lingpanda101
2017-Jun-19 12:20 UTC
[Samba] New AD user cannot access file share from member server
On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:
> That's correct, I don't have "Unix Attributes" but through the advanced
> view I have access to all attributes.
>
> The ldbsearch command is not returning anything in my case, it gives me 0
> records - no matter which user I try, even the Administrator. I checked the
> command several times to make sure there are no typos. I even changed the
> objectclass from "person" to "user" to see if it makes any difference but
> it doesn't.
>
> I tried both /var/lib/samba/sam.ldb and /var/lib/samba/private/sam.ldb
> and the environment has LDB_MODULES_PATH set.
>
> I can easily look at the objects using the ADUC from the RSAT, not sure why
> this isn't working...
>
> On 19 June 2017 at 12:59, Rowland Penny via samba <samba at lists.samba.org>
> wrote:
>
>> On Mon, 19 Jun 2017 12:38:09 +0200
>> Viktor Trojanovic <viktor at troja.ch> wrote:
>>
>>> Here is the DC's smb.conf:
>>>
>>> [global]
>>> workgroup = SAMDOM
>>> realm = SAMDOM.EXAMPLE.COM
>>> netbios name = DC
>>> interfaces = lo br-lxc
>>> bind interfaces only = Yes
>>> server role = active directory domain controller
>>> dns forwarder = 192.168.1.2
>>> idmap_ldb:use rfc2307 = yes
>>>
>>> [netlogon]
>>> path = /var/lib/samba/sysvol/samdom.example.com/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /var/lib/samba/sysvol
>>> read only = No
>>
>> Nothing wrong there
>>
>>> I'm not sure what you mean by showing you the user's AD object, can
>>> you elaborate?
>>
>> OK, install ldb-tools if not installed, then run this:
>>
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b 'cn=users,dc=samdom,dc=example,dc=com' -s sub "(&(objectclass=person)(samaccountname=rowland))"
>>
>> Just in case it has got split up over multiple lines, the above should
>> be just one line.
>>
>> Replace:
>> /usr/local/samba/private/sam.ldb with the path to your sam.ldb
>> dc=samdom,dc=example,dc=com with your dns/realm names
>> rowland with your user's name
>>
>> You should get something like this back:
>>
>> # record 1
>> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>> CN: Rowland Penny
>> sn: Penny
>> description: A Unix user
>> givenName: Rowland
>> instanceType: 4
>> whenCreated: 20151109093821.0Z
>> displayName: Rowland Penny
>> uSNCreated: 3365
>> name: Rowland Penny
>> objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
>> userAccountControl: 66048
>> codePage: 0
>> countryCode: 0
>> homeDrive: H:
>> pwdLastSet: 130915355010000000
>> primaryGroupID: 513
>> objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
>> accountExpires: 0
>> sAMAccountName: rowland
>> sAMAccountType: 805306368
>> userPrincipalName: rowland at samdom.example.com
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>> unixUserPassword: ABCD!efgh12345$67890
>> uid: rowland
>> msSFU30Name: rowland
>> msSFU30NisDomain: samdom
>> uidNumber: 10000
>> gecos: Rowland Penny
>> unixHomeDirectory: /home/rowland
>> loginShell: /bin/bash
>> memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
>> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
>> memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
>> memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
>> memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
>> homeDirectory: \\MEMBER1\home\rowland
>> objectClass: top
>> objectClass: securityPrincipal
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> gidNumber: 10000
>> lastLogonTimestamp: 131418520439158520
>> whenChanged: 20170613182723.0Z
>> uSNChanged: 121030
>> lastLogon: 131423412865104840
>> logonCount: 633
>> distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>>
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>>
>> Please post that, though you can sanitise it if you like, but if you
>> do, use the same changes throughout.
>>
>>> Samba is running on (Arch) Linux with Kernel 4.11. Clients are
>>> Windows 10 with all the latest updates, I'm running the RSAT from
>>> there.
>>
>> In which case you will not have 'Unix Attributes' tab in ADUC.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba

Use this command, replacing my name with your username.

/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=local' -s sub "(&(objectclass=person)(samaccountname=james))"

Rowland was linking to the CN=users. Yours may not be located there.

--
James
Rowland Penny
2017-Jun-19 12:30 UTC
[Samba] New AD user cannot access file share from member server
On Mon, 19 Jun 2017 08:20:35 -0400
lingpanda101 via samba <samba at lists.samba.org> wrote:

> On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:
> > That's correct, I don't have "Unix Attributes" but through the
> > advanced view I have access to all attributes.
> >
> > The ldbsearch command is not returning anything in my case, it
> > gives me 0 records - no matter which user I try, even the
> > Administrator. I checked the command several times to make sure
> > there are no typos. I even changed the objectclass from "person" to
> > "user" to see if it makes any difference but it doesn't.
> >
> > I tried both /var/lib/samba/sam.ldb
> > and /var/lib/samba/private/sam.ldb and the environment
> > has LDB_MODULES_PATH set.
> >
> > I can easily look at the objects using the ADUC from the RSAT, not
> > sure why this isn't working...
> >
> > [...]
>
> Use this command, replacing my name with your username.
>
> /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=local' -s sub "(&(objectclass=person)(samaccountname=james))"
>
> Rowland was linking to the CN=users. Yours may not be located there.

Good point, but it is the default location for users and groups and the
OP never mentioned creating an OU (unless I missed it)

Rowland
Viktor Trojanovic
2017-Jun-19 12:46 UTC
[Samba] New AD user cannot access file share from member server
On 19 June 2017 at 14:20, lingpanda101 via samba <samba at lists.samba.org> wrote:

> On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:
>
>> That's correct, I don't have "Unix Attributes" but through the advanced
>> view I have access to all attributes.
>>
>> The ldbsearch command is not returning anything in my case, it gives me 0
>> records - no matter which user I try, even the Administrator. I checked
>> the command several times to make sure there are no typos. I even changed
>> the objectclass from "person" to "user" to see if it makes any difference
>> but it doesn't.
>>
>> I tried both /var/lib/samba/sam.ldb and /var/lib/samba/private/sam.ldb
>> and the environment has LDB_MODULES_PATH set.
>>
>> I can easily look at the objects using the ADUC from the RSAT, not sure
>> why this isn't working...
>>
>> [...]
>
> Use this command, replacing my name with your username.
>
> /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=local' -s sub "(&(objectclass=person)(samaccountname=james))"
>
> Rowland was linking to the CN=users. Yours may not be located there.

I could swear I tried this before, too, but it didn't give me any results.
Now all of a sudden it does. I must have made a mistake. It gives me one
entry and 3 referrals.

[root at DC ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=ch' -s sub "(&(objectclass=person)(samaccountname=jd))"
# record 1
dn: CN=First Last,OU=OFFICE,DC=samdom,DC=example,DC=ch
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Jane Doe
sn: Doe
givenName: Jane
instanceType: 4
whenCreated: 20170618195208.0Z
displayName: Jane Doe
uSNCreated: 26951
name: Jane Doe
objectGUID: e2df5086-fa25-4a25-93f2-d8f5e85a47e7
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
accountExpires: 9223372036854775807
sAMAccountName: jd
sAMAccountType: 805306368
userPrincipalName: jd at samdom.example.ch
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=ch
userAccountControl: 512
msSFU30NisDomain: samdom
homeDrive: P:
homeDirectory: \\fileserver\users\jd
lastLogonTimestamp: 131422908301256970
pwdLastSet: 131422908304075720
uidNumber: 11008
whenChanged: 20170618203831.0Z
uSNChanged: 26964
lastLogon: 131423462588474750
logonCount: 49
distinguishedName: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
Viktor Trojanovic
2017-Jun-19 12:48 UTC
[Samba] New AD user cannot access file share from member server
I neglected to mention it. But I actually did try changing the CN=users to
OU=ouname, and even leaving it out. I don't know why it didn't return any
results before, it does now - see my reply to James.

On 19 June 2017 at 14:30, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 19 Jun 2017 08:20:35 -0400
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>
> > On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:
> > > That's correct, I don't have "Unix Attributes" but through the
> > > advanced view I have access to all attributes.
> > >
> > > The ldbsearch command is not returning anything in my case, it
> > > gives me 0 records - no matter which user I try, even the
> > > Administrator. I checked the command several times to make sure
> > > there are no typos. I even changed the objectclass from "person" to
> > > "user" to see if it makes any difference but it doesn't.
> > >
> > > I tried both /var/lib/samba/sam.ldb
> > > and /var/lib/samba/private/sam.ldb and the environment
> > > has LDB_MODULES_PATH set.
> > >
> > > I can easily look at the objects using the ADUC from the RSAT, not
> > > sure why this isn't working...
> > >
> > > [...]
> >
> > Use this command, replacing my name with your username.
> >
> > /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=local' -s sub "(&(objectclass=person)(samaccountname=james))"
> >
> > Rowland was linking to the CN=users. Yours may not be located there.
>
> Good point, but it is the default location for users and groups and the
> OP never mentioned creating an OU (unless I missed it)
>
> Rowland
Rowland Penny
2017-Jun-19 12:56 UTC
[Samba] New AD user cannot access file share from member server
On Mon, 19 Jun 2017 14:46:34 +0200
Viktor Trojanovic <viktor at troja.ch> wrote:

> On 19 June 2017 at 14:20, lingpanda101 via samba
> <samba at lists.samba.org> wrote:
>
> > On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:
> >
> >> That's correct, I don't have "Unix Attributes" but through the
> >> advanced view I have access to all attributes.
> >>
> >> The ldbsearch command is not returning anything in my case, it
> >> gives me 0 records - no matter which user I try, even the
> >> Administrator. I checked the command several times to make sure
> >> there are no typos. I even changed the objectclass from "person" to
> >> "user" to see if it makes any difference but it doesn't.
> >>
> >> I tried both /var/lib/samba/sam.ldb
> >> and /var/lib/samba/private/sam.ldb and the environment
> >> has LDB_MODULES_PATH set.
> >>
> >> I can easily look at the objects using the ADUC from the RSAT, not
> >> sure why this isn't working...
> >>
> >> [...]
> >
> > Use this command, replacing my name with your username.
> >
> > /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=local' -s sub "(&(objectclass=person)(samaccountname=james))"
> >
> > Rowland was linking to the CN=users. Yours may not be located there.
>
> I could swear I tried this before, too, but it didn't give me any
> results. Now all of a sudden it does. I must have made a mistake. It
> gives me one entry and 3 referrals.
>
> [root at DC ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=ch' -s sub "(&(objectclass=person)(samaccountname=jd))"
> # record 1
> dn: CN=First Last,OU=OFFICE,DC=samdom,DC=example,DC=ch
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Jane Doe
> sn: Doe
> givenName: Jane
> instanceType: 4
> whenCreated: 20170618195208.0Z
> displayName: Jane Doe
> uSNCreated: 26951
> name: Jane Doe
> objectGUID: e2df5086-fa25-4a25-93f2-d8f5e85a47e7
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
> accountExpires: 9223372036854775807
> sAMAccountName: jd
> sAMAccountType: 805306368
> userPrincipalName: jd at samdom.example.ch
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=ch
> userAccountControl: 512
> msSFU30NisDomain: samdom
> homeDrive: P:
> homeDirectory: \\fileserver\users\jd
> lastLogonTimestamp: 131422908301256970
> pwdLastSet: 131422908304075720
> uidNumber: 11008
> whenChanged: 20170618203831.0Z
> uSNChanged: 26964
> lastLogon: 131423462588474750
> logonCount: 49
> distinguishedName: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch

OK, glad we got that sorted out ;-)

Your user 'Jane Doe' does not have a 'gidNumber' attribute; does 'Domain
Users' have a 'gidNumber' attribute?

Rowland