John Redmond
2019-Oct-22 16:56 UTC
[Samba] Samba domain users AWOL from Samba file server.
Using samba-tool on my samba DC, I created several users. On my separate samba file server, joined to the domain, all the users are listed as belonging to Domain Users (getent group "Domain Users"). However, several domain users are missing from the passwd database on the file server (i.e., nothing returned when I run getent passwd user3). Why would that be? Each user has its own uidNumber set using the Windows ADUC RSAT tool.

Thank you.

John Redmond
Rowland penny
2019-Oct-22 17:21 UTC
[Samba] Samba domain users AWOL from Samba file server.
On 22/10/2019 17:56, John Redmond via samba wrote:
> Using samba-tool on my samba DC, I created several users. On my separate
> samba file server, joined to the domain, all the users are listed as
> belonging to Domain Users (getent group "Domain Users"). However, several
> domain users are missing from the passwd database on the file server (i.e.,
> nothing returned when I run getent passwd user3). Why would that be?
> Each user has its own uidNumber set using the Windows ADUC RSAT tool.
>
> Thank you.
>
> John Redmond

If you are using the 'ad' backend for the main domain on a Unix domain member, then you will have a line similar to this:

idmap config DOMAIN : range = 10000-199999

Provided Domain Users has a gidNumber attribute containing a number inside the range set in smb.conf (10000-199999 above) and the users have a uidNumber attribute containing a unique number in the same range, then they should be found by getent. Any uidNumber attributes containing numbers outside the range will be ignored.

Rowland
Rowland penny
2019-Oct-22 18:11 UTC
[Samba] Samba domain users AWOL from Samba file server.
On 22/10/2019 18:58, John Redmond wrote:
> Thanks, Rowland. Here's the smb.conf file on the Unix domain member.
> I know you are not a fan of winbind enum, but I added it to see if it
> helped.

It isn't that I am not a fan of 'winbind enum', it is that it only does two things:

It enumerates users and groups (which isn't actually required)

It slows things down

I would only use the two lines for testing purposes; once you are sure everything is working, I would suggest you comment them out.

>
> #/etc/samba/smb.conf
> [global]
>
>    workgroup = SAMDOM
>    realm = SAMDOM.EXAMPLE.COM
>    security = ADS
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>    server string = Samba File Server %h (Ubuntu 18.04)
>
>    idmap config * : backend = tbd
>    idmap config * : range = 3000-7999
>    idmap config SAMDOM : backend = ad
> #  idmap config SAMDOM : backend = rid
>    idmap config SAMDOM : schema_mode = rfc2307
>    idmap config SAMDOM : range = 10000-99999
>
>    template homedir = /home/samdom/%U
>    template shell = /bin/bash
>
>    winbind use default domain = true
>    winbind expand groups = 2
>    winbind refresh tickets = yes
>    winbind normalize names = yes
> #  winbind offline logon = yes
>    winbind nss info = rfc2307
>    winbind enum users = yes
>    winbind enum groups = yes
>
>    domain master = no
>    local master = no
>    preferred master = no
> #  os level = 20
> #  map to guest = bad user
> #  host msdfs = no
>
>    vfs objects = acl_xattr
>    map acl inherit = yes
>    store dos attributes = yes
>
> #  dns proxy = no
>
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>
>    syslog = 0
>    log level = 1
> #auth:5 winbind:5
>
> #Disable printing completely
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
>
>
> [profiles]
>    comment = User and group files
>    path = /home/lan
>    guest ok = no
>    browseable = no
>    create mask = 0600
>    directory mask = 0700
>
> [allusers]
>    comment = Company-wide files
>    path = /home/lan/allusers
>    guest ok = no
>    browseable = yes
>    create mask = 0600
>    directory mask = 0700
>
> [accounting]
>    comment = Bookkeeping and accounting files
>    path = /home/lan/accounting
>    guest ok = no
>    browseable = no
>    create mask = 0600
>    directory mask = 0700

If you think that the missing users shouldn't be missing because they have the correct uidNumber attributes, then I suggest you check in AD. The easiest way would be to use samba-tool on the DC:

samba-tool user show <username>

Look for the uidNumber attribute.

Rowland
John Redmond
2019-Oct-22 18:43 UTC
[Samba] Samba domain users AWOL from Samba file server.
Unfortunately, the Ubuntu 18.04 samba-tool package doesn't have "user show" as an option.

The Windows ADUC tool shows user1 uidNumber=10001, user2 uidNumber=10002, user3 uidNumber=10003, and user4 uidNumber=10004.

Here are the getent command results on the file server/domain member:

admin@fsvr0:~$ getent passwd user1
hq-user1:*:11103:10513::/home/lan/user1:/bin/bash
admin@fsvr0:~$ getent passwd user2
hq-user2:*:11106:10513::/home/lan/user2:/bin/bash
admin@fsvr0:~$ getent passwd user3
admin@fsvr0:~$ getent passwd user4
admin@fsvr0:~$ getent group "Domain Users"
domain_users:x:10513:user1,user2,user3,user4,administrator,krbtgt

On Tue, Oct 22, 2019 at 2:12 PM Rowland penny via samba <samba@lists.samba.org> wrote:
> On 22/10/2019 18:58, John Redmond wrote:
> > Thanks, Rowland. Here's the smb.conf file on the Unix domain member.
> > I know you are not a fan of winbind enum, but I added it to see if it
> > helped.
>
> It isn't that I am not a fan of 'winbind enum', it is that it only does
> two things:
>
> It enumerates users and groups (which isn't actually required)
>
> It slows things down
>
> I would only use the two lines for testing purposes; once you are sure
> everything is working, I would suggest you comment them out.
>
> >
> > #/etc/samba/smb.conf
> > [global]
> >
> >    workgroup = SAMDOM
> >    realm = SAMDOM.EXAMPLE.COM
> >    security = ADS
> >    dedicated keytab file = /etc/krb5.keytab
> >    kerberos method = secrets and keytab
> >    server string = Samba File Server %h (Ubuntu 18.04)
> >
> >    idmap config * : backend = tbd
> >    idmap config * : range = 3000-7999
> >    idmap config SAMDOM : backend = ad
> > #  idmap config SAMDOM : backend = rid
> >    idmap config SAMDOM : schema_mode = rfc2307
> >    idmap config SAMDOM : range = 10000-99999
> >
> >    template homedir = /home/samdom/%U
> >    template shell = /bin/bash
> >
> >    winbind use default domain = true
> >    winbind expand groups = 2
> >    winbind refresh tickets = yes
> >    winbind normalize names = yes
> > #  winbind offline logon = yes
> >    winbind nss info = rfc2307
> >    winbind enum users = yes
> >    winbind enum groups = yes
> >
> >    domain master = no
> >    local master = no
> >    preferred master = no
> > #  os level = 20
> > #  map to guest = bad user
> > #  host msdfs = no
> >
> >    vfs objects = acl_xattr
> >    map acl inherit = yes
> >    store dos attributes = yes
> >
> > #  dns proxy = no
> >
> >    log file = /var/log/samba/log.%m
> >    max log size = 1000
> >
> >    syslog = 0
> >    log level = 1
> > #auth:5 winbind:5
> >
> > #Disable printing completely
> >    load printers = no
> >    printing = bsd
> >    printcap name = /dev/null
> >    disable spoolss = yes
> >
> >
> > [profiles]
> >    comment = User and group files
> >    path = /home/lan
> >    guest ok = no
> >    browseable = no
> >    create mask = 0600
> >    directory mask = 0700
> >
> > [allusers]
> >    comment = Company-wide files
> >    path = /home/lan/allusers
> >    guest ok = no
> >    browseable = yes
> >    create mask = 0600
> >    directory mask = 0700
> >
> > [accounting]
> >    comment = Bookkeeping and accounting files
> >    path = /home/lan/accounting
> >    guest ok = no
> >    browseable = no
> >    create mask = 0600
> >    directory mask = 0700
>
> If you think that the missing users shouldn't be missing because they
> have the correct uidNumber attributes, then I suggest you check in AD.
> The easiest way would be to use samba-tool on the DC:
>
> samba-tool user show <username>
>
> Look for the uidNumber attribute.
>
> Rowland
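A small checker, added here as an example and not part of the thread or of Samba itself, for the two things discussed above: Rowland's rule that the 'ad' backend only honours uidNumber/gidNumber values inside the domain's "idmap config DOMAIN : range", and John's comparison of the ADUC attribute values with what getent returns on the member. The smb.conf lines, attribute values and getent output below are constructed from the figures quoted in this thread; any AD user whose uidNumber does not appear as the uid of any getent entry is reported, without guessing at the cause.

```python
import re

# Constructed sample input based on the thread: the idmap range lines from the
# posted smb.conf, the uidNumber/gidNumber values reported from ADUC, and the
# getent output from the domain member (user3 and user4 returned nothing).
SMB_CONF = """\
[global]
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-99999
"""
AD_UIDS = {"user1": 10001, "user2": 10002, "user3": 10003, "user4": 10004}
AD_GIDS = {"Domain Users": 10513}
GETENT_PASSWD = """\
hq-user1:*:11103:10513::/home/lan/user1:/bin/bash
hq-user2:*:11106:10513::/home/lan/user2:/bin/bash
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def ids_outside_range(ids, rng):
    """Names whose uidNumber/gidNumber lies outside (low, high); the ad backend ignores these."""
    low, high = rng
    return sorted(name for name, num in ids.items() if not low <= num <= high)


def parse_getent_passwd(text):
    """Map the name field of each getent passwd line to its numeric uid."""
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: int(f[2]) for f in rows if len(f) >= 3}


def not_resolved_with_ad_uid(ad_uids, getent):
    """AD users whose uidNumber is not the uid of any entry getent returned."""
    seen = set(getent.values())
    return sorted(name for name, uid in ad_uids.items() if uid not in seen)


if __name__ == "__main__":
    rng = parse_idmap_ranges(SMB_CONF)["SAMDOM"]
    print("users outside idmap range:", ids_outside_range(AD_UIDS, rng))
    print("groups outside idmap range:", ids_outside_range(AD_GIDS, rng))
    print("users not resolved with their AD uidNumber:",
          not_resolved_with_ad_uid(AD_UIDS, parse_getent_passwd(GETENT_PASSWD)))
```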