[Samba] New AD user cannot access file share from member server

lingpanda101 lingpanda101 at gmail.com
Mon Jun 19 14:01:19 UTC 2017


On 6/19/2017 9:50 AM, Viktor Trojanovic wrote:
>
>
> On 19 June 2017 at 15:31, lingpanda101 via samba
> <samba at lists.samba.org> wrote:
>
>     On 6/19/2017 9:12 AM, Viktor Trojanovic via samba wrote:
>
>         On 19 June 2017 at 14:56, Rowland Penny via samba
>         <samba at lists.samba.org> wrote:
>
>             On Mon, 19 Jun 2017 14:46:34 +0200
>             Viktor Trojanovic <viktor at troja.ch> wrote:
>
>                 On 19 June 2017 at 14:20, lingpanda101 via samba
>                 <samba at lists.samba.org> wrote:
>
>                     On 6/19/2017 7:51 AM, Viktor Trojanovic via samba
>                     wrote:
>
>                         That's correct, I don't have "Unix Attributes"
>                         but through the
>                         advanced view I have access to all attributes.
>
>                         The ldbsearch command is not returning
>                         anything in my case, it
>                         gives me 0 records - no matter which user I
>                         try, even the
>                         Administrator. I checked the
>                         command several times to make sure there are
>                         no typos. I even
>                         changed the objectclass from "person" to
>                         "user" to see if it makes
>                         any difference but it doesn't.
>
>                         I tried both /var/lib/samba/sam.ldb
>                         and /var/lib/samba/private/sam.ldb, and the
>                         environment has LDB_MODULES_PATH set.
>
>                         I can easily look at the objects using the
>                         ADUC from the RSAT, not
>                         sure why
>                         this isn't working...
>
>                         On 19 June 2017 at 12:59, Rowland Penny via samba
>                         <samba at lists.samba.org> wrote:
>
>                         On Mon, 19 Jun 2017 12:38:09 +0200
>
>                             Viktor Trojanovic <viktor at troja.ch> wrote:
>
>                             Here is the DC's smb.conf:
>
>
>                                 [global]
>                                           workgroup = SAMDOM
>                                           realm = SAMDOM.EXAMPLE.COM
>                                           netbios name = DC
>                                           interfaces = lo br-lxc
>                                           bind interfaces only = Yes
>                                           server role = active directory domain controller
>                                           dns forwarder = 192.168.1.2
>                                           idmap_ldb:use rfc2307 = yes
>
>                                 [netlogon]
>                                           path = /var/lib/samba/sysvol/samdom.example.com/scripts
>                                           read only = No
>
>                                 [sysvol]
>                                           path = /var/lib/samba/sysvol
>                                           read only = No
>
>                             Nothing wrong there
>
>                             I'm not sure what you mean by showing you
>                             the user's AD object,
>                             can
>
>                                 you elaborate?
>
>                             OK, install ldb-tools if not installed,
>                             then run this:
>
>                             ldbsearch -H /usr/local/samba/private/sam.ldb -b 'cn=users,dc=samdom,dc=example,dc=com' -s sub "(&(objectclass=person)(samaccountname=rowland))"
>
>                             Just in case it has got split up over
>                             multiple lines, the above should be just
>                             one line.
>
>                             Replace:
>                             /usr/local/samba/private/sam.ldb with the
>                             path to your sam.ldb
>
>                             dc=samdom,dc=example,dc=com with your
>                             dns/realm names
>
>                             rowland with your users name
>
>                             You should get something like this back:
>
>                             # record 1
>                             dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>                             CN: Rowland Penny
>                             sn: Penny
>                             description: A Unix user
>                             givenName: Rowland
>                             instanceType: 4
>                             whenCreated: 20151109093821.0Z
>                             displayName: Rowland Penny
>                             uSNCreated: 3365
>                             name: Rowland Penny
>                             objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
>                             userAccountControl: 66048
>                             codePage: 0
>                             countryCode: 0
>                             homeDrive: H:
>                             pwdLastSet: 130915355010000000
>                             primaryGroupID: 513
>                             objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
>                             accountExpires: 0
>                             sAMAccountName: rowland
>                             sAMAccountType: 805306368
>                             userPrincipalName: rowland at samdom.example.com
>                             objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>                             unixUserPassword: ABCD!efgh12345$67890
>                             uid: rowland
>                             msSFU30Name: rowland
>                             msSFU30NisDomain: samdom
>                             uidNumber: 10000
>                             gecos: Rowland Penny
>                             unixHomeDirectory: /home/rowland
>                             loginShell: /bin/bash
>                             memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
>                             memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
>                             memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
>                             memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
>                             memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
>                             homeDirectory: \\MEMBER1\home\rowland
>                             objectClass: top
>                             objectClass: securityPrincipal
>                             objectClass: person
>                             objectClass: organizationalPerson
>                             objectClass: user
>                             gidNumber: 10000
>                             lastLogonTimestamp: 131418520439158520
>                             whenChanged: 20170613182723.0Z
>                             uSNChanged: 121030
>                             lastLogon: 131423412865104840
>                             logonCount: 633
>                             distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>
>                             # returned 1 records
>                             # 1 entries
>                             # 0 referrals
>
>                             Please post that, though you can sanitise
>                             it if you like, but if you do, use the same
>                             changes throughout.
>
>                                 Samba is running on (Arch) Linux with
>                                 Kernel 4.11. Clients are Windows 10 with
>                                 all the latest updates, I'm running the
>                                 RSAT from there.
>
>                             In which case you will not have a 'Unix
>                             Attributes' tab in ADUC.
>
>                             Rowland
>
>                             --
>                             To unsubscribe from this list go to the
>                             following URL and read the
>                             instructions:
>                             https://lists.samba.org/mailman/options/samba
>
>                             Use this command, replacing my name with
>                             your username.
>
>                     /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=local' -s sub "(&(objectclass=person)(samaccountname=james))"
>
>                     Rowland was linking to the CN=users. Yours may not
>                     be located there.
>
>
>                     I could swear I tried this before, too, but it
>                     didn't give me any
>                     results.
>
>                 Now all of a sudden it does. I must have made a
>                 mistake. It gives me
>                 one entry and 3 referrals.
>
>                 [root at DC ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=ch' -s sub "(&(objectclass=person)(samaccountname=jd))"
>                 # record 1
>                 dn: CN=First Last,OU=OFFICE,DC=samdom,DC=example,DC=ch
>                 objectClass: top
>                 objectClass: person
>                 objectClass: organizationalPerson
>                 objectClass: user
>                 cn: Jane Doe
>                 sn: Doe
>                 givenName: Jane
>                 instanceType: 4
>                 whenCreated: 20170618195208.0Z
>                 displayName: Jane Doe
>                 uSNCreated: 26951
>                 name: Jane Doe
>                 objectGUID: e2df5086-fa25-4a25-93f2-d8f5e85a47e7
>                 badPwdCount: 0
>                 codePage: 0
>                 countryCode: 0
>                 badPasswordTime: 0
>                 lastLogoff: 0
>                 primaryGroupID: 513
>                 objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
>                 accountExpires: 9223372036854775807
>                 sAMAccountName: jd
>                 sAMAccountType: 805306368
>                 userPrincipalName: jd at samdom.example.ch
>                 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=ch
>                 userAccountControl: 512
>                 msSFU30NisDomain: samdom
>                 homeDrive: P:
>                 homeDirectory: \\fileserver\users\jd
>                 lastLogonTimestamp: 131422908301256970
>                 pwdLastSet: 131422908304075720
>                 uidNumber: 11008
>                 whenChanged: 20170618203831.0Z
>                 uSNChanged: 26964
>                 lastLogon: 131423462588474750
>                 logonCount: 49
>                 distinguishedName: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
>
>             OK, glad we got that sorted out ;-)
>
>             Your user 'Jane Doe' does not have a 'gidNumber'
>             attribute; does 'Domain Users' have a 'gidNumber'
>             attribute?
>
>         It does, it's set to 10001.
>
>         And none of the users have gidNumber set.
>
>
>     Is the user's primary group name/GID set as 'Domain Users'?
>
>
> Yes. Primary - and only group.

I missed that as I was focused on a GID being present. Thanks. I wonder
if this has to do with the recent change to winbind in 4.6:

With 4.6, it will be possible to optionally use the primary group as
set in the "Unix Attributes" tab for the local unix token of a domain
user.  Before 4.6, the Windows primary group was always chosen as
primary group for the local unix token.

To activate the unix primary group, set

idmap config <DOMAIN> : unix_primary_group = yes

Similarly, set

idmap config <DOMAIN> : unix_nss_info = yes

to retrieve the home directory and login shell from the "Unix
Attributes" of the user. This supersedes the "winbind nss info"
parameter with a per-domain configuration option.

-- 
James
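The thread turns on which RFC2307 attributes are actually present on the user and on the Windows primary group, and on whether the member server is told to use them. The script below is an added example, not code from the thread or from the Samba project: it parses LDIF of the kind ldbsearch prints, derives the primary group's SID from the user's objectSid and primaryGroupID (so you can query that group with an objectSid filter instead of guessing its name), and reports which of uidNumber and gidNumber are absent. The two LDIF snippets are constructed to mirror the entry posted above; the comment about idmap_ad is an assumption about the member server's backend, which the thread does not state. Whether a missing gidNumber on the user matters depends on the unix_primary_group setting quoted above, which defaults to off.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): check the RFC2307
# attributes that feed the unix token on a member server, using LDIF in the
# form ldbsearch prints. In production, capture real output instead, e.g.
#   ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=ch' \
#       -s sub "(&(objectclass=person)(samaccountname=jd))"
# and fetch the primary group by the SID this script derives:
#   ldbsearch -H /var/lib/samba/private/sam.ldb -s sub "(objectSid=S-1-5-21-...-513)"
# The two LDIF snippets below are constructed to mirror the entry in the thread.

USER_LDIF='dn: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
sAMAccountName: jd
primaryGroupID: 513
objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
uidNumber: 11008'

GROUP_LDIF='dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=ch
objectSid: S-1-5-21-4280320235-2980747731-3738778716-513
gidNumber: 10001'

# ldif_attr LDIF NAME: print the first value of attribute NAME (attribute
# names are matched case-insensitively, as LDAP does); prints nothing if absent.
ldif_attr() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { n = index($0, ": ")
          if (n > 0 && tolower(substr($0, 1, n - 1)) == want) { print substr($0, n + 2); exit } }'
}

# primary_group_sid USER_LDIF: the Windows primary group SID is the domain SID
# (the user's objectSid with its trailing RID removed) followed by primaryGroupID.
primary_group_sid() {
    sid=$(ldif_attr "$1" objectSid)
    rid=$(ldif_attr "$1" primaryGroupID)
    [ -n "$sid" ] && [ -n "$rid" ] || return 1
    printf '%s-%s\n' "${sid%-*}" "$rid"
}

# missing_unix_attrs USER_LDIF GROUP_LDIF: space-separated list of findings.
#   user:uidNumber          user cannot be mapped at all (assumes idmap_ad backend)
#   user:gidNumber          only a problem when unix_primary_group = yes
#   primarygroup:gidNumber  the Windows primary group cannot be mapped either
#   primarygroup:sid-mismatch  GROUP_LDIF is not the user's primary group
missing_unix_attrs() {
    problems=""
    [ -n "$(ldif_attr "$1" uidNumber)" ] || problems="$problems user:uidNumber"
    [ -n "$(ldif_attr "$1" gidNumber)" ] || problems="$problems user:gidNumber"
    [ -n "$(ldif_attr "$2" gidNumber)" ] || problems="$problems primarygroup:gidNumber"
    expected=$(primary_group_sid "$1") || return 1
    [ "$(ldif_attr "$2" objectSid)" = "$expected" ] || problems="$problems primarygroup:sid-mismatch"
    printf '%s\n' "${problems# }"
}

report=$(missing_unix_attrs "$USER_LDIF" "$GROUP_LDIF")
if [ -z "$report" ]; then
    echo "all RFC2307 attributes present"
else
    echo "missing/inconsistent: $report"
fi
```

With the constructed input this prints "missing/inconsistent: user:gidNumber", which is exactly the state Rowland spotted: the user maps (uidNumber present), the Windows primary group maps (gidNumber 10001 on Domain Users), and the only gap is the user's own gidNumber, which winbind consults only when unix_primary_group is enabled.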
