Hello Rowland,

On 17.10.2016 at 18:06, Rowland Penny via samba wrote:
> See inline comments:
>
> On Mon, 17 Oct 2016 17:14:43 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>
>> So, to summarize the discussion:
>>
>> System accounts should not have rfc2307 IDs, only (unprivileged)
>> users should. The Administrator account is the exception. It can be
>> mapped to root through the "username map" directive
> Basically yes, you can also give Domain Admins a gidNumber and then
> make any users you want to be admins, members of this group.
>
>> Today, I followed the wiki page
>> <https://wiki.samba.org/index.php/User_home_drives> with all the
>> prerequisites. Unfortunately, the automatic home folder creation
>> still does not work.
> Just followed it myself and it does work against a Samba fileserver.

Hmm, then I must be doing it wrong somehow ... :-[

> Where do you expect the home directory to be created ?

On the Samba member server as defined in the [home] share definition
(and also as defined in the user profile (home drive/home share))

> Is it on a Samba machine and if so what have you got in smb.conf ?

Here comes my smb.conf of the member server == file server

[global]
netbios name = FILESERVER2
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.LAN
server string = Virtual Server

log level = 5
log file = /var/log/samba/%m.log

password server = 192.168.6.8

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

username map = /etc/samba/user.map

;; Use settings from AD for login shell and home directory
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind cache time = 60

;; Default idmap config used for BUILTIN and local accounts/groups
idmap config * : backend = tdb
idmap config * : range = 2000-9999

;; idmap config for domain MYDOMAIN
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

template homedir = /var/share/samba/homes/%U

[home]
path = /var/share/samba/homes
guest ok = no
read only = no
browseable = yes

[profiles]
path = /var/share/samba/profiles
read only = no
store dos attributes = yes
create mask = 0600
directory mask = 0700
guest ok = no
profile acls = yes
csc policy = disable

>> So I checked all my logs and I guess I have
>> another problem with DDNS and DHCP:
>>
>> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: starting transaction on zone 6.168.192.in-addr.arpa
>> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: spnego update failed
>> Oct 17 16:15:41 addc01 named[6074]: client 127.0.0.1#59487/key rndc-key: updating zone '6.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
>> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: cancelling transaction on zone 6.168.192.in-addr.arpa
>> Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPREQUEST for 192.168.6.56 from 00:0c:29:3c:4c:bc (Admin-PC) via ens32
>> Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPACK on 192.168.6.56 to 00:0c:29:3c:4c:bc (Admin-PC) via ens32
>> Oct 17 16:15:41 addc01 dhcpd[6062]: Unable to add reverse map from 56.6.168.192.in-addr.arpa. to Admin-PC.mydomain.lan: REFUSED
>>
> Are you running the dhcp server on the DC along with Bind9 ?

Yes, I do.

> If so, please post your dhcpd.conf

This is my dhcpd.conf

include "/etc/dhcp/ddns-keys/rndc.key";
update-static-leases on;
allow unknown-clients;
use-host-decl-names on;
default-lease-time 3600;

zone mydomain.lan. {
    primary 127.0.0.1;    # This server is the primary DNS server for the zone
    key rndc-key;         # Use the key we defined earlier for dynamic updates
}

zone 6.168.192.in-addr.arpa. {
    primary 127.0.0.1;    # This server is the primary reverse DNS server for the zone
    key rndc-key;         # Use the key we defined earlier for dynamic updates
}

subnet 192.168.6.0 netmask 255.255.255.0 {
    range 192.168.6.16 192.168.6.63;
    authoritative;
    option subnet-mask 255.255.255.0;
    option routers 192.168.6.1;
    option domain-name-servers 192.168.6.8;
    option domain-name "mydomain.lan";
    ddns-domainname "mydomain.lan.";
    # ddns-rev-domainname "6.168.192.in-addr.arpa.";
    ddns-rev-domainname "in-addr.arpa.";
}

ddns-update-style interim;
max-lease-time 7200;
authoritative;
log-facility local7;

My intention was to have static addresses for the DC(s) and the file
server(s) from 192.168.6.1 - 192.168.6.15 and use DHCP for the Windows 7
Workstations (easier to roll out).

Best regards

Udo

>> This translates into missing PTR records of my two virtual PCs in the
>> DNS (configured to get their IPs over DHCP). Can this be related to
>> my first problem or has this other side effects?
>>
> Not having reverse records isn't going to help, but I don't think this is
> your problem.
>
> Rowland
See inline comments:

On Mon, 17 Oct 2016 23:09:34 +0200
Udo Willke via samba <samba at lists.samba.org> wrote:

> Hello Rowland,
>
>>>> Today, I followed the wiki page
>>>> <https://wiki.samba.org/index.php/User_home_drives> with all the
>>>> prerequisites. Unfortunately, the automatic home folder creation
>>>> still does not work.
>>> Just followed it myself and it does work against a Samba fileserver.
> Hmm, then I must be doing it wrong somehow ... :-[
>
>> Where do you expect the home directory to be created ?
>
> On the Samba member server as defined in the [home] share definition
> (and also as defined in the user profile (home drive/home share))
>
>> Is it on a Samba machine and if so what have you got in smb.conf ?
>
> Here comes my smb.conf of the member server == file server
>
> [global]
> netbios name = FILESERVER2
> security = ADS
> workgroup = MYDOMAIN
> realm = MYDOMAIN.LAN
> server string = Virtual Server
>
> log level = 5
> log file = /var/log/samba/%m.log
>
> password server = 192.168.6.8
>

It would be better if you let Samba find the AD DC

> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> username map = /etc/samba/user.map
>
> ;; Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> winbind cache time = 60
>
> ;; Default idmap config used for BUILTIN and local accounts/groups
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
>
> ;; idmap config for domain MYDOMAIN
> idmap config MYDOMAIN : backend = ad
> idmap config MYDOMAIN : schema_mode = rfc2307
> idmap config MYDOMAIN : range = 10000-99999
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> template homedir = /var/share/samba/homes/%U

If you want to use the template line, you do not need the 'schema_mode'
line in 'idmap config'

>
> [home]
> path = /var/share/samba/homes
> guest ok = no
> read only = no
> browseable = yes

Sure you are following the wiki page ?, just where on that page does it
tell you to add 'guest ok' and 'browseable' lines ??

> [profiles]
> path = /var/share/samba/profiles
> read only = no
> store dos attributes = yes
> create mask = 0600
> directory mask = 0700
> guest ok = no
> profile acls = yes
> csc policy = disable
>

There is also a wiki page on setting up the profile share, see here:

https://wiki.samba.org/index.php/Implementing_roaming_profiles

I would look at the 'shares' wiki page again, follow it to the letter,
adding the users & groups shown, removing any others not shown and see
if you can make it work.

Rowland
Hello Rowland,

the home folder creation works now(!) It was a misunderstanding on my
side. The key phrase in the wiki is:

"Close the users properties window with „OK“ to save the modification.
**The users home directory is created on the fly during the save
processes.**"

This is a different behaviour than with the "profiles" folders, which are
created during the first login with a new account. I thought it would be
the same mechanism with the home shares too, which was wrong. Sorry for
taking so much of your time.

Does folder creation also work when I create user accounts on the linux
side with samba-tool

samba-tool user create kbuwi first_time_passwd \
    --userou=CN=Users \
    --surname="Willke" \
    --given-name="Udo" \
    --profile-path="\\\\fileserver\\profiles\\kbudwi" \
    --home-drive="H" \
    --home-directory="\\\\fileserver\\home\\kbudwi" \
    --job-title="IT Specialist" \
    --department="Some Department" \
    --company="Some Company" \
    --description="Some Description" \
    --mail-address="Udo.Willke at somedomain.edu" \
    --internet-address="http://somedomain.edu/somepage" \
    --telephone-number="+49 123/4567890" \
    --physical-delivery-office="Some Office" \
    --nis-domain="mydomain" \
    --unix-home="/var/share/samba/homes/kbudwi" \
    --uid="$USERNAME" \
    --uid-number="$uidNumber" \
    --gid-number="$gidNumber" \
    --gecos="$PRENAME $NAME" \
    --login-shell="/bin/false" \
    --must-change-at-next-login

Is the command meant to be used in this way?

What I also noticed is that wbinfo has the --allocate-gid and
--allocate-uid options, which could be used to assign the $uidNumber and
$gidNumber variables in my script. However, "samba-tool user create" is
supposed to run as "root" on the DC, while "wbinfo --allocate-gid" seems
to give results only on the member server. Is there a possibility to run
everything on the same machine? OK, the obvious solution is to execute
it remotely over ssh.

Many thanks again and best regards

Udo

On 17.10.2016 at 23:26, Rowland Penny via samba wrote:
> See inline comments:
>
> On Mon, 17 Oct 2016 23:09:34 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>
>> Hello Rowland,
>>
>>>>> Today, I followed the wiki page
>>>>> <https://wiki.samba.org/index.php/User_home_drives> with all the
>>>>> prerequisites. Unfortunately, the automatic home folder creation
>>>>> still does not work.
>>>> Just followed it myself and it does work against a Samba fileserver.
>> Hmm, then I must be doing it wrong somehow ... :-[
>>> Where do you expect the home directory to be created ?
>> On the Samba member server as defined in the [home] share definition
>> (and also as defined in the user profile (home drive/home share))
>>
>>> Is it on a Samba machine and if so what have you got in smb.conf ?
>> Here comes my smb.conf of the member server == file server
>>
>> [global]
>> netbios name = FILESERVER2
>> security = ADS
>> workgroup = MYDOMAIN
>> realm = MYDOMAIN.LAN
>> server string = Virtual Server
>>
>> log level = 5
>> log file = /var/log/samba/%m.log
>>
>> password server = 192.168.6.8
>>
> It would be better if you let Samba find the AD DC
>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> username map = /etc/samba/user.map
>>
>> ;; Use settings from AD for login shell and home directory
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = no
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = Yes
>> winbind cache time = 60
>>
>> ;; Default idmap config used for BUILTIN and local accounts/groups
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>>
>> ;; idmap config for domain MYDOMAIN
>> idmap config MYDOMAIN : backend = ad
>> idmap config MYDOMAIN : schema_mode = rfc2307
>> idmap config MYDOMAIN : range = 10000-99999
>>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>>
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> template homedir = /var/share/samba/homes/%U
> If you want to use the template line, you do not need the 'schema_mode'
> line in 'idmap config'
>
>>
>> [home]
>> path = /var/share/samba/homes
>> guest ok = no
>> read only = no
>> browseable = yes
> Sure you are following the wiki page ?, just where on that page does it
> tell you to add 'guest ok' and 'browseable' lines ??
>
>> [profiles]
>> path = /var/share/samba/profiles
>> read only = no
>> store dos attributes = yes
>> create mask = 0600
>> directory mask = 0700
>> guest ok = no
>> profile acls = yes
>> csc policy = disable
> There is also a wiki page on setting up the profile share, see here:
>
> https://wiki.samba.org/index.php/Implementing_roaming_profiles
>
> I would look at the 'shares' wiki page again, follow it to the letter,
> adding the users & groups shown, removing any others not shown and see
> if you can make it work.
>
> Rowland
>
Just one thing..

> --profile-path="\\\\fileserver\\profiles\\kbudwi" \
> --home-directory="\\\\fileserver\\home\\kbudwi" \

Use FQDN. ="\\\\fileserver.domain.tld\\....

https://technet.microsoft.com/en-us/library/cc974331(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc794753(v=ws.10).aspx

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Udo Willke via
> samba
> Sent: Tuesday, 18 October 2016 11:37
> To: samba at lists.samba.org
> Subject: Re: [Samba] Unable to set up home share correctly
>
> Hello Rowland,
>
> the home folder creation works now(!) It was a misunderstanding on my
> side. The key phrase in the wiki is:
>
> "Close the users properties window with „OK“ to save the modification.
> **The users home directory is created on the fly during the save
> processes.**"
>
> This is a different behaviour than with the "profiles" folders, which are
> created during the first login with a new account. I thought it would be
> the same mechanism with the home shares too, which was wrong. Sorry for
> taking so much of your time.
>
> Does folder creation also work when I create user accounts on the linux
> side with samba-tool
>
> samba-tool user create kbuwi first_time_passwd \
>     --userou=CN=Users \
>     --surname="Willke" \
>     --given-name="Udo" \
>     --profile-path="\\\\fileserver\\profiles\\kbudwi" \
>     --home-drive="H" \
>     --home-directory="\\\\fileserver\\home\\kbudwi" \
>     --job-title="IT Specialist" \
>     --department="Some Department" \
>     --company="Some Company" \
>     --description="Some Description" \
>     --mail-address="Udo.Willke at somedomain.edu" \
>     --internet-address="http://somedomain.edu/somepage" \
>     --telephone-number="+49 123/4567890" \
>     --physical-delivery-office="Some Office" \
>     --nis-domain="mydomain" \
>     --unix-home="/var/share/samba/homes/kbudwi" \
>     --uid="$USERNAME" \
>     --uid-number="$uidNumber" \
>     --gid-number="$gidNumber" \
>     --gecos="$PRENAME $NAME" \
>     --login-shell="/bin/false" \
>     --must-change-at-next-login
>
> Is the command meant to be used in this way?
>
> What I also noticed is that wbinfo has the --allocate-gid and
> --allocate-uid options, which could be used to assign the $uidNumber and
> $gidNumber variables in my script. However, "samba-tool user create" is
> supposed to run as "root" on the DC, while "wbinfo --allocate-gid" seems
> to give results only on the member server. Is there a possibility to run
> everything on the same machine? OK, the obvious solution is to execute
> it remotely over ssh.
>
> Many thanks again and best regards
>
> Udo
>
> On 17.10.2016 at 23:26, Rowland Penny via samba wrote:
>> See inline comments:
>>
>> On Mon, 17 Oct 2016 23:09:34 +0200
>> Udo Willke via samba <samba at lists.samba.org> wrote:
>>
>>> Hello Rowland,
>>>
>>>>>> Today, I followed the wiki page
>>>>>> <https://wiki.samba.org/index.php/User_home_drives> with all the
>>>>>> prerequisites. Unfortunately, the automatic home folder creation
>>>>>> still does not work.
>>>>> Just followed it myself and it does work against a Samba fileserver.
>>> Hmm, then I must be doing it wrong somehow ... :-[
>>>> Where do you expect the home directory to be created ?
>>> On the Samba member server as defined in the [home] share definition
>>> (and also as defined in the user profile (home drive/home share))
>>>
>>>> Is it on a Samba machine and if so what have you got in smb.conf ?
>>> Here comes my smb.conf of the member server == file server
>>>
>>> [global]
>>> netbios name = FILESERVER2
>>> security = ADS
>>> workgroup = MYDOMAIN
>>> realm = MYDOMAIN.LAN
>>> server string = Virtual Server
>>>
>>> log level = 5
>>> log file = /var/log/samba/%m.log
>>>
>>> password server = 192.168.6.8
>>>
>> It would be better if you let Samba find the AD DC
>>
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>>
>>> username map = /etc/samba/user.map
>>>
>>> ;; Use settings from AD for login shell and home directory
>>> winbind nss info = rfc2307
>>> winbind trusted domains only = no
>>> winbind use default domain = no
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind refresh tickets = Yes
>>> winbind cache time = 60
>>>
>>> ;; Default idmap config used for BUILTIN and local accounts/groups
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000-9999
>>>
>>> ;; idmap config for domain MYDOMAIN
>>> idmap config MYDOMAIN : backend = ad
>>> idmap config MYDOMAIN : schema_mode = rfc2307
>>> idmap config MYDOMAIN : range = 10000-99999
>>>
>>> vfs objects = acl_xattr
>>> map acl inherit = yes
>>> store dos attributes = yes
>>>
>>> load printers = no
>>> printing = bsd
>>> printcap name = /dev/null
>>> disable spoolss = yes
>>>
>>> template homedir = /var/share/samba/homes/%U
>> If you want to use the template line, you do not need the 'schema_mode'
>> line in 'idmap config'
>>
>>>
>>> [home]
>>> path = /var/share/samba/homes
>>> guest ok = no
>>> read only = no
>>> browseable = yes
>> Sure you are following the wiki page ?, just where on that page does it
>> tell you to add 'guest ok' and 'browseable' lines ??
>>
>>> [profiles]
>>> path = /var/share/samba/profiles
>>> read only = no
>>> store dos attributes = yes
>>> create mask = 0600
>>> directory mask = 0700
>>> guest ok = no
>>> profile acls = yes
>>> csc policy = disable
>> There is also a wiki page on setting up the profile share, see here:
>>
>> https://wiki.samba.org/index.php/Implementing_roaming_profiles
>>
>> I would look at the 'shares' wiki page again, follow it to the letter,
>> adding the users & groups shown, removing any others not shown and see
>> if you can make it work.
>>
>> Rowland
>>
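As an added example (not code from the thread or from the Samba project), a pre-flight check for a scripted "samba-tool user create" like Udo's: it parses the idmap ranges from the member server's smb.conf quoted above, flags ranges that overlap, and checks that the uidNumber/gidNumber the script allocates fall inside the MYDOMAIN range and that the profile and home UNC paths carry an FQDN, as Louis advises. The idmap lines are the ones from the thread; the argument dictionary and the kbudwi paths are constructed sample input.

```python
import re

# Constructed sample: the idmap lines from the member server's smb.conf in the thread.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")  # \\host\share\...; group 1 is the host part


def parse_idmap(conf):
    """Collect the 'idmap config <domain> : key = value' lines per domain."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = cfg.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-"))
            entry["range"] = (lo, hi)
        else:
            entry[key] = val
    return cfg


def overlapping_ranges(cfg):
    """Pairs of domains whose idmap ranges overlap: winbind could then hand the
    same uid/gid to two different SIDs, so file ownership and ACLs collide."""
    doms = [(d, v["range"]) for d, v in cfg.items() if "range" in v]
    clashes = []
    for i, (da, (alo, ahi)) in enumerate(doms):
        for db, (blo, bhi) in doms[i + 1:]:
            if alo <= bhi and blo <= ahi:
                clashes.append((da, db))
    return clashes


def check_user_args(args, cfg, domain="MYDOMAIN"):
    """Problems with a planned samba-tool argument set (option name -> value)."""
    problems = []
    lo, hi = cfg[domain]["range"]
    for key in ("uid-number", "gid-number"):
        val = args.get(key)
        # An rfc2307 ID outside the domain's idmap range is ignored by the 'ad'
        # backend, so the member server could not resolve the user at all.
        if val is None or not val.isdigit() or not lo <= int(val) <= hi:
            problems.append(f"{key}={val!r} is outside {domain} idmap range {lo}-{hi}")
    for key in ("profile-path", "home-directory"):
        m = UNC_RE.match(args.get(key, ""))
        if not m:
            problems.append(f"{key} is not a UNC path")
        elif "." not in m.group(1):
            problems.append(f"{key} uses the short name {m.group(1)!r}; use the FQDN")
    return problems
```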