Franz Gansberger
2017-May-19 09:49 UTC
[Samba] Samba 4.5.8 ADS user not showing in directory tree - chown "invalid user"
Hi,
I'm currently working on evaluating an AD-Domain for my Department. Since I have a couple of years' experience in running an NT-Style Domain, my choice is samba - nowadays AD-DS.

Now I'm stuck, and I would really appreciate some more thoughts and a push in the right direction. :-)

Thank you in advance
Franz

The facts:
A quick test installation is working as expected - Debian Jessie, Samba 4.2.14 from official repository.
A wbinfo -u lists domain users, and I can chown as necessary. Of course, the list is without the Realm in front.

# wbinfo -u
demo1
administrator
krbtgt

Over to the designated production server, which behaves differently:
Here I have a Stretch with Samba 4.5.8, also from the standard repos

deb http://ftp.de.debian.org/debian stretch main
deb-src http://ftp.de.debian.org/debian stretch main

These commands are all executed on the PDC.

The same command produces different output:

# wbinfo -u
H955\administrator
H955\krbtgt
H955\guest
H955\demo1

I get the mentioned error on chown - invalid user.

ls produces this - uids are correct.

# ls -al
total 56
drwxrwxrwx 8 root root 4096 May 19 10:03 .
drwxr-xr-x 3 root root 4096 May 8 15:36 ..

drwxrwxr-x+ 2 3000019 users 4096 May 19 09:40 demo1
drwxrwxr-x+ 2 3000019 users 4096 May 19 10:03 demo1_new
drwxrwxr-x+ 2 3000000 users 4096 May 18 16:12 admin

Here's my system environment:

# uname -a
Linux vw-ads 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64 GNU/Linux

# samba -V
Version 4.5.8-Debian

# samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=H955.TEST.AC.AT --domain=H955 --adminpass=passw0rd

# net rpc rights grant 'H955\Domain Admins' SeDiskOperatorPrivilege -Uadministrator

# cat /etc/samba/smb.conf
# Global parameters
[global]
    netbios name = VW1-ADS
    realm = H955.TEST.AC.AT
    workgroup = H955
    dns forwarder = 8.8.8.8
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /data/data-nfs-vw/netlogon-ads/
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[profiles]
    comment = Roaming Profiles
    path = /data/data-nfs-vw/profiles-ads/
    writeable = yes
    store dos attributes = yes
    profile acls = yes
    csc policy = disable

[test]
    path = /data/data/test
    writeable = yes

# locate libnss_winbind.so
/lib/x86_64-linux-gnu/libnss_winbind.so
/lib/x86_64-linux-gnu/libnss_winbind.so.2
/lib64/libnss_winbind.so
/lib64/libnss_winbind.so.2

# ls -al /etc/krb5.conf
lrwxrwxrwx 1 root root 32 May 16 20:40 /etc/krb5.conf -> /var/lib/samba/private/krb5.conf

# cat /etc/nsswitch.conf
# /etc/nsswitch.conf

passwd: files winbind
group: files winbind
passwd: compat
group: compat
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
L.P.H. van Belle
2017-May-19 10:17 UTC
[Samba] Samba 4.5.8 ADS user not showing in directory tree - chown "invalid user"
> Of course, the list is without the Realm in front.
>
> # wbinfo -u
> demo1
> administrator

Small correction.

> Of course, the list is without the NTDOMAIN in front.
                                     ^^^^^^^^
NTDOM\user or user at REALM

And change your nsswitch to:

passwd: compat winbind
group: compat winbind

Greetz,

Louis
Rowland Penny
2017-May-19 10:42 UTC
[Samba] Samba 4.5.8 ADS user not showing in directory tree - chown "invalid user"
On Fri, 19 May 2017 11:49:26 +0200
Franz Gansberger via samba <samba at lists.samba.org> wrote:

> Hi,
> I'm currently working on evaluating an AD-Domain for my Department.
> Since I have a couple of years' experience in running an NT-Style Domain,
> my choice is samba - nowadays AD-DS.
>
> Now I'm stuck, and I would really appreciate some more thoughts and a
> push in the right direction. :-)
>
> Thank you in advance
> Franz
>
> The facts:
> A quick test installation is working as expected - Debian Jessie,
> Samba 4.2.14 from official repository. A wbinfo -u lists domain
> users, and I can chown as necessary. Of course, the list is without
> the Realm in front.
>
> # wbinfo -u
> demo1
> administrator
> krbtgt
>
> Over to the designated production server, which behaves differently:
> Here I have a Stretch with Samba 4.5.8, also from the standard repos
> deb http://ftp.de.debian.org/debian stretch main
> deb-src http://ftp.de.debian.org/debian stretch main
>
> These commands are all executed on the PDC.

Please don't call it a PDC, your old machine was a PDC, your new one is just a DC and if you add any other DCs, they will be just a DC as well ;-)

> The same command produces different output:
> # wbinfo -u
> H955\administrator
> H955\krbtgt
> H955\guest
> H955\demo1
>
> I get the mentioned error on chown - invalid user.

OK, 'wbinfo' == this is windows user or group

You need to use 'getent passwd username' or 'getent group groupname'

If either of the above commands doesn't produce output, the user or group is unknown to the OS.

> ls produces this - uids are correct.
>
> # ls -al
> total 56
> drwxrwxrwx 8 root root 4096 May 19 10:03 .
> drwxr-xr-x 3 root root 4096 May 8 15:36 ..
>
> drwxrwxr-x+ 2 3000019 users 4096 May 19 09:40 demo1
> drwxrwxr-x+ 2 3000019 users 4096 May 19 10:03 demo1_new
> drwxrwxr-x+ 2 3000000 users 4096 May 18 16:12 admin

Who is '3000019' ?
You can find out by running ldbedit on idmap.ldb and then searching for '3000019'

'users' is correct, Domain Users is mapped to 'users' in idmap.ldb

> Here's my system environment:
> # uname -a
> Linux vw-ads 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64 GNU/Linux
>
> # samba -V
> Version 4.5.8-Debian
>
> # samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=H955.TEST.AC.AT --domain=H955 --adminpass=passw0rd
>
> # net rpc rights grant 'H955\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>
> # cat /etc/samba/smb.conf
> # Global parameters
> [global]
>     netbios name = VW1-ADS
>     realm = H955.TEST.AC.AT
>     workgroup = H955
>     dns forwarder = 8.8.8.8
>     server role = active directory domain controller
>     idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>     path = /data/data-nfs-vw/netlogon-ads/
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> [profiles]
>     comment = Roaming Profiles
>     path = /data/data-nfs-vw/profiles-ads/
>     writeable = yes
>     store dos attributes = yes
>     profile acls = yes
>     csc policy = disable

You can remove the above three lines, they do nothing on a DC.

> [test]
>     path = /data/data/test
>     writeable = yes
>
> # locate libnss_winbind.so
> /lib/x86_64-linux-gnu/libnss_winbind.so
> /lib/x86_64-linux-gnu/libnss_winbind.so.2
> /lib64/libnss_winbind.so
> /lib64/libnss_winbind.so.2
>
> # ls -al /etc/krb5.conf
> lrwxrwxrwx 1 root root 32 May 16 20:40 /etc/krb5.conf -> /var/lib/samba/private/krb5.conf
>
> # cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
>
> passwd: files winbind
> group: files winbind
> passwd: compat
> group: compat

You seem to have 'passwd' and 'group' twice, remove the second two, the first is correct.

Do you have these packages installed:

libpam-winbind
libpam-krb5
libnss-winbind

Rowland
Franz Gansberger
2017-May-19 12:08 UTC
[Samba] Antw: Re: Samba 4.5.8 ADS user not showing in directory tree - chown "invalid user"
Hi Rowland,

thank you for your almost immediate answer, and your tips. :-)

And well - it is solved now. :-))

I've overlooked this ridiculously obvious double entry in the nsswitch.conf. After correcting this mistake a

# getent passwd demo1

resolves to

H955\demo1:*:3000019:100:demo1:/home/H955/demo1:/bin/false

So directory listing is now more human readable, and 3000019 is displayed as demo1

# ls -al
total 56
drwxrwxrwx 8 root root 4096 May 19 10:03 .
drwxr-xr-x 3 root root 4096 May 8 15:36 ..
drwxrwxr-x+ 2 H955\demo1 users 4096 May 19 09:40 demo2
drwxrwxr-x+ 2 H955\demo1 users 4096 May 19 10:03 demo1_new
drwxrwxr-x+ 2 BUILTIN\administrators users 4096 May 18 16:12 admin

Good. :-)

Nonetheless the packages
libpam-winbind
libpam-krb5
are not installed - yet.

Thank you for doing this great job!!

Franz
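The fault resolved in this thread, a database listed twice in /etc/nsswitch.conf with one of the lines lacking winbind, can be checked for before chown starts reporting "invalid user". The following is an added example, not code from any poster in the thread; the function names are hypothetical and the sample input is the nsswitch.conf excerpt from the first post.

```shell
#!/bin/sh
# Added example: lint nsswitch.conf for the fault found in this thread.
# Function names are hypothetical; input is a file argument or stdin.

# The passwd/group part of the nsswitch.conf as posted in the thread.
thread_conf() {
cat <<'EOF'
# /etc/nsswitch.conf

passwd: files winbind
group: files winbind
passwd: compat
group: compat
shadow: compat
gshadow: files
hosts: files dns
EOF
}

# Print every database that is configured on more than one line.
nss_duplicates() {
    awk '
    { sub(/#.*/, "") }                      # drop comments
    /^[ \t]*[A-Za-z_]+[ \t]*:/ {
        db = $0; sub(/:.*/, "", db); gsub(/[ \t]/, "", db)
        if (db in seen) { seen[db] = seen[db] ", " NR }
        else            { seen[db] = NR; order[++n] = db }
        count[db]++
    }
    END {
        for (i = 1; i <= n; i++)
            if (count[order[i]] > 1)
                printf "%s: lines %s\n", order[i], seen[order[i]]
    }' "$@"
}

# Print every passwd/group line whose service list does not include winbind.
nss_missing_winbind() {
    awk '
    { sub(/#.*/, "") }
    /^[ \t]*(passwd|group)[ \t]*:/ {
        services = $0; sub(/^[^:]*:/, "", services)
        if (services !~ /(^|[ \t])winbind([ \t]|$)/)
            printf "line %d: %s\n", NR, $0
    }' "$@"
}

thread_conf | nss_duplicates
thread_conf | nss_missing_winbind
```

On a live system, run `nss_duplicates /etc/nsswitch.conf` and then confirm the result with `getent passwd username`, as suggested in the thread.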