[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.

Rowland Penny rpenny at samba.org
Fri Mar 29 18:02:15 UTC 2019


On Fri, 29 Mar 2019 17:21:54 +0000
Stephen via samba <samba at lists.samba.org> wrote:

> Hi Rowland!
> 
> On 29/03/2019 16:33, Rowland Penny via samba wrote
> > Roll on 'Buster' ;-) 4.5.x is well EOL.  
> 
> Its not ideal I know! ;) Unfortunately I (and every other Raspberry
> Pi user) is stuck with this for now since this is the default Samba
> package that Raspbian currently uses unfortunately. I did check to
> see if it could be upgraded using apt to something a little more
> recent but apparently not :(
> 
> > dns forwarder = XXX XXX XXX (obliterated here for privacy reasons!)
> >
> > You might as well 'obliterate' totally, it is only used on a DC.  
> 
> Duly noted, thanks for the tip.
> 
> > So, stephenellwood is an AD user, but is it also a Unix user?  
> 
> Aha! That's probably why my setup is not working! My passwd file on
> fs1 below suggests there is no stephenellwood unix user account
> 
> pi at fs1:~ $ cat /etc/passwd
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
> bin:x:2:2:bin:/bin:/usr/sbin/nologin
> sys:x:3:3:sys:/dev:/usr/sbin/nologin
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/usr/sbin/nologin
> man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
> lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
> mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
> news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
> uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
> proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
> www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
> backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
> list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
> irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
> gnats:x:41:41:Gnats Bug-Reporting System 
> (admin):/var/lib/gnats:/usr/sbin/nologin
> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
> systemd-timesync:x:100:103:systemd Time 
> Synchronization,,,:/run/systemd:/bin/false
> systemd-network:x:101:104:systemd Network 
> Management,,,:/run/systemd/netif:/bin/false
> systemd-resolve:x:102:105:systemd 
> Resolver,,,:/run/systemd/resolve:/bin/false
> systemd-bus-proxy:x:103:106:systemd Bus
> Proxy,,,:/run/systemd:/bin/false
> _apt:x:104:65534::/nonexistent:/bin/false
> pi:x:1000:1000:,,,:/home/pi:/bin/bash
> messagebus:x:105:109::/var/run/dbus:/bin/false
> statd:x:106:65534::/var/lib/nfs:/bin/false
> sshd:x:107:65534::/run/sshd:/usr/sbin/nologin avahi:x:108:112:Avahi
> mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
> 
> There is obviously a major gap in my understanding here. Have I 
> understood you correctly Rowland? You appear to be suggesting that
> there must be separate individual linux user account on EVERY samba
> file server, one new unix user account corresponding to every  active 
> directory account?

Err no, exactly the opposite ;-)

What I was trying to get across is that whilst 'wbinfo -u' shows your
user, it doesn't mean that the Unix OS knows your user. 
For the Unix OS to know your user, you must use Samba to make the
Windows user a Unix user as well.
There are two main ways to do this, using the rid or ad winbind
backends.
Using 'rid' is easiest, you just set up smb.conf correctly, but you
have set up your smb.conf to use the 'ad' backend and this involves
more work. You must add a uidNumber attribute containing a unique
number, inside the range you have set in smb.conf, to every user you
want to be a Unix user AND give 'Domain Users' a gidnumber attribute
containing a number inside the same range.

> So what's the point in using a centralised 
> authentication service like active directory then - I don't
> understand - what does AD actually achieve in Windows networking?

I think I answered that above.

> 
> I used the following Samba tutorials to setup my fileserver fs1 but 
> unfortunately these do not mention the need to create user accounts
> to complement those that active directory creates.
> 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Using_Domain_Accounts_and_Groups_in_Operating_System_Commands

Under 'Configuring Samba' there is this:

If you need your users to have different login shells and/or Unix home
directory paths, or you want them to have the same ID everywhere, you
will need to use the winbind 'ad' backend and add RFC2307 attributes to
AD. 

Underneath that, in a blue box, with a big blue 'i' sign, there is
this:

The RFC2307 attributes are not added automatically when users or groups
are created.
 
> 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> 
> How do I rectify this? Can you point me at a suitable tutorial?

You don't need to rectify that ;-)

> 
> > Have you added RFC2307 attributes to AD ?  
> 
> I don't know what this means, can you please clarify? 

If you do not know what it means, then you very probably did not do it
and it is compulsory for the 'ad' backend.

The RFC2307 attributes are what you need to add to an AD user to make
Unix know who your users are.
I explained this above, so to make 'stephenellwood' a Unix user, do
this:

Log into a Samba DC as root (or use sudo) and run:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb

search for 'stephenellwood' (use Ctrl-w)

Add into the object:
uidNumber: 10000

Search again for 'dn: cn=Domain Users'

Add into the object:
gidNumber: 10000

Close and save with 'Ctrl-x'

Go back to your fileserver and type 'getent passwd stephenellwood'

This should produce output.

> 
> > Have you installed these packages: libpam-winbind libnss-winbind
> > libpam-krb5  
> Yes I definitely installed those packages.
> > Have you added 'winbind' to the 'passwd' & 'group' lines
> > in /etc/nsswitch.conf ?  
> Yes, please see my nsswitch.conf below:
> 
> pi at fs1:~ $ cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Ser
> # If you have the `glibc-doc-reference'
> # `info libc "Name Service Switch"' for
> 
> passwd:         files winbind
> group:          files winbind
> shadow:         compat
> gshadow:        files
> 
> hosts:          files mdns4_minimal [NO
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:          files winbind

Remove 'winbind' from the 'netgroup' line.

Rowland
 




More information about the samba mailing list