[Samba] Cannot chown file to active directory user/group on member server
Jeff Dickens
jeff at seamanpaper.com
Wed Nov 18 22:32:20 UTC 2015
On Wed, Nov 18, 2015 at 6:00 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> On 18/11/15 10:27, Jeff Dickens wrote:
>
>>
>>
>> On Nov 18, 2015 4:35 AM, "Rowland Penny" <rowlandpenny241155 at gmail.com> wrote:
>> >
>> > On 17/11/15 23:09, Jeff Dickens wrote:
>> >>
>> >> So I am still stuck. For reference here is the smb.conf on the member
>> server:
>> >>
>> >> root at florence:~# more /etc/samba/smb.conf
>> >> [global]
>> >>
>> >> netbios name = FLORENCE
>> >> security = ADS
>> >> workgroup = IOL
>> >> realm = IOL.SEAMANPAPER.COM
>>
>> >>
>> >>
>> >> log file = /var/log/samba/%m.log
>> >> log level = 1
>> >>
>> >> dedicated keytab file = /etc/krb5.keytab
>> >> kerberos method = secrets and keytab
>> >> winbind refresh tickets = yes
>> >>
>> >> winbind trusted domains only = no
>> >> winbind use default domain = yes
>> >> winbind enum users = yes
>> >> winbind enum groups = yes
>> >>
>> >> # idmap config used for your domain.
>> >> # Choose one of the following backends fitting to your
>> >> # requirements and add the corresponding configuration.
>> >> # idmap config ad
>> >> # - idmap config rid
>> >> # - idmap config autorid
>> >> idmap config *:backend = tdb
>> >> idmap config *:range = 2000-9999
>> >> idmap config IOL:backend = ad
>> >> idmap config IOL:schema_mode = rfc2307
>> >> idmap config IOL:range = 1000000-9999999
>> >>
>> >> winbind nss info = rfc2307
>> >>
>> >>
>> >> [home]
>> >> path=/home/
>> >> read only = No
>> >>
>> >>
>> >> I increased the range because it seems like the DC is using IDs above
>> 1,000,000. This is on the DC:
>> >
>> >
>> > Ah, I think I see your problem, you think that because a user on the DC
>> gets a uid, it should get one on a domain member without any intervention
>> on your part.
>> >
>> > Did you miss this:
>> >
>> >
>> > Prerequisites
>> >
>> > * NIS extensions
>> > <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory>
>> > installed in AD and RFC2307 enabled
>> > <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_RFC2307_is_used_by_your_Domain_Controllers>
>> > in each DC's smb.conf
>> > * Users and groups have RFC2307 attributes set in AD
>> >
>> >
>> > on this wiki page:
>> >
>> > https://wiki.samba.org/index.php/Idmap_config_ad
>> >
>> > This means that any users that must be known to a Unix domain member
>> *must* have a unique uidNumber, also Domain Users (at least) *must* have a
>> unique gidNumber. These numbers must be inside the range you set in
>> smb.conf, in your case '1000000-9999999'
>> >
>> > The numbers used on the DC are 'xidNumbers' and are only used on a DC
>> and they could be different on other DCs
>> >
>> > If you do not want to add rfc2307 attributes, you could use the winbind
>> 'rid' backend instead, see the wiki.
>> >
>> > Rowland
>>
>> I did use the --use-rfc2307 option when I originally provisioned the
>> domain.
>>
>>
> All '--use-rfc2307' does, is to make it possible to use rfc2307
> attributes, it does not add any rfc2307 attributes.
> You need to add these attributes to your users & groups, either by using
> the UNIX Attributes tab in ADUC after creating a user, or by creating a
> user/group with samba-tool, where you can add the rfc2307 attributes at the
> same time.
>
>
>> I do want to use that because eventually I will want to have some Linux
>> client machines.
>>
>>
>>
> Then you need to either add uid/gidNumbers and use the winbind 'ad'
> backend, or use the winbind 'rid' backend, all the info is on the wiki, if
> you are struggling to understand the wiki, just say and we will try to make
> it clearer.
>
> Rowland
>
>
>
Ok, so I have it working, sort-of. It's kind of screwed up. Here's what
I did, and then a couple of followup questions.
On the DC I ran wbinfo -i to look at some existing groups:
root at athens:/etc/pam.d# wbinfo -i domain\ guests
domain guests:*:3000012:3000012::/home/IOL/domain guests:/bin/false
root at athens:/etc/pam.d# wbinfo -i domain\ admins
domain admins:*:3000008:3000008::/home/IOL/domain admins:/bin/false
root at athens:/etc/pam.d# wbinfo -i domain\ users
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users
On a windows workstation, logged in as the domain administrator, I ran the
"Active Directory Users and Computers" app. Under iol.seamanpaper.com (my
domain) / Users I double-clicked on "Domain Users" and then clicked on the
"Unix Attributes" tab. I selected the NIS domain (iol) and picked a gid
that looked like it probably wasn't in use. Then I clicked on OK.
Then I went to the user "Test One (test1 at ...)" under Users, double-clicked
on it and then clicked on "Unix Attributes". I picked the NIS domain,
assigned a uid, a shell, a home directory and left the Primary group
name/GID at "Domain Users".
I then went back to the group "Domain Users" and when I clicked on "Unix
Attributes" it gave me a box that said "Unwilling to Perform". Not unable,
but unwilling. We laughed. But nevertheless I was able to select the Add
button, choose the user "Test One" from the list of Available NIS Users and
click add and ok.
Now on the member server I can do this:
root at florence:/root# wbinfo -i test1
test1:*:3100100:3100000:Test One:/home/test1:/bin/bash
but not this:
root at florence:/root# wbinfo -i domain\ users
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users
I can also do this:
root at florence:/root# touch file.txt
root at florence:/root# ls -l file.txt
-rw-r--r-- 1 root root 0 Nov 18 17:21 file.txt
root at florence:/root# chown test1 file.txt
root at florence:/root# ls -l file.txt
-rw-r--r-- 1 test1 root 0 Nov 18 17:21 file.txt
root at florence:/root#
which was the point of the exercise.
This also works:
root at florence:/root# getent group domain\ users
domain users:x:3100000:
root at florence:/root# chgrp domain\ users file.txt
root at florence:/root# ls -l file.txt
-rw-r--r-- 1 test1 domain users 0 Nov 18 17:21 file.txt
root at florence:/root#
but... ): on the DC I see this:
root at athens:~# wbinfo -i test1
test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
root at athens:~# wbinfo -i domain\ users
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users
root at athens:~# getent group domain\ users
domain users:x:100:
while on the member server I see this:
root at florence:/root# wbinfo -i test1
test1:*:3100100:3100000:Test One:/home/test1:/bin/bash
root at florence:/root# wbinfo -i domain\ users
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users
root at florence:/root# getent group domain\ users
domain users:x:3100000:
So my questions are:
How did I end up with different IDs for test1 on the DC and member server?
How can I list all the IDs already assigned on the member server?
Why was there already a gid assigned for "Domain Admins" and "Domain
Guests" but not for "Domain Users"?
What does "Unwilling to Perform" mean?
Do I need to set up the idmap backend on the DC? Is that even possible?
--
* Jeff Dickens*
IT Manager 978-632-1513
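As an added example (not part of this thread, and not Samba's own tooling), a small Python audit that parses the member server's idmap ranges out of smb.conf and checks a constructed list of AD users and groups for the uidNumber/gidNumber values the winbind 'ad' backend needs, flagging the conditions Rowland describes: attribute missing, value outside the configured range, or a user whose primary gidNumber matches no group. The smb.conf excerpt uses the values from the thread; the object list (including svc_backup) is constructed, and a real run would feed it the result of an LDAP query against the DC.

```python
import re

# Constructed excerpt of the member server's idmap settings (values from the thread).
SMB_CONF = """
[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config IOL:backend = ad
idmap config IOL:schema_mode = rfc2307
idmap config IOL:range = 1000000-9999999
"""

# Constructed sample of AD objects; only uidNumber/gidNumber matter to the 'ad'
# backend. An absent attribute is exactly what makes lookups fail on the member.
AD_OBJECTS = [
    {"name": "test1", "kind": "user", "uidNumber": 3100100, "gidNumber": 3100000},
    {"name": "Domain Users", "kind": "group", "gidNumber": 3100000},
    {"name": "Domain Admins", "kind": "group"},                  # no gidNumber set
    {"name": "svc_backup", "kind": "user", "uidNumber": 5000, "gidNumber": 3100000},
]


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config DOM:range = low-high' lines."""
    pat = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)
    ranges = {}
    for line in conf.splitlines():
        m = pat.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def audit_rfc2307(objects, ranges, domain):
    """Classify each object: 'ok', 'missing', 'out-of-range' or 'primary-group-unmapped'."""
    low, high = ranges[domain]
    group_gids = {o["gidNumber"] for o in objects if o["kind"] == "group" and "gidNumber" in o}
    report = {}
    for obj in objects:
        attr = "uidNumber" if obj["kind"] == "user" else "gidNumber"
        value = obj.get(attr)
        if value is None:
            report[obj["name"]] = "missing"
        elif not low <= value <= high:
            report[obj["name"]] = "out-of-range"
        elif obj["kind"] == "user" and obj.get("gidNumber") not in group_gids:
            report[obj["name"]] = "primary-group-unmapped"   # gid points at no known group
        else:
            report[obj["name"]] = "ok"
    return report


if __name__ == "__main__":
    for name, status in audit_rfc2307(AD_OBJECTS, parse_idmap_ranges(SMB_CONF), "IOL").items():
        print(f"{name}: {status}")
```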