[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Fri Aug 8 10:23:29 MDT 2014


Alright, I went in and spent an hour verifying that every domain user 
has a unique gidNumber and uidNumber, and that every group has a unique 
gidNumber. Everybody does, and here are three users as proof.

root at dc01:~# ldbsearch --url=/var/lib/samba/private/sam.ldb sAMAccountName=daquanm
# record 1
dn: CN=<hidden for privacy>,OU=Standard Users,OU=TVM,DC=truevine,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: DaQuan Major
sn: Major
givenName: DaQuan
instanceType: 4
whenCreated: 20140714195118.0Z
displayName: DaQuan Major
uSNCreated: 4016
name: <hidden for privacy>
objectGUID: 3674d02b-cb02-4f60-a681-7c5c4331b3f6
codePage: 0
countryCode: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-1282933182-1339137838-203774845-1117
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: daquanm
sAMAccountType: 805306368
userPrincipalName: daquanm at truevine.lan
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=truevine,DC=lan
userAccountControl: 512
pwdLastSet: 130500115540000000
badPasswordTime: 130509892377138980
badPwdCount: 0
memberOf: CN=AudioVideo,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
memberOf: CN=Staff,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
uidNumber: 10004
gidNumber: 10019
whenChanged: 20140808160635.0Z
uSNChanged: 124816
distinguishedName: CN=<hidden for privacy>,OU=Standard Users,OU=TVM,DC=truevine,DC=lan

# Referral
ref: ldap://truevine.lan/CN=Configuration,DC=truevine,DC=lan

# Referral
ref: ldap://truevine.lan/DC=DomainDnsZones,DC=truevine,DC=lan

# Referral
ref: ldap://truevine.lan/DC=ForestDnsZones,DC=truevine,DC=lan

# returned 4 records
# 1 entries
# 3 referrals
root at dc01:~# ldbsearch --url=/var/lib/samba/private/sam.ldb sAMAccountName=reach_support
# record 1
dn: CN=Reach Support,OU=Standard Users,OU=TVM,DC=truevine,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Reach Support
sn: Support
givenName: Reach
instanceType: 4
whenCreated: 20140714194354.0Z
displayName: Reach Support
uSNCreated: 3978
name: Reach Support
objectGUID: ec33dabc-3cc0-4f45-82bf-2668f77330ac
codePage: 0
countryCode: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-1282933182-1339137838-203774845-1108
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: reach_support
sAMAccountType: 805306368
userPrincipalName: reach_support at truevine.lan
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=truevine,DC=lan
userAccountControl: 66048
lockoutTime: 0
pwdLastSet: 130510333270000000
badPasswordTime: 130517332316439030
badPwdCount: 0
memberOf: CN=VPN Users,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
memberOf: CN=Staff,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
memberOf: CN=AudioVideo,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
memberOf: CN=FBC,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
uidNumber: 10002
gidNumber: 10017
whenChanged: 20140808160527.0Z
uSNChanged: 124814
distinguishedName: CN=Reach Support,OU=Standard Users,OU=TVM,DC=truevine,DC=lan

# Referral
ref: ldap://truevine.lan/CN=Configuration,DC=truevine,DC=lan

# Referral
ref: ldap://truevine.lan/DC=DomainDnsZones,DC=truevine,DC=lan

# Referral
ref: ldap://truevine.lan/DC=ForestDnsZones,DC=truevine,DC=lan

# returned 4 records
# 1 entries
# 3 referrals
root at dc01:~# ldbsearch --url=/var/lib/samba/private/sam.ldb sAMAccountName=yolandab
# record 1
dn: CN=<hidden for privacy>,OU=Standard Users,OU=TVM,DC=truevine,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Yolanda Bennett
sn: Bennett
givenName: Yolanda
instanceType: 4
whenCreated: 20140714194958.0Z
displayName: <hidden for privacy>
uSNCreated: 4004
name: Yolanda Bennett
objectGUID: b65b3c8c-5b90-4ff2-b6c1-9570caea0437
codePage: 0
countryCode: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-1282933182-1339137838-203774845-1115
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: yolandab
sAMAccountType: 805306368
userPrincipalName: yolandab at truevine.lan
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=truevine,DC=lan
userAccountControl: 512
pwdLastSet: 130499222690000000
badPasswordTime: 130499223708567390
badPwdCount: 0
memberOf: CN=Staff,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
memberOf: CN=NewMembers,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
memberOf: CN=AudioVideo,OU=Standard Groups,OU=TVM,DC=truevine,DC=lan
uidNumber: 10013
gidNumber: 10028
whenChanged: 20140808161008.0Z
uSNChanged: 124838
distinguishedName: CN=<hidden for privacy>,OU=Standard Users,OU=TVM,DC=truevine,DC=lan

# Referral
ref: ldap://truevine.lan/CN=Configuration,DC=truevine,DC=lan

# Referral
ref: ldap://truevine.lan/DC=DomainDnsZones,DC=truevine,DC=lan

# Referral
ref: ldap://truevine.lan/DC=ForestDnsZones,DC=truevine,DC=lan

# returned 4 records
# 1 entries
# 3 referrals

My configuration file has not changed since I last posted it. As you can 
see, smb.conf is configured for 10001-40000 and all of my 
uidNumber/gidNumber attributes are well within that range. Still, it is 
assigning 70001 and above, no matter what I do. You claim that I am 
making this difficult, but I do not know what minor thing I am missing. 
You had me set up reverse DNS zones, do the Kerberos keytab thing, and 
all kinds of things I never knew about, but as you can clearly see, 
despite your best efforts and mine, and despite the IDs being in the 
correct range, it does not work. If it is so simple, what am I 
overlooking? I am not trying to be rude, but I was told I am making this 
difficult. I do not know how.

On 08/08/2014 10:21 AM, Rowland Penny wrote:
> On 08/08/14 14:45, Ryan Ashley wrote:
>> Alright, I believe I figured something out, but may be mistaken. 
>> Again, I don't see anything in plain English explaining, so this is 
>> my guess. Please let me know if I am right.
>>
>> [global]
>>   netbios name = FS01
>>   workgroup = TRUEVINE
>>   security = ADS
>>   realm = TRUEVINE.LAN
>>   encrypt passwords = yes
>>   dedicated keytab file = /etc/krb5.keytab
>>   kerberos method = secrets and keytab
>>
>>   idmap config *:backend = tdb
>>   idmap config *:range = 70001-80000
>>   idmap config TRUEVINE:backend = ad
>>   idmap config TRUEVINE:schema_mode = rfc2307
>>   idmap config TRUEVINE:range = 10001-40000
>>
>>   winbind nss info = rfc2307
>>   winbind trusted domains only = no
>>   winbind use default domain = yes
>>   winbind enum users = yes
>>   winbind enum groups = yes
>>
>>   vfs objects = acl_xattr
>>   map acl inherit = yes
>>   store dos attributes = yes
>>   auth methods = winbind
>>
>> The line "idmap config *:range = 70001-80000" assigns a unique ID to 
>> anybody who is not in the Truevine domain or who does not have a 
>> uidNumber/gidNumber attribute set. Is this correct? This is where all 
>> of my users and groups are getting IDs from.
>>
>> Now, the line "idmap config TRUEVINE:range = 10001-40000" is the 
>> range of uidNumber/gidNumber attributes to search. This is the range 
>> set aside for domain users and groups, so I assume if I set this to 
>> something over 100k, it would never find anything. However, it is not 
>> finding the uidNumber/gidNumber attributes in this range (which is 
>> everybody) for some reason, and the users wind up with 70001 and 
>> above for their IDs. So what am I doing wrong?
>>
>>
> I know I said that I wouldn't post on this thread again, but you are 
> doing my head in, you have taken a simple task and turned it into a 
> farce!!!
>
> I advised you at least once to remove this line:
>
> auth methods = winbind
>
> Here is why (taken from 'man smb.conf')
>
>       auth methods (G)
>
>            This option allows the administrator to choose what authentication
>            methods smbd will use when authenticating a user. This option
>            defaults to sensible values based on security. This should be
>            considered a developer option and used only in rare circumstances.
>            In the majority (if not all) of production servers, the default
>            setting should be adequate.
>
>            Default: auth methods =
>
> This is also from 'man smb.conf' (abridged):
>
>        idmap config:OPTION (G)
>
>            ID mapping in Samba is the mapping between Windows SIDs and Unix
>            user and group IDs. This is performed by Winbindd with a
>            configurable plugin interface. Samba's ID mapping is configured by
>            options starting with the idmap config prefix. An idmap option
>            consists of the idmap config prefix, followed by a domain name or
>            the asterisk character (*), a colon, and the name of an idmap
>            setting for the chosen domain.
>
>            The following example illustrates how to configure the idmap_ad(8)
>            backend for the CORP domain and the idmap_tdb(8) backend for all
>            other domains. This configuration assumes that the admin of CORP
>            assigns unix ids below 1000000 via the SFU extensions, and winbind
>            is supposed to use the next million entries for its own mappings
>            from trusted domains and for local groups for example.
>
>                     idmap config * : backend = tdb
>                     idmap config * : range = 1000000-1999999
>
>                     idmap config CORP : backend  = ad
>                     idmap config CORP : range = 1000-999999
>
> YOURS:
>
>                      idmap config *:backend = tdb
>                      idmap config *:range = 70001-80000
>                      idmap config TRUEVINE:backend = ad
>                      idmap config TRUEVINE:schema_mode = rfc2307
>                      idmap config TRUEVINE:range = 10001-40000
>
> What the above means is that trusted domains and local groups will get 
> mapped to numbers between 70001 and 80000, local groups etc being the 
> windows builtin ones not UNIX ones.
>
> Your AD users will ONLY get pulled from AD if the 
> uidNumbers/gidNumbers are between 10001 and 40000, ARE THEY ????
>
> Have you actually got any normal users with uidNumbers & gidNumbers? 
> The last time I heard, you were trying to use the renamed 
> Administrator account as a normal account.
>
> I would suggest that you go and take a running jump into Glenville 
> Lake to cool off, then come back and re-read your posts again, you 
> might then realise just what a Prat you are coming over as.
>
> This is definitely my last post on this thread
>
> Rowland
>
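The exchange above turns on one check: does every account's uidNumber/gidNumber sit inside the range that `idmap config DOMAIN:range` tells winbind to accept from AD? The following script is an added example, not code from the thread or from the Samba project. It parses the `idmap config` lines out of an smb.conf fragment and the records out of `ldbsearch` output (LDIF continuation lines folded, referral records skipped), then reports every account whose RFC2307 attributes are absent or fall outside the domain range. The smb.conf fragment mirrors the thread's values; the LDIF records are constructed (the first two reuse the uidNumber/gidNumber values posted above, the last two are invented failing cases), and the parser assumes plain `attr: value` lines, not base64 `attr:: value` ones.

```python
"""Check AD accounts' uidNumber/gidNumber against the idmap range for their
domain. Added example; the smb.conf and LDIF text below are constructed."""
import re

SMB_CONF = """
[global]
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config TRUEVINE:backend = ad
  idmap config TRUEVINE:schema_mode = rfc2307
  idmap config TRUEVINE:range = 10001-40000
"""

# Constructed ldbsearch-style output. Records 3 and 4 are invented so that
# both failure modes (out-of-range value, missing attribute) show up.
LDIF = """
# record 1
dn: CN=Reach Support,OU=Standard Users,OU=TVM,DC=truevine,DC=lan
sAMAccountName: reach_support
uidNumber: 10002
gidNumber: 10017

# record 2
dn: CN=DaQuan Major,OU=Standard Users,OU=TVM,DC=truevine,DC=lan
sAMAccountName: daquanm
uidNumber: 10004
gidNumber: 10019

# record 3 (constructed: uidNumber outside the TRUEVINE range)
dn: CN=Outside Range,OU=Standard Users,OU=TVM,DC=truevine,DC=lan
sAMAccountName: outside
uidNumber: 50001
gidNumber: 10019

# record 4 (constructed: no RFC2307 attributes at all)
dn: CN=No Attributes,OU=Standard Users,OU=TVM,DC=truevine,DC=lan
sAMAccountName: noattrs

# Referral
ref: ldap://truevine.lan/CN=Configuration,DC=truevine,DC=lan
"""

# Accepts both "idmap config *:range = ..." and "idmap config * : range = ..."
IDMAP_RE = re.compile(r'^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$', re.I)


def parse_idmap(conf):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom.upper(), {})[opt.lower()] = val
    return cfg


def parse_range(text):
    """'10001-40000' -> (10001, 40000)."""
    lo, hi = (int(x) for x in text.split('-'))
    return lo, hi


def parse_ldif(text):
    """Split ldbsearch output into records ({attr: [values]}).

    Folds LDIF continuation lines (leading space), drops '#' comments and
    keeps only records that carry a dn, which discards the referrals."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(' ') and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, cur = [], {}
    for line in unfolded:
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        if line.startswith('#'):
            continue
        attr, _, val = line.partition(': ')
        cur.setdefault(attr, []).append(val)
    if cur:
        records.append(cur)
    return [r for r in records if 'dn' in r]


def check_ids(conf, ldif, domain):
    """Return (account, attribute, value, reason) for every attribute that the
    idmap_ad backend for `domain` could not use. idmap_ad never allocates IDs,
    so a missing or out-of-range value means no mapping through that backend."""
    cfg = parse_idmap(conf)
    lo, hi = parse_range(cfg[domain.upper()]['range'])
    findings = []
    for rec in parse_ldif(ldif):
        name = rec.get('sAMAccountName', ['?'])[0]
        for attr in ('uidNumber', 'gidNumber'):
            vals = rec.get(attr)
            if vals is None:
                findings.append((name, attr, None, 'attribute missing'))
                continue
            v = int(vals[0])
            if not lo <= v <= hi:
                findings.append((name, attr, v, 'outside %s range %d-%d' % (domain, lo, hi)))
    return findings


if __name__ == '__main__':
    for name, attr, value, reason in check_ids(SMB_CONF, LDIF, 'TRUEVINE'):
        print('%-14s %-10s %-6s %s' % (name, attr, value, reason))
```

Run against real data by replacing `LDIF` with the output of `ldbsearch --url=/var/lib/samba/private/sam.ldb '(objectClass=user)' sAMAccountName uidNumber gidNumber` and `SMB_CONF` with the member server's smb.conf. The script only checks the data side; if every account passes and winbind still hands out IDs from the `*` range, the member server is not attributing those SIDs to the configured domain at all, which is a join or winbind question rather than an attribute one.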


