[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Wed Aug 6 13:09:58 MDT 2014
Alright, here are the results. I gave the domain admin UID 10001, and it
shows up. I gave the domain users group a GID, and it shows also.
root at dc01:~# ldbsearch --url=/var/lib/samba/private/sam.ldb
sAMAccountName=reachfp
# record 1
dn: CN=reachfp,CN=Users,DC=truevine,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20140619182759.0Z
uSNCreated: 3545
objectGUID: 95f14a06-9370-40ef-8587-546afd171bb6
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130476760790000000
primaryGroupID: 513
objectSid: S-1-5-21-1282933182-1339137838-203774845-500
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=truevine,DC=lan
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=truevine,DC=lan
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=truevine,DC=lan
memberOf: CN=Enterprise Admins,CN=Users,DC=truevine,DC=lan
memberOf: CN=Schema Admins,CN=Users,DC=truevine,DC=lan
memberOf: CN=Domain Admins,CN=Users,DC=truevine,DC=lan
userPrincipalName: reachfp at truevine.lan
givenName: Reach
sAMAccountName: reachfp
cn: reachfp
name: reachfp
sn: Technology FP
displayName: Reach Technology FP
uid: 10001
whenChanged: 20140806175855.0Z
uSNChanged: 114720
distinguishedName: CN=reachfp,CN=Users,DC=truevine,DC=lan
# Referral
ref: ldap://truevine.lan/CN=Configuration,DC=truevine,DC=lan
# Referral
ref: ldap://truevine.lan/DC=DomainDnsZones,DC=truevine,DC=lan
# Referral
ref: ldap://truevine.lan/DC=ForestDnsZones,DC=truevine,DC=lan
# returned 4 records
# 1 entries
# 3 referrals
root at dc01:~# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=Domain\ Users
# record 1
dn: CN=Domain Users,CN=Users,DC=truevine,DC=lan
objectClass: top
objectClass: group
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20140619182759.0Z
uSNCreated: 3541
name: Domain Users
objectGUID: 84560291-87be-4664-8a4d-08f44a84accf
objectSid: S-1-5-21-1282933182-1339137838-203774845-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=truevine,DC=lan
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=truevine,DC=lan
gidNumber: 10003
whenChanged: 20140806180212.0Z
uSNChanged: 114735
distinguishedName: CN=Domain Users,CN=Users,DC=truevine,DC=lan
# Referral
ref: ldap://truevine.lan/CN=Configuration,DC=truevine,DC=lan
# Referral
ref: ldap://truevine.lan/DC=DomainDnsZones,DC=truevine,DC=lan
# Referral
ref: ldap://truevine.lan/DC=ForestDnsZones,DC=truevine,DC=lan
# returned 4 records
# 1 entries
# 3 referrals
Once I have the groups working, I'll be handing out a unique UID to each
user account, starting with the built-in ones.
On 08/06/2014 02:33 PM, Rowland Penny wrote:
> On 06/08/14 19:20, Ryan Ashley wrote:
>> Alright, I already gave every group a gIDNumber using the "advanced
>> features" option via the "Attribute Editor". Each group has a unique
>> ID. There are 16 built-in groups (domain admins, domain users, etc)
>> and five I have. My last group ended with 10021. The first group was
>> 10001. I then stopped S4 on my print-server, deleted
>> "group_mapping.tdb", "winbind_cache.tdb", and "winbind_idmap.tdb",
>> rebooted the server, and (S4 starts automatically) changed group
>> ownership of a directory to "domain admins". When listing the
>> directory with "ls -lAn", it showed 70012, not 10001. So they all
>> have gIDNumber set now, but it isn't pulling through. What could
>> cause that?
>
> OK, can you post the results of these two commands (run on the S4
> server):
>
> ldbsearch --url=/usr/local/samba/private/sam.ldb
> sAMAccountName=<username>
>
> ldbsearch --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users
>
> Replace <username> with a valid domain user, you may also have to
> change the path to sam.ldb, you may also have to install ldb-tools,
> but as I think that as you compiled samba yourself, they will be
> installed in /usr/local/samba/bin
>
> Rowland
>
>>
>> On 08/06/2014 01:58 PM, Rowland Penny wrote:
>>> On 06/08/14 18:50, Ryan Ashley wrote:
>>>> Sorry Rowland! I accidentally sent this to you the first go around.
>>>> My bad.
>>>>
>>>> I am actually surprised that a few others in the IT field know how
>>>> to toy with carbs and such. My hobby is antique tractors and road
>>>> vehicles. I love how easy it is to work on them. I wouldn't touch
>>>> my 2013 F-150 with a ten-foot pole though. Too many computers and
>>>> such. Also, the engine is covered in plastic guards, but I digress.
>>>>
>>>> What information have I not answered fully? If I did not understand
>>>> what was asked, I asked about it. Like when "ute" was posted. I
>>>> have posted my configs each time they are asked for. Nothing has
>>>> been edited. I asked about NIS and you gave me the link at MS I
>>>> read a while back. It says install the NIS stuff. S4 says NIS is
>>>> installed. Now I am confused. I very obviously cannot install NIS
>>>> stuff from 2008 R2 into a Linux system with S4, and S4 says it is
>>>> running NIS according to the test on the wiki page I linked below.
>>>> Do you understand my confusion now?
>>>>
>>>> To add to that, MS says that once the NIS stuff is on the server
>>>> (again, S4 says it is), I will see the UNIX tab on my ADUC tool.
>>>> This is why I have been very hesitant to use the advanced feature
>>>> and attempt to add ID's. If the tool isn't detecting NIS and I
>>>> force this stuff, will something break? If I can get a guarantee
>>>> that nothing will break if I force ID's via the advanced options,
>>>> I'll do it right now. My thought process is different however. It
>>>> goes something like "I need to get NIS working on the S4 server,
>>>> then the regular tab will show up, and I am golden. Since it is not
>>>> showing up, I probably shouldn't attempt to force ID's through the
>>>> advanced option". Am I wrong here?
>>>>
>>>> As for questions, I asked two or three times if I needed that line
>>>> in my member server configurations, and I was just now told that I
>>>> should only have it on DC's. This is fine, but we all miss or
>>>> forget to answer once in a while, so if I forgot something, kindly
>>>> remind me and I will be happy to answer it. Oh, and what about my
>>>> question for the line that sets a range of 500-40000?
>>>>
>>>> I'm not aggravated with anybody, but I need this fixed. I am a VERY
>>>> BUSY person and I may forget things. Do not take it personally,
>>>> please. I love the S4 project and it has worked fine up until now.
>>>> I believe my issue here is that I must assign an ID to each group
>>>> and each user for file shares to work correctly under Linux. My
>>>> other clients share files from Linux-based NAS devices and that is
>>>> PROBABLY the key difference. Now I know I can add these ID numbers
>>>> without the UNIX tab, but is it safe to do that
>>>>
>>>> On 08/06/2014 04:29 AM, Rowland Penny wrote:
>>>>> On 06/08/14 05:24, Ryan Ashley wrote:
>>>>>> Plenty of replies since this afternoon! I will try to answer your
>>>>>> questions in order, as well as ask questions.
>>>>>>
>>>>>> "All provisioning with RFC2307 does is add the ypServ30.ldif, it
>>>>>> does not do anything else, it is up to you to use it. "
>>>>>>
>>>>>> Alright, how? Remember, all my domains are golden except this. I
>>>>>> have never had to use ldif files or assign ID numbers because
>>>>>> they always just worked.
>>>>>>
>>>>>
>>>>> By adding whatever RFC2307 attributes that you will need, these
>>>>> are usually uidNumber, gidNumber, loginShell and
>>>>> unixHomeDirectory. How you add them is up to you, you can use
>>>>> samba-tool, ADUC or even write your own scripts around ldb-tools etc.
>>>>>
>>>>> I think that in the past you must have been using the winbind rid
>>>>> backend, only problem with this is that (at the moment) you get
>>>>> different id numbers on the server from any client.
>>>>>
>>>>>> "This is a known windows problem, search Google (other search
>>>>>> providers are available) for a solution."
>>>>>>
>>>>>> I have been searching, and I have tried loads of results, to no
>>>>>> avail. Some said install libnss-ldapd, which I still don't know
>>>>>> what it does, others said to do various config entries, also to
>>>>>> no avail, so I am back here. I have reverted my changes since
>>>>>> nothing worked.
>>>>>
>>>>> You cannot have searched very hard, the search term 'no unix
>>>>> attributes tab' turns up about 1,910,000 results and the top one is:
>>>>>
>>>>> http://support.microsoft.com/kb/921913
>>>>>
>>>>>>
>>>>>> "I'd guess you don't have a UNIX tab because the Samba AD schema
>>>>>> doesn't have it. I'm not sure why that would be, since I don't
>>>>>> use any of the UNIX AD extensions myself."
>>>>>
>>>>> That was a very wrong statement, even if you do not provision with
>>>>> rfc2307, you still get the rfc2307 attributes and objectclasses in
>>>>> AD and it is not the reason you haven't got the tab
>>>>>
>>>>>>
>>>>>> I never have either, it always JUST WORKED. This is not
>>>>>> frustration with the help, it is frustration in that it just
>>>>>> refuses to work for no good reason. That's why I am attempting to
>>>>>> ditch Windows, because things just don't work and nobody knows
>>>>>> why. I actually feel that Rowland and Steve have been great, and
>>>>>> have made me SERIOUSLY question the highly incomplete guides on
>>>>>> the wiki. I mean nowhere does it mention the line that creates
>>>>>> the keytab for Kerberos in any guides. Nowhere does it mention
>>>>>> the ID's or anything else they have talked with me about. I
>>>>>> honestly believe the ID numbers will solve the issue, but I
>>>>>> cannot do that yet.
>>>>>>
>>>>>> "You do not need to provision with rfc2307 nor do you need a UNIX
>>>>>> tab to allocate uidNumbers. You already have what you need.
>>>>>> Please try it."
>>>>>>
>>>>>> Alright, how? Again, and this is what I keep repeating, I have
>>>>>> NEVER had to do this before. Up to this very point in time, S4
>>>>>> has been rock-solid. None of my other domains use the Kerberos
>>>>>> keytab. None of them use uID's or gID's. They all just work.
>>>>>> You're telling me I have the tools to do this, but it is like me
>>>>>> telling you to adjust your main jet to 1.5 turns out. Unless
>>>>>> you're into antiques like I am, you haven't a clue what I mean or
>>>>>> how to do it. I am not trying to be rude, I just literally do not
>>>>>> have a clue how to do this.
>>>>>>
>>>>>
>>>>> er, I actually do know what you are talking about when it comes to
>>>>> the main jet, this would be the initial setting on the carburettor
>>>>> and you would adjust the high speed running from there, what do
>>>>> you set the slow run jet to ?
>>>>>
>>>>> Just how did you setup samba prior to having these problems, did
>>>>> you set it up as a PDC or a standalone or what ?
>>>>>
>>>>> You also seem very reticent about answering questions, you never
>>>>> seem to quite answer them fully, sometimes not at all.
>>>>>
>>>>>> "You have to activate advanced features in ADUC and edit the
>>>>>> attributes from the attribute editor tab."
>>>>>>
>>>>>> Yes, I did that and saw it in there, but chose not to edit that
>>>>>> way for one reason. According to many posts I read on search
>>>>>> results from Google, the UNIX tab shows up once the system
>>>>>> detects NIS. I believe NIS is off for some reason, but I did the
>>>>>> check at the link below and it returned one result, indicating
>>>>>> that NIS is supposedly enabled. It would be better to simply show
>>>>>> me a yes or no, but I guess that isn't an option.
>>>>>>
>>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b
>>>>>> CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan
>>>>>> Referenced from:
>>>>>> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>>>>>>
>>>>>> Ricky:
>>>>>> I have NOT pulled any packages from any repos. I cloned the
>>>>>> official repo, configured and built. It turns out that by default
>>>>>> it builds 4.2.0-pre<xyz> instead of 4-1-stable. In an attempt to
>>>>>> rule out a 4.2 bug, I uninstalled (make uninstall) 4.2 and
>>>>>> configured and built 4.1, then installed it. I completely removed
>>>>>> any leftover files and directories by hand, with the exception of
>>>>>> my configuration file. Here's the info you requested.
>>>>>>
>>>>>> root at fs01:~# getent passwd | grep reachfp
>>>>>> reachfp:*:70010:70002:reachfp:/home/TRUEVINE/reachfp:/bin/false
>>>>>> root at fs01:~# getent passwd | grep cynthiaj
>>>>>> cynthiaj:*:70016:70002:Cynthia
>>>>>> Jones:/home/TRUEVINE/cynthiaj:/bin/false
>>>>>> root at fs01:~# getent passwd | grep daquanm
>>>>>> daquanm:*:70002:70002:DaQuan Major:/home/TRUEVINE/daquanm:/bin/false
>>>>>> root at fs01:~# getent passwd | grep reach_support
>>>>>> reach_support:*:70015:70002:Reach
>>>>>> Support:/home/TRUEVINE/reach_support:/bin/false
>>>>>>
>>>>>
>>>>> All of those numbers are coming from the 'builtin' range
>>>>> (70001-80000) and shouldn't be and wouldn't be if you gave your
>>>>> users and groups uidNumber's & gidNumber's
>>>>>
>>>>> If you do not want to do this, change this line:
>>>>>
>>>>> idmap config TRUEVINE:backend = ad
>>>>>
>>>>> To this:
>>>>>
>>>>> idmap config TRUEVINE:backend = rid
>>>>>
>>>>> Remove these:
>>>>>
>>>>> idmap config TRUEVINE:schema_mode = rfc2307
>>>>> idmap_ldb:use rfc2307 = yes # this shouldn't be on the fileserver
>>>>> anyway, it's for the AD server
>>>>> auth methods = winbind
>>>>>
>>>>> Rowland
>>>>>
>>>>>> =====================
>>>>>> FS01 Configuration File:
>>>>>> =====================
>>>>>> [global]
>>>>>> netbios name = FS01
>>>>>> workgroup = TRUEVINE
>>>>>> security = ADS
>>>>>> realm = TRUEVINE.LAN
>>>>>> encrypt passwords = yes
>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>> kerberos method = secrets and keytab
>>>>>>
>>>>>> idmap config *:backend = tdb
>>>>>> idmap config *:range = 70001-80000
>>>>>> idmap config TRUEVINE:backend = ad
>>>>>> idmap config TRUEVINE:schema_mode = rfc2307
>>>>>> idmap config TRUEVINE:range = 500-40000
>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>>
>>>>>> winbind nss info = rfc2307
>>>>>> winbind trusted domains only = no
>>>>>> winbind use default domain = yes
>>>>>> winbind enum users = yes
>>>>>> winbind enum groups = yes
>>>>>>
>>>>>> vfs objects = acl_xattr
>>>>>> map acl inherit = yes
>>>>>> store dos attributes = yes
>>>>>> auth methods = winbind
>>>>>> log level = 3
>>>>>>
>>>>>> [install$]
>>>>>> path = /home/shared/install
>>>>>> comment = "Software installation files"
>>>>>> read only = no
>>>>>> guest ok = no
>>>>>>
>>>>>> [staff$]
>>>>>> path = /home/shared/staff
>>>>>> comment = "Staff file share"
>>>>>> read only = no
>>>>>> guest ok = no
>>>>>>
>>>>>> [fbc$]
>>>>>> path = /home/shared/fbc
>>>>>> comment = "Family Bible College file share"
>>>>>> read only = no
>>>>>> guest ok = no
>>>>>>
>>>>>>
>>>>>> One thing I am unclear on is whether or not I need "idmap_ldb:use
>>>>>> rfc2307 = yes" in member server configs or ONLY AD DC configs.
>>>>>> Also, what does "idmap config TRUEVINE:range = 500-40000"
>>>>>> specify? I was trying to set AD users to 70001-80000 for their
>>>>>> ID's, but maybe I misunderstand things. Thanks for your help and
>>>>>> input. I'm not frustrated with you guys, just the fact that ONE
>>>>>> server is acting up and I am having to do all kinds of things I
>>>>>> have never had to do before just to share files. It isn't a bad
>>>>>> frustration however, I enjoy building projects from source and
>>>>>> using Linux in general. If this was Windows I'd have found an
>>>>>> alternative by now.
>>>>>>
>>>>>> On 8/5/2014 11:57 PM, Ricky Nance wrote:
>>>>>>> So IF I read the 70+ previous mails correctly, it looks like you
>>>>>>> have
>>>>>>> tried both packages and samba source, if this is the case you could
>>>>>>> have some seriously screwed up library files, causing various
>>>>>>> issues
>>>>>>> (such as binaries just crashing at certain points). With that said,
>>>>>>> there is a fair chance that your libnss_winbind.so (or so.2) is
>>>>>>> mismatched from your current winbind causing exactly this issue.
>>>>>>>
>>>>>>> Is there any chance you can give us a current recap of your
>>>>>>> issue/setup? Include current configs (if you need to mask
>>>>>>> something,
>>>>>>> make that clear). Also please provide the output of getent passwd |
>>>>>>> grep ADUSER (replace ADUSER with an actual user) and which setup
>>>>>>> (package or source, and which package you are using) you currently
>>>>>>> have (as well as what you have tried there too).
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Ricky
>>>>>>>
>>>>>>> On Tue, Aug 5, 2014 at 3:18 PM, Davor Vusir
>>>>>>> <davortvusir at gmail.com> wrote:
>>>>>>>> 2014-08-05 20:32 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>>>>>>> Well, again, no issues until now. I never did the Kerberos
>>>>>>>>> keytab thing
>>>>>>>>> before, and everything works. Never did the NIS thing before,
>>>>>>>>> and everything
>>>>>>>>> works. Now I am learning these things should be done and I
>>>>>>>>> have been told
>>>>>>>>> what to do and have done them as well as documented them in
>>>>>>>>> our technical
>>>>>>>>> reference. However, I am now at the point where I cannot set
>>>>>>>>> ID's due to not
>>>>>>>>> having the UNIX tab in ADUC. I did provision with
>>>>>>>>> "--use-rfc2307" and it is
>>>>>>>>> in all of my S4 configuration files, but no luck yet. What do
>>>>>>>>> I need to
>>>>>>>>> check to get that tab to appear? If assigning an ID fixes
>>>>>>>>> this, I will
>>>>>>>>> HAPPILY do it on all of our domains as we go out for maintenance.
>>>>>>>>>
>>>>>>>> You have to activate advanced features in ADUC and edit the
>>>>>>>> attributes
>>>>>>>> from the attribute editor tab.
>>>>>>>>
>>>>>>>> It's a pity we couldn't help you sort this out. I think it's quite
>>>>>>>> strange that it doesn't work at this particular server as you
>>>>>>>> say that
>>>>>>>> this is the standard way of yours to configure Samba. Why it
>>>>>>>> doesn't
>>>>>>>> work, I really don't know. One thing that springs to mind is,
>>>>>>>> and I
>>>>>>>> don't have knowledge enough to back it up, when using the TDB
>>>>>>>> backend
>>>>>>>> you're not guaranteed consistent id mapping through the server
>>>>>>>> park. I
>>>>>>>> have found nothing that states that winbind populates the
>>>>>>>> tdb-databases in a certain order (a-z, ascending SID numbering or
>>>>>>>> other mechanism). Which of course might give you different
>>>>>>>> uidnumbers
>>>>>>>> (from the *:range) for different accounts. Please correct me if
>>>>>>>> I'm
>>>>>>>> wrong. Is there a way to check this?
>>>>>>>>
>>>>>>>> But I do think that Rowland and Steve are right to 'push' for
>>>>>>>> populating and using uid- and gidnumbers. uid- and gidnumbers
>>>>>>>> with an
>>>>>>>> interpretator like winbind, sssd or other is a/the bridge between
>>>>>>>> Linux and windows. And it's a low-cost activation and
>>>>>>>> maintenance. I
>>>>>>>> think you should consider their advice and rethink your setup.
>>>>>>>>
>>>>>>>> Well, I'm out of ideas except that I have noticed that the
>>>>>>>> activation
>>>>>>>> of vfs module acl_xattr in the global section of smb.conf does not
>>>>>>>> always/ever work on a mounted volume created from LVM. You
>>>>>>>> might need
>>>>>>>> to/have to put it in the share section.
>>>>>>>>
>>>>>>>> If you find out what caused this, please let us know.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Davor
>>>>>>>>
>>>>>>>>> On 08/05/2014 02:16 PM, steve wrote:
>>>>>>>>>> On Tue, 2014-08-05 at 13:17 -0400, Ryan Ashley wrote:
>>>>>>>>>>> The way that sounds, the "file server" guide is incomplete,
>>>>>>>>>>> because
>>>>>>>>>>> nowhere does it mention any of what you're telling me. I
>>>>>>>>>>> also have
>>>>>>>>>>> little trouble finding good documentation on every Linux
>>>>>>>>>>> product I use.
>>>>>>>>>>> S4 is the one big exception, but with the guides, it
>>>>>>>>>>> eliminates some of
>>>>>>>>>>> that need. I do not buy the whole argument of using Windows for
>>>>>>>>>>> documentation, because 90% of their documentation is
>>>>>>>>>>> rambling crud. When
>>>>>>>>>>> you get an error and have an ID, the docs don't have the ID
>>>>>>>>>>> you want,
>>>>>>>>>>> you are hosed.
>>>>>>>>>> Unless you know what you're doing, the time it takes to get
>>>>>>>>>> up on
>>>>>>>>>> user-land Linux compared with enterprise or microsoft
>>>>>>>>>> out-of-the-box-or-just-call-the-engineer is false economy.
>>>>>>>>>>> Again, I am running Debian Wheezy 7.5 64bit under XenServer
>>>>>>>>>>> 6.2 with the
>>>>>>>>>>> latest updates. The stable repos have an OLD version of S4,
>>>>>>>>>>> and I do not
>>>>>>>>>>> mind building it myself anyway.
>>>>>>>>>> Debian doesn't install samba unless you tell it?
>>>>>>>>>>> Finally, you have told me I need this and that, but no
>>>>>>>>>>> direction is
>>>>>>>>>>> noted.
>>>>>>>>>> http://bit.ly/1s8LTZc
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> To unsubscribe from this list go to the following URL and read
>>>>>>>>> the
>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>> --
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>
>>>>>
>>>>
>>> Too late, I already replied ;-)
>>>
>>> Rowland
>>>
>>
>
More information about the samba
mailing list