[Samba] Problems with Member server in a Samba AD Domain

Rowland penny rpenny at samba.org
Sun Mar 27 17:15:19 UTC 2016


On 27/03/16 17:15, spindles7-2 at yahoo.co.uk wrote:
> I have set up a Samba Active Directory domain controller on a fresh
> install of Debian 8.3 (Jessie) using Samba 4.4.0 and everything works
> fine as far as I can tell. I had users' home folders with the H:
> drive letter connecting to the share on the DC and folder redirection
> for My Documents, Pictures etc.
>
> Then I decided to add a member server (also Debian Jessie) and put the
> users' home folders on that server. So I created a second OU with
> folder redirection of Documents, Pictures etc and mapped the H: drive
> to the users' shared folder on the member server. My problem is that
> whilst the users' folders get created automatically and have the
> correct NTFS permissions (as seen from a Windows 7 machine) the user
> cannot access the folder on the member server - Access Denied.
> Permissions say Full Control for the user. It seems that the newly
> created users are not being recognised by the member server: getent
> passwd returns just the administrator and the user I created with home
> folder on the DC:
>
> # getent passwd
> [...]
> test2:*:10001:10000:Test 2. user:/home/test2:/bin/sh
> administrator:*:10000:10000:Administrator:/home/Administrator:/bin/sh
>
> The other user with home folder on the member server does not show up.
>
> So I moved the first user into the second OU and changed the H: drive
> mapping to be on the member server. That user can now access the
> home folder on the member server. Note though that the My Documents
> folder doesn't appear until the second login.
>
> Here's my smb.conf on the member server:
>
> [global]
>
>         netbios name = debian-m1
>         security = ADS
>         workgroup = MICROLYNX
>         realm = MICROLYNX.LOCAL
>
>         log file = /var/log/samba/%m.log
>         log level = 1
>
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         winbind refresh tickets = yes
>
>         winbind trusted domains only = no
>         winbind use default domain = yes
>         winbind enum users  = yes
>         winbind enum groups = yes
>
>         # idmap config used for your domain.
>         # Click on the following links for more information
>         # on the available winbind idmap backends,
>         # Choose the one that fits your requirements
>         # then add the corresponding configuration.
>
>         # Just adding the following three lines is not enough!!
>         #  - idmap config ad
>
>         # Important: The ranges of the default (*) idmap config
>         # and the domain(s) must not overlap!
>
>         # Default idmap config used for BUILTIN and local accounts/groups
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-9999
>
>         # idmap config for domain MICROLYNX
>         idmap config MICROLYNX:backend = ad
>         idmap config MICROLYNX:schema_mode = rfc2307
>         idmap config MICROLYNX:range = 10000-99999
>
>         # Use settings from AD for login shell and home directory
>         winbind nss info = rfc2307
>         template homedir = /srv/users/%U
>         template shell = /bin/bash
>
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>
> [users]
>         path = /srv/users
>         read only = No
>
> This is the output of getent passwd on the DC (debian-dc1):
> # getent passwd
> [...]
> MICROLYNX\test3:*:3000052:100:Test 3. User:/srv/users/test3:/bin/bash
> MICROLYNX\test4:*:3000053:100:test 4. user:/srv/users/test4:/bin/bash
> MICROLYNX\test1:*:3000049:100:Test 1. User:/srv/users/test1:/bin/bash
> MICROLYNX\test2:*:3000013:100:Test 2. user:/srv/users/test2:/bin/bash
> MICROLYNX\administrator:*:0:100::/srv/users/administrator:/bin/bash
> MICROLYNX\krbtgt:*:3000041:100::/srv/users/krbtgt:/bin/bash
> MICROLYNX\guest:*:3000007:100::/srv/users/guest:/bin/bash
>
> So why are these additional users not being recognised by the member
> server (debian-m1)? Also the template homedir & shell lines in the
> smb.conf seem to be ignored (by debian-m1).
>
> Any help would be appreciated,
>
> spindles7

OK, I think your problems are all probably caused by the same thing: you 
are using the winbind 'ad' backend on the domain member, but *you 
haven't given any of your users 'uidNumber' attributes and you haven't 
given 'Domain Users' a 'gidNumber' attribute*.

There are two ways to fix this: use the 'rid' backend instead, or give 
all your users a 'uidNumber' attribute and 'Domain Users' (at least) a 
'gidNumber' attribute. These attributes need to be inside the range you 
set in smb.conf (in your case, 10000-99999).

If you do have these attributes in AD, have you set up PAM and 
/etc/nsswitch.conf correctly?

Rowland

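Added example, not code from this thread or from the Samba project: a POSIX shell script that audits which AD user entries lack a 'uidNumber', or carry one outside the member server's idmap range (10000-99999 here, as in the smb.conf above), and emits the LDIF that ldbmodify would apply to fix them. The LDIF sample embedded in it is constructed for the example (the DNs and the OU name are assumptions); in real use the input comes from ldbsearch on the DC, as the comment shows, and the built-in krbtgt and Guest accounts are skipped so they never receive a uid.

```shell
#!/bin/sh
# Added example (not code from the thread or from Samba): audit the POSIX
# 'uidNumber' attributes that the winbind 'ad' backend requires, and generate
# the LDIF that assigns missing or out-of-range ones.
#
# In real use the input comes from the DC, e.g.
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#       '(&(objectClass=user)(!(objectClass=computer)))' sAMAccountName uidNumber
# and the output is fed to 'ldbmodify -H /var/lib/samba/private/sam.ldb'.
# Here a constructed LDIF sample is embedded so the script runs offline.

RANGE_LO=10000   # must match 'idmap config MICROLYNX:range' on the member
RANGE_HI=99999

# Constructed sample: the DNs and the OU name are assumptions for the example.
SAMPLE_LDIF='# record 1
dn: CN=test2,CN=Users,DC=microlynx,DC=local
sAMAccountName: test2
uidNumber: 10001

# record 2
dn: CN=test3,OU=MemberUsers,DC=microlynx,DC=local
sAMAccountName: test3

# record 3
dn: CN=test4,OU=MemberUsers,DC=microlynx,DC=local
sAMAccountName: test4
uidNumber: 3000053

# record 4
dn: CN=krbtgt,CN=Users,DC=microlynx,DC=local
sAMAccountName: krbtgt
'

# Shared parser: one LDIF record per paragraph; prints "dn|name|uid" per user,
# skipping records without sAMAccountName and the built-in krbtgt/Guest accounts.
parse_users() {
  awk 'BEGIN { RS = ""; FS = "\n" }
    {
      dn = ""; name = ""; uid = ""
      for (i = 1; i <= NF; i++) {
        if      ($i ~ /^dn: /)             dn   = substr($i, 5)
        else if ($i ~ /^sAMAccountName: /) name = substr($i, 17)
        else if ($i ~ /^uidNumber: /)      uid  = substr($i, 12)
      }
      if (name == "" || tolower(name) ~ /^(krbtgt|guest)$/) next
      print dn "|" name "|" uid
    }'
}

# Report one line per user: OK, MISSING or OUT_OF_RANGE (relative to the
# member server idmap range).
audit_uids() {
  parse_users | awk -F'|' -v lo="$RANGE_LO" -v hi="$RANGE_HI" '
    $3 == ""                     { print "MISSING " $2; next }
    $3 + 0 < lo || $3 + 0 > hi   { print "OUT_OF_RANGE " $2 " " $3; next }
                                 { print "OK " $2 " " $3 }'
}

# Emit ldbmodify LDIF: "add" for missing uidNumbers, "replace" for out-of-range
# ones, allocating from the first free value above the highest in-range uid.
generate_ldif() {
  parse_users | awk -F'|' -v lo="$RANGE_LO" -v hi="$RANGE_HI" '
    BEGIN { next_uid = lo; n = 0 }
    $3 != "" && $3 + 0 >= lo && $3 + 0 <= hi {
      if ($3 + 0 >= next_uid) next_uid = $3 + 1
      next
    }
    { dn[n] = $1; op[n] = ($3 == "") ? "add" : "replace"; n++ }
    END {
      for (i = 0; i < n; i++) {
        if (next_uid > hi) { print "idmap range exhausted" > "/dev/stderr"; exit 1 }
        print "dn: " dn[i]
        print "changetype: modify"
        print op[i] ": uidNumber"
        print "uidNumber: " next_uid
        print ""
        next_uid++
      }
    }'
}

# Demonstration on the constructed sample.
printf '%s' "$SAMPLE_LDIF" | audit_uids
printf '%s' "$SAMPLE_LDIF" | generate_ldif
```

On the sample this reports test2 as OK, test3 as MISSING and test4 as OUT_OF_RANGE, and generates an "add: uidNumber" of 10002 for test3 and a "replace: uidNumber" of 10003 for test4. After applying the LDIF on the DC, run `net cache flush` on the member server before retrying `getent passwd` or `wbinfo -i test3`, since winbind caches the failed lookups. Giving 'Domain Users' a 'gidNumber' is the same `changetype: modify` shape against the group's DN.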