Tovey, Mark
2015-Oct-09 19:31 UTC
[Samba] Make a share owned by a service account available to members of an AD group
The only way it seems to work is if I do have both the local and AD user with
the same name. But my goal here is to not require that, to have the AD account
only.
I have applied Unix attributes to the users. testuser uidNumber = 30089 and
gidNumber = 100. However, when I try to query with wbinfo, I was unable to look
that up:
wbinfo -i "DEVELOPMENT\testuser"
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
I get the same result regardless of if the account is in the local passwd
file or not.
I switched to “rid” and now I can successfully query for the testuser
account:
wbinfo -i "DEVELOPMENT\testuser"
testuser:*:36385:30513::/home/testuser:/bin/bash
but the uidNumber and gidNumber do not match what is in AD. And it still
will not allow the testuser account to map the share unless the account exists
in the local passwd file. It is getting the password from AD, but only if the
account exists in the local system too.
-Mark
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389
________________________________________________________________
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Friday, October 9, 2015 11:36 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to
members of an AD group
On 09/10/15 18:54, Tovey, Mark wrote:
>
> Got it. I changed that section as follows:
>
> idmap config *:backend = tdb
>
> idmap config *:range = 5000-29999
>
> idmap config DEVELOPMENT:backend = ad
>
> idmap config DEVELOPMENT:schema_mode = rfc2307
>
> idmap config DEVELOPMENT:range = 30000-99999
>
> It did not change the “map to guest = Bad Uid” issue, however.
> The error I see in the log file is “check_ntlm_password:
> Authentication for user [testuser] -> [testuser] FAILED with error
> NT_STATUS_NO_SUCH_USER”. If I add the testuser account to the Linux
> system’s passwd file, then I see “check_ntlm_password: authentication
> for user [testuser] -> [testuser] -> [testuser] succeeded”. The
> testuser account does not have a password on the Linux system, the
> password exists only in the AD system. So, I am able to map the share
> to my workstation using the testuser account only when the testuser
> account exists in both the AD system and the Linux system, which is
> what I am trying to avoid. I want to have the testuser account be in
> the AD system only.
>
> The documentation for “map to guest = Bad Uid” states: “user
> logins which are successfully authenticated but which have no valid
> Unix user account should be mapped to the defined guest account.” The
> guest account is set to “nobody” and it does exist in the passwd file,
> but the mapping does not seem to be occurring. Am I misunderstanding
> the meaning here? Or perhaps how the guest account functions?
>
> -Mark
>
> ________________________________________________________________
>
> Mark Tovey - UNIX Engineer | Service Strategy & Design
>
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>
> MTovey at go2uti.com | O / C +1 503 953-1389
>
You cannot have a local user and an AD user with the same name, so I would
suggest removing the local user. I know you have set up the 'ad'
backend in smb.conf but have you given any of your users a uidNumber attribute
(and Domain Users a gidNumber)? These numbers need to be inside the range set
in your smb.conf. If you haven't done this, then either do so, or change
this line 'idmap config DEVELOPMENT:backend = ad' to 'idmap config
DEVELOPMENT:backend = rid'
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
John Yocum
2015-Oct-09 19:36 UTC
[Samba] Make a share owned by a service account available to members of an AD group
On 10/09/2015 12:31 PM, Tovey, Mark wrote:
> The only way it seems to work is if I do have both the local and AD user with
> the same name. But my goal here is to not require that, to have the AD account
> only.
> I have applied Unix attributes to the users. testuser uidNumber = 30089 and
> gidNumber = 100. However, when I try to query with wbinfo, I was unable to look
> that up:
>
> wbinfo -i "DEVELOPMENT\testuser"
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>
> I get the same result regardless of if the account is in the local passwd
> file or not.
> I switched to “rid” and now I can successfully query for the testuser
> account:
>
> wbinfo -i "DEVELOPMENT\testuser"
> testuser:*:36385:30513::/home/testuser:/bin/bash
>
> but the uidNumber and gidNumber do not match what is in AD. And it still
> will not allow the testuser account to map the share unless the account exists
> in the local passwd file. It is getting the password from AD, but only if the
> account exists in the local system too.
> -Mark
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> MTovey at go2uti.com | O / C +1 503 953-1389
>
Do you have winbind listed in your nsswitch.conf? If not, you'll need that
so the OS itself will see the AD users.
--
John Yocum, Systems Administrator, DEOHS
Rowland Penny
2015-Oct-09 19:56 UTC
[Samba] Make a share owned by a service account available to members of an AD group
On 09/10/15 20:31, Tovey, Mark wrote:
> The only way it seems to work is if I do have both the local and AD user with
> the same name. But my goal here is to not require that, to have the AD account
> only.
To do what you want you need to use winbind (other ways of doing it are
available, but this is the samba mailing list) and then use either the
'ad' or 'rid' backend, this way your AD users become Unix users.
> I have applied Unix attributes to the users. testuser uidNumber = 30089 and
> gidNumber = 100. However, when I try to query with wbinfo, I was unable to look
> that up:
>
> wbinfo -i "DEVELOPMENT\testuser"
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Two things, have you added a gidNumber to Domain Users? (do not use 100, this
is the Unix users group and is outside the range set in smb.conf) and you
should be using getent not wbinfo. wbinfo works directly on winbind, getent
doesn't, try 'getent passwd testuser'
>
> I get the same result regardless of if the account is in the local passwd
> file or not.
> I switched to “rid” and now I can successfully query for the testuser
> account:
>
> wbinfo -i "DEVELOPMENT\testuser"
> testuser:*:36385:30513::/home/testuser:/bin/bash
>
> but the uidNumber and gidNumber do not match what is in AD.
Using the 'rid' backend it never will, this is the beauty behind the 'ad'
backend, you set the user's uidNumber in AD and you will get that number
everywhere, but you also need to give Domain Users a gidNumber or winbind will
not work. Whatever numbers you use *must* be inside the range you set in
smb.conf i.e. if you have 'idmap config EXAMPLE:range = 10000-99999', your
numbers must be above 9999 but below 100000.
> And it still will not allow the testuser account to map the share unless the
> account exists in the local passwd file. It is getting the password from AD,
> but only if the account exists in the local system too.
You need to remove any local users that you want to be in AD (oh and don't
try and get creative and put Unix system users in AD, they belong in
/etc/passwd), run 'net cache flush', run 'getent passwd <ADuser>' (replace
<ADuser> with an AD username that has a uidNumber), if this returns the
user's details, you should then be able to chown the share to belong to the
user.
Once you have got this far, I would suggest reading more on the samba wiki,
especially about creating shares and setting the ACLs
Rowland
> -Mark
>
>
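The prerequisites Rowland lists (uidNumber and the primary gidNumber inside the domain's idmap range rather than on gid 100, and winbind present in nsswitch.conf so getent can reach AD) as an added shell check. This is not from the thread or from Samba itself; the smb.conf and nsswitch.conf contents below are constructed samples modelled on the idmap section Mark posted.

```shell
#!/bin/sh
# Constructed stand-ins for /etc/samba/smb.conf and /etc/nsswitch.conf,
# modelled on the idmap section posted in the thread.
SMBCONF=$(mktemp); NSSWITCH=$(mktemp)
cat >"$SMBCONF" <<'EOF'
[global]
   idmap config *:backend = tdb
   idmap config *:range = 5000-29999
   idmap config DEVELOPMENT:backend = ad
   idmap config DEVELOPMENT:schema_mode = rfc2307
   idmap config DEVELOPMENT:range = 30000-99999
EOF
cat >"$NSSWITCH" <<'EOF'
passwd:  files winbind
shadow:  files
group:   files winbind
EOF

# Print the idmap range configured for domain $2 in smb.conf $1 (e.g. 30000-99999).
idmap_range() {
  sed -n "s/^[[:space:]]*idmap config[[:space:]]*$2[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*//p" "$1" | tr -d '[:space:]'
}

# Succeed if numeric id $1 lies inside range $2 given as LOW-HIGH.
id_in_range() {
  lo=${2%-*}; hi=${2#*-}
  [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# Succeed if NSS database $2 (passwd, group, shadow) lists winbind in nsswitch file $1.
nss_has_winbind() {
  grep -E "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|$)" "$1" >/dev/null
}

# Check an AD account's uidNumber ($4) and primary gidNumber ($5) against the
# idmap range for domain $3, and that NSS will consult winbind at all.
# Returns the number of failed checks, so 0 means the mapping can work.
check_ad_identity() {
  fails=0
  range=$(idmap_range "$1" "$3")
  for idn in "$4" "$5"; do
    if id_in_range "$idn" "$range"; then echo "ok:   $idn is inside $3 range $range"
    else echo "FAIL: $idn is outside $3 range $range"; fails=$((fails+1)); fi
  done
  for db in passwd group; do
    if nss_has_winbind "$2" "$db"; then echo "ok:   nsswitch $db consults winbind"
    else echo "FAIL: nsswitch $db does not list winbind"; fails=$((fails+1)); fi
  done
  return "$fails"
}

# testuser as first posted: uidNumber 30089, gidNumber 100 (Domain Users left on gid 100).
check_ad_identity "$SMBCONF" "$NSSWITCH" DEVELOPMENT 30089 100 || echo "mapping cannot work yet: $? failed check(s)"
```

Point SMBCONF and NSSWITCH at the real files to run the same checks on a live member server; the gid 100 case reproduces the failure Rowland describes.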
Tovey, Mark
2015-Oct-09 19:57 UTC
[Samba] Make a share owned by a service account available to members of an AD group
No joy. I added winbind to the passwd, shadow, and group lines and it is still
not working. I also switched back to ad instead of rid (I deleted the Samba
database files in /var/lib/samba and rejoined the domain when I switched), and
still the same. If the account exists locally I can authenticate against AD and
map the share. No local account and it fails.
-Mark
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of John Yocum
Sent: Friday, October 9, 2015 12:37 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to
members of an AD group
On 10/09/2015 12:31 PM, Tovey, Mark wrote:
> The only way it seems to work is if I do have both the local and AD
user with the same name. But my goal here is to not require that, to have the
AD account only.
> I have applied Unix attributes to the users. testuser uidNumber =
30089 and gidNumber = 100. However, when I try to query with wbinfo, I was
unable to look that up:
>
> wbinfo -i "DEVELOPMENT\testuser"
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>
> I get the same result regardless of if the account is in the local
passwd file or not.
> I switched to “rid” and now I can successfully query for the testuser
account:
>
> wbinfo -i "DEVELOPMENT\testuser"
> testuser:*:36385:30513::/home/testuser:/bin/bash
>
> but the uidNumber and gidNumber do not match what is in AD. And it
still will not allow the testuser account to map the share unless the account
exists in the local passwd file. It is getting the password from AD, but only
if the account exists in the local system too.
> -Mark
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW
> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> MTovey at go2uti.com | O / C +1 503 953-1389
>
Do you have winbind listed in your nsswitch.conf? If not, you'll need that
so the OS itself will see the AD users.
--
John Yocum, Systems Administrator, DEOHS
Tovey, Mark
2015-Oct-09 21:22 UTC
[Samba] Make a share owned by a service account available to members of an AD group
So I made the primary group for the testuser account be smbgrp, and its
gidNumber is 30124. Still nothing. "getent passwd testuser" returns
nothing unless testuser is in the local passwd file, and then it returns the
attributes that are in the passwd file, not the AD system.
Some time ago I put together a configuration that uses Linux SSSD to
communicate with AD. That allows us to store user account information in AD and
authenticate against that. No local account information is necessary. It works
and does it quite well, but it is a bear to manage, so I try to avoid it (I am
planning on switching to an IPA based system instead of my roll-your-own
system).
I was trying to build this Samba system independent of my SSSD system, but I
am wondering if I need to put that between Samba and AD. That way Samba
won't know that it is using AD in the background and will just be using
local authentication mechanisms.
Does anyone have any experience using Samba in conjunction with SSSD and can
offer any advice there?
-Mark
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Friday, October 9, 2015 12:57 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to
members of an AD group
On 09/10/15 20:31, Tovey, Mark wrote:
> The only way it seems to work is if I do have both the local and AD
user with the same name. But my goal here is to not require that, to have the
AD account only.
To do what you want you need to use winbind (other ways of doing it are
available, but this is the samba mailing list) and then use either the
'ad' or 'rid' backend, this way your AD users become Unix users.
> I have applied Unix attributes to the users. testuser uidNumber =
30089 and gidNumber = 100. However, when I try to query with wbinfo, I was
unable to look that up:
>
> wbinfo -i "DEVELOPMENT\testuser"
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Two things, have you added a gidNumber to Domain Users? (do not use 100, this
is the Unix users group and is outside the range set in
smb.conf) and you should be using getent not wbinfo. wbinfo works directly on
winbind, getent doesn't, try 'getent passwd testuser'
>
> I get the same result regardless of if the account is in the local
passwd file or not.
> I switched to “rid” and now I can successfully query for the testuser
account:
>
> wbinfo -i "DEVELOPMENT\testuser"
> testuser:*:36385:30513::/home/testuser:/bin/bash
>
> but the uidNumber and gidNumber do not match what is in AD.
Using the 'rid' backend it never will, this is the beauty behind the
'ad' backend, you set the user's uidNumber in AD and you will get that
number everywhere, but you also need to give Domain Users a gidNumber or winbind
will not work. Whatever numbers you use *must* be inside the range you set in
smb.conf i.e. if you have 'idmap config EXAMPLE:range = 10000-99999',
your numbers must be above 9999 but below 100000.
> And it still will not allow the testuser account to map the share unless
the account exists in the local passwd file. It is getting the password from
AD, but only if the account exists in the local system too.
You need to remove any local users that you want to be in AD (oh and don't
try and get creative and put Unix system users in AD, they belong in
/etc/passwd), run 'net cache flush', run 'getent passwd <ADuser>'
(replace <ADuser> with an AD username that has a uidNumber), if this
returns the user's details, you should then be able to chown the share to belong
to the user.
Once you have got this far, I would suggest reading more on the samba wiki,
especially about creating shares and setting the ACLs
Rowland
> -Mark
>
>