[Samba] New AD user cannot access file share from member server

Viktor Trojanovic viktor at troja.ch
Mon Jun 19 13:08:45 UTC 2017


Not sure if it matters but here is the AD object of a user with no issues:

[root@GJSERVER ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'ou=office,dc=samdom,dc=example,dc=ch' -s sub "(&(objectclass=person)(samaccountname=jd))"
# record 1
dn: CN=John Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: John Doe
sn: Doe
givenName: John
instanceType: 4
whenCreated: 20151228014125.0Z
displayName: John Doe
uSNCreated: 3788
name: John Doe
objectGUID: 15d6c679-5877-452d-a498-183f78d3fb39
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-4280320235-2980747731-3738778716-1105
accountExpires: 9223372036854775807
sAMAccountName: jd
sAMAccountType: 805306368
userPrincipalName: jd@samdom.example.ch
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example
 ,DC=ch
userAccountControl: 512
uidNumber: 11001
msSFU30NisDomain: samdom
homeDirectory: \\fileserver\users\jd
homeDrive: P:
pwdLastSet: 131405963619168070
lastLogonTimestamp: 131420723196760820
whenChanged: 20170616073839.0Z
uSNChanged: 26797
lastLogon: 131423508299965620
logonCount: 1630
distinguishedName: CN=John Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch

Except for the fact that the attributes are not in the same order, I can't
seem to find a relevant difference.

On 19 June 2017 at 14:48, Viktor Trojanovic <viktor at troja.ch> wrote:

> I forgot to mention it. But I actually did try changing the CN=users to
> OU=ouname, and even leaving it out. I don't know why it didn't return any
> results before, it does now - see my reply to James.
>
> On 19 June 2017 at 14:30, Rowland Penny via samba <samba at lists.samba.org>
> wrote:
>
>> On Mon, 19 Jun 2017 08:20:35 -0400
>> lingpanda101 via samba <samba at lists.samba.org> wrote:
>>
>> > On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:
>> > > That's correct, I don't have "Unix Attributes" but through the
>> > > advanced view I have access to all attributes.
>> > >
>> > > The ldbsearch command is not returning anything in my case, it
>> > > gives me 0 records - no matter which user I try, even the
>> > > Administrator. I checked the command several times to make sure
>> > > there are no typos. I even changed the objectclass from "person" to
>> > > "user" to see if it makes any difference but it doesn't.
>> > >
>> > > I tried both /var/lib/samba/sam.ldb
>> > > and /var/lib/samba/private/sam.ldb, and the environment
>> > > has LDB_MODULES_PATH set.
>> > >
>> > > I can easily look at the objects using the ADUC from the RSAT, not
>> > > sure why this isn't working...
>> > >
>> > > On 19 June 2017 at 12:59, Rowland Penny via samba
>> > > <samba at lists.samba.org> wrote:
>> > >
>> > >> On Mon, 19 Jun 2017 12:38:09 +0200
>> > >> Viktor Trojanovic <viktor at troja.ch> wrote:
>> > >>
>> > >>> Here is the DC's smb.conf:
>> > >>>
>> > >>>
>> > >>> [global]
>> > >>>          workgroup = SAMDOM
>> > >>>          realm = SAMDOM.EXAMPLE.COM
>> > >>>          netbios name = DC
>> > >>>          interfaces = lo br-lxc
>> > >>>          bind interfaces only = Yes
>> > >>>          server role = active directory domain controller
>> > >>>          dns forwarder = 192.168.1.2
>> > >>>          idmap_ldb:use rfc2307 = yes
>> > >>>
>> > >>> [netlogon]
>> > >>>          path = /var/lib/samba/sysvol/samdom.example.com/scripts
>> > >>>          read only = No
>> > >>>
>> > >>> [sysvol]
>> > >>>          path = /var/lib/samba/sysvol
>> > >>>          read only = No
>> > >> Nothing wrong there
>> > >>
>> > >>> I'm not sure what you mean by showing you the user's AD object,
>> > >>> can you elaborate?
>> > >> OK, install ldb-tools if not installed, then run this:
>> > >>
>> > >> ldbsearch -H /usr/local/samba/private/sam.ldb -b 'cn=users,dc=samdom,dc=example,dc=com' -s sub "(&(objectclass=person)(samaccountname=rowland))"
>> > >>
>> > >> Just in case it has got split up over multiple lines, the above
>> > >> should just be one line.
>> > >>
>> > >> Replace:
>> > >> /usr/local/samba/private/sam.ldb with the path to your sam.ldb
>> > >>
>> > >> dc=samdom,dc=example,dc=com with your dns/realm names
>> > >>
>> > >> rowland with your users name
>> > >>
>> > >> You should get something like this back:
>> > >>
>> > >> # record 1
>> > >> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>> > >> CN: Rowland Penny
>> > >> sn: Penny
>> > >> description: A Unix user
>> > >> givenName: Rowland
>> > >> instanceType: 4
>> > >> whenCreated: 20151109093821.0Z
>> > >> displayName: Rowland Penny
>> > >> uSNCreated: 3365
>> > >> name: Rowland Penny
>> > >> objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
>> > >> userAccountControl: 66048
>> > >> codePage: 0
>> > >> countryCode: 0
>> > >> homeDrive: H:
>> > >> pwdLastSet: 130915355010000000
>> > >> primaryGroupID: 513
>> > >> objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
>> > >> accountExpires: 0
>> > >> sAMAccountName: rowland
>> > >> sAMAccountType: 805306368
>> > >> userPrincipalName: rowland@samdom.example.com
>> > >> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>> > >> unixUserPassword: ABCD!efgh12345$67890
>> > >> uid: rowland
>> > >> msSFU30Name: rowland
>> > >> msSFU30NisDomain: samdom
>> > >> uidNumber: 10000
>> > >> gecos: Rowland Penny
>> > >> unixHomeDirectory: /home/rowland
>> > >> loginShell: /bin/bash
>> > >> memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
>> > >> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
>> > >> memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
>> > >> memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
>> > >> memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
>> > >> homeDirectory: \\MEMBER1\home\rowland
>> > >> objectClass: top
>> > >> objectClass: securityPrincipal
>> > >> objectClass: person
>> > >> objectClass: organizationalPerson
>> > >> objectClass: user
>> > >> gidNumber: 10000
>> > >> lastLogonTimestamp: 131418520439158520
>> > >> whenChanged: 20170613182723.0Z
>> > >> uSNChanged: 121030
>> > >> lastLogon: 131423412865104840
>> > >> logonCount: 633
>> > >> distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>> > >>
>> > >> # returned 1 records
>> > >> # 1 entries
>> > >> # 0 referrals
>> > >>
>> > >> Please post that, though you can sanitise it if you like, but if
>> > >> you do, use the same changes through out.
>> > >>
>> > >>> Samba is running on (Arch) Linux with Kernel 4.11. Clients are
>> > >>> Windows 10 with all the latest updates, I'm running the RSAT from
>> > >>> there.
>> > >>>
>> > >> In which case you will not have 'Unix Attributes' tab in ADUC.
>> > >>
>> > >> Rowland
>> > >>
>> > >> --
>> > >> To unsubscribe from this list go to the following URL and read the
>> > >> instructions:  https://lists.samba.org/mailman/options/samba
>> > >>
>> > Use this command, replacing my name with your username.
>> >
>> > /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=local' -s sub "(&(objectclass=person)(samaccountname=james))"
>> >
>> > Rowland was linking to the CN=users. Yours may not be located there.
>> >
>>
>> Good point, but it is the default location for users and groups and the
>> OP never mentioned creating an OU (unless I missed it)
>>
>> Rowland
>>
>>
>
>
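
Both Viktor's "I can't seem to find a relevant difference" and Rowland's ldbsearch recipe come down to comparing two LDIF records whose attributes print in a different order. The script below is an added example for this thread, not Samba project code: it parses ldbsearch output (unfolding continuation lines, skipping the "# record" comments), compares two records while ignoring attribute order and per-account noise such as SIDs and timestamps, and reports which RFC2307 attributes each account carries. WORKING_USER is a trimmed copy of the John Doe object posted above; NEW_USER is a constructed stand-in, because the problem account itself is not shown in the thread. The RFC2307 attribute list is an assumption: which of those attributes the member server actually needs depends on its idmap backend, which the thread does not show.

```python
"""Compare two ldbsearch records attribute by attribute, ignoring order.

Added example for this thread, not Samba project code.  WORKING_USER is a
trimmed copy of the John Doe object posted in the thread; NEW_USER is a
constructed stand-in for a freshly created account.
Live use:  python3 ldif_diff.py good.ldif new.ldif
           (each file being the output of one ldbsearch run)
"""
import base64
import sys
from collections import defaultdict

# RFC2307 attributes a member server with 'idmap config DOMAIN:backend = ad'
# looks for.  Assumption for this example: which of them matter depends on
# the member server's idmap configuration, which the thread does not show.
RFC2307_ATTRS = ("uidnumber", "gidnumber", "unixhomedirectory", "loginshell")

# Identity and timestamp attributes always differ between two accounts, so
# they are left out of the comparison.
NOISE = {
    "dn", "distinguishedname", "cn", "name", "sn", "givenname", "displayname",
    "objectguid", "objectsid", "samaccountname", "userprincipalname",
    "whencreated", "whenchanged", "usncreated", "usnchanged", "pwdlastset",
    "lastlogon", "lastlogoff", "lastlogontimestamp", "logoncount",
    "badpwdcount", "badpasswordtime",
}

# Trimmed copy of the working account from the thread (raw string: the
# homeDirectory value contains backslashes).
WORKING_USER = r"""# record 1
dn: CN=John Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
instanceType: 4
primaryGroupID: 513
objectSid: S-1-5-21-4280320235-2980747731-3738778716-1105
sAMAccountName: jd
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example
 ,DC=ch
userAccountControl: 512
uidNumber: 11001
msSFU30NisDomain: samdom
homeDirectory: \\fileserver\users\jd
homeDrive: P:
"""

# Constructed stand-in for a new account (not taken from the thread).
NEW_USER = r"""# record 1
dn: CN=Jane Roe,OU=OFFICE,DC=samdom,DC=example,DC=ch
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
instanceType: 4
primaryGroupID: 513
objectSid: S-1-5-21-4280320235-2980747731-3738778716-1150
sAMAccountName: jr
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example
 ,DC=ch
userAccountControl: 512
"""


def parse_ldif(text):
    """Parse ldbsearch/LDIF output into a list of {attr: [values]} dicts.

    Attribute names are lower-cased (LDAP treats them case-insensitively),
    continuation lines (leading space) are joined onto the previous line,
    '#' comment lines are dropped and 'attr:: base64' values are decoded.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], None
    for line in unfolded:
        if not line.strip():
            if current is not None:
                records.append(dict(current))
                current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[name.strip().lower()].append(value)
    if current is not None:
        records.append(dict(current))
    return records


def diff_records(a, b, ignore=NOISE):
    """Return (only_in_a, only_in_b, differing) with attribute order ignored."""
    ka = {k for k in a if k not in ignore}
    kb = {k for k in b if k not in ignore}
    differing = {k: (sorted(a[k]), sorted(b[k]))
                 for k in sorted(ka & kb) if sorted(a[k]) != sorted(b[k])}
    return sorted(ka - kb), sorted(kb - ka), differing


def missing_rfc2307(record):
    """RFC2307 attributes the record does not carry at all."""
    return [attr for attr in RFC2307_ATTRS if attr not in record]


def compare_users(ldif_a, ldif_b):
    """Build a report comparing the first record of each LDIF text."""
    a, b = parse_ldif(ldif_a)[0], parse_ldif(ldif_b)[0]
    only_a, only_b, differing = diff_records(a, b)
    return {"only_in_first": only_a, "only_in_second": only_b,
            "differing": differing,
            "rfc2307_missing_first": missing_rfc2307(a),
            "rfc2307_missing_second": missing_rfc2307(b)}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fa, open(sys.argv[2]) as fb:
            report = compare_users(fa.read(), fb.read())
    else:
        report = compare_users(WORKING_USER, NEW_USER)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run without arguments it compares the two embedded records; with two file arguments it compares the output of two real ldbsearch runs, which is the quickest way to see what a working account has that a failing one lacks once the attribute order has been taken out of the picture.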

