[Samba] New AD user cannot access file share from member server

Viktor Trojanovic viktor at troja.ch
Mon Jun 19 12:48:10 UTC 2017


I forgot to mention it. But I actually did try changing the CN=users to
OU=ouname, and even leaving it out. I don't know why it didn't return any
results before, it does now - see my reply to James.

On 19 June 2017 at 14:30, Rowland Penny via samba <samba at lists.samba.org>
wrote:

> On Mon, 19 Jun 2017 08:20:35 -0400
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>
> > On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:
> > > That's correct, I don't have "Unix Attributes" but through the
> > > advanced view I have access to all attributes.
> > >
> > > The ldbsearch command is not returning anything in my case, it
> > > gives me 0 records - no matter which user I try, even the
> > > Administrator. I checked the command several times to make sure
> > > there are no typos. I even changed the objectclass from "person" to
> > > "user" to see if it makes any difference but it doesn't.
> > >
> > > I tried both /var/lib/samba/sam.ldb
> > > and /var/lib/samba/private/sam.ldb, and the environment
> > > has LDB_MODULES_PATH set.
> > >
> > > I can easily look at the objects using the ADUC from the RSAT, not
> > > sure why this isn't working...
> > >
> > > On 19 June 2017 at 12:59, Rowland Penny via samba
> > > <samba at lists.samba.org> wrote:
> > >
> > >> On Mon, 19 Jun 2017 12:38:09 +0200
> > >> Viktor Trojanovic <viktor at troja.ch> wrote:
> > >>
> > >>> Here is the DC's smb.conf:
> > >>>
> > >>>
> > >>> [global]
> > >>>          workgroup = SAMDOM
> > >>>          realm = SAMDOM.EXAMPLE.COM
> > >>>          netbios name = DC
> > >>>          interfaces = lo br-lxc
> > >>>          bind interfaces only = Yes
> > >>>          server role = active directory domain controller
> > >>>          dns forwarder = 192.168.1.2
> > >>>          idmap_ldb:use rfc2307 = yes
> > >>>
> > >>> [netlogon]
> > >>>          path = /var/lib/samba/sysvol/samdom.example.com/scripts
> > >>>          read only = No
> > >>>
> > >>> [sysvol]
> > >>>          path = /var/lib/samba/sysvol
> > >>>          read only = No
> > >> Nothing wrong there
> > >>
> > >>> I'm not sure what you mean by showing you the user's AD object,
> > >>> can you elaborate?
> > >> OK, install ldb-tools if not installed, then run this:
> > >>
> > >> ldbsearch -H /usr/local/samba/private/sam.ldb -b
> > >> 'cn=users,dc=samdom,dc=example,dc=com' -s sub
> > >> "(&(objectclass=person)(samaccountname=rowland))"
> > >>
> > >> Just in case it has got split up over multiple lines, the above
> > >> should just be one line.
> > >>
> > >> Replace:
> > >> /usr/local/samba/private/sam.ldb with the path to your sam.ldb
> > >>
> > >> dc=samdom,dc=example,dc=com with your dns/realm names
> > >>
> > >> rowland with your users name
> > >>
> > >> You should get something like this back:
> > >>
> > >> # record 1
> > >> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> > >> CN: Rowland Penny
> > >> sn: Penny
> > >> description: A Unix user
> > >> givenName: Rowland
> > >> instanceType: 4
> > >> whenCreated: 20151109093821.0Z
> > >> displayName: Rowland Penny
> > >> uSNCreated: 3365
> > >> name: Rowland Penny
> > >> objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
> > >> userAccountControl: 66048
> > >> codePage: 0
> > >> countryCode: 0
> > >> homeDrive: H:
> > >> pwdLastSet: 130915355010000000
> > >> primaryGroupID: 513
> > >> objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
> > >> accountExpires: 0
> > >> sAMAccountName: rowland
> > >> sAMAccountType: 805306368
> > >> userPrincipalName: rowland at samdom.example.com
> > >> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> > >> unixUserPassword: ABCD!efgh12345$67890
> > >> uid: rowland
> > >> msSFU30Name: rowland
> > >> msSFU30NisDomain: samdom
> > >> uidNumber: 10000
> > >> gecos: Rowland Penny
> > >> unixHomeDirectory: /home/rowland
> > >> loginShell: /bin/bash
> > >> memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
> > >> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> > >> memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
> > >> memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
> > >> memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
> > >> homeDirectory: \\MEMBER1\home\rowland
> > >> objectClass: top
> > >> objectClass: securityPrincipal
> > >> objectClass: person
> > >> objectClass: organizationalPerson
> > >> objectClass: user
> > >> gidNumber: 10000
> > >> lastLogonTimestamp: 131418520439158520
> > >> whenChanged: 20170613182723.0Z
> > >> uSNChanged: 121030
> > >> lastLogon: 131423412865104840
> > >> logonCount: 633
> > >> distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> > >>
> > >> # returned 1 records
> > >> # 1 entries
> > >> # 0 referrals
> > >>
> > >> Please post that, though you can sanitise it if you like, but if
> > >> you do, use the same changes throughout.
> > >>
> > >>> Samba is running on (Arch) Linux with Kernel 4.11. Clients are
> > >>> Windows 10 with all the latest updates, I'm running the RSAT from
> > >>> there.
> > >>>
> > >> In which case you will not have 'Unix Attributes' tab in ADUC.
> > >>
> > >> Rowland
> > >>
> > >> --
> > >> To unsubscribe from this list go to the following URL and read the
> > >> instructions:  https://lists.samba.org/mailman/options/samba
> > >>
> > Use this command, replacing my name with your username.
> >
> > /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b
> > 'dc=samdom,dc=example,dc=local' -s sub
> > "(&(objectclass=person)(samaccountname=james))"
> >
> > Rowland was linking to the CN=users. Yours may not be located there.
> >
>
> Good point, but it is the default location for users and groups and the
> OP never mentioned creating an OU (unless I missed it)
>
> Rowland
>
>

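The thread above revolves around two things: building an ldbsearch query that actually finds the user (searching from the domain root rather than assuming CN=Users, as James suggests), and reading the returned record to see whether the RFC2307 attributes that a member server's idmap needs are present. The following script is an added example, not code from the thread or from the Samba project. It builds the ldbsearch command line from a realm and username, parses ldbsearch's LDIF output (including the continuation lines that begin with a single space, as seen in the wrapped objectCategory value above, and `::` base64 values), and reports which RFC2307 attributes a user record lacks. The LDIF record embedded in it is constructed for the example; the names jane, OU=Staff and the uid value are assumptions.

```python
"""Parse ldbsearch LDIF output and check a user object for RFC2307 attributes.

Added example; the sample record below is constructed, not taken from a real domain.
"""
import base64
from collections import defaultdict

# Attributes the 'ad' idmap backend on a member server reads for a user.
# A user with no uidNumber (or whose primary group has no gidNumber) gets no
# Unix ID on the member and therefore cannot access its shares.
RFC2307_ATTRS = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")


def domain_base_from_realm(realm):
    """'samdom.example.com' -> 'DC=samdom,DC=example,DC=com'."""
    return ",".join(f"DC={label}" for label in realm.strip(".").split("."))


def build_ldbsearch_cmd(sam_ldb_path, realm, sam_account_name):
    """Argument list for ldbsearch. The base is the domain root, not CN=Users,
    so users created inside an OU are found as well."""
    return [
        "ldbsearch", "-H", sam_ldb_path,
        "-b", domain_base_from_realm(realm), "-s", "sub",
        f"(&(objectclass=person)(samaccountname={sam_account_name}))",
    ]


def _finish(record):
    """Decode '::' (base64) values, marked with a leading ':' while parsing."""
    out = {}
    for attr, values in record.items():
        out[attr] = [
            base64.b64decode(v[1:].strip()).decode("utf-8", "replace")
            if v.startswith(":") else v
            for v in values
        ]
    return out


def parse_ldif(text):
    """Return a list of records, each a dict attr -> list of values.

    A line starting with one space continues the previous value (LDIF folding);
    '#' lines are comments; a blank line ends a record.
    """
    records, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]       # fold continuation line
            continue
        if not raw.strip():
            if current:
                records.append(_finish(current))
            current, last_attr = None, None
            continue
        if raw.startswith("#"):
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            continue
        if current is None:
            current = defaultdict(list)
        last_attr = attr.strip()
        current[last_attr].append(value.strip())
    if current:
        records.append(_finish(current))
    return records


def check_rfc2307(record):
    """Return the RFC2307 attributes missing from one user record."""
    return [a for a in RFC2307_ATTRS if a not in record]


# Constructed sample: a user in an OU with uidNumber but no gidNumber.
SAMPLE_LDIF = """\
# record 1
dn: CN=Jane Doe,OU=Staff,DC=samdom,DC=example,DC=com
cn: Jane Doe
sAMAccountName: jane
description:: QSBVbml4IHVzZXI=
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
 om
memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10001
loginShell: /bin/bash
objectClass: top
objectClass: person
objectClass: user

# returned 1 records
# 1 entries
# 0 referrals
"""

if __name__ == "__main__":
    print(" ".join(build_ldbsearch_cmd("/var/lib/samba/private/sam.ldb",
                                       "samdom.example.com", "jane")))
    for rec in parse_ldif(SAMPLE_LDIF):
        print(rec["dn"][0], "missing:", check_rfc2307(rec))
```

To use it against a real domain, run the printed ldbsearch command on the DC (with the sam.ldb path from your installation) and feed its output to `parse_ldif`; an empty list from `check_rfc2307` means the user carries all four attributes, and a non-empty one names what a member server using the ad idmap backend would be unable to map.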
