Samba4 Linux user has two uid's

Rowland Penny repenny at f2s.com
Sun Mar 24 09:38:02 MDT 2013


On 24/03/13 12:43, Thomas Simmons wrote:
> On Sun, Mar 24, 2013 at 2:38 AM, Gémes Géza <geza at kzsdabas.hu> wrote:
>
>> On 2013-03-23 14:16, Rowland Penny wrote:
>>
>>> On 23/03/13 05:39, Gémes Géza wrote:
>>>
>>>> On 2013-03-22 21:24, Rowland Penny wrote:
>>>>
>>>>> On 22/03/13 20:02, Rowland Penny wrote:
>>>>>
>>>>>> On 22/03/13 19:41, Gémes Géza wrote:
>>>>>>
>>>>>>> On 2013-03-22 19:36, Rowland Penny wrote:
>>>>>>>
>>>>>>>> On 22/03/13 17:38, Gémes Géza wrote:
>>>>>>>>
>>>>>>>>> On 2013-03-22 18:09, Rowland Penny wrote:
>>>>>>>>>
>>>>>>>>>> On 21/03/13 22:10, Gémes Géza wrote:
>>>>>>>>>>
>>>>>>>>>>> On 2013-03-21 21:01, Rowland Penny wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>> If you join an S3 client to an S4 domain you get a different uid
>>>>>>>>>>>> on the client and server, i.e.
>>>>>>>>>>>>
>>>>>>>>>>>> Info from the client
>>>>>>>>>>>> $ id user
>>>>>>>>>>>> uid=21105(user) gid=20513(domain_users)
>>>>>>>>>>>> groups=20513(domain_users),1101(BUILTIN\users)
>>>>>>>>>>>>
>>>>>>>>>>>> Info from the server
>>>>>>>>>>>> # id user
>>>>>>>>>>>> uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>>>>>>>>>>>>
>>>>>>>>>>>> Now if you mount a share onto the client from the server via
>>>>>>>>>>>> pam_script:
>>>>>>>>>>>>
>>>>>>>>>>>> mount -t cifs //server/dropbox /home/dropbox -o
>>>>>>>>>>>> username=user,cruid=userid,sec=krb5i,multiuser,nobrl,
>>>>>>>>>>>> mapchars,mfsymlinks,noserverino
>>>>>>>>>>>>
>>>>>>>>>>>> If a file is now created in the share by the user, the user
>>>>>>>>>>>> immediately loses all rights to it from the client.
>>>>>>>>>>>>
>>>>>>>>>>>> Is this a CIFS problem or a Samba4 problem?
>>>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>> Please check that you have the following:
>>>>>>>>>>>
>>>>>>>>>>> For samba4 use rfc2307 and specify the uids/gids (using e.g.
>>>>>>>>>>> ADUC), copy/symlink the libnss files and allow winbind in /etc/nsswitch.conf
>>>>>>>>>>>
>>>>>>>>>> These were already set up.
>>>>>>>>>>
>>>>>>>>>>> For samba3 use idmap_ad with a range that covers the assigned
>>>>>>>>>>> uids/gids.
>>>>>>>>>>>
>>>>>>>>>> I was using the rid backend, so I tried to convert to ad, but I
>>>>>>>>>> cannot get it to work: wbinfo shows all domain users & groups, but no domain
>>>>>>>>>> users or groups are shown by getent. With the rid backend 'getent passwd'
>>>>>>>>>> gives:
>>>>>>>>>>
>>>>>>>>>> administrator:*:20500:20513:Administrator:/home/EXAMPLE/administrator:/bin/bash
>>>>>>>>>>
>>>>>>>>>> dns-adserver:*:21101:20513:dns-adserver:/home/EXAMPLE/dns-adserver:/bin/bash
>>>>>>>>>>
>>>>>>>>>> dhcpduser:*:21104:20513:dhcpduser:/home/EXAMPLE/dhcpduser:/bin/bash
>>>>>>>>>>
>>>>>>>>>> user1:*:21107:20513:user1:/home/EXAMPLE/user1:/bin/bash
>>>>>>>>>> user:*:21105:20513:user:/home/EXAMPLE/user:/bin/bash
>>>>>>>>>> krbtgt:*:20502:20513:krbtgt:/home/EXAMPLE/krbtgt:/bin/bash
>>>>>>>>>> guest:*:20501:20514:Guest:/home/EXAMPLE/guest:/bin/bash
>>>>>>>>>>
>>>>>>>>>> With the ad backend I do not get any of the above.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> If that is configured and doesn't work as expected, please post your
>>>>>>>>>>> smb.conf (both from the AD and the client system) and an ldif for a user obtained
>>>>>>>>>>> by ldbsearch.
>>>>>>>>>>>
>>>>>>>>>>> Regards
>>>>>>>>>>>
>>>>>>>>>>> Geza Gemes
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> Ok, I cannot make it work, so here are the files you requested:
>>>>>>>>>> Samba4.0.4 user.ldif
>>>>>>>>>>
>>>>>>>>>> # user, Users, example.com
>>>>>>>>>> dn: CN=user,CN=Users,DC=example,DC=com
>>>>>>>>>> cn: user
>>>>>>>>>> instanceType: 4
>>>>>>>>>> whenCreated: 20130320122306.0Z
>>>>>>>>>> uSNCreated: 3778
>>>>>>>>>> name: user
>>>>>>>>>> objectGUID:: siE+gJgV2kKaQO0qslOkVg==
>>>>>>>>>> badPwdCount: 0
>>>>>>>>>> codePage: 0
>>>>>>>>>> countryCode: 0
>>>>>>>>>> badPasswordTime: 0
>>>>>>>>>> lastLogoff: 0
>>>>>>>>>> lastLogon: 0
>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>> objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>> logonCount: 0
>>>>>>>>>> sAMAccountName: user
>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>> userPrincipalName: user at example.com
>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>>>>>>>>>> pwdLastSet: 130082557870000000
>>>>>>>>>> userAccountControl: 512
>>>>>>>>>> uidNumber: 3000016
>>>>>>>>>> gidNumber: 100
>>>>>>>>>> unixHomeDirectory: /home/EXAMPLE/user
>>>>>>>>>> loginShell: /bin/bash
>>>>>>>>>> profilePath: \\server\profiles\user
>>>>>>>>>> homeDrive: Z:
>>>>>>>>>> homeDirectory: \\server\home\user
>>>>>>>>>> objectClass: top
>>>>>>>>>> objectClass: posixAccount
>>>>>>>>>> objectClass: person
>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>> objectClass: user
>>>>>>>>>> whenChanged: 20130322130515.0Z
>>>>>>>>>> uSNChanged: 3794
>>>>>>>>>> distinguishedName: CN=user,CN=Users,DC=example,DC=com
>>>>>>>>>>
>>>>>>>>>> Samba4.0.4 smb.conf
>>>>>>>>>>
>>>>>>>>>> # Global parameters
>>>>>>>>>> [global]
>>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>>> realm = example.com
>>>>>>>>>> netbios name = SERVER
>>>>>>>>>> server role = active directory domain controller
>>>>>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>>>>>>>>> winbind, ntp_signd, kcc, dnsupdate
>>>>>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>>>>>> acl:search=false
>>>>>>>>>> passdb backend = samba4
>>>>>>>>>> template shell = /bin/bash
>>>>>>>>>> # Turn on Server signing
>>>>>>>>>> server signing = auto
>>>>>>>>>>
>>>>>>>>>> [netlogon]
>>>>>>>>>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>>>>>>>> read only = No
>>>>>>>>>>
>>>>>>>>>> [sysvol]
>>>>>>>>>> path = /usr/local/samba/var/locks/sysvol
>>>>>>>>>> read only = No
>>>>>>>>>>
>>>>>>>>>> [home]
>>>>>>>>>> path = /home/EXAMPLE
>>>>>>>>>> read only = No
>>>>>>>>>>
>>>>>>>>>> [profiles]
>>>>>>>>>> path = /home/EXAMPLE/profiles
>>>>>>>>>> read only = No
>>>>>>>>>>
>>>>>>>>>> [dropbox]
>>>>>>>>>> path = /home/EXAMPLE/dropbox
>>>>>>>>>> read only = No
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Samba 3.6.6 on Mint 14
>>>>>>>>>>
>>>>>>>>>> [global]
>>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>>> realm = example.com
>>>>>>>>>> server string = %h client (Samba)
>>>>>>>>>>
>>>>>>>>>> log level = 10
>>>>>>>>>> log file = /var/log/samba/samba.log
>>>>>>>>>> max log size = 4192
>>>>>>>>>>
>>>>>>>>>> security = ADS
>>>>>>>>>> preferred master = no
>>>>>>>>>>
>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>> idmap config * : range = 1100-2000
>>>>>>>>>>
>>>>>>>>>> # idmap config EXAMPLE : backend = ad
>>>>>>>>>> idmap config EXAMPLE : backend = rid
>>>>>>>>>> idmap config EXAMPLE : range = 20000-3100000
>>>>>>>>>> # idmap config EXAMPLE : schema mode = rfc2307
>>>>>>>>>>
>>>>>>>>>> idmap cache time = 120
>>>>>>>>>> idmap negative cache time = 1
>>>>>>>>>>
>>>>>>>>>> winbind use default domain = yes
>>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>>> winbind offline logon = yes
>>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>>> winbind expand groups = 4
>>>>>>>>>> winbind nested groups = yes
>>>>>>>>>> winbind enum users = yes
>>>>>>>>>> winbind enum groups = yes
>>>>>>>>>> winbind separator = +
>>>>>>>>>> template homedir = /home/%D/%U
>>>>>>>>>> template shell = /bin/bash
>>>>>>>>>> usershare allow guests = No
>>>>>>>>>>
>>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>
>>>>>>>>>> ###### ACL related #######
>>>>>>>>>> #For completeness, refer to man page of smb.conf for
>>>>>>>>>> #more details on these 2
>>>>>>>>>> acl compatibility = Auto
>>>>>>>>>> acl check permissions = True
>>>>>>>>>> # map Unix permissions into Windows NT ACLs
>>>>>>>>>> nt acl support = yes
>>>>>>>>>> #extended attributes stored on EXT3 or XFS with user_xattr options
>>>>>>>>>> ea support = yes
>>>>>>>>>> #True: map rwx => Windows Full Control access
>>>>>>>>>> #False: map rwx => equivalent Windows ACL bits
>>>>>>>>>> acl map full control = True
>>>>>>>>>>
>>>>>>>>>> #Users/groups who have write access to the file can modify
>>>>>>>>>> # the permissions (incl. ACL)
>>>>>>>>>> #Ownership of file/dir may also be changed
>>>>>>>>>> #Default: no (disable)
>>>>>>>>>> dos filemode = yes
>>>>>>>>>> # must set (map [hidden|archive|system|read only]) = no
>>>>>>>>>> # Enabled: store DOS attributes onto user.DOSATTRIB file
>>>>>>>>>> # file system must be mounted with user_xattr
>>>>>>>>>> # extended attributes must be compiled into the Linux kernel
>>>>>>>>>> store dos attributes = yes
>>>>>>>>>>
>>>>>>>>>> #these depend on (create mask), however, refer to (store dos
>>>>>>>>>> attributes)
>>>>>>>>>> map hidden = no
>>>>>>>>>> map archive = no
>>>>>>>>>> map system = no
>>>>>>>>>> map read only = no
>>>>>>>>>> # map “inherit” and “protected” flags in Windows ACLs into extended
>>>>>>>>>> #attribute file called user.SAMBA_PAI
>>>>>>>>>> map acl inherit = yes
>>>>>>>>>>
>>>>>>>>>> #allow users to change timestamps, MS Office apps compatible
>>>>>>>>>> dos filetimes = yes
>>>>>>>>>>
>>>>>>>>>> # Turn on unix extensions
>>>>>>>>>> unix extensions = yes
>>>>>>>>>>
>>>>>>>>>> I hope this helps to identify where I am going wrong and thanks
>>>>>>>>>> for any help you can give.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> The problem could be in the distro package of samba; on Ubuntu
>>>>>>>>> 12.04 (version 2:3.6.3-2ubuntu2.4)
>>>>>>>>> the following config (only the relevant part of it shown) works like a
>>>>>>>>> charm:
>>>>>>>>>
>>>>>>>>> [global]
>>>>>>>>>     workgroup = KZSDABAS
>>>>>>>>>     realm = KZSDABAS.HU
>>>>>>>>>     kerberos method = system keytab
>>>>>>>>>     security = ads
>>>>>>>>>      winbind enum groups = yes
>>>>>>>>>      winbind enum users = yes
>>>>>>>>>      idmap config *:backend = tdb
>>>>>>>>>      idmap config *:range = 2000001-3000000
>>>>>>>>>      idmap config KZSDABAS:default = yes
>>>>>>>>>      idmap config KZSDABAS:backend = ad
>>>>>>>>>      idmap config KZSDABAS:range = 0-1000000
>>>>>>>>>      idmap config KZSDABAS:schema_mode = rfc2307
>>>>>>>>>      winbind nss info = rfc2307
>>>>>>>>>      winbind expand groups = 2
>>>>>>>>>      winbind nested groups = yes
>>>>>>>>>      winbind use default domain = yes
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> Geza Gemes
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Ok, so I need another version of Samba3 on the client, but which
>>>>>>>> version?
>>>>>>>>
>>>>>>>> I did consider building 4.0.4 as a fileserver, but cannot find any
>>>>>>>> instructions on how to. I did find a README file in the base build
>>>>>>>> directory of samba4.0.4 on the server, it had this at the top:
>>>>>>>>
>>>>>>>> NOTE: Installation instructions may be found
>>>>>>>>        for the file/print server and domain member in:
>>>>>>>>        docs/htmldocs/Samba3-HOWTO/install.html
>>>>>>>>
>>>>>>>> But, 'ls docs/htmldocs/Samba3-HOWTO/install.html' returns:
>>>>>>>>
>>>>>>>> ls: cannot access docs/htmldocs/Samba3-HOWTO/install.html: No
>>>>>>>> such file or directory
>>>>>>>>
>>>>>>>> So how do I build it? Any pointers to a website etc. would be very
>>>>>>>> much appreciated.
>>>>>>>>
>>>>>>>> Thanks Geza for the help so far.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>
>>>>>>> Hi,
>>>>>>> As I haven't tried it yet, please consider it speculation, but to me
>>>>>>> it seems that samba4 (top level build, just as for the AD) is a perfectly
>>>>>>> capable samba (3-like) client (not AD) solution, if you take the init
>>>>>>> scripts of your distribution and modify the path to /usr/local/samba/sbin,
>>>>>>> where you can find smbd, nmbd and winbind, the three "classic" daemons.
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Geza Gemes
>>>>>>>
>>>>>>>
>>>>>> Ah, if that is the case, I could copy the samba4 build dir on the
>>>>>> server to the client and run 'make install' and then set it up again as per
>>>>>> the original install. Well, it's worth a try to save time ;-)
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>> Well that didn't work, so back to compiling it on the client.
>>>>> Rowland
>>>>>
>>>> Just a sidenote: I usually configure, make and make install samba on a
>>>> development box and scp over (tar-ed) the /usr/local/samba to the machine
>>>> where I want it installed (not too willing to compile programs on the
>>>> servers). Perhaps a bad habit, but I always have an installable copy of the
>>>> latest samba release this way.
>>>>
>>>> Regards
>>>>
>>>> Geza Gemes
>>>>
>>>>
>>>>
>>>>
>>> Ok, well that didn't work either. I downloaded, compiled and installed
>>> Samba4.0.4 and tried to set it up as a domain member using smbd, nmbd and
>>> winbindd. I cannot get the daemons to keep running, mostly smbd; they seem
>>> to start and then stop almost immediately. Has anybody got Samba4 to work
>>> this way, and if so, how?
>>>
>>> Next plan, try to find a later version of Samba 3.6 that I can install on
>>> Mint 14
>>>
>>> Rowland
>>>
>> I think you should file a bug report about smbd (4.0.4).
>> Regards
>>
>> Geza Gemes
>>
> Hello Rowland,
>
> I've not been watching your thread very well, but I tested quite a few
> configurations while working on a similar problem. You may be able to pick
> up some useful bits of info from that thread.
>
> https://lists.samba.org/archive/samba/2012-December/170521.html
>
>
Hi, what I am doing is very similar to what you tried to do. After reading 
what Geza posted and realising that he was doing the ranges the opposite 
way round to what I was doing, I got it to work with samba 3.6.3 on Ubuntu 
server 12.04.

This is the relevant part of smb.conf:

         idmap config *:backend = tdb
         idmap config *:range = 2000001-3000000
         idmap config HOME:default = yes
         idmap config HOME:backend = ad
         idmap config HOME:range = 0-1000000
         idmap config HOME:schema mode = rfc2307

I then tried again on Mint 14 with Samba 3.6.6 with exactly the same 
smb.conf, I got no domain info returned by 'getent passwd'.

I downloaded and compiled 3.6.12 with the same result or rather lack of 
result.

I then tried compiling 4.0.4 with './configure --with-ads 
--with-shared-modules=idmap'
This seemed to work, but all the daemons have to be run with '-D' to 
get them to keep running.
But I had the same problem: whilst 'wbinfo -u' shows all the domain 
users, 'getent passwd' only shows local users.

I am now beginning to think that either something changed after 3.6.3 or 
I am doing something wrong.

Is anybody using a later version than 3.6.3 as a member client against 
S4 AD?

Rowland
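Decoding the objectSid quoted in the ldif above shows where the two uids in this thread come from. This is an added example, not code from the thread: the rid backend derives uid = range low + RID (20000 + 1105 = 21105, the value the client reported), whereas the ad backend reads uidNumber 3000016 from AD and keeps it only if it falls inside the domain's idmap range, which also must not overlap the `*` range. The SID, uidNumber and ranges are copied from the messages above; the helper names are mine.

```python
import base64
import struct

# Values copied from the thread: the user's objectSid from the ldif and the
# rfc2307 uidNumber stored in AD.
OBJECT_SID_B64 = "AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA=="
UID_NUMBER = 3000016

def parse_sid(b64):
    """Decode a binary objectSid into (S-1-5-... string, RID)."""
    raw = base64.b64decode(b64)
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack("<%dI" % sub_count, raw[8:8 + 4 * sub_count])
    sid = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))
    return sid, subs[-1]                                 # last sub-authority is the RID

def rid_backend_uid(rid, low, high):
    """idmap_rid: uid = range low + RID; None when the result leaves the range."""
    uid = low + rid
    return uid if low <= uid <= high else None

def ad_backend_uid(uid_number, low, high):
    """idmap_ad: the range acts as a filter, so a uidNumber outside it is discarded."""
    return uid_number if low <= uid_number <= high else None

def ranges_overlap(a, b):
    """Idmap ranges on a member server must be disjoint from one another."""
    return a[0] <= b[1] and b[0] <= a[1]

def explain(default_range, domain_range):
    """Return the uid each backend would hand out for the thread's user."""
    _, rid = parse_sid(OBJECT_SID_B64)
    return {
        "rid": rid_backend_uid(rid, *domain_range),
        "ad": ad_backend_uid(UID_NUMBER, *domain_range),
        "overlap": ranges_overlap(default_range, domain_range),
    }

if __name__ == "__main__":
    # Client smb.conf from the thread: * 1100-2000, EXAMPLE 20000-3100000
    print(explain((1100, 2000), (20000, 3100000)))
    # Working layout posted later: * 2000001-3000000, domain 0-1000000
    print(explain((2000001, 3000000), (0, 1000000)))
```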




