Jules Houantonon
2016-Apr-05 13:32 UTC
[Samba] chgrp "Domain Admins" on folder return invalid group "Domain Admins"
Thank you Rowland for your mail.

My aim is to create a fileserver with samba4 and with ACLs supported. Users must log on through their Windows machines that are in the domain to access their shares.

The Samba HOWTO and your explanations opened my eyes to the interaction between Samba users and groups and the Linux OS.

From ADUC, I assigned a Unix attribute to a user account, and it is automatically given 10000 as its UID; the getent command still does not display it.

So in my plan, users should only exist in Active Directory. Does that mean that getent can still display user or group information that will only exist in AD?

Sorry if I am missing something.

Thank you

On Tue, Apr 5, 2016 at 2:03 PM, Rowland penny <rpenny at samba.org> wrote:

> On 05/04/16 13:46, Jules Houantonon wrote:
>
>> Dear all,
>>
>> thank you for your previous mails. They really helped me.
>>
>> Denis, following your mail and thanks to the link, I configured my
>> /etc/nsswitch.conf file by adding winbind to the user and group lines and
>> executed the winbindd command.
>>
>> As I installed samba4 from the sernet package, init scripts are created for
>> starting AD, smbd, nmbd and winbindd. But I read that smbd, nmbd and
>> winbindd should be disabled to start samba4 in AD mode. There was even a
>> warning generated if the winbindd service was kept started. So I did
>> not touch them, as they are disabled.
>
> It has been some time since I used a Sernet package, but I seem to remember
> that it came with an init script to start the 'samba' daemon and this will
> start any other required daemons, try looking in /etc/init.d
>
>> But after making the nsswitch.conf changes, I am able to execute chgrp
>> "domain admins" /home/demo successfully and ls -l /home displays the
>> permission with the suitable group.
>>
>> wbinfo -u also returns the users created from AD, and wbinfo -g also displays
>> the AD domain groups.
>
> All 'wbinfo' shows is that winbindd is running, you need to get 'getent
> passwd' to show users and 'getent group' to show groups. Any users & groups
> that getent does not show, are unknown to the underlying Unix OS.
>
>> I suppose that things are OK now.
>>
>> But when I try getent passwd
>> I do not have domain users displayed. Only local user accounts appear.
>
> You normally need to give any users that you need to be visible to Unix, a
> unique uidNumber attribute, but on a DC you should get an xidNumber in the
> 3000000 range.
>
> Do you have users in /etc/passwd that are in AD ?
> If so, choose where you want the user to exist and delete the other, they
> cannot be in both databases.
>
> Rowland

--
Jules HOUANTONON
Rowland penny
2016-Apr-05 13:52 UTC
[Samba] chgrp "Domain Admins" on folder return invalid group "Domain Admins"
On 05/04/16 14:32, Jules Houantonon wrote:

> Thank you Rowland for your mail.
>
> My aim is to create a fileserver with samba4 and with ACLs supported.
> Users must log on through their Windows machines that are in the domain
> to access their shares.
>
> The Samba HOWTO and your explanations opened my eyes to the interaction
> between Samba users and groups and the Linux OS.
>
> From ADUC, I assigned a Unix attribute to a user account, and it is
> automatically given 10000 as its UID; the getent command still does not
> display it.

The next one should get 10001

> So in my plan, users should only exist in Active Directory. Does that
> mean that getent can still display user or group information that will
> only exist in AD?

getent will display users known to the underlying OS, this is done by specifying what methods to use in /etc/nsswitch.conf. For users, there is a line that starts 'passwd', this normally contains 'compat ' or 'files' and will mean 'getent passwd auser' will return the user's info found in the file /etc/passwd. If you want to use a different method to get a user's info, you would add it after 'compat ' or 'files' i.e. to use winbind 'passwd compat winbind'. This would mean that when you run 'getent passwd auser', the user would be found by first searching in /etc/passwd (this is why you cannot have users in /etc/passwd & AD) and then by asking winbind.

On a DC, winbind would assign an xidNumber and then store it in idmap.ldb *or* you can give each user a 'uidNumber' and then this will be used instead, only problem is that the old xidNumber will take precedence for a time, but you can short circuit this by running:

    net cache flush

> Sorry if I am missing something.
>
> Thank you
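Added example (not part of the original thread): a POSIX shell check for the two conditions described in the message above, namely whether winbind is listed for a database in nsswitch.conf and whether an account name exists both in the local passwd file and in AD. The helper names, the EXAMPLE domain and the sample files are constructed for illustration; on a real host the AD name list would be the saved output of `wbinfo -u`.

```shell
#!/bin/sh
# Added example; helper names and sample data are constructed, not from the thread.

# Print the lookup sources configured for one NSS database, one per line.
nss_sources() {  # $1 = database (passwd, group), $2 = nsswitch.conf path
    awk -v db="$1:" '$1 == db {
        for (i = 2; i <= NF; i++) { if ($i ~ /^#/) break; print $i }
    }' "$2"
}

# Succeed only if winbind is among the sources for that database.
nss_has_winbind() {
    nss_sources "$1" "$2" | grep -qx winbind
}

# Print AD account names that also exist in the local passwd file. Because the
# local source is searched first, such an account resolves to the local UID.
shadowed_users() {  # $1 = passwd file, $2 = AD names (as printed by wbinfo -u)
    awk -F: 'NR == FNR { seen[$1] = 1; next }
             { sub(/^.*\\/, ""); if ($0 in seen) print }' "$1" "$2"
}

# Write constructed sample files into directory $1.
make_sample() {
    printf 'passwd: compat winbind\ngroup:  compat\n' > "$1/nsswitch.conf"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'demo:x:1001:1001::/home/demo:/bin/sh' > "$1/passwd"
    printf '%s\n' 'EXAMPLE\administrator' 'EXAMPLE\demo' > "$1/ad_users"
}

tmp=$(mktemp -d)
make_sample "$tmp"
for db in passwd group; do
    nss_has_winbind "$db" "$tmp/nsswitch.conf" || echo "$db: winbind not listed"
done
shadowed_users "$tmp/passwd" "$tmp/ad_users" | sed 's/^/in both local passwd and AD: /'
rm -rf "$tmp"
```

An account reported by `shadowed_users` is one where file ownership and ACLs set from Linux would bind to the local UID rather than the AD identity.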
Jules Houantonon
2016-Apr-05 14:22 UTC
[Samba] chgrp "Domain Admins" on folder return invalid group "Domain Admins"
Thank you Rowland,

I did not change my existing configuration, as I have already indicated the winbind value on both the passwd and group lines in nsswitch.conf.

But I executed the net cache flush command and then tried the getent command by providing the user name, and it works. It provides output for a demo account that is only created in AD and has a Unix attribute assigned:

    # getent passwd demo
    demo:*:10001:10001:demo demo:/home/DEMO/demo:/bin/false

So now, I should be able to define file or folder rights from the Linux OS with AD users.

I think that we can consider this subject solved, with your permission.

Many thanks again

On Tue, Apr 5, 2016 at 2:52 PM, Rowland penny <rpenny at samba.org> wrote:

> On 05/04/16 14:32, Jules Houantonon wrote:
>
>> Thank you Rowland for your mail.
>>
>> My aim is to create a fileserver with samba4 and with ACLs supported.
>> Users must log on through their Windows machines that are in the domain
>> to access their shares.
>>
>> The Samba HOWTO and your explanations opened my eyes to the interaction
>> between Samba users and groups and the Linux OS.
>>
>> From ADUC, I assigned a Unix attribute to a user account, and it is
>> automatically given 10000 as its UID; the getent command still does not
>> display it.
>
> The next one should get 10001
>
>> So in my plan, users should only exist in Active Directory. Does that
>> mean that getent can still display user or group information that will
>> only exist in AD?
>
> getent will display users known to the underlying OS, this is done by
> specifying what methods to use in /etc/nsswitch.conf. For users, there is a
> line that starts 'passwd', this normally contains 'compat ' or 'files' and
> will mean 'getent passwd auser' will return the user's info found in the
> file /etc/passwd. If you want to use a different method to get a
> user's info, you would add it after 'compat ' or 'files' i.e. to use winbind
> 'passwd compat winbind'. This would mean that when you run 'getent passwd
> auser', the user would be found by first searching in /etc/passwd (this is
> why you cannot have users in /etc/passwd & AD) and then by asking winbind.
> On a DC, winbind would assign an xidNumber and then store it in idmap.ldb
> *or* you can give each user a 'uidNumber' and then this will be used
> instead, only problem is that the old xidNumber will take precedence for a
> time, but you can short circuit this by running:
>
>     net cache flush
>
>> Sorry if I am missing something.
>>
>> Thank you

--
Jules HOUANTONON