[Samba] Cannot chown file to active directory user/group on member server

Jeff Dickens jeff at seamanpaper.com
Wed Nov 18 22:32:20 UTC 2015


On Wed, Nov 18, 2015 at 6:00 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 18/11/15 10:27, Jeff Dickens wrote:
>
>>
>>
>> On Nov 18, 2015 4:35 AM, "Rowland Penny" <rowlandpenny241155 at gmail.com> wrote:
>> >
>> > On 17/11/15 23:09, Jeff Dickens wrote:
>> >>
>> >> So I am still stuck.  For reference here is the smb.conf on the member
>> server:
>> >>
>> >> root at florence:~# more /etc/samba/smb.conf
>> >> [global]
>> >>
>> >>        netbios name = FLORENCE
>> >>        security = ADS
>> >>        workgroup = IOL
>> >>        realm = IOL.SEAMANPAPER.COM
>>
>> >>
>> >>
>> >>        log file = /var/log/samba/%m.log
>> >>        log level = 1
>> >>
>> >>        dedicated keytab file = /etc/krb5.keytab
>> >>        kerberos method = secrets and keytab
>> >>        winbind refresh tickets = yes
>> >>
>> >>        winbind trusted domains only = no
>> >>        winbind use default domain = yes
>> >>        winbind enum users  = yes
>> >>        winbind enum groups = yes
>> >>
>> >>        # idmap config used for your domain.
>> >>        # Choose one of the following backends fitting to your
>> >>        # requirements and add the corresponding configuration.
>> >>        # idmap config ad
>> >>        #  - idmap config rid
>> >>        #  - idmap config autorid
>> >>         idmap config *:backend = tdb
>> >>         idmap config *:range = 2000-9999
>> >>         idmap config IOL:backend = ad
>> >>         idmap config IOL:schema_mode = rfc2307
>> >>         idmap config IOL:range = 1000000-9999999
>> >>
>> >>         winbind nss info = rfc2307
>> >>
>> >>
>> >> [home]
>> >>         path=/home/
>> >>         read only = No
>> >>
>> >>
>> >> I increased the range because it seems like the DC is using IDs above
>> 1,000,000.  This is on the DC:
>> >
>> >
>> > Ah, I think I see your problem, you think that because a user on the DC
>> gets a uid, it should get one on a domain member without any intervention
>> on your part.
>> >
>> > Did you miss this:
>> >
>> >
>> >    Prerequisites
>> >
>> >  * NIS extensions
>> >    <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory>
>> >    installed in AD and RFC2307 enabled
>> >    <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_RFC2307_is_used_by_your_Domain_Controllers>
>> >    in each DC's smb.conf
>> >  * Users and groups have RFC2307 attributes set in AD
>> >
>> >
>> > on this wiki page:
>> >
>> > https://wiki.samba.org/index.php/Idmap_config_ad
>> >
>> > This means that any users that must be known to a Unix domain member
>> *must* have a unique uidNumber, also Domain Users (at least) *must* have a
>> unique gidNumber. These numbers must be inside the range you set in
>> smb.conf, in your case '1000000-9999999'
>> >
>> > The numbers used on the DC are 'xidNumbers' and are only used on a DC
>> and they could be different on other DCs
>> >
>> > If you do not want to add rfc2307 attributes, you could use the winbind
>> 'rid' backend instead, see the wiki.
>> >
>> > Rowland
>>
>> I did use the --use-rfc2307 option when I originally provisioned the
>> domain.
>>
>>
> All '--use-rfc2307' does, is to make it possible to use rfc2307
> attributes, it does not add any rfc2307 attributes.
> You need to add these attributes to your users & groups, either by using
> the UNIX Attributes tab in ADUC after creating a user, or by creating a
> user/group with samba-tool, where you can add the rfc2307 attributes at the
> same time.
>
>
>> I do want to use that because eventually I will want to have some Linux
>> client machines.
>>
>>
>>
> Then you need to either add uid/gidNumbers and use the winbind 'ad'
> backend, or use the winbind 'rid' backend, all the info is on the wiki, if
> you are struggling to understand the wiki, just say and we will try to make
> it clearer.
>
> Rowland
>
>

Ok, so I have it working, sort of.  It's kind of screwed up.  Here's what
I did, and then a couple of follow-up questions.


On the DC I ran wbinfo -i to look at some existing groups:

root at athens:/etc/pam.d# wbinfo -i domain\ guests
domain guests:*:3000012:3000012::/home/IOL/domain guests:/bin/false
root at athens:/etc/pam.d# wbinfo -i domain\ admins
domain admins:*:3000008:3000008::/home/IOL/domain admins:/bin/false
root at athens:/etc/pam.d# wbinfo -i domain\ users
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users

On a windows workstation, logged in as the domain administrator, I ran the
"Active Directory Users and Computers" app.  Under iol.seamanpaper.com (my
domain) / Users I double-clicked on "Domain Users" and then clicked on the
"Unix Attributes" tab.  I selected the NIS domain (iol) and picked a gid
that looked like it probably wasn't in use.  Then I clicked on OK.

Then I went to the user "Test One (test1 at ...)" under Users, double clicked
on it and then clicked on "Unix Attributes".  I picked the NIS domain,
assigned a uid, a shell, a home directory and left the Primary group
name/GID at "Domain Users".

I then went back to the group "Domain Users" and when I clicked on "Unix
Attributes" it gave me a box that said "Unwilling to Perform".  Not unable,
but unwilling.  We laughed.  But nevertheless I was able to select the Add
button, choose the user "Test One" from the list of Available NIS Users and
click add and ok.

Now on the member server I can do this:
root at florence:/root# wbinfo -i test1
test1:*:3100100:3100000:Test One:/home/test1:/bin/bash

but not this:

root at florence:/root# wbinfo -i domain\ users
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users

I can also do this:

root at florence:/root# touch file.txt
root at florence:/root# ls -l file.txt
-rw-r--r-- 1 root root 0 Nov 18 17:21 file.txt
root at florence:/root# chown test1 file.txt
root at florence:/root# ls -l file.txt
-rw-r--r-- 1 test1 root 0 Nov 18 17:21 file.txt
root at florence:/root#

which was the point of the exercise.

This also works:

root at florence:/root# getent group domain\ users
domain users:x:3100000:
root at florence:/root# chgrp domain\ users file.txt
root at florence:/root# ls -l file.txt
-rw-r--r-- 1 test1 domain users 0 Nov 18 17:21 file.txt
root at florence:/root#

but... ):  on the DC I see this:

root at athens:~# wbinfo -i test1
test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
root at athens:~# wbinfo -i domain\ users
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users
root at athens:~# getent group domain\ users
domain users:x:100:

while on the member server I see this:

root at florence:/root# wbinfo -i test1
test1:*:3100100:3100000:Test One:/home/test1:/bin/bash
root at florence:/root# wbinfo -i domain\ users
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users
root at florence:/root# getent group domain\ users
domain users:x:3100000:

So my questions are:

How did I end up with different IDs for test1 on the DC and member server?

How can I list all the IDs already assigned on the member server?

Why was there already a gid assigned for "Domain Admins" and "Domain
Guests" but not for "Domain Users"?

What does "Unwilling to Perform" mean?

Do I need to set up the idmap backend on the DC?  Is that even possible?

-- 
*     Jeff Dickens*
     IT Manager      978-632-1513
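Rowland's point in the thread is that the uidNumber/gidNumber values of AD users and groups must fall inside the `idmap config DOM:range` set in the member's smb.conf. The checker below is an added example, not code from the thread or from the Samba project: it pulls the idmap blocks out of an smb.conf excerpt and reports, for passwd/group lines in the format `wbinfo -i` and `getent group` print, which configured range (if any) each ID lands in. The smb.conf excerpt and the sample lines are constructed from the values quoted in the post.

```python
import re
# Constructed excerpt of the member server's idmap settings from the thread.
SMB_CONF = """
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config IOL:backend = ad
   idmap config IOL:schema_mode = rfc2307
   idmap config IOL:range = 1000000-9999999
"""
# Constructed passwd/group lines in the `wbinfo -i` / `getent group` format seen in the post.
MEMBER_LINES = ["test1:*:3100100:3100000:Test One:/home/test1:/bin/bash",
                "domain users:x:3100000:"]
DC_LINES = ["test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false",
            "domain users:x:100:"]
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (lo, hi), ...}} from smb.conf text."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = cfg.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in re.split(r"\s*-\s*", val))
            entry["range"] = (lo, hi)
        else:
            entry[key] = val
    return cfg

def classify(idnum, cfg):
    """Name of the idmap block ('*', 'IOL', ...) whose range holds idnum, else None."""
    for dom, entry in cfg.items():
        rng = entry.get("range")
        if rng and rng[0] <= idnum <= rng[1]:
            return dom
    return None

def check_lines(lines, cfg):
    """Map each numeric ID in passwd lines (7 fields: uid, gid) or group lines
    (4 fields: gid) to its idmap block.  Returns [(name, id, block_or_None), ...]."""
    out = []
    for line in lines:
        f = line.split(":")
        ids = [int(f[2]), int(f[3])] if len(f) >= 7 else [int(f[2])]
        out.extend((f[0], n, classify(n, cfg)) for n in ids)
    return out
if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for label, lines in (("member", MEMBER_LINES), ("DC", DC_LINES)):
        for name, n, block in check_lines(lines, cfg):
            print(f"{label}: {name} id {n} -> {block or 'NOT IN ANY CONFIGURED RANGE'}")
```

Run it against the member server's own `wbinfo -i` / `getent group` output with the member's smb.conf; as Rowland notes, the numbers a DC prints are xidNumbers local to that DC and are not governed by the member's ranges, so the DC lines here are included only to show how an ID outside every configured range (the gid 100) is flagged.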