Jeff Dickens
2015-Nov-18 22:32 UTC
[Samba] Cannot chown file to active directory user/group on member server
On Wed, Nov 18, 2015 at 6:00 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 18/11/15 10:27, Jeff Dickens wrote:
>>
>> On Nov 18, 2015 4:35 AM, "Rowland Penny" <rowlandpenny241155 at gmail.com> wrote:
>> >
>> > On 17/11/15 23:09, Jeff Dickens wrote:
>> >>
>> >> So I am still stuck. For reference here is the smb.conf on the member server:
>> >>
>> >> root at florence:~# more /etc/samba/smb.conf
>> >> [global]
>> >>
>> >> netbios name = FLORENCE
>> >> security = ADS
>> >> workgroup = IOL
>> >> realm = IOL.SEAMANPAPER.COM
>> >>
>> >> log file = /var/log/samba/%m.log
>> >> log level = 1
>> >>
>> >> dedicated keytab file = /etc/krb5.keytab
>> >> kerberos method = secrets and keytab
>> >> winbind refresh tickets = yes
>> >>
>> >> winbind trusted domains only = no
>> >> winbind use default domain = yes
>> >> winbind enum users = yes
>> >> winbind enum groups = yes
>> >>
>> >> # idmap config used for your domain.
>> >> # Choose one of the following backends fitting to your
>> >> # requirements and add the corresponding configuration.
>> >> # idmap config ad
>> >> # - idmap config rid
>> >> # - idmap config autorid
>> >> idmap config *:backend = tdb
>> >> idmap config *:range = 2000-9999
>> >> idmap config IOL:backend = ad
>> >> idmap config IOL:schema_mode = rfc2307
>> >> idmap config IOL:range = 1000000-9999999
>> >>
>> >> winbind nss info = rfc2307
>> >>
>> >> [home]
>> >> path=/home/
>> >> read only = No
>> >>
>> >> I increased the range because it seems like the DC is using IDs above 1,000,000. This is on the DC:
>> >
>> > Ah, I think I see your problem, you think that because a user on the DC gets a uid, it should get one on a domain member without any intervention on your part.
>> >
>> > Did you miss this:
>> >
>> > Prerequisites
>> >
>> > * NIS extensions <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory> installed in AD and RFC2307 enabled <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_RFC2307_is_used_by_your_Domain_Controllers> in each DC's smb.conf
>> > * Users and groups have RFC2307 attributes set in AD
>> >
>> > on this wiki page:
>> >
>> > https://wiki.samba.org/index.php/Idmap_config_ad
>> >
>> > This means that any users that must be known to a Unix domain member *must* have a unique uidNumber, also Domain Users (at least) *must* have a unique gidNumber. These numbers must be inside the range you set in smb.conf, in your case '1000000-9999999'
>> >
>> > The numbers used on the DC are 'xidNumbers' and are only used on a DC and they could be different on other DCs
>> >
>> > If you do not want to add rfc2307 attributes, you could use the winbind 'rid' backend instead, see the wiki.
>> >
>> > Rowland
>>
>> I did use the --use-rfc2307 option when I originally provisioned the domain.
>
> All '--use-rfc2307' does is to make it possible to use rfc2307 attributes, it does not add any rfc2307 attributes.
> You need to add these attributes to your users & groups, either by using the UNIX Attributes tab in ADUC after creating a user, or by creating a user/group with samba-tool, where you can add the rfc2307 attributes at the same time.
>
>> I do want to use that because eventually I will want to have some Linux client machines.
>
> Then you need to either add uid/gidNumbers and use the winbind 'ad' backend, or use the winbind 'rid' backend, all the info is on the wiki, if you are struggling to understand the wiki, just say and we will try to make it clearer.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

Ok, so I have it working, sort-of. It's kind of screwed up. Here's what I did, and then a couple of followup questions.

On the DC I ran wbinfo -i to look at some existing groups:

root at athens:/etc/pam.d# wbinfo -i domain\ guests
domain guests:*:3000012:3000012::/home/IOL/domain guests:/bin/false
root at athens:/etc/pam.d# wbinfo -i domain\ admins
domain admins:*:3000008:3000008::/home/IOL/domain admins:/bin/false
root at athens:/etc/pam.d# wbinfo -i domain\ users
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users

On a windows workstation, logged in as the domain administrator, I ran the "Active Directory Users and Computers" app. Under iol.seamanpaper.com (my domain) / Users I double-clicked on "Domain Users" and then clicked on the "Unix Attributes" tab. I selected the NIS domain (iol) and picked a gid that looked like it probably wasn't in use. Then I clicked on OK.

Then I went to the user "Test One (test1 at ...)" under Users, double clicked on it and then clicked on "Unix Attributes". I picked the NIS domain, assigned a uid, a shell, a home directory and left the Primary group name/GID at "Domain Users".

I then went back to the group "Domain Users" and when I clicked on "Unix Attributes" it gave me a box that said "Unwilling to Perform". Not unable, but unwilling. We laughed. But nevertheless I was able to select the Add button, choose the user "Test One" from the list of Available NIS Users and click add and ok.

Now on the member server I can do this:

root at florence:/root# wbinfo -i test1
test1:*:3100100:3100000:Test One:/home/test1:/bin/bash

but not this:

root at florence:/root# wbinfo -i domain\ users
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users

I can also do this:

root at florence:/root# touch file.txt
root at florence:/root# ls -l file.txt
-rw-r--r-- 1 root root 0 Nov 18 17:21 file.txt
root at florence:/root# chown test1 file.txt
root at florence:/root# ls -l file.txt
-rw-r--r-- 1 test1 root 0 Nov 18 17:21 file.txt
root at florence:/root#

which was the point of the exercise.

This also works:

root at florence:/root# getent group domain\ users
domain users:x:3100000:
root at florence:/root# chgrp domain\ users file.txt
root at florence:/root# ls -l file.txt
-rw-r--r-- 1 test1 domain users 0 Nov 18 17:21 file.txt
root at florence:/root#

but... ): on the DC I see this:

root at athens:~# wbinfo -i test1
test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
root at athens:~# wbinfo -i domain\ users
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users
root at athens:~# getent group domain\ users
domain users:x:100:

while on the member server I see this:

root at florence:/root# wbinfo -i test1
test1:*:3100100:3100000:Test One:/home/test1:/bin/bash
root at florence:/root# wbinfo -i domain\ users
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users
root at florence:/root# getent group domain\ users
domain users:x:3100000:

So my questions are:

How did I end up with different IDs for test1 on the DC and member server ?
How can I list all the IDs already assigned on the member server?
Why was there already a gid assigned for "Domain Admins" and "Domain Guests" but not for "Domain Users" ?
What does "Unwilling to Perform" mean?
Do I need to set up the idmap backend on the DC ? Is that even possible?

--
Jeff Dickens
IT Manager 978-632-1513
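The DC/member discrepancy above is easy to miss when reading raw wbinfo and getent output by eye. The following Python script is an added example, not part of the thread and not Samba's own code: it parses the passwd- and group-format lines from both hosts, skips the wbinfo error lines, and reports every name whose numeric IDs differ, plus any entry whose IDs fall outside the member server's idmap range (1000000-9999999 from the smb.conf quoted earlier). The sample text is constructed from the output quoted in this message; the host names athens and florence come from the prompts there, and all function names are the example's own.

```python
"""Compare what a domain user and group resolve to on two hosts.

Added example for this thread, not code from the thread or from Samba. It
parses the passwd-format lines (7 fields) and group-format lines (4 fields)
that `getent` and `wbinfo -i` print, ignores the wbinfo error lines, and
reports every name whose numeric IDs differ between the DC and the member
server.
"""
from typing import Dict, List, Tuple

# Constructed from the DC (athens) output quoted in the thread.
DC_OUTPUT = """\
test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users
domain users:x:100:
"""

# Constructed from the member server (florence) output quoted in the thread.
MEMBER_OUTPUT = """\
test1:*:3100100:3100000:Test One:/home/test1:/bin/bash
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user domain users
domain users:x:3100000:
"""

Entry = Tuple[str, int, int]  # (kind, uid-or-gid, primary gid)


def parse_nss_lines(text: str) -> Dict[str, Entry]:
    """Map 'user:<name>' / 'group:<name>' -> (kind, id, gid).

    passwd lines carry the uid in field 3 and the gid in field 4; group lines
    carry the gid in field 3 (stored twice so both kinds share one shape).
    Lines that are not well-formed entries, such as the wbinfo error
    messages, are skipped rather than mistaken for an account.
    """
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit() and fields[3].isdigit():
            entries[f"user:{fields[0]}"] = ("user", int(fields[2]), int(fields[3]))
        elif len(fields) == 4 and fields[2].isdigit():
            entries[f"group:{fields[0]}"] = ("group", int(fields[2]), int(fields[2]))
    return entries


def id_mismatches(dc_text: str, member_text: str) -> List[Tuple[str, Tuple[int, int], Tuple[int, int]]]:
    """Return (key, (dc_id, dc_gid), (member_id, member_gid)) for every
    name known on both hosts whose numeric IDs disagree."""
    dc = parse_nss_lines(dc_text)
    member = parse_nss_lines(member_text)
    out = []
    for key in sorted(dc.keys() & member.keys()):
        _, d_id, d_gid = dc[key]
        _, m_id, m_gid = member[key]
        if (d_id, d_gid) != (m_id, m_gid):
            out.append((key, (d_id, d_gid), (m_id, m_gid)))
    return out


def ids_outside_range(text: str, low: int, high: int) -> List[str]:
    """Names whose id or primary gid lies outside the idmap range low..high.

    With 'idmap config <DOM>:backend = ad' a member server only maps IDs
    inside its configured range, so anything listed here cannot have come
    from rfc2307 attributes the member would accept."""
    return sorted(key for key, (_, i, g) in parse_nss_lines(text).items()
                  if not (low <= i <= high and low <= g <= high))


if __name__ == "__main__":
    for key, dc_ids, member_ids in id_mismatches(DC_OUTPUT, MEMBER_OUTPUT):
        print(f"{key}: DC has {dc_ids}, member has {member_ids}")
    print("outside 1000000-9999999 on DC:", ids_outside_range(DC_OUTPUT, 1000000, 9999999))
```

Run against the thread's own output, the script flags both test1 and "domain users" as mismatched and shows that the DC's gid 100 lies outside the member's range, which is exactly the symptom the question asks about.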
Rowland Penny
2015-Nov-18 23:26 UTC
[Samba] Cannot chown file to active directory user/group on member server
On 18/11/15 22:32, Jeff Dickens wrote:
>
> Ok, so I have it working, sort-of. It's kind of screwed up. Here's what I did, and then a couple of followup questions.
>
> On the DC I ran wbinfo -i to look at some existing groups:
>
> root at athens:/etc/pam.d# wbinfo -i domain\ guests
> domain guests:*:3000012:3000012::/home/IOL/domain guests:/bin/false
> root at athens:/etc/pam.d# wbinfo -i domain\ admins
> domain admins:*:3000008:3000008::/home/IOL/domain admins:/bin/false
> root at athens:/etc/pam.d# wbinfo -i domain\ users
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user domain users

Never checked using those commands before, but I get virtually the same results

> On a windows workstation, logged in as the domain administrator, I ran the "Active Directory Users and Computers" app. Under iol.seamanpaper.com (my domain) / Users I double-clicked on "Domain Users" and then clicked on the "Unix Attributes" tab. I selected the NIS domain (iol) and picked a gid that looked like it probably wasn't in use. Then I clicked on OK.
>
> Then I went to the user "Test One (test1 at ...)" under Users, double clicked on it and then clicked on "Unix Attributes". I picked the NIS domain, assigned a uid, a shell, a home directory and left the Primary group name/GID at "Domain Users".
>
> I then went back to the group "Domain Users" and when I clicked on "Unix Attributes" it gave me a box that said "Unwilling to Perform". Not unable, but unwilling. We laughed. But nevertheless I was able to select the Add button, choose the user "Test One" from the list of Available NIS Users and click add and ok.

You don't need to do this.

> Now on the member server I can do this:
> root at florence:/root# wbinfo -i test1
> test1:*:3100100:3100000:Test One:/home/test1:/bin/bash
>
> but not this:
>
> root at florence:/root# wbinfo -i domain\ users
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user domain users

Exactly the same for me

> I can also do this:
>
> root at florence:/root# touch file.txt
> root at florence:/root# ls -l file.txt
> -rw-r--r-- 1 root root 0 Nov 18 17:21 file.txt
> root at florence:/root# chown test1 file.txt
> root at florence:/root# ls -l file.txt
> -rw-r--r-- 1 test1 root 0 Nov 18 17:21 file.txt
> root at florence:/root#
>
> which was the point of the exercise.

Good, this is how it is supposed to work.

> This also works:
>
> root at florence:/root# getent group domain\ users
> domain users:x:3100000:
> root at florence:/root# chgrp domain\ users file.txt
> root at florence:/root# ls -l file.txt
> -rw-r--r-- 1 test1 domain users 0 Nov 18 17:21 file.txt
> root at florence:/root#
>
> but... ): on the DC I see this:
>
> root at athens:~# wbinfo -i test1
> test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
> root at athens:~# wbinfo -i domain\ users
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user domain users
> root at athens:~# getent group domain\ users
> domain users:x:100:
>
> while on the member server I see this:
>
> root at florence:/root# wbinfo -i test1
> test1:*:3100100:3100000:Test One:/home/test1:/bin/bash
> root at florence:/root# wbinfo -i domain\ users
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user domain users
> root at florence:/root# getent group domain\ users
> domain users:x:3100000:
>
> So my questions are:
>
> How did I end up with different IDs for test1 on the DC and member server ?

Right, on the DC, Samba uses xidNumbers that are stored in idmap.ldb, unless you use uidNumber & gidNumber attributes. If you don't do anything and ask for a user's or group's info, you will get a number in the 3000000 range, but if you add the uidNumber & gidNumber attributes, you will get them instead, i.e. I use numbers starting at 10000

root at dc1:~# getent group Domain\ Users
SAMDOM\domain users:x:10000:

root at dc1:~# getent passwd rowland
SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

If I run the same two commands on a domain member:

root at member1:~# getent group Domain\ Users
domain_users:x:10000:dns-dc1,dns-dc2,dhcpduser,rowland,cifsuser,administrator,krbtgt

root at member1:~# getent passwd rowland
rowland:*:10000:10000::/home/rowland:/bin/bash

Virtually the same info.

This still doesn't answer why you are getting different info though.

Have you set up nsswitch correctly and do you have the required libnss_winbind links in place ?

Are the uid/gidNumbers you added inside the range you set in the domain member smb.conf ?

> How can I list all the IDs already assigned on the member server?

They aren't assigned on the member server, they are assigned in AD. You could write a short script to extract the uid/gidNumber attributes using ldaptools or ldbtools.

> Why was there already a gid assigned for "Domain Admins" and "Domain Guests" but not for "Domain Users" ?

They haven't, they have a xidNumber from idmap.ldb

> What does "Unwilling to Perform" mean?

Basically what it says, it cannot do what you are asking.

> Do I need to set up the idmap backend on the DC ? Is that even possible?

No, because this is what idmap.ldb and the underlying code is for; it is also the subject of an ongoing plea for it to be changed. At the moment the DC on the surface seems to work like the winbind 'rid' backend on a domain member (it is different, but at first glance it is very similar), i.e. a user or group has the ID set automatically and the Unix home directory and shell are set from templates; the only real visible difference is that on the DC the range is fixed and on a domain member you can set the start number.

Now, when you add uidNumbers & gidNumbers, on the DC you stop using the xidNumbers from idmap.ldb, but you have to continue using the templates. However, on a domain member using the winbind 'ad' backend you can pull the full range of rfc2307 attributes; this includes the unixHomeDirectory & loginShell attributes, which allows having different homedir paths & shells for users.

Note, xidNumbers are never used on a domain member, you need to use the 'ad', 'rid' or one of the other lesser used winbind backends.

Again, any questions, please ask.

Rowland

> --
> Jeff Dickens
> IT Manager 978-632-1513
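Two of Rowland's points above, that the IDs live in AD rather than on the member server and that every uidNumber/gidNumber must be unique and inside the member's idmap range, can be checked with a short script of the kind he suggests. The Python below is an added example, not from the thread and not a Samba tool: it reads the member server's smb.conf for the `idmap config <DOM>:range` line and LDIF-style records of the kind ldbsearch or ldapsearch print, then reports IDs outside the range, a uidNumber shared by two accounts, and a user with a uidNumber but no gidNumber. The smb.conf lines and records are constructed: test1 and Domain Users carry the IDs quoted in the thread, while test2, test3 and test4 are invented to trigger each check; the function names are the example's own.

```python
"""Audit rfc2307 attributes in AD against a member server's idmap range.

Added example for this thread, not code from the thread or from Samba. It
takes the member server's smb.conf text and LDIF-style records (one
"attr: value" per line, records separated by a blank line) and reports what
would stop winbind's 'ad' backend from mapping an account.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed: the idmap lines from the member server's smb.conf.
SMB_CONF = """\
[global]
workgroup = IOL
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config IOL:backend = ad
idmap config IOL:schema_mode = rfc2307
idmap config IOL:range = 1000000-9999999
"""

# Constructed LDIF-style records, trimmed to the attributes that matter here.
# test1 / Domain Users use the thread's IDs; test2, test3, test4 are invented.
LDIF = """\
dn: CN=Test One,CN=Users,DC=iol,DC=seamanpaper,DC=com
sAMAccountName: test1
uidNumber: 3100100
gidNumber: 3100000

dn: CN=Domain Users,CN=Users,DC=iol,DC=seamanpaper,DC=com
sAMAccountName: Domain Users
gidNumber: 3100000

dn: CN=Test Two,CN=Users,DC=iol,DC=seamanpaper,DC=com
sAMAccountName: test2
uidNumber: 3100100
gidNumber: 3100000

dn: CN=Test Three,CN=Users,DC=iol,DC=seamanpaper,DC=com
sAMAccountName: test3
uidNumber: 10000
gidNumber: 3100000

dn: CN=Test Four,CN=Users,DC=iol,DC=seamanpaper,DC=com
sAMAccountName: test4
uidNumber: 3100104
"""

RANGE_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def idmap_ranges(smb_conf: str) -> Dict[str, Tuple[int, int]]:
    """Map each idmap domain ('*' or a workgroup name) to its (low, high)."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in smb_conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Split LDIF text into records of attribute -> value (single-valued)."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if sep:
            current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def audit(smb_conf: str, ldif: str, domain: str) -> Dict[str, List[str]]:
    """Return {'out_of_range': [...], 'duplicate_uid': [...], 'uid_without_gid': [...]}
    for the given idmap domain; a missing key means that check found nothing."""
    low, high = idmap_ranges(smb_conf)[domain.upper()]
    problems: Dict[str, List[str]] = defaultdict(list)
    uid_owners: Dict[str, List[str]] = defaultdict(list)
    for rec in parse_ldif(ldif):
        name = rec.get("sAMAccountName", rec.get("dn", "?"))
        for attr in ("uidNumber", "gidNumber"):
            if attr in rec and not (low <= int(rec[attr]) <= high):
                problems["out_of_range"].append(f"{name}:{attr}={rec[attr]}")
        if "uidNumber" in rec:
            uid_owners[rec["uidNumber"]].append(name)
            if "gidNumber" not in rec:  # a user with no resolvable primary group
                problems["uid_without_gid"].append(name)
    for uid, owners in uid_owners.items():
        if len(owners) > 1:
            problems["duplicate_uid"].append(f"{uid}:{','.join(owners)}")
    return dict(problems)


if __name__ == "__main__":
    for kind, items in audit(SMB_CONF, LDIF, "IOL").items():
        print(kind, items)
```

Feeding it real output means exporting the records from the DC's directory with ldbsearch or ldapsearch, restricted to sAMAccountName, uidNumber and gidNumber, and pointing it at the member's smb.conf; the range check is the one that answers Rowland's last question directly.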
Jeff Dickens
2015-Nov-20 21:20 UTC
[Samba] Cannot chown file to active directory user/group on member server
On Wed, Nov 18, 2015 at 6:26 PM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 18/11/15 22:32, Jeff Dickens wrote:
>>
>> Ok, so I have it working, sort-of. It's kind of screwed up. Here's what I did, and then a couple of followup questions.
>>
>> On the DC I ran wbinfo -i to look at some existing groups:
>>
>> root at athens:/etc/pam.d# wbinfo -i domain\ guests
>> domain guests:*:3000012:3000012::/home/IOL/domain guests:/bin/false
>> root at athens:/etc/pam.d# wbinfo -i domain\ admins
>> domain admins:*:3000008:3000008::/home/IOL/domain admins:/bin/false
>> root at athens:/etc/pam.d# wbinfo -i domain\ users
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user domain users
>
> Never checked using those commands before, but I get virtually the same results
>
>> On a windows workstation, logged in as the domain administrator, I ran the "Active Directory Users and Computers" app. Under iol.seamanpaper.com (my domain) / Users I double-clicked on "Domain Users" and then clicked on the "Unix Attributes" tab. I selected the NIS domain (iol) and picked a gid that looked like it probably wasn't in use. Then I clicked on OK.
>>
>> Then I went to the user "Test One (test1 at ...)" under Users, double clicked on it and then clicked on "Unix Attributes". I picked the NIS domain, assigned a uid, a shell, a home directory and left the Primary group name/GID at "Domain Users".
>>
>> I then went back to the group "Domain Users" and when I clicked on "Unix Attributes" it gave me a box that said "Unwilling to Perform". Not unable, but unwilling. We laughed. But nevertheless I was able to select the Add button, choose the user "Test One" from the list of Available NIS Users and click add and ok.
>
> You don't need to do this.
>
>> Now on the member server I can do this:
>> root at florence:/root# wbinfo -i test1
>> test1:*:3100100:3100000:Test One:/home/test1:/bin/bash
>>
>> but not this:
>>
>> root at florence:/root# wbinfo -i domain\ users
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user domain users
>
> Exactly the same for me
>
>> I can also do this:
>>
>> root at florence:/root# touch file.txt
>> root at florence:/root# ls -l file.txt
>> -rw-r--r-- 1 root root 0 Nov 18 17:21 file.txt
>> root at florence:/root# chown test1 file.txt
>> root at florence:/root# ls -l file.txt
>> -rw-r--r-- 1 test1 root 0 Nov 18 17:21 file.txt
>> root at florence:/root#
>>
>> which was the point of the exercise.
>
> Good, this is how it is supposed to work.
>
>> This also works:
>>
>> root at florence:/root# getent group domain\ users
>> domain users:x:3100000:
>> root at florence:/root# chgrp domain\ users file.txt
>> root at florence:/root# ls -l file.txt
>> -rw-r--r-- 1 test1 domain users 0 Nov 18 17:21 file.txt
>> root at florence:/root#
>>
>> but... ): on the DC I see this:
>>
>> root at athens:~# wbinfo -i test1
>> test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
>> root at athens:~# wbinfo -i domain\ users
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user domain users
>> root at athens:~# getent group domain\ users
>> domain users:x:100:
>>
>> while on the member server I see this:
>>
>> root at florence:/root# wbinfo -i test1
>> test1:*:3100100:3100000:Test One:/home/test1:/bin/bash
>> root at florence:/root# wbinfo -i domain\ users
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user domain users
>> root at florence:/root# getent group domain\ users
>> domain users:x:3100000:
>>
>> So my questions are:
>>
>> How did I end up with different IDs for test1 on the DC and member server ?

Michael Adam suggested I do "net cache flush" and that seemed to resolve that problem:

DC:

jeff at athens:~$ getent group Domain\ Users
domain users:x:3100000:
jeff at athens:~$ getent passwd test1
test1:*:3100100:3100000:Test One:/home/IOL/test1:/bin/false

Member Server:

jeff at florence:~$ getent group Domain\ Users
domain users:x:3100000:
jeff at florence:~$ getent passwd test1
test1:*:3100100:3100000:Test One:/home/test1:/bin/bash

Well that's one down.

> Right, on the DC, Samba uses xidNumbers that are stored in idmap.ldb, unless you use uidNumber & gidNumber attributes. If you don't do anything and ask for a user's or group's info, you will get a number in the 3000000 range, but if you add the uidNumber & gidNumber attributes, you will get them instead, i.e. I use numbers starting at 10000
>
> root at dc1:~# getent group Domain\ Users
> SAMDOM\domain users:x:10000:
>
> root at dc1:~# getent passwd rowland
> SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> If I run the same two commands on a domain member:
>
> root at member1:~# getent group Domain\ Users
> domain_users:x:10000:dns-dc1,dns-dc2,dhcpduser,rowland,cifsuser,administrator,krbtgt
>
> root at member1:~# getent passwd rowland
> rowland:*:10000:10000::/home/rowland:/bin/bash
>
> Virtually the same info.
>
> This still doesn't answer why you are getting different info though.
>
> Have you set up nsswitch correctly and do you have the required libnss_winbind links in place ?
>
> Are the uid/gidNumbers you added inside the range you set in the domain member smb.conf ?
>
>> How can I list all the IDs already assigned on the member server?
>
> They aren't assigned on the member server, they are assigned in AD. You could write a short script to extract the uid/gidNumber attributes using ldaptools or ldbtools.
>
>> Why was there already a gid assigned for "Domain Admins" and "Domain Guests" but not for "Domain Users" ?
>
> They haven't, they have a xidNumber from idmap.ldb
>
>> What does "Unwilling to Perform" mean?
>
> Basically what it says, it cannot do what you are asking.
>
>> Do I need to set up the idmap backend on the DC ? Is that even possible?
>
> No, because this is what idmap.ldb and the underlying code is for; it is also the subject of an ongoing plea for it to be changed. At the moment the DC on the surface seems to work like the winbind 'rid' backend on a domain member (it is different, but at first glance it is very similar), i.e. a user or group has the ID set automatically and the Unix home directory and shell are set from templates; the only real visible difference is that on the DC the range is fixed and on a domain member you can set the start number.
>
> Now, when you add uidNumbers & gidNumbers, on the DC you stop using the xidNumbers from idmap.ldb, but you have to continue using the templates. However, on a domain member using the winbind 'ad' backend you can pull the full range of rfc2307 attributes; this includes the unixHomeDirectory & loginShell attributes, which allows having different homedir paths & shells for users.
>
> Note, xidNumbers are never used on a domain member, you need to use the 'ad', 'rid' or one of the other lesser used winbind backends.
>
> Again, any questions, please ask.
>
> Rowland
>
>> --
>> Jeff Dickens
>> IT Manager 978-632-1513

--
Jeff Dickens
IT Manager 978-632-1513