samba - Mar 2016 - Problems with Member server in a Samba AD Domain

I have set up a Samba Active Directory domain controller on a fresh
install of Debian 8.3 (Jessie) using Samba 4.4.0 and everything works
fine as far as I can tell.  I had users' home folders with the H:
drive letter connecting to the share on the DC and folder redirection
for My Documents, Pictures etc.     

Then I decided to add a member server (also Debian Jessie) and put the
users' home folders on that server.  So I created a second OU with
folder redirection of Documents, Pictures etc and mapped the H: drive
to the users' shared folder on the member server.   My problem is that
whilst the users folders get created automatically and have the
correct NTFS permissions (as seen from a Windows 7 machine) the user
cannot access the folder on the member server - Access Denied.
Permissions say Full Control for the user.     It seems that the newly
created users are not being recognised by the member server:   getent
passwd returns just the administrator and the user I created with home
folder on the DC:

# getent passwd
[...]
test2:*:10001:10000:Test 2. user:/home/test2:/bin/sh
administrator:*:10000:10000:Administrator:/home/Administrator:/bin/sh

The other user with home folder on the member server does not show up.

So I moved the first user into the second OU and changed the H: drive
mapping to be on the member server.     That user can now access the
home folder on the member server.   Note though that the My Documents
folder doesn't appear until the second login.

Here's my smb.conf on the member server:

[global]

       netbios name = debian-m1
       security = ADS
       workgroup = MICROLYNX
       realm = MICROLYNX.LOCAL

       log file = /var/log/samba/%m.log
       log level = 1

       dedicated keytab file = /etc/krb5.keytab
       kerberos method = secrets and keytab
       winbind refresh tickets = yes

       winbind trusted domains only = no
       winbind use default domain = yes
       winbind enum users  = yes
       winbind enum groups = yes
 
       # idmap config used for your domain.
       # Click on the following links for more information
       # on the available winbind idmap backends, 
       # Choose the one that fits your requirements
       # then add the corresponding configuration. 
       
       # Just adding the following three lines is not enough!!
       #  - idmap config ad

# Important: The ranges of the default (*) idmap config
       # and the domain(s) must not overlap!

       # Default idmap config used for BUILTIN and local
accounts/groups
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999

       # idmap config for domain MICROLYNX
       idmap config MICROLYNX:backend = ad
       idmap config MICROLYNX:schema_mode = rfc2307
       idmap config MICROLYNX:range = 10000-99999

       # Use settings from AD for login shell and home directory
       winbind nss info = rfc2307
       template homedir = /srv/users/%U
       template shell = /bin/bash

	vfs objects = acl_xattr
	map acl inherit = yes
	store dos attributes = yes

[users]
	path = /srv/users
	read only = No

This is the output of getent passwd on the DC (debian-dc1):
# getent passwd
[...]
MICROLYNX\test3:*:3000052:100:Test 3. User:/srv/users/test3:/bin/bash
MICROLYNX\test4:*:3000053:100:test 4. user:/srv/users/test4:/bin/bash
MICROLYNX\test1:*:3000049:100:Test 1. User:/srv/users/test1:/bin/bash
MICROLYNX\test2:*:3000013:100:Test 2. user:/srv/users/test2:/bin/bash
MICROLYNX\administrator:*:0:100::/srv/users/administrator:/bin/bash
MICROLYNX\krbtgt:*:3000041:100::/srv/users/krbtgt:/bin/bash
MICROLYNX\guest:*:3000007:100::/srv/users/guest:/bin/bash

So why are these additional users not being recognised by the member
server (debian-m1)?   Also the template homedir & shell lines in the
smb.conf seem to be ignored (by debian-m1).

Any help would be appreciated,

spindles7

On 27/03/16 17:15, spindles7-2 at yahoo.co.uk wrote:
> I have set up a Samba Active Directory domain controller on a fresh
> install of Debian 8.3 (Jessie) using Samba 4.4.0 and everything works
> fine as far as I can tell.  I had users' home folders with the H:
> drive letter connecting to the share on the DC and folder redirection
> for My Documents, Pictures etc.
>
> Then I decided to add a member server (also Debian Jessie) and put the
> users' home folders on that server.  So I created a second OU with
> folder redirection of Documents, Pictures etc and mapped the H: drive
> to the users' shared folder on the member server.   My problem is that
> whilst the users folders get created automatically and have the
> correct NTFS permissions (as seen from a Windows 7 machine) the user
> cannot access the folder on the member server - Access Denied.
> Permissions say Full Control for the user.     It seems that the newly
> created users are not being recognised by the member server:   getent
> passwd returns just the administrator and the user I created with home
> folder on the DC:
>
> # getent passwd
> [...]
> test2:*:10001:10000:Test 2. user:/home/test2:/bin/sh
> administrator:*:10000:10000:Administrator:/home/Administrator:/bin/sh
>
> The other user with home folder on the member server does not show up.
>
> So I moved the first user into the second OU and changed the H: drive
> mapping to be on the member server.     That user can now access the
> home folder on the member server.   Note though that the My Documents
> folder doesn't appear until the second login.
>
> Here's my smb.conf on the member server:
>
> [global]
>
>         netbios name = debian-m1
>         security = ADS
>         workgroup = MICROLYNX
>         realm = MICROLYNX.LOCAL
>
>         log file = /var/log/samba/%m.log
>         log level = 1
>
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         winbind refresh tickets = yes
>
>         winbind trusted domains only = no
>         winbind use default domain = yes
>         winbind enum users  = yes
>         winbind enum groups = yes
>   
>         # idmap config used for your domain.
>         # Click on the following links for more information
>         # on the available winbind idmap backends,
>         # Choose the one that fits your requirements
>         # then add the corresponding configuration.
>         
>         # Just adding the following three lines is not enough!!
>         #  - idmap config ad
>
> # Important: The ranges of the default (*) idmap config
>         # and the domain(s) must not overlap!
>
>         # Default idmap config used for BUILTIN and local
> accounts/groups
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-9999
>
>         # idmap config for domain MICROLYNX
>         idmap config MICROLYNX:backend = ad
>         idmap config MICROLYNX:schema_mode = rfc2307
>         idmap config MICROLYNX:range = 10000-99999
>
>         # Use settings from AD for login shell and home directory
>         winbind nss info = rfc2307
>         template homedir = /srv/users/%U
>         template shell = /bin/bash
>
> 	vfs objects = acl_xattr
> 	map acl inherit = yes
> 	store dos attributes = yes
>
> [users]
> 	path = /srv/users
> 	read only = No
>
> This is the output of getent passwd on the DC (debian-dc1):
> # getent passwd
> [...]
> MICROLYNX\test3:*:3000052:100:Test 3. User:/srv/users/test3:/bin/bash
> MICROLYNX\test4:*:3000053:100:test 4. user:/srv/users/test4:/bin/bash
> MICROLYNX\test1:*:3000049:100:Test 1. User:/srv/users/test1:/bin/bash
> MICROLYNX\test2:*:3000013:100:Test 2. user:/srv/users/test2:/bin/bash
> MICROLYNX\administrator:*:0:100::/srv/users/administrator:/bin/bash
> MICROLYNX\krbtgt:*:3000041:100::/srv/users/krbtgt:/bin/bash
> MICROLYNX\guest:*:3000007:100::/srv/users/guest:/bin/bash
>
> So why are these additional users not being recognised by the member
> server (debian-m1)?   Also the template homedir & shell lines in the
> smb.conf seem to be ignored (by debian-m1).
>
> Any help would be appreciated,
>
> spindles7
OK, I think your problems are all probably caused by the same thing, you 
are using the winbind 'ad' backend on the domain member, but *you 
haven't given any of your users 'uidNumber' attributes and you
haven't
given 'Domain Users' a 'gidNumber' attribute*.

Two ways to fix this, use the 'rid' backend instead or give all yours 
users a 'uidNumber' attribute and 'Domain Users' (at least) a 
'gidNumber' attribute, these attributes need to be inside the range you 
set in smb.conf (in your case, 10000-99999)

If you do have these attributes in AD, have you set up PAM and 
/etc/nsswitch.conf correctly.

Rowland

On Sun, 27 Mar 2016 18:15:19 +0100, Rowland penny <rpenny at samba.org>
wrote:
>On 27/03/16 17:15, spindles7-2 at yahoo.co.uk wrote:
>> I have set up a Samba Active Directory domain controller on a fresh
>> install of Debian 8.3 (Jessie) using Samba 4.4.0 and everything works
>> fine as far as I can tell.  I had users' home folders with the H:
>> drive letter connecting to the share on the DC and folder redirection
>> for My Documents, Pictures etc.
>>
>> Then I decided to add a member server (also Debian Jessie) and put the
>> users' home folders on that server.  So I created a second OU with
>> folder redirection of Documents, Pictures etc and mapped the H: drive
>> to the users' shared folder on the member server.   My problem is
that
>> whilst the users folders get created automatically and have the
>> correct NTFS permissions (as seen from a Windows 7 machine) the user
>> cannot access the folder on the member server - Access Denied.
>> Permissions say Full Control for the user.     It seems that the newly
>> created users are not being recognised by the member server:   getent
>> passwd returns just the administrator and the user I created with home
>> folder on the DC:
>>
>> # getent passwd
>> [...]
>> test2:*:10001:10000:Test 2. user:/home/test2:/bin/sh
>> administrator:*:10000:10000:Administrator:/home/Administrator:/bin/sh
>>
>> The other user with home folder on the member server does not show up.
>>
>> So I moved the first user into the second OU and changed the H: drive
>> mapping to be on the member server.     That user can now access the
>> home folder on the member server.   Note though that the My Documents
>> folder doesn't appear until the second login.
>>
>> Here's my smb.conf on the member server:
>>
>> [global]
>>
>>         netbios name = debian-m1
>>         security = ADS
>>         workgroup = MICROLYNX
>>         realm = MICROLYNX.LOCAL
>>
>>         log file = /var/log/samba/%m.log
>>         log level = 1
>>
>>         dedicated keytab file = /etc/krb5.keytab
>>         kerberos method = secrets and keytab
>>         winbind refresh tickets = yes
>>
>>         winbind trusted domains only = no
>>         winbind use default domain = yes
>>         winbind enum users  = yes
>>         winbind enum groups = yes
>>   
>>         # idmap config used for your domain.
>>         # Click on the following links for more information
>>         # on the available winbind idmap backends,
>>         # Choose the one that fits your requirements
>>         # then add the corresponding configuration.
>>         
>>         # Just adding the following three lines is not enough!!
>>         #  - idmap config ad
>>
>> # Important: The ranges of the default (*) idmap config
>>         # and the domain(s) must not overlap!
>>
>>         # Default idmap config used for BUILTIN and local
>> accounts/groups
>>         idmap config *:backend = tdb
>>         idmap config *:range = 2000-9999
>>
>>         # idmap config for domain MICROLYNX
>>         idmap config MICROLYNX:backend = ad
>>         idmap config MICROLYNX:schema_mode = rfc2307
>>         idmap config MICROLYNX:range = 10000-99999
>>
>>         # Use settings from AD for login shell and home directory
>>         winbind nss info = rfc2307
>>         template homedir = /srv/users/%U
>>         template shell = /bin/bash
>>
>> 	vfs objects = acl_xattr
>> 	map acl inherit = yes
>> 	store dos attributes = yes
>>
>> [users]
>> 	path = /srv/users
>> 	read only = No
>>
>> This is the output of getent passwd on the DC (debian-dc1):
>> # getent passwd
>> [...]
>> MICROLYNX\test3:*:3000052:100:Test 3. User:/srv/users/test3:/bin/bash
>> MICROLYNX\test4:*:3000053:100:test 4. user:/srv/users/test4:/bin/bash
>> MICROLYNX\test1:*:3000049:100:Test 1. User:/srv/users/test1:/bin/bash
>> MICROLYNX\test2:*:3000013:100:Test 2. user:/srv/users/test2:/bin/bash
>> MICROLYNX\administrator:*:0:100::/srv/users/administrator:/bin/bash
>> MICROLYNX\krbtgt:*:3000041:100::/srv/users/krbtgt:/bin/bash
>> MICROLYNX\guest:*:3000007:100::/srv/users/guest:/bin/bash
>>
>> So why are these additional users not being recognised by the member
>> server (debian-m1)?   Also the template homedir & shell lines in
the
>> smb.conf seem to be ignored (by debian-m1).
>>
>> Any help would be appreciated,
>>
>> spindles7
>
>OK, I think your problems are all probably caused by the same thing, you 
>are using the winbind 'ad' backend on the domain member, but *you 
>haven't given any of your users 'uidNumber' attributes and you
haven't
>given 'Domain Users' a 'gidNumber' attribute*.
>
>Two ways to fix this, use the 'rid' backend instead or give all
yours
>users a 'uidNumber' attribute and 'Domain Users' (at least)
a
>'gidNumber' attribute, these attributes need to be inside the range
you
>set in smb.conf (in your case, 10000-99999)
>
>If you do have these attributes in AD, have you set up PAM and 
>/etc/nsswitch.conf correctly.
>
>Rowland
Thanks for that.   You are right, or partially so.   I had given user test2 Unix
attributes using ADUC, and also Domain Users and
Domain Admins.   However, when you go back into ADUC Unix Attributes tab for
Domain Users and Domain Admins I get the error:
"Unwilling to Perform".  When I dismiss that the correct settings are
there.

So now I've allocated uidNumbers to all users and getent passwd on the
domain member server now lists all the users.  However, the
auto-crreated folders, whilst they show the correct permissions the user still
gets "access denied" and the Drive letter is not
connected at logon.   On the other hand users with home folders on the DC work
OK.    So there's still something wrong.   Do I still
need to setup rid as the backend?

On the DC the owner and group are shown thus:
root at debian-dc1:~# ls -l /srv/users
total 16
drwxrwx---+ 2 root                                             root  4096 Mar 27
23:30 test1
drwxrwx---+ 4 MICROLYNX\denied rodc password replication group users 4096 Mar 27
14:47 test2

On the Member server they are shown:
root at debian-m1:~# ls -l /srv/users
total 32
drwxrwx---+ 2 administrator domain users 4096 Mar 24 23:42 test1
drwxrwx---+ 2 administrator domain users 4096 Mar 27 14:48 test2
drwxrwx---+ 2 administrator domain users 4096 Mar 27 14:45 test3
drwxrwx---+ 2 administrator domain users 4096 Mar 27 14:45 test4

Also shouldn't the uidNumbers and gidNumbers be the same on both the DC and
the member server?  (the DC's range seems to be 30000
upwards whereas the member server is as specified in ADUC.)

The smb.conf on the DC has the line:
       idmap config MICROLYNX:range = 10000-99999

or is that something different?

I haven't setup PAM as I thought that was only needed if users need to log
into the member server's console, which they don't.   My
/etc/nsswitch.conf is as follows:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.

#passwd:         compat
passwd:         files winbind
#group:          compat
group:          files winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

and I had created the two symbolic links to libnss_winbind.so.2:

root at debian-m1:~# ls -l /lib/i386-linux-gnu/libnss_winbind.so*
lrwxrwxrwx 1 root root 39 Mar 21 19:24 /lib/i386-linux-gnu/libnss_winbind.so
-> /lib/i386-linux-gnu/libnss_winbind.so.2
lrwxrwxrwx 1 root root 40 Mar 21 19:26 /lib/i386-linux-gnu/libnss_winbind.so.2
-> /usr/local/samba/lib/libnss_winbind.so.2

Users can connect to the \\debian-m1\users share but not to the own folder, so I
assumed authentication is working without the need
for PAM.

Incidentally the log-winbind-idmap logfile is full of errors like this:

[2016/03/28 00:24:31.265357,  1]
../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
  Could not get unix ID for SID S-1-5-21-477877664-3821138561-3089784001-572
[2016/03/28 00:24:31.265690,  1]
../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
  Could not get unix ID for SID S-1-5-21-477877664-3821138561-3089784001-520
[2016/03/28 00:24:31.265916,  1]
../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
  Could not get unix ID for SID S-1-5-21-477877664-3821138561-3089784001-519
[2016/03/28 00:24:31.266139,  1]
../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
  Could not get unix ID for SID S-1-5-21-477877664-3821138561-3089784001-518

Let me know if you need more info.   Once again many thanks for your help.
spindles7