Ole,

Did you configure PAM to use AD as a users source? You need to have Winbind or SSSD or nslcd configured to access your AD + configure PAM + configure nsswitch.conf. Then you will have system users from AD (ie "getent passwd my-ad-account" would work).

Cheers,

mathias

2015-12-07 20:54 GMT+01:00 Rowland penny <rpenny at samba.org>:

> On 07/12/15 19:42, Ole Traupe wrote:
>>>> If I do this (rely on the user map file containing "!root BPN\Administrator BPN\administrator"), should I expect "id Administrator" to give anything?
>>>>
>>>> Ole
>>>
>>> Only on a Samba AD DC, you will not get anything from 'getent Administrator' on a Unix domain member, but remember, with the user map 'Administrator' becomes 'root' :-)
>>
>> Yes, and I can manage share permissions via ADUC due to the user mapping.
>>
>> But on the DCs I still get "No such user" (although I don't have any apparent problem).
>>
>> Ole
>
> Have you changed anything on the DCs? Are the winbind nss links in place? (not sure if this makes any difference, but I always create them)
>
> if I run 'id Administrator', I get:
>
> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(SAMdom\Group Policy Creator Owners),3000006(SAMDOM\Enterprise Admins),3000008(SAMDOM\Domain Admins),3000007(SAMDOM\Schema Admins)
>
> 'getent password Administrator' returns:
>
> SAMDOM\Administrator:*:0:100::/home/Administrator:/bin/bash
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
You are right! I haven't configured PAM for winbind on the DCs, probably because I don't need this.

Any reasons why I should, if I manage my domain from Windows ADUC and don't log-on to the DCs as Administrator locally?

Ole

On 08.12.2015 at 14:39, mathias dufresne wrote:
> Ole,
>
> Did you configure PAM to use AD as a users source? You need to have Winbind or SSSD or nslcd configured to access your AD + configure PAM + configure nsswitch.conf. Then you will have system users from AD (ie "getent passwd my-ad-account" would work).
>
> Cheers,
>
> mathias
>
> 2015-12-07 20:54 GMT+01:00 Rowland penny <rpenny at samba.org>:
>
>> On 07/12/15 19:42, Ole Traupe wrote:
>>>>> If I do this (rely on the user map file containing "!root BPN\Administrator BPN\administrator"), should I expect "id Administrator" to give anything?
>>>>>
>>>>> Ole
>>>>
>>>> Only on a Samba AD DC, you will not get anything from 'getent Administrator' on a Unix domain member, but remember, with the user map 'Administrator' becomes 'root' :-)
>>>
>>> Yes, and I can manage share permissions via ADUC due to the user mapping.
>>>
>>> But on the DCs I still get "No such user" (although I don't have any apparent problem).
>>>
>>> Ole
>>
>> Have you changed anything on the DCs? Are the winbind nss links in place? (not sure if this makes any difference, but I always create them)
>>
>> if I run 'id Administrator', I get:
>>
>> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(SAMdom\Group Policy Creator Owners),3000006(SAMDOM\Enterprise Admins),3000008(SAMDOM\Domain Admins),3000007(SAMDOM\Schema Admins)
>>
>> 'getent password Administrator' returns:
>>
>> SAMDOM\Administrator:*:0:100::/home/Administrator:/bin/bash
>>
>> Rowland
On 08/12/15 15:20, Ole Traupe wrote:
> You are right! I haven't configured PAM for winbind on the DCs, probably because I don't need this.
>
> Any reasons why I should, if I manage my domain from Windows ADUC and don't log-on to the DCs as Administrator locally?
>
> Ole

You only need to configure PAM on a DC if you intend to use the DC for anything other than Authentication.

Rowland
On any Linux system where you want to be able to use AD users as system users you need to configure PAM. This is because it is PAM which discusses with the tool you have chosen to retrieve user information from AD and then builds system users with this information.

I think you also need to configure PAM for file servers connected to some domain (AD or NT4) so that the underlying system knows which user (system user, ie uid, gid, groups...) accesses some shared file, to grant or refuse this access.

The short way to put it would be: to configure your system, configure PAM; without PAM configured only applications are configured: kinit could work, net command too, wbinfo also... but not getent, and so all applications relying on the system side won't work (example from your first post: the "id" command relies on getent/PAM/nss/don't ask precisely and so won't work).

This can't be completely true as the frontier between system and application is more than fine (PAM is an app after all and a system could do what you want it to do without PAM configured -> a Samba DC without PAM configured can be fully managed, just ACLs would lack beauty I expect).

2015-12-08 16:20 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:

> You are right! I haven't configured PAM for winbind on the DCs, probably because I don't need this.
>
> Any reasons why I should, if I manage my domain from Windows ADUC and don't log-on to the DCs as Administrator locally?
>
> Ole
>
> On 08.12.2015 at 14:39, mathias dufresne wrote:
>> Ole,
>>
>> Did you configure PAM to use AD as a users source? You need to have Winbind or SSSD or nslcd configured to access your AD + configure PAM + configure nsswitch.conf. Then you will have system users from AD (ie "getent passwd my-ad-account" would work).
>>
>> Cheers,
>>
>> mathias
>>
>> 2015-12-07 20:54 GMT+01:00 Rowland penny <rpenny at samba.org>:
>>
>>> On 07/12/15 19:42, Ole Traupe wrote:
>>>>>> If I do this (rely on the user map file containing "!root BPN\Administrator BPN\administrator"), should I expect "id Administrator" to give anything?
>>>>>>
>>>>>> Ole
>>>>>
>>>>> Only on a Samba AD DC, you will not get anything from 'getent Administrator' on a Unix domain member, but remember, with the user map 'Administrator' becomes 'root' :-)
>>>>
>>>> Yes, and I can manage share permissions via ADUC due to the user mapping.
>>>>
>>>> But on the DCs I still get "No such user" (although I don't have any apparent problem).
>>>>
>>>> Ole
>>>
>>> Have you changed anything on the DCs? Are the winbind nss links in place? (not sure if this makes any difference, but I always create them)
>>>
>>> if I run 'id Administrator', I get:
>>>
>>> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(SAMdom\Group Policy Creator Owners),3000006(SAMDOM\Enterprise Admins),3000008(SAMDOM\Domain Admins),3000007(SAMDOM\Schema Admins)
>>>
>>> 'getent password Administrator' returns:
>>>
>>> SAMDOM\Administrator:*:0:100::/home/Administrator:/bin/bash
>>>
>>> Rowland
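The thread comes down to whether the NSS side that 'getent passwd' and 'id' depend on is wired to winbind. The following check script is an added example (not from the thread, nor Samba's own tooling): it tests whether the passwd and group lines of an nsswitch.conf list winbind and whether the libnss_winbind.so.2 link Rowland mentions is present; the function names and the sample config it runs on are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): checks whether the NSS side that
# 'getent passwd' and 'id' rely on is wired to winbind on a DC or member.
# Function names and the sample nsswitch.conf below are constructed here.

# nss_has_winbind FILE DB -> exit 0 if the "DB:" line in FILE lists winbind
nss_has_winbind() {
    awk -v db="$2" '
        /^[ \t]*#/ { next }                          # skip comments
        $0 ~ ("^[ \t]*" db "[ \t]*:") {              # e.g. "passwd: files winbind"
            sub(/^[^:]*:/, "")                       # drop the "passwd:" key
            for (i = 1; i <= NF; i++) if ($i == "winbind") ok = 1
        }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# winbind_nss_lib DIR... -> exit 0 if libnss_winbind.so.2 exists in any DIR
# (the "winbind nss links" from the thread; usually /lib, /lib64 or /usr/lib)
winbind_nss_lib() {
    for d in "$@"; do
        [ -e "$d/libnss_winbind.so.2" ] && return 0
    done
    return 1
}

# nss_report FILE DIR... -> one line per check; returns the number of failures
nss_report() {
    f=$1; shift
    fails=0
    for db in passwd group; do
        if nss_has_winbind "$f" "$db"; then
            echo "ok:   $db line uses winbind"
        else
            echo "FAIL: $db line lacks winbind in $f"; fails=$((fails + 1))
        fi
    done
    if winbind_nss_lib "$@"; then
        echo "ok:   libnss_winbind.so.2 found"
    else
        echo "FAIL: libnss_winbind.so.2 missing (nss link not created)"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Stand-alone demo on a constructed config where only passwd is wired to winbind.
demo=$(mktemp -d)
printf 'passwd: files winbind\ngroup:  files\n' > "$demo/nsswitch.conf"
nss_report "$demo/nsswitch.conf" "$demo" || echo "$? check(s) failed"
```

On a real host run nss_report against /etc/nsswitch.conf and the system library directories; a FAIL on the passwd line is exactly the condition under which 'id Administrator' reports "No such user" even though Samba itself works.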