[Samba] New AD user cannot access file share from member server

lingpanda101 lingpanda101 at gmail.com
Mon Jun 19 13:31:17 UTC 2017


On 6/19/2017 9:12 AM, Viktor Trojanovic via samba wrote:
> On 19 June 2017 at 14:56, Rowland Penny via samba <samba at lists.samba.org>
> wrote:
>
>> On Mon, 19 Jun 2017 14:46:34 +0200
>> Viktor Trojanovic <viktor at troja.ch> wrote:
>>
>>> On 19 June 2017 at 14:20, lingpanda101 via samba
>>> <samba at lists.samba.org> wrote:
>>>
>>>> On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:
>>>>
>>>>> That's correct, I don't have "Unix Attributes" but through the
>>>>> advanced view I have access to all attributes.
>>>>>
>>>>> The ldbsearch command is not returning anything in my case, it
>>>>> gives me 0 records - no matter which user I try, even the
>>>>> Administrator. I checked the
>>>>> command several times to make sure there are no typos. I even
>>>>> changed the objectclass from "person" to "user" to see if it makes
>>>>> any difference but it doesn't.
>>>>>
>>>>> I tried both /var/lib/samba/sam.ldb
>>>>> and /var/lib/samba/private/sam.ldb, and the environment
>>>>> has LDB_MODULES_PATH set.
>>>>>
>>>>> I can easily look at the objects using the ADUC from the RSAT, not
>>>>> sure why
>>>>> this isn't working...
>>>>>
>>>>> On 19 June 2017 at 12:59, Rowland Penny via samba
>>>>> <samba at lists.samba.org> wrote:
>>>>>
>>>>> On Mon, 19 Jun 2017 12:38:09 +0200
>>>>>> Viktor Trojanovic <viktor at troja.ch> wrote:
>>>>>>
>>>>>>> Here is the DC's smb.conf:
>>>>>>>
>>>>>>> [global]
>>>>>>>           workgroup = SAMDOM
>>>>>>>           realm = SAMDOM.EXAMPLE.COM
>>>>>>>           netbios name = DC
>>>>>>>           interfaces = lo br-lxc
>>>>>>>           bind interfaces only = Yes
>>>>>>>           server role = active directory domain controller
>>>>>>>           dns forwarder = 192.168.1.2
>>>>>>>           idmap_ldb:use rfc2307 = yes
>>>>>>>
>>>>>>> [netlogon]
>>>>>>>           path = /var/lib/samba/sysvol/samdom.example.com/scripts
>>>>>>>           read only = No
>>>>>>>
>>>>>>> [sysvol]
>>>>>>>           path = /var/lib/samba/sysvol
>>>>>>>           read only = No
>>>>>>>
>>>>>> Nothing wrong there
>>>>>>
>>>>>>> I'm not sure what you mean by showing you the user's AD object,
>>>>>>> can you elaborate?
>>>>>>>
>>>>>>>
>>>>>> OK, install ldb-tools if not installed, then run this:
>>>>>>
>>>>>> ldbsearch -H /usr/local/samba/private/sam.ldb -b
>>>>>> 'cn=users,dc=samdom,dc=example,dc=com' -s sub
>>>>>> "(&(objectclass=person)(samaccountname=rowland))"
>>>>>>
>>>>>> Just in case it has got split up over multiple lines, the above
>>>>>> should be just one line.
>>>>>>
>>>>>> Replace:
>>>>>> /usr/local/samba/private/sam.ldb with the path to your sam.ldb
>>>>>>
>>>>>> dc=samdom,dc=example,dc=com with your dns/realm names
>>>>>>
>>>>>> rowland with your users name
>>>>>>
>>>>>> You should get something like this back:
>>>>>>
>>>>>> # record 1
>>>>>> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>>>>>> CN: Rowland Penny
>>>>>> sn: Penny
>>>>>> description: A Unix user
>>>>>> givenName: Rowland
>>>>>> instanceType: 4
>>>>>> whenCreated: 20151109093821.0Z
>>>>>> displayName: Rowland Penny
>>>>>> uSNCreated: 3365
>>>>>> name: Rowland Penny
>>>>>> objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
>>>>>> userAccountControl: 66048
>>>>>> codePage: 0
>>>>>> countryCode: 0
>>>>>> homeDrive: H:
>>>>>> pwdLastSet: 130915355010000000
>>>>>> primaryGroupID: 513
>>>>>> objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
>>>>>> accountExpires: 0
>>>>>> sAMAccountName: rowland
>>>>>> sAMAccountType: 805306368
>>>>>> userPrincipalName: rowland at samdom.example.com
>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>> uid: rowland
>>>>>> msSFU30Name: rowland
>>>>>> msSFU30NisDomain: samdom
>>>>>> uidNumber: 10000
>>>>>> gecos: Rowland Penny
>>>>>> unixHomeDirectory: /home/rowland
>>>>>> loginShell: /bin/bash
>>>>>> memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
>>>>>> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
>>>>>> memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
>>>>>> memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
>>>>>> memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
>>>>>> homeDirectory: \\MEMBER1\home\rowland
>>>>>> objectClass: top
>>>>>> objectClass: securityPrincipal
>>>>>> objectClass: person
>>>>>> objectClass: organizationalPerson
>>>>>> objectClass: user
>>>>>> gidNumber: 10000
>>>>>> lastLogonTimestamp: 131418520439158520
>>>>>> whenChanged: 20170613182723.0Z
>>>>>> uSNChanged: 121030
>>>>>> lastLogon: 131423412865104840
>>>>>> logonCount: 633
>>>>>> distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>>>>>>
>>>>>> # returned 1 records
>>>>>> # 1 entries
>>>>>> # 0 referrals
>>>>>>
>>>>>> Please post that, though you can sanitise it if you like, but if
>>>>>> you do, use the same changes through out.
>>>>>>
>>>>>>> Samba is running on (Arch) Linux with Kernel 4.11. Clients are
>>>>>>> Windows 10 with all the latest updates, I'm running the RSAT from
>>>>>>> there.
>>>>>>>
>>>>>> In which case you will not have the 'Unix Attributes' tab in ADUC.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>> Use this command, replacing my name with your username.
>>>> /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb
>>>> -b 'dc=samdom,dc=example,dc=local' -s sub
>>>> "(&(objectclass=person)(samaccountname=james))"
>>>>
>>>> Rowland was linking to the CN=users. Yours may not be located there.
>>>>
>>>>
>>> I could swear I tried this before, too, but it didn't give me any
>>> results. Now all of a sudden it does. I must have made a mistake. It
>>> gives me one entry and 3 referrals.
>>>
>>> [root at DC ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
>>> 'dc=samdom,dc=example,dc=ch' -s sub
>>> "(&(objectclass=person)(samaccountname=jd))"
>>> # record 1
>>> dn: CN=First Last,OU=OFFICE,DC=samdom,DC=example,DC=ch
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: Jane Doe
>>> sn: Doe
>>> givenName: Jane
>>> instanceType: 4
>>> whenCreated: 20170618195208.0Z
>>> displayName: Jane Doe
>>> uSNCreated: 26951
>>> name: Jane Doe
>>> objectGUID: e2df5086-fa25-4a25-93f2-d8f5e85a47e7
>>> badPwdCount: 0
>>> codePage: 0
>>> countryCode: 0
>>> badPasswordTime: 0
>>> lastLogoff: 0
>>> primaryGroupID: 513
>>> objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
>>> accountExpires: 9223372036854775807
>>> sAMAccountName: jd
>>> sAMAccountType: 805306368
>>> userPrincipalName: jd at samdom.example.ch
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=ch
>>> userAccountControl: 512
>>> msSFU30NisDomain: samdom
>>> homeDrive: P:
>>> homeDirectory: \\fileserver\users\jd
>>> lastLogonTimestamp: 131422908301256970
>>> pwdLastSet: 131422908304075720
>>> uidNumber: 11008
>>> whenChanged: 20170618203831.0Z
>>> uSNChanged: 26964
>>> lastLogon: 131423462588474750
>>> logonCount: 49
>>> distinguishedName: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
>> OK, glad we got that sorted out ;-)
>>
>> Your user 'Jane Doe' does not have a 'gidNumber' attribute. Does
>> 'Domain Users' have a 'gidNumber' attribute?
>>
> It does, it's set to 10001.
>
> And none of the users have gidNumber set.

Is the user's primary group name/GID set as 'Domain Users'?

-- 
James
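As an added example (my own code, not something posted in the thread and not part of Samba), here is a small audit that parses the LDIF ldbsearch prints and reports exactly the gaps the thread is chasing: a user carrying uidNumber but no gidNumber, a primary group (located as domain SID plus primaryGroupID, 513 being Domain Users) that has no gidNumber, and a user gidNumber that disagrees with the primary group's. The ldbsearch invocation in the docstring and the sample records are assumptions constructed for the example; on a real DC, run the query and feed its output to parse_ldif.

```python
"""Added example, not code from the thread or from Samba: parse the LDIF that
ldbsearch prints and flag RFC2307 gaps (user with uidNumber but no gidNumber,
primary group without gidNumber, user/group gidNumber mismatch).

Assumed command producing the input, run on the DC (filter and attribute list
are this example's choice, not the thread's):

  ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=ch' \\
    -s sub '(|(objectclass=user)(objectclass=group))' \\
    sAMAccountName objectSid primaryGroupID uidNumber gidNumber objectClass
"""
from typing import Dict, List

Record = Dict[str, List[str]]

# Constructed sample in the shape of ldbsearch output, trimmed to the attributes
# the audit needs. 'jd' mirrors the thread: uidNumber set, gidNumber absent.
SAMPLE_LDIF = """\
# record 1
dn: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
objectClass: user
sAMAccountName: jd
objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
primaryGroupID: 513
uidNumber: 11008

dn: CN=John Roe,OU=OFFICE,DC=samdom,DC=example,DC=ch
objectClass: user
sAMAccountName: jr
objectSid: S-1-5-21-4280320235-2980747731-3738778716-1117
primaryGroupID: 513
uidNumber: 11009
gidNumber: 10001

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=ch
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-4280320235-2980747731-3738778716-513
gidNumber: 10001

# returned 3 records
"""


def parse_ldif(text: str) -> List[Record]:
    """Split ldbsearch output into records of lower-cased attribute -> values.
    Handles '#' comments, blank-line separators, multi-valued attributes and
    LDIF folding (a continuation line starts with one space, as in the wrapped
    objectCategory lines quoted in the thread). Base64 ('::') values are kept
    verbatim; none of the attributes checked here use them."""
    records: List[Record] = []
    current: Record = {}
    last_key = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]  # folded continuation line
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip().lower()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        records.append(current)
    return records


def audit_rfc2307(records: List[Record]) -> List[str]:
    """Return one finding per problem. The primary group is the group whose
    objectSid is <domain SID>-<primaryGroupID>; it must carry gidNumber, and a
    user's own gidNumber, when present, should agree with it."""
    groups = {r["objectsid"][0]: r for r in records
              if "group" in (c.lower() for c in r.get("objectclass", []))}
    findings: List[str] = []
    for r in records:
        if "user" not in (c.lower() for c in r.get("objectclass", [])):
            continue
        name = r["samaccountname"][0]
        domain_sid = r["objectsid"][0].rsplit("-", 1)[0]
        if "uidnumber" not in r:
            findings.append(f"{name}: missing uidNumber")
        if "gidnumber" not in r:
            findings.append(f"{name}: missing gidNumber")
        rid = r.get("primarygroupid", [""])[0]
        group = groups.get(f"{domain_sid}-{rid}")
        if group is None:
            findings.append(f"{name}: primary group RID {rid or '?'} not in results")
        elif "gidnumber" not in group:
            findings.append(f"{name}: primary group {group['samaccountname'][0]} "
                            "has no gidNumber")
        elif "gidnumber" in r and r["gidnumber"][0] != group["gidnumber"][0]:
            findings.append(f"{name}: gidNumber {r['gidnumber'][0]} differs from "
                            f"primary group {group['samaccountname'][0]} "
                            f"gidNumber {group['gidnumber'][0]}")
    return findings


if __name__ == "__main__":
    for finding in audit_rfc2307(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Run against the sample it reports only "jd: missing gidNumber", which is the state Viktor's ldbsearch output shows: Domain Users carries gidNumber 10001, the user carries uidNumber 11008 and nothing for gidNumber. A user that is missing from the results altogether, or whose primaryGroupID points at a group that the query did not return, is reported rather than silently passed, so widen the search base if a finding mentions a RID that is not in the results.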
