On Sun, 1 Jan 2017 11:51:26 +0100 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2016-12-31 at 13:14, Rowland Penny via samba wrote:
>
> >> "wbinfo -u" brings users now.
> >
> > Next step, does 'getent passwd a_username' show anything ?
>
> yes! On the member server:
>
> main ~ # grep ads1 /etc/passwd
>
> main ~ # getent passwd ads1
> ads1:*:13112:10513::/home/ARBEITSGRUPPE/ads1:/bin/false

Are these the numbers you want to use ? I ask this because you are using the 'rid' backend, but will probably also have uidNumber & gidNumber attributes in AD.

> This is a newly created user in the AD.
>
> As mentioned old users are in /etc/passwd on the member server from
> the time when it was the NT4-PDC. I might/should remove them from
> that file now?

Oh definitely 'should' ;-)

if you look in /etc/nsswitch.conf, the passwd line will be something like this:

passwd: compat winbind

This means that /etc/passwd will be checked first and any users found there will be used instead of from AD, also you should not be able to create new users in AD if they already exist in /etc/passwd. You only need users and groups stored in one place and that is AD.

> >> Maybe I come back with another issue later, we saw permission
> >> problems at editing GPOs. "sysvolreset" and "sysvolcheck" done OK
> >> already.
> >
> > What problem are you having ?
>
> I have to re-test that onsite in the next days, I am currently at home
> and have no RSAT-tools at hand. When we edited group policy objects we
> got some "access denied", I can't remember the specific "path" now. We
> will test that in the next days and I report back.

You will probably need to give Domain Admins the disk operator privilege:

net rpc rights grant DOMAIN\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator

> Aside from that it looks to me as if that migration (NT4 domain -> AD
> domain) is pretty much done?
>
> -- have a happy new year everyone!
>
> Stefan

May I echo that sentiment, may the new year bring you everything you wish for.

Rowland
Stefan G. Weichinger
2017-Jan-01 11:46 UTC
[Samba] ADS domain member: winbind fails [SOLVED]
On 2017-01-01 at 12:25, Rowland Penny via samba wrote:

>> main ~ # getent passwd ads1
>> ads1:*:13112:10513::/home/ARBEITSGRUPPE/ads1:/bin/false
>
> Are these the numbers you want to use ?
> I ask this because you are using the 'rid' backend, but will probably
> also have uidNumber & gidNumber attributes in AD.

As mentioned before:

"rid" is only chosen because I switched to that while trying to make things work. No decision made here.

And the numbers: same. Just copy and paste from the wiki, no choice made.

>> As mentioned old users are in /etc/passwd on the member server from
>> the time when it was the NT4-PDC. I might/should remove them from
>> that file now?
>
> Oh definitely 'should' ;-)
>
> if you look in /etc/nsswitch.conf, the passwd line will be something
> like this:
>
> passwd: compat winbind
>
> This means that /etc/passwd will be checked first and any users found
> there will be used instead of from AD, also you should not be able to
> create new users in AD if they already exist in /etc/passwd. You only
> need users and groups stored in one place and that is AD.

So that scares me again. rm-ing users from /etc/passwd will now change their UIDs because it gets them from winbindd/AD then?

In passwd I have UIDs up from 1000 as usual.

I don't *have* to maintain the old UIDs, the admin there is perfectly happy if we start over with new ones and just do the initial "chown" and "chmod" if needed .... they just share one fat share within one group basically (sounds like overkill, right? ;-) )

> You will probably need to give Domain Admins the disk operator
> privilege:
>
> net rpc rights grant DOMAIN\\"Domain Admins"
> SeDiskOperatorPrivilege -UAdministrator

gives me:

Failed to grant privileges for ARBEITSGRUPPE\Domain Admins (NT_STATUS_ACCESS_DENIED)

is "rpc" correct here?

> May I echo that sentiment, may the new year bring you everything you
> wish for.

thanks a lot!
Stefan G. Weichinger
2017-Jan-01 11:49 UTC
[Samba] ADS domain member: winbind fails [SOLVED]
On 2017-01-01 at 12:25, Rowland Penny via samba wrote:

> You will probably need to give Domain Admins the disk operator
> privilege:
>
> net rpc rights grant DOMAIN\\"Domain Admins"
> SeDiskOperatorPrivilege -UAdministrator

update: had to run that on the DC, worked.

tests with RSAT tomorrow or so.
On Sun, 1 Jan 2017 12:46:54 +0100 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2017-01-01 at 12:25, Rowland Penny via samba wrote:
> >> main ~ # getent passwd ads1
> >> ads1:*:13112:10513::/home/ARBEITSGRUPPE/ads1:/bin/false
> >
> > Are these the numbers you want to use ?
> > I ask this because you are using the 'rid' backend, but will
> > probably also have uidNumber & gidNumber attributes in AD.
>
> As mentioned before:
>
> "rid" is only chosen because I switched to that while trying to make
> things work. No decision made here.
>
> And the numbers: same. Just copy and paste from the wiki, no choice
> made.
>
> >> As mentioned old users are in /etc/passwd on the member server from
> >> the time when it was the NT4-PDC. I might/should remove them from
> >> that file now?
> >
> > Oh definitely 'should' ;-)
> >
> > if you look in /etc/nsswitch.conf, the passwd line will be something
> > like this:
> >
> > passwd: compat winbind
> >
> > This means that /etc/passwd will be checked first and any users
> > found there will be used instead of from AD, also you should not be
> > able to create new users in AD if they already exist
> > in /etc/passwd. You only need users and groups stored in one place
> > and that is AD.
>
> So that scares me again. rm-ing users from /etc/passwd will now change
> their UIDs because it gets them from winbindd/AD then?

Try checking in AD, as you have classicupgraded, your users should have uidNumber attributes. Find the lowest and the highest, do the same for groups and if you change to the 'ad' backend and set the range based on your lowest and highest numbers (remembering you will probably want to add new users, so add something to the highest number), you should get the same IDs you had on the PDC. You will have to remove the users from /etc/passwd though.

The ranges on the wiki were chosen for: the '*' range starts at 2000 so that it allows for any local Unix users & groups you may require, it ends at 9999.
The 'DOMAIN' range starts at 10000, this is where ADUC starts from, you can end it where you like.

The whole idea behind AD is having just one place to maintain users, so you do not and should not have users in multiple databases.

> In passwd I have UIDs up from 1000 as usual.
>
> I don't *have* to maintain the old UIDs, the admin there is perfectly
> happy if we start over with new ones and just do the initial "chown"
> and "chmod" if needed .... they just share one fat share within one
> group basically (sounds like overkill, right? ;-) )
>

You may feel that you need to renumber your users, but this will have to be your decision, it all boils down to what works for you ;-)

Rowland
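An added example, not from the thread: Python helpers (my own; the function names and all sample data are assumptions) illustrating Rowland's two points, how leftover /etc/passwd entries shadow AD accounts under 'passwd: compat winbind', and how an 'ad' backend idmap range follows from the uidNumber/gidNumber values in AD. The passwd snippet and the ID values are constructed; on a real member server you would feed in 'getent passwd', 'wbinfo -u' and the attribute values read from AD.

```python
# Added example (not from the thread): checks for the two points Rowland makes.
# Sample data is constructed; feed in 'getent passwd', 'wbinfo -u' and AD
# uidNumber/gidNumber values on a real member server instead.

# Constructed /etc/passwd remnant from the NT4-PDC days plus system users.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1001:1000:Alice:/home/alice:/bin/bash
bob:x:1002:1000:Bob:/home/bob:/bin/bash
"""
AD_USERS = ["alice", "bob", "ads1"]    # constructed 'wbinfo -u' names
AD_UIDNUMBERS = [1001, 1002, 1005]     # constructed uidNumber values from AD
AD_GIDNUMBERS = [1000, 1003]           # constructed gidNumber values from AD

def shadowed_users(passwd_text, ad_users):
    """AD accounts that also exist locally. With 'passwd: compat winbind' the
    /etc/passwd entry wins, so the AD identity is never used until removed."""
    local = {line.split(":")[0] for line in passwd_text.splitlines() if line}
    return sorted(local & set(ad_users))

def rid_to_id(rid, range_low):
    """The 'rid' backend computes ID = RID + low end of the DOMAIN range; with
    the wiki's 10000 base, Domain Users (RID 513) becomes gid 10513, matching
    the gid shown for ads1 above. The IDs come from the RID, not from AD."""
    return range_low + rid

def ad_idmap_range(uidnumbers, gidnumbers, headroom=1000):
    """Range for the 'ad' backend: lowest and highest uidNumber/gidNumber in
    AD, plus headroom above the top for accounts created later."""
    ids = list(uidnumbers) + list(gidnumbers)
    return min(ids), max(ids) + headroom

def idmap_config(domain, uidnumbers, gidnumbers, default_range=(2000, 9999)):
    """smb.conf idmap lines for the 'ad' backend. The '*' and DOMAIN ranges
    must not overlap; classicupgraded IDs starting at 1000 collide with the
    wiki's 2000-9999 '*' range, so that range has to be moved first."""
    low, high = ad_idmap_range(uidnumbers, gidnumbers)
    if low <= default_range[1] and default_range[0] <= high:
        raise ValueError(f"{domain} range {low}-{high} overlaps '*' range {default_range}")
    return [
        "idmap config * : backend = tdb",
        f"idmap config * : range = {default_range[0]}-{default_range[1]}",
        f"idmap config {domain} : backend = ad",
        f"idmap config {domain} : schema_mode = rfc2307",
        f"idmap config {domain} : range = {low}-{high}",
    ]
```

With the constructed data the default '*' range is rejected, which is the trap a classicupgrade with IDs from 1000 upward walks into; pass a non-overlapping default_range to get the rendered lines.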