Hi everyone,
after some struggling I have finally set up a Samba AD DC and a file server more or less successfully. Unfortunately I am failing at one of the last steps: the configuration of the home share, where I can't set the permissions correctly, which, as a consequence, seems to prevent the creation of the users' folders on the home share.
I am using the standard Samba packages on Ubuntu 16.04 LTS ("2:4.3.11+dfsg-0ubuntu0.16.04") and opted for winbind and the AD backend for id mapping of the domain users. My smb.conf of the member server looks like this:
[global]
netbios name = FILESERVER
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.LAN
log level = 5
log file = /var/log/samba/%m.log
password server = 192.168.6.8
interfaces = lo br0
bind interfaces only = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind cache time = 60
;; Default idmap config used for BUILTIN and local accounts/groups
idmap config * : backend = tdb
idmap config * : range = 100000-4294967295
;; idmap config for domain MYDOMAIN
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
template homedir = /var/share/samba/homes/%U
[home]
path = /var/share/samba/homes
guest ok = no
read only = no
browseable = yes
[profiles]
path = /var/share/samba/profiles
read only = no
store dos attributes = yes
create mask = 0600
directory mask = 0700
guest ok = no
profile acls = yes
csc policy = disable
"interfaces" and "bind interfaces only = yes" are needed because the server is dual-homed. By setting the tdb id range to 100000-4294967295, I hoped to get the Windows system accounts mapped.
winbind seems to work ok. "getent passwd" and "getent group" show the AD users with the uidNumber and gidNumber attributes set on the AD in the right range. Example:
root at fileserver:/var/share/samba# id MYDOMAIN\\Administrator
uid=10000(MYDOMAIN\administrator) gid=10000(MYDOMAIN\domain admins)
groups=10000(MYDOMAIN\domain admins),10004(MYDOMAIN\enterprise
admins),10003(MYDOMAIN\schema admins),10001(MYDOMAIN\domain
users),100000(BUILTIN\administrators),100001(BUILTIN\users)
After adding the [home] section to smb.conf I create the directory as described in the Samba wiki:
root at fileserver:/var/share/samba# mkdir homes
root at fileserver:/var/share/samba# chgrp MYDOMAIN\\Domain\ Admins homes/
root at fileserver:/var/share/samba# chmod g=rwx homes/
root at fileserver:/var/share/samba# ls -ld homes/
drwxrwxr-x 2 root MYDOMAIN\domain admins 4096 Okt 12 16:05 homes/
Then I continue with the RSAT Tools (German Language Version) on Windows 7, where I log in as "MYDOMAIN\Administrator" and use the "Computer Management" Console to configure the home share.

Here I face two problems on the "Security" tab:
1) When I add the Administrator user, the account is shown as "locked" (red dot with cross), but I can set "Full Control".

2) When I add the Creator Owner (in my case, I have to look for ERSTELLER-BESITZER) I can check "Full Control", but when I click "Apply" all the check marks disappear.

Additionally, extra users like "Everyone", "root" or "Creator Group" are already listed in the dialogue box without me doing anything.
On the Linux side, the extended permissions of the /var/share/samba/homes directory look like this:
root at fileserver:/var/share/samba# getfacl homes/
# file: homes/
# owner: MYDOMAIN\134administrator
# group: MYDOMAIN\134domain\040admins
user::rwx
user:MYDOMAIN\134administrator:rwx
group::rwx
group:MYDOMAIN\134domain\040admins:rwx
group:100004:r-x
group:100005:rwx
mask::rwx
other::---
default:user::rwx
default:user:MYDOMAIN\134administrator:rwx
default:group::---
default:group:MYDOMAIN\134domain\040admins:rwx
default:group:100004:r-x
default:group:100005:rwx
default:mask::rwx
default:other::---
I noticed GIDs 100004 and 100005 are not resolved, so I tried to find out why:
root at fileserver:/var/share/samba# net idmap dump
dumping id mapping from /var/lib/samba/winbindd_idmap.tdb
GID 100004 S-1-5-11
GID 100005 S-1-5-18
GID 100006 S-1-3-0
USER HWM 100000
GID 100002 S-1-1-0
GID 100007 S-1-5-4
GID 100003 S-1-5-2
GROUP HWM 100008
With wbinfo --sid-to-fullname I find:
GID 100004 S-1-5-11 --> NT AUTHORITY\Authenticated Users 5
GID 100005 S-1-5-18 --> NT AUTHORITY\SYSTEM 5
S-1-3-0 is the well-known SID of the Creator Owner (thus known to the server).
Finally, when I log into a Windows 7 workstation (previously joined to
the domain) with my test user account
root at fileserver:/var/share/samba# id MYDOMAIN\\kbudwi
uid=10002(MYDOMAIN\kbudwi) gid=10001(MYDOMAIN\domain users)
groups=10001(MYDOMAIN\domain
users),10010(MYDOMAIN\workgroup-1),100001(BUILTIN\users)
my home folder "kbudwi" is neither created nor mounted.
When I navigate manually to the home base folder by entering
"\\fileserver\home" into Windows Explorer, I get an empty folder.
When I try to create my home folder manually I get a message box saying something like "home: You need permissions to continue the operation" (loosely translated from German). I suspect the missing "Creator Owner" rights block the folder creation.
Generally speaking, I am very unsure how to handle the id mapping for the ad backend. The documentation (I found) does not specify whether I have to set the Unix UIDs and GIDs on system accounts or on user accounts only. Maybe I have messed it up at this level?

Any help would be highly appreciated as I am seriously running out of ideas.
Thanks and best regards
Udo
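The bare numeric GIDs in the getfacl output above are the ids winbind allocated from the '*' tdb range for well-known Windows SIDs, and the `net idmap dump` listing is the table that maps them back. The script below is an added example, not code from this post or from the Samba project: it embeds the two outputs quoted above as constructed sample input, assumes the two idmap ranges from the smb.conf above, and uses the standard well-known SID names (S-1-5-11 Authenticated Users, S-1-5-18 SYSTEM, S-1-3-0 CREATOR OWNER, and so on) to turn each unresolved ACL entry into something readable.

```python
import re

# Constructed sample input: the getfacl output quoted in the post above.
GETFACL_OUTPUT = r"""
# file: homes/
# owner: MYDOMAIN\134administrator
# group: MYDOMAIN\134domain\040admins
user::rwx
user:MYDOMAIN\134administrator:rwx
group::rwx
group:MYDOMAIN\134domain\040admins:rwx
group:100004:r-x
group:100005:rwx
mask::rwx
other::---
default:user::rwx
default:user:MYDOMAIN\134administrator:rwx
default:group::---
default:group:MYDOMAIN\134domain\040admins:rwx
default:group:100004:r-x
default:group:100005:rwx
default:mask::rwx
default:other::---
"""

# Constructed sample input: the `net idmap dump` output quoted in the post above.
IDMAP_DUMP = """\
dumping id mapping from /var/lib/samba/winbindd_idmap.tdb
GID 100004 S-1-5-11
GID 100005 S-1-5-18
GID 100006 S-1-3-0
USER HWM 100000
GID 100002 S-1-1-0
GID 100007 S-1-5-4
GID 100003 S-1-5-2
GROUP HWM 100008
"""

# Assumption: the two idmap ranges from the smb.conf in the post.
TDB_RANGE = (100000, 4294967295)   # idmap config * : range
AD_RANGE = (10000, 99999)          # idmap config MYDOMAIN : range

# Well-known SIDs that Windows ACL editors commonly put on a share.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-3-0": "CREATOR OWNER",
    "S-1-3-1": "CREATOR GROUP",
    "S-1-5-2": "NT AUTHORITY\\NETWORK",
    "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
}


def parse_idmap_dump(text):
    """Map ('UID'|'GID', number) -> SID from `net idmap dump` output; HWM lines are skipped."""
    mapping = {}
    for line in text.splitlines():
        m = re.match(r"^(UID|GID) (\d+) (S-1-[\d-]+)$", line.strip())
        if m:
            mapping[(m.group(1), int(m.group(2)))] = m.group(3)
    return mapping


def unresolved_acl_ids(text):
    """Return ('UID'|'GID', number) for ACL entries whose qualifier is a bare number,
    i.e. ids that NSS (here: winbind) could not turn into a name."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("default:"):
            line = line[len("default:"):]
        parts = line.split(":")
        if len(parts) != 3:
            continue
        kind, qualifier, _perms = parts
        if kind in ("user", "group") and qualifier.isdigit():
            found.append(("UID" if kind == "user" else "GID", int(qualifier)))
    return found


def explain_unresolved(acl_text, dump_text):
    """For every unresolved id in the ACL, report its SID, well-known name and which range allocated it."""
    idmap = parse_idmap_dump(dump_text)
    report = {}
    for kind, num in sorted(set(unresolved_acl_ids(acl_text))):
        sid = idmap.get((kind, num))
        if sid is None:
            report[(kind, num)] = {"sid": None, "name": None, "range": "not allocated by winbind"}
            continue
        if TDB_RANGE[0] <= num <= TDB_RANGE[1]:
            where = "tdb"
        elif AD_RANGE[0] <= num <= AD_RANGE[1]:
            where = "ad"
        else:
            where = "none"
        report[(kind, num)] = {"sid": sid, "name": WELL_KNOWN_SIDS.get(sid), "range": where}
    return report


if __name__ == "__main__":
    for (kind, num), info in explain_unresolved(GETFACL_OUTPUT, IDMAP_DUMP).items():
        print(f"{kind} {num}: {info['sid']} -> {info['name']} (allocated from the {info['range']} range)")
```

Run against the sample it shows that the r-x entry belongs to Authenticated Users and the rwx entry to SYSTEM, both allocated from the '*' tdb range; an id that is neither a well-known SID nor present in the dump is reported as unallocated, which is what a stale ACL entry looks like after an idmap database has been rebuilt.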
On Thu, 13 Oct 2016 10:33:20 +0200 Udo Willke via samba <samba at lists.samba.org> wrote:
> [...]

Do you really need '4294867295' spaces for the '*' range, I only have '7999' and feel that is an overkill, see here for more info:

https://support.microsoft.com/en-us/kb/243330

As for your users home dir not getting created, try running this on the fileserver:

echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/common-account

Add this line to smb.conf:

username map = /etc/samba/user.map

And create the /etc/samba/user.map with this content:

!root = MYDOMAIN\Administrator MYDOMAIN\administrator Administrator administrator

That will map the windows administrator to the Unix root user.

To make windows users visible to the domain member whilst using the winbind 'ad' backend, you must give each user a unique uidNumber attribute inside the range you set for the domain (MYDOMAIN) in smb.conf, you MUST also give Domain Users a gidNumber attribute inside the range.

Rowland
Hello Rowland,

thank you for your swift reply. I made the modifications you suggested, which unfortunately did not better the situation. No change as to the "Creator Owner" rights, and the Administrator account is still shown as locked.

Also, I couldn't spot any suspicious messages in the Samba logfiles besides maybe

get_referred_path: |profiles| in dfs path \fileserver.mydomain.lan\profiles is not a dfs root.
get_referred_path: |home| in dfs path \fileserver.mydomain.lan\home is not a dfs root.

My test users have uidNumbers and gidNumbers defined. I found this nifty command to list them:

root at fileserver:/var/log/samba# net ads search '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber -P
Got 15 replies

sAMAccountName: Enterprise Read-Only Domain Controllers
gidNumber: 10005

sAMAccountName: Administrator
uidNumber: 10000
gidNumber: 10000

sAMAccountName: Enterprise Admins
gidNumber: 10004

sAMAccountName: workgroup-1
gidNumber: 10010

sAMAccountName: Users
gidNumber: 10008

sAMAccountName: DnsAdmins
gidNumber: 10006

sAMAccountName: kbudwi
uidNumber: 10002
gidNumber: 10001

sAMAccountName: kbmamu
uidNumber: 10004
gidNumber: 10001

sAMAccountName: Guest
uidNumber: 10001
gidNumber: 10000

sAMAccountName: Schema Admins
gidNumber: 10003

sAMAccountName: Administrators
gidNumber: 10007

sAMAccountName: Domain Admins
gidNumber: 10000

sAMAccountName: Domain Users
gidNumber: 10001

uidNumber: 10003
gidNumber: 10001
sAMAccountName: kbanre

sAMAccountName: Domain Guests
gidNumber: 10002

I can list those users and groups on the member server using "getent passwd" and "getent group".

What else could be wrong? My impression is that samba and winbind cache a lot of information. Should I start over with the member server?

BTW: I rebooted the server after making the changes - just to be sure.

Thanks in advance and best regards
Udo

On 13.10.2016 at 11:04, Rowland Penny via samba wrote:
> [...]
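Rowland's two rules for the winbind 'ad' backend (every user needs a unique uidNumber inside the domain's idmap range, and Domain Users needs a gidNumber inside it) can be checked mechanically against exactly the `net ads search` listing Udo posted. The script below is an added example, not code from this thread or from the Samba project: it embeds that listing as constructed sample input, assumes the MYDOMAIN range 10000-99999 from the smb.conf earlier in the thread, and goes one step beyond Rowland's two rules by also checking that each user's gidNumber is the gidNumber of some group (otherwise the user's primary group cannot be mapped). It tolerates attribute order varying between records, as it does in the kbanre entry.

```python
# Constructed sample input: the `net ads search` output quoted in Udo's reply above.
NET_ADS_SEARCH_OUTPUT = """\
Got 15 replies

sAMAccountName: Enterprise Read-Only Domain Controllers
gidNumber: 10005

sAMAccountName: Administrator
uidNumber: 10000
gidNumber: 10000

sAMAccountName: Enterprise Admins
gidNumber: 10004

sAMAccountName: workgroup-1
gidNumber: 10010

sAMAccountName: Users
gidNumber: 10008

sAMAccountName: DnsAdmins
gidNumber: 10006

sAMAccountName: kbudwi
uidNumber: 10002
gidNumber: 10001

sAMAccountName: kbmamu
uidNumber: 10004
gidNumber: 10001

sAMAccountName: Guest
uidNumber: 10001
gidNumber: 10000

sAMAccountName: Schema Admins
gidNumber: 10003

sAMAccountName: Administrators
gidNumber: 10007

sAMAccountName: Domain Admins
gidNumber: 10000

sAMAccountName: Domain Users
gidNumber: 10001

uidNumber: 10003
gidNumber: 10001
sAMAccountName: kbanre

sAMAccountName: Domain Guests
gidNumber: 10002
"""

# Constructed sample that violates the rules: a duplicated uidNumber and a Domain Users group
# without gidNumber (hypothetical accounts, not from the thread).
BROKEN_SAMPLE = """\
sAMAccountName: alice
uidNumber: 10002
gidNumber: 10001

sAMAccountName: bob
uidNumber: 10002
gidNumber: 10001

sAMAccountName: Domain Users
"""

# Assumption: idmap config MYDOMAIN : range from the smb.conf in the thread.
DOMAIN_RANGE = (10000, 99999)


def parse_net_ads_search(text):
    """Split `net ads search` output into one dict per object (records are blank-line separated)."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if ":" not in line:          # e.g. the "Got 15 replies" header
            continue
        key, value = line.split(":", 1)
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return [r for r in records if "sAMAccountName" in r]


def check_rfc2307(records, domain_range=DOMAIN_RANGE):
    """Return a list of problems; an empty list means the listing satisfies the rules."""
    lo, hi = domain_range
    problems, uid_owner, group_gids = [], {}, set()
    for r in records:
        name = r["sAMAccountName"]
        if "uidNumber" in r:                                # user object
            uid = int(r["uidNumber"])
            if not lo <= uid <= hi:
                problems.append(f"{name}: uidNumber {uid} outside {lo}-{hi}")
            if uid in uid_owner:
                problems.append(f"{name}: uidNumber {uid} duplicates {uid_owner[uid]}")
            else:
                uid_owner[uid] = name
            if "gidNumber" not in r:
                problems.append(f"{name}: user has no gidNumber, primary group cannot map")
        elif "gidNumber" in r:                              # group object
            gid = int(r["gidNumber"])
            group_gids.add(gid)
            if not lo <= gid <= hi:
                problems.append(f"{name}: gidNumber {gid} outside {lo}-{hi}")
    for r in records:                                       # every user's primary group must exist
        if "uidNumber" in r and "gidNumber" in r and int(r["gidNumber"]) not in group_gids:
            problems.append(f"{r['sAMAccountName']}: gidNumber {r['gidNumber']} matches no group's gidNumber")
    domain_users = next((r for r in records if r["sAMAccountName"] == "Domain Users"), None)
    if domain_users is None or not lo <= int(domain_users.get("gidNumber", -1)) <= hi:
        problems.append("Domain Users needs a gidNumber inside the domain range")
    return problems


if __name__ == "__main__":
    for label, sample in (("thread listing", NET_ADS_SEARCH_OUTPUT), ("broken sample", BROKEN_SAMPLE)):
        found = check_rfc2307(parse_net_ads_search(sample))
        print(f"{label}: {'ok' if not found else ''}")
        for p in found:
            print("  -", p)
```

On the listing from the thread the check passes, which is consistent with Udo's observation that getent already shows the users and groups; the remaining problem is therefore on the ACL side of the share rather than in the rfc2307 attributes.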