[Samba] New AD user cannot access file share from member server

lingpanda101 lingpanda101 at gmail.com
Mon Jun 19 12:20:35 UTC 2017


On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:
> That's correct, I don't have "Unix Attributes" but through the advanced
> view I have access to all attributes.
>
> The ldbsearch command is not returning anything in my case, it gives me 0
> records - no matter which user I try, even the Administrator. I checked the
> command several times to make sure there are no typos. I even changed the
> objectclass from "person" to "user" to see if it makes any difference but
> it doesn't.
>
> I tried both /var/lib/samba/sam.ldb and /var/lib/samba/private/sam.ldb
> and the environment has LDB_MODULES_PATH set.
>
> I can easily look at the objects using the ADUC from the RSAT, not sure why
> this isn't working...
>
> On 19 June 2017 at 12:59, Rowland Penny via samba <samba at lists.samba.org>
> wrote:
>
>> On Mon, 19 Jun 2017 12:38:09 +0200
>> Viktor Trojanovic <viktor at troja.ch> wrote:
>>
>>> Here is the DC's smb.conf:
>>>
>>>
>>> [global]
>>>          workgroup = SAMDOM
>>>          realm = SAMDOM.EXAMPLE.COM
>>>          netbios name = DC
>>>          interfaces = lo br-lxc
>>>          bind interfaces only = Yes
>>>          server role = active directory domain controller
>>>          dns forwarder = 192.168.1.2
>>>          idmap_ldb:use rfc2307 = yes
>>>
>>> [netlogon]
>>>          path = /var/lib/samba/sysvol/samdom.example.com/scripts
>>>          read only = No
>>>
>>> [sysvol]
>>>          path = /var/lib/samba/sysvol
>>>          read only = No
>> Nothing wrong there
>>
>>> I'm not sure what you mean by showing you the user's AD object, can
>>> you elaborate?
>> OK, install ldb-tools if not installed, then run this:
>>
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b
>> 'cn=users,dc=samdom,dc=example,dc=com' -s sub
>> "(&(objectclass=person)(samaccountname=rowland))"
>>
>> Just in case it has got split up over multiple lines, the above should
>> be just one line.
>>
>> Replace:
>> /usr/local/samba/private/sam.ldb with the path to your sam.ldb
>>
>> dc=samdom,dc=example,dc=com with your dns/realm names
>>
>> rowland with your users name
>>
>> You should get something like this back:
>>
>> # record 1
>> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>> CN: Rowland Penny
>> sn: Penny
>> description: A Unix user
>> givenName: Rowland
>> instanceType: 4
>> whenCreated: 20151109093821.0Z
>> displayName: Rowland Penny
>> uSNCreated: 3365
>> name: Rowland Penny
>> objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
>> userAccountControl: 66048
>> codePage: 0
>> countryCode: 0
>> homeDrive: H:
>> pwdLastSet: 130915355010000000
>> primaryGroupID: 513
>> objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
>> accountExpires: 0
>> sAMAccountName: rowland
>> sAMAccountType: 805306368
>> userPrincipalName: rowland at samdom.example.com
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>> unixUserPassword: ABCD!efgh12345$67890
>> uid: rowland
>> msSFU30Name: rowland
>> msSFU30NisDomain: samdom
>> uidNumber: 10000
>> gecos: Rowland Penny
>> unixHomeDirectory: /home/rowland
>> loginShell: /bin/bash
>> memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
>> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
>> memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
>> memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
>> memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
>> homeDirectory: \\MEMBER1\home\rowland
>> objectClass: top
>> objectClass: securityPrincipal
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> gidNumber: 10000
>> lastLogonTimestamp: 131418520439158520
>> whenChanged: 20170613182723.0Z
>> uSNChanged: 121030
>> lastLogon: 131423412865104840
>> logonCount: 633
>> distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>>
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>>
>> Please post that, though you can sanitise it if you like, but if you
>> do, use the same changes through out.
>>
>>> Samba is running on (Arch) Linux with Kernel 4.11. Clients are
>>> Windows 10 with all the latest updates, I'm running the RSAT from
>>> there.
>>>
>> In which case you will not have 'Unix Attributes' tab in ADUC.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
Use this command, replacing my name with your username.

/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b 
'dc=samdom,dc=example,dc=local' -s sub 
"(&(objectclass=person)(samaccountname=james))"

Rowland was linking to the CN=users. Yours may not be located there.

-- 
James
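An added example, not code from the thread or from Samba: a POSIX shell script that does the lookup James describes (search base at the domain root rather than CN=Users) and then checks the returned record for the RFC2307 attributes that appear in Rowland's sample output (uidNumber, gidNumber, unixHomeDirectory, loginShell). The sam.ldb path and realm are the thread's example values and are assumptions for your site; the embedded LDIF record is constructed and is only used when ldbsearch is not available on the machine running the script.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba.
# Looks a user up in sam.ldb the way James suggests (search base = domain root,
# not CN=Users) and then checks the returned record for the RFC2307 attributes
# that appear in Rowland's sample output.
#
# ASSUMPTIONS: the sam.ldb path and realm below are the thread's examples and
# must be changed for your site; SAMPLE_LDIF is a constructed record used when
# ldbsearch is not available, with uidNumber/gidNumber deliberately left out.

SAM_LDB=/usr/local/samba/private/sam.ldb
BASE_DN='dc=samdom,dc=example,dc=com'

# Constructed sample: a user with a Unix home and shell but no uidNumber/gidNumber.
SAMPLE_LDIF='# record 1
dn: CN=Test User,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: testuser
primaryGroupID: 513
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1108
unixHomeDirectory: /home/testuser
loginShell: /bin/bash
objectClass: user

# returned 1 records
# 1 entries
# 0 referrals'

# Run ldbsearch from the domain root for one sAMAccountName.
# The name is spliced into an LDAP filter, so only plain characters are allowed.
lookup_user() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) echo "lookup_user: refusing unsafe username '$1'" >&2; return 2 ;;
    esac
    ldbsearch -H "$SAM_LDB" -b "$BASE_DN" -s sub \
        "(&(objectclass=person)(samaccountname=$1))"
}

# Print the value of the first occurrence of an attribute (case-insensitive)
# from LDIF on stdin.  Comment lines ("# ...") are skipped.
ldif_attr() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^#/ { next }
        {
            i = index($0, ":")
            if (i == 0) next
            if (tolower(substr($0, 1, i - 1)) == want) {
                val = substr($0, i + 1); sub(/^ +/, "", val); print val; exit
            }
        }'
}

# Number of records ldbsearch reports in its trailer ("# returned N records").
ldif_record_count() {
    awk '/^# returned [0-9]+ records/ { print $3; found = 1; exit }
         END { if (!found) print 0 }'
}

# Print the RFC2307 attributes missing from the record; return 1 if any are missing.
check_rfc2307() {
    missing=
    for attr in uidNumber gidNumber unixHomeDirectory loginShell; do
        val=$(printf '%s\n' "$1" | ldif_attr "$attr")
        [ -n "$val" ] || missing="$missing $attr"
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Use the real database when ldbsearch is present and a username was given;
# otherwise demonstrate on the constructed record.
if [ -n "$1" ] && command -v ldbsearch >/dev/null 2>&1 && [ -r "$SAM_LDB" ]; then
    record=$(lookup_user "$1")
else
    record=$SAMPLE_LDIF
fi

count=$(printf '%s\n' "$record" | ldif_record_count)
if [ "$count" -eq 0 ]; then
    echo "no record found: check the search base and the sam.ldb path"
else
    echo "found $count record(s); sAMAccountName=$(printf '%s\n' "$record" | ldif_attr sAMAccountName)"
    missing=$(check_rfc2307 "$record") || echo "missing RFC2307 attributes: $missing"
fi
```

Run it on the DC as root with the username as the only argument; with no argument, or where ldbsearch is absent, it reports on the constructed record and prints that uidNumber and gidNumber are missing. A result of 0 records points at the search base or the sam.ldb path, which is the situation Viktor describes, not at the user. The character check in lookup_user is there because the name goes straight into an LDAP filter: a stray `)` or `*` in the argument would change the query rather than fail it.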
