = 2
>>>>>>>     winbind nested groups = yes
>>>>>>>     winbind use default domain = yes
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Geza Gemes
>>>>>>>
>>>>>>>
>>>>>> Ok, so I need another version of Samba3 on the client, but which 
>>>>>> version?
>>>>>>
>>>>>> I did consider building 4.0.4 as a fileserver, but cannot find 
>>>>>> any instructions on how to. I did find a README file in the base 
>>>>>> build directory of samba4.0.4 on the server, it had this at the top:
>>>>>>
>>>>>> NOTE: Installation instructions may be found
>>>>>>       for the file/print server and domain member in:
>>>>>>       docs/htmldocs/Samba3-HOWTO/install.html
>>>>>>
>>>>>> But, 'ls docs/htmldocs/Samba3-HOWTO/install.html' returns:
>>>>>>
>>>>>> ls: cannot access docs/htmldocs/Samba3-HOWTO/install.html: No 
>>>>>> such file or directory
>>>>>>
>>>>>> So how do I build it, any pointers to a website etc, would be 
>>>>>> very much appreciated.
>>>>>>
>>>>>> Thanks Geza for the help so far.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>> Hi,
>>>>>
>>>>> As I haven't tried it yet, please consider it speculation, but to 
>>>>> me it seems that samba4 (top-level build, just as for the AD) is 
>>>>> a perfectly capable samba (3-like) client (not AD) solution, if 
>>>>> you take the init scripts of your distribution and modify the path 
>>>>> to /usr/local/samba/sbin, where you can find smbd, nmbd and winbind, 
>>>>> the three "classic" daemons.
>>>>>
>>>>> Regards
>>>>>
>>>>> Geza Gemes
>>>>>
>>>>>
>>>> Ah, if that is the case, I could copy the samba4 build dir on the 
>>>> server to the client and run 'make install' and then set it up 
>>>> again as per the original install; well, it's worth a try to save 
>>>> time ;-)
>>>>
>>>> Rowland
>>>>
>>>>
>>> Well that didn't work, so back to compiling it on the client
>>>
>>> Rowland
>>>
>> Just a sidenote: I usually configure, make and make install samba on a 
>> development box and scp (tarred) /usr/local/samba over to the 
>> machine where I want it installed (not too willing to compile programs 
>> on the servers); perhaps a bad habit, but I always have an installable 
>> copy of the latest samba release this way.
>>
>> Regards
>>
>> Geza Gemes
>>
>>
>>
>>
> Ok, well that didn't work either. I downloaded, compiled and installed 
> Samba 4.0.4 and tried to set it up as a domain member using smbd, nmbd 
> and winbindd. I cannot get the daemons to keep running, mostly smbd; 
> they seem to start and then stop almost immediately. Has anybody got 
> Samba4 to work this way, and if so, how?
>
> Next plan, try to find a later version of Samba 3.6 that I can install 
> on Mint 14
>
> Rowland
>
I think you should file a bug report about smbd (4.0.4).

Regards

Geza Gemes
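The uid mismatch at the top of the thread, worked through as an added example (this is not code from the thread or from Samba): it decodes the objectSid from the posted user entry, computes what the idmap_rid backend on the 3.6.6 member would allocate for the configured range 20000-3100000, and sets that beside the uidNumber/gidNumber the DC itself uses because of `idmap_ldb:use rfc2307 = yes`. The LDIF text is a constructed excerpt of the entry posted above; the idmap_rid formula (low end of the range + RID - base_rid, with base_rid defaulting to 0) is assumed from the idmap_rid manpage, and the function names are the example's own.

```python
import base64
import struct

# Constructed excerpt of the user entry posted in the thread; only the
# attributes this check needs are reproduced.
SAMPLE_LDIF = """\
dn: CN=user,CN=Users,DC=example,DC=com
sAMAccountName: user
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
uidNumber: 3000016
gidNumber: 100
"""


def parse_ldif(text):
    """Minimal single-entry LDIF reader: 'attr: value' or base64 'attr:: value'."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):          # 'attr:: <base64>'
            entry[attr] = base64.b64decode(value[1:].strip())
        else:
            entry[attr] = value
    return entry


def decode_sid(raw):
    """Binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid_of(sid):
    """The last sub-authority is the RID."""
    return int(sid.rsplit("-", 1)[1])


def rid_backend_id(rid, low, high, base_rid=0):
    """What idmap_rid allocates (assumed formula: low + (rid - base_rid));
    None when the result falls outside the configured range."""
    xid = low + (rid - base_rid)
    return xid if low <= xid <= high else None


def compare_mappings(ldif_text, low, high):
    """Member-side (idmap_rid) ids versus the DC-side (rfc2307) ids."""
    entry = parse_ldif(ldif_text)
    sid = decode_sid(entry["objectSid"])
    result = {
        "sid": sid,
        "rid_uid": rid_backend_id(rid_of(sid), low, high),
        "rid_gid": rid_backend_id(int(entry["primaryGroupID"]), low, high),
        "ad_uid": int(entry["uidNumber"]) if "uidNumber" in entry else None,
        "ad_gid": int(entry["gidNumber"]) if "gidNumber" in entry else None,
    }
    ad_uid = result["ad_uid"]
    result["ad_uid_in_range"] = ad_uid is not None and low <= ad_uid <= high
    result["consistent"] = (result["rid_uid"] == result["ad_uid"]
                            and result["rid_gid"] == result["ad_gid"])
    return result


if __name__ == "__main__":
    r = compare_mappings(SAMPLE_LDIF, 20000, 3100000)
    print("SID            :", r["sid"])
    print("member (rid)   : uid=%s gid=%s" % (r["rid_uid"], r["rid_gid"]))
    print("DC (rfc2307)   : uid=%s gid=%s" % (r["ad_uid"], r["ad_gid"]))
    print("uidNumber within member range:", r["ad_uid_in_range"])
    print("consistent     :", r["consistent"])
```

The RID of the posted SID is 1105, so the member's rid backend yields uid 21105 / gid 20513, exactly the `id user` output from the client, while the DC resolves the same account to 3000016 / 100 from uidNumber and gidNumber. A file written over the CIFS mount is therefore owned by 3000016 on the server, an id the client does not associate with the user, which is the "loses all rights" symptom. Both ends need the same mapping source; the ad backend with schema_mode = rfc2307 and a range that includes 3000016 (the posted 20000-3100000 does) gives that. Note that the working Ubuntu config spells the parameter `schema_mode` (underscore), whereas the commented-out line in the Mint 3.6.6 config has `schema mode` with a space.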


More information about the samba-technical mailing list