[Samba] New AD user cannot access file share from member server

Viktor Trojanovic viktor at troja.ch
Mon Jun 19 12:46:34 UTC 2017


On 19 June 2017 at 14:20, lingpanda101 via samba <samba at lists.samba.org>
wrote:

> On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:
>
>> That's correct, I don't have "Unix Attributes" but through the advanced
>> view I have access to all attributes.
>>
>> The ldbsearch command is not returning anything in my case, it gives me 0
>> records - no matter which user I try, even the Administrator. I checked
>> the
>> command several times to make sure there are no typos. I even changed the
>> objectclass from "person" to "user" to see if it makes any difference but
>> it doesn't.
>>
>> I tried both /var/lib/samba/sam.ldb and /var/lib/samba/private/sam.ldb,
>> and the environment has LDB_MODULES_PATH set.
>>
>> I can easily look at the objects using the ADUC from the RSAT, not sure
>> why
>> this isn't working...
>>
>> On 19 June 2017 at 12:59, Rowland Penny via samba <samba at lists.samba.org>
>> wrote:
>>
>>> On Mon, 19 Jun 2017 12:38:09 +0200
>>> Viktor Trojanovic <viktor at troja.ch> wrote:
>>>
>>>> Here is the DC's smb.conf:
>>>>
>>>>
>>>> [global]
>>>>          workgroup = SAMDOM
>>>>          realm = SAMDOM.EXAMPLE.COM
>>>>          netbios name = DC
>>>>          interfaces = lo br-lxc
>>>>          bind interfaces only = Yes
>>>>          server role = active directory domain controller
>>>>          dns forwarder = 192.168.1.2
>>>>          idmap_ldb:use rfc2307 = yes
>>>>
>>>> [netlogon]
>>>>          path = /var/lib/samba/sysvol/samdom.example.com/scripts
>>>>          read only = No
>>>>
>>>> [sysvol]
>>>>          path = /var/lib/samba/sysvol
>>>>          read only = No
>>>>
>>> Nothing wrong there
>>>
>>>> I'm not sure what you mean by showing you the user's AD object, can
>>>> you elaborate?
>>>>
>>> OK, install ldb-tools if not installed, then run this:
>>>
>>> ldbsearch -H /usr/local/samba/private/sam.ldb -b
>>> 'cn=users,dc=samdom,dc=example,dc=com' -s sub
>>> "(&(objectclass=person)(samaccountname=rowland))"
>>>
>>> Just in case it has got split up over multiple lines, the above should
>>> just be one line.
>>>
>>> Replace:
>>> /usr/local/samba/private/sam.ldb with the path to your sam.ldb
>>>
>>> dc=samdom,dc=example,dc=com with your dns/realm names
>>>
>>> rowland with your users name
>>>
>>> You should get something like this back:
>>>
>>> # record 1
>>> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>>> CN: Rowland Penny
>>> sn: Penny
>>> description: A Unix user
>>> givenName: Rowland
>>> instanceType: 4
>>> whenCreated: 20151109093821.0Z
>>> displayName: Rowland Penny
>>> uSNCreated: 3365
>>> name: Rowland Penny
>>> objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
>>> userAccountControl: 66048
>>> codePage: 0
>>> countryCode: 0
>>> homeDrive: H:
>>> pwdLastSet: 130915355010000000
>>> primaryGroupID: 513
>>> objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
>>> accountExpires: 0
>>> sAMAccountName: rowland
>>> sAMAccountType: 805306368
>>> userPrincipalName: rowland at samdom.example.com
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>>> unixUserPassword: ABCD!efgh12345$67890
>>> uid: rowland
>>> msSFU30Name: rowland
>>> msSFU30NisDomain: samdom
>>> uidNumber: 10000
>>> gecos: Rowland Penny
>>> unixHomeDirectory: /home/rowland
>>> loginShell: /bin/bash
>>> memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
>>> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
>>> memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
>>> memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
>>> memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
>>> homeDirectory: \\MEMBER1\home\rowland
>>> objectClass: top
>>> objectClass: securityPrincipal
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> gidNumber: 10000
>>> lastLogonTimestamp: 131418520439158520
>>> whenChanged: 20170613182723.0Z
>>> uSNChanged: 121030
>>> lastLogon: 131423412865104840
>>> logonCount: 633
>>> distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>>>
>>> # returned 1 records
>>> # 1 entries
>>> # 0 referrals
>>>
>>> Please post that, though you can sanitise it if you like, but if you
>>> do, use the same changes throughout.
>>>
>>>> Samba is running on (Arch) Linux with Kernel 4.11. Clients are
>>>> Windows 10 with all the latest updates, I'm running the RSAT from
>>>> there.
>>>>
>>> In which case you will not have the 'Unix Attributes' tab in ADUC.
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
> Use this command, replacing my name with your username.
>
> /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b
> 'dc=samdom,dc=example,dc=local' -s sub
> "(&(objectclass=person)(samaccountname=james))"
>
> Rowland was linking to the CN=users. Yours may not be located there.
>
>
I could swear I tried this before, too, but it didn't give me any results.
Now all of a sudden it does. I must have made a mistake. It gives me one
entry and 3 referrals.

[root at DC ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
'dc=samdom,dc=example,dc=ch' -s sub
"(&(objectclass=person)(samaccountname=jd))"
# record 1
dn: CN=First Last,OU=OFFICE,DC=samdom,DC=example,DC=ch
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Jane Doe
sn: Doe
givenName: Jane
instanceType: 4
whenCreated: 20170618195208.0Z
displayName: Jane Doe
uSNCreated: 26951
name: Jane Doe
objectGUID: e2df5086-fa25-4a25-93f2-d8f5e85a47e7
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
accountExpires: 9223372036854775807
sAMAccountName: jd
sAMAccountType: 805306368
userPrincipalName: jd at samdom.example.ch
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example
 ,DC=ch
userAccountControl: 512
msSFU30NisDomain: samdom
homeDrive: P:
homeDirectory: \\fileserver\users\jd
lastLogonTimestamp: 131422908301256970
pwdLastSet: 131422908304075720
uidNumber: 11008
whenChanged: 20170618203831.0Z
uSNChanged: 26964
lastLogon: 131423462588474750
logonCount: 49
distinguishedName: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
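
Rowland's check above amounts to dumping the user's AD object and reading the RFC2307 attributes off by eye. As an added example (not from the thread and not Samba's own code), the script below does the same on the LDIF that ldbsearch prints: it unfolds continuation lines (like the folded objectCategory value above), reports whether the account is enabled and which of uidNumber and gidNumber are set, and derives the primary group's SID from objectSid and primaryGroupID. That last step matters because a member server using idmap_ad with the rfc2307 schema maps the user through uidNumber and, by default, takes the Unix group from the gidNumber of the group named by primaryGroupID rather than from the user's own gidNumber (only `unix_primary_group = yes` changes that), so the group object is the next thing to look at. The embedded sample is constructed from the record posted above, trimmed to the attributes that matter; the script name check_rfc2307.py is an assumption.

```python
"""Check a user record dumped by ldbsearch for the attributes a member server
using idmap_ad needs.  Pipe ldbsearch output in with "-", e.g.

  ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=ch' \
    -s sub '(&(objectclass=person)(samaccountname=jd))' | python3 check_rfc2307.py -

Without "-" it runs against the constructed sample below.
"""
import sys

# Constructed sample: the record posted in the thread, trimmed to the attributes
# that matter here, with objectCategory folded onto a continuation line the way
# ldbsearch prints long values.
SAMPLE_LDIF = """\
# record 1
dn: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
objectClass: user
sAMAccountName: jd
primaryGroupID: 513
objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example
 ,DC=ch
userAccountControl: 512
msSFU30NisDomain: samdom
uidNumber: 11008

# returned 1 records
# 1 entries
# 3 referrals
"""

UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled accounts


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Attribute names are lower-cased (LDAP treats them case-insensitively).
    Continuation lines (leading space, RFC 2849) are unfolded and '#' comments
    skipped; base64 values ('attr:: ...') are kept undecoded.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    records, current = [], {}
    for line in logical:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def primary_group_sid(object_sid, primary_group_id):
    """The primary group's SID is the user's SID with the RID swapped for
    primaryGroupID (RID 513 is Domain Users)."""
    domain_sid = object_sid.rsplit("-", 1)[0]
    return f"{domain_sid}-{int(primary_group_id)}"


def check_user(rec):
    """Return what idmap_ad (rfc2307 schema) will find on this user object."""
    def first(attr):
        return (rec.get(attr.lower()) or [None])[0]

    uac = int(first("userAccountControl") or 0)
    findings = {
        "dn": first("dn"),
        "sAMAccountName": first("sAMAccountName"),
        "enabled": not (uac & UF_ACCOUNTDISABLE),
        "uidNumber": first("uidNumber"),
        "gidNumber": first("gidNumber"),
        "primaryGroupSid": None,
        "missing": [a for a in ("uidNumber", "gidNumber") if first(a) is None],
    }
    sid, pgid = first("objectSid"), first("primaryGroupID")
    if sid and pgid:
        findings["primaryGroupSid"] = primary_group_sid(sid, pgid)
    return findings


def report(text):
    """Check every record in LDIF text, print a summary, return the findings."""
    results = [check_user(r) for r in parse_ldif(text) if "dn" in r]
    for f in results:
        print(f"{f['sAMAccountName']}: enabled={f['enabled']} "
              f"uidNumber={f['uidNumber']} gidNumber={f['gidNumber']}")
        if f["primaryGroupSid"]:
            # Default idmap_ad uses the group's gidNumber, not the user's;
            # only unix_primary_group = yes makes the user's gidNumber matter.
            print(f"  primary group {f['primaryGroupSid']} must carry a gidNumber")
        if f["missing"]:
            print(f"  not set on user: {', '.join(f['missing'])}")
    return results


if __name__ == "__main__":
    report(sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LDIF)
```

Run against the posted record, it reports uidNumber 11008, no gidNumber on the user, and a primary group SID ending in -513; the follow-up check is an ldbsearch on that group (`(objectSid=S-1-5-21-...-513)`) to see whether it carries a gidNumber, which the thread has not yet shown.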

