[Samba] Unable to set up home share correctly

Udo Willke udo.willke at freenet.de
Thu Oct 13 12:48:57 UTC 2016


Hello Rowland,

thank you for your swift reply. I made the modifications you suggested, 
which unfortunately did not better the situation. No change as to the 
"Creator Owner" rights and the Administrator account still shown as 
locked. Also, I couldn't spot any suspicious messages in the Samba 
logfiles besides maybe

get_referred_path: |profiles| in dfs path 
\fileserver.mydomain.lan\profiles is not a dfs root.
get_referred_path: |home| in dfs path \fileserver.mydomain.lan\home is 
not a dfs root.

My test users have uidNumbers and gidNumbers defined. I found this nifty 
command to list them

root at fileserver:/var/log/samba# net ads search 
'(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber -P
Got 15 replies

sAMAccountName: Enterprise Read-Only Domain Controllers
gidNumber: 10005

sAMAccountName: Administrator
uidNumber: 10000
gidNumber: 10000

sAMAccountName: Enterprise Admins
gidNumber: 10004

sAMAccountName: workgroup-1
gidNumber: 10010

sAMAccountName: Users
gidNumber: 10008

sAMAccountName: DnsAdmins
gidNumber: 10006

sAMAccountName: kbudwi
uidNumber: 10002
gidNumber: 10001

sAMAccountName: kbmamu
uidNumber: 10004
gidNumber: 10001

sAMAccountName: Guest
uidNumber: 10001
gidNumber: 10000

sAMAccountName: Schema Admins
gidNumber: 10003

sAMAccountName: Administrators
gidNumber: 10007

sAMAccountName: Domain Admins
gidNumber: 10000

sAMAccountName: Domain Users
gidNumber: 10001

uidNumber: 10003
gidNumber: 10001
sAMAccountName: kbanre

sAMAccountName: Domain Guests
gidNumber: 10002

I can list those users and groups on the member server using "getent 
passwd" and "getent group".

What else could be wrong? My impression is that samba and winbind caches 
a lot of information. Should I start over with the member server?

BTW: I rebooted the server after making the changes - just to be sure.

Thanks in advance and best regards

Udo


Am 13.10.2016 um 11:04 schrieb Rowland Penny via samba:
> On Thu, 13 Oct 2016 10:33:20 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>
>> Hi everyone,
>>
>> after some struggling I have finally set up a Samba AD DC and a file
>> server more or less successfully. Unfortunately I am failing at one
>> of the last steps: the configuration of the home share, where I can't
>> set the permissions correctly which, as a consequence, seems to
>> prevent the creation of the users' folders on the home share
>>
>> I am using the standard Samba packages on ubuntu 16.04 LTS
>> ("2:4.3.11+dfsg-0ubuntu0.16.04") and opted for winbind and the AD
>> backend for id mapping of the domain users. My smb.conf of the member
>> server looks like this:
>>
>> [global]
>>        netbios name = FILESERVER
>>        security = ADS
>>        workgroup = MYDOMAIN
>>        realm = MYDOMAIN.LAN
>>
>>        log level = 5
>>        log file = /var/log/samba/%m.log
>>
>>        password server = 192.168.6.8
>>
>>        interfaces = lo br0
>>        bind interfaces only = yes
>>
>>        dedicated keytab file = /etc/krb5.keytab
>>        kerberos method = secrets and keytab
>>
>>        winbind nss info = rfc2307
>>        winbind trusted domains only = no
>>        winbind use default domain = no
>>        winbind enum users  = yes
>>        winbind enum groups = yes
>>        winbind refresh tickets = Yes
>>        winbind cache time = 60
>>
>>        ;; Default idmap config used for BUILTIN and local accounts/groups
>>        idmap config * : backend = tdb
>>        idmap config * : range = 100000-4294967295
>>
>>        ;; idmap config for domain MYDOMAIN
>>        idmap config MYDOMAIN : backend = ad
>>        idmap config MYDOMAIN : schema_mode = rfc2307
>>        idmap config MYDOMAIN : range = 10000-99999
>>
>>        vfs objects = acl_xattr
>>        map acl inherit = yes
>>        store dos attributes = yes
>>
>>        load printers = no
>>        printing = bsd
>>        printcap name = /dev/null
>>        disable spoolss = yes
>>
>>        template homedir = /var/share/samba/homes/%U
>>
>> [home]
>>        path = /var/share/samba/homes
>>        guest ok = no
>>        read only = no
>>        browseable = yes
>>
>>
>> [profiles]
>>        path = /var/share/samba/profiles
>>        read only = no
>>        store dos attributes = yes
>>        create mask = 0600
>>        directory mask = 0700
>>        guest ok = no
>>        profile acls = yes
>>        csc policy = disable
>>
>> "interfaces" and "bind interfaces only = yes" is needed because the
>> server is dual-homed. By setting the tdb id range to
>> 100000-4294967295, I hoped to get the Windows system accounts mapped.
>>
>> winbind seems to work ok. "getent passwd" and "getent group" show the
>> AD users with the uidNumber and gidNumber attributes set on the AD in
>> the right range. Example
>>
>> root at fileserver:/var/share/samba# id MYDOMAIN\\Administrator
>> uid=10000(MYDOMAIN\administrator) gid=10000(MYDOMAIN\domain admins)
>> groups=10000(MYDOMAIN\domain admins),10004(MYDOMAIN\enterprise
>> admins),10003(MYDOMAIN\schema admins),10001(MYDOMAIN\domain
>> users),100000(BUILTIN\administrators),100001(BUILTIN\users)
>>
>> After adding the [home] section to smb.conf  I create the directory
>> as described in the Samba wiki
>>
>> root at fileserver:/var/share/samba# mkdir homes
>> root at fileserver:/var/share/samba# chgrp MYDOMAIN\\Domain\ Admins homes/
>> root at fileserver:/var/share/samba# chmod g=rwx homes/
>> root at fileserver:/var/share/samba# ls -ld homes/
>> drwxrwxr-x 2 root MYDOMAIN\domain admins 4096 Okt 12 16:05 homes/
>>
>> Then I continue with the RSAT Tools (German Language Version) on
>> Windows 7 where I log in as "MYDOMAIN\Administrator" and use the
>> "Computer Management" Console to configure the home share.
>>
>>
>> Here I face two problems on the "Security" tab:
>>
>> 1) When I add the Administrator user, the account is shown as
>> "locked" (red dot with cross) but I can set "Full Control"
>>
>> 2) When I add the Creator Owner (in my case, I have to look for
>> ERSTELLER-BESITZER) I can check "Full Control", but when I click
>> "Apply" all the check marks disappear
>>
>> Additionally, extra users like "Everyone", "root" or "Creator Group"
>> are already listed in the dialogue box without me doing anything.
>>
>>
>> On the Linux side, the extended permissions of the
>> /var/share/samba/homes directory look like this
>>
>> root at fileserver:/var/share/samba# getfacl homes/
>> # file: homes/
>> # owner: MYDOMAIN\134administrator
>> # group: MYDOMAIN\134domain\040admins
>> user::rwx
>> user:MYDOMAIN\134administrator:rwx
>> group::rwx
>> group:MYDOMAIN\134domain\040admins:rwx
>> group:100004:r-x
>> group:100005:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:MYDOMAIN\134administrator:rwx
>> default:group::---
>> default:group:MYDOMAIN\134domain\040admins:rwx
>> default:group:100004:r-x
>> default:group:100005:rwx
>> default:mask::rwx
>> default:other::---
>>
>> I noticed GIDs 100004 and 100005 are not resolved so I tried to find
>> out why
>>
>> root at fileserver:/var/share/samba# net idmap dump
>> dumping id mapping from /var/lib/samba/winbindd_idmap.tdb
>> GID 100004 S-1-5-11
>> GID 100005 S-1-5-18
>> GID 100006 S-1-3-0
>> USER HWM 100000
>> GID 100002 S-1-1-0
>> GID 100007 S-1-5-4
>> GID 100003 S-1-5-2
>> GROUP HWM 100008
>>
>> With wbinfo --sid-to-fullname I find
>>
>> GID 100004 S-1-5-11 --> NT AUTHORITY\Authenticated Users 5
>>
>> GID 100005 S-1-5-18 --> NT AUTHORITY\SYSTEM 5
>>
>> S-1-3-0 is the well-known SID of the Creator Owner (thus known to the
>> server)
>>
>> Finally, when I log into a Windows 7 workstation (previously joined
>> to the domain) with my test user account
>>
>> root at fileserver:/var/share/samba# id MYDOMAIN\\kbudwi
>> uid=10002(MYDOMAIN\kbudwi) gid=10001(MYDOMAIN\domain users)
>> groups=10001(MYDOMAIN\domain
>> users),10010(MYDOMAIN\workgroup-1),100001(BUILTIN\users)
>>
>> my home folder "kbudwi" is neither created nor mounted.
>>
>> When I navigate manually to the home base folder by entering
>> "\\fileserver\home" into Windows Explorer, I get an empty folder.
>>
>> When I try to create my home folder manually I get a message box
>> saying something like "home: You need permissions to continue the
>> operation" (loosely translated from German). I suspect, the missing
>> "Creator Owner" rights block the folder creation.
>>
>> Generally speaking, I am very unsure how to handle the id mapping for
>> the ad backend. The documentation (I found) does not specify, whether
>> I have to set the Unix UIDs and GIDs on system accounts or on user
>> accounts only. Maybe I have messed it up at this level?
>>
>> Any help would be highly appreciated as I am seriously running out of
>> ideas
>>
>> Thanks and best regards
>>
>> Udo
>>
> Do you really need '4294867295' spaces for the '*' range, I only have
> '7999' and feel that is an overkill, see here for more info:
>
> https://support.microsoft.com/en-us/kb/243330
>
> As for your users home dir not getting created, try running this on the
> fileserver:
>
> echo "session    required   pam_mkhomedir.so skel=/etc/skel/
> umask=0022" >> /etc/pam.d/common-account
>
> Add this line to smb.conf:
>
> username map = /etc/samba/user.map
>
> And create the /etc/samba/user.map with this content:
>
> !root = MYDOMAIN\Administrator MYDOMAIN\administrator Administrator
> administrator
>
> That will map the windows administrator to the Unix root user
>
> To make windows users visible to the domain member whilst using the
> winbind 'ad' backend, you must give each user a unique uidNumber
> attribute inside the range you set for the domain (MYDOMAIN) in
> smb.conf, you MUST also give Domain Users a gidNumber attribute inside
> the range.
>
> Rowland
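As an added illustration of the check Rowland describes (every domain user needs a uidNumber, and Domain Users a gidNumber, inside the MYDOMAIN idmap range, and the '*' tdb range must not collide with it), here is a small Python script that is not part of this thread. It parses a constructed smb.conf fragment and constructed output in the format of the `net ads search` command quoted above, and reports the entries that would leave winbind's 'ad' backend unable to map an account.

```python
import re

# Constructed sample smb.conf fragment in the style of the config in the thread
SMB_CONF = """[global]
    idmap config * : backend = tdb
    idmap config * : range = 100000-4294967295
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : range = 10000-99999
"""

# Constructed sample in the format printed by
# net ads search '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber -P
NET_ADS = """Got 4 replies

sAMAccountName: Domain Users
gidNumber: 10001

sAMAccountName: kbudwi
uidNumber: 10002
gidNumber: 10001

uidNumber: 200000
gidNumber: 10001
sAMAccountName: kbanre

sAMAccountName: kbtest
gidNumber: 10001
"""

RANGE_RE = re.compile(r"^\s*idmap config (\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M)

def parse_ranges(conf):
    """Map each idmap domain name ('*', 'MYDOMAIN', ...) to its (low, high) range."""
    return {d: (int(lo), int(hi)) for d, lo, hi in RANGE_RE.findall(conf)}

def parse_net_ads(output):
    """One dict per blank-line-separated entry; attribute order varies, as in the thread."""
    entries = []
    for block in re.split(r"\n\s*\n", output.strip()):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "sAMAccountName" in attrs:       # skips the "Got N replies" header
            entries.append(attrs)
    return entries

def check_idmap(conf, output, domain):
    """Report ids outside the domain range, entries with no uidNumber (expected for groups,
    a problem for users) and whether the '*' range overlaps the domain range."""
    ranges = parse_ranges(conf)
    lo, hi = ranges[domain]
    slo, shi = ranges["*"]
    report = {"overlap": not (shi < lo or slo > hi), "out_of_range": [],
              "gid_only": [], "domain_users_gid_ok": False}
    for e in parse_net_ads(output):
        name = e["sAMAccountName"]
        for attr in ("uidNumber", "gidNumber"):
            if attr in e and not lo <= int(e[attr]) <= hi:
                report["out_of_range"].append((name, attr, int(e[attr])))
        if "uidNumber" not in e:
            report["gid_only"].append(name)
        if name == "Domain Users" and "gidNumber" in e and lo <= int(e["gidNumber"]) <= hi:
            report["domain_users_gid_ok"] = True
    return report
```

In the constructed sample, kbanre has a uidNumber outside the MYDOMAIN range and kbtest has none at all; both show up in the report, while Domain Users appears under gid_only only because it is a group.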