[Samba] Cannot chown file to active directory user/group on member server

Jeff Dickens jeff at seamanpaper.com
Tue Nov 17 23:09:54 UTC 2015


So I am still stuck.  For reference here is the smb.conf on the member
server:

root at florence:~# more /etc/samba/smb.conf
[global]

       netbios name = FLORENCE
       security = ADS
       workgroup = IOL
       realm = IOL.SEAMANPAPER.COM

       log file = /var/log/samba/%m.log
       log level = 1

       dedicated keytab file = /etc/krb5.keytab
       kerberos method = secrets and keytab
       winbind refresh tickets = yes

       winbind trusted domains only = no
       winbind use default domain = yes
       winbind enum users  = yes
       winbind enum groups = yes

       # idmap config used for your domain.
       # Choose one of the following backends fitting to your
       # requirements and add the corresponding configuration.
       # idmap config ad
       #  - idmap config rid
       #  - idmap config autorid
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config IOL:backend = ad
        idmap config IOL:schema_mode = rfc2307
        idmap config IOL:range = 1000000-9999999

        winbind nss info = rfc2307


[home]
        path=/home/
        read only = No


I increased the range because it seems like the DC is using IDs above
1,000,000.  This is on the DC:

root at athens:~# wbinfo -u
administrator
test1
krbtgt
guest
root at athens:~# wbinfo -i administrator
administrator:*:0:100::/home/IOL/administrator:/bin/false
root at athens:~# wbinfo -i test1
test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
root at athens:~#


And on the member server:

root at florence:~# wbinfo -u
administrator
test1
krbtgt
guest
root at florence:~# wbinfo -i administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator
root at florence:~# wbinfo -i test1
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test1
root at florence:~#

Also:

root at florence:~# wbinfo -n test1
S-1-5-21-870066441-3049097475-1009130827-1105 SID_USER (1)
root at florence:~# wbinfo -n administrator
S-1-5-21-870066441-3049097475-1009130827-500 SID_USER (1)

Thought it might have something to do with the fact that the Kerberos user
tools were not installed, but I set them up and there was no change.

root at florence:~# kinit administrator at IOL.SEAMANPAPER.COM
Password for administrator at IOL.SEAMANPAPER.COM:
root at florence:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at IOL.SEAMANPAPER.COM

Valid starting       Expires              Service principal
11/17/2015 17:20:51  11/18/2015 03:20:51  krbtgt/IOL.SEAMANPAPER.COM at IOL.SEAMANPAPER.COM
        renew until 11/18/2015 17:19:59
root at florence:~# wbinfo -i test1
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test1
root at florence:~# !smbc
smbcontrol all reload-config
root at florence:~# wbinfo -i test1
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test1
root at florence:~#

I found a note about a missing link to libnss_winbind.so.2; fixed that, and it made
no difference.

So it can list the users but not get the IDs, so it seems to have some
kind of authentication issue.

I've been all through the wiki and can't find anything else that seems
relevant.


On Tue, Nov 17, 2015 at 3:54 PM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 17/11/15 20:46, Jeff Dickens wrote:
>
>> indeed
>>
>> On Tue, Nov 17, 2015 at 3:37 PM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>>
>>     On 17/11/15 20:28, Jeff Dickens wrote:
>>
>>
>>
>>         On Sat, Nov 7, 2015 at 11:19 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>>
>>             On 07/11/15 16:02, Krutskikh Ivan wrote:
>>
>>                 Hi,
>>
>>                 I need to change ownership of server files to user/group
>>                 defined in active directory (using rfc2307 and unix
>>                 attributes). Chown returns no error, but 'ls -lia' shows
>>                 that file ownership is unchanged. What am I doing wrong?
>>
>>                 archive-test:/archive/video # ls -lia ./test.mp4
>>                 17121 -rw-r--r-- 1 root root 2413096 Nov  2 19:50 ./test.mp4
>>                 archive-test:/archive/video # wbinfo -u
>>                 administrator
>>                 xviewsion
>>                 videoadm
>>                 viewer1
>>                 krbtgt
>>                 newadm
>>                 guest
>>                 test
>>                 new
>>                 archive-test:/archive/video # wbinfo -g
>>                 allowed rodc password replication group
>>                 enterprise read-only domain controllers
>>                 denied rodc password replication group
>>                 read-only domain controllers
>>                 group policy creator owners
>>                 ras and ias servers
>>                 domain controllers
>>                 enterprise admins
>>                 domain computers
>>                 cert publishers
>>                 dnsupdateproxy
>>                 domain admins
>>                 domain guests
>>                 schema admins
>>                 domain users
>>                 video admins
>>                 dnsadmins
>>                 videotest
>>                 video
>>                 archive-test:/archive/video # chown xviewsion ./test.mp4
>>                 archive-test:/archive/video # ls -lia ./test.mp4
>>                 17121 -rw-r--r-- 1 root root 2413096 Nov  2 19:50 ./test.mp4
>>
>>
>>                 I think that something is wrong with uid/gid mapping:
>>
>>                 archive-test:/archive/video # getent passwd
>>                 root:x:0:0:root:/root:/bin/bash
>>                 bin:x:1:1:bin:/bin:/bin/bash
>>                 daemon:x:2:2:Daemon:/sbin:/bin/bash
>>                 lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
>>                 mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
>>                 news:x:9:13:News  system:/etc/news:/bin/bash
>>                 uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
>>                 games:x:12:100:Games account:/var/games:/bin/bash
>>                 man:x:13:62:Manual  pages viewer:/var/cache/man:/bin/bash
>>                 wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
>>                 ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
>>                 nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
>>                 messagebus:x:499:497:User for D-Bus:/run/dbus:/bin/false
>>                 postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
>>                 rpc:x:498:65534:user for rpcbind:/var/lib/empty:/sbin/nologin
>>                 sshd:x:497:496:SSH daemon:/var/lib/sshd:/bin/false
>>                 statd:x:496:65534:NFS statd daemon:/var/lib/nfs:/sbin/nologin
>>                 polkitd:x:495:495:User for polkitd:/var/lib/polkit:/sbin/nologin
>>                 usrsokrat:x:1000:100::/home/usrsokrat:/bin/bash
>>                 qemu:x:494:493:qemu user:/:/sbin/nologin
>>                 tftp:x:493:492:TFTP account:/srv/tftpboot:/bin/false
>>                 dnsmasq:x:492:65534:dnsmasq:/var/lib/empty:/bin/false
>>                 avahi:x:491:491:User for Avahi:/run/avahi-daemon:/bin/false
>>                 radvd:x:490:2:Router ADVertisement Daemon for:/var/lib/empty:/bin/false
>>                 lxdm:x:489:488:LXDE Display Manager daemon:/var/lib/lxdm:/bin/false
>>                 avahi-autoipd:x:488:487:User for Avahi IPv4LL:/var/lib/avahi-autoipd:/bin/false
>>                 at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
>>                 nscd:x:487:486:User for nscd:/run/nscd:/sbin/nologin
>>                 ntp:x:74:485:NTP daemon:/var/lib/ntp:/bin/false
>>                 mysql:x:60:484:MySQL database admin:/var/lib/mysql:/bin/false
>>                 nginx:x:486:483:user for nginx:/var/lib/nginx:/bin/false
>>                 zabbix:x:485:482:Zabbix Agent Daemon:/var/lib/zabbix:/bin/false
>>                 privoxy:x:484:481:Daemon user for privoxy:/var/lib/privoxy:/bin/false
>>                 vscan:x:65:480:Vscan account:/var/spool/amavis:/bin/false
>>                 lightdm:x:483:478:LightDM daemon:/var/lib/lightdm:/bin/false
>>                 kdm:x:482:477:KDM Display Manager daemon:/var:/bin/false
>>                 drweb:x:100:1000:Dr.Web system account:/var/opt/drweb.com:/bin/false
>>                 asurkov:x:11114:100::/home/asurkov:/bin/bash
>>                 administrator:*:4294967295:4294967295:Administrator:/home/Administrator:/bin/bash
>>                 xviewsion:*:4294967295:4294967295:xviewsion:/home/xviewsion:/bin/sh
>>                 videoadm:*:4294967295:4294967295:videoadm:/home/videoadm:/bin/sh
>>                 viewer1:*:4294967295:4294967295:Viewer1:/home/TSNR/viewer1:/bin/bash
>>                 krbtgt:*:4294967295:4294967295:krbtgt:/home/TSNR/krbtgt:/bin/bash
>>                 newadm:*:4294967295:4294967295:newadm:/home/TSNR/newadm:/bin/bash
>>                 guest:*:4294967295:4294967295:Guest:/home/TSNR/guest:/bin/bash
>>                 test:*:4294967295:4294967295:test:/home/test:/bin/sh
>>                 new:*:4294967295:4294967295:new:/home/new:/bin/sh
>>
>>
>>
>>             Can you provide a bit more info,
>>             What distro are you using?
>>             What version of samba?
>>             What is your smb.conf?
>>             Is this on a DC or a Domain Member?
>>             Are you using sssd?
>>             Do your users have a uidNumber?
>>             does the Domain Users group have a gidNumber?
>>
>>             and most importantly why does every domain user and group
>>         have the
>>             ID number of  4294967295? perhaps if you supply the above,
>>         we may
>>             be able to work this out.
>>
>>             Rowland
>>
>>             --
>>             To unsubscribe from this list go to the following URL and read the
>>             instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
>>         I am having an identical problem.  As the OP said (in the
>>         subject), this is a member server, not on the DC.
>>
>>         I'm using the sernet distribution of samba 4.2 on Ubuntu 14 LTS.
>>
>>         I configured nsswitch.conf on the DC to see if it would work
>>         there and I see the same behavior:
>>
>>         root at athens:~# ls -l secondfile.txt
>>         -rw-rw-r-- 1 root users 0 Nov 17 15:15 secondfile.txt
>>         root at athens:~# chown Administrator:"Domain Users" secondfile.txt
>>         root at athens:~# ls -l secondfile.txt
>>         -rw-rw-r-- 1 root users 0 Nov 17 15:15 secondfile.txt
>>         root at athens:~#
>>
>>         more info:
>>
>>         With getent I get different behavior on the DC and member server:
>>
>>         On the DC:
>>
>>         root at athens:~# getent passwd Administrator
>>         administrator:*:0:100::/home/IOL/administrator:/bin/false
>>         root at athens:~# getent group "Domain Users"
>>         domain users:x:100:
>>
>>         On the member server:
>>
>>         root at florence:/home# getent passwd Administrator
>>         administrator:*:4294967295:4294967295::/home/IOL/administrator:/bin/false
>>         root at florence:/home#
>>         root at florence:/home# getent group "Domain Users"
>>         domain users:x:4294967295:
>>
>>
>>         The smb.conf on the dc:
>>
>>         # Global parameters
>>         [global]
>>                 workgroup = IOL
>>                 realm = IOL.SEAMANPAPER.COM
>>                 netbios name = ATHENS
>>                 server role = active directory domain controller
>>                 dns forwarder = 75.75.75.75
>>                 idmap_ldb:use rfc2307 = yes
>>
>>         [netlogon]
>>                 path = /var/lib/samba/sysvol/iol.seamanpaper.com/scripts
>>                 read only = No
>>
>>         [sysvol]
>>                 path = /var/lib/samba/sysvol
>>                 read only = No
>>
>>         The smb.conf on the member server:
>>
>>
>>         [global]
>>
>>                netbios name = FLORENCE
>>                security = ADS
>>                workgroup = IOL
>>                realm = IOL.SEAMANPAPER.COM
>>
>>
>>                log file = /var/log/samba/%m.log
>>                log level = 1
>>
>>                dedicated keytab file = /etc/krb5.keytab
>>                kerberos method = secrets and keytab
>>                winbind refresh tickets = yes
>>
>>                winbind trusted domains only = no
>>                winbind use default domain = yes
>>                winbind enum users  = yes
>>                winbind enum groups = yes
>>
>>                # idmap config used for your domain.
>>                # Choose one of the following backends fitting to your
>>                # requirements and add the corresponding configuration.
>>                idmap config ad
>>                #  - idmap config rid
>>                #  - idmap config autorid
>>
>>
>>     You copied your smb.conf from the samba wiki, didn't you?
>>     I take it that you didn't notice that 'idmap config ad' and 'idmap
>>     config rid' are hyperlinks ???
>>
>>     You need a bit more in your smb.conf :-)
>>
>>     Rowland
>>
>>
>>         [home]
>>                 path=/home/
>>                 read only = No
>>
>>
>>         Thanks in advance for any help.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> --
>> *     Jeff Dickens*
>>      IT Manager      978-632-1513
>>
>>
> No, go here:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Go to the bottom of the sample smb.conf
> Click on 'idmap config ad'
>
> this will take you here:
>
> https://wiki.samba.org/index.php/Idmap_config_ad
>
> This will show this (amongst every thing else)
>
>        # Important: The ranges of the default (*) idmap config
>        # and the domain(s) must not overlap!
>
>        # Default idmap config used for BUILTIN and local accounts/groups
>        idmap config *:backend = tdb
>        idmap config *:range = 2000-9999
>
>        # idmap config for domain SAMDOM
>        idmap config SAMDOM:backend = ad
>        idmap config SAMDOM:schema_mode = rfc2307
>        idmap config SAMDOM:range = 10000-99999
>
>        # Use settings from AD for login shell and home directory
>        winbind nss info = rfc2307
>
>
> There is a bit more required, but I will leave you to find it, it is all
> on the wiki.
>
>
> Rowland
>
>
>



-- 
*     Jeff Dickens*
     IT Manager      978-632-1513
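
Added example, not code from this thread or from Samba: a small Python checker for the two things the reply above points at, the idmap ranges in smb.conf and whether the objects in AD can actually be mapped by the `ad` backend. With `idmap config IOL:backend = ad`, winbind on a member server maps a user or group only if the AD object carries an rfc2307 uidNumber (gidNumber for groups) and that value lies inside the domain's configured range; an object with no such attribute, or a value outside the range, stays unmapped, and NSS reports an unmapped ID as 4294967295, which is -1 cast to an unsigned 32-bit integer (the value every domain account shows in the getent output quoted above). The IDs a Samba DC hands out from its own idmap.ldb (3000000 and up by default, the shape of the 3000019 seen for test1 on the DC) are local to the DC and are not what the member's `ad` backend reads, so widening the member's range to cover them does not by itself produce a mapping. The sample smb.conf follows the wiki's layout for domain IOL with the wiki's 10000-99999 range; the LDIF records and every ID value in them are constructed for this example, with dn lines omitted.

```python
"""Added checker (not Samba code) for the idmap setup discussed in this thread:
validates the idmap ranges and predicts, per AD object, whether idmap_ad can
map it. Unmapped objects show up as 4294967295 (-1 as uint32) in getent."""
import re
from typing import Dict, List, Optional, Tuple

UNMAPPED_ID = 0xFFFFFFFF  # 4294967295: what getent/wbinfo show with no mapping
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$", re.I)

def parse_idmap_config(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """{DOMAIN: {option: value}} for every live 'idmap config' line."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # the wiki's commented-out choices configure nothing
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return cfg

def parse_range(text: str) -> Tuple[int, int]:
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo < 0 or lo > hi:
        raise ValueError(f"bad range {text!r}")
    return lo, hi

def check_ranges(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Missing, malformed or overlapping ranges (the wiki's 'must not overlap')."""
    problems = [] if "*" in cfg else ["no default (*) idmap config: BUILTIN SIDs cannot be mapped"]
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in cfg.items():
        try:
            ranges[dom] = parse_range(opts["range"])
        except (KeyError, ValueError) as e:
            problems.append(f"{dom}: no usable range ({e})")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of {a} {ranges[a]} and {b} {ranges[b]} overlap")
    return problems

def parse_ldif_ids(ldif: str) -> Dict[str, Optional[int]]:
    """sAMAccountName -> uidNumber (gidNumber for groups); None when the attribute is absent."""
    ids: Dict[str, Optional[int]] = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs: Dict[str, List[str]] = {}
        for line in record.splitlines():
            if ":" in line and not line.startswith("#"):
                key, val = line.split(":", 1)
                attrs.setdefault(key.strip().lower(), []).append(val.strip())
        if "samaccountname" not in attrs:
            continue
        want = "gidnumber" if "group" in attrs.get("objectclass", []) else "uidnumber"
        ids[attrs["samaccountname"][0]] = int(attrs[want][0]) if want in attrs else None
    return ids

def classify(cfg: Dict[str, Dict[str, str]], domain: str, name: str, posix_id: Optional[int]) -> str:
    """What idmap_ad will do with one object under the parsed config."""
    opts = cfg.get(domain.upper(), {})
    if opts.get("backend", "").lower() != "ad":
        return f"{name}: backend is {opts.get('backend')!r}, not 'ad'; not checked"
    if posix_id is None:
        return f"{name}: no uidNumber/gidNumber in AD -> unmapped ({UNMAPPED_ID})"
    lo, hi = parse_range(opts["range"])
    if not lo <= posix_id <= hi:
        return f"{name}: {posix_id} is outside {lo}-{hi} -> unmapped ({UNMAPPED_ID})"
    return f"{name}: maps to {posix_id}"

# Constructed sample input: the smb.conf follows the wiki's shape for domain IOL; the
# LDIF records (dn lines omitted) and every ID value in them are invented for this example.
SMB_CONF = """\
[global]
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config IOL:backend = ad
   idmap config IOL:schema_mode = rfc2307
   idmap config IOL:range = 10000-99999
"""
LDIF = """\
objectClass: user
sAMAccountName: test1
uidNumber: 10001

objectClass: user
sAMAccountName: test2

objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

objectClass: user
sAMAccountName: legacy
uidNumber: 3000019
"""

def report(smb_conf: str = SMB_CONF, ldif: str = LDIF, domain: str = "IOL") -> List[str]:
    cfg = parse_idmap_config(smb_conf)
    return check_ranges(cfg) + [classify(cfg, domain, n, i)
                                for n, i in parse_ldif_ids(ldif).items()]

if __name__ == "__main__":
    print("\n".join(report()))
```

To run it against a real domain, replace SMB_CONF with the member server's file and LDIF with the output of ldbsearch or ldapsearch asked for sAMAccountName, uidNumber, gidNumber and objectClass. A line ending in "unmapped (4294967295)" is not fixed on the member server: either give the object a uidNumber/gidNumber inside the domain range in AD, or switch the domain to the rid backend, which derives IDs from the SID and needs no AD attributes.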

