Hello Rowland,
thank you for your swift reply. I made the modifications you suggested,
which unfortunately did not better the situation. There is no change to the
"Creator Owner" rights and the Administrator account is still shown as
locked. Also, I couldn't spot any suspicious messages in the Samba
logfiles besides maybe
get_referred_path: |profiles| in dfs path
\fileserver.mydomain.lan\profiles is not a dfs root.
get_referred_path: |home| in dfs path \fileserver.mydomain.lan\home is
not a dfs root.
My test users have uidNumbers and gidNumbers defined. I found this nifty
command to list them
root@fileserver:/var/log/samba# net ads search '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber -P
Got 15 replies
sAMAccountName: Enterprise Read-Only Domain Controllers
gidNumber: 10005
sAMAccountName: Administrator
uidNumber: 10000
gidNumber: 10000
sAMAccountName: Enterprise Admins
gidNumber: 10004
sAMAccountName: workgroup-1
gidNumber: 10010
sAMAccountName: Users
gidNumber: 10008
sAMAccountName: DnsAdmins
gidNumber: 10006
sAMAccountName: kbudwi
uidNumber: 10002
gidNumber: 10001
sAMAccountName: kbmamu
uidNumber: 10004
gidNumber: 10001
sAMAccountName: Guest
uidNumber: 10001
gidNumber: 10000
sAMAccountName: Schema Admins
gidNumber: 10003
sAMAccountName: Administrators
gidNumber: 10007
sAMAccountName: Domain Admins
gidNumber: 10000
sAMAccountName: Domain Users
gidNumber: 10001
sAMAccountName: kbanre
uidNumber: 10003
gidNumber: 10001
sAMAccountName: Domain Guests
gidNumber: 10002
I can list those users and groups on the member server using "getent
passwd" and "getent group".
What else could be wrong? My impression is that samba and winbind cache
a lot of information. Should I start over with the member server?
BTW: I rebooted the server after making the changes - just to be sure.
Thanks in advance and best regards
Udo
On 13.10.2016 at 11:04, Rowland Penny via samba wrote:
> On Thu, 13 Oct 2016 10:33:20 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>
>> Hi everyone,
>>
>> after some struggling I have finally set up a Samba AD DC and a file
>> server more or less successfully. Unfortunately I am failing at one
>> of the last steps: the configuration of the home share, where I can't
>> set the permissions correctly which, as a consequence, seems to
>> prevent the creation of the users' folders on the home share
>>
>> I am using the standard Samba packages on ubuntu 16.04 LTS
>> ("2:4.3.11+dfsg-0ubuntu0.16.04") and opted for winbind and the AD
>> backend for id mapping of the domain users. My smb.conf of the member
>> server looks like this:
>>
>> [global]
>> netbios name = FILESERVER
>> security = ADS
>> workgroup = MYDOMAIN
>> realm = MYDOMAIN.LAN
>>
>> log level = 5
>> log file = /var/log/samba/%m.log
>>
>> password server = 192.168.6.8
>>
>> interfaces = lo br0
>> bind interfaces only = yes
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = no
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = Yes
>> winbind cache time = 60
>>
>> ;; Default idmap config used for BUILTIN and local accounts/groups
>> idmap config * : backend = tdb
>> idmap config * : range = 100000-4294967295
>>
>> ;; idmap config for domain MYDOMAIN
>> idmap config MYDOMAIN : backend = ad
>> idmap config MYDOMAIN : schema_mode = rfc2307
>> idmap config MYDOMAIN : range = 10000-99999
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>>
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> template homedir = /var/share/samba/homes/%U
>>
>> [home]
>> path = /var/share/samba/homes
>> guest ok = no
>> read only = no
>> browseable = yes
>>
>>
>> [profiles]
>> path = /var/share/samba/profiles
>> read only = no
>> store dos attributes = yes
>> create mask = 0600
>> directory mask = 0700
>> guest ok = no
>> profile acls = yes
>> csc policy = disable
>>
>> "interfaces" and "bind interfaces only = yes" are needed because the
>> server is dual-homed. By setting the tdb id range to
>> 100000-4294967295, I hoped to get the Windows system accounts mapped.
>>
>> winbind seems to work ok. "getent passwd" and "getent group" show the
>> AD users with the uidNumber and gidNumber attributes set on the AD in
>> the right range. Example
>>
>> root@fileserver:/var/share/samba# id MYDOMAIN\\Administrator
>> uid=10000(MYDOMAIN\administrator) gid=10000(MYDOMAIN\domain admins)
>> groups=10000(MYDOMAIN\domain admins),10004(MYDOMAIN\enterprise
>> admins),10003(MYDOMAIN\schema admins),10001(MYDOMAIN\domain
>> users),100000(BUILTIN\administrators),100001(BUILTIN\users)
>>
>> After adding the [home] section to smb.conf I create the directory
>> as described in the Samba wiki
>>
>> root@fileserver:/var/share/samba# mkdir homes
>> root@fileserver:/var/share/samba# chgrp MYDOMAIN\\Domain\ Admins homes/
>> root@fileserver:/var/share/samba# chmod g=rwx homes/
>> root@fileserver:/var/share/samba# ls -ld homes/
>> drwxrwxr-x 2 root MYDOMAIN\domain admins 4096 Oct 12 16:05 homes/
>>
>> Then I continue with the RSAT Tools (German Language Version) on
>> Windows 7 where I log in as "MYDOMAIN\Administrator" and use the
>> "Computer Management" Console to configure the home share.
>>
>>
>> Here I face two problems on the "Security" tab:
>>
>> 1) When I add the Administrator user, the account is shown as
>> "locked" (red dot with cross) but I can set "Full Control"
>>
>> 2) When I add the Creator Owner (in my case, I have to look for
>> ERSTELLER-BESITZER) I can check "Full Control", but when I click
>> "Apply" all the check marks disappear
>>
>> Additionally, extra users like "Everyone", "root" or "Creator Group"
>> are already listed in the dialogue box without me doing anything.
>>
>>
>> On the Linux side, the extended permissions of the
>> /var/share/samba/homes directory look like this
>>
>> root@fileserver:/var/share/samba# getfacl homes/
>> # file: homes/
>> # owner: MYDOMAIN\134administrator
>> # group: MYDOMAIN\134domain\040admins
>> user::rwx
>> user:MYDOMAIN\134administrator:rwx
>> group::rwx
>> group:MYDOMAIN\134domain\040admins:rwx
>> group:100004:r-x
>> group:100005:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:MYDOMAIN\134administrator:rwx
>> default:group::---
>> default:group:MYDOMAIN\134domain\040admins:rwx
>> default:group:100004:r-x
>> default:group:100005:rwx
>> default:mask::rwx
>> default:other::---
>>
>> I noticed GIDs 100004 and 100005 are not resolved so I tried to find
>> out why
>>
>> root@fileserver:/var/share/samba# net idmap dump
>> dumping id mapping from /var/lib/samba/winbindd_idmap.tdb
>> GID 100004 S-1-5-11
>> GID 100005 S-1-5-18
>> GID 100006 S-1-3-0
>> USER HWM 100000
>> GID 100002 S-1-1-0
>> GID 100007 S-1-5-4
>> GID 100003 S-1-5-2
>> GROUP HWM 100008
>>
>> With wbinfo --sid-to-fullname I find
>>
>> GID 100004 S-1-5-11 --> NT AUTHORITY\Authenticated Users 5
>>
>> GID 100005 S-1-5-18 --> NT AUTHORITY\SYSTEM 5
>>
>> S-1-3-0 is the well-known SID of the Creator Owner (thus known to the
>> server)
>>
>> Finally, when I log into a Windows 7 workstation (previously joined
>> to the domain) with my test user account
>>
>> root@fileserver:/var/share/samba# id MYDOMAIN\\kbudwi
>> uid=10002(MYDOMAIN\kbudwi) gid=10001(MYDOMAIN\domain users)
>> groups=10001(MYDOMAIN\domain
>> users),10010(MYDOMAIN\workgroup-1),100001(BUILTIN\users)
>>
>> my home folder "kbudwi" is neither created nor mounted.
>>
>> When I navigate manually to the home base folder by entering
>> "\\fileserver\home" into Windows Explorer, I get an empty folder.
>>
>> When I try to create my home folder manually I get a message box
>> saying something like "home: You need permissions to continue the
>> operation" (loosely translated from German). I suspect, the missing
>> "Creator Owner" rights block the folder creation.
>>
>> Generally speaking, I am very unsure how to handle the id mapping for
>> the ad backend. The documentation (I found) does not specify, whether
>> I have to set the Unix UIDs and GIDs on system accounts or on user
>> accounts only. Maybe I have messed it up at this level?
>>
>> Any help would be highly appreciated as I am seriously running out of
>> ideas
>>
>> Thanks and best regards
>>
>> Udo
>>
> Do you really need '4294867295' spaces for the '*' range, I only have
> '7999' and feel that is an overkill, see here for more info:
>
> https://support.microsoft.com/en-us/kb/243330
>
> As for your users home dir not getting created, try running this on the
> fileserver:
>
> echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/common-account
>
> Add this line to smb.conf:
>
> username map = /etc/samba/user.map
>
> And create the /etc/samba/user.map with this content:
>
> !root = MYDOMAIN\Administrator MYDOMAIN\administrator Administrator administrator
>
> That will map the windows administrator to the Unix root user
>
> To make windows users visible to the domain member whilst using the
> winbind 'ad' backend, you must give each user a unique uidNumber
> attribute inside the range you set for the domain (MYDOMAIN) in
> smb.conf, you MUST also give Domain Users a gidNumber attribute inside
> the range.
>
> Rowland
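The two requirements Rowland states for the winbind 'ad' backend (a unique uidNumber per user inside the domain's idmap range, and a gidNumber on Domain Users), plus the rule that the '*' range for BUILTIN and well-known SIDs must not overlap the domain range, can be checked offline before touching the member server. The script below is an added example in Python, not code from the thread or from the Samba project. It parses the `idmap config` lines of an smb.conf and the `net ads search ... sAMAccountName uidNumber gidNumber` output shown in the thread; both inputs are constructed samples modelled on the posted ones, the entry layout (one attribute per line, objects separated by blank lines) is an assumption, and `outsider` is a made-up account whose uidNumber lies below the domain range.

```python
"""Added example (not from the thread or Samba): offline sanity check of the
rfc2307 attributes and idmap ranges a winbind 'ad' backend member server needs.
Both inputs are constructed samples modelled on the thread, not real output."""
import re

SMB_CONF = """\
[global]
   workgroup = MYDOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 100000-4294967295
   idmap config MYDOMAIN : backend = ad
   idmap config MYDOMAIN : schema_mode = rfc2307
   idmap config MYDOMAIN : range = 10000-99999
"""
# Constructed bad case: a '*' range that overlaps the domain range.
SMB_CONF_OVERLAP = SMB_CONF.replace("100000-4294967295", "3000-20000")

# Assumed 'net ads search ... sAMAccountName uidNumber gidNumber' layout: one
# attribute per line, objects separated by blank lines. 'outsider' is a
# constructed user whose uidNumber lies below the domain range.
NET_ADS_SEARCH = """\
Got 5 replies

sAMAccountName: Administrator
uidNumber: 10000
gidNumber: 10000

sAMAccountName: kbudwi
uidNumber: 10002
gidNumber: 10001

sAMAccountName: Domain Admins
gidNumber: 10000

sAMAccountName: Domain Users
gidNumber: 10001

sAMAccountName: outsider
uidNumber: 500
gidNumber: 10001
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S.*?)\s*$", re.I)


def parse_idmap(conf):
    """Map domain name (or '*') to its idmap options; 'range' becomes a (lo, hi) tuple."""
    cfg = {}
    for m in filter(None, map(IDMAP_RE.match, conf.splitlines())):
        dom, key, val = m.groups()
        cfg.setdefault(dom.upper(), {})[key.lower()] = val
    for opts in cfg.values():
        if "range" in opts:
            opts["range"] = tuple(int(x) for x in opts["range"].split("-"))
    return cfg


def parse_net_ads_search(text):
    """Return one {attribute: value} dict per directory object."""
    entries, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Got "):
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    if cur:
        entries.append(cur)
    return entries


def check_idmap(cfg, entries, domain):
    """Return problem strings; an empty list means the mapping looks consistent."""
    dom, star = cfg.get(domain.upper(), {}), cfg.get("*", {}).get("range")
    rng = dom.get("range")
    if dom.get("backend", "").lower() != "ad" or rng is None:
        return [f"{domain}: no 'idmap config {domain} : backend = ad' with a range"]
    span = f"{domain} range {rng[0]}-{rng[1]}"
    problems = []
    if star and star[0] <= rng[1] and rng[0] <= star[1]:  # ranges must be disjoint
        problems.append(f"'*' range {star[0]}-{star[1]} overlaps {span}")
    seen_uid, group_gids = {}, {}
    for e in entries:
        name = e.get("sAMAccountName", "?")
        for attr in ("uidNumber", "gidNumber"):
            if attr in e and not rng[0] <= int(e[attr]) <= rng[1]:
                problems.append(f"{name}: {attr}={e[attr]} outside {span}")
        if "uidNumber" in e:  # a user: uidNumber must be unique
            uid = int(e["uidNumber"])
            if uid in seen_uid:
                problems.append(f"{name}: uidNumber {uid} duplicates {seen_uid[uid]}")
            seen_uid[uid] = name
        elif "gidNumber" in e:  # no uidNumber: a group
            group_gids[int(e["gidNumber"])] = name
    if "Domain Users" not in group_gids.values():
        problems.append("Domain Users has no gidNumber")
    for e in entries:  # every user's primary group must exist with that gidNumber
        if "uidNumber" in e and int(e.get("gidNumber", -1)) not in group_gids:
            problems.append(f"{e.get('sAMAccountName', '?')}: primary gidNumber "
                            f"{e.get('gidNumber')} belongs to no group")
    return problems


if __name__ == "__main__":
    for label, conf in (("as posted", SMB_CONF), ("overlapping '*'", SMB_CONF_OVERLAP)):
        found = check_idmap(parse_idmap(conf), parse_net_ads_search(NET_ADS_SEARCH), "MYDOMAIN")
        print(label + ":", "\n  ".join(found) if found else "OK")
```

Run it as is to see the constructed `outsider` account flagged and, for the second config, the range overlap reported; on a real server, replace the two sample strings with the contents of `/etc/samba/smb.conf` and the output of the `net ads search` command from the thread. Accounts without rfc2307 attributes do not appear in that search at all, which is exactly why such users are missing from `getent passwd` with the 'ad' backend.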