[Samba] Cannot chown file to active directory user/group on member server

Jeff Dickens jeff at seamanpaper.com
Fri Nov 20 21:20:58 UTC 2015


On Wed, Nov 18, 2015 at 6:26 PM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 18/11/15 22:32, Jeff Dickens wrote:
>
>>
>> Ok, so I have it working, sort of. It's kind of screwed up. Here's what
>> I did, and then a couple of followup questions.
>>
>>
>> On the DC I ran wbinfo -i to look at some existing groups:
>>
>> root at athens:/etc/pam.d# wbinfo -i domain\ guests
>> domain guests:*:3000012:3000012::/home/IOL/domain guests:/bin/false
>> root at athens:/etc/pam.d# wbinfo -i domain\ admins
>> domain admins:*:3000008:3000008::/home/IOL/domain admins:/bin/false
>> root at athens:/etc/pam.d# wbinfo -i domain\ users
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user domain users
>>
>
> Never checked using those commands before, but I get virtually the same
> results
>
>
>> On a windows workstation, logged in as the domain administrator, I ran
>> the "Active Directory Users and Computers" app.  Under
>> iol.seamanpaper.com (my domain) / Users I
>> double-clicked on "Domain Users" and then clicked on the "Unix Attributes"
>> tab.  I selected the NIS domain (iol) and picked a gid that looked like it
>> probably wasn't in use.  Then I clicked on OK.
>>
>> Then I went to the user "Test One (test1 at ...)" under Users, double
>> clicked on it and then clicked on 'Unix Attributes".  I picked the NIS
>> domain, assigned a uid, a shell, a home directory and left the Primary group
>> name/GID at "Domain Users".
>>
>> I then went back to the group "Domain Users" and when I clicked on "Unix
>> Attributes" it gave me a box that said "Unwilling to Perform".  Not unable,
>> but unwilling.  We laughed.  But nevertheless I was able to select the Add
>> button, choose the user "Test One" from the list of Available NIS Users and
>> click add and ok.
>>
>
> You don't need to do this.
>
>
>> Now on the member server I can do this:
>> root at florence:/root# wbinfo -i test1
>> test1:*:3100100:3100000:Test One:/home/test1:/bin/bash
>>
>> but not this:
>>
>> root at florence:/root# wbinfo -i domain\ users
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user domain users
>>
>
> Exactly the same for me
>
>
>> I can also do this:
>>
>> root at florence:/root# touch file.txt
>> root at florence:/root# ls -l file.txt
>> -rw-r--r-- 1 root root 0 Nov 18 17:21 file.txt
>> root at florence:/root# chown test1 file.txt
>> root at florence:/root# ls -l file.txt
>> -rw-r--r-- 1 test1 root 0 Nov 18 17:21 file.txt
>> root at florence:/root#
>>
>> which was the point of the exercise.
>>
>>
> Good, this is how it is supposed to work.
>
>
>> This also works:
>>
>> root at florence:/root# getent group domain\ users
>> domain users:x:3100000:
>> root at florence:/root# chgrp domain\ users file.txt
>> root at florence:/root# ls -l file.txt
>> -rw-r--r-- 1 test1 domain users 0 Nov 18 17:21 file.txt
>> root at florence:/root#
>>
>> but... ):  on the DC I see this:
>>
>> root at athens:~# wbinfo -i test1
>> test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
>> root at athens:~# wbinfo -i domain\ users
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user domain users
>> root at athens:~# getent group domain\ users
>> domain users:x:100:
>>
>> while on the member server I see this:
>>
>> root at florence:/root# wbinfo -i test1
>> test1:*:3100100:3100000:Test One:/home/test1:/bin/bash
>> root at florence:/root# wbinfo -i domain\ users
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user domain users
>> root at florence:/root# getent group domain\ users
>> domain users:x:3100000:
>>
>> So my questions are:
>>
>> How did I end up with different IDs for test1 on the DC and member server?
>>
>
Michael Adam suggested I do "net cache flush" and that seemed to resolve
that problem:

DC:

jeff at athens:~$ getent group Domain\ Users
domain users:x:3100000:
jeff at athens:~$ getent passwd test1
test1:*:3100100:3100000:Test One:/home/IOL/test1:/bin/false

Member Server:

jeff at florence:~$ getent group Domain\ Users
domain users:x:3100000:
jeff at florence:~$ getent passwd test1
test1:*:3100100:3100000:Test One:/home/test1:/bin/bash

Well that's one down.


>
> Right, on the DC, Samba uses xidNumbers that are stored in idmap.ldb,
> unless you use uidNumber & gidNumber attributes. If you don't do anything
> and ask for a user's or group's info, you will get a number in the 3000000
> range, but if you add the uidNumber & gidNumber attributes, you will get
> them instead, i.e. I use numbers starting at 10000
>
> root at dc1:~# getent group Domain\ Users
> SAMDOM\domain users:x:10000:
>
> root at dc1:~# getent passwd rowland
> SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
>
> If I run the same two commands on a domain member:
>
> root at member1:~# getent group Domain\ Users
>
> domain_users:x:10000:dns-dc1,dns-dc2,dhcpduser,rowland,cifsuser,administrator,krbtgt
>
> root at member1:~# getent passwd rowland
> rowland:*:10000:10000::/home/rowland:/bin/bash
>
> Virtually the same info.
>
> This still doesn't answer why you are getting different info though.
>
> Have you set up nsswitch correctly and do you have the required
> libnss_winbind links in place?
>
> Are the uid/gidNumbers you added inside the range you set in the domain
> member smb.conf?
>
>
>> How can I list all the IDs already assigned on the member server?
>>
>
> They aren't assigned on the member server, they are assigned in AD. You
> could write a short script to extract the uid/gidnumber attributes using
> ldaptools or ldbtools.
>
>
>> Why was there already a gid assigned for "Domain Admins" and "Domain
>> Guests" but not for "Domain Users"?
>>
>
> They haven't, they have an xidNumber from idmap.ldb
>
>
>
>> What does "Unwilling to Perform" mean?
>>
>
> Basically what it says, it cannot do what you are asking.
>
>
>> Do I need to set up the idmap backend on the DC? Is that even possible?
>>
>
> No, because this is what idmap.ldb and the underlying code is for; it is
> also the subject of an ongoing plea for it to be changed. At the moment the
> DC on the surface seems to work like the winbind 'rid' backend on a domain
> member (it is different, but at first glance it is very similar), i.e.
> a user or group has the ID set automatically and the Unix home directory
> and shell are set from templates; the only real visible difference is that
> on the DC the range is fixed and on a domain member you can set the start
> number.
>
> Now, when you add uidNumbers & gidNumbers, on the DC you stop using the
> xidNumbers from idmap.ldb, but you have to continue using the templates.
> However, on a domain member using the winbind 'ad' backend, you can pull the
> full range of rfc2307 attributes; this includes the unixHomeDirectory &
> loginShell attributes, which allows having different homedir paths & shells
> for users.
>
> Note, xidNumbers are never used on a domain member, you need to use the
> 'ad', 'rid' or one of the other lesser used winbind backends.
>
> Again, any questions, please ask.
>
> Rowland
>
>



-- 
Jeff Dickens
IT Manager 978-632-1513
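A worked version of the "short script" Rowland suggests for listing the IDs actually assigned in AD, added here as an example and not taken from the thread or from Samba itself. It parses the LDIF that ldbsearch (on the DC) or ldapsearch returns for sAMAccountName/uidNumber/gidNumber, prints every assigned ID, and flags uidNumbers used twice and IDs outside the member server's idmap range. The sample LDIF, the accounts test2 and svc, the sam.ldb path and the range 3100000-3199999 are constructed assumptions, not values from the thread.

```shell
#!/bin/sh
# Constructed LDIF in the shape ldbsearch/ldapsearch return for a query such as
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber
# (sam.ldb path varies by build). test2 and svc are invented accounts for the demo.
SAMPLE_LDIF='dn: CN=Test One,CN=Users,DC=iol,DC=seamanpaper,DC=com
sAMAccountName: test1
uidNumber: 3100100
gidNumber: 3100000

dn: CN=Domain Users,CN=Users,DC=iol,DC=seamanpaper,DC=com
sAMAccountName: Domain Users
gidNumber: 3100000

dn: CN=Test Two,CN=Users,DC=iol,DC=seamanpaper,DC=com
sAMAccountName: test2
uidNumber: 3100100

dn: CN=svc,CN=Users,DC=iol,DC=seamanpaper,DC=com
sAMAccountName: svc
uidNumber: 10500
'

# One line per assigned attribute: "<uidNumber|gidNumber> <number> <sAMAccountName>".
list_ids() {
    awk '
        function flush() {
            if (name != "" && uid != "") print "uidNumber " uid " " name
            if (name != "" && gid != "") print "gidNumber " gid " " name
            name = ""; uid = ""; gid = ""
        }
        /^sAMAccountName: / { name = substr($0, 17) }
        /^uidNumber: /      { uid = $2 }
        /^gidNumber: /      { gid = $2 }
        /^$/                { flush() }
        END                 { flush() }'
}

# Flag uidNumbers used twice and any ID outside the LOW-HIGH range the member
# server's "idmap config ... : range" accepts (the ad backend ignores IDs outside it).
check_ids() {
    awk -v low="$1" -v high="$2" '
        { kind = $1; num = $2 + 0; name = $0; sub(/^[^ ]+ [^ ]+ /, "", name) }
        num < low + 0 || num > high + 0 { print "OUT-OF-RANGE " kind " " num " (" name ")" }
        kind == "uidNumber" && (num in owner) { print "DUPLICATE uidNumber " num ": " owner[num] " and " name }
        kind == "uidNumber" { owner[num] = name }'
}

printf '%s' "$SAMPLE_LDIF" | list_ids | check_ids 3100000 3199999
```

On a real DC, replace the embedded sample with the ldbsearch output and pass the range from the member's smb.conf.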