[Samba] Member Server SeDiskOperatorPrivilege

Rowland Penny rowlandpenny at googlemail.com
Sat Jan 10 03:08:20 MST 2015

On 10/01/15 05:58, BISI wrote:
> On 15-01-09 09:19 AM, Tim wrote:
>> It's definitely a problem with backend ad. I don't know what, but 
>> with ad backend I also cannot list rpc rights on the server because 
>> it cannot find the user. With rid: no problem.
>> Bug?
> I appear to be about 12 hours behind Tim, except that I am using 
> Debian 7.7, and (now) following Louis van Belle's script for making a 
> member server with the sernet repos (smbd reports Version 
> 4.1.14-SerNet-Debian-9.wheezy)
> The script is at
> https://secure.bazuin.nl/scripts/4-setup-sernet-samba4-MEMBER-wheezy.sh
> Louis' script hangs up at line 406
>> echo {$PASSWORD} | net rpc rights list accounts -UAdministrator
> with
> Enter Administrator's password:
> Could not connect to server
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
> I chose to  set up PAMauth in the script, based on the comment
>> ##########  pam autheristation modifications.
>> ## the original files /etc/pam.d/samba and sshd wil be backuped to 
>> *.original
>> ## set to 1 if you want winbindd to work.
> unfortunately for me, Louis is off enjoying himself on a ski hill 
> somewhere.
> any guidance would be greatly appreciated.
> BTW - script and sernet packages do not make the links in /lib64 that 
> the wiki calls for, but the script does replace the default krb5.conf 
> file.

OK, I normally use the samba packages from backports (4.1.11 at present) 
and also install libpam-winbind & libnss-winbind, you cannot install 
these with the sernet packages because they depend on samba packages 
that do not start with 'sernet'. This is not really a problem because 
the files in the two packages are in 'sernet-samba-libs', there is 
however one file missing. The missing file is 
/usr/share/pam-configs/winbind, this file configures pam for winbind 
authentication by running 'pam-auth-update --package' after installing 
the file, this way you do not need Louis's pam modifications.

The reference to /lib64 on the wiki refers to redhat based distros, the 
links on Debian are in /lib/x86_64-linux-gnu

My big problem now, after installing a member server following Louis's 
script, is that though I can ssh into the server as a domain user, I 
cannot connect to a share via smbclient, I just get 'tree connect 
failed: NT_STATUS_ACCESS_DENIED'. I can connect to the DC from the 
member server and a client and I can connect from the DC to the client, 
I just cannot connect to the member server from anywhere via smbclient.

> also  the DC in this case is a windows 2008 R2 server running at 
> server 2003 forest and domain functional level
> And before he left, he also mentioned assigning UID/GID to 
> users/groups in the AD -- what UID and GID numbers would I assign to a 
> windows DC, and to which users?  The reference he gave didn't really 
> shed any light on the subject for me.

The smb.conf is setup to use rfc2307 attributes:

    idmap config INTERNAL:backend = ad
    idmap config INTERNAL:schema_mode = rfc2307
    idmap config INTERNAL:range = 2000-40000

NOTE: that is a bug in the script, what if you change this line: 

The first two lines say to use the winbind 'ad' backend with rfc2307 
attributes, the next line tells what range to use, ignore any ID number 
below 2000 or above 40000.

You set these two numbers on a user or group basis and use the 
'uidNumber' attribute for users, 'gidNumber' attribute for groups. You 
only need to give the 'uidnumber' to users that you want to connect from 
Unix, you do not have to give all users a 'uidNumber'. It is usual to 
only give the 'Domain Users' group a 'gidNumber' but you can if you so 
wish also give 'Domain Admins' a 'gidNumber'. There is no need to give 
all groups a 'gidNumber', although some people do, but you must give at 
least one group a 'gidNumber' if you want winbind to work.


> Thanks in advance!
> Derek.
>> Am 9. Januar 2015 17:56:59 MEZ, schrieb Rowland Penny 
>> <rowlandpenny at googlemail.com>:
>>> On 09/01/15 16:48, Tim wrote:
>>>> Definitely.
>>>> With backend=ad only two user can be seen by getent passwd. Then
>>>> changing backend=rid, all users are resolved by getent passwd
>>>> Am 9. Januar 2015 17:09:19 MEZ, schrieb Rowland Penny
>>>> <rowlandpenny at googlemail.com>:
>>>>      On 09/01/15 15:45, Tim wrote:
>>>>          That's what I tried to say. I set the gid/uid attribs in Unix
>>>>          tab. Am 9. Januar 2015 16:44:28 MEZ, schrieb Rowland Penny
>>>>          <rowlandpenny at googlemail.com>: On 09/01/15 15:40, Tim wrote:
>>>>              When I switch back to backend ad, getent passwd returns
>>>>              nothing - getent group only returns by adding a dedicated
>>>>              group name. There is at least one user and one group with
>>>>              Id set in ad.
>>>>          Yes, but do *any* of your AD users have a uidNumber
>>> attribute.
>>>>          Rowland
>>>>              Am 9. Januar 2015 16:29:39 MEZ, schrieb Rowland Penny
>>>>              <rowlandpenny at googlemail.com>: On 09/01/15 15:19, Tim
>>>>              wrote: I switched to rid module of idmapping and now
>>>>              winbind offers all groups and I can set
>>>>              SeDiskOperatorPrivilege. getent group and getent passwd
>>>>              are now working! Am 9. Januar 2015 15:21:32 MEZ, schrieb
>>>>              Rowland Penny <rowlandpenny at googlemail.com>: On 09/01/15
>>>>              13:47, Tim wrote: Hello all, I have a AD DC based on
>>>>              CentOS7 with sernet samba 4.1.14 with rfc2307 and
>>> function
>>>>              level 2008_R2. This one works so far and I can manage the
>>>>              AD from a windows client. Now I setup a member server
>>>>              based on CentOS7 with sernet samba 4.1.14 just like the
>>>>              wiki advises with the same smb.conf (realm etc is
>>>>              configured to my needs. I joined the AD and configured
>>>>              nsswitch. wbinfo works so far but getent passwd or getent
>>>>              group doesn't list domain objects. getent group
>>> testgroup1
>>>>              works, but getent passwd testuser1 does not. I created a
>>>>              share in smb.conf. Now I want to set the
>>>>              SeDiskOperatorPrivilege like the wiki advises. But it
>>>>              doesn't work. It says that it can't connect to server
>>>>     <> <>
>>>>              <>. I tried it with net rpc rights grant
>>>>              'DOM\Domain Admins' SeDiskOperatorPrivilege
>>>>              -U'DOM\administrator' Now I can not access the server
>>> from
>>>>              windows to set share permissions. What to do? The wiki
>>>>              told nothing about kerberos so I did not do anything to
>>>>              it. Thanks in advance Hi, you appear to be the second
>>>>              person in two days having a similar, if not the same
>>>>              problem with the sernet packages. I don't think it is a
>>>>              kerberos problem, can you check if you have
>>>>              'libnss_winbind.so <http://winbind.so>
>>> <http://winbind.so>
>>>> <http://winbind.so>.2' anywhere. Rowland I take it from
>>>>              this, that you do not have any uidNumber or gidNumber
>>>>              attributes in AD. Rowland
>>>>      OK, then where they inside the range set in smb.conf i.e. idmap
>>> config
>>>>      DOMAIN : range = 10000-999999
>>>>      Rowland
>>> That is strange, if you use the winbind 'ad' backend and have AD users
>>> with a uidNumber, then all the users with uidNumbers should be shown by
>>> getent passwd, but any users without a uidNumber will not be shown.
>>> The 'rid' backend works differently, it allocates id numbers to each
>>> and
>>> every user.
>>> Rowland
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list