[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.

Rowland Penny rpenny at samba.org
Mon Apr 1 16:05:51 UTC 2019

On Mon, 1 Apr 2019 16:03:59 +0100
Stephen via samba <samba at lists.samba.org> wrote:

> Cheers, that fixed it! :O) So, if I may summarise what we have just
> discussed.
> 1) All newly created samba users need to have the uidNumber attribute 
> set to a unique value (within the range specified in smb.conf for 
> SAMDOM) when using ad backend with RFC2307.
> 2) All new groups need to have the gidNumber set to a unique value 
> (within the range specified in smb.conf for SAMDOM) when using ad 
> backend with RFC2307.
> 3) Don't delete group Everyone - even though the Windows UI will let
> you do this it will actually break your file permissions :(
> Could I possibly ask you a couple of further related questions about 
> this uidnumber and gidnumber issue please?
> 1) Previously I found I could access the share I created as 
> SAMDOM/Administrator. However when I checked using Windows RSAT ADUC 
> there is apparently no uidNumber set for this Administrator account
> by default. Is that what you would expect to see, presumably I do not
> need to supply uidNumbers for built-in default accounts?

If you were to check on a Samba DC, you would find that Administrator
does have a Unix ID: it is '0'. Does this look familiar?
To answer your question fully, yes, it is expected for 'Administrator'
to not have a uidNumber attribute.

> 2) I originally created SAMDOM/stephenellwood at the DC
> command-line like so:
> sudo samba-tool user add your_domain_user --given-name=your_name 
> --surname=your_username --mail-address=your_domain_user at tecmint.lan 
> --login-shell=/bin/bash
> The Samba docs here https://wiki.samba.org/index.php/Idmap_config_ad 
> appear to suggest that the syntax I have used for my account creation 
> command above is essentially incomplete given that I have also
> specified winbind nss info = rfc2307 in my smb.conf.
> I am pretty sure that I need to add some extra command-line switches
> to my example above to specify UID, home directory path, and primary
> group at account creation time as per the docs. Unfortunately though
> man samba-tool does not provide a full list of supported samba-tool
> user create command-line switches.

Yes, 'man samba-tool' could do with some love ;-)
You can find out just what there is available with:

samba-tool user create --help

Though there is a bit of a strange problem (if 'problem' is the right
word). In the examples there is this:

samba-tool user create User5 passw5rd --nis-domain=samdom --unix-home=/home/User5 --uid-number=10005 --login-shell=/bin/false --gid-

Example5 shows how to create an RFC2307/NIS domain enabled user account. If
--nis-domain is set, then the other four parameters are mandatory.

Yes, if you do set '--nis-domain', you have to set '--unix-home',
'--uid-number', '--login-shell' and '--gid-number'. However, if any or
all of those are set, there is no need to set '--nis-domain' ;-)

> What syntax would you recommend
> that I use for creating new users in my situation with samba-tool
> user create Rowland?

This is totally dependent on just what your needs are: do you need
users to log into Unix fileservers or workstations, or do you just need
users to store files on a Samba Unix domain member (aka fileserver)?

> I do realise creating users in this fashion means having to track the 
> last-used uidNumber manually somehow and thus might not be regarded
> as best practice.

If you have access to Windows 7 and ADUC, you can use the Unix
Attributes tab to manage your users etc. Otherwise you will need to
write your own scripts around samba-tool or ldb-tools; whilst the two
attributes that Windows uses to track the next uidNumber & gidNumber
(msSFU30MaxUidNumber & msSFU30MaxGidNumber) are not in Samba AD, the
framework to store them is.

> 3) Related to point two, had I instead created user 
> SAMDOM/stephenellwood using the Windows RSAT ADUC tools would
> sensible uidNumber and gidNumber values have been chosen
> automatically potentially avoiding this entire problem?
> The Samba docs here
> (https://wiki.samba.org/index.php/Idmap_config_ad) are a little
> unclear about this point. They say "When using the ADUC utility, the
> user and group IDs are automatically tracked inside AD and
> incremented when creating a new user or group."

If you are using ADUC and use the Unix Attributes tab, it normally
defaults to starting the Unix IDs at 10000 and then stores the next ID
in AD.

> The problem is I am unsure if userID == uidNumber, and likewise
> groupID = gidNumber or if these are actually different parameters.

Active Directory uses a SID-RID to identify accounts; these accounts
can be a user, group or computer etc. To AD they are all the same. The
SID identifies the domain and all objects use the same one; it is the
RID that is unique. Unix knows nothing of these SID-RIDs; this is
where the RFC2307 attributes come in. Unix uses UIDs & GIDs, and
winbind will, if using the 'ad' backend, search AD for the user's
uidNumber attribute and, if found, return this as the user's Unix ID
(UID). What all this means is that on Windows, a user can (and usually
will) have one ID number and on Unix a totally different ID number.

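The thread leaves the "write your own scripts around samba-tool or ldb-tools" part as an exercise. Here is an added example of such a script (not Samba project code and not from either poster): it reads the idmap range for the domain out of smb.conf, takes the highest uidNumber already present in the directory, and creates the user with the four RFC2307 switches quoted from the samba-tool help text. It assumes sam.ldb is at /var/lib/samba/private/sam.ldb, smb.conf is at /etc/samba/smb.conf, and the caller supplies the gidNumber of an existing group.

```shell
#!/bin/sh
# Added example (not the Samba project's code): allocate the next free
# uidNumber inside the smb.conf idmap range and create an RFC2307 user.
# Assumed paths: /etc/samba/smb.conf and /var/lib/samba/private/sam.ldb.

# Print "LOW HIGH" from a line 'idmap config DOM : range = LOW-HIGH';
# smb.conf text is read on stdin, $1 is the domain name (e.g. SAMDOM).
idmap_range() {
    r=$(grep -i "idmap config *$1 *: *range" | head -n 1 |
        sed 's/.*=[[:space:]]*//' | tr '-' ' ')
    [ -n "$r" ] || { echo "no idmap range for $1 in smb.conf" >&2; return 1; }
    echo "$r"
}

# Existing uidNumbers arrive on stdin, one per line. Print the highest
# value inside [LOW,HIGH] plus one, or LOW when none is in range, and
# fail once the range is exhausted so samba-tool never gets an ID that
# winbind would refuse to map.
next_uid() {
    max=$(grep -E '^[0-9]+$' | awk -v lo="$1" -v hi="$2" \
        '$1 >= lo && $1 <= hi && $1 > m { m = $1 } END { if (m) print m }')
    if [ -z "$max" ]; then next=$1; else next=$((max + 1)); fi
    if [ "$next" -gt "$2" ]; then
        echo "idmap range $1-$2 exhausted" >&2; return 1
    fi
    echo "$next"
}

# Usage: create_rfc2307_user USERNAME DOMAIN GIDNUMBER
# GIDNUMBER must already be set on a group (point 2 of the summary above).
create_rfc2307_user() {
    user=$1; dom=$2; gid=$3
    range=$(idmap_range "$dom" < /etc/samba/smb.conf) || return 1
    low=${range% *}; high=${range#* }
    uid=$(ldbsearch -H /var/lib/samba/private/sam.ldb '(uidNumber=*)' uidNumber |
          sed -n 's/^uidNumber: //p' | next_uid "$low" "$high") || return 1
    # The four switches the help text says go together; samba-tool
    # prompts for the password because none is passed on the command line.
    samba-tool user create "$user" --uid-number="$uid" --gid-number="$gid" \
        --unix-home="/home/$user" --login-shell=/bin/bash
}
```

The search-then-create step is not atomic, so run the script from one place at a time; two admins creating users concurrently could still be handed the same uidNumber.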