Alnis Morics
2017-Feb-06 09:11 UTC
[Samba] Regular users can't log in to Samba AD DC from Windows
Thank you, Rowland, for the reply.

On 02/06/2017 10:44, Rowland Penny via samba wrote:
> On Mon, 6 Feb 2017 10:07:18 +0200
> Alnis Morics via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I continue setting up my FreeBSD 11.0 machine with Samba 4.4.9 built
>> from sources. (Actually, OS type and Samba version don't matter so
>> much, as I have the same problem with Debian Jessie and Samba 4.5.5)
>>
>> I followed the Wiki very closely. Some details from provisioning:
>
> Did you run the provision command like this:
>
> samba-tool domain provision --use-rfc2307 --interactive

yes

>>
>> [samba-share]
>> path = /samba-share
>> read only = no
>>
>
> Have you set up the libnss_winbind links ?

yes:

ln -s /usr/local/samba/lib/nss_winbind.so.1 /usr/local/lib/nss/
ln -s /usr/local/samba/lib/nss_winbind.so.1 /usr/local/lib/nss/nss_winbind.so
ldconfig

And the nss tests as per Wiki seem to pass:

wbinfo --ping-dc
checking the NETLOGON for domain[RW] dc connection to "samba4-pfbsd.rw.lan" succeeded

# getent passwd Administrator
RW\administrator:*:0:20::/home/administrator:/usr/sbin/nologin

# getent passwd user1
RW\user1:*:3000017:20:User1 Tester1:/home/user1:/usr/sbin/nologin

# getent group "Domain Users"
RW\domain users:x:20

# touch testfile
# ll testfile
-rw-r--r--  1 root  wheel  0 Jan 28 19:25 testfile
# chown user1:"domain users" testfile
# ll testfile
-rw-r--r--  1 RW\user1  staff  0 Jan 28 19:25 testfile

Only I would expect that regular users' GID numbers are not within 0-1000, but I don't know.

>
>>
>> Next, I successfully joined a Windows 10 Enterprise machine and
>> logged in as a domain administrator. I can access the file share,
>> write to it, set Windows permissions.
>>
>> But when I open ADUC and click a user properties, I only have 5 tabs
>> there (Environment, Sessions, Remote control, Remote Desktop Service
>> Profile, COM+), and I can't add any other user.
>> Windows just says nothing but from Samba logs I see something like this:
>
> This is a windows 10 problem, do a search on 'windows 10 missing tabs'
>
> Rowland
Rowland Penny
2017-Feb-06 09:48 UTC
[Samba] Regular users can't log in to Samba AD DC from Windows
On Mon, 6 Feb 2017 11:11:09 +0200
Alnis Morics via samba <samba at lists.samba.org> wrote:

> Thank you, Rowland, for the reply.
>
> And the nss tests as per Wiki seem to pass:
>
> # getent passwd Administrator
> RW\administrator:*:0:20::/home/administrator:/usr/sbin/nologin
>
> # getent passwd user1
> RW\user1:*:3000017:20:User1 Tester1:/home/user1:/usr/sbin/nologin

The above is interesting, you don't have a template homedir line in
smb.conf but you have '/home/username' instead of '/home/RW/username'

>
> # getent group "Domain Users"
> RW\domain users:x:20
>
> # touch testfile
> # ll testfile
> -rw-r--r--  1 root  wheel  0 Jan 28 19:25 testfile
> # chown user1:"domain users" testfile
> # ll testfile
> -rw-r--r--  1 RW\user1  staff  0 Jan 28 19:25 testfile
>
> Only I would expect that regular users' GID numbers are not within
> 0-1000, but I don't know.
>

On a Samba AD DC, 'Domain Users' should be mapped to the users group
(on Debian anyway, could be a different group on freebsd), but your
example seems to show that it is mapped to the group 'staff'.

Here is the big thing that people seem to find hard to understand: when
asking for the user's info with 'getent passwd' the user's gidNumber
attribute is ignored; in fact, the user doesn't need to have a
gidNumber. In AD, all users are members of 'Domain Users' and this group
is used as the Unix user's primary group.

Rowland
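The point Rowland makes above (the primary GID that `getent passwd` reports for a domain user is the GID of 'Domain Users', not the user's own gidNumber) is easy to verify mechanically, and the same pass can surface what the poster's output also shows: domain identities that share a numeric id with a local Unix account (Administrator on uid 0 alongside root, 'Domain Users' on gid 20 alongside FreeBSD's `staff`). The script below is an added example written for this page, not code from the thread or from the Samba project. It parses passwd(5)/group(5)-style lines as `getent` prints them and reports (a) domain users whose primary gid is not the 'Domain Users' gid and (b) domain uids/gids already held by a local entry. The sample input is constructed from the lines quoted in the thread plus two typical FreeBSD local entries (`root`, `staff`); it assumes winbind's default backslash separator, which the thread's `RW\user1` output uses. Whether a shared id is acceptable (it is what the thread shows for Administrator on a DC) is for the administrator to judge; the script only reports it.

```python
"""Cross-check winbind NSS output against local Unix accounts (added example)."""
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the `getent` lines quoted in the thread plus two
# typical FreeBSD local entries so the cross-check has local ids to compare
# against. This is not real output captured from the poster's machine.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
RW\\administrator:*:0:20::/home/administrator:/usr/sbin/nologin
RW\\user1:*:3000017:20:User1 Tester1:/home/user1:/usr/sbin/nologin
"""

SAMPLE_GROUP = """\
wheel:*:0:root
staff:*:20:root
RW\\domain users:x:20:
"""

SEPARATOR = "\\"  # assumption: winbind's default 'winbind separator'
DOMAIN_USERS = "domain users"  # winbind lower-cases names by default


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Parse passwd(5)-style lines: name:pw:uid:gid:gecos:home:shell."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        rows.append({"name": name, "uid": int(uid), "gid": int(gid),
                     "gecos": gecos, "home": home, "shell": shell})
    return rows


def parse_group(text: str) -> List[Dict[str, object]]:
    """Parse group(5)-style lines: name:pw:gid:member,member,..."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        rows.append({"name": name, "gid": int(gid),
                     "members": [m for m in members.split(",") if m]})
    return rows


def is_domain(name: str) -> bool:
    """winbind prefixes domain accounts with DOMAIN<separator>."""
    return SEPARATOR in name


def short_name(name: str) -> str:
    """Strip the DOMAIN\\ prefix and normalise case for comparisons."""
    return name.split(SEPARATOR, 1)[1].lower() if is_domain(name) else name.lower()


def check_mappings(passwd_text: str, group_text: str) -> List[Tuple[str, str, int]]:
    """Return sorted (kind, who, id) findings for the given NSS output."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)

    local_uids = {u["uid"]: u["name"] for u in users if not is_domain(u["name"])}
    local_gids = {g["gid"]: g["name"] for g in groups if not is_domain(g["name"])}
    domain_users_gid: Optional[int] = next(
        (g["gid"] for g in groups
         if is_domain(g["name"]) and short_name(g["name"]) == DOMAIN_USERS), None)

    findings: List[Tuple[str, str, int]] = []
    if domain_users_gid is None:
        findings.append(("missing-domain-users-group", DOMAIN_USERS, -1))
    for g in groups:
        if is_domain(g["name"]) and g["gid"] in local_gids:
            findings.append(("gid-shared-with-local",
                             f'{g["name"]}={local_gids[g["gid"]]}', g["gid"]))
    for u in users:
        if not is_domain(u["name"]):
            continue
        if u["uid"] in local_uids:
            findings.append(("uid-shared-with-local",
                             f'{u["name"]}={local_uids[u["uid"]]}', u["uid"]))
        # Rowland's rule: the primary gid must be the 'Domain Users' gid,
        # regardless of any gidNumber set on the user object.
        if domain_users_gid is not None and u["gid"] != domain_users_gid:
            findings.append(("primary-gid-not-domain-users", u["name"], u["gid"]))
    return sorted(findings)


if __name__ == "__main__":
    # Run on a live box: feed real `getent` output instead of the sample.
    pw = subprocess.run(["getent", "passwd"], capture_output=True, text=True, check=True).stdout
    gr = subprocess.run(["getent", "group"], capture_output=True, text=True, check=True).stdout
    for kind, who, ident in check_mappings(pw, gr):
        print(f"{kind}: {who} ({ident})")
```

On the sample input this reports `gid-shared-with-local: RW\domain users=staff (20)` and `uid-shared-with-local: RW\administrator=root (0)`, and nothing for user1, whose primary gid 20 does equal the 'Domain Users' gid. Note that a plain `getent passwd` may not enumerate domain accounts unless winbind enumeration is enabled; if it does not, concatenate the output of `getent passwd <user>` / `getent group "Domain Users"` for the accounts you care about and feed that to `check_mappings` instead.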
Alnis Morics
2017-Feb-06 10:57 UTC
[Samba] Regular users can't log in to Samba AD DC from Windows
On 02/06/2017 11:48, Rowland Penny via samba wrote:
> On Mon, 6 Feb 2017 11:11:09 +0200
> Alnis Morics via samba <samba at lists.samba.org> wrote:
>
>> Thank you, Rowland, for the reply.
>>
>> And the nss tests as per Wiki seem to pass:
>>
>> # getent passwd Administrator
>> RW\administrator:*:0:20::/home/administrator:/usr/sbin/nologin
>>
>> # getent passwd user1
>> RW\user1:*:3000017:20:User1 Tester1:/home/user1:/usr/sbin/nologin
>
> The above is interesting, you don't have a template homedir line in
> smb.conf but you have '/home/username' instead of '/home/RW/username'

Oh, yes, didn't notice that. But the directory doesn't actually exist. I guess it would be created on first logon, which has not yet occurred? And I can't log in with it locally (I would need PAM configured for it, right?). Although, when I create a FreeBSD user ("pw useradd testuser -m /home/testuser"), the home directory is immediately created without logging in.

I tried now to create a user explicitly telling the home directory:

samba-tool user create user2 Pa$$w0rd --surname=Tester2 --given-name=User2 --mail-address=user2 at rw.lan --home-directory=/home/RW/user2

getent passwd user2
RW\user2:*:3000020:20:User2 Tester2:/home/RW/user2:/usr/sbin/nologin

But otherwise nothing changes: the directory isn't created, and I can't log in from Windows. And the logs repeat the same thing.

>
>> # getent group "Domain Users"
>> RW\domain users:x:20
>>
>> # touch testfile
>> # ll testfile
>> -rw-r--r--  1 root  wheel  0 Jan 28 19:25 testfile
>> # chown user1:"domain users" testfile
>> # ll testfile
>> -rw-r--r--  1 RW\user1  staff  0 Jan 28 19:25 testfile
>>
>> Only I would expect that regular users' GID numbers are not within
>> 0-1000, but I don't know.
>>
>
> On a Samba AD DC, 'Domain Users' should be mapped to the users group
> (on Debian anyway, could be a different group on freebsd), but your
> example seems to show that it is mapped to the group 'staff'.

Yes, there's a group "staff" in /etc/group with GID number 20. Ok, so that shouldn't be a problem.

>
> Here is the big thing that people seem to find hard to understand: when
> asking for the user's info with 'getent passwd' the user's gidNumber
> attribute is ignored; in fact, the user doesn't need to have a
> gidNumber. In AD, all users are members of 'Domain Users' and this group
> is used as the Unix user's primary group.
>
> Rowland