[Samba] New AD user cannot access file share from member server

Rowland Penny rpenny at samba.org
Mon Jun 19 12:56:00 UTC 2017 

On Mon, 19 Jun 2017 14:46:34 +0200
Viktor Trojanovic <viktor at troja.ch> wrote:

> On 19 June 2017 at 14:20, lingpanda101 via samba
> <samba at lists.samba.org> wrote:
> 
> > On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:
> >
> >> That's correct, I don't have "Unix Attributes" but through the
> >> advanced view I have access to all attributes.
> >>
> >> The ldbsearch command is not returning anything in my case, it
> >> gives me 0 records - no matter which user I try, even the
> >> Administrator. I checked the
> >> command several times to make sure there are no typos. I even
> >> changed the objectclass from "person" to "user" to see if it makes
> >> any difference but it doesn't.
> >>
> >> I tried borth /var/lib/samba/sam.ldb
> >> and /var/lib/samba/private/sam.ldb) and the environment
> >> environment has LDB_MODULES_PATH set.
> >>
> >> I can easily look at the objects using the ADUC from the RSAT, not
> >> sure why
> >> this isn't working...
> >>
> >> On 19 June 2017 at 12:59, Rowland Penny via samba
> >> <samba at lists.samba.org> wrote:
> >>
> >> On Mon, 19 Jun 2017 12:38:09 +0200
> >>> Viktor Trojanovic <viktor at troja.ch> wrote:
> >>>
> >>> Here is the DC's smb.conf:
> >>>>
> >>>>
> >>>> [global]
> >>>>          workgroup = SAMDOM
> >>>>          realm = SAMDOM.EXAMPLE.COM
> >>>>          netbios name = DC
> >>>>          interfaces = lo br-lxc
> >>>>          bind interfaces only = Yes
> >>>>          server role = active directory domain controller
> >>>>          dns forwarder = 192.168.1.2
> >>>>          idmap_ldb:use rfc2307 = yes
> >>>>
> >>>> [netlogon]
> >>>>          path = /var/lib/samba/sysvol/samdom.example.com/scripts
> >>>>          read only = No
> >>>>
> >>>> [sysvol]
> >>>>          path = /var/lib/samba/sysvol
> >>>>          read only = No
> >>>>
> >>> Nothing wrong there
> >>>
> >>> I'm not sure what you mean by showing you the user's AD object,
> >>> can
> >>>> you elaborate?
> >>>>
> >>> OK, install ldb-tools if not installed, then run this:
> >>>
> >>> ldbsearch -H /usr/local/samba/private/sam.ldb -b
> >>> 'cn=users,dc=samdom,dc=example,dc=com' -s sub
> >>> "(&(objectclass=person)(samaccountname=rowland))"
> >>>
> >>> Just in case it has got split up over multiple lines, the above
> >>> should just one line.
> >>>
> >>> Replace:
> >>> /usr/local/samba/private/sam.ldb with the path to your sam.ldb
> >>>
> >>> dc=samdom,dc=example,dc=com with your dns/realm names
> >>>
> >>> rowland with your users name
> >>>
> >>> You should get something like this back:
> >>>
> >>> # record 1
> >>> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> >>> CN: Rowland Penny
> >>> sn: Penny
> >>> description: A Unix user
> >>> givenName: Rowland
> >>> instanceType: 4
> >>> whenCreated: 20151109093821.0Z
> >>> displayName: Rowland Penny
> >>> uSNCreated: 3365
> >>> name: Rowland Penny
> >>> objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
> >>> userAccountControl: 66048
> >>> codePage: 0
> >>> countryCode: 0
> >>> homeDrive: H:
> >>> pwdLastSet: 130915355010000000
> >>> primaryGroupID: 513
> >>> objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
> >>> accountExpires: 0
> >>> sAMAccountName: rowland
> >>> sAMAccountType: 805306368
> >>> userPrincipalName: rowland at samdom.example.com
> >>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=
> >>> example,DC=c
> >>>   om
> >>> unixUserPassword: ABCD!efgh12345$67890
> >>> uid: rowland
> >>> msSFU30Name: rowland
> >>> msSFU30NisDomain: samdom
> >>> uidNumber: 10000
> >>> gecos: Rowland Penny
> >>> unixHomeDirectory: /home/rowland
> >>> loginShell: /bin/bash
> >>> memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
> >>> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> >>> memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
> >>> memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
> >>> memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
> >>> homeDirectory: \\MEMBER1\home\rowland
> >>> objectClass: top
> >>> objectClass: securityPrincipal
> >>> objectClass: person
> >>> objectClass: organizationalPerson
> >>> objectClass: user
> >>> gidNumber: 10000
> >>> lastLogonTimestamp: 131418520439158520
> >>> whenChanged: 20170613182723.0Z
> >>> uSNChanged: 121030
> >>> lastLogon: 131423412865104840
> >>> logonCount: 633
> >>> distinguishedName: CN=Rowland
> >>> Penny,CN=Users,DC=samdom,DC=example,DC=com
> >>>
> >>> # returned 1 records
> >>> # 1 entries
> >>> # 0 referrals
> >>>
> >>> Please post that, though you can sanitise it if you like, but if
> >>> you do, use the same changes through out.
> >>>
> >>> Samba is running on (Arch) Linux with Kernel 4.11. Clients are
> >>>> Windows 10 with all the latest updates, I'm running the RSAT from
> >>>> there.
> >>>>
> >>>> In which case you will not have 'Unix Attributes' tab in ADUC.
> >>>
> >>> Rowland
> >>>
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>
> >>> Use this command replace my name with your username.
> >
> > /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb
> > -b 'dc=samdom,dc=example,dc=local' -s sub
> > "(&(objectclass=person)(samacc ountname=james))"
> >
> > Rowland was linking to the CN=users. Yours may not be located there.
> >
> >
> > I could swear I tried this before, too, but it didn't give me any
> > results.
> Now all of a sudden it does. I must have made a mistake. It gives me
> one entry and 3 referrals.
> 
> [root at DC ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> 'dc=samdom,dc=example,dc=ch' -s sub
> "(&(objectclass=person)(samaccountname=jd))"
> # record 1
> dn: CN=First Last,OU=OFFICE,DC=samdom,DC=example,DC=ch
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Jane Doe
> sn: Doe
> givenName: Jane
> instanceType: 4
> whenCreated: 20170618195208.0Z
> displayName: Jane Doe
> uSNCreated: 26951
> name: Jane Doe
> objectGUID: e2df5086-fa25-4a25-93f2-d8f5e85a47e7
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
> accountExpires: 9223372036854775807
> sAMAccountName: jd
> sAMAccountType: 805306368
> userPrincipalName: jd at samdom.example.ch
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example ,DC=ch
> userAccountControl: 512
> msSFU30NisDomain: samdom
> homeDrive: P:
> homeDirectory: \\fileserver\users\jd
> lastLogonTimestamp: 131422908301256970
> pwdLastSet: 131422908304075720
> uidNumber: 11008
> whenChanged: 20170618203831.0Z
> uSNChanged: 26964
> lastLogon: 131423462588474750
> logonCount: 49
> distinguishedName: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch

OK, glad we got that sorted out ;-)

Your user 'Jane Doe' does not have a 'gidNumber' attribute, does
'Domain Users have a 'gidNumber attribute' ?

Rowland

More information about the samba mailing list