[Samba] Cannot chown file to active directory user/group on member server

Rowland Penny rowlandpenny241155 at gmail.com
Wed Nov 18 23:26:59 UTC 2015


On 18/11/15 22:32, Jeff Dickens wrote:
>
> Ok, so I have it working, sort-of. It's kind of screwed up.  Here's 
> what I did, and then a couple of followup questions.
>
>
> On the DC I ran wbinfo -i to look at some existing groups:
>
> root at athens:/etc/pam.d# wbinfo -i domain\ guests
> domain guests:*:3000012:3000012::/home/IOL/domain guests:/bin/false
> root at athens:/etc/pam.d# wbinfo -i domain\ admins
> domain admins:*:3000008:3000008::/home/IOL/domain admins:/bin/false
> root at athens:/etc/pam.d# wbinfo -i domain\ users
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user domain users

Never checked using those commands before, but I get virtually the same 
results

>
> On a windows workstation, logged in as the domain administrator, I ran 
> the "Active Directory Users and Computers" app.  Under 
> iol.seamanpaper.com <http://iol.seamanpaper.com> (my domain) / Users I 
> double-clicked on "Domain Users" and then clicked on the "Unix 
> Attributes" tab.  I selected the NIS domain (iol) and picked a gid 
> that looked like it probably wasn't in use.  Then I clicked on OK.
>
> Then I went to the user "Test One (test1 at ...)" under Users, double 
> clicked on it and then clicked on "Unix Attributes".  I picked the NIS 
> domain, assigned a uid, a shell, a home directory and left the Primary 
> group name/GID at "Domain Users".
>
> I then went back to the group "Domain Users" and when I clicked on 
> "Unix Attributes" it gave me a box that said "Unwilling to Perform".  
> Not unable, but unwilling.  We laughed.  But nevertheless I was able 
> to select the Add button, choose the user "Test One" from the list of 
> Available NIS Users and click add and ok.

You don't need to do this.

>
> Now on the member server I can do this:
> root at florence:/root# wbinfo -i test1
> test1:*:3100100:3100000:Test One:/home/test1:/bin/bash
>
> but not this:
>
> root at florence:/root# wbinfo -i domain\ users
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user domain users

Exactly the same for me

>
> I can also do this:
>
> root at florence:/root# touch file.txt
> root at florence:/root# ls -l file.txt
> -rw-r--r-- 1 root root 0 Nov 18 17:21 file.txt
> root at florence:/root# chown test1 file.txt
> root at florence:/root# ls -l file.txt
> -rw-r--r-- 1 test1 root 0 Nov 18 17:21 file.txt
> root at florence:/root#
>
> which was the point of the exercise.
>

Good, this is how it is supposed to work.

> This also works:
>
> root at florence:/root# getent group domain\ users
> domain users:x:3100000:
> root at florence:/root# chgrp domain\ users file.txt
> root at florence:/root# ls -l file.txt
> -rw-r--r-- 1 test1 domain users 0 Nov 18 17:21 file.txt
> root at florence:/root#
>
> but... ):  on the DC I see this:
>
> root at athens:~# wbinfo -i test1
> test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
> root at athens:~# wbinfo -i domain\ users
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user domain users
> root at athens:~# getent group domain\ users
> domain users:x:100:
>
> while on the member server I see this:
>
> root at florence:/root# wbinfo -i test1
> test1:*:3100100:3100000:Test One:/home/test1:/bin/bash
> root at florence:/root# wbinfo -i domain\ users
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user domain users
> root at florence:/root# getent group domain\ users
> domain users:x:3100000:
>
> So my questions are:
>
> How did I end up with different IDs for test1 on the DC and member 
> server ?

Right, on the DC, Samba uses xidNumbers that are stored in idmap.ldb, 
unless you use uidNumber & gidNumber attributes. If you don't do 
anything and ask for a user's or group's info, you will get a number in 
the 3000000 range, but if you add the uidNumber & gidNumber attributes, 
you will get them instead, i.e. I use numbers starting at 10000

root at dc1:~# getent group Domain\ Users
SAMDOM\domain users:x:10000:

root at dc1:~# getent passwd rowland
SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash


If I run the same two commands on a domain member:

root at member1:~# getent group Domain\ Users
domain_users:x:10000:dns-dc1,dns-dc2,dhcpduser,rowland,cifsuser,administrator,krbtgt

root at member1:~# getent passwd rowland
rowland:*:10000:10000::/home/rowland:/bin/bash

Virtually the same info.

This still doesn't answer why you are getting different info though.

Have you set up nsswitch correctly and do you have the required 
libnss_winbind links in place ?

Are the uid/gidNumbers, you added, inside the range you set in the 
domain member smb.conf ?

>
> How can I list all the IDs already assigned on the member server?

They aren't assigned on the member server, they are assigned in AD. You 
could write a short script to extract the uid/gidnumber attributes using 
ldaptools or ldbtools.

>
> Why was there already a gid assigned for "Domain Admins" and "Domain 
> Guests" but not for "Domain Users" ?

They haven't, they have an xidNumber from idmap.ldb


>
> What does "Unwilling to Perform" mean?

Basically what it says, it cannot do what you are asking.

>
> Do I need to set up the idmap backend on the DC ?  Is that even possible?

No, because this is what idmap.ldb and the underlying code is for, it is 
also the subject of an ongoing plea for it to be changed. At the moment 
the DC on the surface seems to work like the winbind 'rid' backend on a 
domain member (it is different, but at the first glance it is very 
similar), i.e. a user or group has the ID set automatically and the Unix 
home directory and shell are set from templates, the only real visible 
difference is that on the DC the range is fixed and on a domain member 
you can set the start number.

Now, when you add uidNumbers & gidNumbers, on the DC you stop using the 
xidNumbers from idmap.ldb, but you have to continue using the templates. 
However, on a domain member using the winbind 'ad' backend, you can pull 
the full range of rfc2307 attributes; this includes the 
unixHomeDirectory & loginShell attributes, which allows having different 
homedir paths & shells for users.

Note, xidNumbers are never used on a domain member, you need to use the 
'ad', 'rid' or one of the other lesser used winbind backends.

Again, any questions, please ask.

Rowland

> -- 
> *Jeff Dickens*
>      IT Manager 978-632-1513
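Rowland's two points above, scripting the extraction of the uidNumber/gidNumber attributes from AD and checking that they fall inside the range set in the domain member's smb.conf, as an added example that is not from this thread: it parses the LDIF that ldbsearch or ldapsearch returns for sAMAccountName, uidNumber and gidNumber (a constructed sample is embedded) and compares every id against the member's `idmap config DOMAIN : range`. The sample LDIF, the smb.conf fragment and the domain name IOL with its range are assumptions.

```python
import re

# Constructed LDIF, in the shape ldbsearch/ldapsearch returns for the attributes
# sAMAccountName, uidNumber and gidNumber; all numbers are made up for this example.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=iol,DC=example
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=Test One,CN=Users,DC=iol,DC=example
sAMAccountName: test1
uidNumber: 10001
gidNumber: 10000

dn: CN=Test Three,CN=Users,DC=iol,DC=example
sAMAccountName: test3
uidNumber: 3000019
gidNumber: 10000
"""
# Constructed smb.conf fragment from the domain member (winbind 'ad' backend).
SAMPLE_SMB_CONF = """\
[global]
   idmap config IOL : backend = ad
   idmap config IOL : range = 10000-999999
"""

def parse_ldif(text):
    """One {attribute: value} dict per LDIF entry (single-valued attributes only)."""
    return [dict(l.split(": ", 1) for l in b.splitlines() if ": " in l)
            for b in re.split(r"\n\s*\n", text.strip())]

def idmap_range(smb_conf, domain):
    """Read 'idmap config DOMAIN : range = lo-hi' from smb.conf text as (lo, hi)."""
    pat = r"idmap config %s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)" % re.escape(domain)
    m = re.search(pat, smb_conf, re.I)
    if not m:
        raise ValueError("no idmap range configured for domain " + domain)
    return int(m.group(1)), int(m.group(2))

def audit_ids(ldif_text, smb_conf, domain):
    """Return (sorted ids already assigned in AD, entries the member's winbind cannot map)."""
    lo, hi = idmap_range(smb_conf, domain)
    assigned, out_of_range = set(), []
    for e in parse_ldif(ldif_text):
        for attr in ("uidNumber", "gidNumber"):
            if attr in e:
                n = int(e[attr])
                assigned.add(n)
                if not lo <= n <= hi:  # outside the member's range: no mapping
                    out_of_range.append((e["sAMAccountName"], attr, n))
    return sorted(assigned), out_of_range
```

Run it against the real output of ldbsearch on the DC's sam.ldb (or ldapsearch against AD) and the member's smb.conf to get the full list of assigned ids; test3 in the sample carries a uidNumber in the DC's 3000000 xidNumber range, which the member's 'ad' backend will refuse to map.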