Viktor Trojanovic
2017-Jun-19 12:48 UTC
[Samba] New AD user cannot access file share from member server
I forgot to mention it. But I actually did try changing the CN=users to OU=ouname, and even leaving it out. I don't know why it didn't return any results before, it does now - see my reply to James.

On 19 June 2017 at 14:30, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Mon, 19 Jun 2017 08:20:35 -0400
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>
> > On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:
> > > That's correct, I don't have "Unix Attributes" but through the advanced view I have access to all attributes.
> > >
> > > The ldbsearch command is not returning anything in my case, it gives me 0 records - no matter which user I try, even the Administrator. I checked the command several times to make sure there are no typos. I even changed the objectclass from "person" to "user" to see if it makes any difference but it doesn't.
> > >
> > > I tried both /var/lib/samba/sam.ldb and /var/lib/samba/private/sam.ldb, and the environment has LDB_MODULES_PATH set.
> > >
> > > I can easily look at the objects using the ADUC from the RSAT, not sure why this isn't working...
> > >
> > > On 19 June 2017 at 12:59, Rowland Penny via samba <samba at lists.samba.org> wrote:
> > >
> > >> On Mon, 19 Jun 2017 12:38:09 +0200
> > >> Viktor Trojanovic <viktor at troja.ch> wrote:
> > >>
> > >>> Here is the DC's smb.conf:
> > >>>
> > >>> [global]
> > >>> workgroup = SAMDOM
> > >>> realm = SAMDOM.EXAMPLE.COM
> > >>> netbios name = DC
> > >>> interfaces = lo br-lxc
> > >>> bind interfaces only = Yes
> > >>> server role = active directory domain controller
> > >>> dns forwarder = 192.168.1.2
> > >>> idmap_ldb:use rfc2307 = yes
> > >>>
> > >>> [netlogon]
> > >>> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> > >>> read only = No
> > >>>
> > >>> [sysvol]
> > >>> path = /var/lib/samba/sysvol
> > >>> read only = No
> > >>
> > >> Nothing wrong there
> > >>
> > >>> I'm not sure what you mean by showing you the user's AD object, can you elaborate?
> > >>
> > >> OK, install ldb-tools if not installed, then run this:
> > >>
> > >> ldbsearch -H /usr/local/samba/private/sam.ldb -b 'cn=users,dc=samdom,dc=example,dc=com' -s sub "(&(objectclass=person)(samaccountname=rowland))"
> > >>
> > >> Just in case it has got split up over multiple lines, the above should be just one line.
> > >>
> > >> Replace:
> > >> /usr/local/samba/private/sam.ldb with the path to your sam.ldb
> > >>
> > >> dc=samdom,dc=example,dc=com with your dns/realm names
> > >>
> > >> rowland with your user's name
> > >>
> > >> You should get something like this back:
> > >>
> > >> # record 1
> > >> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> > >> CN: Rowland Penny
> > >> sn: Penny
> > >> description: A Unix user
> > >> givenName: Rowland
> > >> instanceType: 4
> > >> whenCreated: 20151109093821.0Z
> > >> displayName: Rowland Penny
> > >> uSNCreated: 3365
> > >> name: Rowland Penny
> > >> objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
> > >> userAccountControl: 66048
> > >> codePage: 0
> > >> countryCode: 0
> > >> homeDrive: H:
> > >> pwdLastSet: 130915355010000000
> > >> primaryGroupID: 513
> > >> objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
> > >> accountExpires: 0
> > >> sAMAccountName: rowland
> > >> sAMAccountType: 805306368
> > >> userPrincipalName: rowland at samdom.example.com
> > >> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> > >> unixUserPassword: ABCD!efgh12345$67890
> > >> uid: rowland
> > >> msSFU30Name: rowland
> > >> msSFU30NisDomain: samdom
> > >> uidNumber: 10000
> > >> gecos: Rowland Penny
> > >> unixHomeDirectory: /home/rowland
> > >> loginShell: /bin/bash
> > >> memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
> > >> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> > >> memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
> > >> memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
> > >> memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
> > >> homeDirectory: \\MEMBER1\home\rowland
> > >> objectClass: top
> > >> objectClass: securityPrincipal
> > >> objectClass: person
> > >> objectClass: organizationalPerson
> > >> objectClass: user
> > >> gidNumber: 10000
> > >> lastLogonTimestamp: 131418520439158520
> > >> whenChanged: 20170613182723.0Z
> > >> uSNChanged: 121030
> > >> lastLogon: 131423412865104840
> > >> logonCount: 633
> > >> distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> > >>
> > >> # returned 1 records
> > >> # 1 entries
> > >> # 0 referrals
> > >>
> > >> Please post that, though you can sanitise it if you like, but if you do, use the same changes throughout.
> > >>
> > >>> Samba is running on (Arch) Linux with Kernel 4.11. Clients are Windows 10 with all the latest updates, I'm running the RSAT from there.
> > >>>
> > >> In which case you will not have 'Unix Attributes' tab in ADUC.
> > >>
> > >> Rowland
> > >>
> > >> --
> > >> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
> > >>
> > Use this command, replacing my name with your username.
> >
> > /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=local' -s sub "(&(objectclass=person)(samaccountname=james))"
> >
> > Rowland was linking to the CN=users. Yours may not be located there.
> >
>
> Good point, but it is the default location for users and groups and the OP never mentioned creating an OU (unless I missed it)
>
> Rowland
Viktor Trojanovic
2017-Jun-19 13:08 UTC
[Samba] New AD user cannot access file share from member server
Not sure if it matters but here is the AD object of a user with no issues:

[root at GJSERVER ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'ou=office,dc=samdom,dc=example,dc=ch' -s sub "(&(objectclass=person)(samaccountname=jd))"
# record 1
dn: CN=John Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: John Doe
sn: Doe
givenName: John
instanceType: 4
whenCreated: 20151228014125.0Z
displayName: John Doe
uSNCreated: 3788
name: John Doe
objectGUID: 15d6c679-5877-452d-a498-183f78d3fb39
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-4280320235-2980747731-3738778716-1105
accountExpires: 9223372036854775807
sAMAccountName: jd
sAMAccountType: 805306368
userPrincipalName: jd at samdom.example.ch
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=ch
userAccountControl: 512
uidNumber: 11001
msSFU30NisDomain: samdom
homeDirectory: \\fileserver\users\jd
homeDrive: P:
pwdLastSet: 131405963619168070
lastLogonTimestamp: 131420723196760820
whenChanged: 20170616073839.0Z
uSNChanged: 26797
lastLogon: 131423508299965620
logonCount: 1630
distinguishedName: CN=John Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch

Except for the fact that the attributes are not in the same order, I can't seem to find a relevant difference.

On 19 June 2017 at 14:48, Viktor Trojanovic <viktor at troja.ch> wrote:
> I forgot to mention it. But I actually did try changing the CN=users to OU=ouname, and even leaving it out. I don't know why it didn't return any results before, it does now - see my reply to James.
Rowland Penny
2017-Jun-19 13:22 UTC
[Samba] New AD user cannot access file share from member server
On Mon, 19 Jun 2017 15:08:45 +0200 Viktor Trojanovic <viktor at troja.ch> wrote:
> Not sure if it matters but here is the AD object of a user with no issues:
>
> [root at GJSERVER ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'ou=office,dc=samdom,dc=example,dc=ch' -s sub "(&(objectclass=person)(samaccountname=jd))"
> # record 1
> dn: CN=John Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: John Doe
> sn: Doe
> givenName: John
> instanceType: 4
> whenCreated: 20151228014125.0Z
> displayName: John Doe
> uSNCreated: 3788
> name: John Doe
> objectGUID: 15d6c679-5877-452d-a498-183f78d3fb39
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-4280320235-2980747731-3738778716-1105
> accountExpires: 9223372036854775807
> sAMAccountName: jd
> sAMAccountType: 805306368
> userPrincipalName: jd at samdom.example.ch
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=ch
> userAccountControl: 512
> uidNumber: 11001
> msSFU30NisDomain: samdom
> homeDirectory: \\fileserver\users\jd
> homeDrive: P:
> pwdLastSet: 131405963619168070
> lastLogonTimestamp: 131420723196760820
> whenChanged: 20170616073839.0Z
> uSNChanged: 26797
> lastLogon: 131423508299965620
> logonCount: 1630
> distinguishedName: CN=John Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
>
> Except for the fact that the attributes are not in the same order, I can't seem to find a relevant difference.
>

That might be the problem, who did you create first? John Doe or Jane Doe?

I only ask this because they both seem to have this:

CN=John Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
homeDirectory: \\fileserver\users\jd

CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
homeDirectory: \\fileserver\users\jd

They cannot both own the users directory 'jd', or is this a sanitisation error?

Rowland
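The comparison Viktor is doing by eye, and the shared homeDirectory value Rowland picks out, can be scripted. This is an added example, not code from the thread or from Samba: parse_ldif reads ldbsearch's LDIF output and audit reports which RFC2307 attributes each user object lacks (uidNumber and gidNumber, on the assumption that the member server maps identities from those attributes with the 'ad' idmap backend, which the thread does not show) and which supposedly unique values two users share. The two records are constructed from the thread's sanitised names; the 'jane' account is invented.

```python
from collections import defaultdict
# Assumed per-user requirements for a member server that maps identities from
# AD (the 'ad' idmap backend); the thread does not show the member's smb.conf.
REQUIRED = ("uidNumber", "gidNumber")

def parse_ldif(text):
    """ldbsearch output -> [{attribute: [values]}]; skips '#' comment lines and
    joins continuation lines (leading space), which is how long values wrap."""
    records, current, last = [], {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            current[last][-1] += line[1:]
        elif not line.strip():  # a blank line ends a record
            if current:
                records.append(current)
            current, last = {}, None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr, []).append(value.strip())
            last = attr
    return records + ([current] if current else [])

def audit(records):
    """Return (missing, shared): REQUIRED attributes absent per user, and
    (attribute, value) pairs that appear on more than one user object."""
    users = [r for r in records if "user" in r.get("objectClass", [])]
    missing = {r["sAMAccountName"][0]: [a for a in REQUIRED if a not in r]
               for r in users}
    seen = defaultdict(set)  # values that should belong to one user only
    for r in users:
        for attr in ("uidNumber", "homeDirectory", "unixHomeDirectory"):
            for value in r.get(attr, []):
                seen[(attr, value)].add(r["sAMAccountName"][0])
    return missing, {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# Constructed sample in the shape of the thread's output; 'jane' is made up.
SAMPLE = r"""# record 1
dn: CN=John Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
objectClass: user
sAMAccountName: jd
uidNumber: 11001
homeDirectory: \\fileserver\users\jd

dn: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
objectClass: user
sAMAccountName: jane
uidNumber: 11002
gidNumber: 10000
homeDirectory: \\fileserver\users\jd
"""
```

Feed it the real output (ldbsearch ... | python3 -c 'import sys, audit_ldif; print(audit_ldif.audit(audit_ldif.parse_ldif(sys.stdin.read())))', with the module saved under that hypothetical name) to get the same two reports for every user in the base DN.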