[Samba] New AD user cannot access file share from member server

Viktor Trojanovic viktor at troja.ch
Mon Jun 19 11:51:31 UTC 2017


That's correct, I don't have "Unix Attributes" but through the advanced
view I have access to all attributes.

The ldbsearch command is not returning anything in my case, it gives me 0
records - no matter which user I try, even the Administrator. I checked the
command several times to make sure there are no typos. I even changed the
objectclass from "person" to "user" to see if it makes any difference but
it doesn't.

I tried both /var/lib/samba/sam.ldb and /var/lib/samba/private/sam.ldb,
and the environment has LDB_MODULES_PATH set.

I can easily look at the objects using the ADUC from the RSAT, not sure why
this isn't working...

On 19 June 2017 at 12:59, Rowland Penny via samba <samba at lists.samba.org>
wrote:

> On Mon, 19 Jun 2017 12:38:09 +0200
> Viktor Trojanovic <viktor at troja.ch> wrote:
>
> > Here is the DC's smb.conf:
> >
> >
> > [global]
> >         workgroup = SAMDOM
> >         realm = SAMDOM.EXAMPLE.COM
> >         netbios name = DC
> >         interfaces = lo br-lxc
> >         bind interfaces only = Yes
> >         server role = active directory domain controller
> >         dns forwarder = 192.168.1.2
> >         idmap_ldb:use rfc2307 = yes
> >
> > [netlogon]
> >         path = /var/lib/samba/sysvol/samdom.example.com/scripts
> >         read only = No
> >
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
>
> Nothing wrong there
>
> >
> > I'm not sure what you mean by showing you the user's AD object, can
> > you elaborate?
>
> OK, install ldb-tools if not installed, then run this:
>
> ldbsearch -H /usr/local/samba/private/sam.ldb -b
> 'cn=users,dc=samdom,dc=example,dc=com' -s sub
> "(&(objectclass=person)(samaccountname=rowland))"
>
> Just in case it has got split up over multiple lines, the above should
> be just one line.
>
> Replace:
> /usr/local/samba/private/sam.ldb with the path to your sam.ldb
>
> dc=samdom,dc=example,dc=com with your dns/realm names
>
> rowland with your users name
>
> You should get something like this back:
>
> # record 1
> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> CN: Rowland Penny
> sn: Penny
> description: A Unix user
> givenName: Rowland
> instanceType: 4
> whenCreated: 20151109093821.0Z
> displayName: Rowland Penny
> uSNCreated: 3365
> name: Rowland Penny
> objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
> userAccountControl: 66048
> codePage: 0
> countryCode: 0
> homeDrive: H:
> pwdLastSet: 130915355010000000
> primaryGroupID: 513
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
> accountExpires: 0
> sAMAccountName: rowland
> sAMAccountType: 805306368
> userPrincipalName: rowland at samdom.example.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> unixUserPassword: ABCD!efgh12345$67890
> uid: rowland
> msSFU30Name: rowland
> msSFU30NisDomain: samdom
> uidNumber: 10000
> gecos: Rowland Penny
> unixHomeDirectory: /home/rowland
> loginShell: /bin/bash
> memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
> memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
> memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
> homeDirectory: \\MEMBER1\home\rowland
> objectClass: top
> objectClass: securityPrincipal
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> gidNumber: 10000
> lastLogonTimestamp: 131418520439158520
> whenChanged: 20170613182723.0Z
> uSNChanged: 121030
> lastLogon: 131423412865104840
> logonCount: 633
> distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> Please post that, though you can sanitise it if you like, but if you
> do, use the same changes throughout.
>
> >
> > Samba is running on (Arch) Linux with Kernel 4.11. Clients are
> > Windows 10 with all the latest updates, I'm running the RSAT from
> > there.
> >
>
> In which case you will not have 'Unix Attributes' tab in ADUC.
>
> Rowland
>

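An added example (my own, not code from the thread or from Samba) that builds the ldbsearch query from Rowland's reply as a single argv list, escapes the user name per RFC 4515 so a supplied name cannot change the filter, and parses the LDIF that comes back: it unfolds wrapped continuation lines, skips the `# returned N records` trailer, distinguishes the 0-records case Viktor is seeing from a found user, and reports whether the uidNumber/gidNumber attributes shown in Rowland's sample output are present. The sample LDIF below is constructed, trimmed from that output.

```python
# Constructed sample of the thread's ldbsearch output (trimmed), with a folded line.
SAMPLE_LDIF = """\
# record 1
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: rowland
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
 om
uidNumber: 10000
gidNumber: 10000
# returned 1 records
"""
RFC2307_ATTRS = ("uidNumber", "gidNumber")

def ldap_filter_escape(value):
    """RFC 4515 escaping so a user-supplied name cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def ldbsearch_argv(sam_ldb, base_dn, username):
    """argv for the query from the thread, as one command (no line wrapping)."""
    return ["ldbsearch", "-H", sam_ldb, "-b", base_dn, "-s", "sub",
            "(&(objectclass=person)(samaccountname=%s))" % ldap_filter_escape(username)]

def parse_ldif(text):
    """Unfold continuation lines, drop '#' comments, group attributes per dn."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line
        else:
            lines.append(raw)
    records, current = [], None
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            records.append(current := {})
        if current is not None:
            current.setdefault(attr, []).append(value)
    return records

def check_user(text):
    """'not-found' (0 records, as in the thread), 'ok', or 'missing-rfc2307'."""
    records = parse_ldif(text)
    if not records:
        return "not-found", list(RFC2307_ATTRS)
    missing = [a for a in RFC2307_ATTRS if a not in records[0]]
    return ("ok" if not missing else "missing-rfc2307"), missing
```

Feed the real output to `check_user` (for example via `subprocess.run(ldbsearch_argv(...), capture_output=True, text=True).stdout`) to get the same classification on a live DC.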