[Samba] New AD user cannot access file share from member server

Rowland Penny rpenny at samba.org
Mon Jun 19 12:30:32 UTC 2017


On Mon, 19 Jun 2017 08:20:35 -0400
lingpanda101 via samba <samba at lists.samba.org> wrote:

> On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:
> > That's correct, I don't have "Unix Attributes" but through the
> > advanced view I have access to all attributes.
> >
> > The ldbsearch command is not returning anything in my case, it
> > gives me 0 records - no matter which user I try, even the
> > Administrator. I checked the command several times to make sure
> > there are no typos. I even changed the objectclass from "person" to
> > "user" to see if it makes any difference but it doesn't.
> >
> > I tried both /var/lib/samba/sam.ldb
> > and /var/lib/samba/private/sam.ldb, and the environment
> > has LDB_MODULES_PATH set.
> >
> > I can easily look at the objects using the ADUC from the RSAT, not
> > sure why this isn't working...
> >
> > On 19 June 2017 at 12:59, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> >
> >> On Mon, 19 Jun 2017 12:38:09 +0200
> >> Viktor Trojanovic <viktor at troja.ch> wrote:
> >>
> >>> Here is the DC's smb.conf:
> >>>
> >>>
> >>> [global]
> >>>          workgroup = SAMDOM
> >>>          realm = SAMDOM.EXAMPLE.COM
> >>>          netbios name = DC
> >>>          interfaces = lo br-lxc
> >>>          bind interfaces only = Yes
> >>>          server role = active directory domain controller
> >>>          dns forwarder = 192.168.1.2
> >>>          idmap_ldb:use rfc2307 = yes
> >>>
> >>> [netlogon]
> >>>          path = /var/lib/samba/sysvol/samdom.example.com/scripts
> >>>          read only = No
> >>>
> >>> [sysvol]
> >>>          path = /var/lib/samba/sysvol
> >>>          read only = No
> >> Nothing wrong there
> >>
> >>> I'm not sure what you mean by showing you the user's AD object,
> >>> can you elaborate?
> >> OK, install ldb-tools if not installed, then run this:
> >>
> >> ldbsearch -H /usr/local/samba/private/sam.ldb -b 'cn=users,dc=samdom,dc=example,dc=com' -s sub "(&(objectclass=person)(samaccountname=rowland))"
> >>
> >> Just in case it has got split up over multiple lines, the above
> >> should just be one line.
> >>
> >> Replace:
> >> /usr/local/samba/private/sam.ldb with the path to your sam.ldb
> >>
> >> dc=samdom,dc=example,dc=com with your dns/realm names
> >>
> >> rowland with your user's name
> >>
> >> You should get something like this back:
> >>
> >> # record 1
> >> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> >> CN: Rowland Penny
> >> sn: Penny
> >> description: A Unix user
> >> givenName: Rowland
> >> instanceType: 4
> >> whenCreated: 20151109093821.0Z
> >> displayName: Rowland Penny
> >> uSNCreated: 3365
> >> name: Rowland Penny
> >> objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
> >> userAccountControl: 66048
> >> codePage: 0
> >> countryCode: 0
> >> homeDrive: H:
> >> pwdLastSet: 130915355010000000
> >> primaryGroupID: 513
> >> objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
> >> accountExpires: 0
> >> sAMAccountName: rowland
> >> sAMAccountType: 805306368
> >> userPrincipalName: rowland at samdom.example.com
> >> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> >> unixUserPassword: ABCD!efgh12345$67890
> >> uid: rowland
> >> msSFU30Name: rowland
> >> msSFU30NisDomain: samdom
> >> uidNumber: 10000
> >> gecos: Rowland Penny
> >> unixHomeDirectory: /home/rowland
> >> loginShell: /bin/bash
> >> memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
> >> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> >> memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
> >> memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
> >> memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
> >> homeDirectory: \\MEMBER1\home\rowland
> >> objectClass: top
> >> objectClass: securityPrincipal
> >> objectClass: person
> >> objectClass: organizationalPerson
> >> objectClass: user
> >> gidNumber: 10000
> >> lastLogonTimestamp: 131418520439158520
> >> whenChanged: 20170613182723.0Z
> >> uSNChanged: 121030
> >> lastLogon: 131423412865104840
> >> logonCount: 633
> >> distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> >>
> >> # returned 1 records
> >> # 1 entries
> >> # 0 referrals
> >>
> >> Please post that, though you can sanitise it if you like, but if
> >> you do, use the same changes through out.
> >>
> >>> Samba is running on (Arch) Linux with Kernel 4.11. Clients are
> >>> Windows 10 with all the latest updates, I'm running the RSAT from
> >>> there.
> >>>
> >> In which case you will not have 'Unix Attributes' tab in ADUC.
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> Use this command, replacing my name with your username.
> 
> /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=local' -s sub "(&(objectclass=person)(samaccountname=james))"
> 
> Rowland was linking to the CN=users. Yours may not be located there.
> 

Good point, but it is the default location for users and groups and the
OP never mentioned creating an OU (unless I missed it)

Rowland
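The ldbsearch check discussed in this thread, as an added example that is not code from the thread or from the Samba project: it builds the same ldbsearch command line with the username escaped for the LDAP filter, parses the LDIF that ldbsearch prints (including folded continuation lines like the objectCategory line in Rowland's record), and reports whether the user object carries uidNumber and gidNumber, the attributes a member server using winbind's "ad" idmap backend reads before it can map the user. Assumptions: that the member server uses the ad backend (the thread does not say which backend is in use), that the sam.ldb path and base DN are supplied by the caller, and that both sample records are constructed (one trimmed from the record Rowland posted, one for a user created in ADUC without any Unix attributes). The group named by the user's primaryGroupID also needs a gidNumber with that backend; that is a separate lookup this script does not perform.

```python
"""Audit an AD user's RFC2307 attributes from ldbsearch output.
Example code for this thread; not from the Samba project."""
import base64
import subprocess

# Attributes winbind's 'ad' idmap backend reads from a user object (assumed
# to be the backend in use; the user's primary group needs gidNumber too).
REQUIRED_USER_ATTRS = ("uidNumber", "gidNumber")


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return (value.replace("\\", "\\5c")
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def ldbsearch_command(sam_ldb, base_dn, username):
    """argv for the ldbsearch call from the thread, as a list (no shell)."""
    flt = "(&(objectClass=person)(sAMAccountName=%s))" % ldap_filter_escape(username)
    return ["ldbsearch", "-H", sam_ldb, "-b", base_dn, "-s", "sub", flt]


def unfold_ldif(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of records, each {attribute_lowercased: [values]}."""
    records, current = [], None
    for line in unfold_ldif(text):
        if not line.strip():            # blank line ends a record
            if current:
                records.append(current)
            current = None
            continue
        if line.startswith("#"):        # '# record 1', '# returned 1 records'
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):        # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if current is None:
            current = {}
        current.setdefault(name.lower(), []).append(value)
    if current:
        records.append(current)
    return records


def missing_unix_attrs(record):
    """Names from REQUIRED_USER_ATTRS that the record does not carry."""
    return [a for a in REQUIRED_USER_ATTRS if a.lower() not in record]


def audit_user(ldif_text, username):
    """Summarise an ldbsearch result for one sAMAccountName; handles 0 records."""
    records = [r for r in parse_ldif(ldif_text)
               if r.get("samaccountname", [""])[0].lower() == username.lower()]
    if not records:
        return {"found": False, "dn": None, "missing": list(REQUIRED_USER_ATTRS)}
    rec = records[0]
    return {"found": True, "dn": rec["dn"][0], "missing": missing_unix_attrs(rec)}


def audit_user_live(sam_ldb, base_dn, username):
    """Run ldbsearch on a DC and audit its output (needs ldb-tools installed)."""
    argv = ldbsearch_command(sam_ldb, base_dn, username)
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return audit_user(out, username)


# Constructed sample: trimmed from the record posted in the thread, with
# objectCategory folded the way ldbsearch folds long lines.
SAMPLE_LDIF = """\
# record 1
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: rowland
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=
 example,DC=com
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/rowland
loginShell: /bin/bash

# returned 1 records
"""

# Constructed sample: a user created in ADUC with no Unix attributes at all.
SAMPLE_LDIF_NO_UNIX = """\
# record 1
dn: CN=New User,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: newuser
objectClass: user

# returned 1 records
"""

if __name__ == "__main__":
    print(audit_user(SAMPLE_LDIF, "rowland"))
    print(audit_user(SAMPLE_LDIF_NO_UNIX, "newuser"))
    print(audit_user("# returned 0 records\n", "nobody"))
```

On a DC, audit_user_live("/var/lib/samba/private/sam.ldb", "dc=samdom,dc=example,dc=com", "rowland") runs the real query; searching from the domain root rather than cn=users avoids the empty result lingpanda101 points out when the user lives in an OU. A "found": False result is the "0 records" symptom from the thread and is worth separating from a user that exists but has no uidNumber/gidNumber.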


