[Samba] Antw: Re: Samba 4.5.8 ADS user not showing in directory tree - chown "invalid user"
Franz Gansberger
franz.gansberger at boku.ac.at
Fri May 19 12:08:40 UTC 2017
Hi Rowland,
thank you for your almost immediate answer, and your tips. :-)
And well - it is solved now. :-))
I've overlooked this ridiculously obvious double entry in the nsswitch.conf.
After correcting this mistake a
# getent passwd demo1
resolves to
H955\demo1:*:3000019:100:demo1:/home/H955/demo1:/bin/false
So directory listing is now more human readable, and 3000019 is displayed as demo1
# ls -al
total 56
drwxrwxrwx 8 root root 4096 May 19 10:03 .
drwxr-xr-x 3 root root 4096 May 8 15:36 ..
drwxrwxr-x+ 2 H955\demo1 users 4096 May 19 09:40 demo2
drwxrwxr-x+ 2 H955\demo1 users 4096 May 19 10:03 demo1_new
drwxrwxr-x+ 2 BUILTIN\administrators users 4096 May 18 16:12 admin
Good. :-)
Nonetheless the packages
libpam-winbind libpam-krb5
are not installed - yet.
Thank you for doing this great job!!
Franz
>>> Rowland Penny <rpenny at samba.org> 19.05.2017 12:42 >>>
On Fri, 19 May 2017 11:49:26 +0200
Franz Gansberger via samba <samba at lists.samba.org> wrote:
> Hi,
> I'm currently working on evaluating an AD-Domain for my Department.
> Since I have a couple of years' experience in running an NT-Style Domain,
> my choice is samba - nowadays AD-DS.
>
> Now I'm stuck, and I would really appreciate some more thoughts and a
> push in the right direction. :-)
>
> Thank you in advance
> Franz
>
>
> The facts:
> A quick test installation is working as expected - Debian Jessie,
> Samba 4.2.14 from official repository. A wbinfo -u lists domain
> users, and I can chown as necessary. Of course, the list is without
> the Realm in front.
>
> # wbinfo -u
> demo1
> administrator
> krbtgt
>
> Over to the designated production server, which behaves differently:
> Here I have a Stretch with Samba 4.5.8, also from the standard reps
> deb http://ftp.de.debian.org/debian stretch main
> deb-src http://ftp.de.debian.org/debian stretch main
>
> These commands are all executed on the PDC.
Please don't call it a PDC, your old machine was a PDC, your new one is
just a DC and if you add any other DCs, they will be just a DC as
well ;-)
>
>
> The same command produces different output:
> # wbinfo -u
> H955\administrator
> H955\krbtgt
> H955\guest
> H955\demo1
>
> I get the mentioned error on chown - invalid user.
OK, 'wbinfo' == this is a Windows user or group
You need to use 'getent passwd username' or 'getent group groupname'
If either of the above commands doesn't produce output, the user or
group is unknown to the OS.
>
> ls produces this - uids are correct.
>
> #ls -al
> total 56
> drwxrwxrwx 8 root root 4096 May 19 10:03 .
> drwxr-xr-x 3 root root 4096 May 8 15:36 ..
>
> drwxrwxr-x+ 2 3000019 users 4096 May 19 09:40 demo1
> drwxrwxr-x+ 2 3000019 users 4096 May 19 10:03 demo1_new
> drwxrwxr-x+ 2 3000000 users 4096 May 18 16:12 admin
Who is '3000019' ?
You can find out by running ldbedit on idmap.ldb and then searching for
'3000019'
'users' is correct, Domain Users is mapped to 'users' in idmap.ldb
>
>
> Here's my system environment:
> # uname -a
> Linux vw-ads 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30)
> x86_64 GNU/Linux
>
> # samba -V
> Version 4.5.8-Debian
>
> #samba-tool domain provision --server-role=dc --use-rfc2307
> --dns-backend=SAMBA_INTERNAL --realm=H955.TEST.AC.AT --domain=H955
> --adminpass=passw0rd
>
> #net rpc rights grant 'H955\Domain Admins' SeDiskOperatorPrivilege
> -Uadministrator
>
>
> # cat /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = VW1-ADS
> realm = H955.TEST.AC.AT
> workgroup = H955
> dns forwarder = 8.8.8.8
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /data/data-nfs-vw/netlogon-ads/
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [profiles]
> comment = Roaming Profiles
> path = /data/data-nfs-vw/profiles-ads/
> writeable = yes
> store dos attributes = yes
> profile acls = yes
> csc policy = disable
You can remove the above three lines, they do nothing on a DC.
>
>
> [test]
> path = /data/data/test
> writeable = yes
>
>
> # locate libnss_winbind.so
> /lib/x86_64-linux-gnu/libnss_winbind.so
> /lib/x86_64-linux-gnu/libnss_winbind.so.2
> /lib64/libnss_winbind.so
> /lib64/libnss_winbind.so.2
>
> #ls -al /etc/krb5.conf
> lrwxrwxrwx 1 root root 32 May 16 20:40 /etc/krb5.conf
> -> /var/lib/samba/private/krb5.conf
>
> # cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
>
> passwd: files winbind
> group: files winbind
> passwd: compat
> group: compat
You seem to have 'passwd' and 'group' twice, remove the second two, the
first is correct.
Do you have these packages installed:
libpam-winbind libpam-krb5 libnss-winbind
Rowland
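
A check for the fault that turned out to be the cause in this thread, added here as an example and not part of the original messages: it flags any database defined on more than one line of an nsswitch.conf and shows which of those lines omit winbind. The function names are hypothetical; the sample file is the nsswitch.conf quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): lint an nsswitch.conf for the fault
# found above, a database such as passwd or group defined on two lines.

# Print every database name that appears on more than one line.
nss_dup_databases() {
    awk -F: '
        { sub(/#.*/, "") }                      # strip comments
        NF >= 2 {
            db = $1; gsub(/[ \t]/, "", db)      # database name before the colon
            if (db != "" && ++seen[db] == 2) print db
        }' "$1"
}

# Print "lineno:line" for each line of database $2 that does not list
# winbind; if such a line is the one in effect, domain accounts stay unresolved.
nss_lines_without_winbind() {
    awk -F: -v want="$2" '
        { sub(/#.*/, "") }
        NF >= 2 {
            db = $1; gsub(/[ \t]/, "", db)
            svc = " " substr($0, index($0, ":") + 1) " "
            if (db == want && svc !~ /[ \t]winbind[ \t]/) print NR ":" $0
        }' "$1"
}

# Write the nsswitch.conf quoted in the thread to the file named in $1.
write_thread_sample() {
    cat > "$1" <<'EOF'
# /etc/nsswitch.conf

passwd: files winbind
group: files winbind
passwd: compat
group: compat
EOF
}

sample=$(mktemp)
write_thread_sample "$sample"
for db in $(nss_dup_databases "$sample"); do
    echo "duplicate database: $db"
    nss_lines_without_winbind "$sample" "$db" | sed 's/^/  no winbind -> line /'
done
rm -f "$sample"
```

On a live system, pass /etc/nsswitch.conf to the two functions and confirm the result with 'getent passwd username', as suggested in the reply.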