[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Thu Aug 7 09:22:28 MDT 2014

I figured it out, but it won't let me import it.

root at dc01:~# ldbmodify -H /var/lib/samba/private/sam.ldb 
/root/ypServ30.ldif --option="dsdb:schema update allowed"=true
ERR: (Entry already exists) "Entry 
CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan already exists" 
on DN CN=ypServ30,CN=RpcServices,CN=System,dc=truevine,dc=lan at block 
before line 5
Modify failed after processing 0 records
root at dc01:~#

So this means it is already there, right? If so, what must I do here? I 
am going to check, but I do not remember seeing an attribute called 
"gidNumber", only "gid".

On 08/07/2014 10:24 AM, Ryan Ashley wrote:
> Alright, new problem. That ypServ30.ldif file is asking for all kinds 
> of information I do not know or know how to get. I am ASSUMING the 
> "domain dn" it is asking for is "dc=truevine,dc=lan". However, it also 
> needs to know a NISDOMAIN variable and that I do not have a clue 
> about. Is there a guide dedicated just to editing this file? I don't 
> have a NIS domain to my knowledge. I just want to import the file so I 
> can set my attributes. This is kind of complicated just to add a few 
> (four?) attributes to my schema.
> So, what do I set all these things in the LDIF file to? Is there a way 
> I can look them up?
> On 08/07/2014 09:42 AM, Ryan Ashley wrote:
>> Thanks, Rowland. I just got in this morning and think it finally all 
>> fell into place. You mentioned an LDIF file in a prior email. I 
>> assume that if I import that LDIF file, it creates the attributes I 
>> need. After that, I should be able to set them as you stated. Is this 
>> correct?
>> My current plan is to re-read your emails and find the file you 
>> mentioned. If it does indeed add those attributes, I will import it 
>> and try setting them as you stated. If it works, I will report 
>> success and summarize what this entire thread was about for others to 
>> learn from without reading it all.
>> On 08/07/2014 05:16 AM, Rowland Penny wrote:
>>> On 06/08/14 22:24, Ryan Ashley wrote:
>>>> I have tried your suggestions, and some I had found prior to 
>>>> falling back on the mailing list so I already knew some would not 
>>>> work. I was not asked for a response after being pointed to the 
>>>> material so I did not provide one.
>>>> Yes, I am very busy as I work as the lead IT and IS specialist in a 
>>>> small business. I cannot devote weeks to a single problem as I 
>>>> handle dozens a day, many resolved within 24hrs. This issue has 
>>>> been on-going due to the fact that I have already tried a ton of 
>>>> what is out there, and as for your "Google search", dozens of those 
>>>> are the same posts regurgitated on numerous sites. I went through 
>>>> an entire page a week or so back and every single link on the page 
>>>> was to the exact same post, on numerous sites that have 
>>>> board-readers that simply read the samba lists among others and 
>>>> duplicate the posts. Useless! I'd say out of 1.9mil results, about 
>>>> 500k are unique. I am getting to where I dislike Google for this 
>>>> reason, but that is another discussion.
>>>> I am also happy to hear that you can afford to blow thousands on a 
>>>> simple DVD. Low-income businesses, churches, and what-not cannot. 
>>>> Yes, we know of open-licensing and manage it for several clients, 
>>>> but many people are not willing to spend anything right now if 
>>>> there is a viable alternative. Seeing that S4 has worked flawlessly 
>>>> for two years at a few locations, this fit the client's needs and 
>>>> we installed it. Something is just different this time. I am 
>>>> learning a lot and intend to apply things like the group and user 
>>>> ID's to other domains once we have it working here to avoid future 
>>>> problems.
>>>> Also, Windows has MUCH higher resource requirements than Linux. On 
>>>> top of that $3k, how much would we have to pay to bring up the 
>>>> hardware? Too expensive for such little gain.
>>>> Finally, if you have taken some personal offense to something, 
>>>> speak up. You offered assistance, I took what I had not already 
>>>> tried and tried it. You did not ask for results, so I assumed the 
>>>> fact that I was still asking for help would have been a clue that 
>>>> the suggestion was no good. Every time anybody asked for anything, 
>>>> including configuration files, I posted them, so there's no need to 
>>>> be bitter. Simply point out that I may have missed something and 
>>>> I'll try it or let you know I already did.
>>>> On 8/6/2014 3:57 PM, steve wrote:
>>>>> On Wed, 2014-08-06 at 13:50 -0400, Ryan Ashley wrote:
>>>>>> What information have I not answered fully?
>>>>> Most of the suggestions and tips we have given. As an example, you 
>>>>> said that you wanted to add IDs to your users. You were sent a link 
>>>>> to help you look up what you said you, 'had no idea how'. You 
>>>>> ignored that, so we sent you concrete examples to try. Still nothing.
>>>>> You are a, 'VERY BUSY person', are you? Well, I can only urge 
>>>>> everyone here to jump on your case. I repeat. With a 2012 R2 licence 
>>>>> and 90 days reduced rate licence, you would have been up days ago 
>>>>> for this side of $3000
>>>>> Cheers, and EOT from us,
>>>>> Steve
>>> Active Directory works differently from Linux, it uses SID's and 
>>> RID's, Linux uses UID's and GID's. To use AD users as Linux users 
>>> you somehow have to convert the SID's and RID's to UID's and GID's. 
>>> There are several ways to do this by using programs like winbind, 
>>> nslcd or sssd, but they all boil down to the same two ways, you 
>>> either create a UID/GID from the RID or you give the user/group a 
>>> uidNumber/gidNumber.
>>> That is:
>>> A user is given a uidNumber and gidNumber
>>> A group is given a gidNumber
>>> uidNumber and gidNumber are the attribute names, not uid or gid or 
>>> anything else.
>>> The only way (at the moment) to ensure that your users/groups get 
>>> the same ID everywhere in the domain is to use RFC2307 attributes.
>>> see here for info on RFC2307:
>>> https://www.ietf.org/rfc/rfc2307.txt
>>> How you add these RFC2307 attributes is up to you, the easiest way 
>>> is to use ADUC, but you say that you do not have the UNIX-Attributes 
>>> tab on your users and groups, I also had this problem and solved it 
>>> by searching the internet. I posted a link to one of the pages I 
>>> used, so I do not propose to go over old ground yet again.
>>> If you cannot get the ADUC tab to work for you, then you can always 
>>> use ldb-tools to add the attributes, either by using ldbedit and 
>>> directly modifying the user/group or by creating an ldif and using 
>>> ldbmodify to add this. A typical ldif for a user called John Doe 
>>> created on a windows machine would be:
>>> dn: CN=John Doe,CN=Users,DC=example,DC=com
>>> changetype: modify
>>> add: uid
>>> uid: john
>>> -
>>> add: msSFU30Name
>>> msSFU30Name: john
>>> -
>>> add: msSFU30NisDomain
>>> msSFU30NisDomain: example
>>> -
>>> add: uidNumber
>>> uidNumber: 10000
>>> -
>>> add: gidNumber
>>> gidNumber: 10000
>>> -
>>> add: loginShell
>>> loginShell: /bin/bash
>>> -
>>> add: unixHomeDirectory
>>> unixHomeDirectory: /home/john
>>> -
>>> add: unixUserPassword
>>> unixUserPassword: ABCD!efgh12345$67890
>>> The above ldif is exactly the way that ADUC does it 
>>> (ABCD!efgh12345$67890 is the unixUserPassword that ADUC gives every 
>>> unix user), but you only really need the uidNumber & gidNumber. The 
>>> uidNumber needs to be a unique number and the gidNumber will be the 
>>> user's primary Unix group (usually Domain Users) so that number needs 
>>> to be whatever you gave to your main Unix group i.e. Domain Users 
>>> needs to have the gidNumber '10000'.
>>> You would add the above ldif like this:
>>> root at dc1:~# kinit
>>> Password for administrator at EXAMPLE.COM:
>>> root at dc1:~# ldbmodify --url=ldap://dc1.example.com --kerberos=yes 
>>> --krb5-ccache=/tmp/krb5cc_0 /path_to/ldif
>>> Replacing 'dc1.example.com' with your S4 AD DC FQDN and 
>>> '/path_to/ldif' with the full path and name of your ldif, and of 
>>> course you need to run all of this on the S4 AD DC.
>>> The uidNumber and gidNumber ranges can be identical, in fact this is 
>>> the way that ADUC works, but whatever range you do use must be 
>>> reflected in smb.conf, i.e. 'idmap config EXAMPLE : range = 10000-999999'.
>>> Just why you renamed the Administrator account, before you got 
>>> everything working, escapes me, in fact most people probably never 
>>> bother, so I would suggest that you rename the account back again, 
>>> at least until you get everything working correctly.
>>> Do not give the Administrator account a uidNumber or gidNumber, 
>>> create a new user and give this new user the required RFC2307 
>>> attributes.
>>> Once you have added the gidNumber to Domain Users and added the ldif 
>>> to John Doe, running (on a client joined to the domain) 'getent 
>>> passwd' should show a line for John Doe and 'getent group Domain\ 
>>> Users' should show the info for Domain Users.
>>> This will be my last post on this thread.
>>> Rowland
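The constraints Rowland spells out (uidNumber unique, gidNumber equal to the one given to Domain Users, both inside the smb.conf idmap range) are easy to get wrong by hand, so the following added example, not part of the thread, builds the modify record in the shape shown above and checks it before it goes anywhere near ldbmodify. The existing uidNumbers, the Domain Users gidNumber and the smb.conf line are constructed sample values; unixUserPassword is left out since the thread says only uidNumber and gidNumber are really needed.

```python
import re

# Constructed sample state (not from the thread): uidNumbers already handed
# out, the gidNumber given to Domain Users, and the smb.conf idmap line.
EXISTING_UIDS = {10000, 10001}
DOMAIN_USERS_GID = 10000
SMB_CONF_LINE = "idmap config EXAMPLE : range = 10000-999999"


def parse_idmap_range(smb_conf_line):
    """Return (low, high) from an 'idmap config ... : range = low-high' line."""
    m = re.search(r"range\s*=\s*(\d+)\s*-\s*(\d+)", smb_conf_line)
    if not m:
        raise ValueError("no idmap range found in smb.conf line")
    return int(m.group(1)), int(m.group(2))


def rfc2307_ldif(cn, uid, uid_number, gid_number, domain_dn, nis_domain,
                 shell="/bin/bash"):
    """Build a 'changetype: modify' record with the attributes from the thread."""
    adds = [("uid", uid), ("msSFU30Name", uid), ("msSFU30NisDomain", nis_domain),
            ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
            ("loginShell", shell), ("unixHomeDirectory", f"/home/{uid}")]
    lines = [f"dn: CN={cn},CN=Users,{domain_dn}", "changetype: modify"]
    for attr, value in adds:
        lines += [f"add: {attr}", f"{attr}: {value}", "-"]
    lines.pop()  # no '-' after the final change, matching the LDIF in the thread
    return "\n".join(lines) + "\n"


def check_ldif(ldif, existing_uids, domain_users_gid, idmap_range):
    """Return a list of problems; an empty list means the record is safe to import."""
    attrs = dict(re.findall(r"^(uidNumber|gidNumber): (\d+)$", ldif, re.M))
    low, high = idmap_range
    problems = []
    for name in ("uidNumber", "gidNumber"):
        if name not in attrs:
            problems.append(f"{name} missing")
        elif not low <= int(attrs[name]) <= high:
            problems.append(f"{name} {attrs[name]} outside idmap range {low}-{high}")
    if "uidNumber" in attrs and int(attrs["uidNumber"]) in existing_uids:
        problems.append(f"uidNumber {attrs['uidNumber']} already in use")
    if "gidNumber" in attrs and int(attrs["gidNumber"]) != domain_users_gid:
        problems.append(f"gidNumber {attrs['gidNumber']} differs from Domain Users")
    return problems


if __name__ == "__main__":
    rec = rfc2307_ldif("John Doe", "john", 10002, 10000, "DC=example,DC=com", "example")
    print(rec, check_ldif(rec, EXISTING_UIDS, DOMAIN_USERS_GID, parse_idmap_range(SMB_CONF_LINE)))
```

Write the returned record to a file and pass it to ldbmodify as shown above only when check_ldif returns an empty list.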
