[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Fri Aug 8 07:45:21 MDT 2014

Alright, I believe I figured something out, but may be mistaken. Again, 
I don't see anything in plain English explaining, so this is my guess. 
Please let me know if I am right.

   netbios name = FS01
   workgroup = TRUEVINE
   security = ADS
   realm = TRUEVINE.LAN
   encrypt passwords = yes
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config TRUEVINE:backend = ad
   idmap config TRUEVINE:schema_mode = rfc2307
   idmap config TRUEVINE:range = 10001-40000

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   auth methods = winbind

The line "idmap config *:range = 70001-80000" assigns a unique ID to 
anybody who is not in the Truevine domain or who does not have a 
uidNumber/gidNumber attribute set. Is this correct? This is where all of 
my users and groups are getting IDs from.

Now, the line "idmap config TRUEVINE:range = 10001-40000" is the range 
of uidNumber/gidNumber attributes to search. This is the range set aside 
for domain users and groups, so I assume if I set this to something over 
100k, it would never find anything. However, it is not finding the 
uidNumber/gidNumber attributes in this range (which is everybody) for 
some reason, and the users wind up with 70001 and above for their IDs. 
So what am I doing wrong?

On 08/08/2014 09:14 AM, Ryan Ashley wrote:
> I am still stuck here. Both member servers are ignoring the gidNumber 
> and uidNumber attributes and are assigning their own numbers and I 
> cannot figure out why. Leaving the domain, uninstalling S4, building 
> the latest, and reinstalling does not fix the issue.
> On 08/07/2014 02:28 PM, Ryan Ashley wrote:
>> Alright, I also checked and I was right, I set "uidNumber" and 
>> "gidNumber". Pictures are attached. So with these set, why are they 
>> not pulling across to my member servers?
>> I do have screenshots showing the correct attributes set in ADUC, but 
>> they're not pulling across to my member servers.
>> On 08/07/2014 11:22 AM, Ryan Ashley wrote:
>>> I figured it out, but it won't let me import it.
>>> root at dc01:~# ldbmodify -H /var/lib/samba/private/sam.ldb 
>>> /root/ypServ30.ldif --option="dsdb:schema update allowed"=true
>>> ERR: (Entry already exists) "Entry 
>>> CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan already 
>>> exists" on DN 
>>> CN=ypServ30,CN=RpcServices,CN=System,dc=truevine,dc=lan at block 
>>> before line 5
>>> Modify failed after processing 0 records
>>> root at dc01:~#
>>> So this means it is already there, right? If so, what must I do 
>>> here? I am going to check, but I do not remember seeing an attribute 
>>> called "gidNumber", only "gid".
>>> On 08/07/2014 10:24 AM, Ryan Ashley wrote:
>>>> Alright, new problem. That ypServ30.ldif file is asking for all 
>>>> kinds of information I do not know or know how to get. I am 
>>>> ASSUMING the "domain dn" it is asking for is "dc=truevine,dc=lan". 
>>>> However, it also needs to know a NISDOMAIN variable and that I do 
>>>> not have a clue about. Is there a guide dedicated just to editing 
>>>> this file? I don't have a NIS domain to my knowledge. I just want 
>>>> to import the file so I can set my attributes. This is kind of 
>>>> complicated just to add a few (four?) attributes to my schema.
>>>> So, what do I set all these things in the LDIF file to? Is there a 
>>>> way I can look them up?
>>>> On 08/07/2014 09:42 AM, Ryan Ashley wrote:
>>>>> Thanks, Rowland. I just got in this morning and think it finally 
>>>>> all fell into place. You mentioned an LDIF file in a prior email. 
>>>>> I assume that if I import that LDIF file, it creates the 
>>>>> attributes I need. After that, I should be able to set them as you 
>>>>> stated. Is this correct?
>>>>> My current plan is to re-read your emails and find the file you 
>>>>> mentioned. If it does indeed add those attributes, I will import 
>>>>> it and try setting them as you stated. If it works, I will report 
>>>>> success and summarize what this entire thread was about for others 
>>>>> to learn from without reading it all.
>>>>> On 08/07/2014 05:16 AM, Rowland Penny wrote:
>>>>>> On 06/08/14 22:24, Ryan Ashley wrote:
>>>>>>> I have tried your suggestions, and some I had found prior to 
>>>>>>> falling back on the mailing list so I already knew some would 
>>>>>>> not work. I was not asked for a response after being pointed to 
>>>>>>> the material so I did not provide one.
>>>>>>> Yes, I am very busy as I work as the lead IT and IS specialist 
>>>>>>> in a small business. I cannot devote weeks to a single problem 
>>>>>>> as I handle dozens a day, many resolved within 24hrs. This issue 
>>>>>>> has been on-going due to the fact that I have already tried a 
>>>>>>> ton of what is out there, and as for your "Google search", 
>>>>>>> dozens of those are the same posts regurgitated on numerous 
>>>>>>> sites. I went through an entire page a week or so back and every 
>>>>>>> single link on the page was to the exact same post, on numerous 
>>>>>>> sites that have board-readers that simply read the samba lists 
>>>>>>> among others and duplicate the posts. Useless! I'd say out of 
>>>>>>> 1.9mil results, about 500k are unique. I am getting to where I 
>>>>>>> dislike Google for this reason, but that is another discussion.
>>>>>>> I am also happy to hear that you can afford to blow thousands on 
>>>>>>> a simple DVD. Low-income businesses, churches, and what-not 
>>>>>>> cannot. Yes, we know of open-licensing and manage it for several 
>>>>>>> clients, but many people are not willing to spend anything right 
>>>>>>> now if there is a viable alternative. Seeing that S4 has worked 
>>>>>>> flawlessly for two years at a few locations, this fit the 
>>>>>>> client's needs and we installed it. Something is just different 
>>>>>>> this time. I am learning a lot and intend to apply things like 
>>>>>>> the group and user ID's to other domains once we have it working 
>>>>>>> here to avoid future problems.
>>>>>>> Also, Windows has MUCH higher resource requirements than Linux. 
>>>>>>> On top of that $3k, how much would we have to pay to bring up 
>>>>>>> the hardware? Too expensive for such little gain.
>>>>>>> Finally, if you have taken some personal offense to something, 
>>>>>>> speak up. You offered assistance, I took what I had not already 
>>>>>>> tried and tried it. You did not ask for results, so I assumed 
>>>>>>> the fact that I was still asking for help would have been a clue 
>>>>>>> that the suggestion was no good. Every time anybody asked for 
>>>>>>> anything, including configuration files, I posted them, so 
>>>>>>> there's no need to be bitter. Simply point out that I may have 
>>>>>>> missed something and I'll try it or let you know I already did.
>>>>>>> On 8/6/2014 3:57 PM, steve wrote:
>>>>>>>> On Wed, 2014-08-06 at 13:50 -0400, Ryan Ashley wrote:
>>>>>>>>> What information have I not answered fully?
>>>>>>>> Most of the suggestions and tips we have given. As an example, 
>>>>>>>> you said
>>>>>>>> that you wanted to add IDs to your users. You were sent a link 
>>>>>>>> to help
>>>>>>>> you look up what you said you, 'had no idea how'. You ignored 
>>>>>>>> that, so
>>>>>>>> we sent you concrete examples to try. Still nothing.
>>>>>>>> You are a, 'VERY BUSY person', are you? Well, I can only urge 
>>>>>>>> everyone
>>>>>>>> here to jump on your case. I repeat. With a 2012 R2 licence and 
>>>>>>>> 90 days
>>>>>>>> reduced rate licence, you would have been up days ago for this 
>>>>>>>> side of
>>>>>>>> $3000
>>>>>>>> Cheers, and EOT from us,
>>>>>>>> Steve
>>>>>> Active Directory works differently from Linux, it uses SIDs and 
>>>>>> RIDs, Linux uses UIDs and GIDs. To use AD users as Linux users 
>>>>>> you somehow have to convert the SIDs and RIDs to UIDs and 
>>>>>> GIDs. There are several ways to do this by using programs like 
>>>>>> winbind, nslcd or sssd, but they all boil down to the same two 
>>>>>> ways, you either create a UID/GID from the RID or you give the 
>>>>>> user/group a uidNumber/gidNumber.
>>>>>> That is:
>>>>>> A user is given a uidNumber and gidNumber
>>>>>> A group is given a gidNumber
>>>>>> uidNumber and gidNumber are the attribute names, not uid or gid 
>>>>>> or anything else.
>>>>>> The only way (at the moment) to ensure that your users/groups get 
>>>>>> the same ID everywhere in the domain is to use RFC2307 attributes.
>>>>>> see here for info on RFC2307:
>>>>>> https://www.ietf.org/rfc/rfc2307.txt
>>>>>> How you add these RFC2307 attributes is up to you, the easiest 
>>>>>> way is to use ADUC, but you say that you do not have the 
>>>>>> UNIX-Attributes tab on your users and groups, I also had this 
>>>>>> problem and solved it by searching the internet. I posted a link 
>>>>>> to one of the pages I used, so I do not propose to go over old 
>>>>>> ground yet again.
>>>>>> If you cannot get the ADUC tab to work for you, then you can 
>>>>>> always use ldb-tools to add the attributes, either by using 
>>>>>> ldbedit and directly modifying the user/group or by creating an 
>>>>>> ldif and using ldbmodify to add this. A typical ldif for a user 
>>>>>> called John Doe created on a windows machine would be:
>>>>>> dn: CN=John Doe,CN=Users,DC=example,DC=com
>>>>>> changetype: modify
>>>>>> add: uid
>>>>>> uid: john
>>>>>> -
>>>>>> add: msSFU30Name
>>>>>> msSFU30Name: john
>>>>>> -
>>>>>> add: msSFU30NisDomain
>>>>>> msSFU30NisDomain: example
>>>>>> -
>>>>>> add: uidNumber
>>>>>> uidNumber: 10000
>>>>>> -
>>>>>> add: gidNumber
>>>>>> gidNumber: 10000
>>>>>> -
>>>>>> add: loginShell
>>>>>> loginShell: /bin/bash
>>>>>> -
>>>>>> add: unixHomeDirectory
>>>>>> unixHomeDirectory: /home/john
>>>>>> -
>>>>>> add: unixUserPassword
>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>> The above ldif is exactly the way that ADUC does it 
>>>>>> (ABCD!efgh12345$67890 is the unixUserPassword that ADUC gives 
>>>>>> every unix user), but you only really need the uidNumber & 
>>>>>> gidNumber. The uidNumber needs to be a unique number and the 
>>>>>> gidNumber will be the user's primary Unix group (usually Domain 
>>>>>> Users) so that number needs to be whatever you gave to your main 
>>>>>> Unix group, i.e. Domain Users needs to have the gidNumber '10000'.
>>>>>> You would add the above ldif like this:
>>>>>> root at dc1:~# kinit
>>>>>> Password for administrator at EXAMPLE.COM:
>>>>>> root at dc1:~# ldbmodify --url=ldap://dc1.example.com --kerberos=yes 
>>>>>> --krb5-ccache=/tmp/krb5cc_0 /path_to/ldif
>>>>>> Replacing 'dc1.example.com' with your S4 AD DC FQDN and 
>>>>>> '/path_to/ldif' with the full path and name of your ldif, and of 
>>>>>> course you need to run all of this on the S4 AD DC.
>>>>>> The uidNumber and gidNumber ranges can be identical, in fact this 
>>>>>> is the way that ADUC works, but whatever range you do use must 
>>>>>> be reflected in smb.conf, 
>>>>>> i.e. 'idmap config EXAMPLE : range = 10000-999999'.
>>>>>> Just why you renamed the Administrator account, before you got 
>>>>>> everything working, escapes me, in fact most people probably 
>>>>>> never bother, so I would suggest that you rename the account back 
>>>>>> again, at least until you get everything working correctly.
>>>>>> Do not give the Administrator account a uidNumber or gidNumber, 
>>>>>> create a new user and give this new user the required RFC2307 
>>>>>> attributes.
>>>>>> Once you have added the gidNumber to Domain Users and added the 
>>>>>> ldif to John Doe, running (on a client joined to the domain) 
>>>>>> 'getent passwd' should show a line for John Doe and 'getent group 
>>>>>> Domain\ Users' should show the info for Domain Users.
>>>>>> This will be my last post on this thread.
>>>>>> Rowland
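As an added example (not code from the thread or from Samba), a Python check covering the two points discussed above: Ryan's question about which idmap range his users end up in, and Rowland's rules that every uidNumber be unique, that a user's gidNumber equal the primary group's (Domain Users) gidNumber, and that both lie inside the range given in smb.conf. The idmap lines are the ones from the smb.conf quoted above; the user and group attribute values are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: the idmap lines from the smb.conf quoted in the thread.
SMB_CONF = """
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config TRUEVINE:backend = ad
   idmap config TRUEVINE:schema_mode = rfc2307
   idmap config TRUEVINE:range = 10001-40000
"""
# Constructed RFC2307 values (made-up): group -> gidNumber, user -> (uidNumber, gidNumber).
GROUPS = {"Domain Users": 10001, "Staff": 10000}
USERS = {
    "john": (10002, 10001),   # correct
    "bob": (10003, 10001),    # same uidNumber as ted
    "ted": (10003, 10001),
    "alice": (50000, 10001),  # uidNumber outside the TRUEVINE range
    "carol": (None, None),    # attributes never set
    "dave": (10004, 10000),   # gidNumber is Staff's, not Domain Users'
}

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    pat = r"idmap config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    return {d: (int(lo), int(hi)) for d, lo, hi in re.findall(pat, conf)}

def check_rfc2307(users, groups, ranges, domain, primary_group="Domain Users"):
    """Explain why each object would not get its intended domain ID: a missing
    or out-of-range uidNumber/gidNumber cannot be used by the ad backend, and on
    the poster's servers such users got IDs from the '*' tdb range instead."""
    low, high = ranges[domain]
    problems = {}
    def note(key, msg):
        problems.setdefault(key, []).append(msg)
    for gname, gid in groups.items():
        if gid is None or not low <= gid <= high:
            note(f"group {gname}", f"gidNumber {gid} outside {domain} range {low}-{high}")
    uid_count = Counter(uid for uid, _ in users.values() if uid is not None)
    want_gid = groups.get(primary_group)
    for name, (uid, gid) in users.items():
        if uid is None:
            note(name, "no uidNumber: ID would come from the '*' tdb range")
        elif not low <= uid <= high:
            note(name, f"uidNumber {uid} outside {domain} range {low}-{high}")
        elif uid_count[uid] > 1:
            note(name, f"uidNumber {uid} is shared with another user")
        if gid != want_gid:
            note(name, f"gidNumber {gid} is not {primary_group}'s gidNumber {want_gid}")
    return problems
```

Running the check against attributes exported from AD before joining member servers shows which accounts would land in the catch-all range and so own files under different IDs on each server.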
