Hello Rowland,

On 13.10.2016 at 15:09, Rowland Penny via samba wrote:
> On Thu, 13 Oct 2016 14:48:57 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>
>> Hello Rowland,
>>
>> thank you for your swift reply. I made the modifications you
>> suggested, which unfortunately did not better the situation. No
>> change as to the "Creator Owner" rights and the Administrator account
>> still shown as locked. Also, I couldn't spot any suspicious messages
>> in the Samba logfiles besides maybe
>>
>> get_referred_path: |profiles| in dfs path
>> \fileserver.mydomain.lan\profiles is not a dfs root.
>> get_referred_path: |home| in dfs path \fileserver.mydomain.lan\home
>> is not a dfs root.
>>
>> My test users have uidNumbers and gidNumbers defined. I found this
>> nifty command to list them
>>
>> root@fileserver:/var/log/samba# net ads search
>> '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber -P
>> Got 15 replies
>>
>> sAMAccountName: Enterprise Read-Only Domain Controllers
>> gidNumber: 10005
>>
>> sAMAccountName: Administrator
>> uidNumber: 10000
>> gidNumber: 10000
>>
>> sAMAccountName: Enterprise Admins
>> gidNumber: 10004
>>
>> sAMAccountName: workgroup-1
>> gidNumber: 10010
>>
>> sAMAccountName: Users
>> gidNumber: 10008
>>
>> sAMAccountName: DnsAdmins
>> gidNumber: 10006
>>
>> sAMAccountName: kbudwi
>> uidNumber: 10002
>> gidNumber: 10001
>>
>> sAMAccountName: kbmamu
>> uidNumber: 10004
>> gidNumber: 10001
>>
>> sAMAccountName: Guest
>> uidNumber: 10001
>> gidNumber: 10000
>>
>> sAMAccountName: Schema Admins
>> gidNumber: 10003
>>
>> sAMAccountName: Administrators
>> gidNumber: 10007
>>
>> sAMAccountName: Domain Admins
>> gidNumber: 10000
>>
>> sAMAccountName: Domain Users
>> gidNumber: 10001
>>
>> uidNumber: 10003
>> gidNumber: 10001
>> sAMAccountName: kbanre
>>
>> sAMAccountName: Domain Guests
>> gidNumber: 10002
>>
>> I can list those users and groups on the member server using "getent
>> passwd" and "getent group".
> Can I suggest you remove uid/gidNumber attributes from:
>
> Enterprise Read-Only Domain Controllers
> Administrator
> Enterprise Admins
> Users
> DnsAdmins
> Guest
> Schema Admins
> Administrators
> Domain Guests
>
> They will be mapped as required by '*' in smb.conf
> You have also made 'Administrator' a normal Unix user by giving it a
> uidNumber.
>
> Rowland
>

I have removed the rfc2307-IDs now. I guess going to the "Unix Attributes" tab in ADUC and setting "NIS Domain" to "none" is sufficient?

Checking the getent commands:

root@fileserver:/var/log/samba# getent passwd | grep ^MYDOMAIN
MYDOMAIN\kbanre:*:10003:10001:XXXXXXXXXX:/var/share/samba/homes/kbanre:/bin/sh
MYDOMAIN\kbmamu:*:10004:10001:Max Mustermann:/var/share/samba//homes/kbmamu:/bin/sh
MYDOMAIN\kbudwi:*:10002:10001:Udo Willke:/var/share/samba/homes/kbudwi:/bin/sh

root@fileserver:/var/log/samba# getent group | grep ^MYDOMAIN
MYDOMAIN\domain admins:x:10000:
MYDOMAIN\domain users:x:10001:
MYDOMAIN\workgroup-1:x:10010:

Does this look good?

Should I recreate the /var/share/samba/homes directory? The owner with UID 10000 is not known to Linux now:

root@fileserver:~# getfacl /var/share/samba/homes/
getfacl: Removing leading '/' from absolute path names
# file: var/share/samba/homes/
# owner: 10000
# group: MYDOMAIN\134domain\040admins

....

Apart from that: Still no home folders, even not able to create them manually. All the initial symptoms persist :-(

Any ideas?

Thanks and best regards
Udo
On Thu, 13 Oct 2016 16:22:47 +0200
Udo Willke via samba <samba at lists.samba.org> wrote:

> Hello Rowland,
>
> I have removed the rfc2307-IDs now. I guess going to the "Unix
> Attributes" tab in ADUC and setting "NIS Domain" to "none" is
> sufficient?

No, it should show your domain name.

>
> Checking the getent commands:
>
> root@fileserver:/var/log/samba# getent passwd | grep ^MYDOMAIN
> MYDOMAIN\kbanre:*:10003:10001:XXXXXXXXXX:/var/share/samba/homes/kbanre:/bin/sh
> MYDOMAIN\kbmamu:*:10004:10001:Max Mustermann:/var/share/samba//homes/kbmamu:/bin/sh
> MYDOMAIN\kbudwi:*:10002:10001:Udo Willke:/var/share/samba/homes/kbudwi:/bin/sh
>
> root@fileserver:/var/log/samba# getent group | grep ^MYDOMAIN
> MYDOMAIN\domain admins:x:10000:
> MYDOMAIN\domain users:x:10001:
> MYDOMAIN\workgroup-1:x:10010:
>
> Does this look good?

Yes

>
> Should I recreate the /var/share/samba/homes directory? The owner
> with UID 10000 is not known to Linux now:

Probably easiest, as long as the old dirs don't contain anything you need.

>
> root@fileserver:~# getfacl /var/share/samba/homes/
> getfacl: Removing leading '/' from absolute path names
> # file: var/share/samba/homes/
> # owner: 10000
> # group: MYDOMAIN\134domain\040admins
>
> ....
>
> Apart from that: Still no home folders, even not able to create them
> manually. All the initial symptoms persist :-(
>

Altering the PAM config should create the home dirs as the users connect, but why are you putting them in /var ??
What is wrong with /home/DOMAIN/%U

Rowland
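A small cross-check of the two listings discussed above (the `net ads search` records from the first mail and the `getent passwd` lines Rowland confirmed). This is an added example, not code from the thread or from Samba; the samples are constructed in the same formats, and the list of built-in accounts is the one Rowland asked to have cleared of uid/gidNumber.

```python
# Constructed sample in the format of the thread's 'net ads search ... -P' output.
NET_ADS_OUTPUT = """Got 3 replies

sAMAccountName: Administrator
uidNumber: 10000
gidNumber: 10000

uidNumber: 10002
gidNumber: 10001
sAMAccountName: kbudwi

sAMAccountName: Domain Guests
gidNumber: 10002
"""

# Constructed sample in the format of 'getent passwd | grep ^MYDOMAIN'.
GETENT_PASSWD = "MYDOMAIN\\kbudwi:*:10002:10001:Udo Willke:/var/share/samba/homes/kbudwi:/bin/sh\n"

# Built-in accounts that Rowland advises leaving to the '*' idmap backend.
BUILTIN = {"Enterprise Read-Only Domain Controllers", "Administrator", "Enterprise Admins",
           "Users", "DnsAdmins", "Guest", "Schema Admins", "Administrators", "Domain Guests"}

def parse_net_ads(text):
    """Split the blank-line separated 'attribute: value' records into dicts (any attribute order)."""
    records = []
    for block in text.split("\n\n"):
        pairs = [line.partition(": ") for line in block.splitlines() if ": " in line]
        if pairs:  # the 'Got N replies' header has no 'key: value' pairs and is skipped
            records.append({k: v for k, _, v in pairs})
    return records

def builtin_with_ids(records):
    """Built-in accounts that still carry a uidNumber or gidNumber."""
    return sorted(r["sAMAccountName"] for r in records
                  if r.get("sAMAccountName") in BUILTIN and ("uidNumber" in r or "gidNumber" in r))

def parse_getent_passwd(text):
    """Map the short account name to (uid, gid, home) from DOMAIN\\user passwd lines."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _, uid, gid, _, home, _ = line.split(":")
            users[name.split("\\", 1)[-1]] = (int(uid), int(gid), home)
    return users

def uid_mismatches(records, users):
    """Users whose uidNumber in AD differs from the uid the member server resolves."""
    return [r["sAMAccountName"] for r in records
            if r.get("sAMAccountName") in users and "uidNumber" in r
            and int(r["uidNumber"]) != users[r["sAMAccountName"]][0]]
```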
Hello Rowland,

On 13.10.2016 at 16:53, Rowland Penny via samba wrote:
> On Thu, 13 Oct 2016 16:22:47 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>
>> Hello Rowland,
>>
>> I have removed the rfc2307-IDs now. I guess going to the "Unix
>> Attributes" tab in ADUC and setting "NIS Domain" to "none" is
>> sufficient?
> No, it should show your domain name.

Hmm, the "NIS Domain" setting is a drop-down menu. When I choose mydomain (in lower case this time) a UID Number is automatically assigned, when I choose <none> the fields are greyed out. So "no uidNumber" and "should show your domain name" don't work at the same time. Or should I choose mydomain and delete the remaining field entries?

>
>> Checking the getent commands:
>>
>> root@fileserver:/var/log/samba# getent passwd | grep ^MYDOMAIN
>> MYDOMAIN\kbanre:*:10003:10001:XXXXXXXXXX:/var/share/samba/homes/kbanre:/bin/sh
>> MYDOMAIN\kbmamu:*:10004:10001:Max Mustermann:/var/share/samba//homes/kbmamu:/bin/sh
>> MYDOMAIN\kbudwi:*:10002:10001:Udo Willke:/var/share/samba/homes/kbudwi:/bin/sh
>>
>> root@fileserver:/var/log/samba# getent group | grep ^MYDOMAIN
>> MYDOMAIN\domain admins:x:10000:
>> MYDOMAIN\domain users:x:10001:
>> MYDOMAIN\workgroup-1:x:10010:
>>
>> Does this look good?
> Yes
>
>> Should I recreate the /var/share/samba/homes directory? The owner
>> with UID 10000 is not known to Linux now:
> Probably easiest, as long as the old dirs don't contain anything you
> need.

Yes, already made this. Now Administrator account is not shown as locked (!) in ADUC but still not able to assign rights to the "Creator Owner". HOWEVER: In the Advanced View the check marks are there (!) together with the restriction "Files and Subfolders only". But, still the unwanted accounts "Everyone", "root" and "Creator Group" are listed on the Security tab?!?
And still no home folders ....

>
>> root@fileserver:~# getfacl /var/share/samba/homes/
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/share/samba/homes/
>> # owner: 10000
>> # group: MYDOMAIN\134domain\040admins
>>
>> ....
>>
>> Apart from that: Still no home folders, even not able to create them
>> manually. All the initial symptoms persist :-(
>>
> Altering the PAM config should create the home dirs as the users
> connect, but why are you putting them in /var ??
> What is wrong with /home/DOMAIN/%U

Nothing at all. I somewhere read that this was a "recommendation" for user shares on Linux. So I mounted my xattr-enabled partition underneath /var/share, but maybe that's wrong? However, would prefer not changing this right now.

This is /etc/pam.d/common-account - just for verification:

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account	[success=2 new_authtok_reqd=done default=ignore]	pam_unix.so
account	[success=1 new_authtok_reqd=done default=ignore]	pam_winbind.so
# here's the fallback if no module succeeds
account	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
account	required			pam_krb5.so minimum_uid=1000
# end of pam-auth-update config
#
# Modification for Samba
#
session	required			pam_mkhomedir.so skel=/etc/skel/ umask=0022

Entries are TAB-separated. Also checked the syslog for PAM errors with no result. pam_mkhomedir.so is installed.

root@fileserver:/var/log# locate pam_mkhomedir.so
/lib/x86_64-linux-gnu/security/pam_mkhomedir.so

Would be looking forward to continue finding the problem tomorrow.

Thanks and best regards
Udo

>
> Rowland
>
>
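A parser for the PAM stack format of the common-account file quoted above, added here as an illustration (it is not code from the thread or from Linux-PAM). It handles both word controls such as `required` and bracketed action lists such as `[success=2 ...]`, and reports which entries are of a type other than the one the file is meant to hold, so a `session` line in an `account` file is easy to spot. The sample is a constructed excerpt of the quoted file.

```python
import re

# Constructed excerpt in the format of the /etc/pam.d/common-account file quoted
# in the thread (entries are tab-separated, as the poster notes).
COMMON_ACCOUNT = """\
# here are the per-package modules (the "Primary" block)
account\t[success=2 new_authtok_reqd=done default=ignore]\tpam_unix.so
account\t[success=1 new_authtok_reqd=done default=ignore]\tpam_winbind.so
# here's the fallback if no module succeeds
account\trequisite\t\t\tpam_deny.so
account\trequired\t\t\tpam_permit.so
account\trequired\t\t\tpam_krb5.so minimum_uid=1000
#
# Modification for Samba
#
session\trequired\t\t\tpam_mkhomedir.so skel=/etc/skel/ umask=0022
"""

# One PAM line: type, control (a single word or a [bracketed action list]), module, args.
LINE_RE = re.compile(r"^(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")

def parse_pam(text):
    """Return one dict per module line; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {line!r}")
        entries.append({**m.groupdict(), "args": m.group("args").split()})
    return entries

def lines_not_of_type(entries, expected):
    """Modules listed under a management group other than the one the file is named for."""
    return [e["module"] for e in entries if e["type"] != expected]

def find_module(entries, name):
    """First entry for the given module, or None if it is not in the stack."""
    return next((e for e in entries if e["module"] == name), None)
```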