Samba4 Linux user has two uid's

Rowland Penny repenny at f2s.com
Mon Mar 25 04:25:33 MDT 2013


On 24/03/13 20:01, Gémes Géza wrote:
> On 2013-03-24 19:53, Rowland Penny wrote:
>> On 24/03/13 15:53, Thomas Simmons wrote:
>>> On Sun, Mar 24, 2013 at 11:38 AM, Rowland Penny <repenny at f2s.com> wrote:
>>>
>>>     On 24/03/13 12:43, Thomas Simmons wrote:
>>>
>>>         On Sun, Mar 24, 2013 at 2:38 AM, Gémes Géza <geza at kzsdabas.hu> wrote:
>>>
>>>             On 2013-03-23 14:16, Rowland Penny wrote:
>>>
>>>                 On 23/03/13 05:39, Gémes Géza wrote:
>>>
>>>                     On 2013-03-22 21:24, Rowland Penny wrote:
>>>
>>>                         On 22/03/13 20:02, Rowland Penny wrote:
>>>
>>>                             On 22/03/13 19:41, Gémes Géza wrote:
>>>
>>>                                 On 2013-03-22 19:36, Rowland Penny wrote:
>>>
>>>                                     On 22/03/13 17:38, Gémes Géza 
>>> wrote:
>>>
>>>                                         On 2013-03-22 18:09, Rowland Penny wrote:
>>>
>>>                                             On 21/03/13 22:10, Gémes
>>>                                             Géza wrote:
>>>
>>>                                                 On 2013-03-21 21:01, Rowland Penny wrote:
>>>
>>>                                                     Hi,
>>>                                                     If you join a S3
>>>                                                     client to a S4
>>>                                                     domain you get a
>>>                                                     different uid
>>>                                                     on the client and
>>>                                                     server i.e.
>>>
>>>                                                     Info from the client
>>>                                                     $ id user
>>>                                                     uid=21105(user) gid=20513(domain_users) groups=20513(domain_users),1101(BUILTIN\users)
>>>
>>>
>>>
>>>                                                     Info from the server
>>>                                                     # id user
>>>                                                     uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>>>
>>>                                                     Now if you mount a
>>>                                                     share onto the
>>>                                                     client from the
>>>                                                     server via pam_script:
>>>
>>>                                                     mount -t cifs //server/dropbox /home/dropbox -o username=user,cruid=userid,sec=krb5i,multiuser,nobrl,mapchars,mfsymlinks,noserverino
>>>
>>>
>>>
>>>                                                     If a file is now
>>>                                                     created in the
>>>                                                     share by the user,
>>>                                                     the user
>>> immediately loses
>>>                                                     all rights to it
>>>                                                     from the client.
>>>
>>>                                                     Is this a CIFS
>>>                                                     problem or a
>>>                                                     Samba4 problem?
>>>
>>>                                                       Hi,
>>>
>>>                                                 Please check that you
>>>                                                 have the following:
>>>
>>>                                                 For samba4 use rfc2307
>>>                                                 and specify the uids
>>>                                                 gids (using e.g.
>>>                                                 ADUC), copy/symlink
>>>                                                 the libnss files and
>>>                                                 allow winbind in
>>> /etc/nsswitch.conf
>>>
>>>                                             These were already setup
>>>
>>>                                               For samba3 use idmap_ad
>>>                                             with a range that covers
>>>                                             the assigned
>>>
>>>                                                 uids/gids.
>>>
>>>                                             I was using the rid
>>>                                             backend so I tried to
>>>                                             convert to ad, but I
>>>                                             cannot get it to work,
>>>                                             wbinfo shows all domain
>>>                                             users & groups but no domain
>>>                                             users or groups are shown
>>>                                             by getent. With the rid
>>>                                             backend 'getent passwd'
>>>                                             gives:
>>>
>>> administrator:*:20500:20513:Administrator:/home/EXAMPLE/administrator:/bin/bash
>>> dns-adserver:*:21101:20513:dns-adserver:/home/EXAMPLE/dns-adserver:/bin/bash
>>> dhcpduser:*:21104:20513:dhcpduser:/home/EXAMPLE/dhcpduser:/bin/bash
>>> user1:*:21107:20513:user1:/home/EXAMPLE/user1:/bin/bash
>>> user:*:21105:20513:user:/home/EXAMPLE/user:/bin/bash
>>> krbtgt:*:20502:20513:krbtgt:/home/EXAMPLE/krbtgt:/bin/bash
>>> guest:*:20501:20514:Guest:/home/EXAMPLE/guest:/bin/bash
>>>
>>>
>>>
>>>                                             with the ad backend I do
>>>                                             not get any of the above
>>>
>>>
>>>                                                 If that is configured
>>>                                                 and don't work as
>>>                                                 expected please post 
>>> your
>>>                                                 smb.conf (both from AD
>>>                                                 and client system) and
>>>                                                 an ldif for an user
>>>                                                 obtained
>>>                                                 by ldbsearch.
>>>
>>>                                                 Regards
>>>
>>>                                                 Geza Gemes
>>>
>>>
>>>                                                   Ok, I cannot make it
>>>                                                 work, so here are the
>>>                                                 files you requested
>>>
>>>                                             Samba4.0.4 user.ldif
>>>
>>>                                             # user, Users, example.com
>>>                                             dn: CN=user,CN=Users,DC=example,DC=com
>>>                                             cn: user
>>>                                             instanceType: 4
>>>                                             whenCreated: 20130320122306.0Z
>>>                                             uSNCreated: 3778
>>>                                             name: user
>>>                                             objectGUID:: siE+gJgV2kKaQO0qslOkVg==
>>>                                             badPwdCount: 0
>>>                                             codePage: 0
>>>                                             countryCode: 0
>>>                                             badPasswordTime: 0
>>>                                             lastLogoff: 0
>>>                                             lastLogon: 0
>>>                                             primaryGroupID: 513
>>>                                             objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
>>>                                             accountExpires: 9223372036854775807
>>>                                             logonCount: 0
>>>                                             sAMAccountName: user
>>>                                             sAMAccountType: 805306368
>>>                                             userPrincipalName: user@example.com
>>>                                             objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>>>                                             pwdLastSet: 130082557870000000
>>>                                             userAccountControl: 512
>>>                                             uidNumber: 3000016
>>>                                             gidNumber: 100
>>>                                             unixHomeDirectory: /home/EXAMPLE/user
>>>                                             loginShell: /bin/bash
>>>                                             profilePath: \\server\profiles\user
>>>                                             homeDrive: Z:
>>>                                             homeDirectory: \\server\home\user
>>>                                             objectClass: top
>>>                                             objectClass: posixAccount
>>>                                             objectClass: person
>>>                                             objectClass: organizationalPerson
>>>                                             objectClass: user
>>>                                             whenChanged: 20130322130515.0Z
>>>                                             uSNChanged: 3794
>>>                                             distinguishedName: CN=user,CN=Users,DC=example,DC=com
>>>
>>>
>>>
>>>                                             Samba4.0.4 smb.conf
>>>
>>>                                             # Global parameters
>>>                                             [global]
>>>                                             workgroup = EXAMPLE
>>>                                             realm = example.com
>>>                                             netbios name = SERVER
>>>                                             server role = active directory domain controller
>>>                                             server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>                                             idmap_ldb:use rfc2307 = yes
>>>                                             acl:search=false
>>>                                             passdb backend = samba4
>>>                                             template shell = /bin/bash
>>>                                             # Turn on Server signing
>>>                                             server signing = auto
>>>
>>>                                             [netlogon]
>>>                                             path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>                                             read only = No
>>>
>>>                                             [sysvol]
>>>                                             path = /usr/local/samba/var/locks/sysvol
>>>                                             read only = No
>>>
>>>                                             [home]
>>>                                             path = /home/EXAMPLE
>>>                                             read only = No
>>>
>>>                                             [profiles]
>>>                                             path = /home/EXAMPLE/profiles
>>>                                             read only = No
>>>
>>>                                             [dropbox]
>>>                                             path = /home/EXAMPLE/dropbox
>>>                                             read only = No
>>>
>>>
>>>                                             Samba 3.6.6 on Mint 14
>>>
>>>                                             [global]
>>>                                             workgroup = EXAMPLE
>>>                                             realm = example.com
>>>                                             server string = %h client (Samba)
>>>
>>>                                             log level = 10
>>>                                             log file = /var/log/samba/samba.log
>>>                                             max log size = 4192
>>>
>>>                                             security = ADS
>>>                                             preferred master = no
>>>
>>>                                             idmap config * : backend = tdb
>>>                                             idmap config * : range = 1100-2000
>>>
>>>                                             # idmap config EXAMPLE : backend = ad
>>>                                             idmap config EXAMPLE : backend = rid
>>>                                             idmap config EXAMPLE : range = 20000-3100000
>>>                                             # idmap config EXAMPLE : schema mode = rfc2307
>>>
>>>                                             idmap cache time = 120
>>>                                             idmap negative cache time = 1
>>>
>>>                                             winbind use default domain = yes
>>>                                             winbind nss info = rfc2307
>>>                                             winbind offline logon = yes
>>>                                             winbind refresh tickets = Yes
>>>                                             winbind expand groups = 4
>>>                                             winbind nested groups = yes
>>>                                             winbind enum users = yes
>>>                                             winbind enum groups = yes
>>>                                             winbind separator = +
>>>                                             template homedir = /home/%D/%U
>>>                                             template shell = /bin/bash
>>>                                             usershare allow guests = No
>>>
>>>                                             kerberos method = secrets and keytab
>>>                                             dedicated keytab file = /etc/krb5.keytab
>>>
>>>                                             ###### ACL related #######
>>>                                             # For completeness, refer to man page of smb.conf for
>>>                                             # more details on these 2
>>>                                             acl compatibility = Auto
>>>                                             acl check permissions = True
>>>                                             # map Unix permissions into Windows NT ACLs
>>>                                             nt acl support = yes
>>>                                             # extended attributes stored on EXT3 or XFS with user_xattr options
>>>                                             ea support = yes
>>>                                             # True: map rwx => Windows Full Control access
>>>                                             # False: map rwx => equivalent Windows ACL bits
>>>                                             acl map full control = True
>>>
>>>                                             # Users/groups who have write access to the file can modify
>>>                                             # the permissions (incl. ACL)
>>>                                             # Ownership of file/dir may also be changed
>>>                                             # Default: no (disable)
>>>                                             dos filemode = yes
>>>                                             # must set (map [hidden|archive|system|read only]) = no
>>>                                             # Enabled: store DOS attributes onto user.DOSATTRIB file
>>>                                             # file system must be mounted with user_xattr
>>>                                             # extended attributes must be compiled into the Linux kernel
>>>                                             store dos attributes = yes
>>>
>>>                                             # these depend on (create mask), however, refer to (store dos attributes)
>>>                                             map hidden = no
>>>                                             map archive = no
>>>                                             map system = no
>>>                                             map read only = no
>>>                                             # map "inherit" and "protected" flags in Windows ACLs into extended
>>>                                             # attribute file called user.SAMBA_PAI
>>>                                             map acl inherit = yes
>>>
>>>                                             # allow users to change timestamps, MS Office apps compatible
>>>                                             dos filetimes = yes
>>>
>>>                                             # Turn on unix extensions
>>>                                             unix extensions = yes
>>>
>>>                                             I hope this helps to
>>>                                             identify where I am going
>>>                                             wrong and thanks
>>>                                             for any help you can give.
>>>
>>>                                             Rowland
>>>
>>>                                               Hi,
>>>
>>>                                         The problem could be in the
>>>                                         distro package of samba, on ubuntu
>>>                                         12.04 (version 2:3.6.3-2ubuntu2.4).
>>>                                         The following config (only the
>>>                                         relevant part of it shown)
>>>                                         works like a charm:
>>>
>>>                                         [global]
>>>                                             workgroup = KZSDABAS
>>>                                             realm = KZSDABAS.HU
>>>                                             kerberos method = system keytab
>>>                                             security = ads
>>>                                             winbind enum groups = yes
>>>                                             winbind enum users = yes
>>>                                             idmap config *:backend = tdb
>>>                                             idmap config *:range = 2000001-3000000
>>>                                             idmap config KZSDABAS:default = yes
>>>                                             idmap config KZSDABAS:backend = ad
>>>                                             idmap config KZSDABAS:range = 0-1000000
>>>                                             idmap config KZSDABAS:schema_mode = rfc2307
>>>                                             winbind nss info = rfc2307
>>>                                             winbind expand groups = 2
>>>                                             winbind nested groups = yes
>>>                                             winbind use default domain = yes
>>>
>>>                                         Regards
>>>
>>>                                         Geza Gemes
>>>
>>>
>>>                                           Ok, so I need another
>>>                                         version of Samba3 on the
>>>                                         client, but which version?
>>>
>>>                                     I did consider building 4.0.4 as a
>>>                                     fileserver, but cannot find any
>>>                                     instructions on how to. I did find
>>>                                     a README file in the base build
>>>                                     directory of samba4.0.4 on the
>>>                                     server, it had this at the top:
>>>
>>>                                     NOTE: Installation instructions may be found
>>>                                            for the file/print server and domain member in:
>>>                                            docs/htmldocs/Samba3-HOWTO/install.html
>>>
>>>                                     But, 'ls docs/htmldocs/Samba3-HOWTO/install.html'
>>>                                     returns:
>>>
>>>                                     ls: cannot access docs/htmldocs/Samba3-HOWTO/install.html:
>>>                                     No such file or directory
>>>
>>>                                     So how do I build it, any pointers
>>>                                     to a website etc, would be very
>>>                                     much appreciated.
>>>
>>>                                     Thanks Geza for the help so far.
>>>
>>>                                     Rowland
>>>
>>>
>>>                                       Hi,
>>>
>>>                                 As I haven't tried it yet please
>>>                                 consider it speculation, but to me
>>>                                 it seems that samba4 (top level
>>>                                 build, just as for the AD) is a perfectly
>>>                                 capable samba (3-like) client (not AD)
>>>                                 solution, if you take the init
>>>                                 scripts of your distribution and
>>>                                 modify the path to /usr/local/samba/sbin,
>>>                                 where you can find smbd, nmbd and
>>>                                 winbind, the three "classic" daemons.
>>>
>>>                                 Regards
>>>
>>>                                 Geza Gemes
>>>
>>>
>>>                                   Ah, if that is the case, I could
>>>                                 copy the samba4 build dir on the
>>>                             server to the client and run 'make
>>>                             install' and then set it up again as per
>>>                             the original install, well, it's worth a
>>>                             try to save time ;-)
>>>
>>>                             Rowland
>>>
>>>
>>>                               Well that didn't work, so back to
>>>                             compiling it on the client
>>>
>>>                         Rowland
>>>
>>>                           Just a sidenote: I usually configure, make and
>>>                         make install samba on a
>>>                     development box and scp over (tar-ed) the
>>>                     /usr/local/samba to the machine
>>>                     where I want it installed (not too willing to
>>>                     compile programs on the
>>>                     servers), perhaps a bad habit, but I always have an
>>>                     installable copy of the
>>>                     latest samba release this way.
>>>
>>>                     Regards
>>>
>>>                     Geza Gemes
>>>
>>>
>>>
>>>
>>>                       Ok, well that didn't work either, I downloaded,
>>>                     compiled and installed
>>>                 Samba4.0.4 and tried to set it up as a domain member
>>>                 using smbd, nmbd and
>>>                 winbindd. I cannot get the daemons to keep running,
>>>                 mostly smbd, they seem
>>>                 to start and then stop almost immediately. Has anybody
>>>                 got Samba4 to work
>>>                 this way and if so how?
>>>
>>>                 Next plan, try to find a later version of Samba 3.6
>>>                 that I can install on
>>>                 Mint 14
>>>
>>>                 Rowland
>>>
>>>                   I think you should file a bug report about smbd (4.0.4).
>>>
>>>             Regards
>>>
>>>             Geza Gemes
>>>
>>>         Hello Rowland,
>>>
>>>         I've not been watching your thread very well, but I tested
>>>         quite a few
>>>         configurations while working on a similar problem. You may be
>>>         able to pick
>>>         up some useful bits of info from that thread.
>>>
>>> https://lists.samba.org/archive/samba/2012-December/170521.html
>>>
>>>
>>>     Hi, what I am doing is very similar to what you tried to do, after
>>>     reading what Geza posted and realising that he was doing the
>>>     ranges the opposite way round to what I was doing, I got it to work
>>>     with samba 3.6.3 on Ubuntu server 12.04.
>>>
>>>     This is the relevant part of smb.conf:
>>>
>>>
>>>             idmap config *:backend = tdb
>>>             idmap config *:range = 2000001-3000000
>>>             idmap config HOME:default = yes
>>>             idmap config HOME:backend = ad
>>>             idmap config HOME:range = 0-1000000
>>>             idmap config HOME:schema mode = rfc2307
>>>
>>>     I then tried again on Mint 14 with Samba 3.6.6 with exactly the
>>>     same smb.conf, I got no domain info returned by 'getent passwd'.
>>>
>>>     I downloaded and compiled 3.6.12 with the same result or rather
>>>     lack of result.
>>>
>>>     I then tried compiling 4.0.4 with './configure --with-ads
>>>     --with-shared-modules=idmap'
>>>     This seemed to work but all the daemons have to be run with '-D'
>>>     to get them to keep running.
>>>     But I had the same problem, whilst 'wbinfo -u' shows all the
>>>     domain users, 'getent passwd' only shows local users.
>>>
>>>     I am now beginning to think that either something changed after
>>>     3.6.3 or I am doing something wrong.
>>>
>>>     Is anybody using a later version than 3.6.3 as a member client
>>>     against S4 AD?
>>>
>>>     Rowland
>>>
>>> Hello Rowland,
>>>
>>> Please note that I resolved that problem by using 
>>> --with-shared-modules=idmap_ad, not --with-shared-modules=idmap. 
>>> Unfortunately, I only ran into this while troubleshooting another 
>>> problem, so the only notes I have are what's on the list. That said, 
>>> I'm pretty sure I got 3.6.10 working.
>>>
>>> Here is where I mention --with-shared-modules=idmap_ad:
>>>
>>> https://lists.samba.org/archive/samba/2012-December/170552.html
>>>
>>>
>>> -- 
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>
>> Hi, sorry, cut & paste error, I did use --with-shared-modules=idmap_ad
>>
>> I have now downloaded and compiled 3.6.13 exactly the same as the 
>> others but this is worse.
>> I cannot join the domain!
>>
>> net ads join -U Administrator@EXAMPLE.COM
>> Host is not configured as a member server.
>> Invalid configuration.  Exiting....
>> Failed to join domain: This operation is only allowed for the PDC of 
>> the domain.
>>
>> So have I got all the packages installed to compile samba3? I do not 
>> know, I cannot find any instructions anywhere on how to compile S3.
>>
>> Could someone please post a list of debian packages required to 
>> compile S3 and confirm the configure line is:  ./configure --with-ads 
>> --with-shared-modules=idmap_ad
>>
>> Thanks in advance
>>
>> Rowland
>>
> Without saying that it is a solution, but it could be, what if you 
> download the samba3 source package from ubuntu 12.04 and do a 
> dpkg-buildpackage on it on your mint system? If you are afraid that it 
> will be replaced on system updates, you could edit the 
> debian/changelog file and specify a greater "version" number (I mean 
> the part of the version before the semicolon), which is exactly for 
> the purpose of tricking dpkg into believing that your package is newer 
> than another (which it is).
>
> Regards
>
> Geza Gemes
>
>

Well yes, that is a possibility, but it doesn't prove whether there is or 
there isn't a problem with samba 3.6.6 on Mint 14.
If I could find out just how samba 3 is supposed to be compiled to use 
it with a S4 AD server and what packages I need to install, I could then 
hopefully get a version of S3 to work on Mint 14.

My problem is that I require the idiots (i.e. me) guide to compiling S3 
and for the life of me, despite intensive websearching, I cannot find 
anything really relevant, just bits and pieces.

As I said, I have tried S4 as client and a couple of S3 versions and 
they all ultimately fail in the same way: no domain users are shown by 
getent. This either means that there is a problem with S3 after 3.6.3 or 
(more likely) a problem with the way I am compiling Samba.

Rowland

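The two uids at the top of this thread are not a bug in either CIFS or Samba 4: they come from two different mapping rules. The member server's `idmap config EXAMPLE : backend = rid` computes a uid as range low plus the account's RID, while the DC (with `idmap_ldb:use rfc2307 = yes`) reports the uidNumber stored on the account. The script below, an added worked example and not code from the Samba project or from anyone in the thread, decodes the objectSid from the posted LDIF, reproduces the client's uid 21105 (20000 + RID 1105) and gid 20513 (20000 + 513) from the posted rid range, and then checks what an `ad` backend would do with uidNumber 3000016 under each of the two posted idmap range layouts. The range-parsing helper, the overlap check and the out-of-range rule for idmap_ad follow the documented behaviour of those backends; the sample smb.conf fragments and LDIF values are constructed inline from what was quoted above, so the script runs offline.

```python
"""Why one AD account shows two different uids: RID-derived vs RFC2307-derived.

Added worked example for this thread; it is not code from the Samba project or
from any poster.  The inputs are constructed from values quoted in the thread:
the objectSid of CN=user from the Samba 4.0.4 LDIF, the client's
"idmap config EXAMPLE : backend = rid" range, the DC-side uidNumber, and the
idmap stanzas of both posted member-server smb.conf files.
"""
from __future__ import annotations

import base64
import re
import struct
from typing import Optional

# --- constructed inputs, copied from the thread ---------------------------
USER_OBJECTSID_B64 = "AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA=="  # objectSid:: of CN=user
DC_UIDNUMBER = 3000016      # uidNumber in the LDIF; `id user` on the DC shows this uid
DOMAIN_USERS_RID = 513      # primaryGroupID in the LDIF (Domain Users)

CLIENT_SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 1100-2000
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 20000-3100000
"""

GEZA_SMB_CONF = """
idmap config *:backend = tdb
idmap config *:range = 2000001-3000000
idmap config KZSDABAS:backend = ad
idmap config KZSDABAS:range = 0-1000000
"""


def parse_sid(b64_sid: str) -> tuple[str, int]:
    """Decode a base64 binary objectSid into its S-1-... string and its RID.

    Binary layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then `count` little-endian
    uint32 sub-authorities.  The last sub-authority is the RID.
    """
    raw = base64.b64decode(b64_sid)
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    sid = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))
    return sid, subs[-1]


def rid_backend_id(rid: int, low: int, high: int) -> Optional[int]:
    """idmap_rid: unix id = range low + RID, ignoring any uidNumber in AD.

    With the client's range 20000-3100000, RID 1105 becomes uid 21105 and
    RID 513 (Domain Users) becomes gid 20513, which is what `id user`
    printed on the client.  A RID that lands past `high` cannot be mapped.
    """
    xid = low + rid
    return xid if low <= xid <= high else None


def ad_backend_mappable(unix_id: int, low: int, high: int) -> bool:
    """idmap_ad: the uidNumber/gidNumber stored in AD is used as-is, but only
    when it lies inside the domain's configured range; outside it winbind has
    no mapping for the account, so the name still shows in `wbinfo -u`
    (which does not need a uid) but `getent passwd` stays silent."""
    return low <= unix_id <= high


def idmap_ranges(smb_conf: str) -> dict[str, tuple[int, int]]:
    """Collect every `idmap config <dom> : range = low-high` from smb.conf text.
    Both spellings seen in the thread ("* : range" and "*:range") are accepted;
    commented-out lines are skipped."""
    pat = re.compile(
        r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)",
        re.MULTILINE | re.IGNORECASE,
    )
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in pat.finditer(smb_conf)}


def ranges_overlap(ranges: dict[str, tuple[int, int]]) -> Optional[tuple[str, str]]:
    """Return the first pair of domains whose idmap ranges overlap (winbind
    rejects overlapping ranges), or None when the layout is clean."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    for (da, (_, ha)), (db, (lb, _)) in zip(items, items[1:]):
        if lb <= ha:
            return (da, db)
    return None


def explain(b64_sid: str, uidnumber: int, smb_conf: str, domain: str) -> dict:
    """Work out the uid a member server would give this account under each
    backend, using the range configured for `domain` in `smb_conf`."""
    sid, rid = parse_sid(b64_sid)
    ranges = idmap_ranges(smb_conf)
    low, high = ranges[domain]
    return {
        "sid": sid,
        "rid": rid,
        "rid_backend_uid": rid_backend_id(rid, low, high),
        "ad_backend_uid": uidnumber if ad_backend_mappable(uidnumber, low, high) else None,
        "overlap": ranges_overlap(ranges),
    }


if __name__ == "__main__":
    for name, conf, dom in (("client", CLIENT_SMB_CONF, "EXAMPLE"),
                            ("Geza", GEZA_SMB_CONF, "KZSDABAS")):
        print(name, explain(USER_OBJECTSID_B64, DC_UIDNUMBER, conf, dom))
```

Running it shows the arithmetic behind the original question: the client's 21105 is range low 20000 plus RID 1105, so with the rid backend the uidNumber on the account is never consulted, and the DC's 3000016 is simply that uidNumber. The second run is the check a practitioner would want before switching a member server to `backend = ad`: uidNumber 3000016 lies outside a 0-1000000 range, so that particular combination of posted values would give winbind nothing to hand to getent even when the build is fine. That is arithmetic on the quoted values, not a diagnosis of the compile problems discussed later in the thread.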


