[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Fri Aug 8 08:50:50 MDT 2014

Actually, I am quite cool. I am confused with the mountain of 
information I have been handed. I am very appreciative (as I said 
before) of the help you and Steve have offered. I do not believe you 
understand me however. I am a VERY logical person. Telling me something 
without an understanding of why, I am hesitant to just accept it. Try 
it? Sure! But I need to understand why it works or does not work. I am 
honestly not angry and am not trying to get under your skin. I am simply 
trying to solve a problem that must be over my head.

As to your question, I answered it in my last post. All of my users have 
uidNumber and gidNumber set, and they are ALL in the 10001-40000 range. 
I stated this in the last post. The one you replied to. This is why I am 
confused. I DID go read a lot of information over the past 24hr period 
and I have all of my uidNumber and gidNumber attributes between 10001 
and 40000. In fact, I max these somewhere between 10040 and 10050, 
though I do not remember EXACTLY what it is. I can look if needed.

Also, I was not using the domain admin as a normal account. We simply 
rename the account as a security measure. We did not do anything else to 
it. I do not even log in on the boxes with it unless it is absolutely 
needed. I simply used it because I was not told not to get the 
information requested from the domain admin account. Had I been told to 
use a regular account and not the domain admin, I would have happily 
done so.

So let me recap. You see my config. Every user and group is assigned a 
unique ID between 10001 and 40000. They are still being assigned 70001 
and above. Winbind and all of the S4 utilities appear to be working. 
SIDs are resolved and can be resolved back to names. My only issue is 
likely a configuration problem, but based on what you two have told me 
AND what I have read, my configuration APPEARS to be correct. So from my 
perspective, I have a correct configuration based on what I have been 
told, but it is not working. I am sorry if this comes across as being a 
nuisance, but I am genuinely NOT trying to offend anybody, I just want 
it working. I am sorry for whatever was said to offend you because I 
have VERY MUCH appreciated your time which you are not being paid for. 
Just remember that you are the Samba professional, I am still learning 
the new S4 stuff.

uidNumber/gidNumber in AD: 10001-40000 (matches config)

On 08/08/2014 10:21 AM, Rowland Penny wrote:
> On 08/08/14 14:45, Ryan Ashley wrote:
>> Alright, I believe I figured something out, but may be mistaken. 
>> Again, I don't see anything in plain English explaining, so this is 
>> my guess. Please let me know if I am right.
>> [global]
>>   netbios name = FS01
>>   workgroup = TRUEVINE
>>   security = ADS
>>   realm = TRUEVINE.LAN
>>   encrypt passwords = yes
>>   dedicated keytab file = /etc/krb5.keytab
>>   kerberos method = secrets and keytab
>>   idmap config *:backend = tdb
>>   idmap config *:range = 70001-80000
>>   idmap config TRUEVINE:backend = ad
>>   idmap config TRUEVINE:schema_mode = rfc2307
>>   idmap config TRUEVINE:range = 10001-40000
>>   winbind nss info = rfc2307
>>   winbind trusted domains only = no
>>   winbind use default domain = yes
>>   winbind enum users = yes
>>   winbind enum groups = yes
>>   vfs objects = acl_xattr
>>   map acl inherit = yes
>>   store dos attributes = yes
>>   auth methods = winbind
>> The line "idmap config *:range = 70001-80000" assigns a unique ID to 
>> anybody who is not in the Truevine domain or who does not have a 
>> uidNumber/gidNumber attribute set. Is this correct? This is where all 
>> of my users and groups are getting ID's from.
>> Now, the line "idmap config TRUEVINE:range = 10001-40000" is the 
>> range of uidNumber/gidNumber attributes to search. This is the range 
>> set aside for domain users and groups, so I assume if I set this to 
>> something over 100k, it would never find anything. However, it is not 
>> finding the uidNumber/gidNumber attributes in this range (which is 
>> everybody) for some reason, and the users wind up with 70001 and 
>> above for their ID's. So what am I doing wrong?
>> On 08/08/2014 09:14 AM, Ryan Ashley wrote:
>>> I am still stuck here. Both member servers are ignoring the 
>>> gidNumber and uidNumber attributes and are assigning their own 
>>> numbers and I cannot figure out why. Leaving the domain, 
>>> uninstalling S4, building the latest, and reinstalling does not fix 
>>> the issue.
>>> On 08/07/2014 02:28 PM, Ryan Ashley wrote:
>>>> Alright, I also checked and I was right, I set "uidNumber" and 
>>>> "gidNumber". Pictures are attached. So with these set, why are they 
>>>> not pulling across to my member servers?
>>>> I do have screenshots showing the correct attributes set in ADUC, 
>>>> but they're not pulling across to my member servers.
>>>> On 08/07/2014 11:22 AM, Ryan Ashley wrote:
>>>>> I figured it out, but it won't let me import it.
>>>>> root at dc01:~# ldbmodify -H /var/lib/samba/private/sam.ldb 
>>>>> /root/ypServ30.ldif --option="dsdb:schema update allowed"=true
>>>>> ERR: (Entry already exists) "Entry 
>>>>> CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan already 
>>>>> exists" on DN 
>>>>> CN=ypServ30,CN=RpcServices,CN=System,dc=truevine,dc=lan at block 
>>>>> before line 5
>>>>> Modify failed after processing 0 records
>>>>> root at dc01:~#
>>>>> So this means it is already there, right? If so, what must I do 
>>>>> here? I am going to check, but I do not remember seeing an 
>>>>> attribute called "gidNumber", only "gid".
>>>>> On 08/07/2014 10:24 AM, Ryan Ashley wrote:
>>>>>> Alright, new problem. That ypServ30.ldif file is asking for all 
>>>>>> kinds of information I do not know or know how to get. I am 
>>>>>> ASSUMING the "domain dn" it is asking for is 
>>>>>> "dc=truevine,dc=lan". However, it also needs to know a NISDOMAIN 
>>>>>> variable and that I do not have a clue about. Is there a guide 
>>>>>> dedicated just to editing this file? I don't have a NIS domain to 
>>>>>> my knowledge. I just want to import the file so I can set my 
>>>>>> attributes. This is kind of complicated just to add a few (four?) 
>>>>>> attributes to my schema.
>>>>>> So, what do I set all these things in the LDIF file to? Is there 
>>>>>> a way I can look them up?
>>>>>> On 08/07/2014 09:42 AM, Ryan Ashley wrote:
>>>>>>> Thanks, Rowland. I just got in this morning and think it finally 
>>>>>>> all fell into place. You mentioned an LDIF file in a prior 
>>>>>>> email. I assume that if I import that LDIF file, it creates the 
>>>>>>> attributes I need. After that, I should be able to set them as 
>>>>>>> you stated. Is this correct?
>>>>>>> My current plan is to re-read your emails and find the file you 
>>>>>>> mentioned. If it does indeed add those attributes, I will import 
>>>>>>> it and try setting them as you stated. If it works, I will 
>>>>>>> report success and summarize what this entire thread was about 
>>>>>>> for others to learn from without reading it all.
>>>>>>> On 08/07/2014 05:16 AM, Rowland Penny wrote:
>>>>>>>> On 06/08/14 22:24, Ryan Ashley wrote:
>>>>>>>>> I have tried your suggestions, and some I had found prior to 
>>>>>>>>> falling back on the mailing list so I already knew some would 
>>>>>>>>> not work. I was not asked for a response after being pointed 
>>>>>>>>> to the material so I did not provide one.
>>>>>>>>> Yes, I am very busy as I work as the lead IT and IS specialist 
>>>>>>>>> in a small business. I cannot devote weeks to a single problem 
>>>>>>>>> as I handle dozens a day, many resolved within 24hrs. This 
>>>>>>>>> issue has been on-going due to the fact that I have already 
>>>>>>>>> tried a ton of what is out there, and as for your "Google 
>>>>>>>>> search", dozens of those are the same posts regurgitated on 
>>>>>>>>> numerous sites. I went through an entire page a week or so 
>>>>>>>>> back and every single link on the page was to the exact same 
>>>>>>>>> post, on numerous sites that have board-readers that simply 
>>>>>>>>> read the samba lists among others and duplicate the posts. 
>>>>>>>>> Useless! I'd say out of 1.9mil results, about 500k are unique. 
>>>>>>>>> I am getting to where I dislike Google for this reason, but 
>>>>>>>>> that is another discussion.
>>>>>>>>> I am also happy to hear that you can afford to blow thousands 
>>>>>>>>> on a simple DVD. Low-income businesses, churches, and what-not 
>>>>>>>>> cannot. Yes, we know of open-licensing and manage it for 
>>>>>>>>> several clients, but many people are not willing to spend 
>>>>>>>>> anything right now if there is a viable alternative. Seeing 
>>>>>>>>> that S4 has worked flawlessly for two years at a few 
>>>>>>>>> locations, this fit the client's needs and we installed it. 
>>>>>>>>> Something is just different this time. I am learning a lot and 
>>>>>>>>> intend to apply things like the group and user ID's to other 
>>>>>>>>> domains once we have it working here to avoid future problems.
>>>>>>>>> Also, Windows has MUCH higher resource requirements than 
>>>>>>>>> Linux. On top of that $3k, how much would we have to pay to 
>>>>>>>>> bring up the hardware? Too expensive for such little gain.
>>>>>>>>> Finally, if you have taken some personal offense to something, 
>>>>>>>>> speak up. You offered assistance, I took what I had not 
>>>>>>>>> already tried and tried it. You did not ask for results, so I 
>>>>>>>>> assumed the fact that I was still asking for help would have 
>>>>>>>>> been a clue that the suggestion was no good. Every time 
>>>>>>>>> anybody asked for anything, including configuration files, I 
>>>>>>>>> posted them, so there's no need to be bitter. Simply point out 
>>>>>>>>> that I may have missed something and I'll try it or let you 
>>>>>>>>> know I already did.
>>>>>>>>> On 8/6/2014 3:57 PM, steve wrote:
>>>>>>>>>> On Wed, 2014-08-06 at 13:50 -0400, Ryan Ashley wrote:
>>>>>>>>>>> What information have I not answered fully?
>>>>>>>>>> Most of the suggestions and tips we have given. As an 
>>>>>>>>>> example, you said
>>>>>>>>>> that you wanted to add IDs to your users. You were sent a 
>>>>>>>>>> link to help
>>>>>>>>>> you look up what you said you, 'had no idea how'. You ignored 
>>>>>>>>>> that, so
>>>>>>>>>> we sent you concrete examples to try. Still nothing.
>>>>>>>>>> You are a, 'VERY BUSY person', are you? Well, I can only urge 
>>>>>>>>>> everyone
>>>>>>>>>> here to jump on your case. I repeat. With a 2012 R2 licence 
>>>>>>>>>> and 90 days
>>>>>>>>>> reduced rate licence, you would have been up days ago for 
>>>>>>>>>> this side of
>>>>>>>>>> $3000
>>>>>>>>>> Cheers, and EOT from us,
>>>>>>>>>> Steve
>>>>>>>> Active Directory works differently from Linux, it uses SID's 
>>>>>>>> and RID's, Linux uses UID's and GID's. To use AD users as Linux 
>>>>>>>> users you somehow have to convert the SID's and RID's to UID's 
>>>>>>>> and GID's. There are several ways to do this by using programs 
>>>>>>>> like winbind, nslcd or sssd, but they all boil down to the same 
>>>>>>>> two ways, you either create a UID/GID from the RID or you give 
>>>>>>>> the user/group a uidNumber/gidNumber.
>>>>>>>> That is:
>>>>>>>> A user is given a uidNumber and gidNumber
>>>>>>>> A group is given a gidNumber
>>>>>>>> uidNumber and gidNumber are the attribute names, not uid or gid 
>>>>>>>> or anything else.
>>>>>>>> The only way (at the moment) to ensure that your users/groups 
>>>>>>>> get the same ID everywhere in the domain is to use RFC2307 
>>>>>>>> attributes.
>>>>>>>> see here for info on RFC2307:
>>>>>>>> https://www.ietf.org/rfc/rfc2307.txt
>>>>>>>> How you add these RFC2307 attributes is up to you, the easiest 
>>>>>>>> way is to use ADUC, but you say that you do not have the 
>>>>>>>> UNIX-Attributes tab on your users and groups, I also had this 
>>>>>>>> problem and solved it by searching the internet. I posted a 
>>>>>>>> link to one of the pages I used, so I do not propose to go over 
>>>>>>>> old ground yet again.
>>>>>>>> If you cannot get the ADUC tab to work for you, then you can 
>>>>>>>> always use ldb-tools to add the attributes, either by using 
>>>>>>>> ldbedit and directly modifying the user/group or by creating an 
>>>>>>>> ldif and using ldbmodify to add this. A typical ldif for a user 
>>>>>>>> called John Doe created on a windows machine would be:
>>>>>>>> dn: CN=John Doe,CN=Users,DC=example,DC=com
>>>>>>>> changetype: modify
>>>>>>>> add: uid
>>>>>>>> uid: john
>>>>>>>> -
>>>>>>>> add: msSFU30Name
>>>>>>>> msSFU30Name: john
>>>>>>>> -
>>>>>>>> add: msSFU30NisDomain
>>>>>>>> msSFU30NisDomain: example
>>>>>>>> -
>>>>>>>> add: uidNumber
>>>>>>>> uidNumber: 10000
>>>>>>>> -
>>>>>>>> add: gidNumber
>>>>>>>> gidNumber: 10000
>>>>>>>> -
>>>>>>>> add: loginShell
>>>>>>>> loginShell: /bin/bash
>>>>>>>> -
>>>>>>>> add: unixHomeDirectory
>>>>>>>> unixHomeDirectory: /home/john
>>>>>>>> -
>>>>>>>> add: unixUserPassword
>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>> The above ldif is exactly the way that ADUC does it 
>>>>>>>> (ABCD!efgh12345$67890 is the unixUserPassword that ADUC gives 
>>>>>>>> every unix user), but you only really need the uidNumber & 
>>>>>>>> gidNumber. The uidNumber needs to be a unique number and the 
>>>>>>>> gidNumber will be the user's primary Unix group (usually Domain 
>>>>>>>> Users) so that number needs to be whatever you gave to your 
>>>>>>>> main Unix group i.e. Domain Users needs to have the gidNumber 
>>>>>>>> '10000'
>>>>>>>> You would add the above ldif like this:
>>>>>>>> root at dc1:~# kinit
>>>>>>>> Password for administrator at EXAMPLE.COM:
>>>>>>>> root at dc1:~# ldbmodify --url=ldap://dc1.example.com 
>>>>>>>> --kerberos=yes --krb5-ccache=/tmp/krb5cc_0 /path_to/ldif
>>>>>>>> Replacing 'dc1.example.com' with your S4 AD DC FQDN and 
>>>>>>>> '/path_to/ldif' with the full path and name of your ldif, and 
>>>>>>>> of course you need to run all of this on the S4 AD DC.
>>>>>>>> the uidNumber and gidNumber ranges can be identical, in fact 
>>>>>>>> this is the way that ADUC works, but whatever range you do use, 
>>>>>>>> must be reflected in smb.conf
>>>>>>>> i.e. 'idmap config EXAMPLE : range = 10000-999999'.
>>>>>>>> Just why you renamed the Administrator account, before you got 
>>>>>>>> everything working, escapes me, in fact most people probably 
>>>>>>>> never bother, so I would suggest that you rename the account 
>>>>>>>> back again, at least until you get everything working correctly.
>>>>>>>> Do not give the Administrator account a uidNumber or gidNumber, 
>>>>>>>> create a new user and give this new user the required RFC2307 
>>>>>>>> attributes.
>>>>>>>> Once you have added the gidNumber to Domain Users and added the 
>>>>>>>> ldif to John Doe, running (on a client joined to the domain) 
>>>>>>>> 'getent passwd' should show a line for John Doe and 'getent 
>>>>>>>> group Domain\ Users' should show the info for Domain Users.
>>>>>>>> This will be my last post on this thread.
>>>>>>>> Rowland
> I know I said that I wouldn't post on this thread again, but you are 
> doing my head in, you have taken a simple task and turned it into a 
> farce!!!
> I advised you at least once to remove this line:
> auth methods = winbind
> Here is why (taken from 'man smb.conf')
>       auth methods (G)
>            This option allows the administrator to chose what authentication
>            methods smbd will use when authenticating a user. This option
>            defaults to sensible values based on security. This should be
>            considered a developer option and used only in rare circumstances.
>            In the majority (if not all) of production servers, the default
>            setting should be adequate.
>            Default: auth methods =
> This is also from 'man smb.conf' (abridged):
>        idmap config:OPTION (G)
>            ID mapping in Samba is the mapping between Windows SIDs and Unix
>            user and group IDs. This is performed by Winbindd with a
>            configurable plugin interface. Samba's ID mapping is configured by
>            options starting with the idmap config prefix. An idmap option
>            consists of the idmap config prefix, followed by a domain name or
>            the asterisk character (*), a colon, and the name of an idmap
>            setting for the chosen domain.
>            The following example illustrates how to configure the idmap_ad(8)
>            backend for the CORP domain and the idmap_tdb(8) backend for all
>            other domains. This configuration assumes that the admin of CORP
>            assigns unix ids below 1000000 via the SFU extensions, and winbind
>            is supposed to use the next million entries for its own mappings
>            from trusted domains and for local groups for example.
>                     idmap config * : backend = tdb
>                     idmap config * : range = 1000000-1999999
>                     idmap config CORP : backend  = ad
>                     idmap config CORP : range = 1000-999999
>
>                     idmap config *:backend = tdb
>                     idmap config *:range = 70001-80000
>                     idmap config TRUEVINE:backend = ad
>                     idmap config TRUEVINE:schema_mode = rfc2307
>                     idmap config TRUEVINE:range = 10001-40000
> What the above means is that trusted domains and local groups will get 
> mapped to numbers between 70001 and 80000, local groups etc being the 
> windows builtin ones not UNIX ones.
> Your AD users will ONLY get pulled from AD if the 
> uidNumber's/gidNumber's are between 10001 and 40000, ARE THEY ????
> Have you actually got any normal users with uidNumber's & gidNumber's, 
> the last time I heard, you were trying to use the renamed 
> Administrator account as a normal account.
> I would suggest that you go and take a running jump into Glenville 
> Lake to cool off, then come back and re-read your posts again, you 
> might then realise just what a Prat you are coming over as.
> This is definitely my last post on this thread
> Rowland
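An added check, written here and not part of this thread or of Samba's tooling: it parses the idmap config lines quoted above (both the `*:range` spelling and the man page's `CORP : range` spelling) and reports which AD user records would not be mapped by idmap_ad because their uidNumber/gidNumber is unset or outside the domain range, the symptom described in this thread. The smb.conf fragment and the user records are constructed samples, and the finding messages are my own wording.

```python
import re

# Constructed smb.conf fragment mirroring the idmap settings quoted in the thread.
SMB_CONF = """
[global]
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config TRUEVINE:backend = ad
  idmap config TRUEVINE:schema_mode = rfc2307
  idmap config TRUEVINE:range = 10001-40000
  auth methods = winbind
"""

# Constructed AD user records (as ADUC or ldbsearch would show them); None = attribute unset.
AD_USERS = [
    {"name": "jdoe", "uidNumber": 10040, "gidNumber": 10001},
    {"name": "svc-backup", "uidNumber": 50000, "gidNumber": 10001},
    {"name": "tmp-user", "uidNumber": None, "gidNumber": None},
]

# Matches both 'idmap config *:range = ...' and the man page's 'idmap config CORP : range = ...'.
IDMAP_RE = re.compile(r"^\s*idmap config\s*([^:]+?)\s*:\s*(\w+)\s*=\s*(\S+)", re.I)


def parse_idmap(conf):
    """Group 'idmap config DOMAIN:option = value' lines by domain ('*' is the default)."""
    domains = {}
    for line in conf.splitlines():
        if m := IDMAP_RE.match(line):
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return domains


def audit(conf, users, domain):
    """Return findings explaining why a user would not receive its AD uidNumber/gidNumber."""
    findings = []
    idmap = parse_idmap(conf)
    dom, default = idmap.get(domain.upper(), {}), idmap.get("*", {})
    if dom.get("backend", "").lower() != "ad":
        return [f"{domain}: backend is not 'ad', so uidNumber/gidNumber are never consulted"]
    lo, hi = map(int, dom["range"].split("-"))      # idmap_ad only maps IDs inside this range
    dlo, dhi = map(int, default["range"].split("-"))  # tdb range for trusted domains/BUILTIN
    if not (hi < dlo or dhi < lo):
        findings.append(f"ranges overlap: {domain} {lo}-{hi} vs * {dlo}-{dhi}")
    for u in users:
        for attr in ("uidNumber", "gidNumber"):
            val = u[attr]
            if val is None or not lo <= val <= hi:
                findings.append(f"{u['name']}: {attr}={val} not in {domain} range {lo}-{hi}; idmap_ad will not map it")
    if re.search(r"^\s*auth methods\s*=", conf, re.M):
        findings.append("'auth methods' is set; man smb.conf calls it a developer option")
    return findings


print("\n".join(audit(SMB_CONF, AD_USERS, "TRUEVINE")))
```

On a real member server the user records would come from `ldbsearch` or `wbinfo` output rather than the embedded sample.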
