Arnaud Cruzel
2017-Mar-15 12:23 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
Hi everybody,

I have a Samba member server for file sharing configured like below. The domain controllers are on Samba too. All servers are on Samba 4.5.3. When I created the domain I activated rfc2307.

Now I think rfc2307 was a bad idea...

My problem is that I'd like to allow users and computers to access the file server even if uidNumber is not set. If I create a user without uidNumber, he is able to access sysvol (for example) on all DCs without problems. But if he tries to access the file server (from a Windows 10 client), he gets an "Access refused".

I understand that the problem comes from uidNumber not being set. And I think that the solution is related to idmap, winbind and rfc2307. So I'm completely lost with those features: how can I disable idmapping to get the same behavior on the file server as on the domain controller? And if I do that, will the macOS users have problems accessing the shares with the AFP protocol (netatalk)?

I'd like this behavior to permit computers to access shares for installing applications with a GPO set on the DC and applied to computers instead of the users section in the GPO.

Thanks

Below is my smb.conf on the file server:
========================================================
[global]
    netbios name = FS1
    security = ADS
    workgroup = IFPOAD
    realm = IFPOAD.IFPORIENT.ORG
    log file = /var/log/samba/%m.log
    log level = 1
    interfaces=lo eth0
    bind interfaces only=yes
    server string = %h samba server
    wins support = yes

    # Default idmap config used for BUILTIN and local accounts/groups
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config IFPOAD:backend = ad
    idmap config IFPOAD:schema_mode = rfc2307
    idmap config IFPOAD:range = 10000-99999
    winbind nss info = rfc2307
    winbind enum users = yes
    winbind enum groups = yes
    winbind trusted domains only = no
    winbind use default domain = yes

    # Enable Windows extended attributes
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    # For Mac OS compatibility ?
    unix extensions = no

    # Print spool
    rpc_server:spoolss = external
    rpc_daemon:spoolssd = fork
    spoolss: architecture = Windows x64

    veto files = /._*/.DS_Store/~*/
    delete veto files = yes

[Shares]
    path = /srv/samba/shares
    read only = no

[home]
    path = /home/samba
    read only = no

[profile$]
    path = /srv/samba/Profiles
    read only = no

[deploy$]
    path = /srv/samba/deploy
    read only = no

[BkShares]
    path = /srv/Backups/bkIFPO/shares
    read only = no

[printers]
    path = /var/spool/samba/
    printable = yes
    printing = CUPS
=========================================================

--
Arnaud Cruzel
Systems and Network Administrator
Institut français du Proche-Orient (Ifpo)
المعهد الفرنسي للشرق الأدنى
UMIFRE 6 - MAEDI - CNRS - USR 3135
Tel. Lebanon: +961 76 596 131
Tel. France: +33 6 67 51 68 50
a.cruzel at ifporient.org
Rowland Penny
2017-Mar-15 13:17 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
On Wed, 15 Mar 2017 14:23:23 +0200
Arnaud Cruzel via samba <samba at lists.samba.org> wrote:

> Hi everybody,
>
> I have a samba server member for file sharing configured like below.
> Domains controllers are on samba too.
> Every servers are on samba 4.5.3.
> When I created the domain I activated rfc2307.
>
> Now I think rfc2307 was a bad idea...
>

You could use the winbind 'rid' backend instead; this will mean that your users will get different 'IDs', so you will have to change the ownership of any files and directories stored on the fileserver.

You will also have to use 'template' lines in smb.conf for Unix home dirs and shell.

Rowland
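An added example (not from the thread and not Samba project code) that models how the two idmap backends discussed here hand out Unix IDs, using the ranges from the smb.conf posted above; it shows why an account with no uidNumber gets no ID under the ad backend and why the rid backend yields different IDs, so ownership on the file server changes. The RIDs and uidNumber values are constructed, and base_rid is the idmap_rid option that defaults to 0.

```python
import re

# Constructed sample: the idmap lines from the smb.conf posted above (ad/rfc2307 backend)
SMB_CONF_AD = """
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config IFPOAD:backend = ad
idmap config IFPOAD:schema_mode = rfc2307
idmap config IFPOAD:range = 10000-99999
"""

def parse_idmap(conf):
    """Collect 'idmap config DOM : option = value' lines into {DOM: {option: value}}."""
    cfg = {}
    for line in conf.splitlines():
        m = re.match(r"\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom, {})[opt] = val
    return cfg

def unix_id(cfg, domain, rid, uid_number=None):
    """Unix ID winbind hands out for an account of DOMAIN, or None if unmappable.

    ad backend (rfc2307): the uidNumber stored in AD; an account without one
    gets no ID, which is the 'Access refused' case from the thread.
    rid backend: ID = RID - BASE_RID + LOW_RANGE_ID (base_rid defaults to 0).
    """
    dcfg = cfg[domain]
    lo, hi = (int(x) for x in dcfg["range"].split("-"))
    if dcfg["backend"] == "ad":
        uid = uid_number
    elif dcfg["backend"] == "rid":
        uid = rid - int(dcfg.get("base_rid", 0)) + lo
    else:
        raise ValueError("unsupported backend " + dcfg["backend"])
    return uid if uid is not None and lo <= uid <= hi else None

def switch_to_rid(cfg, domain, new_range):
    """Copy of CFG with DOMAIN moved to the rid backend (the change Rowland suggests)."""
    new = {d: dict(o) for d, o in cfg.items()}
    new[domain] = {"backend": "rid", "range": new_range}
    return new

def ranges_overlap(cfg):
    """True if any two idmap ranges overlap (winbind then cannot allocate IDs cleanly)."""
    spans = sorted(tuple(int(x) for x in o["range"].split("-")) for o in cfg.values())
    return any(a[1] >= b[0] for a, b in zip(spans, spans[1:]))
```

Running unix_id for the same account under both configurations makes Rowland's point concrete: the ID differs, so files owned under the old uidNumber must be re-owned after the switch.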
L.P.H. van Belle
2017-Mar-15 14:16 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
> But if he try to access to the file server (from a Windows 10 client),
> he get an "Access refused".

How did he access the share? \\servername\share or \\servername.dnsdom.tld\share (or by \\ip)?
Can he access \\servername without the share?
And the Win10 event ID + description of the "Access refused" would be nice.
The "Share Security" settings are?

It should work with rfc2307; it works fine for me: AD DC 4.5.3 + members 4.5.3/4.6.0, all servers in rfc2307 mode. But I did set extra things, so before I advise something I need the above info first.

Greetz,

Louis
Chris Weiss
2017-Mar-15 14:31 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
On Wed, Mar 15, 2017 at 7:56 AM Arnaud Cruzel via samba <samba at lists.samba.org> wrote:

> I'd like this behavior to permit computers to access to shares for
> installing application with GPO set on DC and applied to computers
> instead of users section in the GPO.

When a client connects to a share, smbd spawns a new process owned by that user, which is why it needs a uid. If you want your share to be readable by anyone, look into the "map to guest" option to give users that can't be validated an alternate uid.
Arnaud Cruzel
2017-Mar-15 15:13 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
On Wednesday 15 March 2017 at 13:17 +0000, Rowland Penny via samba wrote:
> On Wed, 15 Mar 2017 14:23:23 +0200
> Arnaud Cruzel via samba <samba at lists.samba.org> wrote:
>
> > Hi everybody,
> >
> > I have a samba server member for file sharing configured like
> > below.
> > Domains controllers are on samba too.
> > Every servers are on samba 4.5.3.
> > When I created the domain I activated rfc2307.
> >
> > Now I think rfc2307 was a bad idea...
> >
>
> You could use the winbind 'rid' backend instead, this will mean that
> your users will get different 'IDs', so you will have to change the
> ownership of any files and directories stored on the fileserver.
>
> You will also have to use 'template' lines in smb.conf for Unix home
> dirs and shell.
>
> Rowland
>

Thanks for your answer. OK, I tried that. After that, there are no longer any problems accessing the file server with a user without uidNumber. But now it's impossible for Unix clients to access the Samba shares on this server, I think because the uids are different. For information, I didn't have to change the share owners; the server kept the same uids for users (I think because of caching?).
What I did : # diff smb.conf.ad smb.conf.rid 37,39c37,39 < idmap config IFPOAD:backend = ad < idmap config IFPOAD:schema_mode = rfc2307 < idmap config IFPOAD:range = 10000-99999 ---> # idmap config IFPOAD:backend = ad > # idmap config IFPOAD:schema_mode = rfc2307 > # idmap config IFPOAD:range = 10000-9999941,42c41,42 < # idmap config IFPOAD : backend = rid < # idmap config IFPOAD : range = 10000-999999 ---> idmap config IFPOAD : backend = rid > idmap config IFPOAD : range = 10000-99999945,46c45,46 < # winbind nss info = template < # template shell = /bin/bash ---> winbind nss info = template > template shell = /bin/bash47a48,50> template homedir = /Users/%U > > # winbind nss info = rfc230749d51 < winbind nss info = rfc2307 61c63 < unix extensions = no ---> # unix extensions = no75c77 < #username map = /usr/local/samba/etc/user.map ---> username map = /usr/local/samba/etc/user.map
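Review bot: the rid hunk widens the IFPOAD range from 10000-99999 to 10000-999999 while the `*` backend keeps 2000-9999 from the original smb.conf, so the two ranges still do not overlap, which is what you want; but the `61c63` hunk also comments out `unix extensions = no`, which the original config marked "For Mac OS compatibility ?" and which matters given the question about Mac/netatalk clients earlier in the thread, so that line should probably stay as it was. The `75c77` hunk enables `username map = /usr/local/samba/etc/user.map` without showing the file; on a member server every entry in it rewrites which account a connecting user becomes, so its contents should be reviewed together with this change, especially since the ownership question Rowland raised (different IDs under rid) is being answered here by "the server kept the same uids", which reads like cached mappings rather than a verified result.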
Arnaud Cruzel
2017-Mar-15 15:40 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
On Wednesday 15 March 2017 at 15:16 +0100, L.P.H. van Belle via samba wrote:
> > But if he try to access to the file server (from a Windows 10
> > client),
> > he get an "Access refused".
>
> How did he access the share.
> \\servername\share or \\servername.dnsdom.tld\share
> (or by \\ip )

By \\servername\share.

> Can he access \\servername without the share.

No, it can't.

> And the Win10 eventid + discription of the "Access refused" would be
> nice.

There is no event ID nor description. I don't find any entry in the Windows event viewer.

> The "Share Security" settings are?

For example, for the share 'Shares':
For Administrator / Domain Admins / System / Creator Owner = Full Control on folder, subfolders and files
For Authenticated Users / Domain Users = Read and Execute on this folder only

> It should work with rfc2307, i works fine for me
> ADDC 4.5.3 + members 4.5.3/4.6.0
> All servers in rfc2307 mode.

Yes, I'm not saying it's not working. The problem is that to set a GPO to deploy applications, I have to deploy it by user GPO. If I want to do that by computer GPO, I have to set uidNumber on all computers. I'm too lazy to do that :) And now that Windows 10 doesn't allow setting rfc2307 easily with ADUC, it becomes very complicated to set uidNumber manually for each user.

> But i did set extra things, so before i advice something i need the
> above info first.
>
> Greetz,
>
> Louis
Arnaud Cruzel
2017-Mar-15 15:42 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
On Wednesday 15 March 2017 at 14:31 +0000, Chris Weiss via samba wrote:
> On Wed, Mar 15, 2017 at 7:56 AM Arnaud Cruzel via samba <
> samba at lists.samba.org> wrote:
>
> > I'd like this behavior to permit computers to access to shares for
> > installing application with GPO set on DC and applied to computers
> > instead of users section in the GPO.
>
> when a client connects to a share, smbd spawns a new process owned by
> that user, which is why it needs a uid. if you want your share to be
> readable by anyone, look into the "map to guest" option to give users
> that can't be validated an alternate uid.

OK, thanks, I understand why it does that now. So your suggestion could be a solution, but it's not very safe.
L.P.H. van Belle
2017-Mar-15 16:01 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
OK, these:

> For Administrator / Domain Admins / System / Creator Owner = Full
> Control on folder, subfolders and files

are not available on the "Share security" but are on the "Security".
So the "Share security" settings only need: Everyone FULL CONTROL (or Verified users), and I think you're done.

> For Administrator / Domain Admins / System / Creator Owner = Full Control on folder, subfolders and files
> For Authenticated Users / Domain Users = Read and Execute on this folder only

In your case I suggest:

Domain Admins
SYSTEM
CREATOR OWNER (or better GROUP)
CREATOR GROUP
All full control.

Authenticated users OR Domain Users. Setting both isn't needed. With at least read.

I suggest you set (in case of GPO things) Authenticated users, since that also includes the computers. In other cases, use "domain users" and/or the other groups you need.

Greetz,

Louis

> -----Original message-----
> From: Arnaud Cruzel [mailto:a.cruzel at ifporient.org]
> Sent: Wednesday 15 March 2017 16:40
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Allow user without uidNumber to access to a Samba
> member file server
>
> On Wednesday 15 March 2017 at 15:16 +0100, L.P.H. van Belle via samba
> wrote:
> > > But if he try to access to the file server (from a Windows 10
> > > client),
> > > he get an "Access refused".
> >
> > How did he access the share.
> > \\servername\share or \\servername.dnsdom.tld\share
> > (or by \\ip )
> by \\servername\share
>
> > Can he access \\servername without the share.
> no it can't
>
> > And the Win10 eventid + discription of the "Access refused" would be
> > nice.
> There is no event ID neither descriptions. I don't find any entry on
> Windows event viewer.
>
> > The "Share Security" settings are?
> by exemple for the share 'Shares' :
> For Administrator / Domain Admins / System / Creator Owner = Full
> Control on folder, subfolders and files
> For Authenticated Users / Domain Users = Read and Execute on this
> folder only
>
> > It should work with rfc2307, i works fine for me
> > ADDC 4.5.3 + members 4.5.3/4.6.0
> > All servers in rfc2307 mode.
> Yes I don't say it's not working. The problem is for set a GPO to
> deploy applications, I have to deploy it by user GPO.
> If I want to do that by computer GPO I have to set uidNumber to all
> computers. I'm lazy to do that :)
> And now with Windows 10 who don't allow to set rfc2307 easily with ADUC
> it become very complicate to set uidNumber manually for each user.
>
> > But i did set extra things, so before i advice something i need the
> > above info first.
> >
> > Greetz,
> >
> > Louis