> On 29.09.2017 11:44 Rowland Penny wrote:
> Have you set up the libnss_winbind links, PAM and /etc/nsswitch.conf ?

Yes, I had modified two lines in /etc/nsswitch.conf:
passwd: files winbind
group: files winbind

No, I had not seen a pointer to libnss, but now did
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/
ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so
ldconfig

The wiki page Authenticating_Domain_Users_Using_PAM tells to NOT configure PAM on a DC.

I tried "net cache flush"

These tests succeed:
wbinfo --ping-dc
getent passwd COMPANY\\user
getent group "COMPANY\\Domain Users"

The output of "getfacl sysvol" looks strange:

# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

I tried "samba-tool ntacl sysvolreset".
This added a few lines to the output of getfacl:

# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Users still cannot see the contents of any share.

What else could be missing?

Klaus
On Fri, 29 Sep 2017 13:19:44 +0200
Klaus Hartnegg via samba <samba at lists.samba.org> wrote:

> > On 29.09.2017 11:44 Rowland Penny wrote:
> > Have you set up the libnss_winbind links, PAM
> > and /etc/nsswitch.conf ?
>
> Yes, I had modified two lines in /etc/nsswitch.conf:
> passwd: files winbind
> group: files winbind
>
> No, I had not seen a pointer to libnss, but now did
> ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/
> ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so
> ldconfig
>
> The wiki page Authenticating_Domain_Users_Using_PAM tell to
> NOT configure PAM on a DC.

I have just checked the page again:
https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM
I cannot see where it says not to use on a DC

> I tried "net cache flush"
>
> These tests succeed:
> wbinfo --ping-dc
> getent passwd COMPANY\\user
> getent group "COMPANY\\Domain Users"
>
> The output of "getfacl sysvol" looks strange:
>
> # file: usr/local/samba/var/locks/sysvol
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:3000000:rwx
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> I tried "samba-tool ntacl sysvolreset".
> This added a few lines to the output of getfacl:
>
> # file: usr/local/samba/var/locks/sysvol
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>

By 'strange', I take it you are referring to the numbers instead of names. Don't worry, this is perfectly normal on a DC. The numbers are the 'xidNumbers' you will find in idmap.ldb

> Users still cannot see the contents of any share.

What does 'getent passwd username' actually produce ?

> What else could be missing?

Not sure, if PAM isn't set up, then set it up by installing the required packages and try again

Rowland
> On 29.09.2017 14:32 Rowland Penny wrote:
> I cannot see where it says not to use on a DC

I misread the first section.

> What does 'getent passwd username' actually produce ?

root@dc1:~# getent passwd administrator
COMPANY\administrator:*:0:100::/home/COMPANY/administrator:/bin/false
root@dc1:~# getent passwd klaus
COMPANY\klaus:*:10000:100::/home/COMPANY/klaus:/bin/false

> if PAM isn't set up, then set it up by installing the
> required packages and try again

Ok, I ran "pam-auth-update" and pressed enter twice.
Have no idea what this does.

But is PAM really necessary on a DC?
The Wiki says that winbindd is optional.
Should not at least sysvol work without it?

Klaus
Now with this email also, you have at least 3 problems.

1) incorrect hosts file (see my previous post)
2) incorrect resolv.conf (see my previous post)
3) you did hit the "Group bug" (group 100 should be minimal 10000)
   https://bugzilla.samba.org/show_bug.cgi?id=13054

Fix that with
wbinfo -G 10000
net cache flush

> Then I used ADUC from RSAT to create an OU and a user.
> User can see the shares (and can map them to a drive letter), but is
> denied to look inside.
> Same for another share which I added.
> Even when administrator grants permission to everybody.

Did you "copy" another user? Or did you create a template for your users?
If you copy from another user, and if you have set the Unix attributes.
Try this, remove the profile and user folder, go to the ADUC, Profile tab.
Change something in the user and profile field so windows sees a change. Then click apply.

For another quick fix. You see the 2005 there, make sure that matches your own:
wbinfo -G 2005
S-1-5-18
wbinfo -Y S-1-5-18

#!/bin/bash
# Writes a getfacl-style ACL file for one user's profile folder.
# $1 is the user name; the 2005 below must be the gid of S-1-5-18 on your DC.
RIGHTSFILE="default-rights-user-profile.acl"
GROUP_WRITE_RIGHTS="domain\040users"
USER_SYSTEM="$(wbinfo -Y S-1-5-18)"
cat << EOF > ${RIGHTSFILE}
# file: user.V6/
# owner: user
# group: domain\040users
user::rwx
user:${1}:rwx
group::---
group:${USER_SYSTEM}:rwx
group:${GROUP_WRITE_RIGHTS}:---
mask::rwx
other::---
default:user::rwx
default:user:${1}:rwx
default:group::---
default:group:2005:rwx
default:group:${GROUP_WRITE_RIGHTS}:---
default:mask::rwx
default:other::---
EOF
echo "Run : setfacl -R -b -M $RIGHTSFILE The_Users_Profile_Folder"

As Administrator check the rights on the share.
Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Klaus Hartnegg via samba
> Sent: Friday 29 September 2017 15:42
> To: samba at lists.samba.org
> Subject: Re: [Samba] user cannot access shares on new ad-dc
>
> > On 29.09.2017 14:32 Rowland Penny wrote:
> > I cannot see where it says not to use on a DC
>
> I misread the first section.
>
> > What does 'getent passwd username' actually produce ?
>
> root@dc1:~# getent passwd administrator
> COMPANY\administrator:*:0:100::/home/COMPANY/administrator:/bin/false
> root@dc1:~# getent passwd klaus
> COMPANY\klaus:*:10000:100::/home/COMPANY/klaus:/bin/false
>
> > if PAM isn't set up, then set it up by installing the required
> > packages and try again
>
> Ok, I ran "pam-auth-update" and pressed enter twice.
> Have no idea what this does.
>
> But is PAM really necessary on a DC?
> The Wiki says that winbindd is optional.
> Should not at least sysvol work without it?
>
> Klaus
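A quick check for the "group bug" symptom Louis points at (primary GID 100 where the DC's idmap range starts at 10000), as an added example that is not part of the thread: it parses getent passwd lines (a constructed sample modelled on the two accounts shown above) and lists every account whose primary GID is below the expected minimum, so you know which ones to fix with wbinfo -G and net cache flush.

```shell
#!/bin/sh
# Added example (not from the thread): spot domain users whose primary GID
# is below the DC idmap range, the "group 100" symptom discussed above.
# Assumption: input is 'getent passwd' output, one account per line.

# Constructed sample, modelled on the two accounts shown in the thread
# plus one that looks healthy.
SAMPLE_PASSWD='COMPANY\administrator:*:0:100::/home/COMPANY/administrator:/bin/false
COMPANY\klaus:*:10000:100::/home/COMPANY/klaus:/bin/false
COMPANY\healthy:*:10001:10000::/home/COMPANY/healthy:/bin/false'

# Read passwd lines on stdin, print "name gid" for every account whose
# primary GID is below $1 (default 10000). Returns 1 if any were found,
# 0 otherwise, so it can drive a shell conditional.
find_low_gid_users() {
    min_gid="${1:-10000}"
    found=0
    while IFS=: read -r name _pw _uid gid _rest; do
        [ -n "$name" ] || continue
        case "$gid" in
            ''|*[!0-9]*) continue ;;   # skip malformed or non-numeric lines
        esac
        if [ "$gid" -lt "$min_gid" ]; then
            printf '%s %s\n' "$name" "$gid"
            found=1
        fi
    done
    return "$found"
}

# Stand-alone run against the constructed sample; on a real DC pipe
# 'getent passwd' in instead and apply the fix from the thread to each
# account listed.
printf '%s\n' "$SAMPLE_PASSWD" | find_low_gid_users \
    || echo "fix with: wbinfo -G <gid>; net cache flush"
```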