Jeff Dickens
2015-Nov-17 23:09 UTC
[Samba] Cannot chown file to active directory user/group on member server
So I am still stuck. For reference here is the smb.conf on the member server:

root at florence:~# more /etc/samba/smb.conf
[global]

    netbios name = FLORENCE
    security = ADS
    workgroup = IOL
    realm = IOL.SEAMANPAPER.COM

    log file = /var/log/samba/%m.log
    log level = 1

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = yes

    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

    # idmap config used for your domain.
    # Choose one of the following backends fitting to your
    # requirements and add the corresponding configuration.
    # idmap config ad
    # - idmap config rid
    # - idmap config autorid
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config IOL:backend = ad
    idmap config IOL:schema_mode = rfc2307
    idmap config IOL:range = 1000000-9999999

    winbind nss info = rfc2307

[home]
    path=/home/
    read only = No

I increased the range because it seems like the DC is using IDs above 1,000,000.

This is on the DC:

root at athens:~# wbinfo -u
administrator
test1
krbtgt
guest
root at athens:~# wbinfo -i administrator
administrator:*:0:100::/home/IOL/administrator:/bin/false
root at athens:~# wbinfo -i test1
test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
root at athens:~#

And on the member server:

root at florence:~# wbinfo -u
administrator
test1
krbtgt
guest
root at florence:~# wbinfo -i administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator
root at florence:~# wbinfo -i test1
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test1
root at florence:~#

Also:

root at florence:~# wbinfo -n test1
S-1-5-21-870066441-3049097475-1009130827-1105 SID_USER (1)
root at florence:~# wbinfo -n administrator
S-1-5-21-870066441-3049097475-1009130827-500 SID_USER (1)

Thought it might have something to do with the fact that the Kerberos user tools were not installed - but I set them up and no change.

root at florence:~# kinit administrator at IOL.SEAMANPAPER.COM
Password for administrator at IOL.SEAMANPAPER.COM:
root at florence:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at IOL.SEAMANPAPER.COM

Valid starting       Expires              Service principal
11/17/2015 17:20:51  11/18/2015 03:20:51  krbtgt/IOL.SEAMANPAPER.COM at IOL.SEAMANPAPER.COM
        renew until 11/18/2015 17:19:59
root at florence:~# wbinfo -i test1
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test1
root at florence:~# !smbc
smbcontrol all reload-config
root at florence:~# wbinfo -i test1
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test1
root at florence:~#

I found a note about a missing link to libnss_winbind.so.2.. fixed that and no difference.

So it can list the users but not get the IDs... So it seems to have some kind of authentication issue.

I've been all through the wiki and can't find anything else that seems relevant.
On Tue, Nov 17, 2015 at 3:54 PM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 17/11/15 20:46, Jeff Dickens wrote:
>> indeed
>>
>> On Tue, Nov 17, 2015 at 3:37 PM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>>> On 17/11/15 20:28, Jeff Dickens wrote:
>>>> On Sat, Nov 7, 2015 at 11:19 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>>>>> On 07/11/15 16:02, Krutskikh Ivan wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I need to change ownership of server files to user/group defined in active
>>>>>> directory (using rfc2307 and unix attributes). Chown returns no error, but
>>>>>> 'ls -lia' shows that file ownership is unchanged. What am I doing wrong?
>>>>>>
>>>>>> archive-test:/archive/video # ls -lia ./test.mp4
>>>>>> 17121 -rw-r--r-- 1 root root 2413096 Nov 2 19:50 ./test.mp4
>>>>>> archive-test:/archive/video # wbinfo -u
>>>>>> administrator
>>>>>> xviewsion
>>>>>> videoadm
>>>>>> viewer1
>>>>>> krbtgt
>>>>>> newadm
>>>>>> guest
>>>>>> test
>>>>>> new
>>>>>> archive-test:/archive/video # wbinfo -g
>>>>>> allowed rodc password replication group
>>>>>> enterprise read-only domain controllers
>>>>>> denied rodc password replication group
>>>>>> read-only domain controllers
>>>>>> group policy creator owners
>>>>>> ras and ias servers
>>>>>> domain controllers
>>>>>> enterprise admins
>>>>>> domain computers
>>>>>> cert publishers
>>>>>> dnsupdateproxy
>>>>>> domain admins
>>>>>> domain guests
>>>>>> schema admins
>>>>>> domain users
>>>>>> video admins
>>>>>> dnsadmins
>>>>>> videotest
>>>>>> video
>>>>>> archive-test:/archive/video # chown xviewsion ./test.mp4
>>>>>> archive-test:/archive/video # ls -lia ./test.mp4
>>>>>> 17121 -rw-r--r-- 1 root root 2413096 Nov 2 19:50 ./test.mp4
>>>>>>
>>>>>> I think that something is wrong with uid/gid mapping:
>>>>>>
>>>>>> archive-test:/archive/video # getent passwd
>>>>>> root:x:0:0:root:/root:/bin/bash
>>>>>> bin:x:1:1:bin:/bin:/bin/bash
>>>>>> daemon:x:2:2:Daemon:/sbin:/bin/bash
>>>>>> lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
>>>>>> mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
>>>>>> news:x:9:13:News system:/etc/news:/bin/bash
>>>>>> uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
>>>>>> games:x:12:100:Games account:/var/games:/bin/bash
>>>>>> man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
>>>>>> wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
>>>>>> ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
>>>>>> nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
>>>>>> messagebus:x:499:497:User for D-Bus:/run/dbus:/bin/false
>>>>>> postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
>>>>>> rpc:x:498:65534:user for rpcbind:/var/lib/empty:/sbin/nologin
>>>>>> sshd:x:497:496:SSH daemon:/var/lib/sshd:/bin/false
>>>>>> statd:x:496:65534:NFS statd daemon:/var/lib/nfs:/sbin/nologin
>>>>>> polkitd:x:495:495:User for polkitd:/var/lib/polkit:/sbin/nologin
>>>>>> usrsokrat:x:1000:100::/home/usrsokrat:/bin/bash
>>>>>> qemu:x:494:493:qemu user:/:/sbin/nologin
>>>>>> tftp:x:493:492:TFTP account:/srv/tftpboot:/bin/false
>>>>>> dnsmasq:x:492:65534:dnsmasq:/var/lib/empty:/bin/false
>>>>>> avahi:x:491:491:User for Avahi:/run/avahi-daemon:/bin/false
>>>>>> radvd:x:490:2:Router ADVertisement Daemon for:/var/lib/empty:/bin/false
>>>>>> lxdm:x:489:488:LXDE Display Manager daemon:/var/lib/lxdm:/bin/false
>>>>>> avahi-autoipd:x:488:487:User for Avahi IPv4LL:/var/lib/avahi-autoipd:/bin/false
>>>>>> at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
>>>>>> nscd:x:487:486:User for nscd:/run/nscd:/sbin/nologin
>>>>>> ntp:x:74:485:NTP daemon:/var/lib/ntp:/bin/false
>>>>>> mysql:x:60:484:MySQL database admin:/var/lib/mysql:/bin/false
>>>>>> nginx:x:486:483:user for nginx:/var/lib/nginx:/bin/false
>>>>>> zabbix:x:485:482:Zabbix Agent Daemon:/var/lib/zabbix:/bin/false
>>>>>> privoxy:x:484:481:Daemon user for privoxy:/var/lib/privoxy:/bin/false
>>>>>> vscan:x:65:480:Vscan account:/var/spool/amavis:/bin/false
>>>>>> lightdm:x:483:478:LightDM daemon:/var/lib/lightdm:/bin/false
>>>>>> kdm:x:482:477:KDM Display Manager daemon:/var:/bin/false
>>>>>> drweb:x:100:1000:Dr.Web system account:/var/opt/drweb.com:/bin/false
>>>>>> asurkov:x:11114:100::/home/asurkov:/bin/bash
>>>>>> administrator:*:4294967295:4294967295:Administrator:/home/Administrator:/bin/bash
>>>>>> xviewsion:*:4294967295:4294967295:xviewsion:/home/xviewsion:/bin/sh
>>>>>> videoadm:*:4294967295:4294967295:videoadm:/home/videoadm:/bin/sh
>>>>>> viewer1:*:4294967295:4294967295:Viewer1:/home/TSNR/viewer1:/bin/bash
>>>>>> krbtgt:*:4294967295:4294967295:krbtgt:/home/TSNR/krbtgt:/bin/bash
>>>>>> newadm:*:4294967295:4294967295:newadm:/home/TSNR/newadm:/bin/bash
>>>>>> guest:*:4294967295:4294967295:Guest:/home/TSNR/guest:/bin/bash
>>>>>> test:*:4294967295:4294967295:test:/home/test:/bin/sh
>>>>>> new:*:4294967295:4294967295:new:/home/new:/bin/sh
>>>>>
>>>>> Can you provide a bit more info,
>>>>> What distro are you using?
>>>>> What version of samba?
>>>>> What is your smb.conf?
>>>>> Is this on a DC or a Domain Member?
>>>>> Are you using sssd?
>>>>> Do your users have a uidNumber?
>>>>> does the Domain Users group have a gidNumber?
>>>>>
>>>>> and most importantly why does every domain user and group have the
>>>>> ID number of 4294967295? perhaps if you supply the above, we may
>>>>> be able to work this out.
>>>>>
>>>>> Rowland
>>>>>
>>>>> -- To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>> I am having an identical problem. As the OP said (in the subject), this is a
>>>> member server, not on the DC.
>>>>
>>>> I'm using the sernet distribution of samba 4.2 on Ubuntu 14 LTS.
>>>>
>>>> I configured nsswitch.conf on the DC to see if it would work there and I see
>>>> the same behavior:
>>>>
>>>> root at athens:~# ls -l secondfile.txt
>>>> -rw-rw-r-- 1 root users 0 Nov 17 15:15 secondfile.txt
>>>> root at athens:~# chown Administrator:"Domain Users" secondfile.txt
>>>> root at athens:~# ls -l secondfile.txt
>>>> -rw-rw-r-- 1 root users 0 Nov 17 15:15 secondfile.txt
>>>> root at athens:~#
>>>>
>>>> more info:
>>>>
>>>> With getent I get different behavior on the DC and member server:
>>>>
>>>> On the DC:
>>>>
>>>> root at athens:~# getent passwd Administrator
>>>> administrator:*:0:100::/home/IOL/administrator:/bin/false
>>>> root at athens:~# getent group "Domain Users"
>>>> domain users:x:100:
>>>>
>>>> On the member server:
>>>>
>>>> root at florence:/home# getent passwd Administrator
>>>> administrator:*:4294967295:4294967295::/home/IOL/administrator:/bin/false
>>>> root at florence:/home#
>>>> root at florence:/home# getent group "Domain Users"
>>>> domain users:x:4294967295:
>>>>
>>>> The smb.conf on the dc:
>>>>
>>>> # Global parameters
>>>> [global]
>>>>     workgroup = IOL
>>>>     realm = IOL.SEAMANPAPER.COM
>>>>     netbios name = ATHENS
>>>>     server role = active directory domain controller
>>>>     dns forwarder = 75.75.75.75
>>>>     idmap_ldb:use rfc2307 = yes
>>>>
>>>> [netlogon]
>>>>     path /var/lib/samba/sysvol/iol.seamanpaper.com/scripts
>>>>     read only = No
>>>>
>>>> [sysvol]
>>>>     path = /var/lib/samba/sysvol
>>>>     read only = No
>>>>
>>>> The smb.conf on the member server:
>>>>
>>>> [global]
>>>>
>>>>     netbios name = FLORENCE
>>>>     security = ADS
>>>>     workgroup = IOL
>>>>     realm = IOL.SEAMANPAPER.COM
>>>>
>>>>     log file = /var/log/samba/%m.log
>>>>     log level = 1
>>>>
>>>>     dedicated keytab file = /etc/krb5.keytab
>>>>     kerberos method = secrets and keytab
>>>>     winbind refresh tickets = yes
>>>>
>>>>     winbind trusted domains only = no
>>>>     winbind use default domain = yes
>>>>     winbind enum users = yes
>>>>     winbind enum groups = yes
>>>>
>>>>     # idmap config used for your domain.
>>>>     # Choose one of the following backends fitting to your
>>>>     # requirements and add the corresponding configuration.
>>>>     idmap config ad
>>>>     # - idmap config rid
>>>>     # - idmap config autorid
>>>
>>> You copied your smb.conf from the samba wiki, didn't you?
>>> I take it that you didn't notice that 'idmap config ad' and 'idmap config rid'
>>> are hyperlinks???
>>>
>>> You need a bit more in your smb.conf :-)
>>>
>>> Rowland
>>>
>>>> [home]
>>>>     path=/home/
>>>>     read only = No
>>>>
>>>> Thanks in advance for any help.
>>>>
>>>> --
>>>> * Jeff Dickens*
>>>> IT Manager 978-632-1513
>
> No, go here:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Go to the bottom of the sample smb.conf
> Click on 'idmap config ad'
>
> this will take you here:
>
> https://wiki.samba.org/index.php/Idmap_config_ad
>
> This will show this (amongst everything else)
>
> # Important: The ranges of the default (*) idmap config
> # and the domain(s) must not overlap!
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain SAMDOM
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-99999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
>
> There is a bit more required, but I will leave you to find it, it is all
> on the wiki.
>
> Rowland
Rowland Penny
2015-Nov-18 09:34 UTC
[Samba] Cannot chown file to active directory user/group on member server
On 17/11/15 23:09, Jeff Dickens wrote:
> So I am still stuck. For reference here is the smb.conf on the member server:
>
> root at florence:~# more /etc/samba/smb.conf
> [global]
> [...]
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     idmap config IOL:backend = ad
>     idmap config IOL:schema_mode = rfc2307
>     idmap config IOL:range = 1000000-9999999
>
>     winbind nss info = rfc2307
> [...]
>
> I increased the range because it seems like the DC is using IDs above
> 1,000,000. This is on the DC:

Ah, I think I see your problem, you think that because a user on the DC gets a uid, it should get one on a domain member without any intervention on your part.

Did you miss this:

Prerequisites

 * NIS extensions <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory> installed in AD and RFC2307 enabled <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_RFC2307_is_used_by_your_Domain_Controllers> in each DC's smb.conf
 * Users and groups have RFC2307 attributes set in AD

on this wiki page:

https://wiki.samba.org/index.php/Idmap_config_ad

This means that any users that must be known to a Unix domain member *must* have a unique uidNumber, also Domain Users (at least) *must* have a unique gidNumber. These numbers must be inside the range you set in smb.conf, in your case '1000000-9999999'

The numbers used on the DC are 'xidNumbers' and are only used on a DC and they could be different on other DCs

If you do not want to add rfc2307 attributes, you could use the winbind 'rid' backend instead, see the wiki.

Rowland
Rowland Penny
2015-Nov-18 11:00 UTC
[Samba] Cannot chown file to active directory user/group on member server
On 18/11/15 10:27, Jeff Dickens wrote:
> On Nov 18, 2015 4:35 AM, "Rowland Penny" <rowlandpenny241155 at gmail.com> wrote:
>> On 17/11/15 23:09, Jeff Dickens wrote:
>>> [...]
>>> I increased the range because it seems like the DC is using IDs above
>>> 1,000,000. This is on the DC:
>>
>> Ah, I think I see your problem, you think that because a user on the DC
>> gets a uid, it should get one on a domain member without any intervention
>> on your part.
>>
>> Did you miss this:
>>
>> Prerequisites
>>
>>  * NIS extensions <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory> installed in AD and RFC2307 enabled <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_RFC2307_is_used_by_your_Domain_Controllers> in each DC's smb.conf
>>  * Users and groups have RFC2307 attributes set in AD
>>
>> on this wiki page:
>>
>> https://wiki.samba.org/index.php/Idmap_config_ad
>>
>> This means that any users that must be known to a Unix domain member
>> *must* have a unique uidNumber, also Domain Users (at least) *must* have
>> a unique gidNumber. These numbers must be inside the range you set in
>> smb.conf, in your case '1000000-9999999'
>>
>> The numbers used on the DC are 'xidNumbers' and are only used on a DC
>> and they could be different on other DCs
>>
>> If you do not want to add rfc2307 attributes, you could use the winbind
>> 'rid' backend instead, see the wiki.
>>
>> Rowland
>
> I did use the --use-rfc2307 option when I originally provisioned the
> domain.

All '--use-rfc2307' does, is to make it possible to use rfc2307 attributes, it does not add any rfc2307 attributes.
You need to add these attributes to your users & groups, either by using the UNIX Attributes tab in ADUC after creating a user, or by creating a user/group with samba-tool, where you can add the rfc2307 attributes at the same time.

> I do want to use that because eventually I will want to have some
> Linux client machines.

Then you need to either add uid/gidNumbers and use the winbind 'ad' backend, or use the winbind 'rid' backend, all the info is on the wiki, if you are struggling to understand the wiki, just say and we will try to make it clearer.

Rowland
Krutskikh Ivan
2015-Nov-18 16:37 UTC
[Samba] Cannot chown file to active directory user/group on member server
BTW, my issue was resolved by correct configuration of smb.conf

2015-11-18 14:00 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> On 18/11/15 10:27, Jeff Dickens wrote:
>> [...]
>> I do want to use that because eventually I will want to have some Linux
>> client machines.
>
> Then you need to either add uid/gidNumbers and use the winbind 'ad'
> backend, or use the winbind 'rid' backend, all the info is on the wiki, if
> you are struggling to understand the wiki, just say and we will try to make
> it clearer.
>
> Rowland
Jeff Dickens
2015-Nov-18 18:18 UTC
[Samba] Cannot chown file to active directory user/group on member server
On Wed, Nov 18, 2015 at 6:00 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> On 18/11/15 10:27, Jeff Dickens wrote:
>> [...]
>> I did use the --use-rfc2307 option when I originally provisioned the
>> domain.
>
> All '--use-rfc2307' does, is to make it possible to use rfc2307
> attributes, it does not add any rfc2307 attributes.
> You need to add these attributes to your users & groups, either by using
> the UNIX Attributes tab in ADUC after creating a user, or by creating a
> user/group with samba-tool, where you can add the rfc2307 attributes at the
> same time.

ok...

>> I do want to use that because eventually I will want to have some Linux
>> client machines.
>
> Then you need to either add uid/gidNumbers and use the winbind 'ad'
> backend, or use the winbind 'rid' backend, all the info is on the wiki, if
> you are struggling to understand the wiki, just say and we will try to make
> it clearer.
>
> Rowland

I will make a concerted effort to distill what I've learned and return it to the community. If the talk pages in the wiki were enabled it would be easier for me to point out things I find less than clear, but I assume that's because you want to keep discussions in one place (here).

At https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Using_domain_accounts.2Fgroups_in_OS_commands, for the 2nd condition (the accounts and groups have rfc2307 attributes), it would be good to have a way to check this with a command on the DC.

Thanks for all your patient help.. I think I should be able to get it going when next I can spend a chunk of time on it.
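A script-based version of the check asked for above, covering the two conditions Rowland set out in his earlier reply: the default (*) idmap range and the domain range must not overlap, and every user a Unix domain member must know needs a uidNumber and gidNumber (every group a gidNumber) inside the domain range. This is an added example, not code from the thread, the Samba wiki or the Samba project. It assumes smb.conf uses the 'idmap config DOMAIN:range = low-high' lines shown in the thread, that the DC's database lives at the default path /var/lib/samba/private/sam.ldb, and that ldbsearch prints entries in the LDIF shape the sample mimics; the embedded smb.conf and LDIF are constructed for the example (test1 and Domain Users use the numbers from the thread, Administrator is deliberately left without attributes, and test2 is invented to show an out-of-range value).

```shell
#!/bin/sh
# Added example, not code from the thread or the Samba project. Checks, on a Samba
# AD DC, the preconditions for the winbind 'ad' backend on a domain member:
#   1. the default (*) idmap range and the domain range must not overlap;
#   2. users need uidNumber and gidNumber, groups need gidNumber, and every
#      number must sit inside the domain range.
# Assumes 'idmap config DOM:range = low-high' lines as on the page and account
# data in the LDIF shape ldbsearch prints. The SAMPLE_* inputs are constructed.

SAMPLE_SMB_CONF='idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config IOL:backend = ad
idmap config IOL:range = 1000000-9999999'

# Shaped like: ldbsearch -H /var/lib/samba/private/sam.ldb \
#   '(|(objectClass=user)(objectClass=group))' sAMAccountName objectClass uidNumber gidNumber
# test1 and Domain Users are fine; Administrator has no numbers; test2 (invented)
# has a uidNumber that lands in the default (*) range instead of the IOL range.
SAMPLE_LDIF='dn: CN=Test One,CN=Users,DC=iol,DC=seamanpaper,DC=com
objectClass: user
sAMAccountName: test1
uidNumber: 3100100
gidNumber: 3100000

dn: CN=Administrator,CN=Users,DC=iol,DC=seamanpaper,DC=com
objectClass: user
sAMAccountName: Administrator

dn: CN=Test Two,CN=Users,DC=iol,DC=seamanpaper,DC=com
objectClass: user
sAMAccountName: test2
uidNumber: 5000
gidNumber: 3100000

dn: CN=Domain Users,CN=Users,DC=iol,DC=seamanpaper,DC=com
objectClass: group
sAMAccountName: Domain Users
gidNumber: 3100000'

# idmap_range CONF DOMAIN: print "low high" from the 'idmap config DOMAIN:range' line
idmap_range() {
    printf '%s\n' "$1" | awk -v key="idmap config $2:range" '
        index($0, key) { sub(/^[^=]*=[ \t]*/, ""); split($0, r, "-")   # "low-high"
                         gsub(/[ \t\r]/, "", r[1]); gsub(/[ \t\r]/, "", r[2])
                         print r[1], r[2]; exit }'
}

# check_ranges CONF DOMAIN: status 1 if the * and DOMAIN ranges share any ID
check_ranges() {
    set -- "$2" $(idmap_range "$1" '*') $(idmap_range "$1" "$2")   # dom lo1 hi1 lo2 hi2
    [ $# -eq 5 ] || { echo "MISSING idmap range for * or $1"; return 2; }
    if [ "$2" -le "$5" ] && [ "$4" -le "$3" ]; then echo "OVERLAP * $2-$3 vs $1 $4-$5"; return 1; fi
    echo "DISJOINT * $2-$3 and $1 $4-$5"
}

# ldif_ids LDIF: one "kind|name|uid|gid" line per entry, "-" for an absent attribute
ldif_ids() {
    printf '%s\n' "$1" | awk '
        function flush() { if (name != "") print kind "|" name "|" uid "|" gid
                           kind = "user"; name = ""; uid = "-"; gid = "-" }
        BEGIN                  { flush() }
        /^dn: /                { flush() }              # a new entry starts
        /^objectClass: group$/ { kind = "group" }
        /^sAMAccountName: /    { name = substr($0, 17) }
        /^uidNumber: /         { uid = $2 }
        /^gidNumber: /         { gid = $2 }
        END                    { flush() }'
}

# check_ids CONF DOMAIN LDIF: one verdict line per account (OK / MISSING / OUT_OF_RANGE);
# status 1 if any account would get no uid/gid on a domain member
check_ids() {
    set -- "$3" $(idmap_range "$1" "$2"); ldif=$1 lo=$2 hi=$3; rc=0
    while IFS='|' read -r kind name uid gid; do
        case $name in ''|*\$) continue ;; esac            # skip blanks and computer accounts
        [ "$kind" = group ] && need=$gid || need="$uid $gid"
        verdict=OK
        for v in $need; do
            if [ "$v" = "-" ]; then verdict=MISSING
            elif [ "$verdict" = OK ] && { [ "$v" -lt "$lo" ] || [ "$v" -gt "$hi" ]; }; then verdict=OUT_OF_RANGE
            fi
        done
        [ "$verdict" = OK ] || rc=1
        echo "$verdict $kind '$name' uid=$uid gid=$gid"
    done <<EOF
$(ldif_ids "$ldif")
EOF
    return $rc
}

main() {
    if [ "${1:-}" = live ]; then                    # on a DC: real smb.conf and sam.ldb
        conf=$(cat /etc/samba/smb.conf)
        dom=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*workgroup[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1)
        ldif=$(ldbsearch -H /var/lib/samba/private/sam.ldb \
               '(|(objectClass=user)(objectClass=group))' sAMAccountName objectClass uidNumber gidNumber)
    else                                            # default: the constructed samples above
        conf=$SAMPLE_SMB_CONF dom=IOL ldif=$SAMPLE_LDIF
    fi
    check_ranges "$conf" "$dom"
    check_ids "$conf" "$dom" "$ldif" || echo "some accounts would not map on a domain member"
}
main "$@"
```

Run without arguments it reports on the constructed samples (test1 and Domain Users OK, Administrator MISSING, test2 OUT_OF_RANGE); run as `sh check-rfc2307.sh live` as root on the DC it reads the real smb.conf and sam.ldb. An account flagged MISSING is exactly the case in the thread where `wbinfo -i` fails on the member with WBC_ERR_DOMAIN_NOT_FOUND while `wbinfo -n` still resolves the SID. To add the attributes at creation time rather than through ADUC, `samba-tool user create` takes `--nis-domain`, `--uid-number`, `--gid-number`, `--login-shell` and `--unix-home`, and `samba-tool group add` takes `--nis-domain` and `--gid-number`; confirm the exact option names with `--help` on the installed version, as this thread's Samba 4.2 may differ from current releases.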
Jeff Dickens
2015-Nov-18 22:32 UTC
[Samba] Cannot chown file to active directory user/group on member server
On Wed, Nov 18, 2015 at 6:00 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 18/11/15 10:27, Jeff Dickens wrote:
>>
>> On Nov 18, 2015 4:35 AM, "Rowland Penny" <rowlandpenny241155 at gmail.com> wrote:
>> >
>> > On 17/11/15 23:09, Jeff Dickens wrote:
>> >>
>> >> So I am still stuck. For reference here is the smb.conf on the member server:
>> >>
>> >> root at florence:~# more /etc/samba/smb.conf
>> >> [global]
>> >>
>> >> netbios name = FLORENCE
>> >> security = ADS
>> >> workgroup = IOL
>> >> realm = IOL.SEAMANPAPER.COM
>> >>
>> >> log file = /var/log/samba/%m.log
>> >> log level = 1
>> >>
>> >> dedicated keytab file = /etc/krb5.keytab
>> >> kerberos method = secrets and keytab
>> >> winbind refresh tickets = yes
>> >>
>> >> winbind trusted domains only = no
>> >> winbind use default domain = yes
>> >> winbind enum users = yes
>> >> winbind enum groups = yes
>> >>
>> >> # idmap config used for your domain.
>> >> # Choose one of the following backends fitting to your
>> >> # requirements and add the corresponding configuration.
>> >> # idmap config ad
>> >> # - idmap config rid
>> >> # - idmap config autorid
>> >> idmap config *:backend = tdb
>> >> idmap config *:range = 2000-9999
>> >> idmap config IOL:backend = ad
>> >> idmap config IOL:schema_mode = rfc2307
>> >> idmap config IOL:range = 1000000-9999999
>> >>
>> >> winbind nss info = rfc2307
>> >>
>> >> [home]
>> >> path=/home/
>> >> read only = No
>> >>
>> >> I increased the range because it seems like the DC is using IDs above 1,000,000. This is on the DC:
>> >
>> > Ah, I think I see your problem, you think that because a user on the DC gets a uid, it should get one on a domain member without any intervention on your part.
>> >
>> > Did you miss this:
>> >
>> > Prerequisites
>> >
>> > * NIS extensions <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory> installed in AD and RFC2307 enabled <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_RFC2307_is_used_by_your_Domain_Controllers> in each DC's smb.conf
>> > * Users and groups have RFC2307 attributes set in AD
>> >
>> > on this wiki page:
>> >
>> > https://wiki.samba.org/index.php/Idmap_config_ad
>> >
>> > This means that any users that must be known to a Unix domain member *must* have a unique uidNumber, also Domain Users (at least) *must* have a unique gidNumber. These numbers must be inside the range you set in smb.conf, in your case '1000000-9999999'
>> >
>> > The numbers used on the DC are 'xidNumbers' and are only used on a DC and they could be different on other DCs
>> >
>> > If you do not want to add rfc2307 attributes, you could use the winbind 'rid' backend instead, see the wiki.
>> >
>> > Rowland
>>
>> I did use the --use-rfc2307 option when I originally provisioned the domain.
>>
> All '--use-rfc2307' does, is to make it possible to use rfc2307 attributes, it does not add any rfc2307 attributes.
> You need to add these attributes to your users & groups, either by using the UNIX Attributes tab in ADUC after creating a user, or by creating a user/group with samba-tool, where you can add the rfc2307 attributes at the same time.
>
>> I do want to use that because eventually I will want to have some Linux client machines.
>>
> Then you need to either add uid/gidNumbers and use the winbind 'ad' backend, or use the winbind 'rid' backend, all the info is on the wiki, if you are struggling to understand the wiki, just say and we will try to make it clearer.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

Ok, so I have it working, sort of. It's kind of screwed up. Here's what I did, and then a couple of follow-up questions.

On the DC I ran wbinfo -i to look at some existing groups:

root at athens:/etc/pam.d# wbinfo -i domain\ guests
domain guests:*:3000012:3000012::/home/IOL/domain guests:/bin/false
root at athens:/etc/pam.d# wbinfo -i domain\ admins
domain admins:*:3000008:3000008::/home/IOL/domain admins:/bin/false
root at athens:/etc/pam.d# wbinfo -i domain\ users
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users

On a Windows workstation, logged in as the domain administrator, I ran the "Active Directory Users and Computers" app. Under iol.seamanpaper.com (my domain) / Users I double-clicked on "Domain Users" and then clicked on the "Unix Attributes" tab. I selected the NIS domain (iol) and picked a gid that looked like it probably wasn't in use. Then I clicked on OK.

Then I went to the user "Test One (test1 at ...)" under Users, double-clicked on it and then clicked on "Unix Attributes". I picked the NIS domain, assigned a uid, a shell, a home directory and left the Primary group name/GID at "Domain Users".

I then went back to the group "Domain Users" and when I clicked on "Unix Attributes" it gave me a box that said "Unwilling to Perform". Not unable, but unwilling. We laughed. But nevertheless I was able to select the Add button, choose the user "Test One" from the list of Available NIS Users and click Add and OK.

Now on the member server I can do this:

root at florence:/root# wbinfo -i test1
test1:*:3100100:3100000:Test One:/home/test1:/bin/bash

but not this:

root at florence:/root# wbinfo -i domain\ users
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users

I can also do this:

root at florence:/root# touch file.txt
root at florence:/root# ls -l file.txt
-rw-r--r-- 1 root root 0 Nov 18 17:21 file.txt
root at florence:/root# chown test1 file.txt
root at florence:/root# ls -l file.txt
-rw-r--r-- 1 test1 root 0 Nov 18 17:21 file.txt
root at florence:/root#

which was the point of the exercise. This also works:

root at florence:/root# getent group domain\ users
domain users:x:3100000:
root at florence:/root# chgrp domain\ users file.txt
root at florence:/root# ls -l file.txt
-rw-r--r-- 1 test1 domain users 0 Nov 18 17:21 file.txt
root at florence:/root#

but... ): on the DC I see this:

root at athens:~# wbinfo -i test1
test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
root at athens:~# wbinfo -i domain\ users
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users
root at athens:~# getent group domain\ users
domain users:x:100:

while on the member server I see this:

root at florence:/root# wbinfo -i test1
test1:*:3100100:3100000:Test One:/home/test1:/bin/bash
root at florence:/root# wbinfo -i domain\ users
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users
root at florence:/root# getent group domain\ users
domain users:x:3100000:

So my questions are:

How did I end up with different IDs for test1 on the DC and member server?
How can I list all the IDs already assigned on the member server?
Why was there already a gid assigned for "Domain Admins" and "Domain Guests" but not for "Domain Users"?
What does "Unwilling to Perform" mean?
Do I need to set up the idmap backend on the DC? Is that even possible?

--
Jeff Dickens
IT Manager
978-632-1513
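Rowland's rule from the quoted reply (every user a member server must resolve needs a unique uidNumber, Domain Users needs a unique gidNumber, and both must sit inside the idmap range from smb.conf) as an added Python check; this is not code from the thread or from Samba. The user and group dicts are a constructed stand-in for the uidNumber/gidNumber attributes read from AD, and the range is the one from the quoted smb.conf.

```python
"""Check RFC2307 attributes against a domain member's idmap range (added example
for this thread, not Samba code). Rule: each user needs a unique uidNumber, the
primary group (Domain Users) a unique gidNumber, both inside the idmap range."""
IDMAP_RANGE = (1000000, 9999999)  # idmap config IOL:range from the quoted smb.conf


def check_rfc2307(users, groups, idmap_range=IDMAP_RANGE):
    """Return problems found; an empty list means the 'ad' backend maps everyone."""
    lo, hi = idmap_range
    problems, gid_owner, uid_owner = [], {}, {}
    for g in groups:
        name, gid = g["sAMAccountName"], g.get("gidNumber")
        if gid is None:
            if name.lower() == "domain users":  # primary group must have a gidNumber
                problems.append(f"group {name}: missing gidNumber")
            continue
        if not lo <= gid <= hi:
            problems.append(f"group {name}: gidNumber {gid} outside {lo}-{hi}")
        if gid in gid_owner:
            problems.append(f"group {name}: gidNumber {gid} duplicates {gid_owner[gid]}")
        gid_owner.setdefault(gid, name)
    for u in users:
        name, uid, gid = u["sAMAccountName"], u.get("uidNumber"), u.get("gidNumber")
        if uid is None:
            # The DC still resolves such a user through its local xidNumber, but a
            # member using the 'ad' backend cannot (the wbinfo -i failure above).
            problems.append(f"user {name}: missing uidNumber")
            continue
        if not lo <= uid <= hi:
            problems.append(f"user {name}: uidNumber {uid} outside {lo}-{hi}")
        if uid in uid_owner:
            problems.append(f"user {name}: uidNumber {uid} duplicates {uid_owner[uid]}")
        uid_owner.setdefault(uid, name)
        if gid not in gid_owner:
            problems.append(f"user {name}: gidNumber {gid} matches no group's gidNumber")
    return problems


# Constructed sample: one clean user plus the failure modes discussed above.
SAMPLE_GROUPS = [
    {"sAMAccountName": "Domain Users", "gidNumber": 3100000},
    {"sAMAccountName": "Domain Admins"},                  # fine: not a primary group
    {"sAMAccountName": "unixgrp", "gidNumber": 3100000},  # duplicate gidNumber
]
SAMPLE_USERS = [
    {"sAMAccountName": "test1", "uidNumber": 3100100, "gidNumber": 3100000},  # ok
    {"sAMAccountName": "test2", "uidNumber": 3100100, "gidNumber": 3100000},  # duplicate uid
    {"sAMAccountName": "svc", "uidNumber": 5000, "gidNumber": 3100000},       # out of range
    {"sAMAccountName": "administrator"},                                     # no uidNumber
]
```

Running `check_rfc2307` against the thread's starting state (Domain Users with no gidNumber) reports the missing gidNumber and, for test1, a primary group that nothing maps to, which is the condition behind the `WBC_ERR_DOMAIN_NOT_FOUND` seen on the member server.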