lingpanda101
2017-Jun-19 13:31 UTC
[Samba] New AD user cannot access file share from member server
On 6/19/2017 9:12 AM, Viktor Trojanovic via samba wrote:
> On 19 June 2017 at 14:56, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Mon, 19 Jun 2017 14:46:34 +0200
>> Viktor Trojanovic <viktor at troja.ch> wrote:
>>
>>> On 19 June 2017 at 14:20, lingpanda101 via samba
>>> <samba at lists.samba.org> wrote:
>>>
>>>> On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:
>>>>
>>>>> That's correct, I don't have "Unix Attributes" but through the
>>>>> advanced view I have access to all attributes.
>>>>>
>>>>> The ldbsearch command is not returning anything in my case, it
>>>>> gives me 0 records - no matter which user I try, even the
>>>>> Administrator. I checked the command several times to make sure
>>>>> there are no typos. I even changed the objectclass from "person"
>>>>> to "user" to see if it makes any difference but it doesn't.
>>>>>
>>>>> I tried both /var/lib/samba/sam.ldb and
>>>>> /var/lib/samba/private/sam.ldb, and the environment has
>>>>> LDB_MODULES_PATH set.
>>>>>
>>>>> I can easily look at the objects using the ADUC from the RSAT, not
>>>>> sure why this isn't working...
>>>>>
>>>>> On 19 June 2017 at 12:59, Rowland Penny via samba
>>>>> <samba at lists.samba.org> wrote:
>>>>>
>>>>>> On Mon, 19 Jun 2017 12:38:09 +0200
>>>>>> Viktor Trojanovic <viktor at troja.ch> wrote:
>>>>>>
>>>>>>> Here is the DC's smb.conf:
>>>>>>>
>>>>>>> [global]
>>>>>>> workgroup = SAMDOM
>>>>>>> realm = SAMDOM.EXAMPLE.COM
>>>>>>> netbios name = DC
>>>>>>> interfaces = lo br-lxc
>>>>>>> bind interfaces only = Yes
>>>>>>> server role = active directory domain controller
>>>>>>> dns forwarder = 192.168.1.2
>>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>>>
>>>>>>> [netlogon]
>>>>>>> path = /var/lib/samba/sysvol/samdom.example.com/scripts
>>>>>>> read only = No
>>>>>>>
>>>>>>> [sysvol]
>>>>>>> path = /var/lib/samba/sysvol
>>>>>>> read only = No
>>>>>>
>>>>>> Nothing wrong there
>>>>>>
>>>>>>> I'm not sure what you mean by showing you the user's AD object,
>>>>>>> can you elaborate?
>>>>>>
>>>>>> OK, install ldb-tools if not installed, then run this:
>>>>>>
>>>>>> ldbsearch -H /usr/local/samba/private/sam.ldb -b 'cn=users,dc=samdom,dc=example,dc=com' -s sub "(&(objectclass=person)(samaccountname=rowland))"
>>>>>>
>>>>>> Just in case it has got split up over multiple lines, the above
>>>>>> should be just one line.
>>>>>>
>>>>>> Replace:
>>>>>> /usr/local/samba/private/sam.ldb with the path to your sam.ldb
>>>>>>
>>>>>> dc=samdom,dc=example,dc=com with your dns/realm names
>>>>>>
>>>>>> rowland with your user's name
>>>>>>
>>>>>> You should get something like this back:
>>>>>>
>>>>>> # record 1
>>>>>> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>>>>>> CN: Rowland Penny
>>>>>> sn: Penny
>>>>>> description: A Unix user
>>>>>> givenName: Rowland
>>>>>> instanceType: 4
>>>>>> whenCreated: 20151109093821.0Z
>>>>>> displayName: Rowland Penny
>>>>>> uSNCreated: 3365
>>>>>> name: Rowland Penny
>>>>>> objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
>>>>>> userAccountControl: 66048
>>>>>> codePage: 0
>>>>>> countryCode: 0
>>>>>> homeDrive: H:
>>>>>> pwdLastSet: 130915355010000000
>>>>>> primaryGroupID: 513
>>>>>> objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
>>>>>> accountExpires: 0
>>>>>> sAMAccountName: rowland
>>>>>> sAMAccountType: 805306368
>>>>>> userPrincipalName: rowland at samdom.example.com
>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>> uid: rowland
>>>>>> msSFU30Name: rowland
>>>>>> msSFU30NisDomain: samdom
>>>>>> uidNumber: 10000
>>>>>> gecos: Rowland Penny
>>>>>> unixHomeDirectory: /home/rowland
>>>>>> loginShell: /bin/bash
>>>>>> memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
>>>>>> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
>>>>>> memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
>>>>>> memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
>>>>>> memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
>>>>>> homeDirectory: \\MEMBER1\home\rowland
>>>>>> objectClass: top
>>>>>> objectClass: securityPrincipal
>>>>>> objectClass: person
>>>>>> objectClass: organizationalPerson
>>>>>> objectClass: user
>>>>>> gidNumber: 10000
>>>>>> lastLogonTimestamp: 131418520439158520
>>>>>> whenChanged: 20170613182723.0Z
>>>>>> uSNChanged: 121030
>>>>>> lastLogon: 131423412865104840
>>>>>> logonCount: 633
>>>>>> distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>>>>>>
>>>>>> # returned 1 records
>>>>>> # 1 entries
>>>>>> # 0 referrals
>>>>>>
>>>>>> Please post that, though you can sanitise it if you like, but if
>>>>>> you do, use the same changes throughout.
>>>>>>
>>>>>>> Samba is running on (Arch) Linux with Kernel 4.11. Clients are
>>>>>>> Windows 10 with all the latest updates, I'm running the RSAT from
>>>>>>> there.
>>>>>>
>>>>>> In which case you will not have 'Unix Attributes' tab in ADUC.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>> Use this command, replace my name with your username.
>>>>
>>>> /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=local' -s sub "(&(objectclass=person)(samaccountname=james))"
>>>>
>>>> Rowland was linking to the CN=users. Yours may not be located there.
>>>
>>> I could swear I tried this before, too, but it didn't give me any
>>> results. Now all of a sudden it does. I must have made a mistake. It
>>> gives me one entry and 3 referrals.
>>>
>>> [root at DC ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=ch' -s sub "(&(objectclass=person)(samaccountname=jd))"
>>> # record 1
>>> dn: CN=First Last,OU=OFFICE,DC=samdom,DC=example,DC=ch
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: Jane Doe
>>> sn: Doe
>>> givenName: Jane
>>> instanceType: 4
>>> whenCreated: 20170618195208.0Z
>>> displayName: Jane Doe
>>> uSNCreated: 26951
>>> name: Jane Doe
>>> objectGUID: e2df5086-fa25-4a25-93f2-d8f5e85a47e7
>>> badPwdCount: 0
>>> codePage: 0
>>> countryCode: 0
>>> badPasswordTime: 0
>>> lastLogoff: 0
>>> primaryGroupID: 513
>>> objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
>>> accountExpires: 9223372036854775807
>>> sAMAccountName: jd
>>> sAMAccountType: 805306368
>>> userPrincipalName: jd at samdom.example.ch
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=ch
>>> userAccountControl: 512
>>> msSFU30NisDomain: samdom
>>> homeDrive: P:
>>> homeDirectory: \\fileserver\users\jd
>>> lastLogonTimestamp: 131422908301256970
>>> pwdLastSet: 131422908304075720
>>> uidNumber: 11008
>>> whenChanged: 20170618203831.0Z
>>> uSNChanged: 26964
>>> lastLogon: 131423462588474750
>>> logonCount: 49
>>> distinguishedName: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
>>
>> OK, glad we got that sorted out ;-)
>>
>> Your user 'Jane Doe' does not have a 'gidNumber' attribute, does
>> 'Domain Users' have a 'gidNumber' attribute?
>
> It does, it's set to 10001.
>
> And none of the users have gidNumber set.

Is the user's primary group name/GID set as 'Domain Users'?

-- 
-- James
Rowland Penny
2017-Jun-19 13:49 UTC
[Samba] New AD user cannot access file share from member server
On Mon, 19 Jun 2017 09:31:17 -0400
lingpanda101 via samba <samba at lists.samba.org> wrote:

> >>> primaryGroupID: 513
>
> Is the user's primary group name/GID set as 'Domain Users'?

Yes, see line above, '513' is Domain Users.

I cannot see any reason why the user doesn't work, I think the best
idea, as it is only one user, will be to delete and then recreate the
user. This does mean that any files etc the old user owns may have to
be changed to the new user.

Rowland
Viktor Trojanovic
2017-Jun-19 13:50 UTC
[Samba] New AD user cannot access file share from member server
On 19 June 2017 at 15:31, lingpanda101 via samba <samba at lists.samba.org> wrote:
> On 6/19/2017 9:12 AM, Viktor Trojanovic via samba wrote:
>> On 19 June 2017 at 14:56, Rowland Penny via samba <samba at lists.samba.org> wrote:
>>> Your user 'Jane Doe' does not have a 'gidNumber' attribute, does
>>> 'Domain Users' have a 'gidNumber' attribute?
>>
>> It does, it's set to 10001.
>>
>> And none of the users have gidNumber set.
>
> Is the user's primary group name/GID set as 'Domain Users'?

Yes. Primary - and only group.
lingpanda101
2017-Jun-19 14:01 UTC
[Samba] New AD user cannot access file share from member server
On 6/19/2017 9:50 AM, Viktor Trojanovic wrote:
> On 19 June 2017 at 15:31, lingpanda101 via samba <samba at lists.samba.org> wrote:
>> On 6/19/2017 9:12 AM, Viktor Trojanovic via samba wrote:
>>> On 19 June 2017 at 14:56, Rowland Penny via samba <samba at lists.samba.org> wrote:
>>>> Your user 'Jane Doe' does not have a 'gidNumber' attribute, does
>>>> 'Domain Users' have a 'gidNumber' attribute?
>>>
>>> It does, it's set to 10001.
>>>
>>> And none of the users have gidNumber set.
>>
>> Is the user's primary group name/GID set as 'Domain Users'?
>
> Yes. Primary - and only group.

I missed that as I was focused on a GID being present. Thanks.

I wonder if this has to do with the recent change in 4.6 to winbind:

  With 4.6, it will be possible to optionally use the primary group as
  set in the "Unix Attributes" tab for the local unix token of a domain
  user. Before 4.6, the Windows primary group was always chosen as
  primary group for the local unix token. To activate the unix primary
  group, set

    idmap config <DOMAIN> : unix_primary_group = yes

  Similarly, set

    idmap config <DOMAIN> : unix_nss_info = yes

  to retrieve the home directory and login shell from the "Unix
  Attributes" of the user. This supersedes the "winbind nss info"
  parameter with a per-domain configuration option.

-- 
-- James
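The two diagnostic questions in this thread (does the user object carry the RFC2307 attributes a member server needs, and which group the 4.6 `unix_primary_group` setting James quotes would pick) can be checked offline from the ldbsearch output Rowland asked for. The script below is an added example and not code from the thread or from the Samba project; it parses records shaped like the posted 'jd' and 'Domain Users' objects (the values are constructed, not the posters' data) and reports the uid/gid a member server would derive under both settings. The selection rule it models is my reading of the release note quoted above, not Samba's own winbind code.

```python
"""Parse ldbsearch output and work out the Unix uid/gid for an AD user.

Added example; record shape follows the ldbsearch records posted in the
thread, values are constructed. The group-selection rule follows the Samba
4.6 release note quoted above (assumption: not taken from winbind's code).
"""

# Constructed sample: a user like 'jd' (uidNumber set, no gidNumber, primary
# group RID 513) plus its primary group 'Domain Users' carrying gidNumber 10001.
# objectCategory is folded with a leading-space continuation line, as LDIF does.
SAMPLE_LDB_OUTPUT = """\
# record 1
dn: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: jd
primaryGroupID: 513
objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example
 ,DC=ch
uidNumber: 11008

# record 2
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=ch
objectClass: top
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-4280320235-2980747731-3738778716-513
gidNumber: 10001

# returned 2 records
# 2 entries
# 0 referrals
"""


def parse_ldb(text):
    """Turn ldbsearch/LDIF text into a list of {attribute: [values]} dicts.

    '#' lines and blank lines end a record; a line starting with one space
    continues the previous value (LDIF folding)."""
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue  # not an attribute line; skip it
        current.setdefault(key, []).append(value.strip())
        last_key = key
    if current:
        records.append(current)
    return records


def first(rec, attr):
    """First value of a (possibly multi-valued) attribute, or None if absent."""
    values = rec.get(attr)
    return values[0] if values else None


def find_user(records, sam_account_name):
    for rec in records:
        if "user" in rec.get("objectClass", []) and first(rec, "sAMAccountName") == sam_account_name:
            return rec
    return None


def primary_group_of(user, records):
    """Resolve primaryGroupID the way AD does: the user's domain SID plus the RID."""
    user_sid, rid = first(user, "objectSid"), first(user, "primaryGroupID")
    if user_sid is None or rid is None:
        return None
    wanted_sid = user_sid.rsplit("-", 1)[0] + "-" + rid
    for rec in records:
        if first(rec, "objectSid") == wanted_sid:
            return rec
    return None


def unix_identity(records, sam_account_name, unix_primary_group=False):
    """Return (uid, gid, problems) for the named user.

    unix_primary_group = no: gid is the gidNumber of the primaryGroupID group.
    unix_primary_group = yes: gid is the user's own gidNumber attribute."""
    problems = []
    user = find_user(records, sam_account_name)
    if user is None:
        return None, None, ["no user object with sAMAccountName=%s" % sam_account_name]
    uid = first(user, "uidNumber")
    if uid is None:
        problems.append("user has no uidNumber, so no Unix uid can be mapped")
    if unix_primary_group:
        gid = first(user, "gidNumber")
        if gid is None:
            problems.append("unix_primary_group = yes but the user has no gidNumber")
    else:
        group = primary_group_of(user, records)
        gid = first(group, "gidNumber") if group else None
        if group is None:
            problems.append("primary group RID %s not found among the records" % first(user, "primaryGroupID"))
        elif gid is None:
            problems.append("primary group %s has no gidNumber" % first(group, "sAMAccountName"))
    return (int(uid) if uid else None, int(gid) if gid else None, problems)


if __name__ == "__main__":
    recs = parse_ldb(SAMPLE_LDB_OUTPUT)
    for setting in (False, True):
        print("unix_primary_group =", "yes" if setting else "no", "->", unix_identity(recs, "jd", setting))
```

Feed it the real output of the two ldbsearch commands from the thread (the user record plus `(objectclass=group)` records) and the `problems` list tells you which attribute is missing for each setting: for a 'jd'-style user the default mapping succeeds through Domain Users' gidNumber, while `unix_primary_group = yes` fails because the user object itself has no gidNumber.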
Viktor Trojanovic
2017-Jun-19 14:06 UTC
[Samba] New AD user cannot access file share from member server
On 19 June 2017 at 15:49, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Mon, 19 Jun 2017 09:31:17 -0400
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>
>> >>> primaryGroupID: 513
>>
>> Is the user's primary group name/GID set as 'Domain Users'?
>
> Yes, see line above, '513' is Domain Users.
>
> I cannot see any reason why the user doesn't work, I think the best
> idea, as it is only one user, will be to delete and then recreate the
> user. This does mean that any files etc the old user owns may have to
> be changed to the new user.

I guess I'll do that and report back. But I sure am curious as to what
could have caused this mess..