Hello Rowland,

On 13.10.2016 at 16:53, Rowland Penny via samba wrote:
> On Thu, 13 Oct 2016 16:22:47 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>
>> Hello Rowland,
>>
>> I have removed the rfc2307-IDs now. I guess going to the "Unix
>> Attributes" tab in ADUC and setting "NIS Domain" to "none" is
>> sufficient?
> No, it should show your domain name.

Hmm, the "NIS Domain" setting is a drop-down menu. When I choose mydomain (in lower case this time) a UID Number is automatically assigned; when I choose <none> the fields are greyed out. So "no uidNumber" and "should show your domain name" don't work at the same time. Or should I choose mydomain and delete the remaining field entries?

>> Checking the getent commands:
>>
>> root@fileserver:/var/log/samba# getent passwd | grep ^MYDOMAIN
>> MYDOMAIN\kbanre:*:10003:10001:XXXXXXXXXX:/var/share/samba/homes/kbanre:/bin/sh
>> MYDOMAIN\kbmamu:*:10004:10001:Max Mustermann:/var/share/samba//homes/kbmamu:/bin/sh
>> MYDOMAIN\kbudwi:*:10002:10001:Udo Willke:/var/share/samba/homes/kbudwi:/bin/sh
>>
>> root@fileserver:/var/log/samba# getent group | grep ^MYDOMAIN
>> MYDOMAIN\domain admins:x:10000:
>> MYDOMAIN\domain users:x:10001:
>> MYDOMAIN\workgroup-1:x:10010:
>>
>> Does this look good?
> Yes
>
>> Should I recreate the /var/share/samba/homes directory? The owner
>> with UID 10000 is not known to Linux now:
> Probably easiest, as long as the old dirs don't contain anything you
> need.

Yes, I have already done this. Now the Administrator account is not shown as locked (!) in ADUC, but I am still not able to assign rights to the "Creator Owner". HOWEVER: in the Advanced View the check marks are there (!) together with the restriction "Files and Subfolders only". But the unwanted accounts "Everyone", "root" and "Creator Group" are still listed on the Security tab?!? And still no home folders ....

>> root@fileserver:~# getfacl /var/share/samba/homes/
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/share/samba/homes/
>> # owner: 10000
>> # group: MYDOMAIN\134domain\040admins
>>
>> ....
>>
>> Apart from that: Still no home folders, not even able to create them
>> manually. All the initial symptoms persist :-(
>>
> Altering the PAM config should create the home dirs as the users
> connect, but why are you putting them in /var ??
> What is wrong with /home/DOMAIN/%U

Nothing at all. I somewhere read that this was a "recommendation" for user shares on Linux, so I mounted my xattr-enabled partition underneath /var/share, but maybe that's wrong? However, I would prefer not to change this right now.

This is /etc/pam.d/common-account, just for verification:

  #
  # /etc/pam.d/common-account - authorization settings common to all services
  #
  # This file is included from other service-specific PAM config files,
  # and should contain a list of the authorization modules that define
  # the central access policy for use on the system. The default is to
  # only deny service to users whose accounts are expired in /etc/shadow.
  #
  # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
  # To take advantage of this, it is recommended that you configure any
  # local modules either before or after the default block, and use
  # pam-auth-update to manage selection of other modules. See
  # pam-auth-update(8) for details.
  #
  # here are the per-package modules (the "Primary" block)
  account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
  account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
  # here's the fallback if no module succeeds
  account requisite pam_deny.so
  # prime the stack with a positive return value if there isn't one already;
  # this avoids us returning an error just because nothing sets a success code
  # since the modules above will each just jump around
  account required pam_permit.so
  # and here are more per-package modules (the "Additional" block)
  account required pam_krb5.so minimum_uid=1000
  # end of pam-auth-update config
  #
  # Modification for Samba
  #
  session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

Entries are TAB-separated. I also checked the syslog for PAM errors with no result. pam_mkhomedir.so is installed:

  root@fileserver:/var/log# locate pam_mkhomedir.so
  /lib/x86_64-linux-gnu/security/pam_mkhomedir.so

I would be looking forward to continuing to track down the problem tomorrow.

Thanks and best regards

Udo

> Rowland
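Two checks worth running on the member server before expecting pam_mkhomedir to create anything on an SMB logon. This is an added example, not code from the thread or from the Samba project; it assumes a Debian-style /etc/pam.d layout and takes the pam.d directory and smb.conf path as parameters so it can be pointed at the constructed sample tree it builds for itself. The first check only reports where a "session" line loading pam_mkhomedir.so lives (pam_mkhomedir is a session module, so an "account" line would never fire it); it does not resolve the @include chain, so it cannot tell whether smbd's service stack reaches that file. The second check is the one most often missed: smbd runs PAM account and session management only when smb.conf sets "obey pam restrictions = yes" in [global], and the default is "no", in which case the session stack is never executed at all.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are parameters so the functions
# can be run against a constructed test tree (below) as well as the live /etc.

# mkhomedir_session_lines PAMDIR
# Prints "file:line" for every session line loading pam_mkhomedir.so found
# directly under PAMDIR; exit status 1 when there is none.
mkhomedir_session_lines() {
    grep -E '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"/* 2>/dev/null
}

# smbd_obeys_pam SMBCONF
# Exit status 0 when "obey pam restrictions" is enabled in smb.conf.
# Without it, smbd never runs the PAM session stack, so pam_mkhomedir is
# never called for SMB logons.
smbd_obeys_pam() {
    grep -iqE '^[[:space:]]*obey[[:space:]]+pam[[:space:]]+restrictions[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' "$1"
}

# build_sample_tree
# Constructed sample data: a pam.d containing the pam_mkhomedir session line
# from the thread in common-account, an untouched common-session, and a
# minimal smb.conf without "obey pam restrictions". Prints the temp dir.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/pam.d"
    printf 'account required pam_unix.so\nsession required pam_mkhomedir.so skel=/etc/skel/ umask=0022\n' \
        > "$d/pam.d/common-account"
    printf 'session required pam_unix.so\n' > "$d/pam.d/common-session"
    printf '[global]\n   workgroup = MYDOMAIN\n   security = ADS\n' > "$d/smb.conf"
    printf '%s\n' "$d"
}

# report PAMDIR SMBCONF
# Human-readable summary; exit status 0 only when both checks pass.
report() {
    ok=0
    if lines=$(mkhomedir_session_lines "$1"); then
        echo "pam_mkhomedir session line(s) found:"
        echo "$lines" | sed 's/^/  /'
    else
        echo "no session line loads pam_mkhomedir.so under $1"
        ok=1
    fi
    if smbd_obeys_pam "$2"; then
        echo "smb.conf: obey pam restrictions = yes (smbd will run the PAM session stack)"
    else
        echo "smb.conf: obey pam restrictions not enabled; smbd will not run pam_mkhomedir"
        ok=1
    fi
    return $ok
}

# Stand-alone run against the constructed tree:  sh check_mkhomedir.sh --demo
# On a real server:  report /etc/pam.d /etc/samba/smb.conf
if [ "${1:-}" = "--demo" ]; then
    t=$(build_sample_tree)
    report "$t/pam.d" "$t/smb.conf"
    rm -rf "$t"
fi
```

On the constructed tree the first check succeeds (the line is found in common-account) and the second fails, which is the combination that produces exactly the symptom in the thread: a correct-looking pam_mkhomedir line, no PAM errors in syslog, and no home directories. Enabling "obey pam restrictions" also makes smbd honour the PAM account stack, so test with a normal domain user before rolling it out.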
On Thu, 13 Oct 2016 17:56:50 +0200
Udo Willke via samba <samba at lists.samba.org> wrote:

> Hello Rowland,
>
> Hmm, the "NIS Domain" setting is a drop-down menu. When I choose
> mydomain (in lower case this time) a UID Number is automatically
> assigned, when I choose <none> the fields are greyed out. So "no
> uidNumber" and "should show your domain name" don't work at the same
> time. Or should I choose mydomain and delete the remaining field
> entries?
>
> [rest of the message above snipped]

It sounds like you don't have IDMU installed, not sure if you can install it on 2012.

Rowland
Hello Rowland,

On 13.10.2016 at 18:25, Rowland Penny via samba wrote:
> It sounds like you don't have IDMU installed, not sure if you can
> install it on 2012.

Are you trying to say that I should install "Identity Management for Unix" on a Windows Server 2012? If yes, I am afraid we have a misunderstanding here: I don't use any Windows Server in my set-up.

I use a fileserver with two network interfaces, one connected to a private network, the other connected to our university network. A Samba AD DC is supposed to manage a small Windows domain in the private net. The fileserver also serves as a gateway to the Windows 7 workstations in the private net. Fileserver and AD DC are both running Ubuntu 16.04 and have the respective Samba packages installed. For testing I have set up two Windows 7 instances on ESXi inside the private net, one with the RSAT tools installed and one as a user PC.

Update: I spent the morning setting up a fresh member server ("FILESERVER2") for testing inside the private net (with 1 NIC only, thereby reducing complexity). I think I have made all the necessary steps and did not forget to grant the SeDiskOperatorPrivilege right to the Domain Admins:

  root@fileserver2:/var/log/samba# net rpc rights list 'MYDOMAIN\Domain Admins' -U'MYDOMAIN\Administrator' -S addc01
  Enter MYDOMAIN\Administrator's password:
  SeDiskOperatorPrivilege

Now I'm stuck in the RSAT Computer Management Console, where I am denied access to the share configuration. On the navigation tree in the left window "Local users and groups" is shown as locked (and I remember this only went away after I assigned a uidNumber to the Administrator account and made it a member of the Domain Admins Unix group). Can't tell if this is a useful hint.

Best Regards

Udo
> Now I'm stuck in the RSAT Computer Management Console where I am denied
> access to the share configuration.

So can someone tell me which of the below Se privileges should not be on the "Domain Admins" group? Because setting only SeDiskOperatorPrivilege is just stupid; really this needs to be changed on the wiki. root = Administrator and Administrator is in "Domain Admins" .... so why not give all privileges? This should always be on Domain Admins imo; how else are you going to manage a domain without all needed privileges?

  net rpc rights list "NTDOM\Domain Admins" -S ADDC1.dnsdomain.tld \
      -UAdministrator
  Enter Administrator's password:
  SeDiskOperatorPrivilege
  SeTakeOwnershipPrivilege
  SeBackupPrivilege
  SeRestorePrivilege
  SeRemoteShutdownPrivilege
  SePrintOperatorPrivilege
  SeAddUsersPrivilege
  SeSecurityPrivilege
  SeSystemtimePrivilege
  SeShutdownPrivilege
  SeDebugPrivilege
  SeSystemEnvironmentPrivilege
  SeSystemProfilePrivilege
  SeProfileSingleProcessPrivilege
  SeIncreaseBasePriorityPrivilege
  SeLoadDriverPrivilege
  SeCreatePagefilePrivilege
  SeIncreaseQuotaPrivilege
  SeChangeNotifyPrivilege
  SeUndockPrivilege
  SeManageVolumePrivilege
  SeImpersonatePrivilege
  SeCreateGlobalPrivilege
  SeEnableDelegationPrivilege
  SeMachineAccountPrivilege

On my domain member:

  cat /etc/samba/samba_usermapping
  !root = NTDOM\Administrator NTDOM\administrator

And in smb.conf (global):

  # user Administrator workaround, without it you are unable to set privileges
  username map = /etc/samba/samba_usermapping

.. reboot ! the server.. and don't forget to log in to the domain as DOMAIN\Administrator on your pc.

Now try again. And right click, choose "connect to", select your server name (not localhost).

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Udo Willke via
> samba
> Sent: Friday, 14 October 2016 14:33
> To: samba at lists.samba.org
> Subject: Re: [Samba] Unable to set up home share correctly
>
> Hello Rowland,
>
> Am 13.10.2016 um 18:25 schrieb Rowland Penny via samba:
> > It sounds like you don't have IDMU installed, not sure if you can
> > install it on 2012.
>
> [rest of Udo's message above snipped]
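A small helper that turns the two "net rpc rights list" outputs in this thread into an actionable diff. This is an added example, not code from the thread or from Samba: it takes a wanted privilege set and the raw output of "net rpc rights list", prints which privileges are missing, and builds the single "net rpc rights grant" command that closes the gap (the command accepts several privilege names after the group). The wanted set below is the 25 privileges Louis listed for "Domain Admins"; pass just SeDiskOperatorPrivilege instead if you only want what the wiki requires for share management. The group, server and account names are placeholders, and the captured output is a constructed copy of what Udo posted.

```shell
#!/bin/sh
# Added example, not from the thread. Diff a group's actual privileges
# (output of "net rpc rights list") against a wanted set and emit the grant.

# The privileges from Louis's "net rpc rights list" output, used here as the
# wanted set. Any whitespace-separated list works.
WANTED_PRIVS="
SeDiskOperatorPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege
SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege
SeAddUsersPrivilege SeSecurityPrivilege SeSystemtimePrivilege
SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege SeUndockPrivilege
SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege
SeEnableDelegationPrivilege SeMachineAccountPrivilege
"

# Constructed copy of Udo's "net rpc rights list" output for his DC. The
# password prompt is part of what the command prints, so it is kept in to
# show that the matcher ignores it.
UDO_OUTPUT="Enter MYDOMAIN\\Administrator's password:
SeDiskOperatorPrivilege"

# missing_privs WANTED ACTUAL_OUTPUT
# Prints, space separated, every privilege in WANTED that does not occur as
# a whole line of ACTUAL_OUTPUT.
missing_privs() {
    out=""
    for p in $1; do
        if ! printf '%s\n' "$2" | grep -qx "$p"; then
            out="$out $p"
        fi
    done
    printf '%s\n' "${out# }"
}

# grant_cmd GROUP SERVER ADMIN WANTED ACTUAL_OUTPUT
# Prints one "net rpc rights grant" command covering the missing privileges,
# or nothing when the group already holds every wanted one.
grant_cmd() {
    missing=$(missing_privs "$4" "$5")
    [ -n "$missing" ] || return 0
    printf 'net rpc rights grant "%s" %s -S %s -U "%s"\n' "$1" "$missing" "$2" "$3"
}

# Stand-alone run against the constructed data:  sh rights_diff.sh --demo
# On a real member server, replace UDO_OUTPUT with the captured output of
#   net rpc rights list "MYDOMAIN\Domain Admins" -S addc01 -U Administrator
if [ "${1:-}" = "--demo" ]; then
    echo "missing: $(missing_privs "$WANTED_PRIVS" "$UDO_OUTPUT")"
    grant_cmd 'MYDOMAIN\Domain Admins' addc01 'MYDOMAIN\Administrator' "$WANTED_PRIVS" "$UDO_OUTPUT"
fi
```

Against Udo's output, 24 of the 25 privileges are reported missing and a single grant command is printed. Keeping the wanted set as an argument rather than hard-coding "everything" lets you grant the narrow SeDiskOperatorPrivilege to a dedicated share-admin group and reserve the broader set for Domain Admins.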