[Samba] Unable to add AD users to local groups

Robert Martel r.martel at csuohio.edu
Wed Nov 23 15:00:28 UTC 2016



On 11/17/2016 04:23 PM, Rowland Penny via samba wrote:
> On Thu, 17 Nov 2016 16:13:50 -0500
> Robert Martel via samba <samba at lists.samba.org> wrote:
>
>>
>> On 11/17/2016 02:42 PM, Rowland Penny via samba wrote:
>>> On Thu, 17 Nov 2016 14:32:16 -0500
>>> Robert Martel via samba <samba at lists.samba.org> wrote:
>>>
>>>> On 11/16/2016 04:34 PM, Rowland Penny via samba wrote:
>>>>> Provided that the group urbanweb exists in /etc/group and your
>>>>> users are shown by getent passwd or id, then you could try the
>>>>> unix tools i.e. usermod -G urbanweb ADDOMAIN\\1001362
>>>>>
>>>>> Rowland
>>>> Greetings,
>>>>
>>>> Thank you for the response.
>>>>
>>>> The matching UNIX group exists.  Been using local groups on Samba
>>>> for years.
>>>>
>>>> # getent passwd "ADDOMAIN\\1001362"
>>>> 1001362:*:2091888:2000513:Robert M
>>>> Martel:/home/1001362:/usr/bin/bash
>>>>
>>>> wbinfo returns useful information
>>>>
>>>> # wbinfo -i 1001362
>>>> 1001362:*:2091888:2000513:Robert M
>>>> Martel:/home/1001362:/usr/bin/bash
>>>>
>>>>
>>>> I can "su" to an AD user without a problem.
>>>>
>>>> I can access shared folders as that user, I just can't add anyone
>>>> to a samba local group.  My test Solaris 10 machine running the same
>>>> version of samba does not exhibit this problem.
>>>>
>>>> usermod said the user did not exist - but I want to add user to
>>>> Samba local group, not the UNIX group in /etc/group.
>>>>
>>>> #  usermod -G urbanweb ADDOMAIN\\1001362
>>>> UX: usermod: ERROR: ADDOMAIN\1001362 is not a local user.
>>>>
>>>> -Bob
>>>>
>>>>
>>> You said 'local' group, a group can be a local group or a Samba
>>> group, it cannot be both.
>>>
>>    A Samba group local to the AD member server - not an Active
>> Directory group.
>> Sorry if I chose the incorrect term.
>>
> no problem, it just confused me and I am still confused ;-)
>
> How can you add a group to Samba on a joined domain member, but not to
> AD ??
>
> It might help if you posted the smb.conf from the domain member.
>
> Rowland
>

There is a UNIX group called "urbanweb"
urbanweb::104:

I create a group for samba's usage on the member server called urbanweb 
as well.

net groupmap add rid=1209 ntgroup="urbanweb" unixgroup=urbanweb type=l


Then I add the AD users I want in that group

net sam addmem urbanweb ADDOMAIN\\1001362
Adding domain group member failed with NT_STATUS_NO_SUCH_USER


The addmem step is what is failing, saying the user does not exist.



This is happening on the machines running Samba 4.4.7 and Solaris 9.  
Worked fine with Samba 3.6 series.  Samba 4.4.7 on Solaris 10 does not 
show this issue.


Saw this in the log log.wb-ADDOMAN this morning:
[2016/11/23 02:22:45.241517,  1] 
../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
   Reducing LDAP page size from 500 to 250 due to IO_TIMEOUT


[2016/11/23 09:37:53.389714,  1] 
../source3/winbindd/winbindd_pam.c:1439(winbind_samlogon_retry_loop)
   winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED. Maybe 
the DC has Restrict NTLM set or the trust account password was changed 
and we didn't know it. Killing connections to domain ADDOMAIN


[2016/11/23 09:37:56.758381,  1] 
../source3/rpc_client/cli_pipe.c:421(cli_pipe_validate_current_pdu)
   ../source3/rpc_client/cli_pipe.c:421: Bind NACK received from host 
ADDOMAIN-MAIN-III.csunet.csuohio.edu!


[2016/11/23 09:37:56.768962,  1] 
../source3/rpc_client/cli_pipe.c:3316(cli_rpc_pipe_open_schannel_with_creds)
   cli_rpc_pipe_open_schannel_with_creds: rpc_pipe_bind failed with 
error NT_STATUS_NETWORK_ACCESS_DENIED



The AD user CAN access Samba shares, I can su to an AD user, I can ssh 
into the host as an AD user so authentication is working for nearly 
everything else.


-- 
***********************************************************************
Robert M. Martel                 I met someone who looks a lot like you
System Administrator             She does the things you do
Levin College of Urban Affairs   But she is an IBM
Cleveland State University                           -Jeff Lynne
(216) 687-2214
r.martel at csuohio.edu
***********************************************************************

-------------- next part --------------
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash) 
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]

netbios name = hopper
security = ADS
workgroup = ADDOMAIN
realm = ADDOMAIN.csuohio.edu

# server string is the equivalent of the NT Description field
   server string = %h Samba %v external web host server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
hosts allow =  127. 137.148.92. 137.148.93. 

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/smblog.%m
   log level = 1
# Put a capping on the size of the log files (in Kb).
   max log size = 1500000

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes
winbind refresh tickets = yes

# idmap config used for your domain. taken right from Samba wiki page
idmap config * :       backend = autorid
#idmap config * :  default = yes
idmap config * :  range =  1000000-19999999
idmap config * :  rangesize = 1000000
client ldap sasl wrapping = plain

template homedir = /home/%U
template shell = /usr/bin/bash

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY 

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#       Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
   wins server = 137.148.49.33

utmp = yes

#panic action = /usr/bin/sleep 9999
#
#Get rid of /etc/printcap messages in the logs
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes


#============================ Share Definitions ==============================
#User home directories
#based on settings on meeker as of 9/15/2009
[homes]
   guest ok = no
   read only = no
   create mask = 600
   directory mask = 711
#   case sensitive = no
#   default case = lower
#   preserve case = no
   preexec = /usr/local/sbin/touchmefile.sh %U

[nhlink]
   comment = NHLink files
   path = /var/data/www/nhlink
   public = yes
   writable = yes
   printable = no
   create mode = 774
   directory mask = 775
   guest ok = no

[passages]
   comment = Passages nonprofit website
   path = /var/data/www/passages
   public = yes
   writable = yes
   printable = no
   create mode = 774
   directory mask = 775
   guest ok = no
   force group = urbanweb
   valid users = @hopper\urbanweb

[wgm-web]
   comment = Mather web pages
   path = /var/data/www/wgm
   public = yes
   writable = yes
   printable = no
   create mode = 774
   directory mask = 775
   guest ok = no

[weblogs]
   comment = web server logs
   path = /var/data/www/logs
   public = yes
   writable = yes
   printable = no
   create mode = 774
   directory mask = 775
   guest ok = no

# A publicly accessible directory.
[public]
   comment = Test Public Stuff
   path = /var/spool/uucppublic2
   public = yes
   writable = yes
   printable = no
   create mode = 777
   case sensitive = no
   default case = lower
   preserve case = no
   guest ok = yes
   case sensitive = no
   default case = lower
   preserve case = no

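The steps above (UNIX group present, user resolvable via getent and wbinfo, groupmap created, then `net sam addmem`) can be run as one pre-flight check so that the first failing step is named instead of guessed at. This is an added example, not code from the thread or from the Samba project; the command runner is injectable, and the canned output below is constructed from what the thread shows (the group SID is a placeholder). It assumes `net groupmap list` prints one `NTNAME (SID) -> unixgroup` line per mapping.

```python
"""Pre-flight checks around `net sam addmem` (added example, not from the thread).

Each step mirrors a command used in the thread: the UNIX group must exist,
the AD user must resolve through NSS (getent) and winbind (wbinfo), the
group mapping must exist, and only then is the member added.  The command
runner is injectable so the logic can be exercised with canned output.
"""
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

Runner = Callable[[List[str]], Tuple[int, str]]


def real_run(argv: List[str]) -> Tuple[int, str]:
    """Run a command and return (exit status, combined stdout+stderr)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def nt_status(output: str) -> Optional[str]:
    """Return the first NT_STATUS_* token in command output, or None."""
    for token in output.replace("\n", " ").split():
        if token.startswith("NT_STATUS_"):
            return token.rstrip(".,!")
    return None


def preflight(group: str, user: str, run: Runner = real_run) -> Dict[str, Tuple[bool, str]]:
    """Check every precondition, then try the addmem.  Returns step -> (ok, detail)."""
    results: Dict[str, Tuple[bool, str]] = {}

    rc, out = run(["getent", "group", group])
    results["unix_group"] = (rc == 0 and out.startswith(group + ":"), out.strip())

    rc, out = run(["getent", "passwd", user])
    results["nss_user"] = (rc == 0 and bool(out.strip()), out.strip())

    rc, out = run(["wbinfo", "-i", user])  # wbinfo -i: look the user up via winbind
    results["winbind_user"] = (rc == 0 and bool(out.strip()), out.strip())

    # Assumption: `net groupmap list` prints "NTNAME (SID) -> unixgroup" per line.
    rc, out = run(["net", "groupmap", "list"])
    mapped = rc == 0 and any(line.startswith(group + " ") for line in out.splitlines())
    results["groupmap"] = (mapped, out.strip())

    if not all(ok for ok, _ in results.values()):
        results["addmem"] = (False, "skipped: a precondition failed")
        return results

    rc, out = run(["net", "sam", "addmem", group, user])
    status = nt_status(out)
    results["addmem"] = (rc == 0 and status is None, status or out.strip())
    return results


def failing_step(results: Dict[str, Tuple[bool, str]]) -> Optional[str]:
    """Name of the first failing step, or None if everything passed."""
    for step, (ok, _) in results.items():
        if not ok:
            return step
    return None


# Canned command output, constructed from the thread (SID is a placeholder).
USER = "ADDOMAIN\\1001362"
PASSWD_LINE = "1001362:*:2091888:2000513:Robert M Martel:/home/1001362:/usr/bin/bash\n"
CANNED = {
    ("getent", "group", "urbanweb"): (0, "urbanweb::104:\n"),
    ("getent", "passwd", USER): (0, PASSWD_LINE),
    ("wbinfo", "-i", USER): (0, PASSWD_LINE),
    ("net", "groupmap", "list"): (0, "urbanweb (S-1-5-21-0-0-0-1209) -> urbanweb\n"),
    ("net", "sam", "addmem", "urbanweb", USER): (
        255, "Adding domain group member failed with NT_STATUS_NO_SUCH_USER\n"),
}


def canned_run(argv: List[str]) -> Tuple[int, str]:
    """Fake runner: unknown commands fail with empty output."""
    return CANNED.get(tuple(argv), (1, ""))


if __name__ == "__main__":
    for step, (ok, detail) in preflight("urbanweb", USER, canned_run).items():
        print(f"{step:13s} {'ok  ' if ok else 'FAIL'} {detail}")
```

With the canned output the report reproduces the thread's situation: every lookup succeeds and only the addmem step fails with NT_STATUS_NO_SUCH_USER, which isolates the problem to the `net sam` path rather than to NSS or winbind name resolution. Replacing `canned_run` with the default `real_run` runs the same checks against a live member server.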
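The log.wb excerpt in the message is easier to act on once the multi-line entries are parsed into one record each and the known error texts are tagged. The parser below is an added example, not code from the thread or from Samba; it assumes Samba's usual layout of a `[timestamp, level] file:line(function)` header followed by indented message lines, and also accepts the wrapped form in the mail where the location landed on its own line. The sample is constructed from the four entries quoted above, and the category names are my own.

```python
"""Parse winbind log entries and tag the errors seen in the thread (added example).

Samba writes each entry as a header `[YYYY/MM/DD HH:MM:SS.micros, LEVEL] file:line(function)`
followed by indented message lines.  The mail client wrapped some headers so the
location sits on the next line; the parser accepts both layouts.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s*(\S+)?\s*$")
LOCATION = re.compile(r"^\S+\.c:\d+\(\w+\)$")

# Substring -> category (category names are assumptions); the texts come from the thread.
RULES = [
    ("IO_TIMEOUT", "ldap-timeout"),
    ("sam_logon returned ACCESS_DENIED", "trust-account"),
    ("Bind NACK received", "rpc-bind-refused"),
    ("NT_STATUS_NETWORK_ACCESS_DENIED", "rpc-bind-refused"),
]


@dataclass
class Entry:
    timestamp: str
    level: int
    location: str
    message: str
    category: Optional[str]


def classify(message: str) -> Optional[str]:
    """First matching rule wins; unknown messages get no category."""
    for needle, category in RULES:
        if needle in message:
            return category
    return None


def parse(text: str) -> List[Entry]:
    """Group header + continuation lines into Entry records."""
    entries: List[Entry] = []
    header = None
    location = ""
    body: List[str] = []

    def flush() -> None:
        if header is not None:
            message = " ".join(part.strip() for part in body if part.strip())
            entries.append(Entry(header[0], int(header[1]), location, message, classify(message)))

    for line in text.splitlines():
        m = HEADER.match(line.rstrip())
        if m:
            flush()
            header = (m.group(1), m.group(2))
            location = m.group(3) or ""
            body = []
        elif header is not None and not location and LOCATION.match(line.strip()):
            location = line.strip()  # wrapped header: location on its own line
        elif header is not None:
            body.append(line)
    flush()
    return entries


def summarize(entries: List[Entry]) -> Dict[Optional[str], int]:
    """Count entries per category (None collects untagged entries)."""
    counts: Dict[Optional[str], int] = {}
    for e in entries:
        counts[e.category] = counts.get(e.category, 0) + 1
    return counts


# Constructed sample: the four entries quoted in the thread, two of them wrapped.
SAMPLE = """\
[2016/11/23 02:22:45.241517,  1]
../source3/libads/ldap_utils.c:93(ads_do_search_retry_internal)
   Reducing LDAP page size from 500 to 250 due to IO_TIMEOUT
[2016/11/23 09:37:53.389714,  1] ../source3/winbindd/winbindd_pam.c:1439(winbind_samlogon_retry_loop)
   winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED. Maybe
the DC has Restrict NTLM set or the trust account password was changed
and we didn't know it. Killing connections to domain ADDOMAIN
[2016/11/23 09:37:56.758381,  1]
../source3/rpc_client/cli_pipe.c:421(cli_pipe_validate_current_pdu)
   ../source3/rpc_client/cli_pipe.c:421: Bind NACK received from host
ADDOMAIN-MAIN-III.csunet.csuohio.edu!
[2016/11/23 09:37:56.768962,  1] ../source3/rpc_client/cli_pipe.c:3316(cli_rpc_pipe_open_schannel_with_creds)
   cli_rpc_pipe_open_schannel_with_creds: rpc_pipe_bind failed with
error NT_STATUS_NETWORK_ACCESS_DENIED
"""

if __name__ == "__main__":
    for e in parse(SAMPLE):
        print(f"{e.timestamp} [{e.category or '-'}] {e.message[:70]}")
    print(summarize(parse(SAMPLE)))
```

Run over the sample, the three 09:37 entries land within a few seconds of each other and all concern the member server's secure channel to the DC, which is what the ACCESS_DENIED message itself suggests checking (the machine's trust account password); `wbinfo -t` and `net ads testjoin` are the standard commands for verifying that trust from the member.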

