Samba4 Linux user has two uid's
Rowland Penny
repenny at f2s.com
Sun Mar 24 12:53:18 MDT 2013
On 24/03/13 15:53, Thomas Simmons wrote:
> On Sun, Mar 24, 2013 at 11:38 AM, Rowland Penny <repenny at f2s.com> wrote:
>
> On 24/03/13 12:43, Thomas Simmons wrote:
>
> On Sun, Mar 24, 2013 at 2:38 AM, Gémes Géza <geza at kzsdabas.hu> wrote:
>
> On 2013-03-23 14:16, Rowland Penny wrote:
>
> On 23/03/13 05:39, Gémes Géza wrote:
>
> On 2013-03-22 21:24, Rowland Penny wrote:
>
> On 22/03/13 20:02, Rowland Penny wrote:
>
> On 22/03/13 19:41, Gémes Géza wrote:
>
> On 2013-03-22 19:36, Rowland Penny wrote:
>
> On 22/03/13 17:38, Gémes Géza wrote:
>
> On 2013-03-22 18:09, Rowland Penny wrote:
>
> On 21/03/13 22:10, Gémes Géza wrote:
>
> On 2013-03-21 21:01, Rowland Penny wrote:
>
> Hi,
> If you join a S3 client to a S4 domain you get a different uid on the client and server i.e.
>
> Info from the client
> $ id user
> uid=21105(user) gid=20513(domain_users) groups=20513(domain_users),1101(BUILTIN\users)
>
> Info from the server
> # id user
> uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>
> Now if you mount a share onto the client from the server via pam_script:
>
> mount -t cifs //server/dropbox /home/dropbox -o username=user,cruid=userid,sec=krb5i,multiuser,nobrl,mapchars,mfsymlinks,noserverino
>
> If a file is now created in the share by the user, the user immediately loses all rights to it from the client.
>
> Is this a CIFS problem or a Samba4 problem?
>
> Hi,
>
> Please check that you have the following:
>
> For samba4 use rfc2370 and specify the uids gids (using e.g. ADUC), copy/symlink the libnss files and allow winbind in /etc/nsswitch.conf
>
> These were already setup
>
> For samba3 use idmap_ad with a range that covers the assigned uids/gids.
>
> I was using the rid backend so I tried to convert to ad, but I cannot get it to work, wbinfo shows all domain users & groups but no domain users or groups are shown by getent. With the rid backend 'getent passwd' gives:
>
> administrator:*:20500:20513:Administrator:/home/EXAMPLE/administrator:/bin/bash
> dns-adserver:*:21101:20513:dns-adserver:/home/EXAMPLE/dns-adserver:/bin/bash
> dhcpduser:*:21104:20513:dhcpduser:/home/EXAMPLE/dhcpduser:/bin/bash
> user1:*:21107:20513:user1:/home/EXAMPLE/user1:/bin/bash
> user:*:21105:20513:user:/home/EXAMPLE/user:/bin/bash
> krbtgt:*:20502:20513:krbtgt:/home/EXAMPLE/krbtgt:/bin/bash
> guest:*:20501:20514:Guest:/home/EXAMPLE/guest:/bin/bash
>
> with the ad backend I do not get any of the above
>
> If that is configured and doesn't work as expected please post your smb.conf (both from AD and client system) and an ldif for a user obtained by ldbsearch.
>
> Regards
>
> Geza Gemes
>
> Ok, I cannot make it work, so here are the files you requested
>
> Samba4.0.4 user.ldif
>
> # user, Users, example.com
> dn: CN=user,CN=Users,DC=example,DC=com
> cn: user
> instanceType: 4
> whenCreated: 20130320122306.0Z
> uSNCreated: 3778
> name: user
> objectGUID:: siE+gJgV2kKaQO0qslOkVg==
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: user
> sAMAccountType: 805306368
> userPrincipalName: user at example.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
> pwdLastSet: 130082557870000000
> userAccountControl: 512
> uidNumber: 3000016
> gidNumber: 100
> unixHomeDirectory: /home/EXAMPLE/user
> loginShell: /bin/bash
> profilePath: \\server\profiles\user
> homeDrive: Z:
> homeDirectory: \\server\home\user
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> whenChanged: 20130322130515.0Z
> uSNChanged: 3794
> distinguishedName: CN=user,CN=Users,DC=example,DC=com
>
> Samba4.0.4 smb.conf
>
> # Global parameters
> [global]
> workgroup = EXAMPLE
> realm = example.com
> netbios name = SERVER
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> acl:search=false
> passdb backend = samba4
> template shell = /bin/bash
> # Turn on Server signing
> server signing = auto
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [home]
> path = /home/EXAMPLE
> read only = No
>
> [profiles]
> path = /home/EXAMPLE/profiles
> read only = No
>
> [dropbox]
> path = /home/EXAMPLE/dropbox
> read only = No
>
> Samba 3.6.6 on Mint 14
>
> [global]
> workgroup = EXAMPLE
> realm = example.com
> server string = %h client (Samba)
>
> log level = 10
> log file = /var/log/samba/samba.log
> max log size = 4192
>
> security = ADS
> preferred master = no
>
> idmap config * : backend = tdb
> idmap config * : range = 1100-2000
>
> # idmap config EXAMPLE : backend = ad
> idmap config EXAMPLE : backend = rid
> idmap config EXAMPLE : range = 20000-3100000
> # idmap config EXAMPLE : schema mode = rfc2307
>
> idmap cache time = 120
> idmap negative cache time = 1
>
> winbind use default domain = yes
> winbind nss info = rfc2307
> winbind offline logon = yes
> winbind refresh tickets = Yes
> winbind expand groups = 4
> winbind nested groups = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind separator = +
> template homedir = /home/%D/%U
> template shell = /bin/bash
> usershare allow guests = No
>
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
>
> ###### ACL related #######
> # For completeness, refer to man page of smb.conf for more details on these 2
> acl compatibility = Auto
> acl check permissions = True
> # map Unix permissions into Windows NT ACLs
> nt acl support = yes
> # extended attributes stored on EXT3 or XFS with user_xattr options
> ea support = yes
> # True: map rwx => Windows Full Control access
> # False: map rwx => equivalent Windows ACL bits
> acl map full control = True
>
> # Users/groups who have write access to the file can modify the permissions (incl. ACL)
> # Ownership of file/dir may also be changed
> # Default: no (disable)
> dos filemode = yes
> # must set (map [hidden|archive|system|read only]) = no
> # Enabled: store DOS attributes onto user.DOSATTRIB file
> # file system must be mounted with user_xattr
> # extended attributes must be compiled into the Linux kernel
> store dos attributes = yes
>
> # these depend on (create mask), however, refer to (store dos attributes)
> map hidden = no
> map archive = no
> map system = no
> map read only = no
> # map “inherit” and “protected” flags in Windows ACLs into extended attribute file called user.SAMBA_PAI
> map acl inherit = yes
>
> # allow users change timestamp, MS Office apps compatible
> dos filetimes = yes
>
> # Turn on unix extensions
> unix extensions = yes
>
> I hope this helps to identify where I am going wrong and thanks for any help you can give.
>
> Rowland
>
> Hi,
>
> The problem could be in the distro package of samba, on ubuntu 12.04 (version 2:3.6.3-2ubuntu2.4) the following config (only relevant part of it shown) works like charm:
>
> [global]
> workgroup = KZSDABAS
> realm = KZSDABAS.HU
> kerberos method = system keytab
> security = ads
> winbind enum groups = yes
> winbind enum users = yes
> idmap config *:backend = tdb
> idmap config *:range = 2000001-3000000
> idmap config KZSDABAS:default = yes
> idmap config KZSDABAS:backend = ad
> idmap config KZSDABAS:range = 0-1000000
> idmap config KZSDABAS:schema_mode = rfc2307
> winbind nss info = rfc2307
> winbind expand groups = 2
> winbind nested groups = yes
> winbind use default domain = yes
>
> Regards
>
> Geza Gemes
>
>
> Ok, so I need another version of Samba3 on the client, but which version?
>
> I did consider building 4.0.4 as a fileserver, but cannot find any instructions on how to. I did find a README file in the base build directory of samba4.0.4 on the server, it had this at the top:
>
> NOTE: Installation instructions may be found for the file/print server and domain member in:
>
> docs/htmldocs/Samba3-HOWTO/install.html
>
> But, 'ls docs/htmldocs/Samba3-HOWTO/install.html' returns:
>
> ls: cannot access docs/htmldocs/Samba3-HOWTO/install.html: No such file or directory
>
> So how do I build it, any pointers to a website etc, would be very much appreciated.
>
> Thanks Geza for the help so far.
>
> Rowland
>
>
> Hi,
>
> As I haven't tried it yet please consider it a speculation, but to me it seems, that samba4 (top level build, just as for the AD) is a perfectly capable samba (3-like) client (not AD) solution, if you take the init scripts of your distribution and modify the path to /usr/local/samba/sbin, where you can find smbd nmbd and winbind the three "classic" daemons.
>
> Regards
>
> Geza Gemes
>
>
> Ah, if that is the case, I could copy the samba4 build dir on the server to the client and run 'make install' and then set it up again as per the original install, well, it's worth a try to save time ;-)
>
> Rowland
>
>
> Well that didn't work, so back to compiling it on the client
>
> Rowland
>
> Just a sidenote: I use to configure make and make install samba on a development box and scp over (tar-ed) the /usr/local/samba to the machine where I want it installed (not too willing to compile programs on the servers), perhaps bad habit, but I always have an installable copy of the latest samba release this way.
>
> Regards
>
> Geza Gemes
>
>
> Ok, well that didn't work either, I downloaded, compiled and installed Samba4.0.4 and tried to set it up as a domain member using smbd, nmbd and winbindd. I cannot get the daemons to keep running, mostly smbd, they seem to start and then stop almost immediately. Has anybody got Samba4 to work this way and if so how.
>
> Next plan, try to find a later version of Samba 3.6 that I can install on Mint 14
>
> Rowland
>
> I think you should file a bug report about smbd (4.0.4).
>
> Regards
>
> Geza Gemes
>
> Hello Rowland,
>
> I've not been watching your thread very well, but I tested quite a few configurations while working on a similar problem. You may be able to pick up some useful bits of info from that thread.
>
> https://lists.samba.org/archive/samba/2012-December/170521.html
>
>
> Hi, what I am doing is very similar to what you tried to do, after reading what Geza posted and realising that he was doing the ranges the opposite way round to what I was doing, I got it to work with samba 3.6.3 on Ubuntu server 12.04.
>
> This is the relevant part of smb.conf:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000001-3000000
> idmap config HOME:default = yes
> idmap config HOME:backend = ad
> idmap config HOME:range = 0-1000000
> idmap config HOME:schema mode = rfc2307
>
> I then tried again on Mint 14 with Samba 3.6.6 with exactly the same smb.conf, I got no domain info returned by 'getent passwd'.
>
> I downloaded and compiled 3.6.12 with the same result or rather lack of result.
>
> I then tried compiling 4.0.4 with './configure --with-ads --with-shared-modules=idmap'
> This seemed to work but all the daemons have to be run with '-D' to get them to keep running.
> But I had the same problem, whilst 'wbinfo -u' shows all the domain users, 'getent passwd' only shows local users.
>
> I am now beginning to think that either something changed after 3.6.3 or I am doing something wrong.
>
> Is anybody using a later version than 3.6.3 as a member client against S4 AD?
>
> Rowland
>
> Hello Rowland,
>
> Please note that I resolved that problem by using --with-shared-modules=idmap_ad, not --with-shared-modules=idmap. Unfortunately, I only ran into this while troubleshooting another problem, so the only notes I have are what's on the list. That said, I'm pretty sure I got 3.6.10 working.
>
> Here is where I mention --with-shared-modules=idmap_ad:
>
> https://lists.samba.org/archive/samba/2012-December/170552.html
>
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is
> believed to be clean.
Hi, sorry, cut & paste error, I did use --with-shared-modules=idmap_ad

I have now downloaded and compiled 3.6.13 exactly the same as the others but this is worse.
I cannot join the domain!

net ads join -U Administrator at EXAMPLE.COM
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.

So have I got all the packages installed to compile samba3? I do not know, I cannot find any instructions anywhere on how to compile S3.

Could someone please post a list of debian packages required to compile S3 and confirm the configure line is: ./configure --with-ads --with-shared-modules=idmap_ad

Thanks in advance

Rowland
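The two uids in the opening message (21105 on the rid-backend client, 3000016 in AD) and the idmap ranges traded later in the thread can be checked mechanically. The script below is an added example, not code from the thread or from Samba: it decodes the objectSid from the quoted ldif, works out what idmap_rid would allocate (low end of the domain range plus the RID) against the rfc2307 uidNumber that idmap_ad would use, and flags overlap between the '*' and domain ranges. The ldif values and smb.conf snippet are constructed from what is quoted above.

```python
import base64
import struct

# Constructed from the user ldif and client smb.conf quoted in this thread.
USER_LDIF = {
    "objectSid": "AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==",
    "uidNumber": 3000016,    # rfc2307 uid set in AD (what idmap_ad hands out)
    "primaryGroupID": 513,   # RID of Domain Users
}
CLIENT_SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 1100-2000
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 20000-3100000
"""

def parse_sid(b64):
    """Decode a base64 binary SID (as ldbsearch prints it) into S-1-5-21-... form."""
    raw = base64.b64decode(b64)
    revision, count = raw[0], raw[1]                 # one byte each
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])  # LE uint32s
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def parse_idmap_ranges(smb_conf):
    """Collect 'idmap config NAME : range = lo-hi' lines into {NAME: (lo, hi)}."""
    ranges = {}
    for line in smb_conf.splitlines():
        key, _, val = line.strip().partition("=")
        name, _, option = key[len("idmap config"):].partition(":")
        if key.startswith("idmap config") and option.strip() == "range":
            lo, hi = (int(x) for x in val.strip().split("-"))
            ranges[name.strip()] = (lo, hi)
    return ranges

def explain(ldif, ranges, domain):
    """What each backend would allocate for this user, plus range sanity checks."""
    sid = parse_sid(ldif["objectSid"])
    rid = int(sid.rsplit("-", 1)[1])          # last sub-authority is the RID
    lo, hi = ranges[domain]
    star = ranges.get("*")
    return {
        "sid": sid,
        "rid_uid": lo + rid,                     # idmap_rid: range low end + RID
        "rid_gid": lo + ldif["primaryGroupID"],  # same rule for the primary group
        "ad_uid": ldif["uidNumber"],             # idmap_ad: uidNumber from AD
        "ad_uid_in_range": lo <= ldif["uidNumber"] <= hi,
        "star_overlaps_domain": bool(star) and star[0] <= hi and lo <= star[1],
    }
```

Run against the quoted values it reproduces the client's 21105/20513 from the RID and shows the AD uidNumber 3000016 sits inside the EXAMPLE range, so switching that range to backend = ad (with schema mode rfc2307) is what lines the two sides up.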
More information about the samba-technical
mailing list