I’ve actually found a solution to my problem, but I wanted to post it here, since someone else might have the problem in the future, and I think it would be nice if I could spare them the week of Googling I needed.

Basically, I have an AD member server, running Samba 4.2.10 (on CentOS 7.2.1511). Here’s my smb.conf:

[global]
workgroup = SUBDOMAIN
server string = Samba Server Version %v
netbios name = SERVER
server signing = mandatory
client signing = mandatory
log file = /var/log/samba/log.%m
max log size = 50
log level = idmap:10 auth:10
security = ADS
realm = SUBDOMAIN.MYDOMAIN.COM
encrypt passwords = yes
winbind enum users = yes
winbind enum groups = yes
winbind normalize names = yes
guest account = pcguest
idmap config *:backend = tdb
idmap config *:range = 30000 - 40000
idmap config SUBDOMAIN:backend = ad
idmap config SUBDOMAIN:schema_mode = rfc2307
idmap config SUBDOMAIN:range = 1000 - 20000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
preferred master = no
name resolve order = bcast host lmhosts
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
wide links = yes
unix extensions = no

[images]
comment = Images
path = /u1/images
writable = yes
read only = no
case sensitive = True
default case = lower
preserve case = no
short preserve case = no
wide links = yes
create mask = 664
directory mask = 775

(I’m guessing some of that is unnecessary, since this is actually a hacked-up Samba 3 configuration I carried over from an earlier server.)

When I tried to map a drive, I’d get a username/password prompt from Windows, even though I was logged in as a valid domain user. In the Samba logs, I’d get:

[2016/12/16 13:24:21.264668, 5, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:378(load_auth_module)
  load_auth_module: Attempting to find an auth method to match ntdomain
[2016/12/16 13:24:21.264673, 5, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:403(load_auth_module)
  load_auth_module: auth method ntdomain has a valid init
[2016/12/16 13:24:21.264679, 5, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:403(load_auth_module)
  load_auth_module: auth method winbind has a valid init
[2016/12/16 13:24:21.391184, 3, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [myuser@SUBDOMAIN.MYDOMAIN.COM]
[2016/12/16 13:24:21.391203, 10, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:83(get_user_from_kerberos_info)
  Domain is [SUBDOMAIN] (using PAC)
[2016/12/16 13:24:22.630245, 3, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username SUBDOMAIN\myuser is invalid on this system

It occurred to me that the username I was using didn’t exist on this system yet, since I hadn’t connected to it before, so I tried creating the user manually (using “useradd” on the Samba server). Then, I was able to connect. I didn’t believe Samba wouldn’t automatically create the users for you, so I kept looking, and finally came across this post:

https://lists.samba.org/archive/samba/2013-February/171720.html

When I commented out the “idmap config SUBDOMAIN:range = 1000 – 20000” line, I was able to connect, even with a username that didn’t already exist on the Samba server.
On Mon, 19 Dec 2016 21:46:21 +0000 (UTC) dadoo dadoo via samba <samba@lists.samba.org> wrote:

> [...]
My guess is that, even though you have set up the domain member to use the winbind 'ad' backend, you haven't given your users a uidNumber inside '1000-20000' and/or given Domain Users a gidNumber inside the same range.

If your domain user doesn't seem to exist on the domain member, it is down to a misconfiguration. When you removed the line, your user got mapped by 'idmap config *:range = 30000 - 40000'. And please note that any user that is in AD shouldn't exist in /etc/passwd as well.

Rowland
> When I commented out the “idmap config SUBDOMAIN:range = 1000 – 20000”
> line, I was able to connect, even with a username that didn’t already
> exist on the Samba server.

About that:

> idmap config *:backend = tdb
> idmap config *:range = 30000 - 40000
> idmap config SUBDOMAIN:backend = ad
> idmap config SUBDOMAIN:schema_mode = rfc2307
> idmap config SUBDOMAIN:range = 1000 - 20000

So you fixed it and not disabling it. Your system used id range 0-1000+ (and the first user gets 1000). The Windows BUILTIN matches 'idmap config *:', but it is set too wide, so it also matched the Linux ids.

Now Samba AD (with AD backend) starts with idmap config DOMAIN 10000-999999 by default.

A preferred layout for idmap config:

# maps to Windows BUILTIN/LOCAL IDs
idmap config *:backend = tdb
idmap config *:range = 2000 - 9999
# the AD starts at 10000-99999
idmap config SUBDOMAIN:backend = ad
idmap config SUBDOMAIN:schema_mode = rfc2307
idmap config SUBDOMAIN:range = 10000 - 99999

With this setup you have the following options:
1) Linux ids only, range 0-1999
2) Linux id + Windows BUILTIN/Windows local ids.
3) Windows AD ids

Now the problem you had with your user was not because it did not exist in Linux, but because it mismatched its id.

If you want "Linux only users", create a user and keep its id below 1999.
If you want a Linux user but with some Windows abilities, create a Linux user with id between 2000-9999.
And Windows users which need Linux access get ids between 10000-999999.

And if you change the ids, don't forget to clear the idmap cache files.
Greetz,
Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On Behalf Of dadoo dadoo via samba
> Sent: Monday, 19 December 2016 22:46
> To: samba@lists.samba.org
> Subject: [Samba] Automatic creation of local users
>
> [...]
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Tue, 20 Dec 2016 10:03:28 +0100 "L.P.H. van Belle via samba" <samba@lists.samba.org> wrote:

> > When I commented out the “idmap config SUBDOMAIN:range = 1000 –
> > 20000” line, I was able to connect, even with a username that
> > didn’t already exist on the Samba server.
>
> About that:

The user got mapped by the '*' domain.

> > idmap config *:backend = tdb
> > idmap config *:range = 30000 - 40000
> > idmap config SUBDOMAIN:backend = ad
> > idmap config SUBDOMAIN:schema_mode = rfc2307
> > idmap config SUBDOMAIN:range = 1000 - 20000
>
> So you fixed it and not disabling it.

No, he borked it.

> Your system used id range 0-1000+ (and the first user gets 1000).
> The Windows BUILTIN matches 'idmap config *:', but it is set too wide,
> so it also matched the Linux ids.

I have given up worrying about things like this; if people are stupid enough to use such low IDs, it is their lookout.

> Now Samba AD (with AD backend) starts with idmap config DOMAIN
> 10000-999999 by default.
>
> A preferred layout for idmap config:
>
> # maps to Windows BUILTIN/LOCAL IDs
> idmap config *:backend = tdb
> idmap config *:range = 2000 - 9999
> # the AD starts at 10000-99999
> idmap config SUBDOMAIN:backend = ad
> idmap config SUBDOMAIN:schema_mode = rfc2307
> idmap config SUBDOMAIN:range = 10000 - 99999
>
> With this setup you have the following options:
> 1) Linux ids only, range 0-1999
> 2) Linux id + Windows BUILTIN/Windows local ids.
> 3) Windows AD ids
>
> Now the problem you had with your user was not because it did not
> exist in Linux, but because it mismatched its id.

No, it was probably because the user didn't have a uidNumber or its contents were invalid.

> If you want "Linux only users", create a user and keep its id below
> 1999.

Agreed.

> If you want a Linux user but with some Windows abilities,
> create a Linux user with id between 2000-9999.

No, a user is either a Unix user or a Windows user that is also a Unix user. You cannot have a user in /etc/passwd and in AD.

> And Windows users which need Linux access get ids between
> 10000-999999.

Agreed.

> And if you change the ids, don't forget to clear the idmap cache
> files.

By running 'net cache flush'.

Rowland
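The idmap layout Louis proposes and the diagnosis Rowland gives (missing or out-of-range uidNumber, and a user present in both /etc/passwd and AD) can be checked before anyone is locked out. The script below is an added example, not code from this thread or from Samba: it parses the `idmap config X:range` lines out of an smb.conf fragment and reports overlapping ranges, AD users whose rfc2307 uidNumber is unset or outside the domain range, and names that exist on both sides. The smb.conf text, the passwd line and the AD records are constructed inline; the local UID range 1000-1999 and the single-AD-domain assumption are mine, following Louis's layout.

```python
import re

# Constructed smb.conf fragment: the poster's original idmap lines.
SMB_CONF_ORIGINAL = """[global]
idmap config *:backend = tdb
idmap config *:range = 30000 - 40000
idmap config SUBDOMAIN:backend = ad
idmap config SUBDOMAIN:schema_mode = rfc2307
idmap config SUBDOMAIN:range = 1000 - 20000
"""
# Louis's preferred layout: the same fragment with non-overlapping ranges.
SMB_CONF_FIXED = SMB_CONF_ORIGINAL.replace("30000 - 40000", "2000 - 9999").replace("1000 - 20000", "10000 - 99999")
# Constructed /etc/passwd line: the poster's manual 'useradd myuser' (CentOS UID_MIN is 1000).
PASSWD_SAMPLE = "myuser:x:1000:1000::/home/myuser:/bin/bash\n"
# Constructed stand-in for AD: sAMAccountName -> rfc2307 uidNumber (None = attribute unset).
AD_USERS = {"myuser": None, "alice": 10500}

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X:range = low - high' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def check_idmap(conf, ad_users, passwd, local=(1000, 1999)):
    """Return findings (empty = consistent). 'local' is the UID range kept for plain Linux
    accounts (assumption: 1000-1999, after Louis's layout); assumes one AD domain besides '*'."""
    findings = []
    ranges = parse_idmap_ranges(conf)
    names = list(ranges)
    for i, d1 in enumerate(names):                      # ranges must not overlap each other
        for d2 in names[i + 1:]:
            if overlaps(ranges[d1], ranges[d2]):
                findings.append(f"idmap range {d1} overlaps {d2}")
    for d, r in ranges.items():                         # ...nor the local Linux UID range
        if overlaps(r, local):
            findings.append(f"idmap range {d} {r} overlaps local UIDs {local}")
    ad_range = next((r for d, r in ranges.items() if d != "*"), None)
    for name, uid in ad_users.items():                  # every AD user needs an in-range uidNumber
        if uid is None:
            findings.append(f"{name}: no uidNumber in AD")
        elif ad_range and not ad_range[0] <= uid <= ad_range[1]:
            findings.append(f"{name}: uidNumber {uid} outside {ad_range}")
    local_names = {l.split(":")[0] for l in passwd.splitlines() if l.strip()}
    for name in ad_users:                               # an AD user must not also be in /etc/passwd
        if name in local_names:
            findings.append(f"{name}: exists in both /etc/passwd and AD")
    return findings
```

Run against the poster's original fragment it reports the range overlap, the missing uidNumber and the duplicated `myuser`; against Louis's layout with only AD users it reports nothing.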
> -----Original Message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On Behalf Of Rowland Penny via samba
>
> > So you fixed it and not disabling it......
>
> No, he borked it.

Yeah, my typos.. :-( That's what I meant..

> > Your system used id range 0-1000+ (and the first user gets 1000).
> > The Windows BUILTIN matches 'idmap config *:', but it is set too wide,
> > so it also matched the Linux ids.
>
> I have given up worrying about things like this; if people are stupid
> enough to use such low IDs, it is their lookout.

It's not always their lookout, maybe it's misinterpretation, because English is not their native language, but luckily this will be noticed by Samba in the future. I saw the work in progress, looks great, and it will help lots of people :-)

> > Now Samba AD (with AD backend) starts with idmap config DOMAIN
> > 10000-999999 by default.
> >
> > A preferred layout for idmap config:
> >
> > # maps to Windows BUILTIN/LOCAL IDs
> > idmap config *:backend = tdb
> > idmap config *:range = 2000 - 9999
> > # the AD starts at 10000-99999
> > idmap config SUBDOMAIN:backend = ad
> > idmap config SUBDOMAIN:schema_mode = rfc2307
> > idmap config SUBDOMAIN:range = 10000 - 99999
> >
> > With this setup you have the following options:
> > 1) Linux ids only, range 0-1999
> > 2) Linux id + Windows BUILTIN/Windows local ids.
> > 3) Windows AD ids
> >
> > Now the problem you had with your user was not because it did not
> > exist in Linux, but because it mismatched its id.
>
> No, it was probably because the user didn't have a uidNumber or its
> contents were invalid.

Yeah, possible, but probably.. as you said.. we can't be 100% sure here..

> > If you want "Linux only users", create a user and keep its id below
> > 1999.
>
> Agreed.
>
> > If you want a Linux user but with some Windows abilities,
> > create a Linux user with id between 2000-9999.
>
> No, a user is either a Unix user or a Windows user that is also a Unix
> user. You cannot have a user in /etc/passwd and in AD.

That's not what I meant: it's either a Linux user or a Windows user. But which one you create depends on the need. I can create a Linux user to manipulate things as a Windows user on Windows shares per server. Or I can create a Windows "BUILTIN\username" which can be used "per server". But with care for both, since the id of this user doesn't have to be the same. You're ok with this? This is how I use it. I'll try to make these things more clear next time.

> > And Windows users which need Linux access get ids between
> > 10000-999999.
>
> Agreed.
>
> > And if you change the ids, don't forget to clear the idmap cache
> > files.
>
> By running 'net cache flush'.
>
> Rowland

Louis