Samba4 Linux user has two uid's

Thomas Simmons twsnnva at gmail.com
Sun Mar 24 09:53:56 MDT 2013


On Sun, Mar 24, 2013 at 11:38 AM, Rowland Penny <repenny at f2s.com> wrote:

> On 24/03/13 12:43, Thomas Simmons wrote:
>
>> On Sun, Mar 24, 2013 at 2:38 AM, Gémes Géza <geza at kzsdabas.hu> wrote:
>>
>>  On 2013-03-23 14:16, Rowland Penny wrote:
>>>
>>>  On 23/03/13 05:39, Gémes Géza wrote:
>>>>
>>>>  On 2013-03-22 21:24, Rowland Penny wrote:
>>>>>
>>>>>  On 22/03/13 20:02, Rowland Penny wrote:
>>>>>>
>>>>>>  On 22/03/13 19:41, Gémes Géza wrote:
>>>>>>>
>>>>>>>  On 2013-03-22 19:36, Rowland Penny wrote:
>>>>>>>>
>>>>>>>>  On 22/03/13 17:38, Gémes Géza wrote:
>>>>>>>>>
>>>>>>>>>  On 2013-03-22 18:09, Rowland Penny wrote:
>>>>>>>>>>
>>>>>>>>>>  On 21/03/13 22:10, Gémes Géza wrote:
>>>>>>>>>>>
>>>>>>>>>>>  On 2013-03-21 21:01, Rowland Penny wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>  Hi,
>>>>>>>>>>>>> If you join a S3 client to a S4 domain you get a different uid
>>>>>>>>>>>>> on the client and server i.e.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Info from the client
>>>>>>>>>>>>> $ id user
>>>>>>>>>>>>> uid=21105(user) gid=20513(domain_users)
>>>>>>>>>>>>> groups=20513(domain_users),1101(BUILTIN\users)
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Info from the server
>>>>>>>>>>>>> # id user
>>>>>>>>>>>>> uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Now if you mount a share onto the client from the server via
>>>>>>>>>>>>> pam_script:
>>>>>>>>>>>>>
>>>>>>>>>>>>> mount -t cifs //server/dropbox /home/dropbox -o
>>>>>>>>>>>>> username=user,cruid=userid,sec=krb5i,multiuser,nobrl,
>>>>>>>>>>>>> mapchars,mfsymlinks,noserverino
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> If a file is now created in the share by the user, the user
>>>>>>>>>>>>> immediately loses all rights to it from the client.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Is this a CIFS problem or a Samba4 problem?
>>>>>>>>>>>>>
>>>>>>>>>>>>>   Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>> Please check that you have the following:
>>>>>>>>>>>>
>>>>>>>>>>>> For samba4 use rfc2370 and specify the uids gids (using e.g.
>>>>>>>>>>>> ADUC), copy/symlink the libnss files and allow winbind in
>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>
>>>>>>>>>>>>  These were already setup
>>>>>>>>>>>
>>>>>>>>>>>   For samba3 use idmap_ad with a range that covers the assigned
>>>>>>>>>>>
>>>>>>>>>>>> uids/gids.
>>>>>>>>>>>>
>>>>>>>>>>>>  I was using the rid backend so I tried to convert to ad, but I
>>>>>>>>>>> cannot get it to work, wbinfo shows all domain users & groups
>>>>>>>>>>> but no domain
>>>>>>>>>>> users or groups are shown by getent. With the rid backend
>>>>>>>>>>> 'getent passwd'
>>>>>>>>>>> gives:
>>>>>>>>>>>
>>>>>>>>>>> administrator:*:20500:20513:Administrator:/home/EXAMPLE/administrator:/bin/bash
>>>>>>>>>>> dns-adserver:*:21101:20513:dns-adserver:/home/EXAMPLE/dns-adserver:/bin/bash
>>>>>>>>>>> dhcpduser:*:21104:20513:dhcpduser:/home/EXAMPLE/dhcpduser:/bin/bash
>>>>>>>>>>> user1:*:21107:20513:user1:/home/EXAMPLE/user1:/bin/bash
>>>>>>>>>>> user:*:21105:20513:user:/home/EXAMPLE/user:/bin/bash
>>>>>>>>>>> krbtgt:*:20502:20513:krbtgt:/home/EXAMPLE/krbtgt:/bin/bash
>>>>>>>>>>> guest:*:20501:20514:Guest:/home/EXAMPLE/guest:/bin/bash
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> with the ad backend I do not get any of the above
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>  If that is configured and don't work as expected please post
>>>>>>>>>>>> your
>>>>>>>>>>>> smb.conf (both from AD and client system) and an ldif for an
>>>>>>>>>>>> user obtained
>>>>>>>>>>>> by ldbsearch.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards
>>>>>>>>>>>>
>>>>>>>>>>>> Geza Gemes
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>   Ok, I cannot make it work, so here are the files you requested
>>>>>>>>>>>>
>>>>>>>>>>> Samba4.0.4 user.ldif
>>>>>>>>>>>
>>>>>>>>>>> # user, Users, example.com
>>>>>>>>>>> dn: CN=user,CN=Users,DC=example,DC=com
>>>>>>>>>>>
>>>>>>>>>>> cn: user
>>>>>>>>>>> instanceType: 4
>>>>>>>>>>> whenCreated: 20130320122306.0Z
>>>>>>>>>>> uSNCreated: 3778
>>>>>>>>>>> name: user
>>>>>>>>>>> objectGUID:: siE+gJgV2kKaQO0qslOkVg==
>>>>>>>>>>> badPwdCount: 0
>>>>>>>>>>> codePage: 0
>>>>>>>>>>> countryCode: 0
>>>>>>>>>>> badPasswordTime: 0
>>>>>>>>>>> lastLogoff: 0
>>>>>>>>>>> lastLogon: 0
>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>> objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
>>>>>>>>>>>
>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>> logonCount: 0
>>>>>>>>>>> sAMAccountName: user
>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>> userPrincipalName: user at example.com
>>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>>>>>>>>>>>
>>>>>>>>>>> pwdLastSet: 130082557870000000
>>>>>>>>>>> userAccountControl: 512
>>>>>>>>>>> uidNumber: 3000016
>>>>>>>>>>> gidNumber: 100
>>>>>>>>>>> unixHomeDirectory: /home/EXAMPLE/user
>>>>>>>>>>> loginShell: /bin/bash
>>>>>>>>>>> profilePath: \\server\profiles\user
>>>>>>>>>>> homeDrive: Z:
>>>>>>>>>>> homeDirectory: \\server\home\user
>>>>>>>>>>> objectClass: top
>>>>>>>>>>> objectClass: posixAccount
>>>>>>>>>>> objectClass: person
>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>> objectClass: user
>>>>>>>>>>> whenChanged: 20130322130515.0Z
>>>>>>>>>>> uSNChanged: 3794
>>>>>>>>>>> distinguishedName: CN=user,CN=Users,DC=example,DC=com
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Samba4.0.4 smb.conf
>>>>>>>>>>>
>>>>>>>>>>> # Global parameters
>>>>>>>>>>> [global]
>>>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>>>> realm = example.com
>>>>>>>>>>> netbios name = SERVER
>>>>>>>>>>> server role = active directory domain controller
>>>>>>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>>>>>>>>>> winbind, ntp_signd, kcc, dnsupdate
>>>>>>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>>>>>>> acl:search=false
>>>>>>>>>>> passdb backend = samba4
>>>>>>>>>>> template shell = /bin/bash
>>>>>>>>>>> # Turn on Server signing
>>>>>>>>>>> server signing = auto
>>>>>>>>>>>
>>>>>>>>>>> [netlogon]
>>>>>>>>>>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>>>>>>>>>
>>>>>>>>>>> read only = No
>>>>>>>>>>>
>>>>>>>>>>> [sysvol]
>>>>>>>>>>> path = /usr/local/samba/var/locks/sysvol
>>>>>>>>>>>
>>>>>>>>>>> read only = No
>>>>>>>>>>>
>>>>>>>>>>> [home]
>>>>>>>>>>> path = /home/EXAMPLE
>>>>>>>>>>> read only = No
>>>>>>>>>>>
>>>>>>>>>>> [profiles]
>>>>>>>>>>> path = /home/EXAMPLE/profiles
>>>>>>>>>>> read only = No
>>>>>>>>>>>
>>>>>>>>>>> [dropbox]
>>>>>>>>>>> path = /home/EXAMPLE/dropbox
>>>>>>>>>>> read only = No
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Samba 3.6.6 on Mint 14
>>>>>>>>>>>
>>>>>>>>>>> [global]
>>>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>>>> realm = example.com
>>>>>>>>>>> server string = %h client (Samba)
>>>>>>>>>>>
>>>>>>>>>>> log level = 10
>>>>>>>>>>> log file = /var/log/samba/samba.log
>>>>>>>>>>> max log size = 4192
>>>>>>>>>>>
>>>>>>>>>>> security = ADS
>>>>>>>>>>> preferred master = no
>>>>>>>>>>>
>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>> idmap config * : range = 1100-2000
>>>>>>>>>>>
>>>>>>>>>>> # idmap config EXAMPLE : backend = ad
>>>>>>>>>>> idmap config EXAMPLE : backend = rid
>>>>>>>>>>> idmap config EXAMPLE : range = 20000-3100000
>>>>>>>>>>> # idmap config EXAMPLE : schema mode = rfc2307
>>>>>>>>>>>
>>>>>>>>>>> idmap cache time = 120
>>>>>>>>>>> idmap negative cache time = 1
>>>>>>>>>>>
>>>>>>>>>>> winbind use default domain = yes
>>>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>>>> winbind offline logon = yes
>>>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>>>> winbind expand groups = 4
>>>>>>>>>>> winbind nested groups = yes
>>>>>>>>>>> winbind enum users = yes
>>>>>>>>>>> winbind enum groups = yes
>>>>>>>>>>> winbind separator = +
>>>>>>>>>>> template homedir = /home/%D/%U
>>>>>>>>>>> template shell = /bin/bash
>>>>>>>>>>> usershare allow guests = No
>>>>>>>>>>>
>>>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>
>>>>>>>>>>> ###### ACL related #######
>>>>>>>>>>> #For completeness, refer to man page of smb.conf for
>>>>>>>>>>> #more details on these 2
>>>>>>>>>>> acl compatibility = Auto
>>>>>>>>>>> acl check permissions = True
>>>>>>>>>>> # map Unix permissions into Windows NT ACLs
>>>>>>>>>>> nt acl support = yes
>>>>>>>>>>> #extended attributes stored on EXT3 or XFS with user_xattr
>>>>>>>>>>> options
>>>>>>>>>>> ea support = yes
>>>>>>>>>>> #True: map rwx => Windows Full Control access
>>>>>>>>>>> #False: map rwx => equivalent Windows ACL bits
>>>>>>>>>>> acl map full control = True
>>>>>>>>>>>
>>>>>>>>>>> #Users/groups who have write access to the file can modify
>>>>>>>>>>> # the permissions (incl. ACL)
>>>>>>>>>>> #Ownership of file/dir may also be changed
>>>>>>>>>>> #Default: no (disable)
>>>>>>>>>>> dos filemode = yes
>>>>>>>>>>> # must set (map [hidden|archive|system|read only]) = no
>>>>>>>>>>> # Enabled: store DOS attributes onto user.DOSATTRIB file
>>>>>>>>>>> # file system must be mounted with user_xattr
>>>>>>>>>>> # extended attributes must be compiled into the Linux kernel
>>>>>>>>>>> store dos attributes = yes
>>>>>>>>>>>
>>>>>>>>>>> #these depend on (create mask), however, refer to (store dos
>>>>>>>>>>> attributes)
>>>>>>>>>>> map hidden = no
>>>>>>>>>>> map archive = no
>>>>>>>>>>> map system = no
>>>>>>>>>>> map read only = no
>>>>>>>>>>> # map “inherit” and “protected” flags in Windows ACLs into
>>>>>>>>>>> extended
>>>>>>>>>>> #attribute file called user.SAMBA_PAI
>>>>>>>>>>> map acl inherit = yes
>>>>>>>>>>>
>>>>>>>>>>> #allow users to change timestamps, MS Office apps compatible
>>>>>>>>>>> dos filetimes = yes
>>>>>>>>>>>
>>>>>>>>>>> # Turn on unix extensions
>>>>>>>>>>> unix extensions = yes
>>>>>>>>>>>
>>>>>>>>>>> I hope this helps to identify where I am going wrong and thanks
>>>>>>>>>>> for any help you can give.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>>   Hi,
>>>>>>>>>>>
>>>>>>>>>> The problem could be in the distro package of samba, on ubuntu
>>>>>>>>>> 12.04 ( version 2:3.6.3-2ubuntu2.4)
>>>>>>>>>> The following config (only relevant part of it shown) works like
>>>>>>>>>> charm:
>>>>>>>>>>
>>>>>>>>>> [global]
>>>>>>>>>>     workgroup = KZSDABAS
>>>>>>>>>>     realm = KZSDABAS.HU
>>>>>>>>>>     kerberos method = system keytab
>>>>>>>>>>     security = ads
>>>>>>>>>>      winbind enum groups = yes
>>>>>>>>>>      winbind enum users = yes
>>>>>>>>>>      idmap config *:backend = tdb
>>>>>>>>>>      idmap config *:range = 2000001-3000000
>>>>>>>>>>      idmap config KZSDABAS:default = yes
>>>>>>>>>>      idmap config KZSDABAS:backend = ad
>>>>>>>>>>      idmap config KZSDABAS:range = 0-1000000
>>>>>>>>>>      idmap config KZSDABAS:schema_mode = rfc2307
>>>>>>>>>>      winbind nss info = rfc2307
>>>>>>>>>>      winbind expand groups = 2
>>>>>>>>>>      winbind nested groups = yes
>>>>>>>>>>      winbind use default domain = yes
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>>
>>>>>>>>>> Geza Gemes
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>   Ok, so I need another version of Samba3 on the client, but which
>>>>>>>>>>
>>>>>>>>> version?
>>>>>>>>>
>>>>>>>>> I did consider building 4.0.4 as a fileserver, but cannot find any
>>>>>>>>> instructions on how to. I did find a README file in the base build
>>>>>>>>> directory of samba4.0.4 on the server, it had this at the top:
>>>>>>>>>
>>>>>>>>> NOTE: Installation instructions may be found
>>>>>>>>>        for the file/print server and domain member in:
>>>>>>>>>        docs/htmldocs/Samba3-HOWTO/install.html
>>>>>>>>>
>>>>>>>>> But, 'ls docs/htmldocs/Samba3-HOWTO/install.html' returns:
>>>>>>>>>
>>>>>>>>> ls: cannot access docs/htmldocs/Samba3-HOWTO/install.html: No
>>>>>>>>> such file or directory
>>>>>>>>>
>>>>>>>>> So how do I build it, any pointers to a website etc, would be very
>>>>>>>>> much appreciated.
>>>>>>>>>
>>>>>>>>> Thanks Geza for the help so far.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>   Hi,
>>>>>>>>>
>>>>>>>> As I haven't tried it yet please consider it a speculation, but to
>>>>>>>> me
>>>>>>>> it seems, that samba4 (top level build, just as for the AD) is a
>>>>>>>> perfectly
>>>>>>>> capable samba (3-like) client (not AD) solution, if you take the
>>>>>>>> init
>>>>>>>> scripts of your distribution and modify the path to
>>>>>>>> /usr/local/samba/sbin,
>>>>>>>> where you can find smbd nmbd and winbind the three "classic"
>>>>>>>> daemons.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> Geza Gemes
>>>>>>>>
>>>>>>>>
>>>>>>>>   Ah, if that is the case, I could copy the samba4 build dir on the
>>>>>>>>
>>>>>>> server to the client and run 'make install' and then set it up again
>>>>>>> as per
>>>>>>> the original install, well, it's worth a try to save time ;-)
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>
>>>>>>>   Well that didn't work, so back to compiling it on the client
>>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>   Just a sidenote: I use to configure make and make install samba on a
>>>>>>
>>>>> development box and scp over (tar-ed) the /usr/local/samba to the
>>>>> machine
>>>>> where I want it installed (not to willing to compile programs on the
>>>>> servers), perhaps bad habit, but I always have an installable copy of
>>>>> the
>>>>> latest samba release this way.
>>>>>
>>>>> Regards
>>>>>
>>>>> Geza Gemes
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>   Ok, well that didn't work either, I downloaded, compiled and
>>>>> installed
>>>>>
>>>> Samba4.0.4 and tried to set it up as a domain member using smbd, nmbd
>>>> and
>>>> winbindd. I cannot get the daemons to keep running, mostly smbd, they
>>>> seem
>>>> to start and then stop almost immediately. Has anybody got Samba4 to
>>>> work
>>>> this way and if so how.
>>>>
>>>> Next plan, try to find a later version of Samba 3.6 that I can install
>>>> on
>>>> Mint 14
>>>>
>>>> Rowland
>>>>
>>>>   I think you should file a bug report about smbd (4.0.4).
>>>>
>>> Regards
>>>
>>> Geza Gemes
>>>
>>>  Hello Rowland,
>>
>> I've not been watching your thread very well, but I tested quite a few
>> configurations while working on a similar problem. You may be able to pick
>> up some useful bits of info from that thread.
>>
>> https://lists.samba.org/archive/samba/2012-December/170521.html
>>
>>
>>  Hi, what I am doing is very similar to what you tried to do, after reading
> what Geza posted and realising that he was doing the ranges the opposite
> way round to what I was doing, I got it to work with samba 3.6.3 on Ubuntu
> server 12.04.
>
> This is the relevant part of smb.conf:
>
>
>         idmap config *:backend = tdb
>         idmap config *:range = 2000001-3000000
>         idmap config HOME:default = yes
>         idmap config HOME:backend = ad
>         idmap config HOME:range = 0-1000000
>         idmap config HOME:schema mode = rfc2307
>
> I then tried again on Mint 14 with Samba 3.6.6 with exactly the same
> smb.conf, I got no domain info returned by 'getent passwd'.
>
> I downloaded and compiled 3.6.12 with the same result or rather lack of
> result.
>
> I then tried compiling 4.0.4 with './configure --with-ads
> --with-shared-modules=idmap'
> This seemed to work but all the daemons have to be run with '-D' to get
> them to keep running.
> But I had the same problem, whilst 'wbinfo -u' shows all the domain users,
> 'getent passwd' only shows local users.
>
> I am now beginning to think that either something changed after 3.6.3 or I
> am doing something wrong.
>
> Is anybody using a later version than 3.6.3 as a member client against S4
> AD?
>
> Rowland
>
> Hello Rowland,

Please note that I resolved that problem by using
--with-shared-modules=idmap_ad, not --with-shared-modules=idmap.
Unfortunately, I only ran into this while troubleshooting another problem,
so the only notes I have are what's on the list. That said, I'm pretty sure
I got 3.6.10 working.

Here is where I mention --with-shared-modules=idmap_ad:

https://lists.samba.org/archive/samba/2012-December/170552.html
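As an added example (not part of the thread and not Samba's code), the following Python 3 script decodes the objectSid from the LDIF Rowland posted and shows why the two uids differ: with the rid backend the client derives uid = low end of the domain range + RID (20000 + 1105 = 21105), while the DC serves the rfc2307 uidNumber 3000016, and with the ad backend that uidNumber additionally has to fall inside the configured range, as Geza noted. It assumes the documented idmap_rid mapping (uid = range low + RID); the LDIF and smb.conf excerpts are constructed from the values quoted above.

```python
import base64, re, struct

# Constructed excerpts of the files quoted in the thread: the user's LDIF from
# the Samba 4 DC and the idmap lines of the Samba 3 client's rid-backend smb.conf.
USER_LDIF = """\
objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
uidNumber: 3000016
"""
CLIENT_SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 1100-2000
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 20000-3100000
"""

def decode_sid(b64):
    """Unpack a base64 binary objectSid into its S-1-... string and its RID."""
    raw = base64.b64decode(b64)
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")  # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])  # 32-bit LE each
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs))), subs[-1]

def ldif_attrs(ldif):
    """Map attribute -> value for one LDIF entry (base64 values left encoded)."""
    return {m.group(1): m.group(3) for m in
            (re.match(r"^([A-Za-z]+):(:?) (.*)$", l) for l in ldif.splitlines()) if m}

def idmap_config(conf):
    """Collect 'idmap config DOMAIN : option = value' lines per domain."""
    cfg = {}
    for line in conf.splitlines():
        m = re.match(r"^\s*idmap config\s*([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if m:
            cfg.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return cfg

def compare_uids(ldif, conf, domain):
    """uidNumber stored in AD versus the uid the client's idmap backend yields."""
    attrs, cfg = ldif_attrs(ldif), idmap_config(conf)
    sid, rid = decode_sid(attrs["objectSid"])
    server_uid = int(attrs["uidNumber"])
    low, high = (int(x) for x in cfg[domain]["range"].split("-"))
    if cfg[domain]["backend"] == "rid":
        client_uid = low + rid      # idmap_rid (assumed): uid = range low + RID
    else:
        client_uid = server_uid     # idmap_ad (rfc2307): uidNumber read from AD
    in_range = low <= client_uid <= high
    return {"sid": sid, "rid": rid, "server_uid": server_uid, "client_uid": client_uid,
            "in_range": in_range, "consistent": in_range and client_uid == server_uid}
```

Run `compare_uids(USER_LDIF, CLIENT_SMB_CONF, "EXAMPLE")` to see the 21105 vs 3000016 mismatch from the first post; swapping in an `ad` backend with a `0-1000000` range reports the uidNumber as out of range instead.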


More information about the samba-technical mailing list