jd at ionica.lv
2015-Apr-07 06:14 UTC
[Samba] Samba as AD member can not validate domain user
Quoting Rowland Penny <rowlandpenny at googlemail.com>:

>> after assigning UNIX attributes to users and domain groups all of them have
>> uidNumbers and gidNumbers starting from 10000,
>> ldbsearch gives:
>> dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
>> objectSid: S-1-5-21-216404829-505555237-127066545-513
>> gidNumber: 10000
>>
>>> If you use the 'ad' backend, then giving your users a 'uidNumber'
>>> is not enough, you must give their primarygroup (Domain Users) a
>>> 'gidNumber' attribute.
>
>> all of the AD users are members of the Domain Users group now.
>
> what do you mean 'all of the AD users are members of the Domain
> Users group now.' ??
>
> I hope you haven't changed the users primaryGroupID attribute.

I assigned primary group to each domain user through UNIX attributes(?) in Windows (8.1) domain management tool, choosing INTERNAL as NIS realm.

> This is what I get when I run getent on one of my DCs:
>
> root at dc01:~# getent passwd rowland
> EXAMPLE\rowland:*:10000:10000:Rowland Penny:/home/EXAMPLE/rowland:/bin/bash

yes, I am getting similar:
username:*:10000:10000::/home/INTERNAL/username:/bin/false

Some questions related to this -

- can I have domain user's home directory kind of \\FS\home\username? As far as I understand, home directory /home/INTERNAL/username is not created automatically. I tried to create it by hand (and chown to 10000.10000) in order to see what's changing, but it remained empty.

- does the shell parameter play any role if all domain users are pure windows users?

- if the shell is set to /bin/bash, for example, is the domain user able to login to any Linux server's, which is domain member, shell?

> Hmm, if I run (on a member server):
>
> getent passwd EXAMPLE\\rowland
>
> I get:
>
> rowland:*:10000:10000::/home/rowland:/bin/bash

Yes, finally, I am getting similar now. I'll check later what effect it has overall.

Janis
Rowland Penny
2015-Apr-07 08:10 UTC
[Samba] Samba as AD member can not validate domain user
On 07/04/15 07:14, jd at ionica.lv wrote:
>
> Quoting Rowland Penny <rowlandpenny at googlemail.com>:
>
>>> after assigning UNIX attributes to users and domain groups all of
>>> them have
>>> uidNumbers and gidNumbers starting from 10000,
>>> ldbsearch gives:
>>> dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
>>> objectSid: S-1-5-21-216404829-505555237-127066545-513
>>> gidNumber: 10000
>>>
>>>> If you use the 'ad' backend, then giving your users a 'uidNumber'
>>>> is not enough, you must give their primarygroup (Domain Users) a
>>>> 'gidNumber' attribute.
>>
>>> all of the AD users are members of the Domain Users group now.
>>
>> what do you mean 'all of the AD users are members of the Domain Users
>> group now.' ??
>>
>> I hope you haven't changed the users primaryGroupID attribute.
>
> I assigned primary group to each domain user through UNIX
> attributes(?) in Windows (8.1) domain management tool, choosing
> INTERNAL as NIS realm.
>
>> This is what I get when I run getent on one of my DCs:
>>
>> root at dc01:~# getent passwd rowland
>> EXAMPLE\rowland:*:10000:10000:Rowland
>> Penny:/home/EXAMPLE/rowland:/bin/bash
>
> yes, I am getting similar:
> username:*:10000:10000::/home/INTERNAL/username:/bin/false
>
> Some questions related to this -
>
> - can I have domain user's home directory kind of \\FS\home\username?
> As far as I understand, home directory /home/INTERNAL/username is not
> created automatically. I tried to create it by hand (and chown to
> 10000.10000) in order to see what's changing, but it remained empty.
>
> - does the shell parameter play any role if all domain users are pure
> windows users?
>
> - if the shell is set to /bin/bash, for example, is the domain user
> able to login to any Linux server's, which is domain member, shell?

You only need the 'template' line if you intend to log into the DC

Rowland

>
>> Hmm, if I run (on a member server):
>>
>> getent passwd EXAMPLE\\rowland
>>
>> I get:
>>
>> rowland:*:10000:10000::/home/rowland:/bin/bash
>
> Yes, finally, I am getting similar now. I'll check later what effect
> it has overall.
>
> Janis
>
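The rule Rowland quotes above (with the winbind 'ad' backend a user's uidNumber is useless unless the user's primary group also carries a gidNumber) is easy to check mechanically. The script below is an added example, not code from the thread or from Samba: it parses ldbsearch-style LDIF text (the sample entries are constructed, modelled on the Domain Users record quoted in the thread; the staff/janis/bob entries and their RIDs are invented) and reports users whose primary group, resolved as domain SID plus primaryGroupID RID, has no gidNumber.

```python
# Added example (not from the thread, not Samba code): find AD users that
# have a uidNumber but whose primary group lacks a gidNumber. Such users are
# exactly the ones the winbind 'ad' backend refuses to map for getent.
import re

# Constructed sample in ldbsearch/LDIF form. Domain Users is copied from the
# thread; the other entries and RIDs are made up for illustration.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
objectSid: S-1-5-21-216404829-505555237-127066545-513
gidNumber: 10000

dn: CN=staff,CN=Users,DC=internal,DC=domain,DC=lv
objectSid: S-1-5-21-216404829-505555237-127066545-1105

dn: CN=janis,CN=Users,DC=internal,DC=domain,DC=lv
objectSid: S-1-5-21-216404829-505555237-127066545-1104
primaryGroupID: 513
uidNumber: 10001

dn: CN=bob,CN=Users,DC=internal,DC=domain,DC=lv
objectSid: S-1-5-21-216404829-505555237-127066545-1106
primaryGroupID: 1105
uidNumber: 10002
"""

def parse_ldif(text):
    """Split blank-line separated LDIF into dicts of single-valued attrs."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry[key] = value
        entries.append(entry)
    return entries

def primary_group_gaps(entries):
    """Return (user dn, group dn or None) for every user that has a
    uidNumber but whose primary group is missing or has no gidNumber."""
    by_sid = {e["objectSid"]: e for e in entries if "objectSid" in e}
    gaps = []
    for e in entries:
        if "uidNumber" not in e or "primaryGroupID" not in e:
            continue
        # primaryGroupID is only a RID; the group's SID is the user's
        # domain SID (everything before the last '-') plus that RID.
        domain_sid = e["objectSid"].rsplit("-", 1)[0]
        group = by_sid.get(f"{domain_sid}-{e['primaryGroupID']}")
        if group is None or "gidNumber" not in group:
            gaps.append((e["dn"], group["dn"] if group else None))
    return gaps

if __name__ == "__main__":
    for user_dn, group_dn in primary_group_gaps(parse_ldif(SAMPLE_LDIF)):
        print(f"{user_dn}: primary group {group_dn} has no gidNumber")
```

Feed it the output of an ldbsearch over the users and groups you care about and an empty result means every uidNumber-bearing user has a mappable primary group.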
jd at ionica.lv
2015-Apr-12 09:32 UTC
[Samba] Samba as AD member can not validate domain user
Hi!

the previous problems were solved (thank you, Rowland!), but a few issues remain: I get such msg in log:

0. Is it possible to tell samba to output messages in logs as one line per message (even if it is a long one)?

1. [2015/04/12 11:32:39.293583, 3] ../source3/smbd/msdfs.c:971(get_referred_path)
get_referred_path: |shareX| in dfs path \FS\shareX is not a dfs root.
(seems it is not making problems as access to other shares giving such error does not influence anything)

2. [2015/04/12 11:32:18.852138, 3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
string_to_sid: SID @INTERNAL\\group is not in a valid format

such messages I get after attempt to open a share (from smb.conf):

[shareX]
comment = What it serves
path = /home/shares/data/sharex
browseable = yes
read only = no
valid users = @"INTERNAL\\group"
force group = @"INTERNAL\\group"
force create mode = 0660
force directory mode = 0770

the directory is owned by a domain user, which is not the member of INTERNAL\\group, and group ownership of the dir is INTERNAL\\group. I do not understand why in that particular case it is important, because the other, working shares have the same domain user as owner, having their own specific domain group ownership. At the moment I have two non-working shares for the specific group and one - with Domain Users. In all cases Windows client argues that group name can not be found. If for the first two cases it could have some salt, for the other - not at all, because other shares accessible to Domain Users and having respective group ownership work. getent group INTERNAL\\group gives correct domain group information.
The other issue I have - if the user is not a member of particular domain group, but has the right to access the share, it is requested to enter username/pw, but can not access it anyway:

[shareY]
comment = Other share
path = /home/shares/data/shareY
browseable = yes
read only = no
valid users = @INTERNAL\\group1, @INTERNAL\\otheruser
force group = @INTERNAL\\group1
force create mode = 0660
force directory mode = 0770

Janis