[Samba] Member Server SeDiskOperatorPrivilege

BISI d3r3kshaw at gmail.com
Fri Jan 9 22:58:07 MST 2015


On 15-01-09 09:19 AM, Tim wrote:
> It's definitely a problem with backend ad. I don't know what, but with ad backend I also cannot list rpc rights on the server because it cannot find the user. With rid: no problem.
>
> Bug?

I appear to be about 12 hours behind Tim, except that I am using Debian 
7.7, and (now) following Louis van Belle's script for making a member 
server with the sernet repos (smbd reports Version 
4.1.14-SerNet-Debian-9.wheezy)
The script is at
https://secure.bazuin.nl/scripts/4-setup-sernet-samba4-MEMBER-wheezy.sh

Louis' script hangs up at line 406
> echo {$PASSWORD} | net rpc rights list accounts -UAdministrator
with
Enter Administrator's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

I chose to set up PAMauth in the script, based on the comment
> ##########  pam authentication modifications.
> ## the original files /etc/pam.d/samba and sshd will be backed up to *.original
> ## set to 1 if you want winbindd to work.

Unfortunately for me, Louis is off enjoying himself on a ski hill somewhere.

Any guidance would be greatly appreciated.

BTW - script and sernet packages do not make the links in /lib64 that 
the wiki calls for, but the script does replace the default krb5.conf file.

Also, the DC in this case is a Windows 2008 R2 server running at Server 
2003 forest and domain functional level.


And before he left, he also mentioned assigning UID/GID to users/groups 
in the AD -- what UID and GID numbers would I assign to a windows DC, 
and to which users?  The reference he gave didn't really shed any light 
on the subject for me.

Thanks in advance!

Derek.

>
>
> Am 9. Januar 2015 17:56:59 MEZ, schrieb Rowland Penny <rowlandpenny at googlemail.com>:
>> On 09/01/15 16:48, Tim wrote:
>>> Definitely.
>>>
>>> With backend=ad only two users can be seen by getent passwd. Then
>>> changing backend=rid, all users are resolved by getent passwd
>>>
>>> Am 9. Januar 2015 17:09:19 MEZ, schrieb Rowland Penny
>>> <rowlandpenny at googlemail.com>:
>>>
>>>      On 09/01/15 15:45, Tim wrote:
>>>
>>>          That's what I tried to say. I set the gid/uid attribs in Unix
>>>          tab. Am 9. Januar 2015 16:44:28 MEZ, schrieb Rowland Penny
>>>          <rowlandpenny at googlemail.com>: On 09/01/15 15:40, Tim wrote:
>>>
>>>              When I switch back to backend ad, getent passwd returns
>>>              nothing - getent group only returns by adding a dedicated
>>>              group name. There is at least one user and one group with
>>>              Id set in ad.
>>>
>>>          Yes, but do *any* of your AD users have a uidNumber
>> attribute.
>>>          Rowland
>>>
>>>              Am 9. Januar 2015 16:29:39 MEZ, schrieb Rowland Penny
>>>              <rowlandpenny at googlemail.com>: On 09/01/15 15:19, Tim
>>>              wrote: I switched to rid module of idmapping and now
>>>              winbind offers all groups and I can set
>>>              SeDiskOperatorPrivilege. getent group and getent passwd
>>>              are now working! Am 9. Januar 2015 15:21:32 MEZ, schrieb
>>>              Rowland Penny <rowlandpenny at googlemail.com>: On 09/01/15
>>>              13:47, Tim wrote: Hello all, I have an AD DC based on
>>>              CentOS7 with sernet samba 4.1.14 with rfc2307 and
>> function
>>>              level 2008_R2. This one works so far and I can manage the
>>>              AD from a windows client. Now I setup a member server
>>>              based on CentOS7 with sernet samba 4.1.14 just like the
>>>              wiki advises with the same smb.conf (realm etc is
>>>              configured to my needs. I joined the AD and configured
>>>              nsswitch. wbinfo works so far but getent passwd or getent
>>>              group doesn't list domain objects. getent group
>> testgroup1
>>>              works, but getent passwd testuser1 does not. I created a
>>>              share in smb.conf. Now I want to set the
>>>              SeDiskOperatorPrivilege like the wiki advises. But it
>>>              doesn't work. It says that it can't connect to server
>>>              127.0.0.1. I tried it with net rpc rights grant
>>>              'DOM\Domain Admins' SeDiskOperatorPrivilege
>>>              -U'DOM\administrator' Now I can not access the server
>> from
>>>              windows to set share permissions. What to do? The wiki
>>>              told nothing about kerberos so I did not do anything to
>>>              it. Thanks in advance Hi, you appear to be the second
>>>              person in two days having a similar, if not the same
>>>              problem with the sernet packages. I don't think it is a
>>>              kerberos problem, can you check if you have
>>>              'libnss_winbind.so.2' anywhere. Rowland I take it from
>>>              this, that you do not have any uidNumber or gidNumber
>>>              attributes in AD. Rowland
>>>
>>>
>>>      OK, then were they inside the range set in smb.conf i.e. idmap
>> config
>>>      DOMAIN : range = 10000-999999
>>>
>>>      Rowland
>>>
>>
>> That is strange, if you use the winbind 'ad' backend and have AD users
>> with a uidNumber, then all the users with uidNumbers should be shown by
>>
>> getent passwd, but any users without a uidNumber will not be shown.
>>
>> The 'rid' backend works differently, it allocates id numbers to each
>> and
>> every user.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
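The thread turns on the difference Rowland describes between the winbind 'ad' and 'rid' idmap backends, and on the `idmap config DOMAIN : range = 10000-999999` setting. The following Python model is an added illustration written for this page; it is not Samba code and not from anyone in the thread. The user records are constructed, and the 'rid' arithmetic (Unix ID = RID + low end of the range) follows the idmap_rid(8) manual page. It shows why `getent passwd` under the 'ad' backend lists only users that carry an in-range uidNumber, while the 'rid' backend gives every user an ID, and why the two backends produce different numbers for the same account.

```python
"""Model of winbind 'ad' vs 'rid' idmap behaviour (added example, not Samba code)."""

# Constructed sample of what a member server would read from AD for each
# account: the RID taken from objectSid and the RFC2307 uidNumber attribute
# (None when the attribute was never populated).
SAMPLE_USERS = [
    {"name": "testuser1",  "rid": 1104, "uidNumber": None},   # no uidNumber
    {"name": "testuser2",  "rid": 1105, "uidNumber": 10001},
    {"name": "testuser3",  "rid": 1106, "uidNumber": 10002},
    {"name": "svc-backup", "rid": 1107, "uidNumber": 5000},   # below range
]

# Values from the smb.conf line quoted in the thread:
#   idmap config DOMAIN : range = 10000-999999
RANGE_LOW, RANGE_HIGH = 10000, 999999


def idmap_ad(users, low=RANGE_LOW, high=RANGE_HIGH):
    """'ad' backend: the Unix ID is the uidNumber stored in AD, used as-is.

    Users without the attribute, or whose attribute lies outside the
    configured range, cannot be mapped and therefore do not appear in
    'getent passwd'.
    """
    resolved = {}
    for user in users:
        uid = user["uidNumber"]
        if uid is None or not (low <= uid <= high):
            continue
        resolved[user["name"]] = uid
    return resolved


def idmap_ad_unmapped(users, low=RANGE_LOW, high=RANGE_HIGH):
    """Return {name: reason} for accounts the 'ad' backend cannot resolve,
    which is the list to check when getent passwd looks incomplete."""
    reasons = {}
    for user in users:
        uid = user["uidNumber"]
        if uid is None:
            reasons[user["name"]] = "no uidNumber attribute in AD"
        elif not (low <= uid <= high):
            reasons[user["name"]] = f"uidNumber {uid} outside range {low}-{high}"
    return reasons


def idmap_rid(users, low=RANGE_LOW, high=RANGE_HIGH):
    """'rid' backend: Unix ID = RID + low end of the range (idmap_rid(8)).

    No AD attribute is consulted, so every account gets an ID as long as
    the computed value fits in the range.
    """
    resolved = {}
    for user in users:
        uid = low + user["rid"]
        if low <= uid <= high:
            resolved[user["name"]] = uid
    return resolved


def rid_from_uid(uid, low=RANGE_LOW, high=RANGE_HIGH):
    """Reverse of idmap_rid: recover the RID from a Unix ID, or None if the
    ID does not belong to this range (useful when reading ownership off a
    filesystem that was populated under the 'rid' backend)."""
    if not (low <= uid <= high):
        return None
    return uid - low


def ids_that_change_on_backend_switch(users):
    """Accounts whose Unix ID differs between the two backends.

    Switching from 'ad' to 'rid' (as Tim did) renumbers these users, so
    files they own on the member server would end up with a foreign owner.
    """
    ad_ids = idmap_ad(users)
    rid_ids = idmap_rid(users)
    return {
        name: (ad_ids[name], rid_ids[name])
        for name in ad_ids
        if name in rid_ids and ad_ids[name] != rid_ids[name]
    }


if __name__ == "__main__":
    print("ad  backend:", idmap_ad(SAMPLE_USERS))
    print("unmapped   :", idmap_ad_unmapped(SAMPLE_USERS))
    print("rid backend:", idmap_rid(SAMPLE_USERS))
    print("renumbered :", ids_that_change_on_backend_switch(SAMPLE_USERS))
```

With the constructed sample the 'ad' backend resolves only testuser2 and testuser3 (the two accounts with an in-range uidNumber), which is the "only two users" symptom Tim reported, whereas the 'rid' backend resolves all four at 11104 through 11107. The last function makes the practical caveat visible: an account that already had uidNumber 10001 becomes 11105 under 'rid', so changing backends on a server that already holds data renumbers file ownership.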
