Alnis Morics
2017-Feb-06 10:57 UTC
[Samba] Regular users can't log in to Samba AD DC from Windows
On 02/06/2017 11:48, Rowland Penny via samba wrote:
> On Mon, 6 Feb 2017 11:11:09 +0200
> Alnis Morics via samba <samba at lists.samba.org> wrote:
>
>> Thank you, Rowland, for the reply.
>>
>> And the nss tests as per Wiki seem to pass:
>>
>> # getent passwd Administrator
>> RW\administrator:*:0:20::/home/administrator:/usr/sbin/nologin
>>
>> # getent passwd user1
>> RW\user1:*:3000017:20:User1 Tester1:/home/user1:/usr/sbin/nologin
>
> The above is interesting, you don't have a template homedir line in
> smb.conf but you have '/home/username' instead of '/home/RW/username'

Oh, yes, didn't notice that. But the directory doesn't actually exist. I guess it would be created on first logon, which has not yet occurred?) And I can't log in with it locally (I would need PAM configured for it, right?)

Although, when I create a FreeBSD user ("pw useradd testuser -m /home/testuser"), the home directory is immediately created without logging in.

I tried now to create a user, explicitly telling the home directory:

samba-tool user create user2 Pa$$w0rd --surname=Tester2 --given-name=User2 --mail-address=user2@rw.lan --home-directory=/home/RW/user2

getent passwd user2
RW\user2:*:3000020:20:User2 Tester2:/home/RW/user2:/usr/sbin/nologin

But otherwise nothing changes: the directory isn't created, and I can't log in from Windows. And the logs repeat the same thing.

>>
>> # getent group "Domain Users"
>> RW\domain users:x:20
>>
>> # touch testfile
>> # ll testfile
>> -rw-r--r-- 1 root wheel 0 Jan 28 19:25 testfile
>> # chown user1:"domain users" testfile
>> # ll testfile
>> -rw-r--r-- 1 RW\user1 staff 0 Jan 28 19:25 testfile
>>
>> Only I would expect that regular users' GID numbers are not within
>> 0-1000, but I don't know.
>>
>
> On a Samba AD DC, 'Domain Users' should be mapped to the users group
> (on Debian anyway, could be a different group on freebsd), but your
> example seems to show that it is mapped to the group 'staff'.

Yes, there's a group "staff" in /etc/group with GID number 20. Ok, so that shouldn't be a problem.

> Here is the big thing that people seem to find hard to understand: when
> asking for the user's info with 'getent passwd', the user's 'gidNumber'
> attribute is ignored, in fact, the user doesn't need to have a
> gidNumber. In AD, all users are members of 'Domain Users' and this group
> is used as the Unix user's primary group.
>
> Rowland
Rowland Penny
2017-Feb-06 11:36 UTC
[Samba] Regular users can't log in to Samba AD DC from Windows
On Mon, 6 Feb 2017 12:57:19 +0200
Alnis Morics via samba <samba at lists.samba.org> wrote:

> On 02/06/2017 11:48, Rowland Penny via samba wrote:
> > On Mon, 6 Feb 2017 11:11:09 +0200
> > Alnis Morics via samba <samba at lists.samba.org> wrote:
> >
> >> Thank you, Rowland, for the reply.
> >>
> >> And the nss tests as per Wiki seem to pass:
> >>
> >> # getent passwd Administrator
> >> RW\administrator:*:0:20::/home/administrator:/usr/sbin/nologin
> >>
> >> # getent passwd user1
> >> RW\user1:*:3000017:20:User1 Tester1:/home/user1:/usr/sbin/nologin
> >
> > The above is interesting, you don't have a template homedir line in
> > smb.conf but you have '/home/username' instead of
> > '/home/RW/username'
>
> Oh, yes, didn't notice that. But the directory doesn't actually
> exist. I guess it would be created on first logon, which has not yet
> occurred?) And I can't log in with it locally (I would need PAM
> configured for it, right?)

Yes, you need to get PAM to create the user's homedir with pam_mkhomedir

> Although, when I create a FreeBSD user ("pw useradd testuser -m
> /home/testuser"), the home directory is immediately created without
> logging in.

That's because you are telling the command to create the homedir

> I tried now to create a user, explicitly telling the home directory:
> samba-tool user create user2 Pa$$w0rd --surname=Tester2
> --given-name=User2 --mail-address=user2@rw.lan
> --home-directory=/home/RW/user2
>
> getent passwd user2
> RW\user2:*:3000020:20:User2 Tester2:/home/RW/user2:/usr/sbin/nologin
>
> But otherwise nothing changes: the directory isn't created, and I can't
> log in from Windows. And the logs repeat the same thing.

samba-tool doesn't create the homedirs, it populates an attribute in AD and PAM reads this and creates the home dir at first login.

> >>
> >> # getent group "Domain Users"
> >> RW\domain users:x:20
> >>
> >> # touch testfile
> >> # ll testfile
> >> -rw-r--r-- 1 root wheel 0 Jan 28 19:25 testfile
> >> # chown user1:"domain users" testfile
> >> # ll testfile
> >> -rw-r--r-- 1 RW\user1 staff 0 Jan 28 19:25 testfile
> >>
> >> Only I would expect that regular users' GID numbers are not
> >> within 0-1000, but I don't know.
> >>
> >
> > On a Samba AD DC, 'Domain Users' should be mapped to the users group
> > (on Debian anyway, could be a different group on freebsd), but your
> > example seems to show that it is mapped to the group 'staff'.
>
> Yes, there's a group "staff" in /etc/group with GID number 20. Ok, so
> that shouldn't be a problem.

On Debian, 'Domain Users' is mapped to ID '100', this is the Unix group 'users', but there is also a Unix group called 'staff' with the ID '50'. So, I think that if AD users get the same permissions as members of the 'staff' group, this shouldn't be a problem.

Rowland
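The two checks Rowland describes above, as an added example that is not part of the thread and not Samba's own code: given passwd(5)-style lines like the `getent passwd` output quoted in this thread, report whether each user's home directory already exists (with pam_mkhomedir it only appears after the first PAM login) and which local group in /etc/group owns the GID that winbind hands out as the primary group for 'Domain Users'. The /etc/group snippet, the root prefix used to stand in for the real filesystem, and the short list of groups treated as privileged are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba code). Parses passwd(5)-style
# lines such as 'getent passwd <user>' on a Samba AD DC and reports:
#   - whether the home directory winbind advertises exists yet
#   - which local /etc/group entry owns the primary GID ('Domain Users')
# Sample /etc/group content and the root prefix are constructed for the demo.
set -u

# Home directory: field 6 of a passwd(5) line.
passwd_home() {
    printf '%s\n' "$1" | awk -F: '{ print $6 }'
}

# Primary GID: field 4. On a Samba AD DC this is the GID of 'Domain Users',
# not the user's own gidNumber attribute (which getent ignores).
passwd_gid() {
    printf '%s\n' "$1" | awk -F: '{ print $4 }'
}

# Name of the local group that owns GID $1 in the group(5) file $2,
# or "unmapped" when no local group uses that number.
group_for_gid() {
    name=$(awk -F: -v g="$1" '$3 == g { print $1; exit }' "$2")
    printf '%s\n' "${name:-unmapped}"
}

# Constructed list of local groups that commonly carry extra rights (su via
# wheel, sudoers entries for sudo/admin). Every domain user would inherit
# them if 'Domain Users' were mapped onto one of these GIDs.
privileged_group() {
    case "$1" in wheel|sudo|admin|operator) return 0 ;; *) return 1 ;; esac
}

# Succeeds when the home directory from passwd line $1 exists under the
# optional root prefix $2 (empty prefix = the real filesystem).
homedir_present() {
    [ -d "${2:-}$(passwd_home "$1")" ]
}

# One status line per passwd entry read from stdin.
# $1 = group(5) file to resolve GIDs against, $2 = root prefix for home dirs.
report() {
    while IFS= read -r line; do
        user=${line%%:*}
        gid=$(passwd_gid "$line")
        grp=$(group_for_gid "$gid" "$1")
        if homedir_present "$line" "${2:-}"; then state=present; else state=missing; fi
        flag=""
        if privileged_group "$grp"; then flag=" PRIVILEGED"; fi
        printf '%-18s gid=%-4s local-group=%-9s home=%s (%s)%s\n' \
            "$user" "$gid" "$grp" "$(passwd_home "$line")" "$state" "$flag"
    done
}

# Demo on constructed data: the entries quoted in the thread, a hypothetical
# FreeBSD-style /etc/group where GID 20 is 'staff', and user2 pretended to
# have logged in once so its home directory already exists.
demo() {
    tmp=$(mktemp -d) || exit 1
    cat > "$tmp/group" <<'EOF'
wheel:*:0:root
staff:*:20:root
users:*:100:
EOF
    mkdir -p "$tmp/home/RW/user2"
    report "$tmp/group" "$tmp" <<'EOF'
RW\administrator:*:0:20::/home/administrator:/usr/sbin/nologin
RW\user1:*:3000017:20:User1 Tester1:/home/user1:/usr/sbin/nologin
RW\user2:*:3000020:20:User2 Tester2:/home/RW/user2:/usr/sbin/nologin
EOF
    rm -rf "$tmp"
}

demo
```

Run it against the real system with `getent passwd user1 | report /etc/group ""`. In the thread's case GID 20 resolves to `staff` on FreeBSD, which Rowland judges harmless; had it landed on `wheel` (or on a group named in sudoers), every domain account would have inherited those rights, which is the collision this check is meant to catch. Unrelated to the output, note that passing `Pa$$w0rd` on the `samba-tool user create` command line leaves the password in the shell history; samba-tool prompts for it when the argument is omitted.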
Alnis Morics
2017-Feb-06 12:47 UTC
[Samba] Regular users can't log in to Samba AD DC from Windows
On 02/06/2017 13:36, Rowland Penny via samba wrote:
> On Mon, 6 Feb 2017 12:57:19 +0200
> Alnis Morics via samba <samba at lists.samba.org> wrote:
>
>> On 02/06/2017 11:48, Rowland Penny via samba wrote:
>>> On Mon, 6 Feb 2017 11:11:09 +0200
>>> Alnis Morics via samba <samba at lists.samba.org> wrote:
>>>
>>>> Thank you, Rowland, for the reply.
>>>>
>>>> And the nss tests as per Wiki seem to pass:
>>>>
>>>> # getent passwd Administrator
>>>> RW\administrator:*:0:20::/home/administrator:/usr/sbin/nologin
>>>>
>>>> # getent passwd user1
>>>> RW\user1:*:3000017:20:User1 Tester1:/home/user1:/usr/sbin/nologin
>>>
>>> The above is interesting, you don't have a template homedir line in
>>> smb.conf but you have '/home/username' instead of
>>> '/home/RW/username'
>>
>> Oh, yes, didn't notice that. But the directory doesn't actually
>> exist. I guess it would be created on first logon, which has not yet
>> occurred?) And I can't log in with it locally (I would need PAM
>> configured for it, right?)
>
> Yes, you need to get PAM to create the user's homedir with pam_mkhomedir
>
>> Although, when I create a FreeBSD user ("pw useradd testuser -m
>> /home/testuser"), the home directory is immediately created without
>> logging in.
>
> That's because you are telling the command to create the homedir
>
>> I tried now to create a user, explicitly telling the home directory:
>> samba-tool user create user2 Pa$$w0rd --surname=Tester2
>> --given-name=User2 --mail-address=user2@rw.lan
>> --home-directory=/home/RW/user2
>>
>> getent passwd user2
>> RW\user2:*:3000020:20:User2 Tester2:/home/RW/user2:/usr/sbin/nologin
>>
>> But otherwise nothing changes: the directory isn't created, and I can't
>> log in from Windows. And the logs repeat the same thing.
>
> samba-tool doesn't create the homedirs, it populates an attribute in AD
> and PAM reads this and creates the home dir at first login.

I see.

But I don't necessarily need homedirs, and hence PAM configured, just to log in from Windows and access a file share from there, do I? Or even just to log in on Windows to the domain.

Alnis