[Samba] Cannot access shared home directories from linux machine

isofx ea4ml3f at gmx.at
Thu Jul 10 14:07:26 MDT 2014


Am 10.07.2014 20:56, schrieb Rowland Penny:
> On 10/07/14 19:50, isofx wrote:
>> Am 10.07.2014 20:24, schrieb Rowland Penny:
>>> On 10/07/14 19:18, isofx wrote:
>>>> Am 10.07.2014 18:14, schrieb Rowland Penny:
>>>>> On 10/07/14 17:01, isofx wrote:
>>>>>>
>>>>>>> Hi, you seem to be using the 'rid' backend on the machine you 
>>>>>>> are trying to connect from:
>>>>>>>
>>>>>>> idmap config * : backend = rid
>>>>>>> idmap config * : range = 10000 - 49999
>>>>>>> idmap uid = 50000 - 100000
>>>>>>> idmap gid = 50000 - 100000
>>>>>>>
>>>>>>> Doing this will ensure that you will definitely get a different 
>>>>>>> id number for the user on the client against the one that they 
>>>>>>> will have on the Samba4 server (incidentally, you are running an 
>>>>>>> AD DC not a NT style PDC). I would suggest that you give your 
>>>>>>> users & groups uid & gidNumbers and set the client to use these.
>>>>>>>
>>>>>>> Once this is setup, you should be able to connect via smbclient 
>>>>>>> etc to the server, once this is working, you can move onto the 
>>>>>>> cifs setup.
>>>>>>>
>>>>>>> Just what OS is the client running? idmap uid & gid were 
>>>>>>> replaced some time ago.
>>>>>>>
>>>>>>> Rowland
>>>>>>
>>>>>> Thanks for the hint - this is my first samba setup and I got the 
>>>>>> idmap configuration from a guide I found online and used it 
>>>>>> without looking into the rid backend.
>>>>>>
>>>>>> I would configure the UID & GIDs via RSAT-Tools - but how can I 
>>>>>> configure the client (terminal server) to use them?
>>>>>>
>>>>>> Both the server and the client are running Debian Wheezy.
>>>>>>
>>>>>> Kind regards,
>>>>>> Rainhard
>>>>>
>>>>> Just what do you mean by terminal server? If you mean a std linux 
>>>>> client then have a look here:
>>>>>
>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>>>
>>>>> But if you mean a 'thin-client' or ltsp client, then sorry but I 
>>>>> haven't a clue.
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>> It's just a debian machine that will be used as terminal server 
>>>> (i.e. thin-clients and other windows/linux clients connect via a 
>>>> remote desktop connection).
>>>>
>>>> I read through the link you provided and configured the following:
>>>>
>>>> [global]
>>>> netbios name = TS01
>>>> server string = TS01
>>>>
>>>> workgroup = DOMAIN
>>>> realm = KARMEL.INTERN
>>>>
>>>> security = ADS
>>>> local master = no
>>>> preferred master = no
>>>> dns proxy = no
>>>>
>>>> encrypt passwords = true
>>>> kerberos method = secrets and keytab
>>>>
>>>> winbind use default domain = yes
>>>> winbind trusted domains only = no
>>>> winbind enum groups = yes
>>>> winbind enum users = yes
>>>> winbind nss info = rfc2307
>>>>
>>>> idmap config DOMAIN:backend = ad
>>>> idmap config DOMAIN:schema_mode = rfc2307
>>>> idmap config DOMAIN:range = 10000 - 15000
>>>>
>>>> Via RSAT Tools, I added the group "demo group" with GID 14000 and a 
>>>> member of the group "demo" with UID 12000.
>>>>
>>>> However, it seems I'm missing some configuration:
>>>>
>>>> root at ts01:/var/lib/samba# wbinfo -u
>>>> administrator
>>>> demo
>>>> test
>>>> krbtgt
>>>> guest
>>>> root at ts01:/var/lib/samba# wbinfo -g
>>>> allowed rodc password replication group
>>>> enterprise read-only domain controllers
>>>> denied rodc password replication group
>>>> read-only domain controllers
>>>> group policy creator owners
>>>> ras and ias servers
>>>> domain controllers
>>>> enterprise admins
>>>> domain computers
>>>> cert publishers
>>>> dnsupdateproxy
>>>> domain admins
>>>> domain guests
>>>> schema admins
>>>> domain users
>>>> demo group
>>>> dnsadmins
>>>> root at ts01:/var/lib/samba# wbinfo -i demo
>>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>> Could not get info for user demo
>>>>
>>>> I ran "net cache flush" to get rid of the mappings from the 
>>>> previous rid configuration. As you can see, the "demo group" and 
>>>> "demo" are available through wbinfo -u and -g, however it fails to 
>>>> get any detailed information with wbinfo -i.
>>>>
>>>> Any ideas what I may be missing? I did not change anything in the 
>>>> DCs configuration.
>>>>
>>>> Kind regards,
>>>> Rainhard
>>>>
>>>>
>>>>
>>> Have you joined the machine to the domain? what is in 
>>> /etc/nsswitch.conf?
>>>
>>> Rowland
>>>
>>
>>
>> Yes, I joined the domain using "samba-tool domain join domain.intern 
>> member". Here's my /etc/nsswitch.conf:
>>
>> passwd:         compat winbind
>> group:          compat winbind
>> shadow:         compat
>>
>> hosts:          files dns mdns4_minimal [NOTFOUND=return] mdns4
>> hosts:          files dns
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
> OK, try this smb.conf:
>
> [global]
> netbios name = TS01
> workgroup = DOMAIN
> security = ADS
> realm = KARMEL.INTERN
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = TS01
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = yes
> winbind normalize names = yes
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config DOMAIN : backend = ad
> idmap config DOMAIN : range = 10000-15000
> idmap config DOMAIN : schema_mode = rfc2307
> domain master = no
> local master = no
> preferred master = no
> dns proxy = no
>
> It is based on one I know to work, stop samba, change smb.conf, rejoin 
> the domain, restart samba and try again. This all depends on you 
> having at least one AD user having a uidNumber and Domain Users having 
> a gidNumber.
>
> Rowland
>

So after experimenting a little with different configurations, I ended 
up with the following smb.conf:

[global]
netbios name = TS01
server string = TS01

workgroup = KARMEL
realm = KARMEL.INTERN

security = ADS
domain master = no
local master = no
preferred master = no
dns proxy = no

encrypt passwords = true

kerberos method = secrets and keytab

winbind use default domain = yes
winbind trusted domains only = no
winbind enum groups = yes
winbind enum users = yes
winbind nss info = rfc2307

idmap config * : backend = tdb
idmap config * : schema_mode = rfc2307
idmap config * : range = 10000 - 15000

idmap config KARMEL : backend = ad
idmap config KARMEL : schema_mode = rfc2307
idmap config KARMEL : range = 15000 - 20000

wbinfo -i is now showing information instead of an error, however it's 
not the UID/GID I configured via RSAT (14000/12000):

root at ts01:/home/adm3f# wbinfo -i demo
demo:*:11117:10513:Demo User:/home/KL/demo:/bin/bash

These UID/GIDs are in the range configured for the * : backend = tdb. 
What I really want are the UID/GIDs configured in AD, right?

Furthermore, how can I use these UID/GIDs to set permissions on shares? 
They won't be available on the DC locally, so I have to configure 
Windows ACLs?

Kind regards,
Rainhard
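Added example, not part of the thread: an offline check of the idmap section from the final smb.conf above. It assumes the ids assigned via RSAT (demo = 12000, demo group = 14000) and tests whether they fall inside the range configured for the KARMEL domain, since idmap_ad only uses an RFC2307 uidNumber/gidNumber that lies within that range.

```shell
#!/bin/sh
# Constructed copy of the idmap lines from the poster's final smb.conf;
# the real file is not read, so this runs anywhere.
SMBCONF='
[global]
idmap config * : backend = tdb
idmap config * : range = 10000 - 15000
idmap config KARMEL : backend = ad
idmap config KARMEL : schema_mode = rfc2307
idmap config KARMEL : range = 15000 - 20000
'

# Print "LOW HIGH" of the idmap range configured for a domain ("*" = default).
idmap_range() {
    printf '%s\n' "$SMBCONF" | awk -v dom="$1" -F'=' '
        tolower($1) ~ /^[[:space:]]*idmap config/ {
            key = $1
            sub(/^[[:space:]]*idmap config[[:space:]]*/, "", key)
            n = split(key, parts, /[[:space:]]*:[[:space:]]*/)
            if (n == 2 && parts[1] == dom && parts[2] ~ /^range/) {
                gsub(/[[:space:]]/, "", $2)
                split($2, r, "-")
                print r[1], r[2]
                exit
            }
        }'
}

# Exit 0 when an AD uidNumber/gidNumber sits inside the domain range, else 1.
in_idmap_range() {
    # $1 = domain name, $2 = uidNumber or gidNumber assigned in AD
    set -- "$1" "$2" $(idmap_range "$1")
    [ -n "$3" ] && [ "$2" -ge "$3" ] && [ "$2" -le "$4" ]
}

# Report each id: a value outside the domain range is not used by the "ad"
# backend, which matches the thread's wbinfo -i output (11117/10513 from the
# "*" tdb range) for ids set to 12000/14000 in AD.
check_ids() {
    for n in "$@"; do
        if in_idmap_range KARMEL "$n"; then
            echo "$n: inside the KARMEL range, winbind can use the AD value"
        else
            echo "$n: outside the KARMEL range, idmap_ad will not use it"
        fi
    done
}

check_ids 12000 14000 16000
```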

