Rowland penny
2020-Dec-16 17:25 UTC
[Samba] Users can't mount shares on a domain member file server
On 16/12/2020 17:01, MAS Jean-Louis via samba wrote:
> On 16/12/2020 at 17:17, Rowland penny via samba wrote:
>
>> You are getting IDs in the 400000 range because that is what you
>> have set in the '*' domain and as you are getting numbers such as
>> '400002', then 'jlmas' does not have a uidNumber attribute containing
>> a number inside the '500-400000' range or Domain Users does not have
>> a gidNumber attribute containing a number inside the same range, or
>> to put it another way:
>>
>> Have you manually added uidNumber and gidNumber attributes to your
>> users & groups in AD ?
>
> Yes. In fact our only source of authentication for Linux and Windows
> is our AD Samba4.
> We have added all the posix accounts attributes to our users when we
> created them.
>
> For example, this is my account directly from our Samba4 AD-DC, my
> uidNumber and gidNumber are within the "example" domain range we
> defined in smb.conf

I think I might know what the problem is, but first, you do not need these:

objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson

You have changed the primaryGroupID, why ?

Windows expects that every user's primary group is Domain Users and now it is whatever '2906' is, this is what I think your problem is. Samba also requires Domain Users, though to be honest I am unsure whether it requires the name or the numeric ID, but it looks like whichever it is that winbind does not like this.

Rowland
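The checks Rowland describes above (uidNumber and gidNumber inside the domain's idmap range rather than the '*' range, primaryGroupID pointing at Domain Users) can be run in bulk over an LDIF dump of the users. The script below is an added example for this thread, not code from the Samba project or from either poster; the LDIF input is a constructed sample in the shape ldbsearch prints, and the EXAMPLE/'*' ranges are assumptions modelled on the smb.conf layout under discussion, not the poster's real configuration.

```python
"""Audit AD user entries (LDIF, as printed by ldbsearch or ldapsearch)
against the idmap ranges a Samba domain member is configured with.

Added example for this thread; not Samba project code.  SAMPLE_LDIF is
constructed and IDMAP_RANGES are assumed values."""

DOMAIN_USERS_RID = 513  # primaryGroupID that Windows and Samba expect by default

# Assumed idmap layout, e.g. 'idmap config EXAMPLE : range = 500-399999'
# (backend = ad, IDs read from AD) and 'idmap config * : range = 400000-499999'
# (default backend, IDs allocated by winbind when AD has none).
IDMAP_RANGES = {
    "EXAMPLE": (500, 399999),
    "*": (400000, 499999),
}

# Constructed sample: one good account, one with an old primary group,
# one with no POSIX attributes at all.
SAMPLE_LDIF = """\
dn: CN=MAS Jean-Louis,OU=Users,DC=example,DC=com
sAMAccountName: jlmas
primaryGroupID: 513
uidNumber: 20025
gidNumber: 20000
unixHomeDirectory: /home/EXAMPLE/jlmas
loginShell: /bin/bash

dn: CN=Old Account,OU=Users,DC=example,DC=com
sAMAccountName: oldacct
primaryGroupID: 2906
uidNumber: 20030
gidNumber: 20000

dn: CN=No Posix,OU=Users,DC=example,DC=com
sAMAccountName: noposix
primaryGroupID: 513
"""


def parse_ldif(text):
    """Return one dict (attribute -> value) per blank-line separated entry.
    Handles the plain single-valued form only (no base64, no line folding)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def check_entry(entry, domain="EXAMPLE", ranges=IDMAP_RANGES):
    """Return a list of problem strings for one user entry; empty means OK."""
    problems = []
    lo, hi = ranges[domain]
    star_lo, star_hi = ranges["*"]
    name = entry.get("sAMAccountName", entry.get("dn", "?"))

    # Without these attributes winbind cannot use the 'ad' backend for the
    # user and falls back to allocating an ID from the '*' range.
    for attr in ("uidNumber", "gidNumber"):
        raw = entry.get(attr)
        if raw is None:
            problems.append(f"{name}: missing {attr}; winbind will allocate an ID "
                            f"from the '*' range {star_lo}-{star_hi}")
        elif not raw.isdigit() or not lo <= int(raw) <= hi:
            problems.append(f"{name}: {attr}={raw} outside {domain} range {lo}-{hi}")

    pgid = entry.get("primaryGroupID")
    if pgid != str(DOMAIN_USERS_RID):
        problems.append(f"{name}: primaryGroupID={pgid}, expected "
                        f"{DOMAIN_USERS_RID} (Domain Users)")

    # Not fatal, but explains a template home directory or shell in getent output.
    for attr in ("unixHomeDirectory", "loginShell"):
        if attr not in entry:
            problems.append(f"{name}: {attr} not set in AD; template value from smb.conf applies")
    return problems


def audit(text, domain="EXAMPLE"):
    """Map sAMAccountName -> list of problems for every entry in the LDIF text."""
    return {e.get("sAMAccountName"): check_entry(e, domain) for e in parse_ldif(text)}


if __name__ == "__main__":
    for user, probs in audit(SAMPLE_LDIF).items():
        print(user, "OK" if not probs else "")
        for p in probs:
            print("  -", p)
```

On a real domain member, feed it `ldbsearch --url=/var/lib/samba/private/sam.ldb -b <base DN> objectClass=user sAMAccountName primaryGroupID uidNumber gidNumber unixHomeDirectory loginShell` (or the ldapsearch equivalent) instead of the embedded sample, and set IDMAP_RANGES from the member's own smb.conf.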
MAS Jean-Louis
2020-Dec-18 14:15 UTC
[Samba] Users can't mount shares on a domain member file server
On 16/12/2020 at 18:25, Rowland penny via samba wrote:
> I think I might know what the problem is, but first, you do not need these:
>
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson

Those objectClasses provide a lot of attributes we currently use, mostly for our Linux users. If I delete them, I guess our users will not be able to connect to Linux servers, which are not part of our Samba domain but use our AD for authentication (with nslcd mappings).

> You have changed the primaryGroupID, why ?

Old accounts, such as mine, have been created like that; most of them have been changed to 'Domain Users' some time ago. Now my primaryGroupID is correct:

# ldbsearch --url=/var/lib/samba/private/sam.ldb -b dc=example,dc=com sAMAccountName=jlmas | grep primaryGroupID
primaryGroupID: 513

I checked our AD, and all our users have the right primaryGroupID.

> Windows expects that every user's primary group is Domain Users and now
> it is whatever '2906' is, this is what I think your problem is. Samba
> also requires Domain Users, though to be honest I am unsure whether it
> requires the name or the numeric ID, but it looks like whichever it is
> that winbind does not like this.

I have flushed the winbind cache.
Now uid and gid are OK, but unixHomeDirectory and loginShell are not:

$ getent passwd jlmas
jlmas:*:20025:20000:MAS Jean-Louis:/home/EXAMPLE/jlmas:/bin/false

I followed all the tips in the troubleshooting page:
https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting

The only wrong point came from 'net ads testjoin':

# net ads testjoin
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]: An invalid parameter was passed to a service or function.
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]: An invalid parameter was passed to a service or function.
Join to domain is not valid: An invalid parameter was passed to a service or function.

Same command with full debug (-d 10), we've got this just before the above logs:

gensec_update_done: gse_krb5[0x5642b959ab30]: NT_STATUS_INVALID_PARAMETER tevent_req[0x5642b95a6f70/../../source3/librpc/crypto/gse.c:843]: state[3] error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct gensec_gse_update_state (0x5642b95a7120)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:856]
gensec_spnego_create_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for ldap/our-ad.example.com failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
gensec_update_done: spnego[0x5642b95a2780]: NT_STATUS_INVALID_PARAMETER tevent_req[0x5642b95a73d0/../../auth/gensec/spnego.c:1631]: state[3] error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct gensec_spnego_update_state (0x5642b95a7580)] timer[(nil)] finish[../../auth/gensec/spnego.c:2038]

Regards
-- 
Jean Louis Mas