Rowland Penny
2015-Apr-12 11:49 UTC
[Samba] Samba as AD member can not validate domain user
On 12/04/15 11:19, jd at ionica.lv wrote:
>
> Quoting jd at ionica.lv:
>
>> Hi!
>>
>> the previous problems were solved (thank you, Rowland!), but a few
>> issues remain:
>>
>> I get such msg in log:
>> 0. Is it possible to tell samba to output messages in logs as one
>> line per message (even if it is long one?)
>>
>> 1. 2015/04/12 11:32:39.293583, 3]
>> ../source3/smbd/msdfs.c:971(get_referred_path)
>> get_referred_path: |shareX| in dfs path \FS\shareX is not a dfs root.
>> (seems it is not making problems as access to other shares giving
>> such error not influences anything)
>>
>>
>> 2. 2015/04/12 11:32:18.852138, 3]
>> ../libcli/security/dom_sid.c:209(dom_sid_parse_endp) string_to_sid:
>> SID @INTERNAL\\group is not in a valid format
>>
>> such messages I get after attempt to open a share (from smb.conf):
>> [shareX]
>> comment = What it serves
>> path = /home/shares/data/sharex
>> browseable = yes
>> read only = no
>> valid users = @"INTERNAL\\group"
>> force group = @"INTERNAL\\group"
>> force create mode = 0660
>> force directory mode = 0770
>
> SOLVED:
>
> the line valid users should look as such:
> valid users = @INTERNAL\\group
>
> That one remains
>
>> The other issue I have - if the user is not a member of particular
>> domain group, but has the right to access the share, it is requested
>> to enter username/pw, but can not access it anyway:
>>
>> [shareY]
>> comment = Other share
>> path=/home/shares/data/shareY
>> browseable = yes
>> read only = no
>> valid users = @INTERNAL\\group1, @INTERNAL\\otheruser
>> force group = @INTERNAL\\group1
>> force create mode = 0660
>> force directory mode = 0770
>
> I found one additional problem - when I request Domain Users group
> information, no users are listed
>
> getent group "INTERNAL\\Domain Users" returns plain
> domain_users:x:10000:
> the same goes on DC.
>
> Do I need to create alternative Domain Users group?
>
>

No, "INTERNAL\\Domain Users" is the same group as 'domain_users', you probably have 'winbind normalize names = Yes' in smb.conf

Rowland
jd at ionica.lv
2015-Apr-13 12:40 UTC
[Samba] Samba as AD member can not validate domain user
Quoting Rowland Penny <rowlandpenny at googlemail.com>:

>> I found one additional problem - when I request Domain Users group
>> information, no users are listed
>>
>> getent group "INTERNAL\\Domain Users" returns plain
>> domain_users:x:10000:
>> the same goes on DC.
>>
>> Do I need to create alternative Domain Users group?
>>
>>
> No, "INTERNAL\\Domain Users" is the same group as 'domain_users',
> you probably have 'winbind normalize names = Yes' in smb.conf

it is strange, because
getent group "INTERNAL\\Domain Admins"
returns what is expected - gid and list of persons in the group

Janis
Rowland Penny
2015-Apr-13 13:30 UTC
[Samba] Samba as AD member can not validate domain user
On 13/04/15 13:40, jd at ionica.lv wrote:
>
> Quoting Rowland Penny <rowlandpenny at googlemail.com>:
>
>>> I found one additional problem - when I request Domain Users group
>>> information, no users are listed
>>>
>>> getent group "INTERNAL\\Domain Users" returns plain
>>> domain_users:x:10000:
>>> the same goes on DC.
>>>
>>> Do I need to create alternative Domain Users group?
>>>
>>>
>> No, "INTERNAL\\Domain Users" is the same group as 'domain_users', you
>> probably have 'winbind normalize names = Yes' in smb.conf
>
> it is strange, because
> getent group "INTERNAL\\Domain Admins"
> returns what is expected - gid and list of persons in the group
>
> Janis
>

No, not strange, just the way you have formatted the getent command, this is what I get on my laptop with different formatting:

rowland@ThinkPad ~ $ getent group "EXAMPLE\\Domain Admins"
domain_admins:x:10002:s4admin,administrator
rowland@ThinkPad ~ $ getent group EXAMPLE\\Domain\ Admins
domain_admins:x:10002:s4admin,administrator
rowland@ThinkPad ~ $ getent group EXAMPLE\\domain_admins
domain_admins:x:10002:s4admin,administrator
rowland@ThinkPad ~ $ getent group domain_admins
domain_admins:x:10002:s4admin,administrator

The same commands on a DC:

root@dc01:~# getent group "EXAMPLE\\Domain Admins"
EXAMPLE\Domain Admins:*:10002:
root@dc01:~# getent group EXAMPLE\\Domain\ Admins
EXAMPLE\Domain Admins:*:10002:
root@dc01:~# getent group EXAMPLE\\domain_admins
root@dc01:~# getent group domain_admins

As you can see, it differs between the two machines, you cannot seem to 'normalise' the group names on a Samba AD DC.

Rowland