On 14.10.2016 at 16:40, Rowland Penny via samba wrote:
> On Fri, 14 Oct 2016 16:01:14 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>
>> On 14.10.2016 at 15:04, Rowland Penny via samba wrote:
>>> On Fri, 14 Oct 2016 14:32:52 +0200
>>> Udo Willke via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hello Rowland,
>>>>
>>>> On 13.10.2016 at 18:25, Rowland Penny via samba wrote:
>>>>> It sounds like you don't have IDMU installed, not sure if you can
>>>>> install it on 2012.
>>>> are you trying to say that I should install "Identity Management
>>>> for Unix" on a Windows Server 2012? If yes, I am afraid we have a
>>>> misunderstanding here: I don't use any Windows Server in my set-up.
>>>>
>>>> I use a Fileserver with two network interfaces, one connected to a
>>>> private network, the other connected to our university network. A
>>>> Samba AD DC is supposed to manage a small Windows Domain in the
>>>> private net. The fileserver also serves as a gateway to the
>>>> Windows 7 workstations in the private net. Fileserver and AD DC
>>>> are both running ubuntu 16.04 and have the respective Samba
>>>> packages installed. For testing I have set up two Windows 7
>>>> Instances on ESXi inside the private net, one with the RSAT Tools
>>>> installed and one as a user PC.
>>>>
>>>> Update: I spent the morning setting up a fresh member server
>>>> ("FILESERVER2") for testing inside the private net (with 1 NIC
>>>> only, thereby reducing complexity). I think I have made all the
>>>> necessary steps and did not forget to grant the
>>>> SeDiskOperatorPrivilege rights to the Domain Admins
>>>>
>>>> root@fileserver2:/var/log/samba# net rpc rights list 'MYDOMAIN\Domain Admins' -U'MYDOMAIN\Administrator' -S addc01
>>>> Enter MYDOMAIN\Administrator's password:
>>>> SeDiskOperatorPrivilege
>>>>
>>>> Now I'm stuck in the RSAT Computer Management Console where I am
>>>> denied access to the share configuration. On the navigation tree in
>>>> the left window "Local users and groups" is shown as locked (and I
>>>> remember this went only away after I assigned a uidNumber to the
>>>> Administrator account and made it a member of the Domain Admins Unix
>>>> Group). Can't tell if this is a useful hint.
>>>>
>>> I could have sworn you mentioned a 2012 server,
>> No problem
>>> so if you are
>>> authenticating the fileserver to a Samba AD DC, did you provision
>>> the DC with '--use-rfc2307' ?
>> Yes, I did. From my shell history
>>
>> samba-tool domain provision --use-rfc2307 --function-level=2008_R2 --dns-backend=BIND9_DLZ --host-name=addc01 --realm=MYDOMAIN.LAN --domain=MYDOMAIN --server-role='dc' --adminpass='*******************'
>>
>>> Not a problem if you didn't, see here:
>>>
>>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_NIS_extensions
>>>
>>> The 'Administrator' is always a member of 'Domain Admins'
>>>
>>> Did you remember to add the 'user.map' line to smb.conf ?
>> Yes I did, but had a typo in the real domain name .... and this was
>> the problem :-[
>>
>> Now I have access to the share configuration :-)
>>
>> What's a little confusing:
>> "Share Permissions" has the "Everyone" account already filled in
>> with "Full Control".
>> "Security" has "Everyone", "root", "ERSTELLER-BESITZER" (Creator
>> Owner), ERSTELLERGRUPPE (Creator Group) and "Domain Admins" accounts
>> already filled in
>>
>> ---> What would you suggest? Remove all unwanted accounts first and
>> then follow the wiki? I remember trouble started when I removed the
>> "Everyone" account.
>>
>> Extended attributes on [home] look like this at this point
>>
>> root@fileserver2:/var/log/samba# LANG=en_US getfacl /var/share/samba/homes/
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/share/samba/homes/
>> # owner: root
>> # group: MYDOMAIN\134domain\040admins
>> user::rwx
>> group::rwx
>> other::r-x
>>
>> BTW: On this server, I changed the id ranges to more modest values
>>
>> root@fileserver2:/var/log/samba# grep idmap /etc/samba/smb.conf
>> ;; Default idmap config used for BUILTIN and local accounts/groups
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>> ;; idmap config for domain MYDOMAIN
>> idmap config MYDOMAIN : backend = ad
>> idmap config MYDOMAIN : schema_mode = rfc2307
>> idmap config MYDOMAIN : range = 10000-99999
>>
> Are you following this wiki page ?
>
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Yes, the page is linked in the "Preparatory work" section of the "User
home drives" page <https://wiki.samba.org/index.php/User_home_drives>

However it is not very specific as to what permissions should actually
be configured: "Go to the "Security" tab, click the "Edit" button and
configure the desired Windows ACLs".

>
> Also, when you changed the ranges in smb.conf, have you changed the
> uidNumber & gidNumber attributes in AD ?

Not necessary in my opinion as I only modified the "overkill" range of
the * domain (100000 - 2^32 -1).

BTW: There is no range checking in the code. I started with 2^32 =
4294967296 as the upper limit and the mapping didn't work at all.
Discovered later in the logs the range was parsed into "range 100000-0".

Two questions:

1) Do you agree with the directions given by L.P.H. van Belle: Create
new user "Admin" and remove all the already filled in accounts (much
like in the screenshot on the
<https://wiki.samba.org/index.php/Shares_with_Windows_ACLs> page)?

2) Can you elaborate on this?

I have removed the rfc2307-IDs now. I guess going to the "Unix
Attributes" tab in ADUC and setting "NIS Domain" to "none" is
sufficient?

--> No, it should show your domain name.

Hmm, the "NIS Domain" setting is a drop-down menu. When I choose
mydomain (in lower case this time) a UID Number is automatically
assigned, when I choose <none> the fields are greyed out. So "no
uidNumber" and "should show your domain name" don't work at the same
time. Or should I choose mydomain and delete the remaining field
entries?

Thanks a lot and best regards

Udo

>
> Rowland
>
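The idmap observation in the mail above (an upper bound of 2^32 silently becoming 0, and the question of whether the smb.conf ranges are sane at all) can be checked mechanically before winbind is restarted. The script below is an added example, not code from this thread or from the Samba project. It parses the "idmap config X : range" lines exactly as posted; the BAD_SMB_CONF sample, the 32-bit wrap-around message and the lower-bound threshold of 1000 (where local system accounts usually live) are my own assumptions.

```python
import re

UINT32_MAX = 2**32 - 1

# Constructed sample: the idmap lines as posted in the thread.
SAMPLE_SMB_CONF = """
;; Default idmap config used for BUILTIN and local accounts/groups
idmap config * : backend = tdb
idmap config * : range = 2000-9999
;; idmap config for domain MYDOMAIN
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999
"""

# Constructed sample: the earlier attempt described in the thread, with 2^32 as upper bound.
BAD_SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 100000-4294967296
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 10000-99999
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.IGNORECASE)


def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X : range = a-b' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def check_idmap_ranges(ranges):
    """Return a list of problems found; an empty list means the ranges look sane."""
    problems = []
    for dom, (lo, hi) in ranges.items():
        if hi > UINT32_MAX:
            # Assumption: bounds are stored as 32-bit values, so anything larger wraps.
            problems.append(
                f"{dom}: upper bound {hi} does not fit in 32 bits; wrapped to 32 bits "
                f"it reads as {hi % 2**32} (the thread saw 2^32 become 0)")
            continue
        if lo > hi:
            problems.append(f"{dom}: lower bound {lo} is above upper bound {hi}")
        if lo < 1000:
            # Assumption: uids below 1000 are reserved for local system accounts.
            problems.append(
                f"{dom}: range starts at {lo}, inside the uid space of local system accounts")
    # Ranges of different domains must not overlap, or ids become ambiguous.
    ordered = sorted(ranges.items(), key=lambda kv: kv[1][0])
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in zip(ordered, ordered[1:]):
        if lo2 <= hi1:
            problems.append(f"{d1} ({lo1}-{hi1}) overlaps {d2} ({lo2}-{hi2})")
    return problems


if __name__ == "__main__":
    for name, text in (("posted config", SAMPLE_SMB_CONF), ("2^32 upper bound", BAD_SMB_CONF)):
        print(name + ":", check_idmap_ranges(parse_idmap_ranges(text)) or "ok")
```

Run it against /etc/samba/smb.conf by reading the file into the checker; the posted config passes, while the 2^32 upper bound is reported instead of being discovered later in the winbind log.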
On Fri, 14 Oct 2016 17:52:33 +0200
Udo Willke via samba <samba at lists.samba.org> wrote:

> However it is not very specific as to what permissions should
> actually be configured: "Go to the "Security" tab, click the "Edit"
> button and configure the desired Windows ACLs".
>

What it means is, you need to add/change the users and groups and set
permissions to meet your requirements.

> >
> > Also, when you changed the ranges in smb.conf, have you changed the
> > uidNumber & gidNumber attributes in AD ?
>
> Not necessary in my opinion as I only modified the "overkill" range
> of the * domain (100000 - 2^32 -1) .
>
> BTW: There is no range checking in the code. I started with 2^32 =
> 4294967296 as the upper limit and the mapping didn't work at all.
> Discovered later in the logs the range was parsed into "range
> 100000-0".
>
> Two questions:
>
> 1) Do you agree with the directions given by L.P.H. van Belle: Create
> new user "Admin" and remove all the already filled in accounts (much
> like in the screenshot on the
> <https://wiki.samba.org/index.php/Shares_with_Windows_ACLs> page?

This is up to you, by doing what Louis is suggesting, is security
through obscurity. It means that anybody trying to get into your system
has to know (or obtain by whatever means) not only the password, they
also have to know the username to go with it.
As for removing the accounts, you need to decide just who has access
and how much access they have, this may mean removing, altering or
adding accounts.

>
> 2) Can you elaborate on this?
>

i think I just did ;-)

> I have removed the rfc2307-IDs now. I guess going to the "Unix
> Attributes" tab in ADUC and setting "NIS Domain" to "none" is
> sufficient?
>
> --> No, it should show your domain name.
>
> Hmm, the "NIS Domain" setting is a drop-down menu. When I choose
> mydomain (in lower case this time) a UID Number is automatically
> assigned, when I choose <none> the fields are greyed out. So "no
> uidNumber" and "should show your domain name" don't work at the same
> time. Or should I choose mydomain and delete the remaining field
> entries?

If the windows machine that ADUC is running on is joined to the domain,
it normally allows you to set the domain on the 'Unix Attributes' tab
and setting this, fills in all the other boxes (uidNumber etc)

Rowland
Hello Rowland,

On 14.10.2016 at 18:18, Rowland Penny via samba wrote:
> On Fri, 14 Oct 2016 17:52:33 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>
>
>> However it is not very specific as to what permissions should
>> actually be configured: "Go to the "Security" tab, click the "Edit"
>> button and configure the desired Windows ACLs".
>>
> What it means is, you need to add/change the users and groups and set
> permissions to meet your requirements.
>
>>> Also, when you changed the ranges in smb.conf, have you changed the
>>> uidNumber & gidNumber attributes in AD ?
>> Not necessary in my opinion as I only modified the "overkill" range
>> of the * domain (100000 - 2^32 -1) .
>>
>> BTW: There is no range checking in the code. I started with 2^32 =
>> 4294967296 as the upper limit and the mapping didn't work at all.
>> Discovered later in the logs the range was parsed into "range
>> 100000-0".
>>
>> Two questions:
>>
>> 1) Do you agree with the directions given by L.P.H. van Belle: Create
>> new user "Admin" and remove all the already filled in accounts (much
>> like in the screenshot on the
>> <https://wiki.samba.org/index.php/Shares_with_Windows_ACLs> page?
> This is up to you, by doing what Louis is suggesting, is security
> through obscurity. It means that anybody trying to get into your system
> has to know (or obtain by whatever means) not only the password, they
> also have to know the username to go with it.
> As for removing the accounts, you need to decide just who has access
> and how much access they have, this may mean removing, altering or
> adding accounts.
>
>
>> 2) Can you elaborate on this?
>>
> i think I just did ;-)
>
>> I have removed the rfc2307-IDs now. I guess going to the "Unix
>> Attributes" tab in ADUC and setting "NIS Domain" to "none" is
>> sufficient?
>>
>> --> No, it should show your domain name.
>>
>> Hmm, the "NIS Domain" setting is a drop-down menu. When I choose
>> mydomain (in lower case this time) a UID Number is automatically
>> assigned, when I choose <none> the fields are greyed out. So "no
>> uidNumber" and "should show your domain name" don't work at the same
>> time. Or should I choose mydomain and delete the remaining field
>> entries?
> If the windows machine that ADUC is running on is joined to the domain,
> it normally allows you to set the domain on the 'Unix Attributes' tab
> and setting this, fills in all the other boxes (uidNumber etc)

Sorry for asking this twice, I just wanted to see if I understood
everything correctly.

So, to summarize the discussion: System accounts should not have rfc2307
IDs, only (unprivileged) users should. The Administrator account is the
exception. It can be mapped to root through the "username map" directive

Today, I followed the wiki page
<https://wiki.samba.org/index.php/User_home_drives> with all the
prerequisites. Unfortunately, the automatic home folder creation still
does not work. So I checked all my logs and I guess I have another
problem with DDNS and DHCP:

Oct 17 16:15:41 addc01 named[6074]: samba_dlz: starting transaction on zone 6.168.192.in-addr.arpa
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: spnego update failed
Oct 17 16:15:41 addc01 named[6074]: client 127.0.0.1#59487/key rndc-key: updating zone '6.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: cancelling transaction on zone 6.168.192.in-addr.arpa
Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPREQUEST for 192.168.6.56 from 00:0c:29:3c:4c:bc (Admin-PC) via ens32
Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPACK on 192.168.6.56 to 00:0c:29:3c:4c:bc (Admin-PC) via ens32
Oct 17 16:15:41 addc01 dhcpd[6062]: Unable to add reverse map from 56.6.168.192.in-addr.arpa. to Admin-PC.mydomain.lan: REFUSED

This translates into missing PTR records of my two virtual PCs in the
DNS (configured to get their IPs over DHCP). Can this be related to my
first problem or has this other side effects?

When I run the command samba_dnsupdate --verbose --all-names everything
looks fine.

Is this a known issue/mistake in the configuration?

Best regards

Udo

>
> Rowland
>
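To make the DDNS failure described in the mail above easier to triage on a DC with more than two clients, here is an added example (not from this thread, and not Samba's or ISC's code). It reads the named and dhcpd syslog lines, pairs every DHCPACK with any refused reverse-map update for the same address, and counts named's refusals by the key and zone named in the log line, so the report shows which leased hosts have no PTR record and which signing key the refused updates carried. The sample input is the seven lines quoted above, embedded as constructed data; the regular expressions and the report format are my own and cover only the message shapes seen there.

```python
import re
from collections import defaultdict

# Constructed sample input: the named/dhcpd lines quoted in the mail above.
SAMPLE_LOG = """\
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: starting transaction on zone 6.168.192.in-addr.arpa
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: spnego update failed
Oct 17 16:15:41 addc01 named[6074]: client 127.0.0.1#59487/key rndc-key: updating zone '6.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: cancelling transaction on zone 6.168.192.in-addr.arpa
Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPREQUEST for 192.168.6.56 from 00:0c:29:3c:4c:bc (Admin-PC) via ens32
Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPACK on 192.168.6.56 to 00:0c:29:3c:4c:bc (Admin-PC) via ens32
Oct 17 16:15:41 addc01 dhcpd[6062]: Unable to add reverse map from 56.6.168.192.in-addr.arpa. to Admin-PC.mydomain.lan: REFUSED
"""

# Patterns written against the lines above (my own, not an exhaustive dhcpd/named grammar).
ACK_RE = re.compile(r"dhcpd\[\d+\]: DHCPACK on (\S+) to (\S+) \((\S+)\)")
REVFAIL_RE = re.compile(r"dhcpd\[\d+\]: Unable to add reverse map from (\S+) to (\S+): (\w+)")
NAMED_FAIL_RE = re.compile(
    r"named\[\d+\]: client (\S+)/key (\S+): updating zone '([^']+)': update failed: (.*)")


def ptr_name_to_ip(ptr_name):
    """'56.6.168.192.in-addr.arpa.' -> '192.168.6.56' (IPv4 reverse names only)."""
    labels = ptr_name.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 reverse name: {ptr_name}")
    return ".".join(reversed(labels[:-2]))


def analyse_ddns_log(log_text):
    """Correlate DHCP leases with failed reverse-map updates and named's refusals."""
    leases = {}                 # ip -> (mac, hostname) from DHCPACK
    missing_ptr = {}            # ip -> (fqdn, rcode) from dhcpd's reverse-map failures
    refused = defaultdict(int)  # (key name, zone) -> number of refused updates
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = REVFAIL_RE.search(line)
        if m:
            missing_ptr[ptr_name_to_ip(m.group(1))] = (m.group(2), m.group(3))
            continue
        m = NAMED_FAIL_RE.search(line)
        if m:
            refused[(m.group(2), m.group(3))] += 1
    return {"leases": leases, "missing_ptr": missing_ptr, "refused": dict(refused)}


def report(result):
    """Human-readable summary: leased hosts without a PTR, and what named refused."""
    lines = []
    for ip, (fqdn, rcode) in sorted(result["missing_ptr"].items()):
        mac, host = result["leases"].get(ip, ("?", "?"))
        lines.append(f"no PTR for {ip} ({host}, {mac}): reverse map to {fqdn} failed with {rcode}")
    for (key, zone), n in sorted(result["refused"].items()):
        lines.append(f"named refused {n} update(s) to zone {zone} signed with key '{key}'")
    return lines


if __name__ == "__main__":
    for line in report(analyse_ddns_log(SAMPLE_LOG)):
        print(line)
```

Feed it the DC's syslog (for example the output of journalctl -u named -u isc-dhcp-server) instead of SAMPLE_LOG; the first report line names the host whose PTR is missing, and the second shows that the refused update was signed with rndc-key, which is the credential named reports in the quoted log line.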