[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Fri Aug 8 07:14:59 MDT 2014
I am still stuck here. Both member servers are ignoring the gidNumber
and uidNumber attributes and are assigning their own numbers and I
cannot figure out why. Leaving the domain, uninstalling S4, building the
latest, and reinstalling does not fix the issue.
On 08/07/2014 02:28 PM, Ryan Ashley wrote:
> Alright, I also checked and I was right, I set "uidNumber" and
> "gidNumber". Pictures are attached. So with these set, why are they
> not pulling across to my member servers?
>
> I do have screenshots showing the correct attributes set in ADUC, but
> they're note pulling across to my member servers.
>
> On 08/07/2014 11:22 AM, Ryan Ashley wrote:
>> I figured it out, but it won't let me import it.
>>
>> root at dc01:~# ldbmodify -H /var/lib/samba/private/sam.ldb
>> /root/ypServ30.ldif --option="dsdb:schema update allowed"=true
>> ERR: (Entry already exists) "Entry
>> CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan already
>> exists" on DN CN=ypServ30,CN=RpcServices,CN=System,dc=truevine,dc=lan
>> at block before line 5
>> Modify failed after processing 0 records
>> root at dc01:~#
>>
>> So this means it is already there, right? If so, what must I do here?
>> I am going to check, but I do not remember seeing an attribute called
>> "gidNumber", only "gid".
>>
>> On 08/07/2014 10:24 AM, Ryan Ashley wrote:
>>> Alright, new problem. That ypServ30.ldif file is asking for all
>>> kinds of information I do not know or know how to get. I am ASSUMING
>>> the "domain dn" it is asking for is "dc=truevine,dc=lan". However,
>>> it also needs to know a NISDOMAIN variable and that I do not have a
>>> clue about. Is there a guide dedicated just to editing this file? I
>>> don't have a NIS domain to my knowledge. I just want to import the
>>> file so I can set my attributes. This is kind of complicated just to
>>> add a few (four?) attributes to my schema.
>>>
>>> So, what do I set all these things in the LDIF file to? Is there a
>>> way I can look them up?
>>>
>>> On 08/07/2014 09:42 AM, Ryan Ashley wrote:
>>>> Thanks, Rowland. I just got in this morning and think it finally
>>>> all fell into place. You mentioned an LDIF file in a prior email. I
>>>> assume that if I import that LDIF file, it creates the attributes I
>>>> need. After that, I should be able to set them as you stated. Is
>>>> this correct?
>>>>
>>>> My current plan is to re-read your emails and find the file you
>>>> mentioned. If it does indeed add those attributes, I will import it
>>>> and try setting them as you stated. If it works, I will report
>>>> success and summarize what this entire thread was about for others
>>>> to learn from without reading it all.
>>>>
>>>> On 08/07/2014 05:16 AM, Rowland Penny wrote:
>>>>> On 06/08/14 22:24, Ryan Ashley wrote:
>>>>>> I have tried your suggestions, and some I had found prior to
>>>>>> falling back on the mailing list so I already knew some would not
>>>>>> work. I was not asked for a response after being pointed to the
>>>>>> material so I did not provide one.
>>>>>>
>>>>>> Yes, I am very busy as I work as the lead IT and IS specialist in
>>>>>> a small business. I cannot devote weeks to a single problem as I
>>>>>> handle dozens a day, many resolved within 24hrs. This issue has
>>>>>> been on-going due to the fact that I have already tried a ton of
>>>>>> what is out there, and as for your "Google search", dozens of
>>>>>> those are the same posts regurgitated on numerous sites. I went
>>>>>> through an entire page a week or so back and every single link on
>>>>>> the page was to the exact same post, on numerous sits that have
>>>>>> board-readers that simply read the samba lists among others and
>>>>>> duplicate the posts. Useless! I'd say out of 1.9mil results,
>>>>>> about 500k are unique. I am getting to where I dislike Google for
>>>>>> this reason, but that is another discussion.
>>>>>>
>>>>>> I am also happy to hear that you can afford to blow thousands on
>>>>>> a simple DVD. Low-income businesses, churches, and what-not
>>>>>> cannot. Yes, we know of open-licensing and manage it for several
>>>>>> clients, but many people are not willing to spend anything right
>>>>>> now if there is a viable alternative. Seeing that S4 has worked
>>>>>> flawlessly for two years at a few locations, this fit the
>>>>>> client's needs and we installed it. Something is just different
>>>>>> this time. I am learning a lot and intend to apply things like
>>>>>> the group and user ID's to other domains once we have it working
>>>>>> here to avoid future problems.
>>>>>>
>>>>>> Also, Windows has MUCH higher resource requirements than Linux.
>>>>>> On top of that $3k, how much would we have to pay to bring up the
>>>>>> hardware? Too expensive for such little gain.
>>>>>>
>>>>>> Finally, if you have taken some personal offense to something,
>>>>>> speak up. You offered assistance, I took what I had not already
>>>>>> tried and tried it. You did not ask for results, so I assumed the
>>>>>> fact that I was still asking for help would have been a clue that
>>>>>> the suggestion was no good. Every time anybody asked for
>>>>>> anything, including configuration files, I posted them, so
>>>>>> there's no need to be bitter. Simply point out that I may have
>>>>>> missed something and I'll try it or let you know I already did.
>>>>>>
>>>>>> On 8/6/2014 3:57 PM, steve wrote:
>>>>>>> On Wed, 2014-08-06 at 13:50 -0400, Ryan Ashley wrote:
>>>>>>>
>>>>>>>> What information have I not answered fully?
>>>>>>> Most of the suggestions and tips we have given. As an example,
>>>>>>> you said
>>>>>>> that you wanted to add IDs to your users. You were sent a link
>>>>>>> to help
>>>>>>> you look up what you said you, 'had no idea how'. You ignored
>>>>>>> that, so
>>>>>>> we sent you concrete examples to try. Still nothing.
>>>>>>>
>>>>>>> You are a, 'VERY BUSY person', are you? Well, I can only urge
>>>>>>> everyone
>>>>>>> here to jump on your case. I repeat. With a 2012 R2 licence and
>>>>>>> 90 days
>>>>>>> reduced rate licence, you would have been up days ago for this
>>>>>>> side of
>>>>>>> $3000
>>>>>>>
>>>>>>> Cheers, and EOT from us,
>>>>>>> Steve
>>>>>>>
>>>>>>
>>>>> Active Directory works differently from Linux, it uses SID's and
>>>>> RID's, Linux uses UID's and GID's. To use AD users as Linux users
>>>>> you somehow have to convert the SID's and RID's to UID's and
>>>>> GID's. There are several ways to do this by using programs like
>>>>> winbind, nslcd or sssd, but they all boil down to the same two
>>>>> ways, you either create a UID/GID from the RID or you give the
>>>>> user/group a uidNumber/gidNumber.
>>>>>
>>>>> That is:
>>>>> A user is given a uidNumber and gidNumber
>>>>> A group is given a gidNumber
>>>>>
>>>>> uidNumber and gidNumber are the attribute names, not uid or gid or
>>>>> anything else.
>>>>>
>>>>> The only way (at the moment) to ensure that your users/groups get
>>>>> the same ID everywhere in the domain is to use RFC2307 attributes.
>>>>>
>>>>> see here for info on RFC2307:
>>>>>
>>>>> https://www.ietf.org/rfc/rfc2307.txt
>>>>>
>>>>> How you add these RFC2307 attributes is up to you, the easiest way
>>>>> is to use ADUC, but you say that you do not have the
>>>>> UNIX-Attributes tab on your users and groups, I also had this
>>>>> problem and solved it by searching the internet. I posted a link
>>>>> to one of the pages I used, so I do not propose to go over old
>>>>> ground yet again.
>>>>>
>>>>> If you cannot get the ADUC tab to work for you, then you can
>>>>> always use ldb-tools to add the attributes, either by using
>>>>> ldbedit and directly modifying the user/group or by creating an
>>>>> ldif and using ldbmodify to add this. A typical ldif for a user
>>>>> called John Doe created on a windows machine would be:
>>>>>
>>>>> dn: CN=John Doe,CN=Users,DC=example,DC=com
>>>>> changetype: modify
>>>>> add: uid
>>>>> uid: john
>>>>> -
>>>>> add: msSFU30Name
>>>>> msSFU30Name: john
>>>>> -
>>>>> add: msSFU30NisDomain
>>>>> msSFU30NisDomain: example
>>>>> -
>>>>> add: uidNumber
>>>>> uidNumber: 10000
>>>>> -
>>>>> add: gidNumber
>>>>> gidNumber: 10000
>>>>> -
>>>>> add: loginShell
>>>>> loginShell: /bin/bash
>>>>> -
>>>>> add: unixHomeDirectory
>>>>> unixHomeDirectory: /home/john
>>>>> -
>>>>> add: unixUserPassword
>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>
>>>>> The above ldif is exactly the way that ADUC does it
>>>>> (ABCD!efgh12345$67890 is the unixUserPassword that ADUC gives
>>>>> every unix user), but you only really need the uidNumber &
>>>>> gidNumber. the uidNumber needs to be a unique number and the
>>>>> gidNumber will be the users primary Unix group (usually Domain
>>>>> Users) so that number needs to be what ever you gave to your main
>>>>> Unix group i.e. Domain Users needs to have the gidNumber '10000'
>>>>>
>>>>> You would add the above ldif like this:
>>>>>
>>>>> root at dc1:~# kinit
>>>>> Password for administrator at EXAMPLE.COM:
>>>>> root at dc1:~# ldbmodify --url=ldap://dc1.example.com --kerberos=yes
>>>>> --krb5-ccache=/tmp/krb5cc_0" /path_to/ldif
>>>>>
>>>>> Replacing 'dc1.example.com' with your S4 AD DC FQDN and
>>>>> '/path_to/ldif' with the full path and name of your ldif, and of
>>>>> course you need to run all of this on the S4 AD DC.
>>>>>
>>>>> the uidNumber and gidNumber ranges can be identical, in fact this
>>>>> is the way that ADUC works, but whatever range you do use, must be
>>>>> reflected in smb.conf
>>>>> i.e. 'idmap config EXAMPLE : range = 10000-999999'.
>>>>>
>>>>> Just why you renamed the Administrator account, before you got
>>>>> everything working, escapes me, in fact most people probably never
>>>>> bother, so I would suggest that you rename the account back again,
>>>>> at least until you get everything working correctly.
>>>>>
>>>>> Do not give the Administrator account a uidNumber or gidNumber,
>>>>> create a new user and give this new user the required RFC2307
>>>>> attributes.
>>>>>
>>>>> Once you have added the gidNumber to Domain Users and added the
>>>>> ldif to John Doe, running (on a client joined to the domain)
>>>>> 'getent passwd' should show a line for John Doe and 'getent group
>>>>> Domain\ Users' should show the info for Domain Users.
>>>>>
>>>>> This will be my last post on this thread.
>>>>>
>>>>> Rowland
>>>>
>>>
>>
>
More information about the samba
mailing list