[Samba] Samba 4 users - UID/GID - or how to migrate

Rowland Penny rpenny at samba.org
Mon Jan 14 09:48:34 UTC 2019


On Sun, 13 Jan 2019 23:11:53 +0100
Anton Blau via samba <samba at lists.samba.org> wrote:

> On 13.01.2019 at 22:40, Rowland Penny via samba wrote:
> > On Sun, 13 Jan 2019 21:41:39 +0100
> > Anton Blau via samba <samba at lists.samba.org> wrote:
> >
> >> On 13.01.2019 at 20:41, Rowland Penny via samba wrote:
> >>> On Sun, 13 Jan 2019 20:22:22 +0100
> >>> Anton Blau via samba <samba at lists.samba.org> wrote:
> >>>
> >>>
> Rowland - thank you for your super help.
> > So, you only have the DC running in container but you do not want
> > to run another container with a Unix domain member in it. This does
> > not make sense, why not just run the DC on the computer without all
> > the bother of the container ?
> 
> 
> The server is a Proxmox/KVM system. I thought it was a good idea to
> put the fileserver, like all the other server daemons (mail, ...), in
> an LXC.

Yes, but you don't appear to be using a separate fileserver; you are
using the DC as a fileserver, and there are problems with doing this,
which is why it isn't recommended.
> 
> 
> > Where did all those lines in your smb.conf come from ?
> 
> I posted the output of "testparm".

Please don't, just post what is there.

> 
> This is the /etc/samba/smb.conf
> 
> [global]
>          netbios name = FILESERVER
>          realm = SMBDOMAIN.DUCK
>          workgroup = SMBDOMAIN
>          dns forwarder = 192.168.1.254
>          server role = active directory domain controller
>          idmap_ldb:use rfc2307 = yes
> 
>    printing = bsd
>    load printers = no
>    printcap name = /dev/null
>    disable spoolss = yes
> 
> [Allgemein]
>     comment = Fuer jeden User zugreifbares Verzeichnis
>     path = /srv/user
>     public = yes
>     browseable = yes
>     writeable = yes
>     read only = no
>     create mode = 0777
>     create mask = 0777
>     directory mask = 0777

Remember what I said about problems using a DC as a fileserver? Well,
the above share is a prime example of one of them. You cannot use POSIX
ACLs on a DC, you must use Windows ACLs, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Your share needs to be just this:

[Allgemein]
    comment = Fuer jeden User zugreifbares Verzeichnis
    path = /srv/user
    read only = no

> 
> #[home]
> # comment = Home Directories
> #  path = /home/%D/%U
> #  read only = no
> 
> [Daten]
>    comment = Daten
>    path = /srv
>    read only = no
> 
> [netlogon]
>          path = /var/lib/samba/sysvol/smbdomain.duck/scripts
>          read only = No
> 
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> 
> 
> > By default, a Samba AD DC is only used for authentication and it
> > isn't set up to allow users to login or connect. To allow this on a
> > Debian computer, you need to install the libpam-winbind,
> > libnss-winbind and libpam-krb5 packages, you will also have to
> > change /etc/nsswitch, so that the passwd and group lines look like
> > this:
> >
> > passwd:         compat winbind
> > group:          compat winbind
> >
> I added this:
> 
> /etc/nsswitch.conf
> 
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> (other lines unchanged).
> 
> 
> > You should then be able to run 'getent passwd AN_AD_USER' and get
> > something like this:
> >
> > root at dc4:~# getent passwd rowland
> > SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> 
> I get
> 
> root at fileserver:~# getent passwd testuser
> SMBDOMAIN\testuser:*:501:100::/home/SMBDOMAIN/testuser:/bin/false

Well, that shows that your users are now known to the underlying OS.

> 
> 
> root at fileserver:~# ls /srv/user -la
> total 2259116
> drwxrwxrwx  6 SMBDOMAIN\testuser users         24 Jan 13 13:26 .
> drwxr-xr-x 11 root              root          11 Jan 13 14:40 ..
> drwx------  2 SMBDOMAIN\testuser users          7 Jan 13 13:26 .Papierkorb
> -rw-r--r--  1              1000  1002    1327771 Nov 11 15:14 test.pdf
> drwxr-xr-x  2 SMBDOMAIN\testuser users         18 Nov  4 15:44 Englisch Passiv Übungen
> -rwxrwxr--  1              1012  1012      15593 Aug 12  2017 Checkliste.dotx
> 
> But if I try to connect from Win 10 I get the error message: Auf
> \\fileserver.duck\Allgemein kann nicht zugegriffen werden ...

For those of us that do not speak German (isn't google great):

On \\fileserver.duck\Allgemein can not be accessed ...

The above shows three problems: you have data that belongs to users and
groups that are unknown to the DC, e.g. user 1012. You seem to have
users and groups with the same name, e.g. user 1012 & group 1012; this
isn't allowed in AD. Finally, you cannot connect; I think the fix for
this is fairly easy, add this line to smb.conf:

    template shell = /bin/bash

and restart Samba.

Rowland

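Added example, not code from this thread or from the Samba project: a small audit script that checks a host for the four things Rowland's reply points at. It flags POSIX-mode and guest parameters on the shares of an AD DC (which should be managed as Windows ACLs instead), a missing "template shell" in [global] on a DC, passwd/group lines in nsswitch.conf that do not consult winbind, and files under a share whose owner or group the OS cannot resolve (the numeric 1000/1012 entries in the listing above). It assumes a POSIX shell with awk, find and mktemp; the parameter list in POSIX_MODE_PARAMS and the finding texts are my own choices, and the sample smb.conf and nsswitch.conf files written by write_samples are constructed from the configuration quoted in the thread, not read from any real host.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba). Audits a Samba host for
# the problems discussed above. Assumes POSIX sh, awk, find and mktemp.

# Share parameters that set POSIX modes or guest access. On an AD DC the advice
# in the thread is to drop these and manage permissions as Windows ACLs.
# (This list is an assumption of the example, not an official Samba list.)
POSIX_MODE_PARAMS='create mode|create mask|directory mode|directory mask|force create mode|force directory mode|public|guest ok'

# audit_smb_conf FILE: prints one "<section>: <reason>" line per finding.
# Returns 0 when clean or when the host is not a DC, 1 when something is flagged.
audit_smb_conf() {
    awk -v params="$POSIX_MODE_PARAMS" '
        BEGIN { n = split(params, p, "|"); section = "global"; role = ""; tshell = ""; found = 0 }
        /^[[:space:]]*[#;]/ { next }                         # comment line
        /^[[:space:]]*\[/ {                                  # [share] header
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s); section = s; next
        }
        /=/ {                                                # "key = value" line
            key = $0; sub(/[[:space:]]*=.*$/, "", key); sub(/^[[:space:]]+/, "", key)
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            key = tolower(key)
            if (section == "global" && key == "server role")    role   = tolower(val)
            if (section == "global" && key == "template shell") tshell = val
            if (section != "global")
                for (i = 1; i <= n; i++)
                    if (key == p[i]) finding[++found] = section ": uses \"" key " = " val "\", manage this with Windows ACLs"
        }
        END {
            if (role !~ /domain controller/) exit 0          # member server: nothing to flag
            if (tshell == "") finding[++found] = "global: no \"template shell\" set, winbind users get /bin/false"
            for (i = 1; i <= found; i++) print finding[i]
            exit (found > 0)
        }' "$1"
}

# nsswitch_has_winbind FILE: returns 0 if both the passwd and group databases
# list winbind, 1 otherwise (then getent will not see AD users).
nsswitch_has_winbind() {
    awk '
        /^[[:space:]]*(passwd|group):/ {
            split($0, f, ":"); db = f[1]; sub(/^[[:space:]]+/, "", db)
            nsrc = split(f[2], src, /[[:space:]]+/)
            for (i = 1; i <= nsrc; i++) if (src[i] == "winbind") ok[db] = 1
        }
        END { exit !(ok["passwd"] && ok["group"]) }' "$1"
}

# find_unmapped_owners DIR: lists files whose owner or group has no name via
# NSS, like the uid 1000/1012 entries in the listing above. Needs a real path.
find_unmapped_owners() {
    find "$1" \( -nouser -o -nogroup \) -exec ls -lnd {} +
}

# write_samples DIR: writes constructed sample files: the smb.conf and
# nsswitch.conf quoted in the thread (shortened) plus a bad nsswitch.conf.
write_samples() {
    cat > "$1/smb.conf" <<'EOF'
[global]
        netbios name = FILESERVER
        realm = SMBDOMAIN.DUCK
        workgroup = SMBDOMAIN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

[Allgemein]
    comment = Fuer jeden User zugreifbares Verzeichnis
    path = /srv/user
    public = yes
    browseable = yes
    writeable = yes
    read only = no
    create mode = 0777
    create mask = 0777
    directory mask = 0777

[Daten]
   comment = Daten
   path = /srv
   read only = no
EOF
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:         compat winbind
group:          compat winbind
shadow:         compat
EOF
    cat > "$1/nsswitch-bad.conf" <<'EOF'
passwd:         compat
group:          compat
EOF
}

# Usage: sh audit.sh demo   (runs the checks against the constructed samples)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    audit_smb_conf "$d/smb.conf" || echo "smb.conf: findings listed above"
    nsswitch_has_winbind "$d/nsswitch.conf" && echo "nsswitch.conf: winbind on passwd and group, ok"
    rm -r "$d"
fi
```

On the sample smb.conf the audit flags the four POSIX-mode/guest lines of [Allgemein] and the missing "template shell", and nothing for [Daten], which matches the trimmed share Rowland suggests above. On a real host, run audit_smb_conf against /etc/samba/smb.conf (not against testparm output, which expands defaults), nsswitch_has_winbind against /etc/nsswitch.conf, and find_unmapped_owners against the share path to locate data that still needs chown-ing to AD users.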


