[Samba] Permission issue

Rowland Penny rpenny at samba.org
Fri Feb 8 13:03:45 UTC 2019


On Fri, 8 Feb 2019 12:12:34 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
> 
> The user's ID range would have been below 3600, the current max rid
> is 3506
> 
> The links have been setup following this link, then restarted the
> samba-ad-dc service
> 
> https://wiki.samba.org/index.php/Libnss_winbind_Links
> 
> 
> I followed the following to configure the winbindd stuff,
> 
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> 
> 
> template shell = /bin/bash
> template homedir = /home/%U
> 
> 9833 pts/0    S+     0:00                      \_ grep --color=auto
> winbind 17196 ?        Ss     0:00  |   \_ /usr/sbin/winbindd -D
> --option=server role check:inhibit=yes --foreground 17199 ?
> S      0:01  |       \_ /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
> 
> 
> 
> Regards,
> 
> Praveen
> 
> 
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Rowland Penny via samba Sent: Friday, 8 February 2019 8:01 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Permission issue
> 
> On Fri, 8 Feb 2019 06:22:05 +0000
> Praveen Ghimire via samba <samba at lists.samba.org> wrote:
> 
> > Hi,
> > 
> > We did a classicupgrade of our Ubuntu Server (4.3.11, TDB), the
> > server DC5 also host shares. Post the migration we are seeing some
> > permission issues.
> > 
> > When trying to give permission to a domain group/user to
> > folder/file we get the following
> > 
> > chown "LIN\\myadmin:LIN\\adgroup" adtest/
> > chown: invalid user: 'LIN\\myadmin:LIN\\adgroup'
> > 
> > wbinfo --ping-dc : checking the NETLOGON for domain[LIN] dc
> > connection to "dc5.LIN.group" succeeded
> > 
> > The getent group comes up with no results getent group
> > "LIN\\adgroup" getent passwd "LIN\\mygroup"
> > 
> > 
> > Here is the smb.conf
> > 
> >         workgroup = LIN
> >         realm = LIN.GROUP
> >         netbios name = dc5
> >         server role = active directory domain controller
> >         idmap_ldb:use rfc2307 = yes
> >         log file = /var/log/samba/log.%m
> >         log level = 1
> > 
> >         winbind nss info = rfc2307
> > 
> >         idmap config * : backend = tdb
> >         idmap config * : range = 4000-7999
> >         idmap config LIN:backend = ad
> >         idmap config LIN:schema_mode = rfc2307
> >         idmap config LIN:range = 10000-999999
> 
> OK, you classicupgraded your NT4-style PDC to an AD DC, did your
> users have ID's in the '10000-999999' range before the upgrade ?
> 
> Have you set up the libnss-winbind links ?
>  
> Rowland
> 
> > 
> >         vfs objects = acl_xattr
> >         map acl inherit = yes
> >         store dos attributes = yes
> > 
> >         # Template settings for login shell and home directory
> >         template shell = /bin/bash
> >         template homedir = /home/%U
> > 
> > 
> > here is nsswitch.conf
> > passwd:         files winbind
> > group:          files winbind
> > shadow:         compat
> > 
> > 
> > If the group in question exist in /etc/group it works, because it
> > is local. But if the group is new or if the group has been removed
> > from /etc/group and AD it doesn't.
> > 
> > We have added the SeDiskOperatorPrivilege to the user making the
> > chown calls.
> > 
> > Any suggestions?

Yes, lets rewind this conversation, Whilst concentrating on the range,
I totally missed the fact you were doing this on a DC :-(

So, remove these lines:

        winbind nss info = rfc2307

        idmap config * : backend = tdb
        idmap config * : range = 4000-7999
        idmap config LIN:backend = ad
        idmap config LIN:schema_mode = rfc2307
        idmap config LIN:range = 10000-999999

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

Did you miss the warning at the top of this wiki page:

https://wiki.samba.org/index.php/Idmap_config_ad

ID mapping back ends are not supported in the smb.conf file on a Samba
Active Directory (AD) domain controller (DC).

Rowland




More information about the samba mailing list