[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Fri Aug 8 11:12:22 MDT 2014


On 08/08/14 17:49, Ryan Ashley wrote:
> Thanks, Rowland. I do not have some of the things you have on your 
> laptop. Our server configs are almost identical, and I use BIND9 also. 
> I am going to assume then, based on that, that my issue lies in my 
> client configuration. I can run getent on the server and get the 
> correct results. Just not on the two member servers, more proof that 
> it is indeed an issue on them.
>
> If I may ask, you have a LOT of entries not shown in any of the 
> guides, including the ones you already had me add, such as the keytab. 
> Several of your entries catch my eye.
>
OK, if on the client, you run 'man smb.conf' you will get displayed what 
is called the 'manpage' for what you can put into smb.conf and what they do.


> winbind expand groups = 4

            This option controls the maximum depth that winbindd will 
traverse
            when flattening nested group memberships of Windows domain 
groups.

>
> winbind normalize names = yes

            This parameter controls whether winbindd will replace 
whitespace in
            user and group names with an underscore (_) character.

> printcap name = cups

            This parameter may be used to override the compiled-in default
            printcap name used by the server (usually /etc/printcap).

> cups options = raw

            This parameter is only applicable if printing is set to 
cups. Its
            value is a free form string of options passed directly to 
the cups
            library.

> usershare allow guests = yes

Controls if usershares can permit guest access.

> os level = 20

            This integer value controls what level Samba advertises 
itself as
            for browse elections. The value of this parameter determines
            whether nmbd(8) has a chance of becoming a local master 
browser for
            the workgroup in the local broadcast area.

> map to guest = bad user

            This parameter can take four different values, which tell 
smbd(8)
            what to do with user login requests that don't match a valid 
UNIX
            user in some way.

            ·   Bad User - Means user logins with an invalid password are
                rejected, unless the username does not exist, in which 
case it
                is treated as a guest login and mapped into the guest 
account.

> username map = /etc/samba/smbmap

            This option allows you to specify a file containing a mapping of
            usernames from the clients to the server.

This is my smbmap file

!root = EXAMPLE\Administrator Administrator administrator

As I said there is more info available in the smb.conf manpage.

>
> I have never seen these before. The last entry on my list may be the 
> key if it does what I think it does. Before I add these lines I need 
> to ask if there is a cache of ID's to names somewhere. See, I find it 
> VERY odd that as often as I have removed the system from the domain, 
> wiped out everything in "/var/lib/samba", and rejoined the domain, it 
> keeps mapping the EXACT same ID numbers on each box to the same 
> usernames. My belief is that there is a cache I am not deleting 
> somewhere. Would you mind telling me if there is a file somewhere I 
> should delete to remove the old mappings?

If you are deleting /var/lib/samba then you are deleting the cache, 
provided of course you are doing this on the client. The fact that you 
are getting the right uidNumber's on the server shows that this seems to 
be set up correctly, the problem does seem to be with the client. Do you 
have all these packages installed on the client:

samba libnss-winbind winbind libpam-winbind krb5-config libpam-krb5 
krb5-user

After that, I can only think that we are going to have to walk through 
the setup file by file.

Rowland

>
> On 08/08/2014 12:30 PM, Rowland Penny wrote:
>> On 08/08/14 15:50, Ryan Ashley wrote:
>>> Actually, I am quite cool. I am confused with the mountain of 
>>> information I have been handed. I am very appreciative (as I said 
>>> before) of the help you and Steve have offered. I do not believe you 
>>> understand me however. I am a VERY logical person. Telling me 
>>> something without an understanding of why, I am hesitant to just 
>>> accept it. Try it? Sure! But I need to understand why it works or 
>>> does not work. I am honestly not angry and am not trying to get 
>>> under your skin. I am simply trying to solve a problem that must be 
>>> over my head.
>>>
>>> As to your question, I answered it in my last post. All of my users 
>>> have uidNumber and gidNumber set, and they are ALL in the 
>>> 10001-40000 range. I stated this in the last post. The one you 
>>> replied to. This is why I am confused. I DID go read a lot of 
>>> information over the past 24hr period and I have all of my uidNumber 
>>> and gidNumber attributes between 10001 and 40000. In fact, I max 
>>> these somewhere between 10040 and 10050, though I do not remember 
>>> EXACTLY what it is. I can look if needed.
>>>
>>> Also, I was not using the domain admin as a normal account. We 
>>> simply rename the account as a security measure. We did not do 
>>> anything else to it. I do not even login on the boxes with it unless 
>>> it is absolutely needed. I simply used it because I was not told not 
>>> to get the information requested from the domain admin account. Had 
>>> I been told to use a regular account and not the domain admin, I 
>>> would have happily done so.
>>>
>>> So let me recap. You see my config. Every user and group is assigned 
>>> a unique ID between 10001 and 40000. They are still being assigned 
>>> 70001 and above. Winbind and all of the S4 utilities appear to be 
>>> working. SIDs are resolved and can be resolved back to names. My 
>>> only issue is likely a configuration problem, but based on what you 
>>> two have told me AND what I have read, my configuration APPEARS to 
>>> be correct. So from my perspective, I have a correct configuration 
>>> based on what I have been told, but it is not working. I am sorry if 
>>> this comes across and being a nuisance, but I am genuinely NOT 
>>> trying to offend anybody, I just want it working. I am sorry for 
>>> whatever was said to offend you because I have VERY MUCH appreciated 
>>> your time which you are not being paid for. Just remember that you 
>>> are the Samba professional, I am still learning the new S4 stuff.
>>>
>>> uidNumber/gidNumber in AD: 10001-40000 (matches config)
>>>
>>> On 08/08/2014 10:21 AM, Rowland Penny wrote:
>>>> On 08/08/14 14:45, Ryan Ashley wrote:
>>>>> Alright, I believe I figured something out, but may be mistaken. 
>>>>> Again, I don't see anything in plain English explaining, so this 
>>>>> is my guess. Please let me know if I am right.
>>>>>
>>>>> [global]
>>>>>   netbios name = FS01
>>>>>   workgroup = TRUEVINE
>>>>>   security = ADS
>>>>>   realm = TRUEVINE.LAN
>>>>>   encrypt passwords = yes
>>>>>   dedicated keytab file = /etc/krb5.keytab
>>>>>   kerberos method = secrets and keytab
>>>>>
>>>>>   idmap config *:backend = tdb
>>>>>   idmap config *:range = 70001-80000
>>>>>   idmap config TRUEVINE:backend = ad
>>>>>   idmap config TRUEVINE:schema_mode = rfc2307
>>>>>   idmap config TRUEVINE:range = 10001-40000
>>>>>
>>>>>   winbind nss info = rfc2307
>>>>>   winbind trusted domains only = no
>>>>>   winbind use default domain = yes
>>>>>   winbind enum users = yes
>>>>>   winbind enum groups = yes
>>>>>
>>>>>   vfs objects = acl_xattr
>>>>>   map acl inherit = yes
>>>>>   store dos attributes = yes
>>>>>   auth methods = winbind
>>>>>
>>>>> The line "idmap config *:range = 70001-80000" assigns a unique ID 
>>>>> to anybody who is not in the Truevine domain or who does not have 
>>>>> a uidNumber/gidNumber attribute set. Is this correct? This is 
>>>>> where all of my users and groups are getting ID's from.
>>>>>
>>>>> Now, the line "idmap config TRUEVINE:range = 10001-40000" is the 
>>>>> range of uidNumber/gidNumber attributes to search. This is the 
>>>>> range set aside for domain users and groups, so I assume if I set 
>>>>> this to something over 100k, it would never find anything. 
>>>>> However, it is not finding the uidNumber/gidNumber attributes in 
>>>>> this range (which is everybody) for some reason, and the users 
>>>>> wind up with 70001 and above for their ID's. So what am I doing 
>>>>> wrong?
>>>>>
>>>>> On 08/08/2014 09:14 AM, Ryan Ashley wrote:
>>>>>> I am still stuck here. Both member servers are ignoring the 
>>>>>> gidNumber and uidNumber attributes and are assigning their own 
>>>>>> numbers and I cannot figure out why. Leaving the domain, 
>>>>>> uninstalling S4, building the latest, and reinstalling does not 
>>>>>> fix the issue.
>>>>>>
>>>>>> On 08/07/2014 02:28 PM, Ryan Ashley wrote:
>>>>>>> Alright, I also checked and I was right, I set "uidNumber" and 
>>>>>>> "gidNumber". Pictures are attached. So with these set, why are 
>>>>>>> they not pulling across to my member servers?
>>>>>>>
>>>>>>> I do have screenshots showing the correct attributes set in 
>>>>>>> ADUC, but they're note pulling across to my member servers.
>>>>>>>
>>>>>>> On 08/07/2014 11:22 AM, Ryan Ashley wrote:
>>>>>>>> I figured it out, but it won't let me import it.
>>>>>>>>
>>>>>>>> root at dc01:~# ldbmodify -H /var/lib/samba/private/sam.ldb 
>>>>>>>> /root/ypServ30.ldif --option="dsdb:schema update allowed"=true
>>>>>>>> ERR: (Entry already exists) "Entry 
>>>>>>>> CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan already 
>>>>>>>> exists" on DN 
>>>>>>>> CN=ypServ30,CN=RpcServices,CN=System,dc=truevine,dc=lan at 
>>>>>>>> block before line 5
>>>>>>>> Modify failed after processing 0 records
>>>>>>>> root at dc01:~#
>>>>>>>>
>>>>>>>> So this means it is already there, right? If so, what must I do 
>>>>>>>> here? I am going to check, but I do not remember seeing an 
>>>>>>>> attribute called "gidNumber", only "gid".
>>>>>>>>
>>>>>>>> On 08/07/2014 10:24 AM, Ryan Ashley wrote:
>>>>>>>>> Alright, new problem. That ypServ30.ldif file is asking for 
>>>>>>>>> all kinds of information I do not know or know how to get. I 
>>>>>>>>> am ASSUMING the "domain dn" it is asking for is 
>>>>>>>>> "dc=truevine,dc=lan". However, it also needs to know a 
>>>>>>>>> NISDOMAIN variable and that I do not have a clue about. Is 
>>>>>>>>> there a guide dedicated just to editing this file? I don't 
>>>>>>>>> have a NIS domain to my knowledge. I just want to import the 
>>>>>>>>> file so I can set my attributes. This is kind of complicated 
>>>>>>>>> just to add a few (four?) attributes to my schema.
>>>>>>>>>
>>>>>>>>> So, what do I set all these things in the LDIF file to? Is 
>>>>>>>>> there a way I can look them up?
>>>>>>>>>
>>>>>>>>> On 08/07/2014 09:42 AM, Ryan Ashley wrote:
>>>>>>>>>> Thanks, Rowland. I just got in this morning and think it 
>>>>>>>>>> finally all fell into place. You mentioned an LDIF file in a 
>>>>>>>>>> prior email. I assume that if I import that LDIF file, it 
>>>>>>>>>> creates the attributes I need. After that, I should be able 
>>>>>>>>>> to set them as you stated. Is this correct?
>>>>>>>>>>
>>>>>>>>>> My current plan is to re-read your emails and find the file 
>>>>>>>>>> you mentioned. If it does indeed add those attributes, I will 
>>>>>>>>>> import it and try setting them as you stated. If it works, I 
>>>>>>>>>> will report success and summarize what this entire thread was 
>>>>>>>>>> about for others to learn from without reading it all.
>>>>>>>>>>
>>>>>>>>>> On 08/07/2014 05:16 AM, Rowland Penny wrote:
>>>>>>>>>>> On 06/08/14 22:24, Ryan Ashley wrote:
>>>>>>>>>>>> I have tried your suggestions, and some I had found prior 
>>>>>>>>>>>> to falling back on the mailing list so I already knew some 
>>>>>>>>>>>> would not work. I was not asked for a response after being 
>>>>>>>>>>>> pointed to the material so I did not provide one.
>>>>>>>>>>>>
>>>>>>>>>>>> Yes, I am very busy as I work as the lead IT and IS 
>>>>>>>>>>>> specialist in a small business. I cannot devote weeks to a 
>>>>>>>>>>>> single problem as I handle dozens a day, many resolved 
>>>>>>>>>>>> within 24hrs. This issue has been on-going due to the fact 
>>>>>>>>>>>> that I have already tried a ton of what is out there, and 
>>>>>>>>>>>> as for your "Google search", dozens of those are the same 
>>>>>>>>>>>> posts regurgitated on numerous sites. I went through an 
>>>>>>>>>>>> entire page a week or so back and every single link on the 
>>>>>>>>>>>> page was to the exact same post, on numerous sits that have 
>>>>>>>>>>>> board-readers that simply read the samba lists among others 
>>>>>>>>>>>> and duplicate the posts. Useless! I'd say out of 1.9mil 
>>>>>>>>>>>> results, about 500k are unique. I am getting to where I 
>>>>>>>>>>>> dislike Google for this reason, but that is another 
>>>>>>>>>>>> discussion.
>>>>>>>>>>>>
>>>>>>>>>>>> I am also happy to hear that you can afford to blow 
>>>>>>>>>>>> thousands on a simple DVD. Low-income businesses, churches, 
>>>>>>>>>>>> and what-not cannot. Yes, we know of open-licensing and 
>>>>>>>>>>>> manage it for several clients, but many people are not 
>>>>>>>>>>>> willing to spend anything right now if there is a viable 
>>>>>>>>>>>> alternative. Seeing that S4 has worked flawlessly for two 
>>>>>>>>>>>> years at a few locations, this fit the client's needs and 
>>>>>>>>>>>> we installed it. Something is just different this time. I 
>>>>>>>>>>>> am learning a lot and intend to apply things like the group 
>>>>>>>>>>>> and user ID's to other domains once we have it working here 
>>>>>>>>>>>> to avoid future problems.
>>>>>>>>>>>>
>>>>>>>>>>>> Also, Windows has MUCH higher resource requirements than 
>>>>>>>>>>>> Linux. On top of that $3k, how much would we have to pay to 
>>>>>>>>>>>> bring up the hardware? Too expensive for such little gain.
>>>>>>>>>>>>
>>>>>>>>>>>> Finally, if you have taken some personal offense to 
>>>>>>>>>>>> something, speak up. You offered assistance, I took what I 
>>>>>>>>>>>> had not already tried and tried it. You did not ask for 
>>>>>>>>>>>> results, so I assumed the fact that I was still asking for 
>>>>>>>>>>>> help would have been a clue that the suggestion was no 
>>>>>>>>>>>> good. Every time anybody asked for anything, including 
>>>>>>>>>>>> configuration files, I posted them, so there's no need to 
>>>>>>>>>>>> be bitter. Simply point out that I may have missed 
>>>>>>>>>>>> something and I'll try it or let you know I already did.
>>>>>>>>>>>>
>>>>>>>>>>>> On 8/6/2014 3:57 PM, steve wrote:
>>>>>>>>>>>>> On Wed, 2014-08-06 at 13:50 -0400, Ryan Ashley wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> What information have I not answered fully?
>>>>>>>>>>>>> Most of the suggestions and tips we have given. As an 
>>>>>>>>>>>>> example, you said
>>>>>>>>>>>>> that you wanted to add IDs to your users. You were sent a 
>>>>>>>>>>>>> link to help
>>>>>>>>>>>>> you look up what you said you, 'had no idea how'. You 
>>>>>>>>>>>>> ignored that, so
>>>>>>>>>>>>> we sent you concrete examples to try. Still nothing.
>>>>>>>>>>>>>
>>>>>>>>>>>>> You are a, 'VERY BUSY person', are you? Well, I can only 
>>>>>>>>>>>>> urge everyone
>>>>>>>>>>>>> here to jump on your case. I repeat. With a 2012 R2 
>>>>>>>>>>>>> licence and 90 days
>>>>>>>>>>>>> reduced rate licence, you would have been up days ago for 
>>>>>>>>>>>>> this side of
>>>>>>>>>>>>> $3000
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers, and EOT from us,
>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> Active Directory works differently from Linux, it uses SID's 
>>>>>>>>>>> and RID's, Linux uses UID's and GID's. To use AD users as 
>>>>>>>>>>> Linux users you somehow have to convert the SID's and RID's 
>>>>>>>>>>> to UID's and GID's. There are several ways to do this by 
>>>>>>>>>>> using programs like winbind, nslcd or sssd, but they all 
>>>>>>>>>>> boil down to the same two ways, you either create a UID/GID 
>>>>>>>>>>> from the RID or you give the user/group a uidNumber/gidNumber.
>>>>>>>>>>>
>>>>>>>>>>> That is:
>>>>>>>>>>> A user is given a uidNumber and gidNumber
>>>>>>>>>>> A group is given a gidNumber
>>>>>>>>>>>
>>>>>>>>>>> uidNumber and gidNumber are the attribute names, not uid or 
>>>>>>>>>>> gid or anything else.
>>>>>>>>>>>
>>>>>>>>>>> The only way (at the moment) to ensure that your 
>>>>>>>>>>> users/groups get the same ID everywhere in the domain is to 
>>>>>>>>>>> use RFC2307 attributes.
>>>>>>>>>>>
>>>>>>>>>>> see here for info on RFC2307:
>>>>>>>>>>>
>>>>>>>>>>> https://www.ietf.org/rfc/rfc2307.txt
>>>>>>>>>>>
>>>>>>>>>>> How you add these RFC2307 attributes is up to you, the 
>>>>>>>>>>> easiest way is to use ADUC, but you say that you do not have 
>>>>>>>>>>> the UNIX-Attributes tab on your users and groups, I also had 
>>>>>>>>>>> this problem and solved it by searching the internet. I 
>>>>>>>>>>> posted a link to one of the pages I used, so I do not 
>>>>>>>>>>> propose to go over old ground yet again.
>>>>>>>>>>>
>>>>>>>>>>> If you cannot get the ADUC tab to work for you, then you can 
>>>>>>>>>>> always use ldb-tools to add the attributes, either by using 
>>>>>>>>>>> ldbedit and directly modifying the user/group or by creating 
>>>>>>>>>>> an ldif and using ldbmodify to add this. A typical ldif for 
>>>>>>>>>>> a user called John Doe created on a windows machine would be:
>>>>>>>>>>>
>>>>>>>>>>> dn: CN=John Doe,CN=Users,DC=example,DC=com
>>>>>>>>>>> changetype: modify
>>>>>>>>>>> add: uid
>>>>>>>>>>> uid: john
>>>>>>>>>>> -
>>>>>>>>>>> add: msSFU30Name
>>>>>>>>>>> msSFU30Name: john
>>>>>>>>>>> -
>>>>>>>>>>> add: msSFU30NisDomain
>>>>>>>>>>> msSFU30NisDomain: example
>>>>>>>>>>> -
>>>>>>>>>>> add: uidNumber
>>>>>>>>>>> uidNumber: 10000
>>>>>>>>>>> -
>>>>>>>>>>> add: gidNumber
>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>> -
>>>>>>>>>>> add: loginShell
>>>>>>>>>>> loginShell: /bin/bash
>>>>>>>>>>> -
>>>>>>>>>>> add: unixHomeDirectory
>>>>>>>>>>> unixHomeDirectory: /home/john
>>>>>>>>>>> -
>>>>>>>>>>> add: unixUserPassword
>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>
>>>>>>>>>>> The above ldif is exactly the way that ADUC does it 
>>>>>>>>>>> (ABCD!efgh12345$67890 is the unixUserPassword that ADUC 
>>>>>>>>>>> gives every unix user), but you only really need the 
>>>>>>>>>>> uidNumber & gidNumber. the uidNumber needs to be a unique 
>>>>>>>>>>> number and the gidNumber will be the users primary Unix 
>>>>>>>>>>> group (usually Domain Users) so that number needs to be what 
>>>>>>>>>>> ever you gave to your main Unix group i.e. Domain Users 
>>>>>>>>>>> needs to have the gidNumber '10000'
>>>>>>>>>>>
>>>>>>>>>>> You would add the above ldif like this:
>>>>>>>>>>>
>>>>>>>>>>> root at dc1:~# kinit
>>>>>>>>>>> Password for administrator at EXAMPLE.COM:
>>>>>>>>>>> root at dc1:~# ldbmodify --url=ldap://dc1.example.com 
>>>>>>>>>>> --kerberos=yes --krb5-ccache=/tmp/krb5cc_0" /path_to/ldif
>>>>>>>>>>>
>>>>>>>>>>> Replacing 'dc1.example.com' with your S4 AD DC FQDN and 
>>>>>>>>>>> '/path_to/ldif' with the full path and name of your ldif, 
>>>>>>>>>>> and of course you need to run all of this on the S4 AD DC.
>>>>>>>>>>>
>>>>>>>>>>> the uidNumber and gidNumber ranges can be identical, in fact 
>>>>>>>>>>> this is the way that ADUC works, but whatever range you do 
>>>>>>>>>>> use, must be reflected in smb.conf
>>>>>>>>>>> i.e. 'idmap config EXAMPLE : range = 10000-999999'.
>>>>>>>>>>>
>>>>>>>>>>> Just why you renamed the Administrator account, before you 
>>>>>>>>>>> got everything working, escapes me, in fact most people 
>>>>>>>>>>> probably never bother, so I would suggest that you rename 
>>>>>>>>>>> the account back again, at least until you get everything 
>>>>>>>>>>> working correctly.
>>>>>>>>>>>
>>>>>>>>>>> Do not give the Administrator account a uidNumber or 
>>>>>>>>>>> gidNumber, create a new user and give this new user the 
>>>>>>>>>>> required RFC2307 attributes.
>>>>>>>>>>>
>>>>>>>>>>> Once you have added the gidNumber to Domain Users and added 
>>>>>>>>>>> the ldif to John Doe, running (on a client joined to the 
>>>>>>>>>>> domain) 'getent passwd' should show a line for John Doe and 
>>>>>>>>>>> 'getent group Domain\ Users' should show the info for Domain 
>>>>>>>>>>> Users.
>>>>>>>>>>>
>>>>>>>>>>> This will be my last post on this thread.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>> I know I said that I wouldn't post on this thread again, but you 
>>>> are doing my head in, you have taken a simple task and turned it 
>>>> into a farce!!!
>>>>
>>>> I advised you at least once to remove this line:
>>>>
>>>> auth methods = winbind
>>>>
>>>> Here is why (taken from 'man smb.conf')
>>>>
>>>>       auth methods (G)
>>>>
>>>>            This option allows the administrator to chose what 
>>>> authentication
>>>>            methods smbd will use when authenticating a user. This 
>>>> option
>>>>            defaults to sensible values based on security. This 
>>>> should be
>>>>            considered a developer option and used only in rare 
>>>> circumstances.
>>>>            In the majority (if not all) of production servers, the 
>>>> default
>>>>            setting should be adequate.
>>>>
>>>>            Default: auth methods =
>>>>
>>>> This is also from 'man smb.conf' (abridged):
>>>>
>>>>        idmap config:OPTION (G)
>>>>
>>>>            ID mapping in Samba is the mapping between Windows SIDs 
>>>> and Unix
>>>>            user and group IDs. This is performed by Winbindd with a
>>>>            configurable plugin interface. Samba's ID mapping is 
>>>> configured by
>>>>            options starting with the idmap config prefix. An idmap 
>>>> option
>>>>            consists of the idmap config prefix, followed by a 
>>>> domain name or
>>>>            the asterisk character (*), a colon, and the name of an 
>>>> idmap
>>>>            setting for the chosen domain.
>>>>
>>>>            The following example illustrates how to configure the 
>>>> idmap_ad(8)
>>>>            backend for the CORP domain and the idmap_tdb(8) backend 
>>>> for all
>>>>            other domains. This configuration assumes that the admin 
>>>> of CORP
>>>>            assigns unix ids below 1000000 via the SFU extensions, 
>>>> and winbind
>>>>            is supposed to use the next million entries for its own 
>>>> mappings
>>>>            from trusted domains and for local groups for example.
>>>>
>>>>                     idmap config * : backend = tdb
>>>>                     idmap config * : range = 1000000-1999999
>>>>
>>>>                     idmap config CORP : backend  = ad
>>>>                     idmap config CORP : range = 1000-999999
>>>>
>>>> YOURS:
>>>>
>>>>                      idmap config *:backend = tdb
>>>>                       idmap config *:range = 70001-80000
>>>>                       idmap config TRUEVINE:backend = ad
>>>>                       idmap config TRUEVINE:schema_mode = rfc2307
>>>>                       idmap config TRUEVINE:range = 10001-40000
>>>>
>>>> What the above means is that trusted domains and local groups will 
>>>> get mapped to numbers between 70001 and 80000, local groups etc 
>>>> being the windows builtin ones not UNIX ones.
>>>>
>>>> Your AD users will ONLY get pulled from AD if the 
>>>> uidNumber's/gidNumber's are between 10001 and 40000, ARE THEY ????
>>>>
>>>> Have you actually got any normal users with uidNumber's & 
>>>> gidNumber's, the last time I heard, you were trying to use the 
>>>> renamed Administrator account as a normal account.
>>>>
>>>> I would suggest that you go and take a running jump into Glenville 
>>>> Lake to cool off, then come back and re-read your posts again, you 
>>>> might then realise just what a Prat you are coming over as.
>>>>
>>>> This is definitely my last post on this thread
>>>>
>>>> Rowland
>>>>
>>>
>> Hopefully this is definitely going to be my last post on this thread.
>>
>> My S4 AD DC runs on Debian Wheezy 7.5 with samba 4.1.7 from backports 
>> and was provisioned with rfc2307.
>>
>> My laptop runs Linux Mint 17 (aka Ubuntu 14.04) with samba 4.1.6
>>
>> This is smb.conf on the S4 server:
>>
>> [global]
>>         workgroup = EXAMPLE
>>         realm = example.com
>>         netbios name = DC1
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
>> drepl, winbind, ntp_signd, kcc, dnsupdate
>>         idmap_ldb:use rfc2307 = yes
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/example.com/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>>
>> NOTE: I use Bind9 instead of the internal DNS server.
>>
>> This is my AD entry:
>>
>> dn: CN=Rowland Penny,CN=Users,DC=example,DC=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: Rowland Penny
>> sn: Penny
>> givenName: Rowland
>> instanceType: 4
>> whenCreated: 20140604153749.0Z
>> displayName: Rowland Penny
>> uSNCreated: 3812
>> name: Rowland Penny
>> objectGUID: 79e251c6-70c0-4b8b-8fa7-e10eb1d603ae
>> badPwdCount: 0
>> codePage: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> primaryGroupID: 513
>> objectSid: S-1-5-21-2624802715-3731723941-638006480-1106
>> logonCount: 0
>> sAMAccountName: rowland
>> sAMAccountType: 805306368
>> userPrincipalName: rowland at example.com
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>> pwdLastSet: 130463698700000000
>> uid: rowland
>> msSFU30Name: rowland
>> msSFU30NisDomain: example
>> uidNumber: 10000
>> gidNumber: 10000
>> loginShell: /bin/bash
>> unixHomeDirectory: /home/rowland
>> unixUserPassword: ABCD!efgh123457890
>> userAccountControl: 66048
>> accountExpires: 0
>> co: United Kingdom
>> countryCode: 826
>> c: GB
>> l: Clitheroe
>> postalCode: BB7 1ND
>> st: Lancashire
>> profilePath: \\dc1\profiles\rowland
>> homeDirectory: \\dc1\rowland
>> homeDrive: G:
>> memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
>> memberOf: CN=administration,CN=Users,DC=example,DC=com
>> description: A Unix User
>> whenChanged: 20140707145726.0Z
>> uSNChanged: 8309
>> distinguishedName: CN=Rowland Penny,CN=Users,DC=example,DC=com
>>
>> This is smb.conf on the laptop
>>
>> [global]
>>         workgroup = EXAMPLE
>>         security = ADS
>>         realm = EXAMPLE.COM
>>         #client signing = yes
>>         dedicated keytab file = /etc/krb5.keytab
>>         kerberos method = secrets and keytab
>>         server string = Samba 4 Client %h
>>         winbind enum users = yes
>>         winbind enum groups = yes
>>         winbind use default domain = yes
>>         winbind expand groups = 4
>>         winbind nss info = rfc2307
>>         winbind refresh tickets = Yes
>>         winbind offline logon = yes
>>         winbind normalize names = Yes
>>         idmap config * : backend = tdb
>>         idmap config * : range = 2000-9999
>>         idmap config EXAMPLE : backend  = ad
>>         idmap config EXAMPLE : range = 10000-999999
>>         idmap config EXAMPLE : schema_mode = rfc2307
>>         printcap name = cups
>>         cups options = raw
>>         usershare allow guests = yes
>>         domain master = no
>>         local master = no
>>         preferred master = no
>>         os level = 20
>>         map to guest = bad user
>>         username map = /etc/samba/smbmap
>>         vfs objects = acl_xattr
>>         map acl inherit = Yes
>>         store dos attributes = Yes
>>
>> If, on the laptop, I run 'getent passwd rowland' I get this:
>>
>> rowland:*:10000:10000::/home/rowland:/bin/bash
>>
>> If I also run 'getent group Domain\ Users' I get this:
>>
>> domain_users:x:10000:
>>
>> I have also this afternoon set up a new linux computer, just as the 
>> laptop and it just works, so somewhere you are doing something very 
>> wrong, It is easy to set up a linux client, well easy for everybody 
>> else except you, it would seem.
>>
>> I repeat that you have something very wrong, you need to check your 
>> set up, both the S4 server and the client, compare everything with 
>> mine and try and see just where you are going wrong.
>>
>> Rowland
>>
>



More information about the samba mailing list