On 14.10.2016 at 15:04, Rowland Penny via samba wrote:
> On Fri, 14 Oct 2016 14:32:52 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>
>> Hello Rowland,
>>
>> On 13.10.2016 at 18:25, Rowland Penny via samba wrote:
>>> It sounds like you don't have IDMU installed, not sure if you can
>>> install it on 2012.
>> are you trying to say that I should install "Identity Management for
>> Unix" on a Windows Server 2012? If yes, I am afraid we have a
>> misunderstanding here: I don't use any Windows Server in my set-up.
>>
>> I use a Fileserver with two network interfaces, one connected to a
>> private network, the other connected to our university network. A
>> Samba AD DC is supposed to manage a small Windows Domain in the
>> private net. The fileserver also serves as a gateway to the Windows 7
>> workstations in the private net. Fileserver and AD DC are both
>> running Ubuntu 16.04 and have the respective Samba packages
>> installed. For testing I have set up two Windows 7 instances on ESXi
>> inside the private net, one with the RSAT tools installed and one as
>> a user PC.
>>
>> Update: I spent the morning setting up a fresh member server
>> ("FILESERVER2") for testing inside the private net (with 1 NIC only,
>> thereby reducing complexity). I think I have made all the necessary
>> steps and did not forget to grant the SeDiskOperatorPrivilege rights
>> to the Domain Admins:
>>
>> root@fileserver2:/var/log/samba# net rpc rights list 'MYDOMAIN\Domain Admins' -U'MYDOMAIN\Administrator' -S addc01
>> Enter MYDOMAIN\Administrator's password:
>> SeDiskOperatorPrivilege
>>
>> Now I'm stuck in the RSAT Computer Management Console where I am
>> denied access to the share configuration. On the navigation tree in
>> the left window "Local users and groups" is shown as locked (and I
>> remember this went only away after I assigned a uidNumber to the
>> Administrator account and made it a member of the Domain Admins Unix
>> group). Can't tell if this is a useful hint.
>>
> I could have sworn you mentioned a 2012 server,

No problem

> so if you are
> authenticating the fileserver to a Samba AD DC, did you provision the
> DC with '--use-rfc2307' ?

Yes, I did. From my shell history:

samba-tool domain provision --use-rfc2307 --function-level=2008_R2 --dns-backend=BIND9_DLZ --host-name=addc01 --realm=MYDOMAIN.LAN --domain=MYDOMAIN --server-role='dc' --adminpass='*******************'

> Not a problem if you didn't, see here:
>
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_NIS_extensions
>
> The 'Administrator' is always a member of 'Domain Admins'
>
> Did you remember to add the 'user.map' line to smb.conf ?

Yes I did, but had a typo in the real domain name .... and this was the problem :-[

Now I have access to the share configuration :-)

What's a little confusing:
"Share Permissions" has the "Everyone" account already filled in with "Full Control".
"Security" has "Everyone", "root", "ERSTELLER-BESITZER" (Creator Owner), "ERSTELLERGRUPPE" (Creator Group) and "Domain Admins" accounts already filled in.

---> What would you suggest? Remove all unwanted accounts first and then follow the wiki? I remember trouble started when I removed the "Everyone" account.

Extended attributes on [home] look like this at this point:

root@fileserver2:/var/log/samba# LANG=en_US getfacl /var/share/samba/homes/
getfacl: Removing leading '/' from absolute path names
# file: var/share/samba/homes/
# owner: root
# group: MYDOMAIN\134domain\040admins
user::rwx
group::rwx
other::r-x

BTW: On this server, I changed the id ranges to more modest values:

root@fileserver2:/var/log/samba# grep idmap /etc/samba/smb.conf
;; Default idmap config used for BUILTIN and local accounts/groups
idmap config * : backend = tdb
idmap config * : range = 2000-9999
;; idmap config for domain MYDOMAIN
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999

This is correctly reflected in the id mappings:

root@fileserver2:/var/log/samba# net idmap dump
dumping id mapping from /var/lib/samba/winbindd_idmap.tdb
GID 2004 S-1-5-11
USER HWM 2000
GID 2002 S-1-1-0
GID 2003 S-1-5-2
GROUP HWM 2005

Thanks and best regards
Udo

> Rowland
On Fri, 14 Oct 2016 16:01:14 +0200
Udo Willke via samba <samba at lists.samba.org> wrote:

> On 14.10.2016 at 15:04, Rowland Penny via samba wrote:
[...]
> Now I have access to the share configuration :-)
>
> What's a little confusing:
> "Share Permissions" has the "Everyone" account already filled in
> with "Full Control".
> "Security" has "Everyone", "root", "ERSTELLER-BESITZER" (Creator
> Owner), "ERSTELLERGRUPPE" (Creator Group) and "Domain Admins" accounts
> already filled in.
>
> ---> What would you suggest? Remove all unwanted accounts first and
> then follow the wiki? I remember trouble started when I removed the
> "Everyone" account.
>
> Extended attributes on [home] look like this at this point:
>
> root@fileserver2:/var/log/samba# LANG=en_US getfacl /var/share/samba/homes/
> getfacl: Removing leading '/' from absolute path names
> # file: var/share/samba/homes/
> # owner: root
> # group: MYDOMAIN\134domain\040admins
> user::rwx
> group::rwx
> other::r-x
>
> BTW: On this server, I changed the id ranges to more modest values:
>
> root@fileserver2:/var/log/samba# grep idmap /etc/samba/smb.conf
> ;; Default idmap config used for BUILTIN and local accounts/groups
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> ;; idmap config for domain MYDOMAIN
> idmap config MYDOMAIN : backend = ad
> idmap config MYDOMAIN : schema_mode = rfc2307
> idmap config MYDOMAIN : range = 10000-99999
>

Are you following this wiki page ?

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Also, when you changed the ranges in smb.conf, have you changed the
uidNumber & gidNumber attributes in AD ?

Rowland
On 14.10.2016 at 16:40, Rowland Penny via samba wrote:
> On Fri, 14 Oct 2016 16:01:14 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
[...]
> Are you following this wiki page ?
>
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Yes, the page is linked in the "Preparatory work" section of the "User home drives" page <https://wiki.samba.org/index.php/User_home_drives>. However it is not very specific as to what permissions should actually be configured: "Go to the "Security" tab, click the "Edit" button and configure the desired Windows ACLs".

> Also, when you changed the ranges in smb.conf, have you changed the
> uidNumber & gidNumber attributes in AD ?

Not necessary in my opinion as I only modified the "overkill" range of the * domain (100000 - 2^32-1).

BTW: There is no range checking in the code. I started with 2^32 = 4294967296 as the upper limit and the mapping didn't work at all. Discovered later in the logs the range was parsed into "range 100000-0".

Two questions:

1) Do you agree with the directions given by L.P.H. van Belle: Create new user "Admin" and remove all the already filled in accounts (much like in the screenshot on the <https://wiki.samba.org/index.php/Shares_with_Windows_ACLs> page)?

2) Can you elaborate on this?

I have removed the rfc2307-IDs now. I guess going to the "Unix Attributes" tab in ADUC and setting "NIS Domain" to "none" is sufficient?
--> No, it should show your domain name.

Hmm, the "NIS Domain" setting is a drop-down menu. When I choose mydomain (in lower case this time) a UID Number is automatically assigned, when I choose <none> the fields are greyed out. So "no uidNumber" and "should show your domain name" don't work at the same time. Or should I choose mydomain and delete the remaining field entries?

Thanks a lot and best regards
Udo

> Rowland
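The idmap range remark above (an upper bound of 2^32 ends up logged as "range 100000-0", and the "*" range must never overlap a domain range) is the kind of thing worth checking before winbind reads smb.conf. The following is an added example, not code from this thread or from Samba; the two smb.conf fragments are constructed from the values quoted in the thread.

```python
import re

# Constructed samples built from the values quoted in the thread: the sane
# idmap block from fileserver2, and a block using the 2^32 upper bound the
# thread reports being logged as "range 100000-0", overlapping the domain.
SMB_CONF_OK = """\
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999
"""
SMB_CONF_BAD = """\
idmap config * : backend = tdb
idmap config * : range = 100000-4294967296
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 10000-200000
"""

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$")
UINT32_MAX = 2**32 - 1  # uid_t/gid_t are 32-bit; the thread saw 2^32 turn into 0


def parse_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def check_ranges(ranges):
    """Return human-readable problems: bounds beyond uint32, inverted ranges,
    and overlapping ranges (the '*' range must not overlap a domain range)."""
    problems = []
    for dom, (lo, hi) in ranges.items():
        if hi > UINT32_MAX:
            problems.append(f"{dom}: high bound {hi} exceeds uint32 and wraps")
        elif lo >= hi:
            problems.append(f"{dom}: low bound {lo} is not below high bound {hi}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"{a} and {b} ranges overlap")
    return problems
```

Run `check_ranges(parse_ranges(open("/etc/samba/smb.conf").read()))` on a member server to get an empty list for a sane configuration and one message per defect otherwise.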