Samba4 Linux user has two uid's

Thomas Simmons twsnnva at gmail.com
Sun Mar 24 06:43:57 MDT 2013


On Sun, Mar 24, 2013 at 2:38 AM, Gémes Géza <geza at kzsdabas.hu> wrote:

> On 2013-03-23 14:16, Rowland Penny wrote:
>
>> On 23/03/13 05:39, Gémes Géza wrote:
>>
>>> On 2013-03-22 21:24, Rowland Penny wrote:
>>>
>>>> On 22/03/13 20:02, Rowland Penny wrote:
>>>>
>>>>> On 22/03/13 19:41, Gémes Géza wrote:
>>>>>
>>>>>> On 2013-03-22 19:36, Rowland Penny wrote:
>>>>>>
>>>>>>> On 22/03/13 17:38, Gémes Géza wrote:
>>>>>>>
>>>>>>>> On 2013-03-22 18:09, Rowland Penny wrote:
>>>>>>>>
>>>>>>>>> On 21/03/13 22:10, Gémes Géza wrote:
>>>>>>>>>
>>>>>>>>>> On 2013-03-21 21:01, Rowland Penny wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>> If you join a S3 client to a S4 domain you get a different uid
>>>>>>>>>>> on the client and server i.e.
>>>>>>>>>>>
>>>>>>>>>>> Info from the client
>>>>>>>>>>> $ id user
>>>>>>>>>>> uid=21105(user) gid=20513(domain_users)
>>>>>>>>>>> groups=20513(domain_users),1101(BUILTIN\users)
>>>>>>>>>>>
>>>>>>>>>>> Info from the server
>>>>>>>>>>> # id user
>>>>>>>>>>> uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>>>>>>>>>>>
>>>>>>>>>>> Now if you mount a share onto the client from the server via
>>>>>>>>>>> pam_script:
>>>>>>>>>>>
>>>>>>>>>>> mount -t cifs //server/dropbox /home/dropbox -o username=user,cruid=userid,sec=krb5i,multiuser,nobrl,mapchars,mfsymlinks,noserverino
>>>>>>>>>>>
>>>>>>>>>>> If a file is now created in the share by the user, the user
>>>>>>>>>>> immediately loses all rights to it from the client.
>>>>>>>>>>>
>>>>>>>>>>> Is this a CIFS problem or a Samba4 problem?
>>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Please check that you have the following:
>>>>>>>>>>
>>>>>>>>>> For samba4 use rfc2307 and specify the uids/gids (using e.g.
>>>>>>>>>> ADUC), copy/symlink the libnss files and allow winbind in /etc/nsswitch.conf
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> These were already set up.
>>>>>>>>>
>>>>>>>>>> For samba3 use idmap_ad with a range that covers the assigned
>>>>>>>>>> uids/gids.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I was using the rid backend so I tried to convert to ad, but I
>>>>>>>>> cannot get it to work: wbinfo shows all domain users & groups, but no domain
>>>>>>>>> users or groups are shown by getent. With the rid backend 'getent passwd'
>>>>>>>>> gives:
>>>>>>>>>
>>>>>>>>> administrator:*:20500:20513:Administrator:/home/EXAMPLE/administrator:/bin/bash
>>>>>>>>> dns-adserver:*:21101:20513:dns-adserver:/home/EXAMPLE/dns-adserver:/bin/bash
>>>>>>>>> dhcpduser:*:21104:20513:dhcpduser:/home/EXAMPLE/dhcpduser:/bin/bash
>>>>>>>>> user1:*:21107:20513:user1:/home/EXAMPLE/user1:/bin/bash
>>>>>>>>> user:*:21105:20513:user:/home/EXAMPLE/user:/bin/bash
>>>>>>>>> krbtgt:*:20502:20513:krbtgt:/home/EXAMPLE/krbtgt:/bin/bash
>>>>>>>>> guest:*:20501:20514:Guest:/home/EXAMPLE/guest:/bin/bash
>>>>>>>>>
>>>>>>>>> With the ad backend I do not get any of the above.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> If that is configured and doesn't work as expected please post your
>>>>>>>>>> smb.conf (both from AD and client system) and an ldif for a user obtained
>>>>>>>>>> by ldbsearch.
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>>
>>>>>>>>>> Geza Gemes
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Ok, I cannot make it work, so here are the files you requested
>>>>>>>>>
>>>>>>>>> Samba4.0.4 user.ldif
>>>>>>>>>
>>>>>>>>> # user, Users, example.com
>>>>>>>>> dn: CN=user,CN=Users,DC=example,DC=com
>>>>>>>>> cn: user
>>>>>>>>> instanceType: 4
>>>>>>>>> whenCreated: 20130320122306.0Z
>>>>>>>>> uSNCreated: 3778
>>>>>>>>> name: user
>>>>>>>>> objectGUID:: siE+gJgV2kKaQO0qslOkVg==
>>>>>>>>> badPwdCount: 0
>>>>>>>>> codePage: 0
>>>>>>>>> countryCode: 0
>>>>>>>>> badPasswordTime: 0
>>>>>>>>> lastLogoff: 0
>>>>>>>>> lastLogon: 0
>>>>>>>>> primaryGroupID: 513
>>>>>>>>> objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>> logonCount: 0
>>>>>>>>> sAMAccountName: user
>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>> userPrincipalName: user at example.com
>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>>>>>>>>> pwdLastSet: 130082557870000000
>>>>>>>>> userAccountControl: 512
>>>>>>>>> uidNumber: 3000016
>>>>>>>>> gidNumber: 100
>>>>>>>>> unixHomeDirectory: /home/EXAMPLE/user
>>>>>>>>> loginShell: /bin/bash
>>>>>>>>> profilePath: \\server\profiles\user
>>>>>>>>> homeDrive: Z:
>>>>>>>>> homeDirectory: \\server\home\user
>>>>>>>>> objectClass: top
>>>>>>>>> objectClass: posixAccount
>>>>>>>>> objectClass: person
>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>> objectClass: user
>>>>>>>>> whenChanged: 20130322130515.0Z
>>>>>>>>> uSNChanged: 3794
>>>>>>>>> distinguishedName: CN=user,CN=Users,DC=example,DC=com
>>>>>>>>>
>>>>>>>>> Samba4.0.4 smb.conf
>>>>>>>>>
>>>>>>>>> # Global parameters
>>>>>>>>> [global]
>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>> realm = example.com
>>>>>>>>> netbios name = SERVER
>>>>>>>>> server role = active directory domain controller
>>>>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>>>>>>>> winbind, ntp_signd, kcc, dnsupdate
>>>>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>>>>> acl:search=false
>>>>>>>>> passdb backend = samba4
>>>>>>>>> template shell = /bin/bash
>>>>>>>>> # Turn on Server signing
>>>>>>>>> server signing = auto
>>>>>>>>>
>>>>>>>>> [netlogon]
>>>>>>>>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>>>>>>> read only = No
>>>>>>>>>
>>>>>>>>> [sysvol]
>>>>>>>>> path = /usr/local/samba/var/locks/sysvol
>>>>>>>>> read only = No
>>>>>>>>>
>>>>>>>>> [home]
>>>>>>>>> path = /home/EXAMPLE
>>>>>>>>> read only = No
>>>>>>>>>
>>>>>>>>> [profiles]
>>>>>>>>> path = /home/EXAMPLE/profiles
>>>>>>>>> read only = No
>>>>>>>>>
>>>>>>>>> [dropbox]
>>>>>>>>> path = /home/EXAMPLE/dropbox
>>>>>>>>> read only = No
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Samba 3.6.6 on Mint 14
>>>>>>>>>
>>>>>>>>> [global]
>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>> realm = example.com
>>>>>>>>> server string = %h client (Samba)
>>>>>>>>>
>>>>>>>>> log level = 10
>>>>>>>>> log file = /var/log/samba/samba.log
>>>>>>>>> max log size = 4192
>>>>>>>>>
>>>>>>>>> security = ADS
>>>>>>>>> preferred master = no
>>>>>>>>>
>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>> idmap config * : range = 1100-2000
>>>>>>>>>
>>>>>>>>> # idmap config EXAMPLE : backend = ad
>>>>>>>>> idmap config EXAMPLE : backend = rid
>>>>>>>>> idmap config EXAMPLE : range = 20000-3100000
>>>>>>>>> # idmap config EXAMPLE : schema mode = rfc2307
>>>>>>>>>
>>>>>>>>> idmap cache time = 120
>>>>>>>>> idmap negative cache time = 1
>>>>>>>>>
>>>>>>>>> winbind use default domain = yes
>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>> winbind offline logon = yes
>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>> winbind expand groups = 4
>>>>>>>>> winbind nested groups = yes
>>>>>>>>> winbind enum users = yes
>>>>>>>>> winbind enum groups = yes
>>>>>>>>> winbind separator = +
>>>>>>>>> template homedir = /home/%D/%U
>>>>>>>>> template shell = /bin/bash
>>>>>>>>> usershare allow guests = No
>>>>>>>>>
>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>
>>>>>>>>> ###### ACL related #######
>>>>>>>>> #For completeness, refer to man page of smb.conf for
>>>>>>>>> #more details on these 2
>>>>>>>>> acl compatibility = Auto
>>>>>>>>> acl check permissions = True
>>>>>>>>> # map Unix permissions into Windows NT ACLs
>>>>>>>>> nt acl support = yes
>>>>>>>>> #extended attributes stored on EXT3 or XFS with user_xattr options
>>>>>>>>> ea support = yes
>>>>>>>>> #True: map rwx => Windows Full Control access
>>>>>>>>> #False: map rwx => equivalent Windows ACL bits
>>>>>>>>> acl map full control = True
>>>>>>>>>
>>>>>>>>> #Users/groups who have write access to the file can modify
>>>>>>>>> # the permissions (incl. ACL)
>>>>>>>>> #Ownership of file/dir may also be changed
>>>>>>>>> #Default: no (disable)
>>>>>>>>> dos filemode = yes
>>>>>>>>> # must set (map [hidden|archive|system|read only]) = no
>>>>>>>>> # Enabled: store DOS attributes onto user.DOSATTRIB file
>>>>>>>>> # file system must be mounted with user_xattr
>>>>>>>>> # extended attributes must be compiled into the Linux kernel
>>>>>>>>> store dos attributes = yes
>>>>>>>>>
>>>>>>>>> #these depend on (create mask), however, refer to (store dos
>>>>>>>>> attributes)
>>>>>>>>> map hidden = no
>>>>>>>>> map archive = no
>>>>>>>>> map system = no
>>>>>>>>> map read only = no
>>>>>>>>> # map “inherit” and “protected” flags in Windows ACLs into extended
>>>>>>>>> #attribute file called user.SAMBA_PAI
>>>>>>>>> map acl inherit = yes
>>>>>>>>>
>>>>>>>>> #allow users to change timestamps, MS Office apps compatible
>>>>>>>>> dos filetimes = yes
>>>>>>>>>
>>>>>>>>> # Turn on unix extensions
>>>>>>>>> unix extensions = yes
>>>>>>>>>
>>>>>>>>> I hope this helps to identify where I am going wrong and thanks
>>>>>>>>> for any help you can give.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> The problem could be in the distro package of samba. On ubuntu
>>>>>>>> 12.04 (version 2:3.6.3-2ubuntu2.4) the following config (only the
>>>>>>>> relevant part of it shown) works like a charm:
>>>>>>>>
>>>>>>>> [global]
>>>>>>>>    workgroup = KZSDABAS
>>>>>>>>    realm = KZSDABAS.HU
>>>>>>>>    kerberos method = system keytab
>>>>>>>>    security = ads
>>>>>>>>     winbind enum groups = yes
>>>>>>>>     winbind enum users = yes
>>>>>>>>     idmap config *:backend = tdb
>>>>>>>>     idmap config *:range = 2000001-3000000
>>>>>>>>     idmap config KZSDABAS:default = yes
>>>>>>>>     idmap config KZSDABAS:backend = ad
>>>>>>>>     idmap config KZSDABAS:range = 0-1000000
>>>>>>>>     idmap config KZSDABAS:schema_mode = rfc2307
>>>>>>>>     winbind nss info = rfc2307
>>>>>>>>     winbind expand groups = 2
>>>>>>>>     winbind nested groups = yes
>>>>>>>>     winbind use default domain = yes
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> Geza Gemes
>>>>>>>>
>>>>>>>>
>>>>>>> Ok, so I need another version of Samba3 on the client, but which
>>>>>>> version?
>>>>>>>
>>>>>>> I did consider building 4.0.4 as a fileserver, but cannot find any
>>>>>>> instructions on how to. I did find a README file in the base build
>>>>>>> directory of samba4.0.4 on the server, it had this at the top:
>>>>>>>
>>>>>>> NOTE: Installation instructions may be found
>>>>>>>       for the file/print server and domain member in:
>>>>>>>       docs/htmldocs/Samba3-HOWTO/install.html
>>>>>>>
>>>>>>> But, 'ls docs/htmldocs/Samba3-HOWTO/install.html' returns:
>>>>>>>
>>>>>>> ls: cannot access docs/htmldocs/Samba3-HOWTO/install.html: No such file or directory
>>>>>>>
>>>>>>> So how do I build it, any pointers to a website etc, would be very
>>>>>>> much appreciated.
>>>>>>>
>>>>>>> Thanks Geza for the help so far.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> As I haven't tried it yet, please consider it speculation, but to me
>>>>>> it seems that samba4 (top level build, just as for the AD) is a perfectly
>>>>>> capable samba (3-like) client (not AD) solution, if you take the init
>>>>>> scripts of your distribution and modify the path to /usr/local/samba/sbin,
>>>>>> where you can find smbd, nmbd and winbind, the three "classic" daemons.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Geza Gemes
>>>>>>
>>>>>>
>>>>> Ah, if that is the case, I could copy the samba4 build dir on the
>>>>> server to the client and run 'make install' and then set it up again as per
>>>>> the original install, well, it's worth a try to save time ;-)
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>> Well that didn't work, so back to compiling it on the client.
>>>>
>>>> Rowland
>>>>
>>> Just a sidenote: I usually configure, make and make install samba on a
>>> development box and scp over (tar-ed) the /usr/local/samba to the machine
>>> where I want it installed (not too willing to compile programs on the
>>> servers), perhaps a bad habit, but I always have an installable copy of the
>>> latest samba release this way.
>>>
>>> Regards
>>>
>>> Geza Gemes
>>>
>>>
>>>
>>>
>> Ok, well that didn't work either. I downloaded, compiled and installed
>> Samba4.0.4 and tried to set it up as a domain member using smbd, nmbd and
>> winbindd. I cannot get the daemons to keep running, mostly smbd, they seem
>> to start and then stop almost immediately. Has anybody got Samba4 to work
>> this way and if so, how?
>>
>> Next plan, try to find a later version of Samba 3.6 that I can install on
>> Mint 14
>>
>> Rowland
>>
> I think you should file a bug report about smbd (4.0.4).
>
> Regards
>
> Geza Gemes
>

Hello Rowland,

I've not been watching your thread very well, but I tested quite a few
configurations while working on a similar problem. You may be able to pick
up some useful bits of info from that thread.

https://lists.samba.org/archive/samba/2012-December/170521.html
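An added example, not part of this thread and not Samba code, that makes the uid mismatch discussed above concrete. It takes the objectSid and uidNumber from the user.ldif Rowland posted, decodes the SID, derives the uid and gid that the client's idmap_rid backend produces from its configured range (20000-3100000, so uid = 20000 + RID), and compares them with the rfc2307 uidNumber/gidNumber the DC uses; it also checks whether an idmap_ad range covers that uidNumber, which is what Geza's advice turns on. The LDIF excerpt is constructed from the thread's values, and parse_ldif, decode_sid and compare are helper names chosen here, not Samba APIs. An id that names one account on the client and a different one on the server is the kind of mismatch worth checking with a script like this before a multiuser CIFS mount goes into service.

```python
"""Decode an AD objectSid and compare idmap_rid vs rfc2307 unix ids.

Added example for this thread; not Samba code. The attribute values below are
copied from the user.ldif and smb.conf excerpts quoted in the thread.
"""
import base64
import struct

# Constructed LDIF excerpt: only the attributes needed for the comparison.
USER_LDIF = """\
dn: CN=user,CN=Users,DC=example,DC=com
sAMAccountName: user
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
uidNumber: 3000016
gidNumber: 100
"""

# 'idmap config EXAMPLE : range = 20000-3100000' from the client smb.conf.
RID_RANGE = (20000, 3100000)
# Assumed range for the commented-out 'backend = ad' line (same numbers).
AD_RANGE = (20000, 3100000)


def parse_ldif(text):
    """Minimal LDIF parser: 'attr: value' and base64 'attr:: value' lines."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):            # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip())
        attrs[name.strip()] = value
    return attrs


def decode_sid(raw):
    """Binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid_of(sid):
    """Relative identifier: the last sub-authority of the SID."""
    return int(sid.rsplit("-", 1)[1])


def rid_backend_id(rid, rid_range):
    """idmap_rid: unix id = low end of the configured range + RID."""
    return rid_range[0] + rid


def in_range(xid, xid_range):
    return xid_range[0] <= xid <= xid_range[1]


def compare(attrs, rid_range=RID_RANGE, ad_range=AD_RANGE):
    """Return the ids each backend hands out and whether they agree."""
    sid = decode_sid(attrs["objectSid"])
    rid = rid_of(sid)
    report = {
        "sid": sid,
        "rid": rid,
        # What the client with 'backend = rid' sees ('id user' on the client).
        "rid_backend_uid": rid_backend_id(rid, rid_range),
        "rid_backend_gid": rid_backend_id(int(attrs["primaryGroupID"]), rid_range),
        # What the DC (idmap_ldb:use rfc2307 = yes) and idmap_ad use.
        "rfc2307_uid": int(attrs["uidNumber"]),
        "rfc2307_gid": int(attrs["gidNumber"]),
    }
    report["uids_agree"] = report["rid_backend_uid"] == report["rfc2307_uid"]
    # idmap_ad only maps a user whose uidNumber falls inside its range.
    report["ad_range_covers_uid"] = in_range(report["rfc2307_uid"], ad_range)
    return report


if __name__ == "__main__":
    for key, value in compare(parse_ldif(USER_LDIF)).items():
        print("%-20s %s" % (key, value))
```

Run against the thread's values it reproduces the two numbers from the `id user` outputs: the RID is 1105, so the rid backend hands out uid 21105 and gid 20513 (RID 513, Domain Users), while the DC uses uidNumber 3000016 and gidNumber 100. The two never agree by construction, because idmap_rid ignores the rfc2307 attributes entirely; only a backend that reads uidNumber (idmap_ad with a range covering 3000016, as the check shows 20000-3100000 does) can give both machines the same answer.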

