[Samba] New AD user cannot access file share from member server

Viktor Trojanovic viktor at troja.ch
Mon Jun 19 13:50:48 UTC 2017


On 19 June 2017 at 15:31, lingpanda101 via samba <samba at lists.samba.org>
wrote:

> On 6/19/2017 9:12 AM, Viktor Trojanovic via samba wrote:
>
>> On 19 June 2017 at 14:56, Rowland Penny via samba <samba at lists.samba.org>
>> wrote:
>>
>> On Mon, 19 Jun 2017 14:46:34 +0200
>>> Viktor Trojanovic <viktor at troja.ch> wrote:
>>>
>>> On 19 June 2017 at 14:20, lingpanda101 via samba
>>>> <samba at lists.samba.org> wrote:
>>>>
>>>> On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:
>>>>>
>>>>> That's correct, I don't have "Unix Attributes" but through the
>>>>>> advanced view I have access to all attributes.
>>>>>>
>>>>>> The ldbsearch command is not returning anything in my case, it
>>>>>> gives me 0 records - no matter which user I try, even the
>>>>>> Administrator. I checked the
>>>>>> command several times to make sure there are no typos. I even
>>>>>> changed the objectclass from "person" to "user" to see if it makes
>>>>>> any difference but it doesn't.
>>>>>>
>>>>>> I tried both /var/lib/samba/sam.ldb
>>>>>> and /var/lib/samba/private/sam.ldb, and the environment
>>>>>> has LDB_MODULES_PATH set.
>>>>>>
>>>>>> I can easily look at the objects using the ADUC from the RSAT, not
>>>>>> sure why
>>>>>> this isn't working...
>>>>>>
>>>>>> On 19 June 2017 at 12:59, Rowland Penny via samba
>>>>>> <samba at lists.samba.org> wrote:
>>>>>>
>>>>>> On Mon, 19 Jun 2017 12:38:09 +0200
>>>>>>
>>>>>>> Viktor Trojanovic <viktor at troja.ch> wrote:
>>>>>>>
>>>>>>> Here is the DC's smb.conf:
>>>>>>>
>>>>>>>>
>>>>>>>> [global]
>>>>>>>>           workgroup = SAMDOM
>>>>>>>>           realm = SAMDOM.EXAMPLE.COM
>>>>>>>>           netbios name = DC
>>>>>>>>           interfaces = lo br-lxc
>>>>>>>>           bind interfaces only = Yes
>>>>>>>>           server role = active directory domain controller
>>>>>>>>           dns forwarder = 192.168.1.2
>>>>>>>>           idmap_ldb:use rfc2307 = yes
>>>>>>>>
>>>>>>>> [netlogon]
>>>>>>>>           path = /var/lib/samba/sysvol/samdom.example.com/scripts
>>>>>>>>           read only = No
>>>>>>>>
>>>>>>>> [sysvol]
>>>>>>>>           path = /var/lib/samba/sysvol
>>>>>>>>           read only = No
>>>>>>>>
>>>>>>>> Nothing wrong there
>>>>>>>
>>>>>>> I'm not sure what you mean by showing you the user's AD object,
>>>>>>> can
>>>>>>>
>>>>>>>> you elaborate?
>>>>>>>>
>>>>>>>> OK, install ldb-tools if not installed, then run this:
>>>>>>>
>>>>>>> ldbsearch -H /usr/local/samba/private/sam.ldb -b
>>>>>>> 'cn=users,dc=samdom,dc=example,dc=com' -s sub
>>>>>>> "(&(objectclass=person)(samaccountname=rowland))"
>>>>>>>
>>>>>>> Just in case it has got split up over multiple lines, the above
>>>>>>> should just be one line.
>>>>>>>
>>>>>>> Replace:
>>>>>>> /usr/local/samba/private/sam.ldb with the path to your sam.ldb
>>>>>>>
>>>>>>> dc=samdom,dc=example,dc=com with your dns/realm names
>>>>>>>
>>>>>>> rowland with your users name
>>>>>>>
>>>>>>> You should get something like this back:
>>>>>>>
>>>>>>> # record 1
>>>>>>> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>>>>>>> CN: Rowland Penny
>>>>>>> sn: Penny
>>>>>>> description: A Unix user
>>>>>>> givenName: Rowland
>>>>>>> instanceType: 4
>>>>>>> whenCreated: 20151109093821.0Z
>>>>>>> displayName: Rowland Penny
>>>>>>> uSNCreated: 3365
>>>>>>> name: Rowland Penny
>>>>>>> objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
>>>>>>> userAccountControl: 66048
>>>>>>> codePage: 0
>>>>>>> countryCode: 0
>>>>>>> homeDrive: H:
>>>>>>> pwdLastSet: 130915355010000000
>>>>>>> primaryGroupID: 513
>>>>>>> objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
>>>>>>> accountExpires: 0
>>>>>>> sAMAccountName: rowland
>>>>>>> sAMAccountType: 805306368
>>>>>>> userPrincipalName: rowland at samdom.example.com
>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>> uid: rowland
>>>>>>> msSFU30Name: rowland
>>>>>>> msSFU30NisDomain: samdom
>>>>>>> uidNumber: 10000
>>>>>>> gecos: Rowland Penny
>>>>>>> unixHomeDirectory: /home/rowland
>>>>>>> loginShell: /bin/bash
>>>>>>> memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
>>>>>>> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
>>>>>>> memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
>>>>>>> memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
>>>>>>> memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
>>>>>>> homeDirectory: \\MEMBER1\home\rowland
>>>>>>> objectClass: top
>>>>>>> objectClass: securityPrincipal
>>>>>>> objectClass: person
>>>>>>> objectClass: organizationalPerson
>>>>>>> objectClass: user
>>>>>>> gidNumber: 10000
>>>>>>> lastLogonTimestamp: 131418520439158520
>>>>>>> whenChanged: 20170613182723.0Z
>>>>>>> uSNChanged: 121030
>>>>>>> lastLogon: 131423412865104840
>>>>>>> logonCount: 633
>>>>>>> distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>>>>>>>
>>>>>>> # returned 1 records
>>>>>>> # 1 entries
>>>>>>> # 0 referrals
>>>>>>>
>>>>>>> Please post that, though you can sanitise it if you like, but if
>>>>>>> you do, use the same changes throughout.
>>>>>>>
>>>>>>> Samba is running on (Arch) Linux with Kernel 4.11. Clients are
>>>>>>>
>>>>>>>> Windows 10 with all the latest updates, I'm running the RSAT from
>>>>>>>> there.
>>>>>>>>
>>>>>>>> In which case you will not have 'Unix Attributes' tab in ADUC.
>>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>> Use this command, replacing my name with your username.
>>>>>>>
>>>>>> /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb
>>>>> -b 'dc=samdom,dc=example,dc=local' -s sub
>>>>> "(&(objectclass=person)(samaccountname=james))"
>>>>>
>>>>> Rowland was linking to the CN=users. Yours may not be located there.
>>>>>
>>>>>
>>>>> I could swear I tried this before, too, but it didn't give me any
>>>>> results.
>>>>>
>>>> Now all of a sudden it does. I must have made a mistake. It gives me
>>>> one entry and 3 referrals.
>>>>
>>>> [root at DC ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b
>>>> 'dc=samdom,dc=example,dc=ch' -s sub
>>>> "(&(objectclass=person)(samaccountname=jd))"
>>>> # record 1
>>>> dn: CN=First Last,OU=OFFICE,DC=samdom,DC=example,DC=ch
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> cn: Jane Doe
>>>> sn: Doe
>>>> givenName: Jane
>>>> instanceType: 4
>>>> whenCreated: 20170618195208.0Z
>>>> displayName: Jane Doe
>>>> uSNCreated: 26951
>>>> name: Jane Doe
>>>> objectGUID: e2df5086-fa25-4a25-93f2-d8f5e85a47e7
>>>> badPwdCount: 0
>>>> codePage: 0
>>>> countryCode: 0
>>>> badPasswordTime: 0
>>>> lastLogoff: 0
>>>> primaryGroupID: 513
>>>> objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
>>>> accountExpires: 9223372036854775807
>>>> sAMAccountName: jd
>>>> sAMAccountType: 805306368
>>>> userPrincipalName: jd at samdom.example.ch
>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=ch
>>>> userAccountControl: 512
>>>> msSFU30NisDomain: samdom
>>>> homeDrive: P:
>>>> homeDirectory: \\fileserver\users\jd
>>>> lastLogonTimestamp: 131422908301256970
>>>> pwdLastSet: 131422908304075720
>>>> uidNumber: 11008
>>>> whenChanged: 20170618203831.0Z
>>>> uSNChanged: 26964
>>>> lastLogon: 131423462588474750
>>>> logonCount: 49
>>>> distinguishedName: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
>>>>
>>> OK, glad we got that sorted out ;-)
>>>
>>> Your user 'Jane Doe' does not have a 'gidNumber' attribute, does
>>> 'Domain Users' have a 'gidNumber' attribute?
>>>
>>> It does, it's set to 10001.
>>
>> And none of the users have gidNumber set.
>>
>
> Is the user's primary group name/GID set as 'Domain Users'?
>
>
Yes. Primary - and only group.
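
As an added example (not code from the thread or from Samba), the script below parses the LDIF that ldbsearch prints, re-joining folded lines such as the wrapped objectCategory value above, and reports whether the user and its primary group (found by combining the domain SID with primaryGroupID) carry the RFC2307 uidNumber/gidNumber attributes that `idmap_ldb:use rfc2307 = yes` depends on. The user values come from the thread; the Domain Users record and the function names are constructed for the example.

```python
def parse_ldif(text):
    """Records as dicts of lowercased attribute -> values; folded lines re-joined, '#' lines skipped."""
    unfolded = text.replace("\n ", "")    # LDIF folding: newline + single space continues the line
    records, current = [], {}
    for line in unfolded.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        records.append(current)
    return records

def rfc2307_report(records, sam_account_name):
    """uidNumber/gidNumber of the user, and gidNumber of the group whose SID is <domain SID>-<primaryGroupID>."""
    user = next((r for r in records
                 if r.get("samaccountname", [""])[0].lower() == sam_account_name.lower()), None)
    if user is None:
        raise ValueError(f"no record with sAMAccountName {sam_account_name}")
    domain_sid, _rid = user["objectsid"][0].rsplit("-", 1)
    primary_sid = f"{domain_sid}-{user['primarygroupid'][0]}"
    group = next((r for r in records if r.get("objectsid", [""])[0] == primary_sid), None)
    return {
        "user_uidNumber": user.get("uidnumber", [None])[0],
        "user_gidNumber": user.get("gidnumber", [None])[0],
        "primary_group": group["samaccountname"][0] if group else None,
        "primary_group_gidNumber": group.get("gidnumber", [None])[0] if group else None,
    }

# Constructed sample: the thread's user record (abridged) plus a Domain Users record (constructed).
SAMPLE_LDIF = """\
# record 1
dn: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
sAMAccountName: jd
primaryGroupID: 513
objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=
 example,DC=ch
uidNumber: 11008

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=ch
sAMAccountName: Domain Users
objectSid: S-1-5-21-4280320235-2980747731-3738778716-513
gidNumber: 10001
"""
```

Running `rfc2307_report(parse_ldif(SAMPLE_LDIF), "jd")` shows the situation in the thread: the user has a uidNumber but no gidNumber, while the primary group carries gidNumber 10001.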
