[Samba] Cannot chown file to active directory user/group on member server
Rowland Penny
rowlandpenny241155 at gmail.com
Tue Nov 17 20:54:44 UTC 2015
On 17/11/15 20:46, Jeff Dickens wrote:
> indeed
>
> On Tue, Nov 17, 2015 at 3:37 PM, Rowland Penny
> <rowlandpenny241155 at gmail.com>
> wrote:
>
> On 17/11/15 20:28, Jeff Dickens wrote:
>
>
>
> On Sat, Nov 7, 2015 at 11:19 AM, Rowland Penny
> <rowlandpenny241155 at gmail.com> wrote:
>
> On 07/11/15 16:02, Krutskikh Ivan wrote:
>
> Hi,
>
> I need to change ownership of server files to a user/group defined in
> Active Directory (using rfc2307 and unix attributes). Chown returns no
> error, but 'ls -lia' shows that file ownership is unchanged. What am I
> doing wrong?
>
> archive-test:/archive/video # ls -lia ./test.mp4
> 17121 -rw-r--r-- 1 root root 2413096 ноя 2 19:50 ./test.mp4
> archive-test:/archive/video # wbinfo -u
> administrator
> xviewsion
> videoadm
> viewer1
> krbtgt
> newadm
> guest
> test
> new
> archive-test:/archive/video # wbinfo -g
> allowed rodc password replication group
> enterprise read-only domain controllers
> denied rodc password replication group
> read-only domain controllers
> group policy creator owners
> ras and ias servers
> domain controllers
> enterprise admins
> domain computers
> cert publishers
> dnsupdateproxy
> domain admins
> domain guests
> schema admins
> domain users
> video admins
> dnsadmins
> videotest
> video
> archive-test:/archive/video # chown xviewsion ./test.mp4
> archive-test:/archive/video # ls -lia ./test.mp4
> 17121 -rw-r--r-- 1 root root 2413096 ноя 2 19:50 ./test.mp4
>
>
> I think that something is wrong with uid/gid mapping:
>
> archive-test:/archive/video # getent passwd
> root:x:0:0:root:/root:/bin/bash
> bin:x:1:1:bin:/bin:/bin/bash
> daemon:x:2:2:Daemon:/sbin:/bin/bash
> lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
> mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
> news:x:9:13:News system:/etc/news:/bin/bash
> uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
> games:x:12:100:Games account:/var/games:/bin/bash
> man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
> wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
> ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
> nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
> messagebus:x:499:497:User for D-Bus:/run/dbus:/bin/false
> postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
> rpc:x:498:65534:user for rpcbind:/var/lib/empty:/sbin/nologin
> sshd:x:497:496:SSH daemon:/var/lib/sshd:/bin/false
> statd:x:496:65534:NFS statd daemon:/var/lib/nfs:/sbin/nologin
> polkitd:x:495:495:User for polkitd:/var/lib/polkit:/sbin/nologin
> usrsokrat:x:1000:100::/home/usrsokrat:/bin/bash
> qemu:x:494:493:qemu user:/:/sbin/nologin
> tftp:x:493:492:TFTP account:/srv/tftpboot:/bin/false
> dnsmasq:x:492:65534:dnsmasq:/var/lib/empty:/bin/false
> avahi:x:491:491:User for Avahi:/run/avahi-daemon:/bin/false
> radvd:x:490:2:Router ADVertisement Daemon for:/var/lib/empty:/bin/false
> lxdm:x:489:488:LXDE Display Manager daemon:/var/lib/lxdm:/bin/false
> avahi-autoipd:x:488:487:User for Avahi IPv4LL:/var/lib/avahi-autoipd:/bin/false
> at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
> nscd:x:487:486:User for nscd:/run/nscd:/sbin/nologin
> ntp:x:74:485:NTP daemon:/var/lib/ntp:/bin/false
> mysql:x:60:484:MySQL database admin:/var/lib/mysql:/bin/false
> nginx:x:486:483:user for nginx:/var/lib/nginx:/bin/false
> zabbix:x:485:482:Zabbix Agent Daemon:/var/lib/zabbix:/bin/false
> privoxy:x:484:481:Daemon user for privoxy:/var/lib/privoxy:/bin/false
> vscan:x:65:480:Vscan account:/var/spool/amavis:/bin/false
> lightdm:x:483:478:LightDM daemon:/var/lib/lightdm:/bin/false
> kdm:x:482:477:KDM Display Manager daemon:/var:/bin/false
> drweb:x:100:1000:Dr.Web system account:/var/opt/drweb.com:/bin/false
> asurkov:x:11114:100::/home/asurkov:/bin/bash
> administrator:*:4294967295:4294967295:Administrator:/home/Administrator:/bin/bash
> xviewsion:*:4294967295:4294967295:xviewsion:/home/xviewsion:/bin/sh
> videoadm:*:4294967295:4294967295:videoadm:/home/videoadm:/bin/sh
> viewer1:*:4294967295:4294967295:Viewer1:/home/TSNR/viewer1:/bin/bash
> krbtgt:*:4294967295:4294967295:krbtgt:/home/TSNR/krbtgt:/bin/bash
> newadm:*:4294967295:4294967295:newadm:/home/TSNR/newadm:/bin/bash
> guest:*:4294967295:4294967295:Guest:/home/TSNR/guest:/bin/bash
> test:*:4294967295:4294967295:test:/home/test:/bin/sh
> new:*:4294967295:4294967295:new:/home/new:/bin/sh
>
>
>
> Can you provide a bit more info:
> What distro are you using?
> What version of samba?
> What is your smb.conf?
> Is this on a DC or a Domain Member?
> Are you using sssd?
> Do your users have a uidNumber?
> Does the Domain Users group have a gidNumber?
>
> And most importantly, why does every domain user and group have the
> ID number of 4294967295? Perhaps if you supply the above, we may be
> able to work this out.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
>
> I am having an identical problem. As the OP said (in the subject), this
> is a member server, not on the DC.
>
> I'm using the sernet distribution of samba 4.2 on Ubuntu 14 LTS.
>
> I configured nsswitch.conf on the DC to see if it would work there and
> I see the same behavior:
>
> root at athens:~# ls -l secondfile.txt
> -rw-rw-r-- 1 root users 0 Nov 17 15:15 secondfile.txt
> root at athens:~# chown Administrator:"Domain Users" secondfile.txt
> root at athens:~# ls -l secondfile.txt
> -rw-rw-r-- 1 root users 0 Nov 17 15:15 secondfile.txt
> root at athens:~#
>
> more info:
>
> With getent I get different behavior on the DC and member server:
>
> On the DC:
>
> root at athens:~# getent passwd Administrator
> administrator:*:0:100::/home/IOL/administrator:/bin/false
> root at athens:~# getent group "Domain Users"
> domain users:x:100:
>
> On the member server:
>
> root at florence:/home# getent passwd Administrator
> administrator:*:4294967295:4294967295::/home/IOL/administrator:/bin/false
> root at florence:/home#
> root at florence:/home# getent group "Domain Users"
> domain users:x:4294967295:
>
>
> The smb.conf on the dc:
>
> # Global parameters
> [global]
> workgroup = IOL
> realm = IOL.SEAMANPAPER.COM
> netbios name = ATHENS
> server role = active directory domain controller
> dns forwarder = 75.75.75.75
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/iol.seamanpaper.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> The smb.conf on the member server:
>
>
> [global]
>
> netbios name = FLORENCE
> security = ADS
> workgroup = IOL
> realm = IOL.SEAMANPAPER.COM
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> # idmap config used for your domain.
> # Choose one of the following backends fitting to your
> # requirements and add the corresponding configuration.
> idmap config ad
> # - idmap config rid
> # - idmap config autorid
>
>
> You copied your smb.conf from the samba wiki, didn't you?
> I take it that you didn't notice that 'idmap config ad' and
> 'idmap config rid' are hyperlinks???
>
> You need a bit more in your smb.conf :-)
>
> Rowland
>
>
> [home]
> path=/home/
> read only = No
>
>
> Thanks in advance for any help.
>
>
>
>
>
>
>
>
>
> --
> Jeff Dickens
> IT Manager 978-632-1513
>
No, go here:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
Go to the bottom of the sample smb.conf and click on 'idmap config ad'.
This will take you here:
https://wiki.samba.org/index.php/Idmap_config_ad
This will show this (amongst everything else):

# Important: The ranges of the default (*) idmap config
# and the domain(s) must not overlap!
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# idmap config for domain SAMDOM
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999
# Use settings from AD for login shell and home directory
winbind nss info = rfc2307

There is a bit more required, but I will leave you to find it; it is all
on the wiki.

Rowland
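The 4294967295 shown by getent on the member server is the unsigned form of -1, the value winbind returns when a domain SID has no idmap range to land in, which is exactly what the bare "idmap config ad" line produces. The following checker is an added example, not code from the thread or from Samba: it parses the idmap settings out of smb.conf text, flags a missing default (*) config, overlapping ranges (the wiki's warning), and an rfc2307 uidNumber that lies outside the domain's range; the two embedded configs are constructed from the member server snippet and the wiki excerpt above.

```python
import re
# "idmap config DOMAIN:key = value"; the thread's bare "idmap config ad" does not match
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

# Constructed samples: the thread's member-server snippet and the wiki block quoted above
BROKEN_CONF = "[global]\nsecurity = ADS\nworkgroup = IOL\nidmap config ad\n"
FIXED_CONF = """[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999
winbind nss info = rfc2307
"""

def parse_idmap(smb_conf):
    """Collect idmap settings as {DOMAIN: {key: value}}; comment lines are skipped."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m and not line.lstrip().startswith(("#", ";")):
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return cfg

def parse_range(value):
    lo, hi = value.replace(" ", "").split("-")
    return int(lo), int(hi)

def check_idmap(cfg):
    """Return the problems found; an empty list means the ranges look usable."""
    problems, ranges = [], {}
    if "*" not in cfg:
        problems.append("no default (*) idmap config: domain IDs stay unmapped")
    for domain, keys in cfg.items():
        if "backend" not in keys or "range" not in keys:
            problems.append(f"{domain}: backend and range are both required")
            continue
        ranges[domain] = parse_range(keys["range"])
        if keys["backend"].lower() == "ad" and keys.get("schema_mode", "").lower() != "rfc2307":
            problems.append(f"{domain}: backend ad needs schema_mode = rfc2307")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:  # the wiki's warning: ranges must not overlap
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems

def id_in_domain_range(cfg, domain, id_number):
    """With backend = ad, a uidNumber/gidNumber outside the domain range is never mapped."""
    lo, hi = parse_range(cfg[domain.upper()]["range"])
    return lo <= id_number <= hi
```

Running check_idmap over the member server's own smb.conf reports only the missing default config, because the bare "idmap config ad" line sets nothing at all.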