Rowland Penny
2017-Jun-19  10:59 UTC
[Samba] New AD user cannot access file share from member server
On Mon, 19 Jun 2017 12:38:09 +0200
Viktor Trojanovic <viktor at troja.ch> wrote:

> Here is the DC's smb.conf:
>
>
> [global]
> workgroup = SAMDOM
> realm = SAMDOM.EXAMPLE.COM
> netbios name = DC
> interfaces = lo br-lxc
> bind interfaces only = Yes
> server role = active directory domain controller
> dns forwarder = 192.168.1.2
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No

Nothing wrong there

>
> I'm not sure what you mean by showing you the user's AD object, can
> you elaborate?

OK, install ldb-tools if not installed, then run this:

ldbsearch -H /usr/local/samba/private/sam.ldb -b 'cn=users,dc=samdom,dc=example,dc=com' -s sub "(&(objectclass=person)(samaccountname=rowland))"

Just in case it has got split up over multiple lines, the above should be just one line.

Replace:
/usr/local/samba/private/sam.ldb with the path to your sam.ldb

dc=samdom,dc=example,dc=com with your dns/realm names

rowland with your users name

You should get something like this back:

# record 1
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
CN: Rowland Penny
sn: Penny
description: A Unix user
givenName: Rowland
instanceType: 4
whenCreated: 20151109093821.0Z
displayName: Rowland Penny
uSNCreated: 3365
name: Rowland Penny
objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
userAccountControl: 66048
codePage: 0
countryCode: 0
homeDrive: H:
pwdLastSet: 130915355010000000
primaryGroupID: 513
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
accountExpires: 0
sAMAccountName: rowland
sAMAccountType: 805306368
userPrincipalName: rowland@samdom.example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
unixUserPassword: ABCD!efgh12345$67890
uid: rowland
msSFU30Name: rowland
msSFU30NisDomain: samdom
uidNumber: 10000
gecos: Rowland Penny
unixHomeDirectory: /home/rowland
loginShell: /bin/bash
memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
homeDirectory: \\MEMBER1\home\rowland
objectClass: top
objectClass: securityPrincipal
objectClass: person
objectClass: organizationalPerson
objectClass: user
gidNumber: 10000
lastLogonTimestamp: 131418520439158520
whenChanged: 20170613182723.0Z
uSNChanged: 121030
lastLogon: 131423412865104840
logonCount: 633
distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com

# returned 1 records
# 1 entries
# 0 referrals

Please post that, though you can sanitise it if you like, but if you do, use the same changes throughout.

>
> Samba is running on (Arch) Linux with Kernel 4.11. Clients are
> Windows 10 with all the latest updates, I'm running the RSAT from
> there.
>

In which case you will not have 'Unix Attributes' tab in ADUC.

Rowland
Viktor Trojanovic
2017-Jun-19  11:51 UTC
[Samba] New AD user cannot access file share from member server
That's correct, I don't have "Unix Attributes" but through the advanced view I have access to all attributes.

The ldbsearch command is not returning anything in my case, it gives me 0 records - no matter which user I try, even the Administrator. I checked the command several times to make sure there are no typos. I even changed the objectclass from "person" to "user" to see if it makes any difference but it doesn't.

I tried both /var/lib/samba/sam.ldb and /var/lib/samba/private/sam.ldb and the environment has LDB_MODULES_PATH set.

I can easily look at the objects using the ADUC from the RSAT, not sure why this isn't working...

On 19 June 2017 at 12:59, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 19 Jun 2017 12:38:09 +0200
> Viktor Trojanovic <viktor at troja.ch> wrote:
>
> > Here is the DC's smb.conf:
> >
> >
> > [global]
> > workgroup = SAMDOM
> > realm = SAMDOM.EXAMPLE.COM
> > netbios name = DC
> > interfaces = lo br-lxc
> > bind interfaces only = Yes
> > server role = active directory domain controller
> > dns forwarder = 192.168.1.2
> > idmap_ldb:use rfc2307 = yes
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/samdom.example.com/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
>
> Nothing wrong there
>
> >
> > I'm not sure what you mean by showing you the user's AD object, can
> > you elaborate?
>
> OK, install ldb-tools if not installed, then run this:
>
> ldbsearch -H /usr/local/samba/private/sam.ldb -b
> 'cn=users,dc=samdom,dc=example,dc=com' -s sub
> "(&(objectclass=person)(samaccountname=rowland))"
>
> Just in case it has got split up over multiple lines, the above should
> be just one line.
>
> Replace:
> /usr/local/samba/private/sam.ldb with the path to your sam.ldb
>
> dc=samdom,dc=example,dc=com with your dns/realm names
>
> rowland with your users name
>
> You should get something like this back:
>
> # record 1
> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> CN: Rowland Penny
> sn: Penny
> description: A Unix user
> givenName: Rowland
> instanceType: 4
> whenCreated: 20151109093821.0Z
> displayName: Rowland Penny
> uSNCreated: 3365
> name: Rowland Penny
> objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
> userAccountControl: 66048
> codePage: 0
> countryCode: 0
> homeDrive: H:
> pwdLastSet: 130915355010000000
> primaryGroupID: 513
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
> accountExpires: 0
> sAMAccountName: rowland
> sAMAccountType: 805306368
> userPrincipalName: rowland@samdom.example.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> unixUserPassword: ABCD!efgh12345$67890
> uid: rowland
> msSFU30Name: rowland
> msSFU30NisDomain: samdom
> uidNumber: 10000
> gecos: Rowland Penny
> unixHomeDirectory: /home/rowland
> loginShell: /bin/bash
> memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
> memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
> memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
> homeDirectory: \\MEMBER1\home\rowland
> objectClass: top
> objectClass: securityPrincipal
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> gidNumber: 10000
> lastLogonTimestamp: 131418520439158520
> whenChanged: 20170613182723.0Z
> uSNChanged: 121030
> lastLogon: 131423412865104840
> logonCount: 633
> distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> Please post that, though you can sanitise it if you like, but if you
> do, use the same changes throughout.
>
> >
> > Samba is running on (Arch) Linux with Kernel 4.11. Clients are
> > Windows 10 with all the latest updates, I'm running the RSAT from
> > there.
> >
>
> In which case you will not have 'Unix Attributes' tab in ADUC.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Rowland Penny
2017-Jun-19  12:06 UTC
[Samba] New AD user cannot access file share from member server
On Mon, 19 Jun 2017 13:51:31 +0200
Viktor Trojanovic <viktor at troja.ch> wrote:

> That's correct, I don't have "Unix Attributes" but through the
> advanced view I have access to all attributes.

The 'Unix Attributes' tab just makes it easier ;-)

>
> The ldbsearch command is not returning anything in my case, it gives
> me 0 records - no matter which user I try, even the Administrator. I
> checked the command several times to make sure there are no typos. I
> even changed the objectclass from "person" to "user" to see if it
> makes any difference but it doesn't.
>
> I tried both /var/lib/samba/sam.ldb
> and /var/lib/samba/private/sam.ldb and the environment
> has LDB_MODULES_PATH set.
>

OK, try this in a terminal on the Samba AD DC:

samba -b | grep 'PRIVATE_DIR' | awk '{print $NF}'

This should print the path to the private dir that contains 'sam.ldb'.

Replace /usr/local/samba/private with whatever the command line above produces.

You should then get output similar to what I posted earlier, though you will have to run the commands as 'root' on the Samba DC.

Rowland
lingpanda101
2017-Jun-19  12:20 UTC
[Samba] New AD user cannot access file share from member server
On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:

> That's correct, I don't have "Unix Attributes" but through the advanced
> view I have access to all attributes.
>
> The ldbsearch command is not returning anything in my case, it gives me 0
> records - no matter which user I try, even the Administrator. I checked the
> command several times to make sure there are no typos. I even changed the
> objectclass from "person" to "user" to see if it makes any difference but
> it doesn't.
>
> I tried both /var/lib/samba/sam.ldb and /var/lib/samba/private/sam.ldb
> and the environment has LDB_MODULES_PATH set.
>
> I can easily look at the objects using the ADUC from the RSAT, not sure why
> this isn't working...
>
> On 19 June 2017 at 12:59, Rowland Penny via samba <samba at lists.samba.org>
> wrote:
>
>> On Mon, 19 Jun 2017 12:38:09 +0200
>> Viktor Trojanovic <viktor at troja.ch> wrote:
>>
>>> Here is the DC's smb.conf:
>>>
>>>
>>> [global]
>>> workgroup = SAMDOM
>>> realm = SAMDOM.EXAMPLE.COM
>>> netbios name = DC
>>> interfaces = lo br-lxc
>>> bind interfaces only = Yes
>>> server role = active directory domain controller
>>> dns forwarder = 192.168.1.2
>>> idmap_ldb:use rfc2307 = yes
>>>
>>> [netlogon]
>>> path = /var/lib/samba/sysvol/samdom.example.com/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /var/lib/samba/sysvol
>>> read only = No
>> Nothing wrong there
>>
>>> I'm not sure what you mean by showing you the user's AD object, can
>>> you elaborate?
>> OK, install ldb-tools if not installed, then run this:
>>
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b
>> 'cn=users,dc=samdom,dc=example,dc=com' -s sub
>> "(&(objectclass=person)(samaccountname=rowland))"
>>
>> Just in case it has got split up over multiple lines, the above should
>> be just one line.
>>
>> Replace:
>> /usr/local/samba/private/sam.ldb with the path to your sam.ldb
>>
>> dc=samdom,dc=example,dc=com with your dns/realm names
>>
>> rowland with your users name
>>
>> You should get something like this back:
>>
>> # record 1
>> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>> CN: Rowland Penny
>> sn: Penny
>> description: A Unix user
>> givenName: Rowland
>> instanceType: 4
>> whenCreated: 20151109093821.0Z
>> displayName: Rowland Penny
>> uSNCreated: 3365
>> name: Rowland Penny
>> objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
>> userAccountControl: 66048
>> codePage: 0
>> countryCode: 0
>> homeDrive: H:
>> pwdLastSet: 130915355010000000
>> primaryGroupID: 513
>> objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
>> accountExpires: 0
>> sAMAccountName: rowland
>> sAMAccountType: 805306368
>> userPrincipalName: rowland@samdom.example.com
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>> unixUserPassword: ABCD!efgh12345$67890
>> uid: rowland
>> msSFU30Name: rowland
>> msSFU30NisDomain: samdom
>> uidNumber: 10000
>> gecos: Rowland Penny
>> unixHomeDirectory: /home/rowland
>> loginShell: /bin/bash
>> memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
>> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
>> memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
>> memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
>> memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
>> homeDirectory: \\MEMBER1\home\rowland
>> objectClass: top
>> objectClass: securityPrincipal
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> gidNumber: 10000
>> lastLogonTimestamp: 131418520439158520
>> whenChanged: 20170613182723.0Z
>> uSNChanged: 121030
>> lastLogon: 131423412865104840
>> logonCount: 633
>> distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>>
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>>
>> Please post that, though you can sanitise it if you like, but if you
>> do, use the same changes throughout.
>>
>>> Samba is running on (Arch) Linux with Kernel 4.11. Clients are
>>> Windows 10 with all the latest updates, I'm running the RSAT from
>>> there.
>>>
>> In which case you will not have 'Unix Attributes' tab in ADUC.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>

Use this command, replacing my name with your username.

/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=local' -s sub "(&(objectclass=person)(samaccountname=james))"

Rowland was linking to the CN=users. Yours may not be located there.

--
James
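The procedure the thread arrives at (find the private dir with `samba -b`, then run `ldbsearch` against `sam.ldb` from the domain root rather than `CN=Users`) as one script. This is an added example, not code from the thread or from the Samba project. It assumes `samba` and `ldbsearch` are in `PATH`, that it is run as root on the DC, and that the realm and username are passed as arguments; the `samba -b` sample embedded in it is constructed for the offline demo, not captured from a real build. It also escapes the username per RFC 4515 before putting it in the filter, and asks only for the attributes that matter for an idmap/rfc2307 question, so that `unixUserPassword` and other secrets are never in the output you paste to a public list.

```shell
#!/bin/sh
# Added example (not from the thread). Locate sam.ldb, then look up one AD
# user the way the thread describes, requesting only non-sensitive attributes.

# Constructed sample of `samba -b` output, used only for the offline demo.
SAMPLE_BUILD_OPTS='   SBINDIR: /usr/sbin
   PRIVATE_DIR: /var/lib/samba/private
   LOCKDIR: /var/lib/samba'

# Read `samba -b` output on stdin and print the PRIVATE_DIR value
# (same idea as the grep/awk pipeline posted above).
private_dir_from_build_opts() {
    awk '/PRIVATE_DIR/ { print $NF }'
}

# Turn a realm such as SAMDOM.EXAMPLE.COM into dc=samdom,dc=example,dc=com.
realm_to_base_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -e 's/^/dc=/' -e 's/\./,dc=/g'
}

# Escape a value for use inside an LDAP filter (RFC 4515): \ ( ) *.
# Backslash must be handled first so the other escapes are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/(/\\28/g' -e 's/)/\\29/g' -e 's/\*/\\2a/g'
}

# Filter for a user object by sAMAccountName.
user_filter() {
    printf '(&(objectClass=person)(sAMAccountName=%s))' "$(ldap_filter_escape "$1")"
}

# Search from the domain root so users outside CN=Users are found too.
# The attribute list deliberately leaves out unixUserPassword and other secrets.
search_user() {
    sam_ldb="$1"; realm="$2"; user="$3"
    ldbsearch -H "$sam_ldb" -b "$(realm_to_base_dn "$realm")" -s sub "$(user_filter "$user")" \
        dn sAMAccountName objectSid primaryGroupID uidNumber gidNumber \
        unixHomeDirectory loginShell memberOf
}

# Usage (as root on the DC): sh find_ad_user.sh SAMDOM.EXAMPLE.COM rowland
if [ "$#" -eq 2 ] && command -v samba >/dev/null 2>&1; then
    SAM_LDB="$(samba -b | private_dir_from_build_opts)/sam.ldb"
    search_user "$SAM_LDB" "$1" "$2"
fi
```

If the search still returns 0 records, the path printed from `samba -b` is the one to use for `-H`; a packaged build typically differs from the `/usr/local/samba/private` default the thread quotes.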