[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Sat Aug 9 11:58:46 MDT 2014
I have been working on this alone for a while since the thread is
so long and have tried a few things and discovered others. One REALLY
strange thing is that when I use getent to look up users, some users
show the 70001 and up IDs, and others do not show a thing. This is
normal users now, not my domain admin account. For example, "getent
passwd yolandab" returns nothing while "getent passwd cynthiaj" returns
two ID's above 70k. Even my normal user account, reach_support, returns
nothing. This one has me a tad lost, but the next thing I discovered may
be the solution.
If I attempt to install libnss-winbind or libpam-winbind from the
repos, it tries to install the Samba stuff from the repos. Aren't those
two built when you build S4? I am currently looking for them and have a
"find" command running on the system in a screen session. I imagine I
need to symlink those to /lib, right? Assuming they were built, I will
try this and if it doesn't work, I will let you know. If it does, I will
also tell you. I hope this has been my issue all along, but we should
know soon.
Finally, I delete both /var/lib/samba AND /var/cache/samba. I found
the latter afterwards. I also deleted /etc/krb5.keytab once I left the
domain and before joining again. Just being safe. I do know that the
keytab does not store ID's or anything, I am just trying to be thorough.
Thank you again for your help and I do know of the manpages, but I
normally get headaches reading them. I wish they had the info on a wiki
page so I could go right to the section I want to study.
On 8/8/2014 1:12 PM, Rowland Penny wrote:
> On 08/08/14 17:49, Ryan Ashley wrote:
>> Thanks, Rowland. I do not have some of the things you have on your
>> laptop. Our server configs are almost identical, and I use BIND9
>> also. I am going to assume then, based on that, that my issue lies in
>> my client configuration. I can run getent on the server and get the
>> correct results. Just not on the two member servers, more proof that
>> it is indeed an issue on them.
>>
>> If I may ask, you have a LOT of entries not shown in any of the
>> guides, including the ones you already had me add, such as the
>> keytab. Several of your entries catch my eye.
>>
> OK, if on the client, you run 'man smb.conf' you will get displayed
> what is called the 'manpage' for what you can put into smb.conf and
> what they do.
>
>
>> winbind expand groups = 4
>
> This option controls the maximum depth that winbindd will
> traverse
> when flattening nested group memberships of Windows domain
> groups.
>
>>
>> winbind normalize names = yes
>
> This parameter controls whether winbindd will replace
> whitespace in
> user and group names with an underscore (_) character.
>
>> printcap name = cups
>
> This parameter may be used to override the compiled-in default
> printcap name used by the server (usually /etc/printcap).
>
>> cups options = raw
>
> This parameter is only applicable if printing is set to
> cups. Its
> value is a free form string of options passed directly to
> the cups
> library.
>
>> usershare allow guests = yes
>
> Controls if usershares can permit guest access.
>
>> os level = 20
>
> This integer value controls what level Samba advertises
> itself as
> for browse elections. The value of this parameter determines
> whether nmbd(8) has a chance of becoming a local master
> browser for
> the workgroup in the local broadcast area.
>
>> map to guest = bad user
>
> This parameter can take four different values, which tell
> smbd(8)
> what to do with user login requests that don't match a
> valid UNIX
> user in some way.
>
> · Bad User - Means user logins with an invalid password are
> rejected, unless the username does not exist, in which
> case it
> is treated as a guest login and mapped into the guest
> account.
>
>> username map = /etc/samba/smbmap
>
> This option allows you to specify a file containing a
> mapping of
> usernames from the clients to the server.
>
> This is my smbmap file
>
> !root = EXAMPLE\Administrator Administrator administrator
>
> As I said there is more info available in the smb.conf manpage.
>
>>
>> I have never seen these before. The last entry on my list may be the
>> key if it does what I think it does. Before I add these lines I need
>> to ask if there is a cache of ID's to names somewhere. See, I find it
>> VERY odd that as often as I have removed the system from the domain,
>> wiped out everything in "/var/lib/samba", and rejoined the domain, it
>> keeps mapping the EXACT same ID numbers on each box to the same
>> usernames. My belief is that there is a cache I am not deleting
>> somewhere. Would you mind telling me if there is a file somewhere I
>> should delete to remove the old mappings?
>
> If you are deleting /var/lib/samba then you are deleting the cache,
> provided of course you are doing this on the client. The fact that you
> are getting the right uidNumber's on the server shows that this seems
> to be set up correctly, the problem does seem to be with the client.
> Do you have all these packages installed on the client:
>
> samba libnss-winbind winbind libpam-winbind krb5-config libpam-krb5
> krb5-user
>
> After that, I can only think that we are going to have to walk through
> the setup file by file.
>
> Rowland
>
>>
>> On 08/08/2014 12:30 PM, Rowland Penny wrote:
>>> On 08/08/14 15:50, Ryan Ashley wrote:
>>>> Actually, I am quite cool. I am confused with the mountain of
>>>> information I have been handed. I am very appreciative (as I said
>>>> before) of the help you and Steve have offered. I do not believe
>>>> you understand me however. I am a VERY logical person. Telling me
>>>> something without an understanding of why, I am hesitant to just
>>>> accept it. Try it? Sure! But I need to understand why it works or
>>>> does not work. I am honestly not angry and am not trying to get
>>>> under your skin. I am simply trying to solve a problem that must be
>>>> over my head.
>>>>
>>>> As to your question, I answered it in my last post. All of my users
>>>> have uidNumber and gidNumber set, and they are ALL in the
>>>> 10001-40000 range. I stated this in the last post. The one you
>>>> replied to. This is why I am confused. I DID go read a lot of
>>>> information over the past 24hr period and I have all of my
>>>> uidNumber and gidNumber attributes between 10001 and 40000. In
>>>> fact, I max these somewhere between 10040 and 10050, though I do
>>>> not remember EXACTLY what it is. I can look if needed.
>>>>
>>>> Also, I was not using the domain admin as a normal account. We
>>>> simply rename the account as a security measure. We did not do
>>>> anything else to it. I do not even login on the boxes with it
>>>> unless it is absolutely needed. I simply used it because I was not
>>>> told not to get the information requested from the domain admin
>>>> account. Had I been told to use a regular account and not the
>>>> domain admin, I would have happily done so.
>>>>
>>>> So let me recap. You see my config. Every user and group is
>>>> assigned a unique ID between 10001 and 40000. They are still being
>>>> assigned 70001 and above. Winbind and all of the S4 utilities
>>>> appear to be working. SIDs are resolved and can be resolved back to
>>>> names. My only issue is likely a configuration problem, but based
>>>> on what you two have told me AND what I have read, my configuration
>>>> APPEARS to be correct. So from my perspective, I have a correct
>>>> configuration based on what I have been told, but it is not
>>>> working. I am sorry if this comes across and being a nuisance, but
>>>> I am genuinely NOT trying to offend anybody, I just want it
>>>> working. I am sorry for whatever was said to offend you because I
>>>> have VERY MUCH appreciated your time which you are not being paid
>>>> for. Just remember that you are the Samba professional, I am still
>>>> learning the new S4 stuff.
>>>>
>>>> uidNumber/gidNumber in AD: 10001-40000 (matches config)
>>>>
>>>> On 08/08/2014 10:21 AM, Rowland Penny wrote:
>>>>> On 08/08/14 14:45, Ryan Ashley wrote:
>>>>>> Alright, I believe I figured something out, but may be mistaken.
>>>>>> Again, I don't see anything in plain English explaining, so this
>>>>>> is my guess. Please let me know if I am right.
>>>>>>
>>>>>> [global]
>>>>>> netbios name = FS01
>>>>>> workgroup = TRUEVINE
>>>>>> security = ADS
>>>>>> realm = TRUEVINE.LAN
>>>>>> encrypt passwords = yes
>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>> kerberos method = secrets and keytab
>>>>>>
>>>>>> idmap config *:backend = tdb
>>>>>> idmap config *:range = 70001-80000
>>>>>> idmap config TRUEVINE:backend = ad
>>>>>> idmap config TRUEVINE:schema_mode = rfc2307
>>>>>> idmap config TRUEVINE:range = 10001-40000
>>>>>>
>>>>>> winbind nss info = rfc2307
>>>>>> winbind trusted domains only = no
>>>>>> winbind use default domain = yes
>>>>>> winbind enum users = yes
>>>>>> winbind enum groups = yes
>>>>>>
>>>>>> vfs objects = acl_xattr
>>>>>> map acl inherit = yes
>>>>>> store dos attributes = yes
>>>>>> auth methods = winbind
>>>>>>
>>>>>> The line "idmap config *:range = 70001-80000" assigns a unique ID
>>>>>> to anybody who is not in the Truevine domain or who does not have
>>>>>> a uidNumber/gidNumber attribute set. Is this correct? This is
>>>>>> where all of my users and groups are getting ID's from.
>>>>>>
>>>>>> Now, the line "idmap config TRUEVINE:range = 10001-40000" is the
>>>>>> range of uidNumber/gidNumber attributes to search. This is the
>>>>>> range set aside for domain users and groups, so I assume if I set
>>>>>> this to something over 100k, it would never find anything.
>>>>>> However, it is not finding the uidNumber/gidNumber attributes in
>>>>>> this range (which is everybody) for some reason, and the users
>>>>>> wind up with 70001 and above for their ID's. So what am I doing
>>>>>> wrong?
>>>>>>
>>>>>> On 08/08/2014 09:14 AM, Ryan Ashley wrote:
>>>>>>> I am still stuck here. Both member servers are ignoring the
>>>>>>> gidNumber and uidNumber attributes and are assigning their own
>>>>>>> numbers and I cannot figure out why. Leaving the domain,
>>>>>>> uninstalling S4, building the latest, and reinstalling does not
>>>>>>> fix the issue.
>>>>>>>
>>>>>>> On 08/07/2014 02:28 PM, Ryan Ashley wrote:
>>>>>>>> Alright, I also checked and I was right, I set "uidNumber" and
>>>>>>>> "gidNumber". Pictures are attached. So with these set, why are
>>>>>>>> they not pulling across to my member servers?
>>>>>>>>
>>>>>>>> I do have screenshots showing the correct attributes set in
>>>>>>>> ADUC, but they're note pulling across to my member servers.
>>>>>>>>
>>>>>>>> On 08/07/2014 11:22 AM, Ryan Ashley wrote:
>>>>>>>>> I figured it out, but it won't let me import it.
>>>>>>>>>
>>>>>>>>> root at dc01:~# ldbmodify -H /var/lib/samba/private/sam.ldb
>>>>>>>>> /root/ypServ30.ldif --option="dsdb:schema update allowed"=true
>>>>>>>>> ERR: (Entry already exists) "Entry
>>>>>>>>> CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan
>>>>>>>>> already exists" on DN
>>>>>>>>> CN=ypServ30,CN=RpcServices,CN=System,dc=truevine,dc=lan at
>>>>>>>>> block before line 5
>>>>>>>>> Modify failed after processing 0 records
>>>>>>>>> root at dc01:~#
>>>>>>>>>
>>>>>>>>> So this means it is already there, right? If so, what must I
>>>>>>>>> do here? I am going to check, but I do not remember seeing an
>>>>>>>>> attribute called "gidNumber", only "gid".
>>>>>>>>>
>>>>>>>>> On 08/07/2014 10:24 AM, Ryan Ashley wrote:
>>>>>>>>>> Alright, new problem. That ypServ30.ldif file is asking for
>>>>>>>>>> all kinds of information I do not know or know how to get. I
>>>>>>>>>> am ASSUMING the "domain dn" it is asking for is
>>>>>>>>>> "dc=truevine,dc=lan". However, it also needs to know a
>>>>>>>>>> NISDOMAIN variable and that I do not have a clue about. Is
>>>>>>>>>> there a guide dedicated just to editing this file? I don't
>>>>>>>>>> have a NIS domain to my knowledge. I just want to import the
>>>>>>>>>> file so I can set my attributes. This is kind of complicated
>>>>>>>>>> just to add a few (four?) attributes to my schema.
>>>>>>>>>>
>>>>>>>>>> So, what do I set all these things in the LDIF file to? Is
>>>>>>>>>> there a way I can look them up?
>>>>>>>>>>
>>>>>>>>>> On 08/07/2014 09:42 AM, Ryan Ashley wrote:
>>>>>>>>>>> Thanks, Rowland. I just got in this morning and think it
>>>>>>>>>>> finally all fell into place. You mentioned an LDIF file in a
>>>>>>>>>>> prior email. I assume that if I import that LDIF file, it
>>>>>>>>>>> creates the attributes I need. After that, I should be able
>>>>>>>>>>> to set them as you stated. Is this correct?
>>>>>>>>>>>
>>>>>>>>>>> My current plan is to re-read your emails and find the file
>>>>>>>>>>> you mentioned. If it does indeed add those attributes, I
>>>>>>>>>>> will import it and try setting them as you stated. If it
>>>>>>>>>>> works, I will report success and summarize what this entire
>>>>>>>>>>> thread was about for others to learn from without reading it
>>>>>>>>>>> all.
>>>>>>>>>>>
>>>>>>>>>>> On 08/07/2014 05:16 AM, Rowland Penny wrote:
>>>>>>>>>>>> On 06/08/14 22:24, Ryan Ashley wrote:
>>>>>>>>>>>>> I have tried your suggestions, and some I had found prior
>>>>>>>>>>>>> to falling back on the mailing list so I already knew some
>>>>>>>>>>>>> would not work. I was not asked for a response after being
>>>>>>>>>>>>> pointed to the material so I did not provide one.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Yes, I am very busy as I work as the lead IT and IS
>>>>>>>>>>>>> specialist in a small business. I cannot devote weeks to a
>>>>>>>>>>>>> single problem as I handle dozens a day, many resolved
>>>>>>>>>>>>> within 24hrs. This issue has been on-going due to the fact
>>>>>>>>>>>>> that I have already tried a ton of what is out there, and
>>>>>>>>>>>>> as for your "Google search", dozens of those are the same
>>>>>>>>>>>>> posts regurgitated on numerous sites. I went through an
>>>>>>>>>>>>> entire page a week or so back and every single link on the
>>>>>>>>>>>>> page was to the exact same post, on numerous sits that
>>>>>>>>>>>>> have board-readers that simply read the samba lists among
>>>>>>>>>>>>> others and duplicate the posts. Useless! I'd say out of
>>>>>>>>>>>>> 1.9mil results, about 500k are unique. I am getting to
>>>>>>>>>>>>> where I dislike Google for this reason, but that is
>>>>>>>>>>>>> another discussion.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am also happy to hear that you can afford to blow
>>>>>>>>>>>>> thousands on a simple DVD. Low-income businesses,
>>>>>>>>>>>>> churches, and what-not cannot. Yes, we know of
>>>>>>>>>>>>> open-licensing and manage it for several clients, but many
>>>>>>>>>>>>> people are not willing to spend anything right now if
>>>>>>>>>>>>> there is a viable alternative. Seeing that S4 has worked
>>>>>>>>>>>>> flawlessly for two years at a few locations, this fit the
>>>>>>>>>>>>> client's needs and we installed it. Something is just
>>>>>>>>>>>>> different this time. I am learning a lot and intend to
>>>>>>>>>>>>> apply things like the group and user ID's to other domains
>>>>>>>>>>>>> once we have it working here to avoid future problems.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Also, Windows has MUCH higher resource requirements than
>>>>>>>>>>>>> Linux. On top of that $3k, how much would we have to pay
>>>>>>>>>>>>> to bring up the hardware? Too expensive for such little gain.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Finally, if you have taken some personal offense to
>>>>>>>>>>>>> something, speak up. You offered assistance, I took what I
>>>>>>>>>>>>> had not already tried and tried it. You did not ask for
>>>>>>>>>>>>> results, so I assumed the fact that I was still asking for
>>>>>>>>>>>>> help would have been a clue that the suggestion was no
>>>>>>>>>>>>> good. Every time anybody asked for anything, including
>>>>>>>>>>>>> configuration files, I posted them, so there's no need to
>>>>>>>>>>>>> be bitter. Simply point out that I may have missed
>>>>>>>>>>>>> something and I'll try it or let you know I already did.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 8/6/2014 3:57 PM, steve wrote:
>>>>>>>>>>>>>> On Wed, 2014-08-06 at 13:50 -0400, Ryan Ashley wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> What information have I not answered fully?
>>>>>>>>>>>>>> Most of the suggestions and tips we have given. As an
>>>>>>>>>>>>>> example, you said
>>>>>>>>>>>>>> that you wanted to add IDs to your users. You were sent a
>>>>>>>>>>>>>> link to help
>>>>>>>>>>>>>> you look up what you said you, 'had no idea how'. You
>>>>>>>>>>>>>> ignored that, so
>>>>>>>>>>>>>> we sent you concrete examples to try. Still nothing.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You are a, 'VERY BUSY person', are you? Well, I can only
>>>>>>>>>>>>>> urge everyone
>>>>>>>>>>>>>> here to jump on your case. I repeat. With a 2012 R2
>>>>>>>>>>>>>> licence and 90 days
>>>>>>>>>>>>>> reduced rate licence, you would have been up days ago for
>>>>>>>>>>>>>> this side of
>>>>>>>>>>>>>> $3000
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Cheers, and EOT from us,
>>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> Active Directory works differently from Linux, it uses
>>>>>>>>>>>> SID's and RID's, Linux uses UID's and GID's. To use AD
>>>>>>>>>>>> users as Linux users you somehow have to convert the SID's
>>>>>>>>>>>> and RID's to UID's and GID's. There are several ways to do
>>>>>>>>>>>> this by using programs like winbind, nslcd or sssd, but
>>>>>>>>>>>> they all boil down to the same two ways, you either create
>>>>>>>>>>>> a UID/GID from the RID or you give the user/group a
>>>>>>>>>>>> uidNumber/gidNumber.
>>>>>>>>>>>>
>>>>>>>>>>>> That is:
>>>>>>>>>>>> A user is given a uidNumber and gidNumber
>>>>>>>>>>>> A group is given a gidNumber
>>>>>>>>>>>>
>>>>>>>>>>>> uidNumber and gidNumber are the attribute names, not uid or
>>>>>>>>>>>> gid or anything else.
>>>>>>>>>>>>
>>>>>>>>>>>> The only way (at the moment) to ensure that your
>>>>>>>>>>>> users/groups get the same ID everywhere in the domain is to
>>>>>>>>>>>> use RFC2307 attributes.
>>>>>>>>>>>>
>>>>>>>>>>>> see here for info on RFC2307:
>>>>>>>>>>>>
>>>>>>>>>>>> https://www.ietf.org/rfc/rfc2307.txt
>>>>>>>>>>>>
>>>>>>>>>>>> How you add these RFC2307 attributes is up to you, the
>>>>>>>>>>>> easiest way is to use ADUC, but you say that you do not
>>>>>>>>>>>> have the UNIX-Attributes tab on your users and groups, I
>>>>>>>>>>>> also had this problem and solved it by searching the
>>>>>>>>>>>> internet. I posted a link to one of the pages I used, so I
>>>>>>>>>>>> do not propose to go over old ground yet again.
>>>>>>>>>>>>
>>>>>>>>>>>> If you cannot get the ADUC tab to work for you, then you
>>>>>>>>>>>> can always use ldb-tools to add the attributes, either by
>>>>>>>>>>>> using ldbedit and directly modifying the user/group or by
>>>>>>>>>>>> creating an ldif and using ldbmodify to add this. A typical
>>>>>>>>>>>> ldif for a user called John Doe created on a windows
>>>>>>>>>>>> machine would be:
>>>>>>>>>>>>
>>>>>>>>>>>> dn: CN=John Doe,CN=Users,DC=example,DC=com
>>>>>>>>>>>> changetype: modify
>>>>>>>>>>>> add: uid
>>>>>>>>>>>> uid: john
>>>>>>>>>>>> -
>>>>>>>>>>>> add: msSFU30Name
>>>>>>>>>>>> msSFU30Name: john
>>>>>>>>>>>> -
>>>>>>>>>>>> add: msSFU30NisDomain
>>>>>>>>>>>> msSFU30NisDomain: example
>>>>>>>>>>>> -
>>>>>>>>>>>> add: uidNumber
>>>>>>>>>>>> uidNumber: 10000
>>>>>>>>>>>> -
>>>>>>>>>>>> add: gidNumber
>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>> -
>>>>>>>>>>>> add: loginShell
>>>>>>>>>>>> loginShell: /bin/bash
>>>>>>>>>>>> -
>>>>>>>>>>>> add: unixHomeDirectory
>>>>>>>>>>>> unixHomeDirectory: /home/john
>>>>>>>>>>>> -
>>>>>>>>>>>> add: unixUserPassword
>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>
>>>>>>>>>>>> The above ldif is exactly the way that ADUC does it
>>>>>>>>>>>> (ABCD!efgh12345$67890 is the unixUserPassword that ADUC
>>>>>>>>>>>> gives every unix user), but you only really need the
>>>>>>>>>>>> uidNumber & gidNumber. the uidNumber needs to be a unique
>>>>>>>>>>>> number and the gidNumber will be the users primary Unix
>>>>>>>>>>>> group (usually Domain Users) so that number needs to be
>>>>>>>>>>>> what ever you gave to your main Unix group i.e. Domain
>>>>>>>>>>>> Users needs to have the gidNumber '10000'
>>>>>>>>>>>>
>>>>>>>>>>>> You would add the above ldif like this:
>>>>>>>>>>>>
>>>>>>>>>>>> root at dc1:~# kinit
>>>>>>>>>>>> Password for administrator at EXAMPLE.COM:
>>>>>>>>>>>> root at dc1:~# ldbmodify --url=ldap://dc1.example.com
>>>>>>>>>>>> --kerberos=yes --krb5-ccache=/tmp/krb5cc_0" /path_to/ldif
>>>>>>>>>>>>
>>>>>>>>>>>> Replacing 'dc1.example.com' with your S4 AD DC FQDN and
>>>>>>>>>>>> '/path_to/ldif' with the full path and name of your ldif,
>>>>>>>>>>>> and of course you need to run all of this on the S4 AD DC.
>>>>>>>>>>>>
>>>>>>>>>>>> the uidNumber and gidNumber ranges can be identical, in
>>>>>>>>>>>> fact this is the way that ADUC works, but whatever range
>>>>>>>>>>>> you do use, must be reflected in smb.conf
>>>>>>>>>>>> i.e. 'idmap config EXAMPLE : range = 10000-999999'.
>>>>>>>>>>>>
>>>>>>>>>>>> Just why you renamed the Administrator account, before you
>>>>>>>>>>>> got everything working, escapes me, in fact most people
>>>>>>>>>>>> probably never bother, so I would suggest that you rename
>>>>>>>>>>>> the account back again, at least until you get everything
>>>>>>>>>>>> working correctly.
>>>>>>>>>>>>
>>>>>>>>>>>> Do not give the Administrator account a uidNumber or
>>>>>>>>>>>> gidNumber, create a new user and give this new user the
>>>>>>>>>>>> required RFC2307 attributes.
>>>>>>>>>>>>
>>>>>>>>>>>> Once you have added the gidNumber to Domain Users and added
>>>>>>>>>>>> the ldif to John Doe, running (on a client joined to the
>>>>>>>>>>>> domain) 'getent passwd' should show a line for John Doe and
>>>>>>>>>>>> 'getent group Domain\ Users' should show the info for
>>>>>>>>>>>> Domain Users.
>>>>>>>>>>>>
>>>>>>>>>>>> This will be my last post on this thread.
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>> I know I said that I wouldn't post on this thread again, but you
>>>>> are doing my head in, you have taken a simple task and turned it
>>>>> into a farce!!!
>>>>>
>>>>> I advised you at least once to remove this line:
>>>>>
>>>>> auth methods = winbind
>>>>>
>>>>> Here is why (taken from 'man smb.conf')
>>>>>
>>>>> auth methods (G)
>>>>>
>>>>> This option allows the administrator to chose what
>>>>> authentication
>>>>> methods smbd will use when authenticating a user. This
>>>>> option
>>>>> defaults to sensible values based on security. This
>>>>> should be
>>>>> considered a developer option and used only in rare
>>>>> circumstances.
>>>>> In the majority (if not all) of production servers, the
>>>>> default
>>>>> setting should be adequate.
>>>>>
>>>>> Default: auth methods =
>>>>>
>>>>> This is also from 'man smb.conf' (abridged):
>>>>>
>>>>> idmap config:OPTION (G)
>>>>>
>>>>> ID mapping in Samba is the mapping between Windows SIDs
>>>>> and Unix
>>>>> user and group IDs. This is performed by Winbindd with a
>>>>> configurable plugin interface. Samba's ID mapping is
>>>>> configured by
>>>>> options starting with the idmap config prefix. An idmap
>>>>> option
>>>>> consists of the idmap config prefix, followed by a
>>>>> domain name or
>>>>> the asterisk character (*), a colon, and the name of an
>>>>> idmap
>>>>> setting for the chosen domain.
>>>>>
>>>>> The following example illustrates how to configure the
>>>>> idmap_ad(8)
>>>>> backend for the CORP domain and the idmap_tdb(8)
>>>>> backend for all
>>>>> other domains. This configuration assumes that the
>>>>> admin of CORP
>>>>> assigns unix ids below 1000000 via the SFU extensions,
>>>>> and winbind
>>>>> is supposed to use the next million entries for its own
>>>>> mappings
>>>>> from trusted domains and for local groups for example.
>>>>>
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 1000000-1999999
>>>>>
>>>>> idmap config CORP : backend = ad
>>>>> idmap config CORP : range = 1000-999999
>>>>>
>>>>> YOURS:
>>>>>
>>>>> idmap config *:backend = tdb
>>>>> idmap config *:range = 70001-80000
>>>>> idmap config TRUEVINE:backend = ad
>>>>> idmap config TRUEVINE:schema_mode = rfc2307
>>>>> idmap config TRUEVINE:range = 10001-40000
>>>>>
>>>>> What the above means is that trusted domains and local groups will
>>>>> get mapped to numbers between 70001 and 80000, local groups etc
>>>>> being the windows builtin ones not UNIX ones.
>>>>>
>>>>> Your AD users will ONLY get pulled from AD if the
>>>>> uidNumber's/gidNumber's are between 10001 and 40000, ARE THEY ????
>>>>>
>>>>> Have you actually got any normal users with uidNumber's &
>>>>> gidNumber's, the last time I heard, you were trying to use the
>>>>> renamed Administrator account as a normal account.
>>>>>
>>>>> I would suggest that you go and take a running jump into Glenville
>>>>> Lake to cool off, then come back and re-read your posts again, you
>>>>> might then realise just what a Prat you are coming over as.
>>>>>
>>>>> This is definitely my last post on this thread
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>> Hopefully this is definitely going to be my last post on this thread.
>>>
>>> My S4 AD DC runs on Debian Wheezy 7.5 with samba 4.1.7 from
>>> backports and was provisioned with rfc2307.
>>>
>>> My laptop runs Linux Mint 17 (aka Ubuntu 14.04) with samba 4.1.6
>>>
>>> This is smb.conf on the S4 server:
>>>
>>> [global]
>>> workgroup = EXAMPLE
>>> realm = example.com
>>> netbios name = DC1
>>> server role = active directory domain controller
>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>> drepl, winbind, ntp_signd, kcc, dnsupdate
>>> idmap_ldb:use rfc2307 = yes
>>>
>>> [netlogon]
>>> path = /var/lib/samba/sysvol/example.com/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /var/lib/samba/sysvol
>>> read only = No
>>>
>>> NOTE: I use Bind9 instead of the internal DNS server.
>>>
>>> This is my AD entry:
>>>
>>> dn: CN=Rowland Penny,CN=Users,DC=example,DC=com
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: Rowland Penny
>>> sn: Penny
>>> givenName: Rowland
>>> instanceType: 4
>>> whenCreated: 20140604153749.0Z
>>> displayName: Rowland Penny
>>> uSNCreated: 3812
>>> name: Rowland Penny
>>> objectGUID: 79e251c6-70c0-4b8b-8fa7-e10eb1d603ae
>>> badPwdCount: 0
>>> codePage: 0
>>> badPasswordTime: 0
>>> lastLogoff: 0
>>> lastLogon: 0
>>> primaryGroupID: 513
>>> objectSid: S-1-5-21-2624802715-3731723941-638006480-1106
>>> logonCount: 0
>>> sAMAccountName: rowland
>>> sAMAccountType: 805306368
>>> userPrincipalName: rowland at example.com
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>>> pwdLastSet: 130463698700000000
>>> uid: rowland
>>> msSFU30Name: rowland
>>> msSFU30NisDomain: example
>>> uidNumber: 10000
>>> gidNumber: 10000
>>> loginShell: /bin/bash
>>> unixHomeDirectory: /home/rowland
>>> unixUserPassword: ABCD!efgh123457890
>>> userAccountControl: 66048
>>> accountExpires: 0
>>> co: United Kingdom
>>> countryCode: 826
>>> c: GB
>>> l: Clitheroe
>>> postalCode: BB7 1ND
>>> st: Lancashire
>>> profilePath: \\dc1\profiles\rowland
>>> homeDirectory: \\dc1\rowland
>>> homeDrive: G:
>>> memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
>>> memberOf: CN=administration,CN=Users,DC=example,DC=com
>>> description: A Unix User
>>> whenChanged: 20140707145726.0Z
>>> uSNChanged: 8309
>>> distinguishedName: CN=Rowland Penny,CN=Users,DC=example,DC=com
>>>
>>> This is smb.conf on the laptop
>>>
>>> [global]
>>> workgroup = EXAMPLE
>>> security = ADS
>>> realm = EXAMPLE.COM
>>> #client signing = yes
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> server string = Samba 4 Client %h
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind use default domain = yes
>>> winbind expand groups = 4
>>> winbind nss info = rfc2307
>>> winbind refresh tickets = Yes
>>> winbind offline logon = yes
>>> winbind normalize names = Yes
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000-9999
>>> idmap config EXAMPLE : backend = ad
>>> idmap config EXAMPLE : range = 10000-999999
>>> idmap config EXAMPLE : schema_mode = rfc2307
>>> printcap name = cups
>>> cups options = raw
>>> usershare allow guests = yes
>>> domain master = no
>>> local master = no
>>> preferred master = no
>>> os level = 20
>>> map to guest = bad user
>>> username map = /etc/samba/smbmap
>>> vfs objects = acl_xattr
>>> map acl inherit = Yes
>>> store dos attributes = Yes
>>>
>>> If, on the laptop, I run 'getent passwd rowland' I get this:
>>>
>>> rowland:*:10000:10000::/home/rowland:/bin/bash
>>>
>>> If I also run 'getent group Domain\ Users' I get this:
>>>
>>> domain_users:x:10000:
>>>
>>> I have also this afternoon set up a new linux computer, just as the
>>> laptop and it just works, so somewhere you are doing something very
>>> wrong, It is easy to set up a linux client, well easy for everybody
>>> else except you, it would seem.
>>>
>>> I repeat that you have something very wrong, you need to check your
>>> set up, both the S4 server and the client, compare everything with
>>> mine and try and see just where you are going wrong.
>>>
>>> Rowland
>>>
>>
>
More information about the samba
mailing list