[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Thu Aug 7 03:16:46 MDT 2014

On 06/08/14 22:24, Ryan Ashley wrote:
> I have tried your suggestions, and some I had found prior to falling 
> back on the mailing list so I already knew some would not work. I was 
> not asked for a response after being pointed to the material so I did 
> not provide one.
> Yes, I am very busy as I work as the lead IT and IS specialist in a 
> small business. I cannot devote weeks to a single problem as I handle 
> dozens a day, many resolved within 24hrs. This issue has been on-going 
> due to the fact that I have already tried a ton of what is out there, 
> and as for your "Google search", dozens of those are the same posts 
> regurgitated on numerous sites. I went through an entire page a week 
> or so back and every single link on the page was to the exact same 
> post, on numerous sites that have board-readers that simply read the 
> samba lists among others and duplicate the posts. Useless! I'd say out 
> of 1.9mil results, about 500k are unique. I am getting to where I 
> dislike Google for this reason, but that is another discussion.
> I am also happy to hear that you can afford to blow thousands on a 
> simple DVD. Low-income businesses, churches, and what-not cannot. Yes, 
> we know of open-licensing and manage it for several clients, but many 
> people are not willing to spend anything right now if there is a 
> viable alternative. Seeing that S4 has worked flawlessly for two years 
> at a few locations, this fit the client's needs and we installed it. 
> Something is just different this time. I am learning a lot and intend 
> to apply things like the group and user IDs to other domains once we 
> have it working here to avoid future problems.
> Also, Windows has MUCH higher resource requirements than Linux. On top 
> of that $3k, how much would we have to pay to bring up the hardware? 
> Too expensive for such little gain.
> Finally, if you have taken some personal offense to something, speak 
> up. You offered assistance, I took what I had not already tried and 
> tried it. You did not ask for results, so I assumed the fact that I 
> was still asking for help would have been a clue that the suggestion 
> was no good. Every time anybody asked for anything, including 
> configuration files, I posted them, so there's no need to be bitter. 
> Simply point out that I may have missed something and I'll try it or 
> let you know I already did.
> On 8/6/2014 3:57 PM, steve wrote:
>> On Wed, 2014-08-06 at 13:50 -0400, Ryan Ashley wrote:
>>> What information have I not answered fully?
>> Most of the suggestions and tips we have given. As an example, you said
>> that you wanted to add IDs to your users. You were sent a link to help
>> you look up what you said you, 'had no idea how'. You ignored that, so
>> we sent you concrete examples to try. Still nothing.
>> You are a, 'VERY BUSY person', are you? Well, I can only urge everyone
>> here to jump on your case. I repeat. With a 2012 R2 licence and 90 days
>> reduced rate licence, you would have been up days ago for this side of
>> $3000
>> Cheers, and EOT from us,
>> Steve
Active Directory works differently from Linux: it uses SIDs and RIDs, 
Linux uses UIDs and GIDs. To use AD users as Linux users you somehow 
have to convert the SIDs and RIDs to UIDs and GIDs. There are 
several ways to do this by using programs like winbind, nslcd or sssd, 
but they all boil down to the same two ways: you either create a UID/GID 
from the RID or you give the user/group a uidNumber/gidNumber.

That is:
A user is given a uidNumber and gidNumber
A group is given a gidNumber

uidNumber and gidNumber are the attribute names, not uid or gid or 
anything else.

The only way (at the moment) to ensure that your users/groups get the 
same ID everywhere in the domain is to use RFC2307 attributes.

see here for info on RFC2307:


How you add these RFC2307 attributes is up to you, the easiest way is to 
use ADUC, but you say that you do not have the UNIX-Attributes tab on 
your users and groups, I also had this problem and solved it by 
searching the internet. I posted a link to one of the pages I used, so I 
do not propose to go over old ground yet again.

If you cannot get the ADUC tab to work for you, then you can always use 
ldb-tools to add the attributes, either by using ldbedit and directly 
modifying the user/group or by creating an ldif and using ldbmodify to 
add this. A typical ldif for a user called John Doe created on a windows 
machine would be:

dn: CN=John Doe,CN=Users,DC=example,DC=com
changetype: modify
add: uid
uid: john
-
add: msSFU30Name
msSFU30Name: john
-
add: msSFU30NisDomain
msSFU30NisDomain: example
-
add: uidNumber
uidNumber: 10000
-
add: gidNumber
gidNumber: 10000
-
add: loginShell
loginShell: /bin/bash
-
add: unixHomeDirectory
unixHomeDirectory: /home/john
-
add: unixUserPassword
unixUserPassword: ABCD!efgh12345$67890
-

The above ldif is exactly the way that ADUC does it 
(ABCD!efgh12345$67890 is the unixUserPassword that ADUC gives every unix 
user), but you only really need the uidNumber & gidNumber. The uidNumber 
needs to be a unique number and the gidNumber will be the user's primary 
Unix group (usually Domain Users), so that number needs to be whatever 
you gave to your main Unix group, i.e. Domain Users needs to have the 
gidNumber '10000'.

You would add the above ldif like this:

root@dc1:~# kinit
Password for administrator@EXAMPLE.COM:
root@dc1:~# ldbmodify --url=ldap://dc1.example.com --kerberos=yes --krb5-ccache=/tmp/krb5cc_0 /path_to/ldif

Replacing 'dc1.example.com' with your S4 AD DC FQDN and '/path_to/ldif' 
with the full path and name of your ldif, and of course you need to run 
all of this on the S4 AD DC.

The uidNumber and gidNumber ranges can be identical, in fact this is the 
way that ADUC works, but whatever range you do use must be reflected in 
smb.conf, i.e. 'idmap config EXAMPLE : range = 10000-999999'.

Just why you renamed the Administrator account, before you got 
everything working, escapes me, in fact most people probably never 
bother, so I would suggest that you rename the account back again, at 
least until you get everything working correctly.

Do not give the Administrator account a uidNumber or gidNumber, create a 
new user and give this new user the required RFC2307 attributes.

Once you have added the gidNumber to Domain Users and added the ldif to 
John Doe, running (on a client joined to the domain) 'getent passwd' 
should show a line for John Doe and 'getent group Domain\ Users' should 
show the info for Domain Users.

This will be my last post on this thread.
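The procedure in the reply above (give Domain Users a gidNumber, give each user a unique uidNumber inside the winbind idmap range, apply the modify LDIF with ldbmodify, then check with getent) as a worked shell example. This is an added example, not code from the thread or from the Samba project. It goes one step beyond the reply by picking the lowest uidNumber that is not already in use, something the reply leaves to the reader. The list of used uidNumbers and the smb.conf fragment are constructed stand-ins for ldbsearch and testparm output, the function names are hypothetical, and gidNumber 10000 for Domain Users and the EXAMPLE domain are taken from the reply.

```shell
#!/bin/sh
# Added example, not from the thread: pick a free uidNumber inside the
# winbind idmap range, sanity-check it, and emit the RFC2307 modify LDIF
# for one user. All data below is constructed; function names are
# hypothetical.

# Stand-in for the output of
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(uidNumber=*)' uidNumber | grep '^uidNumber:'
# on a DC where 10000, 10001 and 10003 are taken and 10002 is free.
USED_IDS='uidNumber: 10000
uidNumber: 10001
uidNumber: 10003'

# Stand-in for the relevant part of smb.conf on a domain member
# (in real use: testparm -s 2>/dev/null).
SMB_CONF='[global]
   workgroup = EXAMPLE
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999'

# idmap_range DOMAIN  -> prints "LOW HIGH" from that domain's idmap range line
# (DOMAIN is used as a regex, so it must be a plain domain name, not "*").
idmap_range() {
    printf '%s\n' "$SMB_CONF" | awk -v dom="$1" -F'=' '
        $1 ~ "idmap config " dom " *: *range *$" {
            gsub(/[ \t]/, "", $2); split($2, r, "-"); print r[1], r[2]; exit
        }'
}

# next_free_id LOW HIGH  -> lowest id in [LOW,HIGH] absent from USED_IDS;
# prints "none" and fails if the range is exhausted.
next_free_id() {
    printf '%s\n' "$USED_IDS" | awk -v lo="$1" -v hi="$2" '
        /^uidNumber: / { used[$2] = 1 }
        END {
            for (i = lo + 0; i <= hi + 0; i++)
                if (!(i in used)) { print i; exit 0 }
            print "none"; exit 1
        }'
}

# in_range ID LOW HIGH  -> true when LOW <= ID <= HIGH
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# user_ldif CN UIDNUMBER GIDNUMBER LOGIN BASEDN
# Emits a modify LDIF; each "add:" is its own mod-spec closed with "-",
# as RFC 2849 requires. Only the attributes winbind/sssd actually need.
user_ldif() {
cat <<EOF
dn: CN=$1,CN=Users,$5
changetype: modify
add: uidNumber
uidNumber: $2
-
add: gidNumber
gidNumber: $3
-
add: loginShell
loginShell: /bin/bash
-
add: unixHomeDirectory
unixHomeDirectory: /home/$4
-
EOF
}

# Demo: John Doe gets the next free uidNumber; 10000 is assumed to be the
# gidNumber already given to Domain Users. Save the output to a file and
# feed it to ldbmodify on the DC as in the reply above, then run
# 'getent passwd john' on a joined client to confirm the mapping.
RANGE=$(idmap_range EXAMPLE)
LOW=${RANGE% *}
HIGH=${RANGE#* }
NEW_UID=$(next_free_id "$LOW" "$HIGH") || { echo "idmap range exhausted" >&2; exit 1; }
in_range "$NEW_UID" "$LOW" "$HIGH" || { echo "uidNumber $NEW_UID outside idmap range $LOW-$HIGH" >&2; exit 1; }
user_ldif 'John Doe' "$NEW_UID" 10000 john 'DC=example,DC=com'
```

The range check matters because a uidNumber that falls outside the 'idmap config EXAMPLE : range' on the members is silently ignored by winbind, and the user then gets no Unix identity at all; checking before the ldbmodify is cheaper than debugging an empty getent afterwards.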
