On 26.10.2015 23:03, Rowland Penny wrote:
> On 26/10/15 21:38, Viktor Trojanovic wrote:
>> I joined a Samba AD member server (file server) to a Samba AD DC. This seems to have worked. However, if I try to access the file server from the domain administrator account on a Windows client, I am asked to provide authorization details. Since I have no other privileged users, I am using the domain admin credentials but they're not accepted.
>>
>> I'm not sure exactly where to look but I think the problem could be connected to the following: On my member server, the getent command does not yield any results. As per the recommendations on the "Samba Member Server Troubleshooting" page, I checked on the DC if the group Domain Users has a gidNumber. Well, it doesn't. Neither do my users have uidNumbers, though this, allegedly, is not such an issue.
>
> Yes it is, there is no point in adding a gidNumber to Domain Users if you are not going to give your Users a uidNumber.
>
> As far as how to add uidNumbers and gidNumbers, well firstly, do you need to? If your users are never going to actually log into the member server and this is your only Unix machine, you could use the winbind 'rid' backend; this will create the ID numbers on the fly.
> If you have more than one member server, or Unix clients, or want your users to log into the member server, you will probably be better off using the winbind 'ad' backend. To do this you will need to give your users a unique uidNumber and Domain Users (at least) a gidNumber. You can do this by using the ADUC UNIX Attributes tab, by writing your own script using an ldif, or by using something like the LDAP Account Manager (LAM).
>
> Rowland

Thanks again for helping, Rowland.

As I mentioned before, both the DC and the member server are Unix running Samba 4.3. The purpose of the member server is to act as file server, nothing more.

The clients are all Windows machines and users; they will never log in to one of the Unix systems directly. If they are able to access shares on the file server without having to log in, then I guess this 'rid' backend seems to be what I need. Correct? Can you give me some pointers on how to do that, or direct me to the documentation?

Though one has to wonder: there is a wiki on how to implement a Samba AD, and how to add a Samba Member Server. I followed the instructions step by step, for both, and now it turns out that the instructions for the member server are not made to fit the configuration of the DC? That's a bit discouraging.

Viktor
On 26/10/15 22:35, Viktor Trojanovic wrote:
>
> On 26.10.2015 23:03, Rowland Penny wrote:
>> On 26/10/15 21:38, Viktor Trojanovic wrote:
>>> I joined a Samba AD member server (file server) to a Samba AD DC. This seems to have worked. However, if I try to access the file server from the domain administrator account on a Windows client, I am asked to provide authorization details. Since I have no other privileged users, I am using the domain admin credentials but they're not accepted.
>>>
>>> I'm not sure exactly where to look but I think the problem could be connected to the following: On my member server, the getent command does not yield any results. As per the recommendations on the "Samba Member Server Troubleshooting" page, I checked on the DC if the group Domain Users has a gidNumber. Well, it doesn't. Neither do my users have uidNumbers, though this, allegedly, is not such an issue.
>>
>> Yes it is, there is no point in adding a gidNumber to Domain Users if you are not going to give your Users a uidNumber.
>>
>> As far as how to add uidNumbers and gidNumbers, well firstly, do you need to? If your users are never going to actually log into the member server and this is your only Unix machine, you could use the winbind 'rid' backend; this will create the ID numbers on the fly.
>> If you have more than one member server, or Unix clients, or want your users to log into the member server, you will probably be better off using the winbind 'ad' backend. To do this you will need to give your users a unique uidNumber and Domain Users (at least) a gidNumber. You can do this by using the ADUC UNIX Attributes tab, by writing your own script using an ldif, or by using something like the LDAP Account Manager (LAM).
>>
>> Rowland
> Thanks again for helping, Rowland.
>
> As I mentioned before, both the DC and the member server are Unix running Samba 4.3. The purpose of the member server is to act as file server, nothing more.
>
> The clients are all Windows machines and users; they will never log in to one of the Unix systems directly. If they are able to access shares on the file server without having to log in, then I guess this 'rid' backend seems to be what I need. Correct? Can you give me some pointers on how to do that, or direct me to the documentation?
>
> Though one has to wonder: there is a wiki on how to implement a Samba AD, and how to add a Samba Member Server. I followed the instructions step by step, for both, and now it turns out that the instructions for the member server are not made to fit the configuration of the DC? That's a bit discouraging.
>
> Viktor

The main problem is that idmap.ldb on the DC will allocate an xidNumber to a user in the '3000000' range; this xidNumber is used for the user's uidNumber. If you use the DC as a fileserver and a user stores something on the DC and you were to examine the permissions, you will find that it doesn't belong to a user but to a number. This gets worse: if you have two DCs, you can and probably will get different numbers on each DC. Now this is not a problem until you do something like copy the file from one DC to the other; the file could then belong to another user. This can also happen with a member server.

If you use a member server and do not want your users to log into it, you can use the winbind 'rid' backend. This will allocate UID numbers to your users using an algorithm based on the user's RID; this also has the effect of creating the same UID on every member server.

If you need to use the DC as a fileserver, then I would advise the use of the winbind 'ad' backend. Using this, your users will get the same UID everywhere, as the user's UID is stored in AD using the uidNumber attribute.

To add uidNumber & gidNumber attributes to AD is fairly simple; you can do it using ADUC, or by writing your own script around an ldif.

To use the winbind 'rid' backend, see here:
https://wiki.samba.org/index.php/Idmap_config_rid

Rowland
On 27.10.2015 09:05, Rowland Penny wrote:
> On 26/10/15 22:35, Viktor Trojanovic wrote:
>>
>> On 26.10.2015 23:03, Rowland Penny wrote:
>>> On 26/10/15 21:38, Viktor Trojanovic wrote:
>>>> I joined a Samba AD member server (file server) to a Samba AD DC. This seems to have worked. However, if I try to access the file server from the domain administrator account on a Windows client, I am asked to provide authorization details. Since I have no other privileged users, I am using the domain admin credentials but they're not accepted.
>>>>
>>>> I'm not sure exactly where to look but I think the problem could be connected to the following: On my member server, the getent command does not yield any results. As per the recommendations on the "Samba Member Server Troubleshooting" page, I checked on the DC if the group Domain Users has a gidNumber. Well, it doesn't. Neither do my users have uidNumbers, though this, allegedly, is not such an issue.
>>>
>>> Yes it is, there is no point in adding a gidNumber to Domain Users if you are not going to give your Users a uidNumber.
>>>
>>> As far as how to add uidNumbers and gidNumbers, well firstly, do you need to? If your users are never going to actually log into the member server and this is your only Unix machine, you could use the winbind 'rid' backend; this will create the ID numbers on the fly.
>>> If you have more than one member server, or Unix clients, or want your users to log into the member server, you will probably be better off using the winbind 'ad' backend. To do this you will need to give your users a unique uidNumber and Domain Users (at least) a gidNumber. You can do this by using the ADUC UNIX Attributes tab, by writing your own script using an ldif, or by using something like the LDAP Account Manager (LAM).
>>>
>>> Rowland
>> Thanks again for helping, Rowland.
>>
>> As I mentioned before, both the DC and the member server are Unix running Samba 4.3. The purpose of the member server is to act as file server, nothing more.
>>
>> The clients are all Windows machines and users; they will never log in to one of the Unix systems directly. If they are able to access shares on the file server without having to log in, then I guess this 'rid' backend seems to be what I need. Correct? Can you give me some pointers on how to do that, or direct me to the documentation?
>>
>> Though one has to wonder: there is a wiki on how to implement a Samba AD, and how to add a Samba Member Server. I followed the instructions step by step, for both, and now it turns out that the instructions for the member server are not made to fit the configuration of the DC? That's a bit discouraging.
>>
>> Viktor
>
> The main problem is that idmap.ldb on the DC will allocate an xidNumber to a user in the '3000000' range; this xidNumber is used for the user's uidNumber. If you use the DC as a fileserver and a user stores something on the DC and you were to examine the permissions, you will find that it doesn't belong to a user but to a number. This gets worse: if you have two DCs, you can and probably will get different numbers on each DC. Now this is not a problem until you do something like copy the file from one DC to the other; the file could then belong to another user. This can also happen with a member server.
>
> If you use a member server and do not want your users to log into it, you can use the winbind 'rid' backend. This will allocate UID numbers to your users using an algorithm based on the user's RID; this also has the effect of creating the same UID on every member server.
>
> If you need to use the DC as a fileserver, then I would advise the use of the winbind 'ad' backend. Using this, your users will get the same UID everywhere, as the user's UID is stored in AD using the uidNumber attribute.
>
> To add uidNumber & gidNumber attributes to AD is fairly simple; you can do it using ADUC, or by writing your own script around an ldif.
>
> To use the winbind 'rid' backend, see here:
> https://wiki.samba.org/index.php/Idmap_config_rid
>
> Rowland
>

Thanks a lot for this very valuable information, this all became a lot clearer now.

I am currently just doing a lab setup with a very small AD (5 users, 1 OU, just the standard groups), so I want to try both variations, starting with the ad (rfc2307) backend, and I already have some questions.

I'm using Win10 RSAT, so I don't have the "Unix Attributes" tab but I can still modify the attributes manually in the "Attributes" tab. I understand how to change the attributes but I'm not clear on which values to use. The wiki says that "by default, ADUC starts assigning UIDs and GIDs at 10000". I haven't changed those defaults anywhere so this is what must apply for my AD. But I don't understand how ADUC "assigns" anything. It seems that I have to manually choose which values to enter, and I'm not being restricted. So, I'm worried I will break something if I make a mistake here.

For example, I gave the admin account a UID of 10000 and my Domain Users group a GID of 10000. Was that the right thing to do? And where do I go from here? Because I'm further confused by the sentence in the wiki "Every time a UID/GID is assigned using ADUC, the next UID/GID is stored inside the AD". So, this sounds like there has to be a strict rule about which number comes next.

By the way, is there a way that the server could just handle these assignments automatically for me? Or is this the ldif script you were mentioning that I would have to write myself?
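Added here as an illustration, not code from the thread, from Samba or from the wiki: a small Python script that (a) reproduces the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID behind Rowland's point that the 'rid' backend yields the same UID on every member server, and (b) generates the kind of LDIF that assigns uidNumber/gidNumber for the 'ad' backend, the "script around an ldif" Viktor asks about. The domain SID, RIDs, the 10000-999999 range, user CNs, the CN=Users layout and the base DN are constructed sample values.

```python
import re

# Constructed sample idmap range, as one would set in smb.conf with
#   idmap config SAMDOM : backend = rid
#   idmap config SAMDOM : range = 10000-999999
LOW_ID, HIGH_ID = 10000, 999999
BASE_RID = 0  # idmap_rid's base_rid option defaults to 0


def rid_from_sid(sid: str) -> int:
    """Return the RID (last sub-authority) of a domain SID S-1-5-21-x-y-z-RID."""
    m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return int(m.group(1))


def rid_backend_id(sid: str, low=LOW_ID, high=HIGH_ID, base_rid=BASE_RID):
    """UID/GID the winbind 'rid' backend derives from a SID:
    ID = RID - BASE_RID + LOW_RANGE_ID. The result depends only on the SID
    and the configured range, so every member server using the same range
    computes the same number. SIDs whose ID falls outside the range are
    unmappable; None models that case."""
    xid = rid_from_sid(sid) - base_rid + low
    return xid if low <= xid <= high else None


def ldif_assign_ids(user_cns, base_dn, first_uid=10000, domain_users_gid=10000):
    """Build LDIF modify operations giving each user a unique uidNumber and
    the Domain Users group a gidNumber, the minimum the 'ad' backend needs.
    Users are assumed to live under CN=Users (constructed layout). uidNumber
    and gidNumber are separate POSIX namespaces, so both may start at 10000."""
    out = []
    for offset, cn in enumerate(user_cns):
        out.append(f"dn: CN={cn},CN=Users,{base_dn}\n"
                   "changetype: modify\nadd: uidNumber\n"
                   f"uidNumber: {first_uid + offset}\n")
    out.append(f"dn: CN=Domain Users,CN=Users,{base_dn}\n"
               "changetype: modify\nadd: gidNumber\n"
               f"gidNumber: {domain_users_gid}\n")
    return "\n".join(out)


if __name__ == "__main__":
    dom = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
    print("Administrator (RID 500) ->", rid_backend_id(f"{dom}-500"))
    print("Domain Users (RID 513)  ->", rid_backend_id(f"{dom}-513"))
    print(ldif_assign_ids(["Alice Example", "Bob Example"],
                          "DC=samdom,DC=example,DC=com"))
```

The generated LDIF is meant for review before feeding it to an LDAP modify tool; a real script would read the user list from the directory rather than from a literal.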