Jonathan Hunter
2016-Sep-11 18:03 UTC
[Samba] Computer accounts belonging to groups, using winbind on file server
Hi All,

Some time ago I reluctantly moved DC functionality off my file server and onto a separate machine, due to the well-known challenges using the same machine as both a file server and a DC. This went mostly fine, with one exception - I have one piece of functionality that worked before, but I still don't have working now.

I use wpkg for software distribution, having all relevant computer accounts be a member of a group (let's call it sw-dist) and setting the ownership of my /data/wpkg directory on the server appropriately so that all members of that group (i.e. all relevant computer accounts) can access the files - see below. I am using rfc2307 attributes to specify UIDs and GIDs where I can.

This worked just fine when the file server was also a DC (I was using sssd at the time for user/group resolution on the machine) but I can't work out how to get it working now.

Normal user accounts work fine, but if I try to get information on a computer account, I can't:

[root@fileserver ~]# wbinfo -i "computer$"
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user computer$

This is probably explained by me not seeing the option to allocate a UNIX UID / GID to a computer account in ADUC, of course - it shows me different options instead and doesn't have the box to specify UID/GID etc.

Nothing shows up in 'net cache list' on the file server, either, for this computer:

[root@fileserver ~]# net cache list | grep -i computer

The group itself can be resolved just fine, even though the computer accounts can't - and it shows that the computer accounts are definitely members of the group in question:

[root@fileserver ~]# wbinfo --group-info sw-dist
sw-dist:x:12345:computer$,computer2$,computer3$,computer4$

All of this inevitably leads to the key directories in question not being accessible by the computers who need them. When the computer account connects to the file server, its group memberships don't really seem to work. I suspect that sssd had different behaviour to winbind in this regard.

Has anybody else successfully served out files to a computer account belonging to a specific group, using samba and winbind? I don't really see how I can practically have computer accounts as a member of a group if I'm using winbind.

Cheers,

Jonathan

[root@fileserver ~]# getfacl /data/wpkg
getfacl: Removing leading '/' from absolute path names
# file: data/wpkg
# owner: root
# group: sw-dist
# flags: -s-
user::rwx
user:root:rwx
group::rwx
group:sw-dist:r-x
group:domain\040admins:rwx
group:3000075:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:sw-dist:r-x
default:group:domain\040admins:rwx
default:group:3000075:rwx
default:group:3000166:r-x
default:mask::rwx
default:other::rwx

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Rowland Penny
2016-Sep-11 19:02 UTC
[Samba] Computer accounts belonging to groups, using winbind on file server
On Sun, 11 Sep 2016 19:03:05 +0100 Jonathan Hunter via samba <samba at lists.samba.org> wrote:
> [snip]

OK, never used a computer as a user, so I tried your command:

rowland@devstation:~/programming/samba/sadms/saddm-2.0.15$ wbinfo -i devstation\$
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user devstation$

I then thought, a computer's samaccountname is in uppercase, so I tried that:

rowland@devstation:~/programming/samba/sadms/saddm-2.0.15$ wbinfo -i DEVSTATION\$
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user DEVSTATION$

So that didn't work. Added a uidNumber to devstation's AD object, that didn't work, so had a thought and then it came to me: computers have a different primary gid to normal users and if Domain Users doesn't have a gidNumber, winbindd ignores the users. I added a gidNumber to Domain Computers and:

rowland@devstation:~/programming/samba/sadms/saddm-2.0.15$ getent passwd DEVSTATION\$
devstation$:*:10009:10003:DEVSTATION:/home/SAMDOM/devstation_:/bin/false
rowland@devstation:~/programming/samba/sadms/saddm-2.0.15$ wbinfo -i DEVSTATION\$
devstation$:*:10009:10003:DEVSTATION:/home/SAMDOM/devstation_:/bin/false

Try it, I feel sure it will fix your problem.

Rowland
Jonathan Hunter
2016-Sep-11 19:18 UTC
[Samba] Computer accounts belonging to groups, using winbind on file server
Thank you Rowland, I like your thinking - made sense to me.

I had already allocated a GID to Domain Computers:

[root@fileserver ~]# getent group Domain\ Computers
domain computers:x:12345:

however I just now tried adding a uidNumber attribute to one of my computer objects using ADSIEdit and hey presto, that computer now appears in 'getent passwd'!

I wonder if there is some fix that could be made on the samba side - I don't know exactly how, if I'm honest... but for every domain computer I will now have to:

- manually add a uidNumber attribute
- manually reset the AD attribute containing the max uidNumber allocated, so that ADUC doesn't duplicate UIDs

That'll work - and I'm happy to do that in my case as it will work around the issue (thank you!!) but it doesn't seem to be the best replacement for the MS behaviour of just adding a computer object to a group, and that's it :)

But at the moment I can't think of what we might be able to do better?

Many thanks for the pointer,

Jonathan

On 11 September 2016 at 20:02, Rowland Penny <rpenny at samba.org> wrote:
> [snip]
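An added example, not code from this thread or from Samba, that covers both findings above: Rowland's observation that winbind only resolves a computer account once the account carries a uidNumber and its primary group (Domain Computers, RID 515) carries a gidNumber, and Jonathan's workaround of adding uidNumber by hand and then resetting the counter ADUC uses so it does not hand the same UID out twice. It audits computer objects against those two conditions and emits LDIF that allocates the missing numbers and advances the counters. Everything in it is assumed for illustration: the sample ldbsearch-style output, the samdom.example.com DNs, the RIDs and id numbers, the counter object DN and the attribute names msSFU30MaxUidNumber / msSFU30MaxGidNumber (those are what ADUC's UNIX Attributes tab keeps on the ypServ30 NIS-domain object as far as I know; verify with ldbsearch before relying on them).

```python
"""Audit AD computer objects for the RFC2307 attributes winbind needs and
emit LDIF that fills in what is missing.

Added example, not code from the thread or from Samba.  Input is assumed to
come from something like (DC name and credentials are placeholders):

  ldbsearch -H ldap://dc1.samdom.example.com -U administrator \
      '(objectClass=computer)' sAMAccountName primaryGroupID uidNumber
  ldbsearch -H ldap://dc1.samdom.example.com -U administrator \
      '(objectClass=group)' sAMAccountName objectSid gidNumber

and the LDIF produced is meant for
  ldbmodify -H ldap://dc1.samdom.example.com -U administrator fix.ldif
"""

# Constructed sample output; every name, DN and number here is invented.
SAMPLE_COMPUTERS = """\
dn: CN=COMPUTER,CN=Computers,DC=samdom,DC=example,DC=com
sAMAccountName: COMPUTER$
primaryGroupID: 515

dn: CN=COMPUTER2,CN=Computers,DC=samdom,DC=example,DC=com
sAMAccountName: COMPUTER2$
primaryGroupID: 515
uidNumber: 10009

dn: CN=COMPUTER3,CN=Computers,DC=samdom,DC=example,DC=com
sAMAccountName: COMPUTER3$
primaryGroupID: 515
"""

SAMPLE_GROUPS = """\
dn: CN=Domain Computers,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Computers
objectSid: S-1-5-21-1111-2222-3333-515

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 10000
"""

# Assumption: the object and attributes ADUC's UNIX Attributes tab uses as
# its "next free id" counters.  Check them with ldbsearch on your own DC.
COUNTER_DN = ("CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,"
              "CN=System,DC=samdom,DC=example,DC=com")
UID_COUNTER_ATTR = "msSFU30MaxUidNumber"
GID_COUNTER_ATTR = "msSFU30MaxGidNumber"


def parse_entries(text):
    """Parse blank-line separated 'attr: value' records into dicts.

    Attribute names are lower-cased.  Single-valued attributes only; folded
    lines and base64 ('::') values, which ldbsearch can emit, are not handled.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current[attr.strip().lower()] = value.strip()
    if current:
        entries.append(current)
    return entries


def _rid(sid):
    return int(sid.rsplit("-", 1)[1])


def _groups_by_rid(groups):
    return {_rid(g["objectsid"]): g for g in groups if "objectsid" in g}


def audit(computers, groups):
    """Return {sAMAccountName: [problems]} for the two conditions winbind
    needs: a uidNumber on the account and a gidNumber on its primary group."""
    by_rid = _groups_by_rid(groups)
    report = {}
    for c in computers:
        problems = []
        if "uidnumber" not in c:
            problems.append("no uidNumber")
        pgid = int(c.get("primarygroupid", "513"))  # 513 = Domain Users default
        pg = by_rid.get(pgid)
        if pg is None:
            problems.append("primary group RID %d not found" % pgid)
        elif "gidnumber" not in pg:
            problems.append("primary group %s has no gidNumber" % pg["samaccountname"])
        report[c["samaccountname"]] = problems
    return report


def _modify(dn, op, attr, value):
    return "dn: %s\nchangetype: modify\n%s: %s\n%s: %s\n-\n" % (dn, op, attr, attr, value)


def build_fix_ldif(computers, groups, next_uid, next_gid, counter_dn=COUNTER_DN):
    """Allocate uidNumbers / gidNumbers for whatever audit() flags and move the
    ADUC counters past them.  next_uid / next_gid are the counters' current
    values; they are raised above any number already in use so the LDIF can
    never collide with an id that was assigned by hand."""
    next_uid = max([next_uid] + [int(c["uidnumber"]) + 1 for c in computers if "uidnumber" in c])
    next_gid = max([next_gid] + [int(g["gidnumber"]) + 1 for g in groups if "gidnumber" in g])
    by_rid = _groups_by_rid(groups)
    needed = {int(c.get("primarygroupid", "513")) for c in computers}
    changes = []
    for rid_, g in sorted(by_rid.items()):
        if rid_ in needed and "gidnumber" not in g:
            changes.append(_modify(g["dn"], "add", "gidNumber", next_gid))
            next_gid += 1
    for c in computers:
        if "uidnumber" not in c:
            changes.append(_modify(c["dn"], "add", "uidNumber", next_uid))
            next_uid += 1
    changes.append(_modify(counter_dn, "replace", UID_COUNTER_ATTR, next_uid))
    changes.append(_modify(counter_dn, "replace", GID_COUNTER_ATTR, next_gid))
    return "\n".join(changes), next_uid, next_gid


if __name__ == "__main__":
    comps, grps = parse_entries(SAMPLE_COMPUTERS), parse_entries(SAMPLE_GROUPS)
    for name, problems in audit(comps, grps).items():
        print(name, "OK" if not problems else "; ".join(problems))
    ldif, _, _ = build_fix_ldif(comps, grps, next_uid=10005, next_gid=10001)
    print(ldif)
```

After applying the LDIF on the DC, run `net cache flush` on the member server before re-checking with `getent passwd COMPUTER\$` and `wbinfo -i COMPUTER\$`; winbind caches negative lookups, so the old failure can persist for a while otherwise. Whether the counter attribute holds the next id to hand out or the last one handed out is worth confirming against your own DC before trusting the `replace` lines: read the value ADUC left behind after you assign one UID through the GUI and compare.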