[Samba] Cannot chown file to active directory user/group on member server

Jeff Dickens jeff at seamanpaper.com
Tue Nov 17 20:28:55 UTC 2015


On Sat, Nov 7, 2015 at 11:19 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 07/11/15 16:02, Krutskikh Ivan wrote:
>
>> Hi,
>>
>> I need to change ownership of server files to a user/group defined in Active
>> Directory (using rfc2307 and unix attributes). Chown returns no error, but
>> 'ls -lia' shows that file ownership is unchanged. What am I doing wrong?
>>
>> archive-test:/archive/video # ls -lia ./test.mp4
>> 17121 -rw-r--r-- 1 root root 2413096 ноя  2 19:50 ./test.mp4
>> archive-test:/archive/video # wbinfo -u
>> administrator
>> xviewsion
>> videoadm
>> viewer1
>> krbtgt
>> newadm
>> guest
>> test
>> new
>> archive-test:/archive/video # wbinfo -g
>> allowed rodc password replication group
>> enterprise read-only domain controllers
>> denied rodc password replication group
>> read-only domain controllers
>> group policy creator owners
>> ras and ias servers
>> domain controllers
>> enterprise admins
>> domain computers
>> cert publishers
>> dnsupdateproxy
>> domain admins
>> domain guests
>> schema admins
>> domain users
>> video admins
>> dnsadmins
>> videotest
>> video
>> archive-test:/archive/video # chown xviewsion ./test.mp4
>> archive-test:/archive/video # ls -lia ./test.mp4
>> 17121 -rw-r--r-- 1 root root 2413096 ноя  2 19:50 ./test.mp4
>>
>>
>> I think that something is wrong with uid/gid mapping:
>>
>> archive-test:/archive/video # getent passwd
>> root:x:0:0:root:/root:/bin/bash
>> bin:x:1:1:bin:/bin:/bin/bash
>> daemon:x:2:2:Daemon:/sbin:/bin/bash
>> lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
>> mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
>> news:x:9:13:News  system:/etc/news:/bin/bash
>> uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
>> games:x:12:100:Games account:/var/games:/bin/bash
>> man:x:13:62:Manual  pages viewer:/var/cache/man:/bin/bash
>> wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
>> ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
>> nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
>> messagebus:x:499:497:User for D-Bus:/run/dbus:/bin/false
>> postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
>> rpc:x:498:65534:user for rpcbind:/var/lib/empty:/sbin/nologin
>> sshd:x:497:496:SSH daemon:/var/lib/sshd:/bin/false
>> statd:x:496:65534:NFS statd daemon:/var/lib/nfs:/sbin/nologin
>> polkitd:x:495:495:User for polkitd:/var/lib/polkit:/sbin/nologin
>> usrsokrat:x:1000:100::/home/usrsokrat:/bin/bash
>> qemu:x:494:493:qemu user:/:/sbin/nologin
>> tftp:x:493:492:TFTP account:/srv/tftpboot:/bin/false
>> dnsmasq:x:492:65534:dnsmasq:/var/lib/empty:/bin/false
>> avahi:x:491:491:User for Avahi:/run/avahi-daemon:/bin/false
>> radvd:x:490:2:Router ADVertisement Daemon for:/var/lib/empty:/bin/false
>> lxdm:x:489:488:LXDE Display Manager daemon:/var/lib/lxdm:/bin/false
>> avahi-autoipd:x:488:487:User for Avahi IPv4LL:/var/lib/avahi-autoipd:/bin/false
>> at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
>> nscd:x:487:486:User for nscd:/run/nscd:/sbin/nologin
>> ntp:x:74:485:NTP daemon:/var/lib/ntp:/bin/false
>> mysql:x:60:484:MySQL database admin:/var/lib/mysql:/bin/false
>> nginx:x:486:483:user for nginx:/var/lib/nginx:/bin/false
>> zabbix:x:485:482:Zabbix Agent Daemon:/var/lib/zabbix:/bin/false
>> privoxy:x:484:481:Daemon user for privoxy:/var/lib/privoxy:/bin/false
>> vscan:x:65:480:Vscan account:/var/spool/amavis:/bin/false
>> lightdm:x:483:478:LightDM daemon:/var/lib/lightdm:/bin/false
>> kdm:x:482:477:KDM Display Manager daemon:/var:/bin/false
>> drweb:x:100:1000:Dr.Web system account:/var/opt/drweb.com:/bin/false
>> asurkov:x:11114:100::/home/asurkov:/bin/bash
>>
>> administrator:*:4294967295:4294967295:Administrator:/home/Administrator:/bin/bash
>> xviewsion:*:4294967295:4294967295:xviewsion:/home/xviewsion:/bin/sh
>> videoadm:*:4294967295:4294967295:videoadm:/home/videoadm:/bin/sh
>> viewer1:*:4294967295:4294967295:Viewer1:/home/TSNR/viewer1:/bin/bash
>> krbtgt:*:4294967295:4294967295:krbtgt:/home/TSNR/krbtgt:/bin/bash
>> newadm:*:4294967295:4294967295:newadm:/home/TSNR/newadm:/bin/bash
>> guest:*:4294967295:4294967295:Guest:/home/TSNR/guest:/bin/bash
>> test:*:4294967295:4294967295:test:/home/test:/bin/sh
>> new:*:4294967295:4294967295:new:/home/new:/bin/sh
>>
>>
>>
> Can you provide a bit more info:
> What distro are you using?
> What version of samba?
> What is your smb.conf?
> Is this on a DC or a Domain Member?
> Are you using sssd?
> Do your users have a uidNumber?
> Does the Domain Users group have a gidNumber?
>
> And most importantly, why does every domain user and group have the ID
> number 4294967295? Perhaps if you supply the above, we may be able to
> work this out.
>
> Rowland
>


I am having an identical problem.  As the OP said (in the subject), this
is a member server, not on the DC.

I'm using the sernet distribution of samba 4.2 on Ubuntu 14 LTS.

I configured nsswitch.conf on the DC to see if it would work there and I
see the same behavior:

root at athens:~# ls -l secondfile.txt
-rw-rw-r-- 1 root users 0 Nov 17 15:15 secondfile.txt
root at athens:~# chown Administrator:"Domain Users" secondfile.txt
root at athens:~# ls -l secondfile.txt
-rw-rw-r-- 1 root users 0 Nov 17 15:15 secondfile.txt
root at athens:~#

More info:

With getent I get different behavior on the DC and member server:

On the DC:

root at athens:~# getent passwd Administrator
administrator:*:0:100::/home/IOL/administrator:/bin/false
root at athens:~# getent group "Domain Users"
domain users:x:100:

On the member server:

root at florence:/home# getent passwd Administrator
administrator:*:4294967295:4294967295::/home/IOL/administrator:/bin/false
root at florence:/home#
root at florence:/home# getent group "Domain Users"
domain users:x:4294967295:


The smb.conf on the dc:

# Global parameters
[global]
        workgroup = IOL
        realm = IOL.SEAMANPAPER.COM
        netbios name = ATHENS
        server role = active directory domain controller
        dns forwarder = 75.75.75.75
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/iol.seamanpaper.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

The smb.conf on the member server:


[global]

       netbios name = FLORENCE
       security = ADS
       workgroup = IOL
       realm = IOL.SEAMANPAPER.COM

       log file = /var/log/samba/%m.log
       log level = 1

       dedicated keytab file = /etc/krb5.keytab
       kerberos method = secrets and keytab
       winbind refresh tickets = yes

       winbind trusted domains only = no
       winbind use default domain = yes
       winbind enum users  = yes
       winbind enum groups = yes

       # idmap config used for your domain.
       # Choose one of the following backends fitting to your
       # requirements and add the corresponding configuration.
       idmap config ad
       #  - idmap config rid
       #  - idmap config autorid

[home]
        path=/home/
        read only = No


Thanks in advance for any help.
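A check for the two symptoms shown in this thread, added here as an example; it is not code from the thread or from Samba. 4294967295 is 2^32-1, i.e. -1 as an unsigned 32-bit integer, which is what winbind hands back when it cannot map a SID to a uid or gid, so chown is silently given an id that does not exist. The script parses an smb.conf the way a reviewer reads it, flags a badly formed line such as the bare `idmap config ad` above (no `=`, so Samba never sees a backend or range for the domain) and reports a missing backend or range for the default `*` domain and for the member's own workgroup. It also picks the -1 sentinel out of `getent` output. The corrected configuration and its ranges are constructed assumptions, not values from the thread; with `backend = ad` the uidNumber/gidNumber values set in AD must fall inside the domain's range or they stay unmapped just the same.

```python
"""Checks for the two symptoms in this thread: an incomplete 'idmap config'
line in smb.conf and the 4294967295 sentinel in getent output.
Added example, not Samba's code; the corrected config and its ranges are
constructed assumptions."""
import re

# winbind returns (uint32)-1 when it cannot map a SID to a uid/gid.
UNMAPPED_ID = 2**32 - 1  # 4294967295

def parse_smb_conf(text):
    """Return ({section: {key: value}}, [(lineno, malformed line)]).
    Keys are lowercased with whitespace removed, so 'idmap config IOL : backend'
    and 'idmap config IOL:backend' are the same parameter, as in Samba."""
    sections, malformed, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line or current is None:
            malformed.append((lineno, line))
            continue
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections, malformed

def check_idmap(text):
    """Return findings about the member's ID-mapping setup; [] means complete."""
    sections, malformed = parse_smb_conf(text)
    g = sections.get("global", {})
    findings = [f"line {n}: badly formed line (no '='): {l!r}" for n, l in malformed]
    workgroup = g.get("workgroup", "")
    # Both the default '*' domain and the member's own domain need a backend
    # and a range; otherwise SID-to-ID lookups fail and chown has nothing to use.
    for dom in ("*", workgroup):
        if not dom:
            findings.append("no 'workgroup' set")
            continue
        prefix = f"idmapconfig{dom.lower()}:"
        if prefix + "backend" not in g:
            findings.append(f"no 'idmap config {dom} : backend'")
        rng = g.get(prefix + "range")
        if rng is None:
            findings.append(f"no 'idmap config {dom} : range'")
        elif not re.match(r"^\d+\s*-\s*\d+$", rng):
            findings.append(f"malformed range for {dom}: {rng!r}")
    return findings

def id_in_domain_range(text, number):
    """True if an RFC2307 uidNumber/gidNumber lies inside the member's own
    domain range; with backend = ad, IDs outside that range stay unmapped."""
    g = parse_smb_conf(text)[0].get("global", {})
    dom = g.get("workgroup", "").lower()
    m = re.match(r"^(\d+)\s*-\s*(\d+)$", g.get(f"idmapconfig{dom}:range", ""))
    return bool(m) and int(m.group(1)) <= number <= int(m.group(2))

def unmapped_ids(getent_output):
    """Names from 'getent passwd' / 'getent group' lines whose uid or gid is
    the -1 sentinel, i.e. accounts winbind could not map."""
    bad = []
    for line in getent_output.splitlines():
        f = line.split(":")
        ids = [int(x) for x in f[2:4] if x.isdigit()]
        if len(f) >= 3 and UNMAPPED_ID in ids:
            bad.append(f[0])
    return bad

# Member-server smb.conf as posted in the thread (trimmed); the bare
# 'idmap config ad' line is the defect.
MEMBER_CONF_AS_POSTED = """\
[global]
       netbios name = FLORENCE
       security = ADS
       workgroup = IOL
       realm = IOL.SEAMANPAPER.COM
       winbind use default domain = yes
       # idmap config used for your domain.
       idmap config ad
       #  - idmap config rid
[home]
        path=/home/
        read only = No
"""

# Constructed corrected version: the ranges are assumptions, not values from
# the thread. The IOL range must contain the uidNumber/gidNumber values in AD.
MEMBER_CONF_FIXED = """\
[global]
       netbios name = FLORENCE
       security = ADS
       workgroup = IOL
       realm = IOL.SEAMANPAPER.COM
       winbind use default domain = yes
       idmap config * : backend = tdb
       idmap config * : range = 3000-7999
       idmap config IOL : backend = ad
       idmap config IOL : schema_mode = rfc2307
       idmap config IOL : range = 10000-99999
       winbind nss info = rfc2307
"""

# getent output from the member server, copied from the thread.
GETENT_MEMBER = """\
administrator:*:4294967295:4294967295::/home/IOL/administrator:/bin/false
domain users:x:4294967295:
"""

if __name__ == "__main__":
    for label, conf in (("as posted", MEMBER_CONF_AS_POSTED), ("corrected", MEMBER_CONF_FIXED)):
        print(f"{label}: {check_idmap(conf) or 'OK'}")
    print("unmapped accounts:", unmapped_ids(GETENT_MEMBER))
```

Run against the posted config it reports the badly formed line plus the missing backend and range for both `*` and `IOL`; against the corrected one it reports nothing. `testparm` will also complain about the bare line, and once the mapping is in place `getent passwd administrator` on the member should show the uidNumber from AD rather than 4294967295.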

