Stephen
2019-Mar-29 17:21 UTC
[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.
Hi Rowland!

On 29/03/2019 16:33, Rowland Penny via samba wrote:
> Roll on 'Buster' ;-) 4.5.x is well EOL.

It's not ideal I know! ;) Unfortunately I (and every other Raspberry Pi user) am stuck with this for now since this is the default Samba package that Raspbian currently uses unfortunately. I did check to see if it could be upgraded using apt to something a little more recent but apparently not :(

> > dns forwarder = XXX XXX XXX (obliterated here for privacy reasons!)
>
> You might as well 'obliterate' totally, it is only used on a DC.

Duly noted, thanks for the tip.

> So, stephenellwood is an AD user, but is it also a Unix user?

Aha! That's probably why my setup is not working! My passwd file on fs1 below suggests there is no stephenellwood Unix user account:

pi@fs1:~ $ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
pi:x:1000:1000:,,,:/home/pi:/bin/bash
messagebus:x:105:109::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
avahi:x:108:112:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false

There is obviously a major gap in my understanding here. Have I understood you correctly Rowland? You appear to be suggesting that there must be a separate individual Linux user account on EVERY Samba file server, one new Unix user account corresponding to every Active Directory account? So what's the point in using a centralised authentication service like Active Directory then - I don't understand - what does AD actually achieve in Windows networking?

I used the following Samba tutorials to set up my fileserver fs1 but unfortunately these do not mention the need to create user accounts to complement those that Active Directory creates.

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Using_Domain_Accounts_and_Groups_in_Operating_System_Commands
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

How do I rectify this? Can you point me at a suitable tutorial?

> Have you added RFC2307 attributes to AD ?

I don't know what this means, can you please clarify? All I could find on Google was this link https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and I believe I have already followed the instructions there.

> Have you installed these packages: libpam-winbind libnss-winbind
> libpam-krb5

Yes I definitely installed those packages.

> Have you added 'winbind' to the 'passwd' & 'group' lines
> in /etc/nsswitch.conf ?

Yes, please see my nsswitch.conf below:

pi@fs1:~ $ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Ser
# If you have the `glibc-doc-reference'
# `info libc "Name Service Switch"' for

passwd: files winbind
group: files winbind
shadow: compat
gshadow: files

hosts: files mdns4_minimal [NO
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: files winbind

Thanks

Stephen
Rowland Penny
2019-Mar-29 18:02 UTC
[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.
On Fri, 29 Mar 2019 17:21:54 +0000
Stephen via samba <samba at lists.samba.org> wrote:

> Hi Rowland!
>
> On 29/03/2019 16:33, Rowland Penny via samba wrote
> > Roll on 'Buster' ;-) 4.5.x is well EOL.
>
> It's not ideal I know! ;) Unfortunately I (and every other Raspberry
> Pi user) am stuck with this for now since this is the default Samba
> package that Raspbian currently uses unfortunately. I did check to
> see if it could be upgraded using apt to something a little more
> recent but apparently not :(
>
> > > dns forwarder = XXX XXX XXX (obliterated here for privacy reasons!)
> >
> > You might as well 'obliterate' totally, it is only used on a DC.
>
> Duly noted, thanks for the tip.
>
> > So, stephenellwood is an AD user, but is it also a Unix user?
>
> Aha! That's probably why my setup is not working! My passwd file on
> fs1 below suggests there is no stephenellwood Unix user account
>
> pi@fs1:~ $ cat /etc/passwd
> [snip: /etc/passwd listing quoted in full above]
>
> There is obviously a major gap in my understanding here. Have I
> understood you correctly Rowland? You appear to be suggesting that
> there must be a separate individual Linux user account on EVERY Samba
> file server, one new Unix user account corresponding to every Active
> Directory account?

Err no, exactly the opposite ;-)

What I was trying to get across is that whilst 'wbinfo -u' shows your user, it doesn't mean that the Unix OS knows your user. For the Unix OS to know your user, you must use Samba to make the Windows user a Unix user as well. There are two main ways to do this, using the rid or ad winbind backends. Using 'rid' is easiest, you just set up smb.conf correctly, but you have set up your smb.conf to use the 'ad' backend and this involves more work. You must add a uidNumber attribute containing a unique number, inside the range you have set in smb.conf, to every user you want to be a Unix user AND give 'Domain Users' a gidNumber attribute containing a number inside the same range.

> So what's the point in using a centralised
> authentication service like Active Directory then - I don't
> understand - what does AD actually achieve in Windows networking?

I think I answered that above.

> I used the following Samba tutorials to set up my fileserver fs1 but
> unfortunately these do not mention the need to create user accounts
> to complement those that Active Directory creates.
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Using_Domain_Accounts_and_Groups_in_Operating_System_Commands

Under 'Configuring Samba' there is this:

If you need your users to have different login shells and/or Unix home directory paths, or you want them to have the same ID everywhere, you will need to use the winbind 'ad' backend and add RFC2307 attributes to AD.

Underneath that, in a blue box, with a big blue 'i' sign, there is this:

The RFC2307 attributes are not added automatically when users or groups are created.

> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> How do I rectify this? Can you point me at a suitable tutorial?

You don't need to rectify that ;-)

> > Have you added RFC2307 attributes to AD ?
>
> I don't know what this means, can you please clarify?

If you do not know what it means, then you very probably did not do it and it is compulsory for the 'ad' backend. The RFC2307 attributes are what you need to add to an AD user to make Unix know who your users are. I explained this above, so to make 'stephenellwood' a Unix user, do this:

Log into a Samba DC as root (or use sudo) and run:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb

Search for 'stephenellwood' (use Ctrl-w)
Add into the object:
uidNumber: 10000
Search again for 'dn: cn=Domain Users'
Add into the object:
gidNumber: 10000
Close and save with 'Ctrl-x'

Go back to your fileserver and type 'getent passwd stephenellwood'

This should produce output.

> > Have you installed these packages: libpam-winbind libnss-winbind
> > libpam-krb5
> Yes I definitely installed those packages.
> > Have you added 'winbind' to the 'passwd' & 'group' lines
> > in /etc/nsswitch.conf ?
> Yes, please see my nsswitch.conf below:
>
> pi@fs1:~ $ cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Ser
> # If you have the `glibc-doc-reference'
> # `info libc "Name Service Switch"' for
>
> passwd: files winbind
> group: files winbind
> shadow: compat
> gshadow: files
>
> hosts: files mdns4_minimal [NO
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: files winbind

Remove 'winbind' from the 'netgroup' line.

Rowland
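The requirements Rowland lays out for the 'ad' backend (a uidNumber on every user, a gidNumber on 'Domain Users', both inside the idmap range from smb.conf) as an added offline checker; this is not code from the thread or from Samba. The smb.conf fragment, the LDIF and the user 'jdoe' are constructed, and the 10000-999999 range is an assumption because Stephen's smb.conf is not shown; on a real DC the LDIF would come from ldbsearch against sam.ldb.

```python
import re

# Constructed smb.conf fragment (Stephen's real range is never shown in the
# thread, so 10000-999999 is an assumption); '*' proves the domain line wins.
SMB_CONF = """[global]
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-999999"""

# Constructed LDIF as ldbsearch prints it from sam.ldb: stephenellwood as
# Rowland set him up, Domain Users still without gidNumber, made-up 'jdoe'.
SAM_LDIF = """dn: CN=stephenellwood,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: stephenellwood
objectClass: user
uidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Users
objectClass: group

dn: CN=jdoe,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: jdoe
objectClass: user
uidNumber: 5000"""

def idmap_range(conf, domain):
    """Return (low, high) from the 'idmap config DOMAIN : range' line."""
    pat = r"idmap config\s+%s\s*:\s*range\s*=\s*(\d+)-(\d+)" % re.escape(domain)
    m = re.search(pat, conf)
    if not m:
        raise ValueError("no idmap range configured for %s" % domain)
    return int(m.group(1)), int(m.group(2))

def parse_ldif(text):
    """Blank-line-separated blocks become dicts of attribute -> value."""
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def check_rfc2307(conf, ldif, domain="SAMDOM"):
    """Explain why winbind's 'ad' backend would not give an object a Unix id."""
    low, high = idmap_range(conf, domain)
    problems = []
    for entry in parse_ldif(ldif):
        name = entry["sAMAccountName"]
        attr = "gidNumber" if entry["objectClass"] == "group" else "uidNumber"
        if attr not in entry:
            problems.append(f"{name}: missing {attr}")
        elif not low <= int(entry[attr]) <= high:
            problems.append(f"{name}: {attr} {entry[attr]} outside {low}-{high}")
    return problems
```

An empty list from check_rfc2307 is the state in which 'getent passwd stephenellwood' on the member server can be expected to return a line.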
Stephen
2019-Apr-01 14:12 UTC
[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.
Hi Rowland, thanks for your suggestions.

I have read and re-read the Samba docs to try and understand where I went wrong here. I added the uidNumber and gidNumber exactly as per your comments and that seems to improve the situation markedly. I can now at least see that the share exists from SAMDOM\stephenellwood which wasn't possible before. File access is now possible from SAMDOM/stephenellwood when I configure NTFS security permissions to allow read and write access for group Everyone.

I am still seeing issues with fileshare access from custom AD groups though. For example, I removed the NTFS security permissions access to group Everyone on my share. I then created a group OgdenFilesUsers using the ADUC RSAT tool and added SAMDOM/stephenellwood to this. Even when security permissions are set for OgdenFilesUsers to allow read and write permissions it still won't seem to allow access. For good measure I then went and set the gidNumber attribute for my newly created OgdenFilesUsers group to 10001 but that didn't make any difference.

Thanks

Stephen Ellwood