On any Linux system where you want to be able to use AD users as system
users you need to configure PAM. This is because it is PAM which talks with
the tool you have chosen to retrieve user information from AD and then
build system users with this information.

I think you also need to configure PAM for file servers connected to some
domain (AD or NT4) so the underlying system knows which user (system
user, ie uid, gid, groups...) accesses some shared file, to grant or
refuse this access.

The short way to put it would be: to configure your system configure PAM,
without PAM configured only applications are configured: kinit could work,
net command too, wbinfo also... but not getent and so all applications
relying on the system side won't work (example from your first post: the "id"
command relies on getent/PAM/nss/don't ask precisely and so won't work).

This can't be completely true as the frontier between system and application is
more than fine (PAM is an app after all and a system could do what you want
it does without PAM configured -> a Samba DC without PAM configured can be
fully managed, just ACLs would lack beauty I expect).

2015-12-08 16:20 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
> You are right! I haven't configured PAM for winbind on the DCs, probably
> because I don't need this.
>
> Any reasons why I should, if I manage my domain from Windows ADUC and
> don't log-on to the DCs as Administrator locally?
>
> Ole
>
> On 08.12.2015 at 14:39 mathias dufresne wrote:
>> Ole,
>>
>> Did you configure PAM to use AD as a users source? You need to have
>> Winbind or SSSD or nslcd configured to access your AD + configure PAM +
>> configure nsswitch.conf. Then you will have system users from AD (ie "getent
>> passwd my-ad-account" would work).
>>
>> Cheers,
>>
>> mathias
>>
>> 2015-12-07 20:54 GMT+01:00 Rowland penny <rpenny at samba.org>:
>>> On 07/12/15 19:42, Ole Traupe wrote:
>>>>>> If I do this (rely on the user map file containing "!root
>>>>>> BPN\Administrator BPN\administrator"), should I expect "id
>>>>>> Administrator" to give anything?
>>>>>>
>>>>>> Ole
>>>>>
>>>>> Only a Samba AD DC, you will not get anything from 'getent
>>>>> Administrator' on a Unix domain member, but remember, with the user map
>>>>> 'Administrator' becomes 'root' :-)
>>>>
>>>> Yes, and I can manage share permissions via ADUC due to the user
>>>> mapping.
>>>>
>>>> But on the DCs I still get "No such user" (although I don't have any
>>>> apparent problem).
>>>>
>>>> Ole
>>>
>>> Have you changed anything on the DCs? Are the winbind nss links in
>>> place? (not sure if this makes any difference, but I always create them)
>>>
>>> if I run 'id Administrator', I get:
>>>
>>> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(SAMdom\Group
>>> Policy Creator Owners),3000006(SAMDOM\Enterprise
>>> Admins),3000008(SAMDOM\Domain Admins),3000007(SAMDOM\Schema Admins)
>>>
>>> 'getent password Administrator' returns:
>>>
>>> SAMDOM\Administrator:*:0:100::/home/Administrator:/bin/bash
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
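The recipe above (winbind/SSSD + nsswitch.conf) and Rowland's getent output both come down to what NSS resolves. The following is an added example, not code from the thread or from Samba: it checks an nsswitch.conf for an AD-capable source per database and lists accounts that resolve to uid 0 under a name other than root (the user map deliberately creates one such alias). It runs on constructed sample files in a temp directory; on a real host pass /etc/nsswitch.conf and a file holding `getent passwd` output.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. Two NSS-side checks
# for an AD-joined Unix host, run here on constructed sample files; on a real
# host pass /etc/nsswitch.conf and a file holding `getent passwd` output.

# Print the sources configured for one database ("$2", e.g. passwd or group)
# in the nsswitch.conf at "$1", e.g. "files winbind".
nss_sources() {
    awk -v db="$2" '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed (exit 0) only if the database is served by winbind or sssd, i.e.
# getent/id will see AD accounts for it; fail otherwise.
nss_has_ad_source() {
    nss_sources "$1" "$2" | grep -Eqw 'winbind|sss'
}

# From passwd-format lines in "$1", print every account name that resolves
# to uid 0 without being literally "root". The thread's user map
# ("!root BPN\Administrator") produces exactly one such alias on the DC;
# any other entry is an unexpected root-equivalent account worth a look.
uid0_aliases() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# --- constructed sample data, modelled on the thread, not captured ---
tmp=$(mktemp -d)
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:         files winbind
group:          files winbind
shadow:         files
hosts:          files dns
EOF
cat > "$tmp/passwd.txt" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
SAMDOM\Administrator:*:0:100::/home/Administrator:/bin/bash
SAMDOM\alice:*:3000010:100::/home/SAMDOM/alice:/bin/bash
EOF

echo "passwd sources: $(nss_sources "$tmp/nsswitch.conf" passwd)"
nss_has_ad_source "$tmp/nsswitch.conf" passwd && echo "passwd: AD source present"
nss_has_ad_source "$tmp/nsswitch.conf" shadow || echo "shadow: no AD source (expected)"
echo "uid 0 aliases:"; uid0_aliases "$tmp/passwd.txt"
```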
On 08/12/15 16:02, mathias dufresne wrote:
> On any Linux system where you want to be able to use AD users as system
> users you need to configure PAM. This is because it is PAM which talks with
> the tool you have chosen to retrieve user information from AD and then
> build system users with this information.

It may be better if you stop calling local Unix users 'system users',
system users are something else, i.e. 'root' is a system user, as is
'www-data'

> I think you also need to configure PAM for file servers connected to some
> domain (AD or NT4) so the underlying system knows which user (system
> user, ie uid, gid, groups...) accesses some shared file, to grant or
> refuse this access.

Yes, if you need to connect to a Unix machine, the Unix OS needs to know
whoever is trying to connect.

> The short way to put it would be: to configure your system configure PAM,
> without PAM configured only applications are configured: kinit could work,
> net command too, wbinfo also... but not getent and so all applications
> relying on the system side won't work (example from your first post: the "id"
> command relies on getent/PAM/nss/don't ask precisely and so won't work).
>
> This can't be completely true as the frontier between system and application is
> more than fine (PAM is an app after all and a system could do what you want
> it does without PAM configured -> a Samba DC without PAM configured can be
> fully managed, just ACLs would lack beauty I expect).

PAM is just part of the system, in fact some systems don't use PAM, but
the majority of Unix systems use it because it makes life easier.

Rowland
I see, thank you!

On 08.12.2015 at 17:02 mathias dufresne wrote:
> On any Linux system where you want to be able to use AD users as system
> users you need to configure PAM. This is because it is PAM which talks with
> the tool you have chosen to retrieve user information from AD and then
> build system users with this information.
>
> I think you also need to configure PAM for file servers connected to some
> domain (AD or NT4) so the underlying system knows which user (system
> user, ie uid, gid, groups...) accesses some shared file, to grant or
> refuse this access.
>
> The short way to put it would be: to configure your system configure PAM,
> without PAM configured only applications are configured: kinit could work,
> net command too, wbinfo also... but not getent and so all applications
> relying on the system side won't work (example from your first post: the "id"
> command relies on getent/PAM/nss/don't ask precisely and so won't work).
>
> This can't be completely true as the frontier between system and application is
> more than fine (PAM is an app after all and a system could do what you want
> it does without PAM configured -> a Samba DC without PAM configured can be
> fully managed, just ACLs would lack beauty I expect).
2015-12-08 17:15 GMT+01:00 Rowland penny <rpenny at samba.org>:
> On 08/12/15 16:02, mathias dufresne wrote:
>> On any Linux system where you want to be able to use AD users as system
>> users you need to configure PAM. This is because it is PAM which talks with
>> the tool you have chosen to retrieve user information from AD and then
>> build system users with this information.
>
> It may be better if you stop calling local Unix users 'system users',
> system users are something else, i.e. 'root' is a system user, as is
> 'www-data'

System users are users available from the system side. Local users are users
declared in /etc/passwd. What is the point of your remark?

>> I think you also need to configure PAM for file servers connected to some
>> domain (AD or NT4) so the underlying system knows which user (system
>> user, ie uid, gid, groups...) accesses some shared file, to grant or
>> refuse this access.
>
> Yes, if you need to connect to a Unix machine, the Unix OS needs to know
> whoever is trying to connect.
>
>> The short way to put it would be: to configure your system configure PAM,
>> without PAM configured only applications are configured: kinit could work,
>> net command too, wbinfo also... but not getent and so all applications
>> relying on the system side won't work (example from your first post: the "id"
>> command relies on getent/PAM/nss/don't ask precisely and so won't work).
>>
>> This can't be completely true as the frontier between system and application
>> is more than fine (PAM is an app after all and a system could do what you
>> want it does without PAM configured -> a Samba DC without PAM configured can
>> be fully managed, just ACLs would lack beauty I expect).
>
> PAM is just part of the system, in fact some systems don't use PAM, but
> the majority of Unix systems use it because it makes life easier.
>
> Rowland