[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Sat Aug 9 13:55:44 MDT 2014

As a C/C++ programmer, I love building the latest stable and enjoy 
having it, but I am beginning to think maybe I should be using the 
backports S4. I will have to do that on Monday however, since I need 
physical access to wipe and reinstall the VM. It would be fewer packages 
to install though, since I would not need the headers and such. Oh wait, 
it's a VM. I still have to build the virtualized drivers. Still, I may 
give it a go. The version you stated is only two versions behind what I 
am running (4.1.11), so no big loss there. For now however, I am going 
to attempt to make this work. If I have failed then Monday i will try 
your suggestion when I can get access to the physical system.

On 8/9/2014 2:20 PM, Rowland Penny wrote:
> On 09/08/14 18:58, Ryan Ashley wrote:
>> I have been working on this alone for a while since the thread is so 
>> long and have tried a few things and discovered others. One REALLY 
>> strange thing is that when I use getent to look up users, some users 
>> show the 70001 and up IDs, and others do not show a thing. This is 
>> normal users now, not my domain admin account. For example, "getent 
>> passwd yolandab" returns nothing while "getent passwd cynthiaj" 
>> returns two ID's above 70k. Even my normal user account, 
>> reach_support, returns nothing. This one has me a tad lost, but the 
>> next thing I discovered may be the solution.
>>     If I attempt to install libnss-winbind or libpam-winbind from the 
>> repos, it tries to install the Samba stuff from the repos. Aren't 
>> those two built when you build S4? I am currently looking for them 
>> and have a "find" command running on the system in a screen session. 
>> I imagine I need to symlink those to /lib, right? Assuming they were 
>> built, I will try this and if it doesn't work, I will let you know. 
>> If it does, I will also tell you. I hope this has been my issue all 
>> along, but we should know soon.
>>     Finally, I delete both /var/lib/samba AND /var/cache/samba. I 
>> found the latter afterwards. I also deleted /etc/krb5.keytab once I 
>> left the domain and before joining again. Just being safe. I do know 
>> that the keytab does not store ID's or anything, I am just trying to 
>> be thorough. Thank you again for your help and I do know of the 
>> manpages, but I normally get headaches reading them. I wish they had 
>> the info on a wiki page so I could go right to the section I want to 
>> study.
>> On 8/8/2014 1:12 PM, Rowland Penny wrote:
>>> On 08/08/14 17:49, Ryan Ashley wrote:
>>>> Thanks, Rowland. I do not have some of the things you have on your 
>>>> laptop. Our server configs are almost identical, and I use BIND9 
>>>> also. I am going to assume then, based on that, that my issue lies 
>>>> in my client configuration. I can run getent on the server and get 
>>>> the correct results. Just not on the two member servers, more proof 
>>>> that it is indeed an issue on them.
>>>> If I may ask, you have a LOT of entries not shown in any of the 
>>>> guides, including the ones you already had me add, such as the 
>>>> keytab. Several of your entries catch my eye.
>>> OK, if on the client, you run 'man smb.conf' you will get displayed 
>>> what is called the 'manpage' for what you can put into smb.conf and 
>>> what they do.
>>>> winbind expand groups = 4
>>>            This option controls the maximum depth that winbindd will 
>>> traverse
>>>            when flattening nested group memberships of Windows 
>>> domain groups.
>>>> winbind normalize names = yes
>>>            This parameter controls whether winbindd will replace 
>>> whitespace in
>>>            user and group names with an underscore (_) character.
>>>> printcap name = cups
>>>            This parameter may be used to override the compiled-in 
>>> default
>>>            printcap name used by the server (usually /etc/printcap).
>>>> cups options = raw
>>>            This parameter is only applicable if printing is set to 
>>> cups. Its
>>>            value is a free form string of options passed directly to 
>>> the cups
>>>            library.
>>>> usershare allow guests = yes
>>> Controls if usershares can permit guest access.
>>>> os level = 20
>>>            This integer value controls what level Samba advertises 
>>> itself as
>>>            for browse elections. The value of this parameter determines
>>>            whether nmbd(8) has a chance of becoming a local master 
>>> browser for
>>>            the workgroup in the local broadcast area.
>>>> map to guest = bad user
>>>            This parameter can take four different values, which tell 
>>> smbd(8)
>>>            what to do with user login requests that don't match a 
>>> valid UNIX
>>>            user in some way.
>>>            ·   Bad User - Means user logins with an invalid password 
>>> are
>>>                rejected, unless the username does not exist, in 
>>> which case it
>>>                is treated as a guest login and mapped into the guest 
>>> account.
>>>> username map = /etc/samba/smbmap
>>>            This option allows you to specify a file containing a 
>>> mapping of
>>>            usernames from the clients to the server.
>>> This is my smbmap file
>>> !root = EXAMPLE\Administrator Administrator administrator
>>> As I said there is more info available in the smb.conf manpage.
>>>> I have never seen these before. The last entry on my list may be 
>>>> the key if it does what I think it does. Before I add these lines I 
>>>> need to ask if there is a cache of ID's to names somewhere. See, I 
>>>> find it VERY odd that as often as I have removed the system from 
>>>> the domain, wiped out everything in "/var/lib/samba", and rejoined 
>>>> the domain, it keeps mapping the EXACT same ID numbers on each box 
>>>> to the same usernames. My belief is that there is a cache I am not 
>>>> deleting somewhere. Would you mind telling me if there is a file 
>>>> somewhere I should delete to remove the old mappings?
>>> If you are deleting /var/lib/samba then you are deleting the cache, 
>>> provided of course you are doing this on the client. The fact that 
>>> you are getting the right uidNumber's on the server shows that this 
>>> seems to be set up correctly, the problem does seem to be with the 
>>> client. Do you have all these packages installed on the client:
>>> samba libnss-winbind winbind libpam-winbind krb5-config libpam-krb5 
>>> krb5-user
>>> After that, I can only think that we are going to have to walk 
>>> through the setup file by file.
>>> Rowland
>>>> On 08/08/2014 12:30 PM, Rowland Penny wrote:
>>>>> On 08/08/14 15:50, Ryan Ashley wrote:
>>>>>> Actually, I am quite cool. I am confused with the mountain of 
>>>>>> information I have been handed. I am very appreciative (as I said 
>>>>>> before) of the help you and Steve have offered. I do not believe 
>>>>>> you understand me however. I am a VERY logical person. Telling me 
>>>>>> something without an understanding of why, I am hesitant to just 
>>>>>> accept it. Try it? Sure! But I need to understand why it works or 
>>>>>> does not work. I am honestly not angry and am not trying to get 
>>>>>> under your skin. I am simply trying to solve a problem that must 
>>>>>> be over my head.
>>>>>> As to your question, I answered it in my last post. All of my 
>>>>>> users have uidNumber and gidNumber set, and they are ALL in the 
>>>>>> 10001-40000 range. I stated this in the last post. The one you 
>>>>>> replied to. This is why I am confused. I DID go read a lot of 
>>>>>> information over the past 24hr period and I have all of my 
>>>>>> uidNumber and gidNumber attributes between 10001 and 40000. In 
>>>>>> fact, I max these somewhere between 10040 and 10050, though I do 
>>>>>> not remember EXACTLY what it is. I can look if needed.
>>>>>> Also, I was not using the domain admin as a normal account. We 
>>>>>> simply rename the account as a security measure. We did not do 
>>>>>> anything else to it. I do not even login on the boxes with it 
>>>>>> unless it is absolutely needed. I simply used it because I was 
>>>>>> not told not to get the information requested from the domain 
>>>>>> admin account. Had I been told to use a regular account and not 
>>>>>> the domain admin, I would have happily done so.
>>>>>> So let me recap. You see my config. Every user and group is 
>>>>>> assigned a unique ID between 10001 and 40000. They are still 
>>>>>> being assigned 70001 and above. Winbind and all of the S4 
>>>>>> utilities appear to be working. SIDs are resolved and can be 
>>>>>> resolved back to names. My only issue is likely a configuration 
>>>>>> problem, but based on what you two have told me AND what I have 
>>>>>> read, my configuration APPEARS to be correct. So from my 
>>>>>> perspective, I have a correct configuration based on what I have 
>>>>>> been told, but it is not working. I am sorry if this comes across 
>>>>>> and being a nuisance, but I am genuinely NOT trying to offend 
>>>>>> anybody, I just want it working. I am sorry for whatever was said 
>>>>>> to offend you because I have VERY MUCH appreciated your time 
>>>>>> which you are not being paid for. Just remember that you are the 
>>>>>> Samba professional, I am still learning the new S4 stuff.
>>>>>> uidNumber/gidNumber in AD: 10001-40000 (matches config)
>>>>>> On 08/08/2014 10:21 AM, Rowland Penny wrote:
>>>>>>> On 08/08/14 14:45, Ryan Ashley wrote:
>>>>>>>> Alright, I believe I figured something out, but may be 
>>>>>>>> mistaken. Again, I don't see anything in plain English 
>>>>>>>> explaining, so this is my guess. Please let me know if I am right.
>>>>>>>> [global]
>>>>>>>>   netbios name = FS01
>>>>>>>>   workgroup = TRUEVINE
>>>>>>>>   security = ADS
>>>>>>>>   realm = TRUEVINE.LAN
>>>>>>>>   encrypt passwords = yes
>>>>>>>>   dedicated keytab file = /etc/krb5.keytab
>>>>>>>>   kerberos method = secrets and keytab
>>>>>>>>   idmap config *:backend = tdb
>>>>>>>>   idmap config *:range = 70001-80000
>>>>>>>>   idmap config TRUEVINE:backend = ad
>>>>>>>>   idmap config TRUEVINE:schema_mode = rfc2307
>>>>>>>>   idmap config TRUEVINE:range = 10001-40000
>>>>>>>>   winbind nss info = rfc2307
>>>>>>>>   winbind trusted domains only = no
>>>>>>>>   winbind use default domain = yes
>>>>>>>>   winbind enum users = yes
>>>>>>>>   winbind enum groups = yes
>>>>>>>>   vfs objects = acl_xattr
>>>>>>>>   map acl inherit = yes
>>>>>>>>   store dos attributes = yes
>>>>>>>>   auth methods = winbind
>>>>>>>> The line "idmap config *:range = 70001-80000" assigns a unique 
>>>>>>>> ID to anybody who is not in the Truevine domain or who does not 
>>>>>>>> have a uidNumber/gidNumber attribute set. Is this correct? This 
>>>>>>>> is where all of my users and groups are getting ID's from.
>>>>>>>> Now, the line "idmap config TRUEVINE:range = 10001-40000" is 
>>>>>>>> the range of uidNumber/gidNumber attributes to search. This is 
>>>>>>>> the range set aside for domain users and groups, so I assume if 
>>>>>>>> I set this to something over 100k, it would never find 
>>>>>>>> anything. However, it is not finding the uidNumber/gidNumber 
>>>>>>>> attributes in this range (which is everybody) for some reason, 
>>>>>>>> and the users wind up with 70001 and above for their ID's. So 
>>>>>>>> what am I doing wrong?
>>>>>>>> On 08/08/2014 09:14 AM, Ryan Ashley wrote:
>>>>>>>>> I am still stuck here. Both member servers are ignoring the 
>>>>>>>>> gidNumber and uidNumber attributes and are assigning their own 
>>>>>>>>> numbers and I cannot figure out why. Leaving the domain, 
>>>>>>>>> uninstalling S4, building the latest, and reinstalling does 
>>>>>>>>> not fix the issue.
>>>>>>>>> On 08/07/2014 02:28 PM, Ryan Ashley wrote:
>>>>>>>>>> Alright, I also checked and I was right, I set "uidNumber" 
>>>>>>>>>> and "gidNumber". Pictures are attached. So with these set, 
>>>>>>>>>> why are they not pulling across to my member servers?
>>>>>>>>>> I do have screenshots showing the correct attributes set in 
>>>>>>>>>> ADUC, but they're note pulling across to my member servers.
>>>>>>>>>> On 08/07/2014 11:22 AM, Ryan Ashley wrote:
>>>>>>>>>>> I figured it out, but it won't let me import it.
>>>>>>>>>>> root at dc01:~# ldbmodify -H /var/lib/samba/private/sam.ldb 
>>>>>>>>>>> /root/ypServ30.ldif --option="dsdb:schema update allowed"=true
>>>>>>>>>>> ERR: (Entry already exists) "Entry 
>>>>>>>>>>> CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan 
>>>>>>>>>>> already exists" on DN 
>>>>>>>>>>> CN=ypServ30,CN=RpcServices,CN=System,dc=truevine,dc=lan at 
>>>>>>>>>>> block before line 5
>>>>>>>>>>> Modify failed after processing 0 records
>>>>>>>>>>> root at dc01:~#
>>>>>>>>>>> So this means it is already there, right? If so, what must I 
>>>>>>>>>>> do here? I am going to check, but I do not remember seeing 
>>>>>>>>>>> an attribute called "gidNumber", only "gid".
>>>>>>>>>>> On 08/07/2014 10:24 AM, Ryan Ashley wrote:
>>>>>>>>>>>> Alright, new problem. That ypServ30.ldif file is asking for 
>>>>>>>>>>>> all kinds of information I do not know or know how to get. 
>>>>>>>>>>>> I am ASSUMING the "domain dn" it is asking for is 
>>>>>>>>>>>> "dc=truevine,dc=lan". However, it also needs to know a 
>>>>>>>>>>>> NISDOMAIN variable and that I do not have a clue about. Is 
>>>>>>>>>>>> there a guide dedicated just to editing this file? I don't 
>>>>>>>>>>>> have a NIS domain to my knowledge. I just want to import 
>>>>>>>>>>>> the file so I can set my attributes. This is kind of 
>>>>>>>>>>>> complicated just to add a few (four?) attributes to my schema.
>>>>>>>>>>>> So, what do I set all these things in the LDIF file to? Is 
>>>>>>>>>>>> there a way I can look them up?
>>>>>>>>>>>> On 08/07/2014 09:42 AM, Ryan Ashley wrote:
>>>>>>>>>>>>> Thanks, Rowland. I just got in this morning and think it 
>>>>>>>>>>>>> finally all fell into place. You mentioned an LDIF file in 
>>>>>>>>>>>>> a prior email. I assume that if I import that LDIF file, 
>>>>>>>>>>>>> it creates the attributes I need. After that, I should be 
>>>>>>>>>>>>> able to set them as you stated. Is this correct?
>>>>>>>>>>>>> My current plan is to re-read your emails and find the 
>>>>>>>>>>>>> file you mentioned. If it does indeed add those 
>>>>>>>>>>>>> attributes, I will import it and try setting them as you 
>>>>>>>>>>>>> stated. If it works, I will report success and summarize 
>>>>>>>>>>>>> what this entire thread was about for others to learn from 
>>>>>>>>>>>>> without reading it all.
>>>>>>>>>>>>> On 08/07/2014 05:16 AM, Rowland Penny wrote:
>>>>>>>>>>>>>> On 06/08/14 22:24, Ryan Ashley wrote:
>>>>>>>>>>>>>>> I have tried your suggestions, and some I had found 
>>>>>>>>>>>>>>> prior to falling back on the mailing list so I already 
>>>>>>>>>>>>>>> knew some would not work. I was not asked for a response 
>>>>>>>>>>>>>>> after being pointed to the material so I did not provide 
>>>>>>>>>>>>>>> one.
>>>>>>>>>>>>>>> Yes, I am very busy as I work as the lead IT and IS 
>>>>>>>>>>>>>>> specialist in a small business. I cannot devote weeks to 
>>>>>>>>>>>>>>> a single problem as I handle dozens a day, many resolved 
>>>>>>>>>>>>>>> within 24hrs. This issue has been on-going due to the 
>>>>>>>>>>>>>>> fact that I have already tried a ton of what is out 
>>>>>>>>>>>>>>> there, and as for your "Google search", dozens of those 
>>>>>>>>>>>>>>> are the same posts regurgitated on numerous sites. I 
>>>>>>>>>>>>>>> went through an entire page a week or so back and every 
>>>>>>>>>>>>>>> single link on the page was to the exact same post, on 
>>>>>>>>>>>>>>> numerous sits that have board-readers that simply read 
>>>>>>>>>>>>>>> the samba lists among others and duplicate the posts. 
>>>>>>>>>>>>>>> Useless! I'd say out of 1.9mil results, about 500k are 
>>>>>>>>>>>>>>> unique. I am getting to where I dislike Google for this 
>>>>>>>>>>>>>>> reason, but that is another discussion.
>>>>>>>>>>>>>>> I am also happy to hear that you can afford to blow 
>>>>>>>>>>>>>>> thousands on a simple DVD. Low-income businesses, 
>>>>>>>>>>>>>>> churches, and what-not cannot. Yes, we know of 
>>>>>>>>>>>>>>> open-licensing and manage it for several clients, but 
>>>>>>>>>>>>>>> many people are not willing to spend anything right now 
>>>>>>>>>>>>>>> if there is a viable alternative. Seeing that S4 has 
>>>>>>>>>>>>>>> worked flawlessly for two years at a few locations, this 
>>>>>>>>>>>>>>> fit the client's needs and we installed it. Something is 
>>>>>>>>>>>>>>> just different this time. I am learning a lot and intend 
>>>>>>>>>>>>>>> to apply things like the group and user ID's to other 
>>>>>>>>>>>>>>> domains once we have it working here to avoid future 
>>>>>>>>>>>>>>> problems.
>>>>>>>>>>>>>>> Also, Windows has MUCH higher resource requirements than 
>>>>>>>>>>>>>>> Linux. On top of that $3k, how much would we have to pay 
>>>>>>>>>>>>>>> to bring up the hardware? Too expensive for such little 
>>>>>>>>>>>>>>> gain.
>>>>>>>>>>>>>>> Finally, if you have taken some personal offense to 
>>>>>>>>>>>>>>> something, speak up. You offered assistance, I took what 
>>>>>>>>>>>>>>> I had not already tried and tried it. You did not ask 
>>>>>>>>>>>>>>> for results, so I assumed the fact that I was still 
>>>>>>>>>>>>>>> asking for help would have been a clue that the 
>>>>>>>>>>>>>>> suggestion was no good. Every time anybody asked for 
>>>>>>>>>>>>>>> anything, including configuration files, I posted them, 
>>>>>>>>>>>>>>> so there's no need to be bitter. Simply point out that I 
>>>>>>>>>>>>>>> may have missed something and I'll try it or let you 
>>>>>>>>>>>>>>> know I already did.
>>>>>>>>>>>>>>> On 8/6/2014 3:57 PM, steve wrote:
>>>>>>>>>>>>>>>> On Wed, 2014-08-06 at 13:50 -0400, Ryan Ashley wrote:
>>>>>>>>>>>>>>>>> What information have I not answered fully?
>>>>>>>>>>>>>>>> Most of the suggestions and tips we have given. As an 
>>>>>>>>>>>>>>>> example, you said
>>>>>>>>>>>>>>>> that you wanted to add IDs to your users. You were sent 
>>>>>>>>>>>>>>>> a link to help
>>>>>>>>>>>>>>>> you look up what you said you, 'had no idea how'. You 
>>>>>>>>>>>>>>>> ignored that, so
>>>>>>>>>>>>>>>> we sent you concrete examples to try. Still nothing.
>>>>>>>>>>>>>>>> You are a, 'VERY BUSY person', are you? Well, I can 
>>>>>>>>>>>>>>>> only urge everyone
>>>>>>>>>>>>>>>> here to jump on your case. I repeat. With a 2012 R2 
>>>>>>>>>>>>>>>> licence and 90 days
>>>>>>>>>>>>>>>> reduced rate licence, you would have been up days ago 
>>>>>>>>>>>>>>>> for this side of
>>>>>>>>>>>>>>>> $3000
>>>>>>>>>>>>>>>> Cheers, and EOT from us,
>>>>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>> Active Directory works differently from Linux, it uses 
>>>>>>>>>>>>>> SID's and RID's, Linux uses UID's and GID's. To use AD 
>>>>>>>>>>>>>> users as Linux users you somehow have to convert the 
>>>>>>>>>>>>>> SID's and RID's to UID's and GID's. There are several 
>>>>>>>>>>>>>> ways to do this by using programs like winbind, nslcd or 
>>>>>>>>>>>>>> sssd, but they all boil down to the same two ways, you 
>>>>>>>>>>>>>> either create a UID/GID from the RID or you give the 
>>>>>>>>>>>>>> user/group a uidNumber/gidNumber.
>>>>>>>>>>>>>> That is:
>>>>>>>>>>>>>> A user is given a uidNumber and gidNumber
>>>>>>>>>>>>>> A group is given a gidNumber
>>>>>>>>>>>>>> uidNumber and gidNumber are the attribute names, not uid 
>>>>>>>>>>>>>> or gid or anything else.
>>>>>>>>>>>>>> The only way (at the moment) to ensure that your 
>>>>>>>>>>>>>> users/groups get the same ID everywhere in the domain is 
>>>>>>>>>>>>>> to use RFC2307 attributes.
>>>>>>>>>>>>>> see here for info on RFC2307:
>>>>>>>>>>>>>> https://www.ietf.org/rfc/rfc2307.txt
>>>>>>>>>>>>>> How you add these RFC2307 attributes is up to you, the 
>>>>>>>>>>>>>> easiest way is to use ADUC, but you say that you do not 
>>>>>>>>>>>>>> have the UNIX-Attributes tab on your users and groups, I 
>>>>>>>>>>>>>> also had this problem and solved it by searching the 
>>>>>>>>>>>>>> internet. I posted a link to one of the pages I used, so 
>>>>>>>>>>>>>> I do not propose to go over old ground yet again.
>>>>>>>>>>>>>> If you cannot get the ADUC tab to work for you, then you 
>>>>>>>>>>>>>> can always use ldb-tools to add the attributes, either by 
>>>>>>>>>>>>>> using ldbedit and directly modifying the user/group or by 
>>>>>>>>>>>>>> creating an ldif and using ldbmodify to add this. A 
>>>>>>>>>>>>>> typical ldif for a user called John Doe created on a 
>>>>>>>>>>>>>> windows machine would be:
>>>>>>>>>>>>>> dn: CN=John Doe,CN=Users,DC=example,DC=com
>>>>>>>>>>>>>> changetype: modify
>>>>>>>>>>>>>> add: uid
>>>>>>>>>>>>>> uid: john
>>>>>>>>>>>>>> -
>>>>>>>>>>>>>> add: msSFU30Name
>>>>>>>>>>>>>> msSFU30Name: john
>>>>>>>>>>>>>> -
>>>>>>>>>>>>>> add: msSFU30NisDomain
>>>>>>>>>>>>>> msSFU30NisDomain: example
>>>>>>>>>>>>>> -
>>>>>>>>>>>>>> add: uidNumber
>>>>>>>>>>>>>> uidNumber: 10000
>>>>>>>>>>>>>> -
>>>>>>>>>>>>>> add: gidNumber
>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>> -
>>>>>>>>>>>>>> add: loginShell
>>>>>>>>>>>>>> loginShell: /bin/bash
>>>>>>>>>>>>>> -
>>>>>>>>>>>>>> add: unixHomeDirectory
>>>>>>>>>>>>>> unixHomeDirectory: /home/john
>>>>>>>>>>>>>> -
>>>>>>>>>>>>>> add: unixUserPassword
>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>> The above ldif is exactly the way that ADUC does it 
>>>>>>>>>>>>>> (ABCD!efgh12345$67890 is the unixUserPassword that ADUC 
>>>>>>>>>>>>>> gives every unix user), but you only really need the 
>>>>>>>>>>>>>> uidNumber & gidNumber. the uidNumber needs to be a unique 
>>>>>>>>>>>>>> number and the gidNumber will be the users primary Unix 
>>>>>>>>>>>>>> group (usually Domain Users) so that number needs to be 
>>>>>>>>>>>>>> what ever you gave to your main Unix group i.e. Domain 
>>>>>>>>>>>>>> Users needs to have the gidNumber '10000'
>>>>>>>>>>>>>> You would add the above ldif like this:
>>>>>>>>>>>>>> root at dc1:~# kinit
>>>>>>>>>>>>>> Password for administrator at EXAMPLE.COM:
>>>>>>>>>>>>>> root at dc1:~# ldbmodify --url=ldap://dc1.example.com 
>>>>>>>>>>>>>> --kerberos=yes --krb5-ccache=/tmp/krb5cc_0" /path_to/ldif
>>>>>>>>>>>>>> Replacing 'dc1.example.com' with your S4 AD DC FQDN and 
>>>>>>>>>>>>>> '/path_to/ldif' with the full path and name of your ldif, 
>>>>>>>>>>>>>> and of course you need to run all of this on the S4 AD DC.
>>>>>>>>>>>>>> the uidNumber and gidNumber ranges can be identical, in 
>>>>>>>>>>>>>> fact this is the way that ADUC works, but whatever range 
>>>>>>>>>>>>>> you do use, must be reflected in smb.conf
>>>>>>>>>>>>>> i.e. 'idmap config EXAMPLE : range = 10000-999999'.
>>>>>>>>>>>>>> Just why you renamed the Administrator account, before 
>>>>>>>>>>>>>> you got everything working, escapes me, in fact most 
>>>>>>>>>>>>>> people probably never bother, so I would suggest that you 
>>>>>>>>>>>>>> rename the account back again, at least until you get 
>>>>>>>>>>>>>> everything working correctly.
>>>>>>>>>>>>>> Do not give the Administrator account a uidNumber or 
>>>>>>>>>>>>>> gidNumber, create a new user and give this new user the 
>>>>>>>>>>>>>> required RFC2307 attributes.
>>>>>>>>>>>>>> Once you have added the gidNumber to Domain Users and 
>>>>>>>>>>>>>> added the ldif to John Doe, running (on a client joined 
>>>>>>>>>>>>>> to the domain) 'getent passwd' should show a line for 
>>>>>>>>>>>>>> John Doe and 'getent group Domain\ Users' should show the 
>>>>>>>>>>>>>> info for Domain Users.
>>>>>>>>>>>>>> This will be my last post on this thread.
>>>>>>>>>>>>>> Rowland
>>>>>>> I know I said that I wouldn't post on this thread again, but you 
>>>>>>> are doing my head in, you have taken a simple task and turned it 
>>>>>>> into a farce!!!
>>>>>>> I advised you at least once to remove this line:
>>>>>>> auth methods = winbind
>>>>>>> Here is why (taken from 'man smb.conf')
>>>>>>>       auth methods (G)
>>>>>>>            This option allows the administrator to chose what 
>>>>>>> authentication
>>>>>>>            methods smbd will use when authenticating a user. 
>>>>>>> This option
>>>>>>>            defaults to sensible values based on security. This 
>>>>>>> should be
>>>>>>>            considered a developer option and used only in rare 
>>>>>>> circumstances.
>>>>>>>            In the majority (if not all) of production servers, 
>>>>>>> the default
>>>>>>>            setting should be adequate.
>>>>>>>            Default: auth methods =
>>>>>>> This is also from 'man smb.conf' (abridged):
>>>>>>>        idmap config:OPTION (G)
>>>>>>>            ID mapping in Samba is the mapping between Windows 
>>>>>>> SIDs and Unix
>>>>>>>            user and group IDs. This is performed by Winbindd with a
>>>>>>>            configurable plugin interface. Samba's ID mapping is 
>>>>>>> configured by
>>>>>>>            options starting with the idmap config prefix. An 
>>>>>>> idmap option
>>>>>>>            consists of the idmap config prefix, followed by a 
>>>>>>> domain name or
>>>>>>>            the asterisk character (*), a colon, and the name of 
>>>>>>> an idmap
>>>>>>>            setting for the chosen domain.
>>>>>>>            The following example illustrates how to configure 
>>>>>>> the idmap_ad(8)
>>>>>>>            backend for the CORP domain and the idmap_tdb(8) 
>>>>>>> backend for all
>>>>>>>            other domains. This configuration assumes that the 
>>>>>>> admin of CORP
>>>>>>>            assigns unix ids below 1000000 via the SFU 
>>>>>>> extensions, and winbind
>>>>>>>            is supposed to use the next million entries for its 
>>>>>>> own mappings
>>>>>>>            from trusted domains and for local groups for example.
>>>>>>>                     idmap config * : backend = tdb
>>>>>>>                     idmap config * : range = 1000000-1999999
>>>>>>>                     idmap config CORP : backend  = ad
>>>>>>>                     idmap config CORP : range = 1000-999999
>>>>>>> YOURS:
>>>>>>>                      idmap config *:backend = tdb
>>>>>>>                       idmap config *:range = 70001-80000
>>>>>>>                       idmap config TRUEVINE:backend = ad
>>>>>>>                       idmap config TRUEVINE:schema_mode = rfc2307
>>>>>>>                       idmap config TRUEVINE:range = 10001-40000
>>>>>>> What the above means is that trusted domains and local groups 
>>>>>>> will get mapped to numbers between 70001 and 80000, local groups 
>>>>>>> etc being the windows builtin ones not UNIX ones.
>>>>>>> Your AD users will ONLY get pulled from AD if the 
>>>>>>> uidNumber's/gidNumber's are between 10001 and 40000, ARE THEY ????
>>>>>>> Have you actually got any normal users with uidNumber's & 
>>>>>>> gidNumber's, the last time I heard, you were trying to use the 
>>>>>>> renamed Administrator account as a normal account.
>>>>>>> I would suggest that you go and take a running jump into 
>>>>>>> Glenville Lake to cool off, then come back and re-read your 
>>>>>>> posts again, you might then realise just what a Prat you are 
>>>>>>> coming over as.
>>>>>>> This is definitely my last post on this thread
>>>>>>> Rowland
>>>>> Hopefully this is definitely going to be my last post on this thread.
>>>>> My S4 AD DC runs on Debian Wheezy 7.5 with samba 4.1.7 from 
>>>>> backports and was provisioned with rfc2307.
>>>>> My laptop runs Linux Mint 17 (aka Ubuntu 14.04) with samba 4.1.6
>>>>> This is smb.conf on the S4 server:
>>>>> [global]
>>>>>         workgroup = EXAMPLE
>>>>>         realm = example.com
>>>>>         netbios name = DC1
>>>>>         server role = active directory domain controller
>>>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
>>>>> drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>>         idmap_ldb:use rfc2307 = yes
>>>>> [netlogon]
>>>>>         path = /var/lib/samba/sysvol/example.com/scripts
>>>>>         read only = No
>>>>> [sysvol]
>>>>>         path = /var/lib/samba/sysvol
>>>>>         read only = No
>>>>> NOTE: I use Bind9 instead of the internal DNS server.
>>>>> This is my AD entry:
>>>>> dn: CN=Rowland Penny,CN=Users,DC=example,DC=com
>>>>> objectClass: top
>>>>> objectClass: person
>>>>> objectClass: organizationalPerson
>>>>> objectClass: user
>>>>> cn: Rowland Penny
>>>>> sn: Penny
>>>>> givenName: Rowland
>>>>> instanceType: 4
>>>>> whenCreated: 20140604153749.0Z
>>>>> displayName: Rowland Penny
>>>>> uSNCreated: 3812
>>>>> name: Rowland Penny
>>>>> objectGUID: 79e251c6-70c0-4b8b-8fa7-e10eb1d603ae
>>>>> badPwdCount: 0
>>>>> codePage: 0
>>>>> badPasswordTime: 0
>>>>> lastLogoff: 0
>>>>> lastLogon: 0
>>>>> primaryGroupID: 513
>>>>> objectSid: S-1-5-21-2624802715-3731723941-638006480-1106
>>>>> logonCount: 0
>>>>> sAMAccountName: rowland
>>>>> sAMAccountType: 805306368
>>>>> userPrincipalName: rowland at example.com
>>>>> objectCategory: 
>>>>> CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>>>>> pwdLastSet: 130463698700000000
>>>>> uid: rowland
>>>>> msSFU30Name: rowland
>>>>> msSFU30NisDomain: example
>>>>> uidNumber: 10000
>>>>> gidNumber: 10000
>>>>> loginShell: /bin/bash
>>>>> unixHomeDirectory: /home/rowland
>>>>> unixUserPassword: ABCD!efgh123457890
>>>>> userAccountControl: 66048
>>>>> accountExpires: 0
>>>>> co: United Kingdom
>>>>> countryCode: 826
>>>>> c: GB
>>>>> l: Clitheroe
>>>>> postalCode: BB7 1ND
>>>>> st: Lancashire
>>>>> profilePath: \\dc1\profiles\rowland
>>>>> homeDirectory: \\dc1\rowland
>>>>> homeDrive: G:
>>>>> memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
>>>>> memberOf: CN=administration,CN=Users,DC=example,DC=com
>>>>> description: A Unix User
>>>>> whenChanged: 20140707145726.0Z
>>>>> uSNChanged: 8309
>>>>> distinguishedName: CN=Rowland Penny,CN=Users,DC=example,DC=com
>>>>> This is smb.conf on the laptop
>>>>> [global]
>>>>>         workgroup = EXAMPLE
>>>>>         security = ADS
>>>>>         realm = EXAMPLE.COM
>>>>>         #client signing = yes
>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>         kerberos method = secrets and keytab
>>>>>         server string = Samba 4 Client %h
>>>>>         winbind enum users = yes
>>>>>         winbind enum groups = yes
>>>>>         winbind use default domain = yes
>>>>>         winbind expand groups = 4
>>>>>         winbind nss info = rfc2307
>>>>>         winbind refresh tickets = Yes
>>>>>         winbind offline logon = yes
>>>>>         winbind normalize names = Yes
>>>>>         idmap config * : backend = tdb
>>>>>         idmap config * : range = 2000-9999
>>>>>         idmap config EXAMPLE : backend  = ad
>>>>>         idmap config EXAMPLE : range = 10000-999999
>>>>>         idmap config EXAMPLE : schema_mode = rfc2307
>>>>>         printcap name = cups
>>>>>         cups options = raw
>>>>>         usershare allow guests = yes
>>>>>         domain master = no
>>>>>         local master = no
>>>>>         preferred master = no
>>>>>         os level = 20
>>>>>         map to guest = bad user
>>>>>         username map = /etc/samba/smbmap
>>>>>         vfs objects = acl_xattr
>>>>>         map acl inherit = Yes
>>>>>         store dos attributes = Yes
>>>>> If, on the laptop, I run 'getent passwd rowland' I get this:
>>>>> rowland:*:10000:10000::/home/rowland:/bin/bash
>>>>> If I also run 'getent group Domain\ Users' I get this:
>>>>> domain_users:x:10000:
>>>>> I have also this afternoon set up a new linux computer, just as 
>>>>> the laptop and it just works, so somewhere you are doing something 
>>>>> very wrong, It is easy to set up a linux client, well easy for 
>>>>> everybody else except you, it would seem.
>>>>> I repeat that you have something very wrong, you need to check 
>>>>> your set up, both the S4 server and the client, compare everything 
>>>>> with mine and try and see just where you are going wrong.
>>>>> Rowland
> This is one of the problems with building samba4 yourself, on the 
> server you do not need the 'extra' packages, but when it comes to the 
> clients, you do. As you are using Debian, have you considered using 
> samba from backports, this would give you samba4 version 4.1.9 (at the 
> moment).
> Rowland

More information about the samba mailing list