centos workstation: smb.conf >>
# Domain-member configuration (security = ads) posted for the CentOS workstation.
[global]
workgroup = LAB
realm = LAB.LOCAL
security = ads
# Only a range is given for the default (*) idmap domain; no backend line and
# no per-domain "idmap config LAB" block appear in this listing.
# 16777216, the ID asked about in the reply quoted at the end of the page, is
# the first value of this range.
idmap config * : range = 16777216-33554431
# %U is replaced by the session user name.
template homedir = /home/LAB/%U
template shell = /bin/bash
# Domain users are presented without the LAB prefix.
winbind use default domain = true
winbind offline logon = false
Samba Domain Server : smb.conf>>
# NOTE(review): per the reply quoted at the end of the page, this listing
# appears to be "samba-tool testparm -v" output rather than the file on disk,
# so explicitly set values and built-in defaults cannot be told apart here.
[global]
idmap cache time = 604800
idmap negative cache time = 120
# The LAB and * domains below are given the same range (2000000-9999999);
# idmap ranges of different domains are expected not to overlap.
idmap config LAB : range = 2000000-9999999
idmap config LAB : default = yes
idmap config LAB : backend = ad
idmap config LAB : readonly = no
idmap config LAB : schema_mode = rfc2307
idmap config LAB : cache time = 3600
idmap config * : default = yes
idmap config * : readonly = no
idmap config * : schema_mode = rfc2307
idmap config * : backend = tdb
idmap config * : range = 2000000-9999999
# Lets the DC use RFC2307 uidNumber/gidNumber attributes stored in the directory.
idmap_ldb:use rfc2307 = yes
# NOTE(review): "all" reads as an idmap domain literally named "all" - confirm
# this is intended and not a leftover.
idmap config all : readonly = yes
idmap config all : default = yes
idmap config all : backend = tdb
# Legacy authentication is accepted: NTLMv1 (ntlm auth) and LANMAN
# (lanman auth) responses are weak and cheap to crack once captured.
# Turning both off leaves NTLMv2 and Kerberos, if no legacy client needs them.
ntlm auth = Yes
lanman auth = Yes
# Accepts NTLMv2 that is not wrapped in SPNEGO (old SMB1-style clients).
raw NTLMv2 auth = Yes
client NTLMv2 auth = Yes
client lanman auth = Yes
server max protocol = SMB3
# The two minimums below keep SMB1-era dialects (LANMAN1, CORE) negotiable.
# Raising them to SMB2 or later removes those dialects from negotiation.
server min protocol = LANMAN1
server multi channel support = No
client max protocol = default
client min protocol = CORE
# 0 applies no additional restriction to anonymous (null session) access.
restrict anonymous = 0
# NOTE(review): USER is shown here although "server role" further down is
# "active directory domain controller" - confirm against the real file.
security = USER
# Listening is limited to the loopback interface and ens192.
bind interfaces only = Yes
interfaces = lo ens192
# Each of the two settings below is wrapped over three lines in this paste,
# with no continuation character; read each as one logical line.
# NOTE(review): "auth methods" (empty) and "server services" look merged into
# one parameter name on the first line - verify against the real file.
auth methods server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl,
winbindd, ntp_signd, kcc, dnsupdate
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon,
lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, remote,
dnsserver
# The keytab holds long-term Kerberos keys; it should be readable by root only.
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind max clients = 500
winbindd:use external pipes = true
winbind cache time = 300
winbind reconnect delay = 30
winbind request timeout = 60
winbind max domain connections = 1
winbindd socket directory = /usr/local/samba/var/run/winbindd
# The next parameter lost its "=" in the paste; its value is on the line after.
winbindd privileged socket directory
/usr/local/samba/var/lib/winbindd_privileged
# Enumeration of all domain users and groups is enabled.
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind trusted domains only = No
winbind nested groups = Yes
winbind expand groups = 10
winbind nss info = rfc2307
winbind refresh tickets = Yes
# Offline logon keeps cached credentials on this host.
winbind offline logon = Yes
winbind normalize names = Yes
winbind sealed pipes = Yes
winbind rpc only = Yes
wins proxy = Yes
wins support = Yes
obey pam restrictions = No
# "no" lets the LDAP server accept simple binds and unsigned SASL binds on
# unencrypted connections, so credentials can cross the network in clear text.
# The same setting is repeated further down in this listing.
ldap server require strong auth = no
dos charset = CP850
unix charset = UTF-8
workgroup = LAB
realm = LAB.LOCAL
# NOTE(review): the NetBIOS name equals the workgroup name; possibly a result
# of names being substituted before posting - confirm.
netbios name = LAB
# "netbios scope" (empty) and "server string" look merged on the next line.
netbios scope server string = LAB Samba Server
# ALL places no restriction on which hosts may connect.
hosts allow = ALL 127.0.0.1
guest ok = No
server role = active directory domain controller
# Suppresses the start-up check tied to the AD DC server role.
server role check:inhibit = yes
# auth:10 is the most verbose debug level for authentication; the logs can
# hold sensitive detail and should not be world-readable.
log level = 3 passdb:3 auth:10 winbind:2
log file = /var/log/samba/log.%m
rndc command = /usr/sbin/rndc
# 0 removes the size limit, so verbose logging can fill the disk.
max log size = 0
# "set primary group script" (empty) and "logging" look merged on the next line.
set primary group script logging = file
# Unauthenticated dynamic DNS updates are accepted as well as secure ones;
# "secure only" restricts updates to authenticated clients.
allow dns updates = nonsecure and secure
dns update command = /usr/local/samba/sbin/samba_dnsupdate
pam password change = Yes
smb ports = 445 139
nbt port = 137
kpasswd port = 464
krb5 port = 88
web port = 901
# "nbt port" appears a second time here with the same value.
nbt port = 137
dgram port = 138
cldap port = 389
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
# Browsing / master-browser election settings.
domain logons = Yes
os level = 255
preferred master = Yes
local master = Yes
domain master = Yes
# Printing settings (CUPS back end; printers are not auto-loaded).
load printers = No
use client driver = No
show add printer wizard = Yes
printcap cache time = 0
printcap name = cups
cups encrypt = No
cups connection timeout = 60
disable spoolss = No
min print space = 0
max reported print jobs = 0
max print jobs = 1000
print notify backchannel = No
printing = cups
cups options = raw
default devmode = Yes
force printername = Yes
printjob username = %U
lpq cache time = 30
spoolss: architecture = Windows x64
# Log line decoration: timestamps are on; pid, uid and debug class are off.
debug timestamp = Yes
debug prefix timestamp = No
debug hires timestamp = Yes
debug pid = No
debug uid = No
debug class = No
timestamp logs = Yes
require strong key = Yes
allow dcerpc auth level connect = No
client ipc signing = default
client ipc max protocol = default
client ipc min protocol = default
nsupdate command = /usr/bin/nsupdate -g
dns proxy = No
allow trusted domains = Yes
# Logins with an unknown user name are mapped to the guest account (nobody).
# The shares shown on this page do not enable guest access.
guest account = nobody
map to guest = Bad User
guest only = No
config backend = file
encrypt passwords = Yes
smb passwd file = /usr/local/samba/private/smbpasswd
# The private directory holds secrets; it should be accessible to root only.
private dir = /usr/local/samba/private
algorithmic rid base = 1000
passdb expand explicit = No
passdb backend = tdbsam
passwd chat debug = No
passwd chat timeout = 2
# With "unix password sync = Yes" below, this program is run as root when a
# password is changed.
passwd program = /usr/local/samba/bin/smbpasswd %u
# The chat string is wrapped over two lines in this paste.
passwd chat = *New*password* %n\n *ReType*new*password*
%n\n*passwd:*all*authentication*tokens*updated*successfully*
# NOTE(review): host label equals the domain label (LAB.LAB.local); possibly a
# result of names being substituted before posting - confirm.
password server = LAB.LAB.local
old password allowed period = 120
unix password sync = Yes
client plaintext auth = No
map untrusted to domain = Yes
# Core dumps of Samba processes can contain keys and password material;
# restrict access to wherever they are written.
enable core files = Yes
large readwrite = Yes
unicode = Yes
read raw = Yes
write raw = Yes
disable netbios = No
reset on zero vc = No
log writeable files on exit = No
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
max mux = 50
max xmit = 32768
name resolve order = lmhosts wins host bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
min receivefile size = 16384
# "time server" appears twice with conflicting values; which one applies
# depends on how the file is parsed - keep only the intended line.
time server = Yes
time server = No
unix extensions = Yes
# SMB signing is required in both directions.
server signing = mandatory
client signing = mandatory
# Auto negotiates the netlogon secure channel instead of requiring it;
# "yes" enforces it.
client schannel = Auto
server schannel = Auto
client use spnego = Yes
client ldap sasl wrapping = sign
enable asu support = No
rpc big endian = No
deadtime = 0
getwd cache = Yes
keepalive = 300
smbd profiling level = off
spotlight = No
max smbd processes = 0
max disk size = 0
max open files = 65535
use mmap = Yes
hostname lookups = No
name cache timeout = 3600
clustering = No
ctdb timeout = 0
ctdb locktime warn threshold = 0
smb2 max read = 8388608
smb2 max write = 8388608
smb2 max trans = 8388608
smb2 max credits = 8192
mangling method = hash2
mangle prefix = 1
max stat cache size = 256
stat cache = Yes
machine password timeout = 604800
username map cache time = 0
username level = 0
init logon delay = 100
lm announce = Auto
lm interval = 60
browse list = Yes
enhanced browsing = Yes
smb2 leases = Yes
# Several lines in this run look like an empty-valued parameter merged with
# the parameter that followed it (for example "ldap admin dn" with
# "ldap connection timeout"); verify each against the real file.
ldap admin dn ldap connection timeout = 2
ldap delete dn = No
ldap deref = auto
ldap follow referral = Auto
# The next two lines read as one wrapped run ending in "ldap page size = 1000".
ldap group suffix ldap idmap suffix ldap machine suffix ldap
page size = 1000
ldap passwd sync = no
ldap replication sleep = 1000
# Second occurrence: simple and unsigned binds are accepted on unencrypted
# LDAP connections.
ldap server require strong auth = No
ldap ssl = start tls
ldap ssl ads = No
ldap suffix ldap timeout = 15
ldap user suffix ldap debug level = 0
ldap debug threshold = 10
# Run-time and state directories under the /usr/local/samba prefix.
lock directory = /usr/local/samba/var/lock
state directory = /usr/local/samba/var/locks
cache directory = /usr/local/samba/var/cache
pid directory = /usr/local/samba/var/run
ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd
utmp = No
nmbd bind explicit broadcast = Yes
homedir map = auto.home
afs token lifetime = 604800
afs share = No
NIS homedir = No
registry shares = No
# User-defined shares are effectively off (max shares = 0).
usershare allow guests = No
usershare max shares = 0
usershare owner only = Yes
usershare path = /usr/local/samba/var/locks/usershares
async smb echo handler = No
template homedir = /home/%D/%U
template shell = /bin/bash
create krb5 conf = Yes
ncalrpc dir = /usr/local/samba/var/run/ncalrpc
neutralize nt4 emulation = No
# "No" keeps netlogon peers that lack AES support (MD5-based secure channel)
# acceptable; "Yes" rejects them.
reject md5 servers = No
reject md5 clients = No
# "set quota command" (empty) and "multicast dns register" look merged below.
set quota command multicast dns register = Yes
samba kcc command = /usr/local/samba/sbin/samba_kcc
spn update command = /usr/local/samba/sbin/samba_spnupdate
share backend = classic
allow nt4 crypto = No
# TLS material for the built-in LDAP server; the key file is a private key
# and should be readable by root only.
tls enabled = Yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
# "tls crlfile" and "tls dh params file" (both empty) look merged with
# "tls verify peer", whose value is wrapped onto the following line.
tls crlfile tls dh params file tls verify peer =
as_strict_as_possible
# Only SSL 3.0 is removed from the library's NORMAL priority set.
tls priority = NORMAL:-VERS-SSL3.0
# RPC service placement (embedded in smbd, external, or forked daemon).
rpc_server:tcpip = no
rpc_daemon:spoolssd = fork
rpc_server:default = external
rpc_server:spoolss = external
rpc_server:svcctl = embedded
rpc_server:srvsvc = embedded
rpc_server:eventlog = embedded
rpc_server:ntsvcs = embedded
rpc_server:winreg = embedded
spoolssd:prefork_child_min_life = 60
spoolssd:prefork_max_allowed_clients = 200
spoolssd:prefork_spawn_rate = 5
# NOTE(review): the trailing "#" is part of the posted value - likely a stray
# character; confirm against the real file.
spoolssd:prefork_max_children = 75#
spoolssd:prefork_min_children = 5
# Share-level defaults as listed in [global]; individual shares can override them.
acl group control = No
acl map full control = Yes
acl allow execute always = No
force unknown acl user = No
inherit permissions = No
inherit acls = No
inherit owner = No
map acl inherit = No
nt acl support = Yes
profile acls = No
administrative share = No
allocation roundup size = 1048576
aio read size = 16384
aio write size = 16384
aio max threads = 100
ea support = No
# "default" leaves SMB encryption to negotiation; it is not required.
smb encrypt = default
durable handles = Yes
block size = 1024
change notify = Yes
directory name cache size = 100
kernel change notify = Yes
max connections = 0
strict allocate = No
strict rename = No
strict sync = No
sync always = No
use sendfile = No
write cache size = 0
default case = lower
case sensitive = Auto
preserve case = Yes
short preserve case = Yes
mangling char = ~
hide dot files = Yes
hide special files = No
hide unreadable = No
hide unwriteable files = No
delete veto files = No
map archive = No
map hidden = No
map system = No
map readonly = No
mangled names = Yes
# "mangling char" appears a second time here with the same value.
mangling char = ~
store dos attributes = Yes
dmapi support = No
browseable = Yes
access based share enum = No
blocking locks = Yes
csc policy = manual
lock spin time = 200
oplock break wait time = 0
fake oplocks = No
kernel oplocks = No
kernel share modes = Yes
locking = Yes
oplocks = Yes
level2 oplocks = Yes
oplock contention limit = 2
posix locking = Yes
strict locking = Auto
dfree cache time = 0
preexec close = No
root preexec close = No
available = Yes
fstype = NTFS
# Symlinks are followed, but with wide links off they cannot lead outside the
# exported directory tree.
wide links = No
allow insecure wide links = No
follow symlinks = Yes
delete readonly = No
dos filemode = No
dos filetimes = Yes
dos filetime resolution = No
fake directory create times = No
host msdfs = Yes
msdfs root = No
msdfs shuffle referrals = No
ntvfs handler = unixuid, default
# File-access auditing through the full_audit VFS module.
vfs objects = dfs_samba4 acl_xattr full_audit
# Every audit record is prefixed with client IP, user, machine and share name.
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
# Only failed connect/disconnect operations are recorded; failed opens,
# writes or deletes (for example access-denied attempts) are not logged.
full_audit:failure = connect disconnect
# The success list is wrapped over three lines in this paste.
full_audit:success = connect disconnect opendir mkdir rmdir closedir
open close read pread write pwrite sendfile rename unlink chmod fchmod
chown fchown chdir ftruncate lock symlink readlink link mknod
# NOTE(review): "full_audit:LAB" is presumably "full_audit:facility" with the
# word replaced when names were substituted before posting - confirm.
full_audit:LAB = local5
full_audit:priority = notice
# Per-user home directories, limited to members of Domain Users.
[homes]
comment = Home Directories
path = /mnt/storage/homes/%U
browseable = No
hide files = /Recycle Bin/
# Blocks files with these extensions from being created or seen; presumably a
# blocklist of ransomware file extensions.
veto files = /*.encrypted/*.ecc/*.ccc/
# Members of Domain Admins act as root on this share, regardless of file
# permissions.
admin users = "@Domain Admins"
# create mask removes bits, force create mode then adds bits: new files end
# up with at least 0660 despite the 0644 mask.
create mask = 0644
force create mode = 0660
force directory mode = 0770
read only = No
valid users = "@Domain Users"
# Deleted files are moved to a per-share recycle bin instead of being removed.
vfs objects = acl_xattr full_audit recycle
recycle:repository = Recycle Bin
recycle:keeptree = yes
recycle:minsize = 0
recycle:maxsize = 0
recycle:touch = yes
recycle:touch_mtime = yes
recycle:versions = yes
# The next parameter lost its "=" in the paste; its value is on the line after.
recycle:exclude
*.tmp|*.temp|*.o|*.obj|~$*|*.??|*.log|*.trace|*.TMP|*.ASV|*.$$$|*.asv
recycle:excludedir = /Recycle Bin
recycle:noversions = *.tmp|*.temp|*.dat|*.ini
recycle:mode = KEEP_DIRECTORIES|VERSION|TOUCH
# Roaming-profile share. No "valid users" line is present, so access depends
# on the global settings and on filesystem permissions/ACLs.
[profiles]
comment = Network Profiles Share
path = /mnt/storage/profiles
profile acls = Yes
browseable = No
# create mask removes bits, force create mode then adds bits: new files end
# up with at least 0660 despite the 0644 mask.
create mask = 0644
force create mode = 0660
force directory mode = 0770
read only = No
# Logon scripts are served to domain clients from this share.
[netlogon]
comment = Network Netlogon Share
path = /usr/local/samba/var/locks/sysvol/LAB.local/scripts
browseable = No
# The share is writable at the SMB level; who can actually write is decided
# by the ACLs on the path, which should allow administrators only.
read only = No
# Group Policy files and scripts are served to domain clients from this share.
[sysvol]
path = /usr/local/samba/var/locks/sysvol
browseable = No
# The share is writable at the SMB level; who can actually write is decided
# by the ACLs on the path, which should allow administrators only.
read only = No
2016-08-24 16:49 GMT+03:00 Rowland Penny via samba <samba at
lists.samba.org>:
> On Wed, 24 Aug 2016 16:03:05 +0300
> barış tombul <bbtombul at gmail.com> wrote:
>
>
> > > Strange, have you given 'FACILITY\btombul' the ID number
> > > '16777216' ?
> > >
> > > Can you post the smb.conf from the Samba AD DC and the Centos
> > > machine (please post what is actually there, not the output of
> > > 'samba-tool testparm -v')
> > >
> > > Rowland
> > >
> > >
> > >
> > >
>
>
> So I said 'not the output of 'samba-tool testparm -v'
> and what do I get LOL
>
> In English, putting 'not' in front of something means 'do not do this'
>
> Please post the output of 'cat /path/to/smb.conf' from BOTH machines.
>
> Replacing '/path/to/smb.conf' with the path to your smb.conf
> i.e. /etc/samba/smb.conf
>
> Rowland
>