[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Sat Aug 9 13:55:44 MDT 2014
As a C/C++ programmer, I love building the latest stable and enjoy
having it, but I am beginning to think maybe I should be using the
backports S4. I will have to do that on Monday however, since I need
physical access to wipe and reinstall the VM. It would be fewer packages
to install though, since I would not need the headers and such. Oh wait,
it's a VM. I still have to build the virtualized drivers. Still, I may
give it a go. The version you stated is only two versions behind what I
am running (4.1.11), so no big loss there. For now however, I am going
to attempt to make this work. If I have failed, then on Monday I will try
your suggestion when I can get access to the physical system.
On 8/9/2014 2:20 PM, Rowland Penny wrote:
> On 09/08/14 18:58, Ryan Ashley wrote:
>> I have been working on this alone for a while since the thread is so
>> long and have tried a few things and discovered others. One REALLY
>> strange thing is that when I use getent to look up users, some users
>> show the 70001 and up IDs, and others do not show a thing. This is
>> normal users now, not my domain admin account. For example, "getent
>> passwd yolandab" returns nothing while "getent passwd cynthiaj"
>> returns two IDs above 70k. Even my normal user account,
>> reach_support, returns nothing. This one has me a tad lost, but the
>> next thing I discovered may be the solution.
>> If I attempt to install libnss-winbind or libpam-winbind from the
>> repos, it tries to install the Samba stuff from the repos. Aren't
>> those two built when you build S4? I am currently looking for them
>> and have a "find" command running on the system in a screen session.
>> I imagine I need to symlink those to /lib, right? Assuming they were
>> built, I will try this and if it doesn't work, I will let you know.
>> If it does, I will also tell you. I hope this has been my issue all
>> along, but we should know soon.
>> Finally, I deleted both /var/lib/samba AND /var/cache/samba. I
>> found the latter afterwards. I also deleted /etc/krb5.keytab once I
>> left the domain and before joining again. Just being safe. I do know
>> that the keytab does not store IDs or anything, I am just trying to
>> be thorough. Thank you again for your help and I do know of the
>> manpages, but I normally get headaches reading them. I wish they had
>> the info on a wiki page so I could go right to the section I want to
>> study.
>>
>> On 8/8/2014 1:12 PM, Rowland Penny wrote:
>>> On 08/08/14 17:49, Ryan Ashley wrote:
>>>> Thanks, Rowland. I do not have some of the things you have on your
>>>> laptop. Our server configs are almost identical, and I use BIND9
>>>> also. I am going to assume then, based on that, that my issue lies
>>>> in my client configuration. I can run getent on the server and get
>>>> the correct results. Just not on the two member servers, more proof
>>>> that it is indeed an issue on them.
>>>>
>>>> If I may ask, you have a LOT of entries not shown in any of the
>>>> guides, including the ones you already had me add, such as the
>>>> keytab. Several of your entries catch my eye.
>>>>
>>> OK, if on the client, you run 'man smb.conf' you will be shown
>>> what is called the 'manpage' for what you can put into smb.conf and
>>> what they do.
>>>
>>>
>>>> winbind expand groups = 4
>>>
>>> This option controls the maximum depth that winbindd will traverse when
>>> flattening nested group memberships of Windows domain groups.
>>>
>>>>
>>>> winbind normalize names = yes
>>>
>>> This parameter controls whether winbindd will replace whitespace in user
>>> and group names with an underscore (_) character.
>>>
>>>> printcap name = cups
>>>
>>> This parameter may be used to override the compiled-in default printcap
>>> name used by the server (usually /etc/printcap).
>>>
>>>> cups options = raw
>>>
>>> This parameter is only applicable if printing is set to cups. Its value
>>> is a free form string of options passed directly to the cups library.
>>>
>>>> usershare allow guests = yes
>>>
>>> Controls if usershares can permit guest access.
>>>
>>>> os level = 20
>>>
>>> This integer value controls what level Samba advertises itself as for
>>> browse elections. The value of this parameter determines whether nmbd(8)
>>> has a chance of becoming a local master browser for the workgroup in the
>>> local broadcast area.
>>>
>>>> map to guest = bad user
>>>
>>> This parameter can take four different values, which tell smbd(8) what
>>> to do with user login requests that don't match a valid UNIX user in
>>> some way.
>>>
>>> · Bad User - Means user logins with an invalid password are rejected,
>>> unless the username does not exist, in which case it is treated as a
>>> guest login and mapped into the guest account.
>>>
>>>> username map = /etc/samba/smbmap
>>>
>>> This option allows you to specify a file containing a mapping of
>>> usernames from the clients to the server.
>>>
>>> This is my smbmap file
>>>
>>> !root = EXAMPLE\Administrator Administrator administrator
>>>
>>> As I said there is more info available in the smb.conf manpage.
>>>
>>>>
>>>> I have never seen these before. The last entry on my list may be
>>>> the key if it does what I think it does. Before I add these lines I
>>>> need to ask if there is a cache of IDs to names somewhere. See, I
>>>> find it VERY odd that as often as I have removed the system from
>>>> the domain, wiped out everything in "/var/lib/samba", and rejoined
>>>> the domain, it keeps mapping the EXACT same ID numbers on each box
>>>> to the same usernames. My belief is that there is a cache I am not
>>>> deleting somewhere. Would you mind telling me if there is a file
>>>> somewhere I should delete to remove the old mappings?
>>>
>>> If you are deleting /var/lib/samba then you are deleting the cache,
>>> provided of course you are doing this on the client. The fact that
>>> you are getting the right uidNumbers on the server shows that this
>>> seems to be set up correctly; the problem does seem to be with the
>>> client. Do you have all these packages installed on the client:
>>>
>>> samba libnss-winbind winbind libpam-winbind krb5-config libpam-krb5
>>> krb5-user
>>>
>>> After that, I can only think that we are going to have to walk
>>> through the setup file by file.
>>>
>>> Rowland
>>>
>>>>
>>>> On 08/08/2014 12:30 PM, Rowland Penny wrote:
>>>>> On 08/08/14 15:50, Ryan Ashley wrote:
>>>>>> Actually, I am quite cool. I am confused with the mountain of
>>>>>> information I have been handed. I am very appreciative (as I said
>>>>>> before) of the help you and Steve have offered. I do not believe
>>>>>> you understand me however. I am a VERY logical person. If I am
>>>>>> told something without an understanding of why, I am hesitant to
>>>>>> just accept it. Try it? Sure! But I need to understand why it works or
>>>>>> does not work. I am honestly not angry and am not trying to get
>>>>>> under your skin. I am simply trying to solve a problem that must
>>>>>> be over my head.
>>>>>>
>>>>>> As to your question, I answered it in my last post. All of my
>>>>>> users have uidNumber and gidNumber set, and they are ALL in the
>>>>>> 10001-40000 range. I stated this in the last post. The one you
>>>>>> replied to. This is why I am confused. I DID go read a lot of
>>>>>> information over the past 24-hour period and I have all of my
>>>>>> uidNumber and gidNumber attributes between 10001 and 40000. In
>>>>>> fact, I max these somewhere between 10040 and 10050, though I do
>>>>>> not remember EXACTLY what it is. I can look if needed.
>>>>>>
>>>>>> Also, I was not using the domain admin as a normal account. We
>>>>>> simply rename the account as a security measure. We did not do
>>>>>> anything else to it. I do not even login on the boxes with it
>>>>>> unless it is absolutely needed. I simply used it because I was
>>>>>> not told not to get the information requested from the domain
>>>>>> admin account. Had I been told to use a regular account and not
>>>>>> the domain admin, I would have happily done so.
>>>>>>
>>>>>> So let me recap. You see my config. Every user and group is
>>>>>> assigned a unique ID between 10001 and 40000. They are still
>>>>>> being assigned 70001 and above. Winbind and all of the S4
>>>>>> utilities appear to be working. SIDs are resolved and can be
>>>>>> resolved back to names. My only issue is likely a configuration
>>>>>> problem, but based on what you two have told me AND what I have
>>>>>> read, my configuration APPEARS to be correct. So from my
>>>>>> perspective, I have a correct configuration based on what I have
>>>>>> been told, but it is not working. I am sorry if this comes across
>>>>>> as being a nuisance, but I am genuinely NOT trying to offend
>>>>>> anybody, I just want it working. I am sorry for whatever was said
>>>>>> to offend you because I have VERY MUCH appreciated your time
>>>>>> which you are not being paid for. Just remember that you are the
>>>>>> Samba professional, I am still learning the new S4 stuff.
>>>>>>
>>>>>> uidNumber/gidNumber in AD: 10001-40000 (matches config)
>>>>>>
>>>>>> On 08/08/2014 10:21 AM, Rowland Penny wrote:
>>>>>>> On 08/08/14 14:45, Ryan Ashley wrote:
>>>>>>>> Alright, I believe I figured something out, but may be
>>>>>>>> mistaken. Again, I don't see anything in plain English
>>>>>>>> explaining, so this is my guess. Please let me know if I am right.
>>>>>>>>
>>>>>>>> [global]
>>>>>>>> netbios name = FS01
>>>>>>>> workgroup = TRUEVINE
>>>>>>>> security = ADS
>>>>>>>> realm = TRUEVINE.LAN
>>>>>>>> encrypt passwords = yes
>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>
>>>>>>>> idmap config *:backend = tdb
>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>> idmap config TRUEVINE:backend = ad
>>>>>>>> idmap config TRUEVINE:schema_mode = rfc2307
>>>>>>>> idmap config TRUEVINE:range = 10001-40000
>>>>>>>>
>>>>>>>> winbind nss info = rfc2307
>>>>>>>> winbind trusted domains only = no
>>>>>>>> winbind use default domain = yes
>>>>>>>> winbind enum users = yes
>>>>>>>> winbind enum groups = yes
>>>>>>>>
>>>>>>>> vfs objects = acl_xattr
>>>>>>>> map acl inherit = yes
>>>>>>>> store dos attributes = yes
>>>>>>>> auth methods = winbind
>>>>>>>>
>>>>>>>> The line "idmap config *:range = 70001-80000" assigns a unique
>>>>>>>> ID to anybody who is not in the Truevine domain or who does not
>>>>>>>> have a uidNumber/gidNumber attribute set. Is this correct? This
>>>>>>>> is where all of my users and groups are getting IDs from.
>>>>>>>>
>>>>>>>> Now, the line "idmap config TRUEVINE:range = 10001-40000" is
>>>>>>>> the range of uidNumber/gidNumber attributes to search. This is
>>>>>>>> the range set aside for domain users and groups, so I assume if
>>>>>>>> I set this to something over 100k, it would never find
>>>>>>>> anything. However, it is not finding the uidNumber/gidNumber
>>>>>>>> attributes in this range (which is everybody) for some reason,
>>>>>>>> and the users wind up with 70001 and above for their IDs. So
>>>>>>>> what am I doing wrong?
>>>>>>>>
>>>>>>>> On 08/08/2014 09:14 AM, Ryan Ashley wrote:
>>>>>>>>> I am still stuck here. Both member servers are ignoring the
>>>>>>>>> gidNumber and uidNumber attributes and are assigning their own
>>>>>>>>> numbers and I cannot figure out why. Leaving the domain,
>>>>>>>>> uninstalling S4, building the latest, and reinstalling does
>>>>>>>>> not fix the issue.
>>>>>>>>>
>>>>>>>>> On 08/07/2014 02:28 PM, Ryan Ashley wrote:
>>>>>>>>>> Alright, I also checked and I was right, I set "uidNumber"
>>>>>>>>>> and "gidNumber". Pictures are attached. So with these set,
>>>>>>>>>> why are they not pulling across to my member servers?
>>>>>>>>>>
>>>>>>>>>> I do have screenshots showing the correct attributes set in
>>>>>>>>>> ADUC, but they're not pulling across to my member servers.
>>>>>>>>>>
>>>>>>>>>> On 08/07/2014 11:22 AM, Ryan Ashley wrote:
>>>>>>>>>>> I figured it out, but it won't let me import it.
>>>>>>>>>>>
>>>>>>>>>>> root@dc01:~# ldbmodify -H /var/lib/samba/private/sam.ldb
>>>>>>>>>>> /root/ypServ30.ldif --option="dsdb:schema update allowed"=true
>>>>>>>>>>> ERR: (Entry already exists) "Entry
>>>>>>>>>>> CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan
>>>>>>>>>>> already exists" on DN
>>>>>>>>>>> CN=ypServ30,CN=RpcServices,CN=System,dc=truevine,dc=lan at
>>>>>>>>>>> block before line 5
>>>>>>>>>>> Modify failed after processing 0 records
>>>>>>>>>>> root@dc01:~#
>>>>>>>>>>>
>>>>>>>>>>> So this means it is already there, right? If so, what must I
>>>>>>>>>>> do here? I am going to check, but I do not remember seeing
>>>>>>>>>>> an attribute called "gidNumber", only "gid".
>>>>>>>>>>>
>>>>>>>>>>> On 08/07/2014 10:24 AM, Ryan Ashley wrote:
>>>>>>>>>>>> Alright, new problem. That ypServ30.ldif file is asking for
>>>>>>>>>>>> all kinds of information I do not know or know how to get.
>>>>>>>>>>>> I am ASSUMING the "domain dn" it is asking for is
>>>>>>>>>>>> "dc=truevine,dc=lan". However, it also needs to know a
>>>>>>>>>>>> NISDOMAIN variable and that I do not have a clue about. Is
>>>>>>>>>>>> there a guide dedicated just to editing this file? I don't
>>>>>>>>>>>> have a NIS domain to my knowledge. I just want to import
>>>>>>>>>>>> the file so I can set my attributes. This is kind of
>>>>>>>>>>>> complicated just to add a few (four?) attributes to my schema.
>>>>>>>>>>>>
>>>>>>>>>>>> So, what do I set all these things in the LDIF file to? Is
>>>>>>>>>>>> there a way I can look them up?
>>>>>>>>>>>>
>>>>>>>>>>>> On 08/07/2014 09:42 AM, Ryan Ashley wrote:
>>>>>>>>>>>>> Thanks, Rowland. I just got in this morning and think it
>>>>>>>>>>>>> finally all fell into place. You mentioned an LDIF file in
>>>>>>>>>>>>> a prior email. I assume that if I import that LDIF file,
>>>>>>>>>>>>> it creates the attributes I need. After that, I should be
>>>>>>>>>>>>> able to set them as you stated. Is this correct?
>>>>>>>>>>>>>
>>>>>>>>>>>>> My current plan is to re-read your emails and find the
>>>>>>>>>>>>> file you mentioned. If it does indeed add those
>>>>>>>>>>>>> attributes, I will import it and try setting them as you
>>>>>>>>>>>>> stated. If it works, I will report success and summarize
>>>>>>>>>>>>> what this entire thread was about for others to learn from
>>>>>>>>>>>>> without reading it all.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 08/07/2014 05:16 AM, Rowland Penny wrote:
>>>>>>>>>>>>>> On 06/08/14 22:24, Ryan Ashley wrote:
>>>>>>>>>>>>>>> I have tried your suggestions, and some I had found
>>>>>>>>>>>>>>> prior to falling back on the mailing list so I already
>>>>>>>>>>>>>>> knew some would not work. I was not asked for a response
>>>>>>>>>>>>>>> after being pointed to the material so I did not provide
>>>>>>>>>>>>>>> one.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Yes, I am very busy as I work as the lead IT and IS
>>>>>>>>>>>>>>> specialist in a small business. I cannot devote weeks to
>>>>>>>>>>>>>>> a single problem as I handle dozens a day, many resolved
>>>>>>>>>>>>>>> within 24 hours. This issue has been ongoing due to the
>>>>>>>>>>>>>>> fact that I have already tried a ton of what is out
>>>>>>>>>>>>>>> there, and as for your "Google search", dozens of those
>>>>>>>>>>>>>>> are the same posts regurgitated on numerous sites. I
>>>>>>>>>>>>>>> went through an entire page a week or so back and every
>>>>>>>>>>>>>>> single link on the page was to the exact same post, on
>>>>>>>>>>>>>>> numerous sites that have board-readers that simply read
>>>>>>>>>>>>>>> the samba lists among others and duplicate the posts.
>>>>>>>>>>>>>>> Useless! I'd say out of 1.9mil results, about 500k are
>>>>>>>>>>>>>>> unique. I am getting to where I dislike Google for this
>>>>>>>>>>>>>>> reason, but that is another discussion.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I am also happy to hear that you can afford to blow
>>>>>>>>>>>>>>> thousands on a simple DVD. Low-income businesses,
>>>>>>>>>>>>>>> churches, and what-not cannot. Yes, we know of
>>>>>>>>>>>>>>> open-licensing and manage it for several clients, but
>>>>>>>>>>>>>>> many people are not willing to spend anything right now
>>>>>>>>>>>>>>> if there is a viable alternative. Seeing that S4 has
>>>>>>>>>>>>>>> worked flawlessly for two years at a few locations, this
>>>>>>>>>>>>>>> fit the client's needs and we installed it. Something is
>>>>>>>>>>>>>>> just different this time. I am learning a lot and intend
>>>>>>>>>>>>>>> to apply things like the group and user ID's to other
>>>>>>>>>>>>>>> domains once we have it working here to avoid future
>>>>>>>>>>>>>>> problems.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Also, Windows has MUCH higher resource requirements than
>>>>>>>>>>>>>>> Linux. On top of that $3k, how much would we have to pay
>>>>>>>>>>>>>>> to bring up the hardware? Too expensive for such little
>>>>>>>>>>>>>>> gain.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Finally, if you have taken some personal offense to
>>>>>>>>>>>>>>> something, speak up. You offered assistance, I took what
>>>>>>>>>>>>>>> I had not already tried and tried it. You did not ask
>>>>>>>>>>>>>>> for results, so I assumed the fact that I was still
>>>>>>>>>>>>>>> asking for help would have been a clue that the
>>>>>>>>>>>>>>> suggestion was no good. Every time anybody asked for
>>>>>>>>>>>>>>> anything, including configuration files, I posted them,
>>>>>>>>>>>>>>> so there's no need to be bitter. Simply point out that I
>>>>>>>>>>>>>>> may have missed something and I'll try it or let you
>>>>>>>>>>>>>>> know I already did.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 8/6/2014 3:57 PM, steve wrote:
>>>>>>>>>>>>>>>> On Wed, 2014-08-06 at 13:50 -0400, Ryan Ashley wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> What information have I not answered fully?
>>>>>>>>>>>>>>>> Most of the suggestions and tips we have given. As an example, you
>>>>>>>>>>>>>>>> said that you wanted to add IDs to your users. You were sent a link
>>>>>>>>>>>>>>>> to help you look up what you said you 'had no idea how'. You ignored
>>>>>>>>>>>>>>>> that, so we sent you concrete examples to try. Still nothing.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> You are a 'VERY BUSY person', are you? Well, I can only urge everyone
>>>>>>>>>>>>>>>> here to jump on your case. I repeat. With a 2012 R2 licence and 90
>>>>>>>>>>>>>>>> days reduced rate licence, you would have been up days ago for this
>>>>>>>>>>>>>>>> side of $3000.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Cheers, and EOT from us,
>>>>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Active Directory works differently from Linux: it uses SIDs and
>>>>>>>>>>>>>> RIDs, while Linux uses UIDs and GIDs. To use AD users as Linux users
>>>>>>>>>>>>>> you somehow have to convert the SIDs and RIDs to UIDs and GIDs. There
>>>>>>>>>>>>>> are several ways to do this by using programs like winbind, nslcd or
>>>>>>>>>>>>>> sssd, but they all boil down to the same two ways: you either create
>>>>>>>>>>>>>> a UID/GID from the RID or you give the user/group a uidNumber/gidNumber.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> That is:
>>>>>>>>>>>>>> A user is given a uidNumber and gidNumber
>>>>>>>>>>>>>> A group is given a gidNumber
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> uidNumber and gidNumber are the attribute names, not uid
>>>>>>>>>>>>>> or gid or anything else.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The only way (at the moment) to ensure that your
>>>>>>>>>>>>>> users/groups get the same ID everywhere in the domain is
>>>>>>>>>>>>>> to use RFC2307 attributes.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> See here for info on RFC2307:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> https://www.ietf.org/rfc/rfc2307.txt
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> How you add these RFC2307 attributes is up to you, the
>>>>>>>>>>>>>> easiest way is to use ADUC, but you say that you do not
>>>>>>>>>>>>>> have the UNIX-Attributes tab on your users and groups, I
>>>>>>>>>>>>>> also had this problem and solved it by searching the
>>>>>>>>>>>>>> internet. I posted a link to one of the pages I used, so
>>>>>>>>>>>>>> I do not propose to go over old ground yet again.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If you cannot get the ADUC tab to work for you, then you
>>>>>>>>>>>>>> can always use ldb-tools to add the attributes, either by
>>>>>>>>>>>>>> using ldbedit and directly modifying the user/group or by
>>>>>>>>>>>>>> creating an ldif and using ldbmodify to add this. A
>>>>>>>>>>>>>> typical ldif for a user called John Doe created on a
>>>>>>>>>>>>>> windows machine would be:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> dn: CN=John Doe,CN=Users,DC=example,DC=com
>>>>>>>>>>>>>> changetype: modify
>>>>>>>>>>>>>> add: uid
>>>>>>>>>>>>>> uid: john
>>>>>>>>>>>>>> -
>>>>>>>>>>>>>> add: msSFU30Name
>>>>>>>>>>>>>> msSFU30Name: john
>>>>>>>>>>>>>> -
>>>>>>>>>>>>>> add: msSFU30NisDomain
>>>>>>>>>>>>>> msSFU30NisDomain: example
>>>>>>>>>>>>>> -
>>>>>>>>>>>>>> add: uidNumber
>>>>>>>>>>>>>> uidNumber: 10000
>>>>>>>>>>>>>> -
>>>>>>>>>>>>>> add: gidNumber
>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>> -
>>>>>>>>>>>>>> add: loginShell
>>>>>>>>>>>>>> loginShell: /bin/bash
>>>>>>>>>>>>>> -
>>>>>>>>>>>>>> add: unixHomeDirectory
>>>>>>>>>>>>>> unixHomeDirectory: /home/john
>>>>>>>>>>>>>> -
>>>>>>>>>>>>>> add: unixUserPassword
>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The above ldif is exactly the way that ADUC does it
>>>>>>>>>>>>>> (ABCD!efgh12345$67890 is the unixUserPassword that ADUC gives every
>>>>>>>>>>>>>> unix user), but you only really need the uidNumber & gidNumber. The
>>>>>>>>>>>>>> uidNumber needs to be a unique number and the gidNumber will be the
>>>>>>>>>>>>>> user's primary Unix group (usually Domain Users), so that number
>>>>>>>>>>>>>> needs to be whatever you gave to your main Unix group, i.e. Domain
>>>>>>>>>>>>>> Users needs to have the gidNumber '10000'.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You would add the above ldif like this:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> root@dc1:~# kinit
>>>>>>>>>>>>>> Password for administrator@EXAMPLE.COM:
>>>>>>>>>>>>>> root@dc1:~# ldbmodify --url=ldap://dc1.example.com --kerberos=yes --krb5-ccache=/tmp/krb5cc_0 /path_to/ldif
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Replacing 'dc1.example.com' with your S4 AD DC FQDN and
>>>>>>>>>>>>>> '/path_to/ldif' with the full path and name of your ldif,
>>>>>>>>>>>>>> and of course you need to run all of this on the S4 AD DC.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The uidNumber and gidNumber ranges can be identical, in
>>>>>>>>>>>>>> fact this is the way that ADUC works, but whatever range
>>>>>>>>>>>>>> you do use must be reflected in smb.conf,
>>>>>>>>>>>>>> i.e. 'idmap config EXAMPLE : range = 10000-999999'.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Just why you renamed the Administrator account, before
>>>>>>>>>>>>>> you got everything working, escapes me, in fact most
>>>>>>>>>>>>>> people probably never bother, so I would suggest that you
>>>>>>>>>>>>>> rename the account back again, at least until you get
>>>>>>>>>>>>>> everything working correctly.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Do not give the Administrator account a uidNumber or
>>>>>>>>>>>>>> gidNumber, create a new user and give this new user the
>>>>>>>>>>>>>> required RFC2307 attributes.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Once you have added the gidNumber to Domain Users and
>>>>>>>>>>>>>> added the ldif to John Doe, running (on a client joined
>>>>>>>>>>>>>> to the domain) 'getent passwd' should show a line for
>>>>>>>>>>>>>> John Doe and 'getent group Domain\ Users' should show the
>>>>>>>>>>>>>> info for Domain Users.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This will be my last post on this thread.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>> I know I said that I wouldn't post on this thread again, but you
>>>>>>> are doing my head in, you have taken a simple task and turned it
>>>>>>> into a farce!!!
>>>>>>>
>>>>>>> I advised you at least once to remove this line:
>>>>>>>
>>>>>>> auth methods = winbind
>>>>>>>
>>>>>>> Here is why (taken from 'man smb.conf')
>>>>>>>
>>>>>>> auth methods (G)
>>>>>>>
>>>>>>> This option allows the administrator to choose what authentication
>>>>>>> methods smbd will use when authenticating a user. This option defaults
>>>>>>> to sensible values based on security. This should be considered a
>>>>>>> developer option and used only in rare circumstances. In the majority
>>>>>>> (if not all) of production servers, the default setting should be
>>>>>>> adequate.
>>>>>>>
>>>>>>> Default: auth methods =
>>>>>>>
>>>>>>> This is also from 'man smb.conf' (abridged):
>>>>>>>
>>>>>>> idmap config:OPTION (G)
>>>>>>>
>>>>>>> ID mapping in Samba is the mapping between Windows SIDs and Unix user
>>>>>>> and group IDs. This is performed by Winbindd with a configurable plugin
>>>>>>> interface. Samba's ID mapping is configured by options starting with
>>>>>>> the idmap config prefix. An idmap option consists of the idmap config
>>>>>>> prefix, followed by a domain name or the asterisk character (*), a
>>>>>>> colon, and the name of an idmap setting for the chosen domain.
>>>>>>>
>>>>>>> The following example illustrates how to configure the idmap_ad(8)
>>>>>>> backend for the CORP domain and the idmap_tdb(8) backend for all other
>>>>>>> domains. This configuration assumes that the admin of CORP assigns unix
>>>>>>> ids below 1000000 via the SFU extensions, and winbind is supposed to
>>>>>>> use the next million entries for its own mappings from trusted domains
>>>>>>> and for local groups for example.
>>>>>>>
>>>>>>> idmap config * : backend = tdb
>>>>>>> idmap config * : range = 1000000-1999999
>>>>>>>
>>>>>>> idmap config CORP : backend = ad
>>>>>>> idmap config CORP : range = 1000-999999
>>>>>>>
>>>>>>> YOURS:
>>>>>>>
>>>>>>> idmap config *:backend = tdb
>>>>>>> idmap config *:range = 70001-80000
>>>>>>> idmap config TRUEVINE:backend = ad
>>>>>>> idmap config TRUEVINE:schema_mode = rfc2307
>>>>>>> idmap config TRUEVINE:range = 10001-40000
>>>>>>>
>>>>>>> What the above means is that trusted domains and local groups
>>>>>>> will get mapped to numbers between 70001 and 80000, local groups
>>>>>>> etc. being the Windows builtin ones, not UNIX ones.
>>>>>>>
>>>>>>> Your AD users will ONLY get pulled from AD if the
>>>>>>> uidNumbers/gidNumbers are between 10001 and 40000. ARE THEY ????
>>>>>>>
>>>>>>> Have you actually got any normal users with uidNumbers &
>>>>>>> gidNumbers? The last time I heard, you were trying to use the
>>>>>>> renamed Administrator account as a normal account.
>>>>>>>
>>>>>>> I would suggest that you go and take a running jump into
>>>>>>> Glenville Lake to cool off, then come back and re-read your
>>>>>>> posts again, you might then realise just what a Prat you are
>>>>>>> coming over as.
>>>>>>>
>>>>>>> This is definitely my last post on this thread
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>> Hopefully this is definitely going to be my last post on this thread.
>>>>>
>>>>> My S4 AD DC runs on Debian Wheezy 7.5 with samba 4.1.7 from
>>>>> backports and was provisioned with rfc2307.
>>>>>
>>>>> My laptop runs Linux Mint 17 (aka Ubuntu 14.04) with samba 4.1.6
>>>>>
>>>>> This is smb.conf on the S4 server:
>>>>>
>>>>> [global]
>>>>> workgroup = EXAMPLE
>>>>> realm = example.com
>>>>> netbios name = DC1
>>>>> server role = active directory domain controller
>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>> idmap_ldb:use rfc2307 = yes
>>>>>
>>>>> [netlogon]
>>>>> path = /var/lib/samba/sysvol/example.com/scripts
>>>>> read only = No
>>>>>
>>>>> [sysvol]
>>>>> path = /var/lib/samba/sysvol
>>>>> read only = No
>>>>>
>>>>> NOTE: I use Bind9 instead of the internal DNS server.
>>>>>
>>>>> This is my AD entry:
>>>>>
>>>>> dn: CN=Rowland Penny,CN=Users,DC=example,DC=com
>>>>> objectClass: top
>>>>> objectClass: person
>>>>> objectClass: organizationalPerson
>>>>> objectClass: user
>>>>> cn: Rowland Penny
>>>>> sn: Penny
>>>>> givenName: Rowland
>>>>> instanceType: 4
>>>>> whenCreated: 20140604153749.0Z
>>>>> displayName: Rowland Penny
>>>>> uSNCreated: 3812
>>>>> name: Rowland Penny
>>>>> objectGUID: 79e251c6-70c0-4b8b-8fa7-e10eb1d603ae
>>>>> badPwdCount: 0
>>>>> codePage: 0
>>>>> badPasswordTime: 0
>>>>> lastLogoff: 0
>>>>> lastLogon: 0
>>>>> primaryGroupID: 513
>>>>> objectSid: S-1-5-21-2624802715-3731723941-638006480-1106
>>>>> logonCount: 0
>>>>> sAMAccountName: rowland
>>>>> sAMAccountType: 805306368
>>>>> userPrincipalName: rowland@example.com
>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>>>>> pwdLastSet: 130463698700000000
>>>>> uid: rowland
>>>>> msSFU30Name: rowland
>>>>> msSFU30NisDomain: example
>>>>> uidNumber: 10000
>>>>> gidNumber: 10000
>>>>> loginShell: /bin/bash
>>>>> unixHomeDirectory: /home/rowland
>>>>> unixUserPassword: ABCD!efgh123457890
>>>>> userAccountControl: 66048
>>>>> accountExpires: 0
>>>>> co: United Kingdom
>>>>> countryCode: 826
>>>>> c: GB
>>>>> l: Clitheroe
>>>>> postalCode: BB7 1ND
>>>>> st: Lancashire
>>>>> profilePath: \\dc1\profiles\rowland
>>>>> homeDirectory: \\dc1\rowland
>>>>> homeDrive: G:
>>>>> memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
>>>>> memberOf: CN=administration,CN=Users,DC=example,DC=com
>>>>> description: A Unix User
>>>>> whenChanged: 20140707145726.0Z
>>>>> uSNChanged: 8309
>>>>> distinguishedName: CN=Rowland Penny,CN=Users,DC=example,DC=com
>>>>>
>>>>> This is smb.conf on the laptop
>>>>>
>>>>> [global]
>>>>> workgroup = EXAMPLE
>>>>> security = ADS
>>>>> realm = EXAMPLE.COM
>>>>> #client signing = yes
>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>> kerberos method = secrets and keytab
>>>>> server string = Samba 4 Client %h
>>>>> winbind enum users = yes
>>>>> winbind enum groups = yes
>>>>> winbind use default domain = yes
>>>>> winbind expand groups = 4
>>>>> winbind nss info = rfc2307
>>>>> winbind refresh tickets = Yes
>>>>> winbind offline logon = yes
>>>>> winbind normalize names = Yes
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 2000-9999
>>>>> idmap config EXAMPLE : backend = ad
>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>> printcap name = cups
>>>>> cups options = raw
>>>>> usershare allow guests = yes
>>>>> domain master = no
>>>>> local master = no
>>>>> preferred master = no
>>>>> os level = 20
>>>>> map to guest = bad user
>>>>> username map = /etc/samba/smbmap
>>>>> vfs objects = acl_xattr
>>>>> map acl inherit = Yes
>>>>> store dos attributes = Yes
>>>>>
>>>>> If, on the laptop, I run 'getent passwd rowland' I get this:
>>>>>
>>>>> rowland:*:10000:10000::/home/rowland:/bin/bash
>>>>>
>>>>> If I also run 'getent group Domain\ Users' I get this:
>>>>>
>>>>> domain_users:x:10000:
>>>>>
>>>>> I have also this afternoon set up a new linux computer, just as
>>>>> the laptop, and it just works, so somewhere you are doing something
>>>>> very wrong. It is easy to set up a linux client, well, easy for
>>>>> everybody else except you, it would seem.
>>>>>
>>>>> I repeat that you have something very wrong; you need to check
>>>>> your set-up, both the S4 server and the client, compare everything
>>>>> with mine and try to see just where you are going wrong.
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>
>>
> This is one of the problems with building samba4 yourself: on the
> server you do not need the 'extra' packages, but when it comes to the
> clients, you do. As you are using Debian, have you considered using
> samba from backports? This would give you samba4 version 4.1.9 (at the
> moment).
>
> Rowland
>
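Added example, not part of this thread or of Samba itself: a small Python checker for the idmap configuration the thread argues over. It parses the 'idmap config' lines from smb.conf, flags a missing default block and overlapping ranges, and predicts, following idmap_ad's read-only behaviour, whether each AD account would be mapped from its uidNumber or left unmapped (the "getent returns nothing" symptom). The smb.conf block copies the member server's idmap lines as posted in the thread; the account names and uidNumber values are constructed.

```python
import re

# Added example (not from the thread or from Samba): check the idmap ranges in
# an smb.conf against the RFC2307 uidNumber values stored on AD accounts.

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\*|[^:\s]+)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE)


def parse_idmap_config(smbconf):
    """Collect 'idmap config DOM : option = value' lines into {DOM: {option: value}}.
    Domain names are case-insensitive in smb.conf, so they are upper-cased here."""
    cfg = {}
    for m in filter(None, map(IDMAP_RE.match, smbconf.splitlines())):
        cfg.setdefault(m.group("dom").upper(), {})[m.group("opt").lower()] = m.group("val")
    return cfg


def parse_range(value):
    """'10001-40000' -> (10001, 40000); raises ValueError when malformed."""
    lo, hi = (int(x) for x in value.split("-"))
    if lo > hi:
        raise ValueError("low end exceeds high end: %s" % value)
    return lo, hi


def check_idmap_config(cfg):
    """Problems to fix before joining: no '*' block, missing/bad range, overlaps."""
    problems, ranges = [], {}
    if "*" not in cfg:
        problems.append("no default 'idmap config * : ...' block")
    for dom, opts in cfg.items():
        try:
            ranges[dom] = parse_range(opts.get("range", ""))
        except ValueError:
            problems.append("%s: missing or malformed range" % dom)
    doms = sorted(ranges)
    for i, a in enumerate(doms):              # every configured range must be disjoint
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append("ranges of %s and %s overlap" % (a, b))
    return problems


def classify_user(cfg, domain, account):
    """Predict winbind's mapping for one AD account. idmap_ad only honours a
    uidNumber inside the domain's range; anything else stays unmapped, which is
    the 'getent passwd NAME prints nothing' symptom. Only SIDs from domains with
    no idmap block of their own are handed to the default '*' backend."""
    opts = cfg.get(domain.upper())
    if opts is None:
        return "allocated by default (*) backend"
    if opts.get("backend", "").lower() != "ad":
        return "allocated by %s backend" % opts.get("backend")
    uid = account.get("uidNumber")
    if uid is None:
        return "unmapped (no uidNumber attribute)"
    lo, hi = parse_range(opts["range"])
    if lo <= uid <= hi:
        return "mapped from AD: %d" % uid
    return "unmapped (uidNumber %d outside %d-%d)" % (uid, lo, hi)


# Constructed sample data: the member server's idmap block as posted in the
# thread, plus three made-up accounts (names and numbers are not from the thread).
SMBCONF_MEMBER = """[global]
   workgroup = TRUEVINE
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config TRUEVINE:backend = ad
   idmap config TRUEVINE:schema_mode = rfc2307
   idmap config TRUEVINE:range = 10001-40000
"""
ACCOUNTS = [
    {"sAMAccountName": "alice", "uidNumber": 10042, "gidNumber": 10000},
    {"sAMAccountName": "bob"},                         # never given RFC2307 attributes
    {"sAMAccountName": "carol", "uidNumber": 70005},   # set outside the AD range
]


def report(smbconf=SMBCONF_MEMBER, accounts=ACCOUNTS, domain="TRUEVINE"):
    """Problems found in the config plus the predicted mapping of every account."""
    cfg = parse_idmap_config(smbconf)
    return {"problems": check_idmap_config(cfg),
            "users": {a["sAMAccountName"]: classify_user(cfg, domain, a)
                      for a in accounts}}
```

Running report() on the constructed data shows that an account with no uidNumber, or one outside 10001-40000, is not silently given a number from the 70001-80000 block; it is simply not mapped, so the attributes in AD and the range in smb.conf have to agree.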