[Samba] Samba 4.5.8 ADS user not showing in directory tree - chown "invalid user"

Rowland Penny rpenny at samba.org
Fri May 19 10:42:06 UTC 2017


On Fri, 19 May 2017 11:49:26 +0200
Franz Gansberger via samba <samba at lists.samba.org> wrote:

> Hi,
> I'm currently working on evaluating an AD-Domain for my Department.
> Since I have a couple of years' experience in running an NT-Style Domain,
> my choice is samba - nowadays AD-DS.
> 
> Now I'm stuck, and I would really appreciate some more thoughts and a
> push in the right direction. :-) 
> 
> Thank you in advance
> Franz
> 
> 
> The facts:
> A quick test installation is working as expected - Debian Jessie,
> Samba 4.2.14 from official repository. A wbinfo -u lists domain
> users, and I can chown as necessary. Of course, the list is without
> the Realm in front.
> 
> # wbinfo -u
> demo1
> administrator
> krbtgt
> 
> Over to the designated production server, which behaves differently:
> Here I have a Stretch with Samba 4.5.8, also from the standard repos
> deb http://ftp.de.debian.org/debian stretch main
> deb-src http://ftp.de.debian.org/debian stretch main
> 
> These commands are all executed on the PDC.

Please don't call it a PDC, your old machine was a PDC, your new one is
just a DC and if you add any other DCs, they will be just a DC as
well ;-)

> 
> 
> The same command produces different output:
> # wbinfo -u
> H955\administrator
> H955\krbtgt
> H955\guest
> H955\demo1
> 
> I get the mentioned error on chown - invalid user.

OK, 'wbinfo' == this is a Windows user or group
You need to use 'getent passwd username' or 'getent group groupname' 
If either of the above commands doesn't produce output, the user or
group is unknown to the OS.
 
> 
> ls produces this - UIDs are correct.
> 
> #ls -al
> total 56
> drwxrwxrwx  8 root    root  4096 May 19 10:03 .
> drwxr-xr-x  3 root    root  4096 May  8 15:36 ..
> 
> drwxrwxr-x+ 2 3000019 users 4096 May 19 09:40 demo1
> drwxrwxr-x+ 2 3000019 users 4096 May 19 10:03 demo1_new
> drwxrwxr-x+ 2 3000000 users 4096 May 18 16:12 admin

Who is '3000019' ?
You can find out by running ldbedit on idmap.ldb and then searching for
'3000019'
'users' is correct, Domain Users is mapped to 'users' in idmap.ldb

> 
> 
> Here's my system environment:
> # uname -a
> Linux vw-ads 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30)
> x86_64 GNU/Linux
> 
> # samba -V
> Version 4.5.8-Debian
> 
> #samba-tool domain provision --server-role=dc --use-rfc2307
> --dns-backend=SAMBA_INTERNAL --realm=H955.TEST.AC.AT --domain=H955
> --adminpass=passw0rd
> 
> #net rpc rights grant 'H955\Domain Admins' SeDiskOperatorPrivilege
> -Uadministrator
> 
> 
> # cat /etc/samba/smb.conf
> # Global parameters
> [global]
> 	    netbios name = VW1-ADS
> 	    realm = H955.TEST.AC.AT
> 	    workgroup = H955
> 	    dns forwarder = 8.8.8.8
> 	    server role = active directory domain controller
> 	    idmap_ldb:use rfc2307 = yes
> 
> [netlogon]
> 	    path = /data/data-nfs-vw/netlogon-ads/
> 	    read only = No
> 
> [sysvol]
> 	    path = /var/lib/samba/sysvol
> 	    read only = No
> 
> [profiles]
> comment = Roaming Profiles
> path = /data/data-nfs-vw/profiles-ads/
> writeable = yes
> store dos attributes = yes
> profile acls = yes
> csc policy = disable

You can remove the above three lines, they do nothing on a DC.

> 
> 
> [test]
> path = /data/data/test
> writeable = yes
> 
> 
> # locate libnss_winbind.so
> /lib/x86_64-linux-gnu/libnss_winbind.so
> /lib/x86_64-linux-gnu/libnss_winbind.so.2
> /lib64/libnss_winbind.so
> /lib64/libnss_winbind.so.2
> 
>  #ls -al /etc/krb5.conf
> lrwxrwxrwx 1 root root 32 May 16 20:40 /etc/krb5.conf
> -> /var/lib/samba/private/krb5.conf
> 
> # cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> 
> passwd: files winbind
> group:  files winbind
> passwd:		 compat
> group:		  compat

You seem to have 'passwd' and 'group' twice, remove the second two, the
first is correct.

Do you have these packages installed:
libpam-winbind libpam-krb5 libnss-winbind

Rowland
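
The nsswitch.conf problem pointed out in the reply above can be checked mechanically. The following is an added example, not part of the original message or of Samba: the helper names check_nsswitch and sample_nsswitch are hypothetical, and the sample input is constructed from the file quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). check_nsswitch and sample_nsswitch are
# hypothetical helper names. check_nsswitch reads an nsswitch.conf on stdin,
# prints one finding per line, and returns 0 when clean, 1 otherwise.
check_nsswitch() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        {
            sub(/:/, ": ")                    # tolerate "passwd:files" (re-splits fields)
            db = $1
            if (db != "passwd:" && db != "group:") next
            sub(/:$/, "", db)
            if (++seen[db] > 1) {             # same database configured twice
                printf "DUPLICATE %s line %d\n", db, NR
                bad = 1
            }
            for (i = 2; i <= NF; i++)
                if ($i == "winbind") wb[db] = 1
        }
        END {
            n = split("passwd group", dbs, " ")
            for (k = 1; k <= n; k++)
                if (!(dbs[k] in wb)) {        # winbind never listed for this database
                    printf "NO_WINBIND %s\n", dbs[k]
                    bad = 1
                }
            exit bad + 0
        }
    '
}

# Constructed sample: the nsswitch.conf quoted in the thread.
sample_nsswitch() {
    cat <<'EOF'
# /etc/nsswitch.conf

passwd: files winbind
group:  files winbind
passwd:   compat
group:    compat
EOF
}

# Demo: report the findings for the sample file.
sample_nsswitch | check_nsswitch || true
```

Against a live system, run `check_nsswitch < /etc/nsswitch.conf`, then confirm name resolution with 'getent passwd username' as described in the reply.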




