Martin Decker
2017-Aug-18 15:32 UTC
[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
Thank you for your feedback. I have changed the parameters, but still no
success.

winbind use default domain = yes
idmap config * : range = 1000000-1999999
idmap config MYDOM : range = 100-999999

Regards,
Martin

2017-08-18 15:00 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> See inline comments:
>
> On Fri, 18 Aug 2017 14:40:54 +0200
> Martin Decker via samba <samba at lists.samba.org> wrote:
>
> > Dear List,
> >
> > I am trying to set up Samba 3.6.25 (solaris 11.3 packaged) to
> > provide unix file shares to windows users.
> >
> > I can successfully list groups and users with wbinfo -u / wbinfo
> > -g, but I do not get any data with "getent group" or "getent passwd".
> > In AD, we have set "gidNumber" Attribute for Group "Domain Users" to
> > a value in the specified range (100-999999). Also, for my account
> > "mdecker", we have set uidNumber in AD to a value in the range.
> >
> > getent group "MYDOM\\Domain Users"
> > ... no output
> >
> > For reference, this is the smb.conf:
> >
> > [global]
> > workgroup = MYDOM
> > realm = MYDOM.ADS
> > server string = Samba Server
> > security = ADS
> > log level = 2
> > log file = /var/samba/log/log.%m
> > max log size = 50
> > unix extensions = No
> > client signing = Yes
> > local master = No
> > domain master = No
> > dns proxy = No
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > # So we remove the "MYDOMAIN\" part from MYDOMAIN\userid
> > winbind trusted domains only = Yes
>
> The above line doesn't remove the DOMAIN from the username, you need:
> winbind use default domain = yes
> to do that
>
> > idmap config * :backend = tdb
> > idmap config * : range = 1000-1999999
> > idmap config MYDOM : backend = ad
> > idmap config MYDOM : range = 100-999999
> > idmap config MYDOM : schema_mode = rfc2307
>
> Your ranges overlap and you don't really need '1,998,999' IDs for the
> '*' range.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Martin Decker

Rowland Penny
2017-Aug-18 15:48 UTC
[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
On Fri, 18 Aug 2017 17:32:34 +0200
Martin Decker via samba <samba at lists.samba.org> wrote:

> Thank you for your feedback. I have changed the parameters, but still
> no success.
>
> winbind use default domain = yes
> idmap config * : range = 1000000-1999999
> idmap config MYDOM : range = 100-999999
>

You are using the winbind 'ad' backend, so do your AD domain users
have a uidNumber attribute containing a unique number inside the range
'100-999999' AND does 'Domain Users' have a gidNumber attribute
containing a number in the same range.

Rowland

Martin Decker
2017-Aug-21 15:25 UTC
[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
Dear Rowland,

our windows admin assured me that they have set uidNumber and gidNumber in
the range. I have requested screenshots for confirmation.

Now we are one step further: "getent passwd | grep mdecker" now lists the
AD account.

mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false

With "getent passwd mdecker" however, it shows "NT_STATUS_NO_SUCH_USER".

getent passwd mdecker

winbindd_getpwnam: My domain -- rejecting getpwnam() for MYDOM\mdecker.
Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER

Also not working:

getnet passwd mdecker
getent passwd "MYDOM\\mdecker"

What is working though is when I give REALM Suffix ".ADS"

getent passwd "MYDOM.ADS\\mdecker"
mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false

For "getent group" currently, the issue is: "rejecting getgrsid()",
although the Group "DOMAIN USERS" was successfully resolved from name to SID.

getent group "MYDOM\\DOMÄNEN-BENUTZER"

wcache_save_name_to_sid: MYDOM\DOMÄNEN-BENUTZER -> S-1-5-21-1585417398-3384821309-2524188735-513 (NT_STATUS_OK)
winbindd_getgrsid: My domain -- rejecting getgrsid() for S-1-5-21-1585417398-3384821309-2524188735-513
Could not convert sid S-1-5-21-1585417398-3384821309-2524188735-513: NT_STATUS_NO_SUCH_GROUP

Is there anything else to set up on Windows side in order for getgrsid to
work?

With wbinfo, I can do these successfully:

wbinfo --sid-to-uid "S-1-5-21-1585417398-3384821309-2524188735-13667"
13667
root at solaris1:/# wbinfo --uid-info=13667
mdecker:*:13667:7142::/home/MYDOM/mdecker:/bin/false

... but "wbinfo -r" does not work:

root at solaris1:/# wbinfo -r mdecker
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user mdecker

Testing access to a Solaris SMB Share from Windows, reports this error when
trying to mount the share:

[2017/08/21 17:19:44.281527, 3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [mdecker at MYDOM.ADS]
[2017/08/21 17:19:44.281680, 10] auth/user_krb5.c:82(get_user_from_kerberos_info)
  Domain is [MYDOM] (using PAC)
[2017/08/21 17:19:44.281747, 5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user MYDOM\mdecker
[2017/08/21 17:19:44.281805, 5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is MYDOM\mdecker
[2017/08/21 17:19:44.283946, 5] lib/username.c:123(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is MYDOM\mdecker
[2017/08/21 17:19:44.284685, 5] lib/username.c:133(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is MYDOM\MDECKER
[2017/08/21 17:19:44.285073, 5] lib/username.c:142(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in MYDOM\mdecker
[2017/08/21 17:19:44.285150, 5] lib/username.c:148(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [MYDOM\mdecker]!
[2017/08/21 17:19:44.285222, 5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user mdecker
[2017/08/21 17:19:44.285323, 5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is mdecker
[2017/08/21 17:19:44.285755, 5] lib/username.c:133(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is MDECKER
[2017/08/21 17:19:44.286128, 5] lib/username.c:142(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in mdecker
[2017/08/21 17:19:44.286197, 5] lib/username.c:148(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [mdecker]!
[2017/08/21 17:19:44.287762, 1] auth/user_krb5.c:161(get_user_from_kerberos_info)
  Username MYDOM\mdecker is invalid on this system
[2017/08/21 17:19:44.287963, 3] smbd/error.c:77(error_packet_set)
  error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

Any ideas?

Best regards,
Martin

2017-08-18 17:48 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Fri, 18 Aug 2017 17:32:34 +0200
> Martin Decker via samba <samba at lists.samba.org> wrote:
>
> > Thank you for your feedback. I have changed the parameters, but still
> > no success.
> >
> > winbind use default domain = yes
> > idmap config * : range = 1000000-1999999
> > idmap config MYDOM : range = 100-999999
> >
>
> You are using the winbind 'ad' backend, so do your AD domain users
> have a uidNumber attribute containing a unique number inside the range
> '100-999999' AND does 'Domain Users' have a gidNumber attribute
> containing a number in the same range.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
Martin Decker
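
The two range conditions raised in this thread (that the '*' and MYDOM idmap ranges must not overlap, and that uidNumber/gidNumber must fall inside the MYDOM range) can be checked mechanically. The following Python is an added example, not part of the original posts or of Samba; the function names are hypothetical, and the config lines and the IDs 13667 and 7142 are the ones quoted in the messages above.

```python
import re
from itertools import combinations

# Matches "idmap config <DOMAIN> : <option> = <value>", tolerant of spacing.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

# Lines as first posted in the thread, and after the '*' range was moved.
ORIGINAL = """\
idmap config * :backend = tdb
idmap config * : range = 1000-1999999
idmap config MYDOM : backend = ad
idmap config MYDOM : range = 100-999999
idmap config MYDOM : schema_mode = rfc2307
"""
REVISED = ORIGINAL.replace("1000-1999999", "1000000-1999999")

def parse_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config ... range' line."""
    found = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smb.conf comment
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            low, high = (int(part) for part in m.group(3).split("-"))
            found[m.group(1).upper()] = (low, high)
    return found

def overlapping(ranges):
    """Return domain pairs whose ID ranges share at least one ID."""
    return [(a, b)
            for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2)
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def in_range(ranges, domain, xid):
    """True if a uidNumber/gidNumber lies inside the domain's range."""
    low, high = ranges[domain.upper()]
    return low <= xid <= high

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("revised", REVISED)):
        print(label, "overlaps:", overlapping(parse_ranges(conf)))
    r = parse_ranges(REVISED)
    print("uid 13667 in MYDOM range:", in_range(r, "MYDOM", 13667))
    print("gid 7142 in MYDOM range:", in_range(r, "MYDOM", 7142))
```
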