samba - Jan 2015 - W7 client cannot adjust file permissions via ADUC

On 30/01/15 20:48, Bob of Donelson Trophy wrote:
>   
>
> Okay, added 'gidNumber: 10000' to the domain users group on DC1.
(Was
> within my range 500-40000.)
>
> getnet passwd [user] returns nothing on DC1.
>
> W7 client still a "no".
>
> And now?
>
>
Have you tried getent on the member server ?

Lets forget W7 for the moment, get the Unix side working and then go to W7.

If I run getent on the DC I get this:

root at dc01:~# getent passwd rowland
EXAMPLE\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/bash

So lets check a few files:

/etc/resolv.conf should point to itself, I use

search example.com
nameserver 127.0.0.1

/etc/krb5.conf should contain this:

[libdefaults]
         default_realm = EXAMPLE.COM
         dns_lookup_realm = false
         dns_lookup_kdc = true

/etc/nsswitch.conf

should have these two lines set like this:

passwd:         compat winbind
group:          compat winbind

Finally can you run:

pam-auth-update

I have these enabled.

  Kerberos authentication
  Unix authentication
  Winbind NT/Active Directory authentication
  GNOME Keyring Daemon - Login keyring management
  ConsoleKit Session Management
  Inheritable Capabilities Management

Rowland

Both DC1 and member server return nothing on 'getent passwd
Administrator' 

I have no other users other than 'root' and 'Administrator' on
all three
(DC1, DC2 & member.) 

My plan was to get file permissions (aka profiles) working and add some
test users. 

How do I add test users via linux side? (I'm with you, get linux side
working first.) 

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-01-30 15:12, Rowland Penny wrote: 
> On 30/01/15 20:48, Bob of Donelson Trophy wrote:
> 
>> Okay, added 'gidNumber: 10000' to the domain users group on
DC1. (Was within my range 500-40000.) getnet passwd [user] returns nothing on
DC1. W7 client still a "no". And now?
> 
> Have you tried getent on the member server ?
> 
> Lets forget W7 for the moment, get the Unix side working and then go to W7.
> 
> If I run getent on the DC I get this:
> 
> root at dc01:~# getent passwd rowland
> EXAMPLErowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/bash
> 
> So lets check a few files:
> 
> /etc/resolv.conf should point to itself, I use
> 
> search example.com
> nameserver 127.0.0.1
> 
> /etc/krb5.conf should contain this:
> 
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> 
> /etc/nsswitch.conf
> 
> should have these two lines set like this:
> 
> passwd: compat winbind
> group: compat winbind
> 
> Finally can you run:
> 
> pam-auth-update
> 
> I have these enabled.
> 
> Kerberos authentication
> Unix authentication
> Winbind NT/Active Directory authentication
> GNOME Keyring Daemon - Login keyring management
> ConsoleKit Session Management
> Inheritable Capabilities Management
> 
> Rowland
 

Links:
------
[1] http://www.donelsontrophy.com

On 30/01/15 21:19, Bob of Donelson Trophy wrote:
>   
>
> Both DC1 and member server return nothing on 'getent passwd
> Administrator'
>
> I have no other users other than 'root' and 'Administrator'
on all three
> (DC1, DC2 & member.)
>
> My plan was to get file permissions (aka profiles) working and add some
> test users.
>
> How do I add test users via linux side? (I'm with you, get linux side
> working first.)
>
> ---
>
> -------------------------
>
> Bob Wooden of Donelson Trophy
>
> 615.885.2846 (main)
> www.donelsontrophy.com [1]
>
> "Everyone deserves an award!!"
>
> On 2015-01-30 15:12, Rowland Penny wrote:
>
>> On 30/01/15 20:48, Bob of Donelson Trophy wrote:
>>
>>> Okay, added 'gidNumber: 10000' to the domain users group on
DC1. (Was within my range 500-40000.) getnet passwd [user] returns nothing on
DC1. W7 client still a "no". And now?
>> Have you tried getent on the member server ?
>>
>> Lets forget W7 for the moment, get the Unix side working and then go to
W7.
>>
>> If I run getent on the DC I get this:
>>
>> root at dc01:~# getent passwd rowland
>> EXAMPLErowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/bash
>>
>> So lets check a few files:
>>
>> /etc/resolv.conf should point to itself, I use
>>
>> search example.com
>> nameserver 127.0.0.1
>>
>> /etc/krb5.conf should contain this:
>>
>> [libdefaults]
>> default_realm = EXAMPLE.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> /etc/nsswitch.conf
>>
>> should have these two lines set like this:
>>
>> passwd: compat winbind
>> group: compat winbind
>>
>> Finally can you run:
>>
>> pam-auth-update
>>
>> I have these enabled.
>>
>> Kerberos authentication
>> Unix authentication
>> Winbind NT/Active Directory authentication
>> GNOME Keyring Daemon - Login keyring management
>> ConsoleKit Session Management
>> Inheritable Capabilities Management
>>
>> Rowland
>   
>
> Links:
> ------
> [1] http://www.donelsontrophy.com
OK, you do it with samba-tool on the DC:

if you run samba-tool user add --help, you will get a list of the 
available options, trouble is, you need samba-tool from 4.2rc4 and you 
need to patch this with Marc's patches to get all the Unix attributes

So, I have attached the required files:

samdb.py
user.py
addunixuser

The first two go here:
/usr/share/pyshared/samba/samdb.py
/usr/share/pyshared/samba/netcmd/user.py

the last is a bash script I wrote myself, put this in /usr/sbin/
Make it executable: chmod 0755 /usr/sbin/addunixuser

Run it :
addunixuser

it will print the usage instructions :-)

I am (over the weekend) going to set up a couple of VM's and install a 
DC and a member server using Louis's scripts, your problems are 
beginning to bug me (no disrespect to yourself) it should be easier than 
this :-D

Rowland
Rowland