samba - Dec 2015 - samba4 as ADS member: some users visible, others not

Am 2015-12-29 um 18:05 schrieb Rowland penny:
> On 29/12/15 16:32, Stefan G. Weichinger wrote:
>> I have to add a brand new fedora 23 server with samba 4.3.3 to an
>> existing Windows ADS domain.
>>
>> The join is OK:
>>
>> # net ads testjoin
>> Join is OK
>>
>> I use winbind as I still have to learn about sssd (and I am unsure
which
>> one to prefer).
>>
>> config (workgroup and realm edited):
>>
>> [global]
>>     workgroup = customer
>>     realm = my.customer
>>     server string >>     security = ADS
>>     map to guest = Bad User
>>     username map = /etc/samba/smbusers
>>     map untrusted to domain = Yes
>>     load printers = No
>>     printcap name = /dev/null
>>     disable spoolss = Yes
>>     template shell = /bin/bash
>>     winbind enum users = Yes
>>     winbind enum groups = Yes
>>     winbind use default domain = Yes
>>     winbind nss info = rfc2307
>>     idmap config customer:range = 10000-999999
>>     idmap config customer:schema_mode = rfc2307
>>     idmap config customer:backend = ad
>>     idmap config *:range = 2000-9999
>>     idmap config * : backend = tdb
>>     force create mode = 0664
>>     force directory mode = 0775
>>     printing = bsd
>>     level2 oplocks = No
>>
>> ---
>>
>> issues:
>>
>> wbinfo -u
>> wbinfo -g list all users and groups from ADS
>>
>> getent passwd only gives me around 20 users from ADS ...
>>
>> -> some users get access to shares, some not!
>>
>> I assume this has to do with "idmap config customer:range" ?
>>
>> How to determine the values of the max ids?
>>
>> Do I have to "reset" some mappings after changing this
parameter?
>>
>> What else to check for?
>>
>> thanks for any help on this, Stefan
>>
> 
> The only mappings you should have, are the ones for the 'builtin'
users
> & groups, all the others should have a uidNumber or gidNumber attribute
> in AD, these should be between '10000-999999'
> I would also recommend you remove these lines:
> 
> force create mode = 0664
> force directory mode = 0775
I agree, sure.
> They really only belong in a share, but you should be using Posix ACLs
> anyway.
> 
> If a user isn't shown by getent, then they are unknown to the OS and
> will not be able to access shares unless the share also allows guest
> access.
So I understand you suggest to use this instead ?

->

[global]
	workgroup = CUSTOMER
	realm = MY.CUSTOMER
	server string 	security = ADS
	map to guest = Bad User
	username map = /etc/samba/smbusers
	map untrusted to domain = Yes
	load printers = No
	printcap name = /dev/null
	disable spoolss = Yes
	template shell = /bin/bash
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = Yes
	winbind nss info = rfc2307
	idmap config *:range = 2000-9999
	idmap config * : backend = tdb
	printing = bsd
	level2 oplocks = No

I will test later as there are some users working (early evening here) ...

thanks! Stefan

On 29/12/15 17:30, Stefan G. Weichinger wrote:
> Am 2015-12-29 um 18:05 schrieb Rowland penny:
>> On 29/12/15 16:32, Stefan G. Weichinger wrote:
>>> I have to add a brand new fedora 23 server with samba 4.3.3 to an
>>> existing Windows ADS domain.
>>>
>>> The join is OK:
>>>
>>> # net ads testjoin
>>> Join is OK
>>>
>>> I use winbind as I still have to learn about sssd (and I am unsure
which
>>> one to prefer).
>>>
>>> config (workgroup and realm edited):
>>>
>>> [global]
>>>      workgroup = customer
>>>      realm = my.customer
>>>      server string >>>      security = ADS
>>>      map to guest = Bad User
>>>      username map = /etc/samba/smbusers
>>>      map untrusted to domain = Yes
>>>      load printers = No
>>>      printcap name = /dev/null
>>>      disable spoolss = Yes
>>>      template shell = /bin/bash
>>>      winbind enum users = Yes
>>>      winbind enum groups = Yes
>>>      winbind use default domain = Yes
>>>      winbind nss info = rfc2307
>>>      idmap config customer:range = 10000-999999
>>>      idmap config customer:schema_mode = rfc2307
>>>      idmap config customer:backend = ad
>>>      idmap config *:range = 2000-9999
>>>      idmap config * : backend = tdb
>>>      force create mode = 0664
>>>      force directory mode = 0775
>>>      printing = bsd
>>>      level2 oplocks = No
>>>
>>> ---
>>>
>>> issues:
>>>
>>> wbinfo -u
>>> wbinfo -g list all users and groups from ADS
>>>
>>> getent passwd only gives me around 20 users from ADS ...
>>>
>>> -> some users get access to shares, some not!
>>>
>>> I assume this has to do with "idmap config
customer:range" ?
>>>
>>> How to determine the values of the max ids?
>>>
>>> Do I have to "reset" some mappings after changing this
parameter?
>>>
>>> What else to check for?
>>>
>>> thanks for any help on this, Stefan
>>>
>> The only mappings you should have, are the ones for the
'builtin' users
>> & groups, all the others should have a uidNumber or gidNumber
attribute
>> in AD, these should be between '10000-999999'
>> I would also recommend you remove these lines:
>>
>> force create mode = 0664
>> force directory mode = 0775
> I agree, sure.
>
>> They really only belong in a share, but you should be using Posix ACLs
>> anyway.
>>
>> If a user isn't shown by getent, then they are unknown to the OS
and
>> will not be able to access shares unless the share also allows guest
>> access.
> So I understand you suggest to use this instead ?
>
> ->
>
> [global]
> 	workgroup = CUSTOMER
> 	realm = MY.CUSTOMER
> 	server string > 	security = ADS
> 	map to guest = Bad User
> 	username map = /etc/samba/smbusers
> 	map untrusted to domain = Yes
> 	load printers = No
> 	printcap name = /dev/null
> 	disable spoolss = Yes
> 	template shell = /bin/bash
> 	winbind enum users = Yes
> 	winbind enum groups = Yes
> 	winbind use default domain = Yes
> 	winbind nss info = rfc2307
> 	idmap config *:range = 2000-9999
> 	idmap config * : backend = tdb
> 	printing = bsd
> 	level2 oplocks = No
>
> I will test later as there are some users working (early evening here) ...
>
> thanks! Stefan
>
NO! This will give you precisely 0 users

config * == the range the 'builtin' users will be mapped to.
config customer == the range for all the domain users that have a 
uidNumber attribute. If a user doesn't have a uidNumber attribute 
containing a number inside the range set in smb.conf (in your case 
10000-999999) it will be ignored, the user will also be ignored if it 
doesn't have a uidNumber attribute. There is also another gotchya, the 
'Domain Users' group *must* have a gidNumber attribute inside the range,
or all users will be ignored even if they have a uidNumber attribute.

This all boils down to, have you manually given your users & groups the 
required uidNumber & gidNumber attributes ? they are not added 
automatically, they must be added manually.

Rowland

in the same ADS I have another member server with Samba-3.6.25

[global]
	workgroup = CUSTOMER
	realm = MY.CUSTOMER
	server string = backup
	security = ADS
	map to guest = Bad User
	printcap name = /dev/null
	os level = 65
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = Yes
	idmap config * : range = 1000-29999
	idmap config * : backend = tdb

# nsswitch.conf

passwd:      compat winbind
shadow:      compat
group:       compat winbind

this one gives me all users with "getent passwd" !


For the 4.x server I now tried:

[global]
	workgroup = CUSTOMER
	realm = MY.CUSTOMER
	server string 	security = ADS
	map to guest = Bad User
	username map = /etc/samba/smbusers
	map untrusted to domain = Yes
	load printers = No
	printcap name = /dev/null
	disable spoolss = Yes
	template shell = /bin/bash
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = Yes
	idmap config * : range = 1000-29999
	idmap config * : backend = tdb
	printing = bsd
	level2 oplocks = No

And now it works here as well!

We will see if it stays this way ;-)
Thanks, Stefan

Am 2015-12-29 um 18:59 schrieb Rowland penny:
> NO! This will give you precisely 0 users
> 
> config * == the range the 'builtin' users will be mapped to.
> config customer == the range for all the domain users that have a
> uidNumber attribute. If a user doesn't have a uidNumber attribute
> containing a number inside the range set in smb.conf (in your case
> 10000-999999) it will be ignored, the user will also be ignored if it
> doesn't have a uidNumber attribute. There is also another gotchya, the
> 'Domain Users' group *must* have a gidNumber attribute inside the
range,
> or all users will be ignored even if they have a uidNumber attribute.
> 
> This all boils down to, have you manually given your users & groups the
> required uidNumber & gidNumber attributes ? they are not added
> automatically, they must be added manually.
Thanks a lot for that explanation.
I read it after it started working here yesterday so excuse my late
reply. I never understood it the way you described it above, this would
have helped me with other servers earlier as well.

thanks, Stefan