Thanks Rowland. See inline comments.

> On Thu, 9 Nov 2017 17:08:52 -0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> See inline Comments:
>
> On Thu, 9 Nov 2017 16:11:49 -0000
> Roy Eastwood via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> > I have a Debian Stretch machine with Louis' samba 4.7.1 package installed. I have configured it as a member server and joined it to my test domain. I tried the idmap rid back end and all worked ok, but am now trying the idmap ad back end. I have users' home folders saved to a users share on the member server, configured to allow auto-creation of home folders when the windows user logs in for the first time. That's working OK after some adjustments to the ntfs and share permissions which vary from the samba Wiki page (https://wiki.samba.org/index.php/User_Home_Folders) after reading this https://support.microsoft.com/en-gb/help/555046. Also if users are allowed to log in locally as a unix user to the member server, I found that the unix permissions had to include rwx for the domain users group otherwise they are unable to access their home folder. Does the Wiki need updating?
>
> Probably not.

OK, fine, but I couldn't get auto-creation of home folders to work with just the settings in the Wiki.

> > Am I right in assuming from the Wiki that all users in the domain have to have at least the UID and GID set in AD (when using the idmap ad back end)?
>
> It depends on what version of Samba you are using and how you set up smb.conf, more on this later ;-)
>
> > My problem is that if I want to log on as administrator,
>
> Log on where ?
> If you mean to a Unix machine, then no you don't, you might think you do, but really you don't.

Yes, I did mean the unix machine; but you are right, I don't need to. I was just following the wiki to see if it works! And I can see it doesn't now from what you say below.

> > I either allocate a UID/GID in AD - in which case I can log in OK. However, if I use the username map parameter in smb.conf along with the appropriate file user.map to map administrator to root, the Wiki says do not allocate a UID and GID in AD. So I took these off but I cannot log in now to the member server as administrator. Neither does administrator show up in the output of getent passwd.
>
> Ah, but you are using a user.map, which maps 'Administrator' to 'root', so guess who you should log onto the Unix machine as ?

Yes, indeed. Actually I use another user and then sudo, but it winds up as the same thing.

> > However, wbinfo -u produces:
> > root at debian-m1:/home/linuxadmin# wbinfo -u
> > test1
> > test2
> > test3
> > administrator
> > roy
> > krbtgt
> > guest
> >
> > But wbinfo -i administrator produces:
> > root at debian-m1:/home/linuxadmin# wbinfo -i administrator
> > failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not get info for user administrator
>
> Yes, that is correct for a Unix Domain member. All that wbinfo shows is that winbind can connect to AD, you need to have 'getent passwd username' produce output to prove that the OS knows your AD users as Unix users (note that 'getent passwd Administrator' won't work either)
>
> > I have tried also with wbinfo -i MICROLYNX\administrator but the same result as above.
> >
> > My smb.conf from the member server:
> > ============================
> > [global]
> > netbios name = debian-m1
> > security = ADS
> > workgroup = MICROLYNX
> > realm = MICROLYNX.CO.UK
> >
> > log file = /var/log/samba/%m.log
> > log level = 1
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > winbind refresh tickets = yes
> >
> > winbind trusted domains only = no
> > winbind use default domain = yes
> >
> > # Default idmap config used for BUILTIN and local accounts/groups
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> >
> > # idmap config for domain MICROLYNX
> > idmap config MICROLYNX:backend = ad
> > idmap config MICROLYNX:schema_mode = rfc2307
> > idmap config MICROLYNX:range = 10000-99999
> >
> > # Use settings from AD for login shell and home directory and primary group
> > idmap config MICROLYNX:unix_nss_info=yes
> > idmap config MICROLYNX:unix_primary_group=yes
>
> Remember when I said 'more on this later', well it is later ;-)
>
> With the above 'idmap config' lines, your users will need a uidNumber attribute containing a unique number from the '10000-99999' range, they will also need a gidNumber attribute that contains the gidNumber of a group, this means that the group MUST have a gidNumber attribute containing the same number, this must also be in the '10000-99999' range.
> If you do not want this, give Domain Users a gidNumber and remove the 'unix_primary_group' line and restart Samba.

OK, yes, have removed this line as I have already given Domain Users a gid number.

> > # enable getent passwd & getent group to display domain users & groups
> > winbind enum users = yes
> > winbind enum groups = yes
>
> You should remove the two 'winbind enum' lines, you do not need them and they only slow things down.

Yes, noted, these were inserted for testing.

> Rowland

So the section on the Wiki page for "Mapping the Domain Administrator Account to the local root user" is never going to work for logging onto the member server itself? I assume therefore this will only apply if the administrator on another member client machine saves files etc, they will be owned by root rather than the Domain Administrator account? If so I misunderstood the purpose of that section! Thanks for your clarifications!

Roy
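As an added example (not code from the thread or from Samba itself), a small checker for the constraint Rowland explains in the quoted reply above: with 'unix_primary_group = yes' every user needs a uidNumber inside the configured range and a gidNumber equal to that of a group whose gidNumber also lies inside the range; without it, Domain Users itself needs a gidNumber in range. It reads the 'idmap config' lines of an smb.conf and an LDIF dump of the kind ldbsearch or ldapsearch print; both inputs here are constructed samples with made-up names and numbers, and the helper names are my own.

```python
import re
# Constructed smb.conf fragment, modelled on the idmap lines Roy posted in the thread.
SMB_CONF = """[global]
   idmap config MICROLYNX:backend = ad
   idmap config MICROLYNX:schema_mode = rfc2307
   idmap config MICROLYNX:range = 10000-99999
   idmap config MICROLYNX:unix_primary_group=yes
"""
# Constructed LDIF in the shape ldbsearch/ldapsearch prints; the entries are made up.
LDIF = """dn: CN=Domain Users,CN=Users,DC=microlynx,DC=co,DC=uk
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=roy,CN=Users,DC=microlynx,DC=co,DC=uk
objectClass: user
sAMAccountName: roy
uidNumber: 10002
gidNumber: 20000

dn: CN=test2,CN=Users,DC=microlynx,DC=co,DC=uk
objectClass: user
sAMAccountName: test2
uidNumber: 500
gidNumber: 10000

dn: CN=Administrator,CN=Users,DC=microlynx,DC=co,DC=uk
objectClass: user
sAMAccountName: Administrator
"""
# Matches 'idmap config DOM:opt = value' whether or not spaces surround ':' and '='.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)

def parse_idmap(conf):
    """Options per idmap domain, e.g. {'MICROLYNX': {'range': '10000-99999', ...}}."""
    cfg = {}
    for dom, opt, val in IDMAP_RE.findall(conf):
        cfg.setdefault(dom, {})[opt.lower()] = val.lower()
    return cfg

def parse_ldif(text):
    """One dict per blank-line-separated entry; attributes are treated as single-valued."""
    return [dict((k.strip(), v.strip()) for k, v in
                 (line.split(":", 1) for line in block.splitlines() if ":" in line))
            for block in re.split(r"\n\s*\n", text.strip())]

def check_idmap_ad(conf, ldif, domain):
    """Findings for accounts winbind could not map under this idmap config (empty = all good)."""
    opts = parse_idmap(conf)[domain]
    lo, hi = (int(x) for x in opts["range"].split("-"))
    in_range = lambda n: n is not None and lo <= int(n) <= hi
    entries = parse_ldif(ldif)
    # Only a group whose gidNumber lies inside the range can serve as a user's primary group.
    group_gids = {e["gidNumber"] for e in entries if e.get("objectClass") == "group" and in_range(e.get("gidNumber"))}
    ad_primary = opts.get("unix_primary_group") == "yes"
    out = []
    du_gid = next((e.get("gidNumber") for e in entries if e.get("sAMAccountName") == "Domain Users"), None)
    if not ad_primary and du_gid not in group_gids:  # Rowland's alternative needs Domain Users mapped
        out.append(f"Domain Users: gidNumber {du_gid} missing or outside {lo}-{hi}")
    for e in (e for e in entries if e.get("objectClass") == "user"):
        name, uid, gid = e["sAMAccountName"], e.get("uidNumber"), e.get("gidNumber")
        if not in_range(uid):  # tolerable only for an account handled by 'username map'
            out.append(f"{name}: uidNumber {uid} missing or outside {lo}-{hi}, getent passwd will not show it")
        if ad_primary and gid not in group_gids:
            out.append(f"{name}: gidNumber {gid} is not the gidNumber of a group inside {lo}-{hi}")
    return out
```

Run it against real data by pasting your own smb.conf and the output of an ldbsearch/ldapsearch for uidNumber, gidNumber, sAMAccountName and objectClass in place of the two constructed strings.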
On Thu, 9 Nov 2017 21:47:11 -0000
Roy Eastwood via samba <samba at lists.samba.org> wrote:

> Thanks Rowland.
> See inline comments.
>
> > On Thu, 9 Nov 2017 17:08:52 -0000
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> > See inline Comments:
> >
> > On Thu, 9 Nov 2017 16:11:49 -0000
> > Roy Eastwood via samba <samba at lists.samba.org> wrote:
> >
> > > Hi,
> > > I have a Debian Stretch machine with Louis' samba 4.7.1 package installed. I have configured it as a member server and joined it to my test domain. I tried the idmap rid back end and all worked ok, but am now trying the idmap ad back end. I have users' home folders saved to a users share on the member server, configured to allow auto-creation of home folders when the windows user logs in for the first time. That's working OK after some adjustments to the ntfs and share permissions which vary from the samba Wiki page (https://wiki.samba.org/index.php/User_Home_Folders) after reading this https://support.microsoft.com/en-gb/help/555046. Also if users are allowed to log in locally as a unix user to the member server, I found that the unix permissions had to include rwx for the domain users group otherwise they are unable to access their home folder. Does the Wiki need updating?
> >
> > Probably not.
>
> OK, fine, but I couldn't get auto-creation of home folders to work with just the settings in the Wiki.

If you are talking about auto-creating users' home folders on Unix machines, this is quite easy, when you know how ;-)

Add this line to /etc/pam.d/common-session

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

Then when a user logs in, if the user's homedir doesn't exist, it will be created.

> > > I either allocate a UID/GID in AD - in which case I can log in OK. However, if I use the username map parameter in smb.conf along with the appropriate file user.map to map administrator to root, the Wiki says do not allocate a UID and GID in AD. So I took these off but I cannot log in now to the member server as administrator. Neither does administrator show up in the output of getent passwd.
> >
> > Ah, but you are using a user.map, which maps 'Administrator' to 'root', so guess who you should log onto the Unix machine as ?
>
> Yes, indeed. Actually I use another user and then sudo, but it winds up as the same thing.

It also works from windows, you can do things from windows on a Unix machine, set windows ACLs etc.

> So the section on the Wiki page for "Mapping the Domain Administrator Account to the local root user" is never going to work for logging onto the member server itself? I assume therefore this will only apply if the administrator on another member client machine saves files etc, they will be owned by root rather than the Domain Administrator account? If so I misunderstood the purpose of that section!

Yes, that is basically how it works, but it goes further, it allows you to do the things that Administrator does on Windows, on Unix domain members.

Rowland
A bit cleaner way to mk_homedir, I would try to avoid changing manually settings in pam.

echo "Name: Create home directory during login
Default: yes
Priority: 900
Session-Type: Additional
Session:
	required pam_mkhomedir.so umask=0022 skel=/etc/skel
" > /usr/share/pam-configs/mkhomedir

And run :
pam-auth-update

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
> Sent: Thursday 9 November 2017 23:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] Member Server Configuration
>
> On Thu, 9 Nov 2017 21:47:11 -0000
> Roy Eastwood via samba <samba at lists.samba.org> wrote:
>
> > OK, fine, but I couldn't get auto-creation of home folders to work with just the settings in the Wiki.
>
> If you are talking about auto-creating users' home folders on Unix machines, this is quite easy, when you know how ;-)
>
> Add this line to /etc/pam.d/common-session
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>
> Then when a user logs in, if the user's homedir doesn't exist, it will be created.
>
> > Yes, indeed. Actually I use another user and then sudo, but it winds up as the same thing.
>
> It also works from windows, you can do things from windows on a Unix machine, set windows ACLs etc.
>
> > So the section on the Wiki page for "Mapping the Domain Administrator Account to the local root user" is never going to work for logging onto the member server itself? I assume therefore this will only apply if the administrator on another member client machine saves files etc, they will be owned by root rather than the Domain Administrator account? If so I misunderstood the purpose of that section!
>
> Yes, that is basically how it works, but it goes further, it allows you to do the things that Administrator does on Windows, on Unix domain members.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Thanks Louis.

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van Belle via samba
> Sent: 10 November 2017 08:15
> To: samba at lists.samba.org
> Subject: Re: [Samba] Member Server Configuration
>
> A bit cleaner way to mk_homedir, I would try to avoid changing manually settings in pam.
>
> echo "Name: Create home directory during login
> Default: yes
> Priority: 900
> Session-Type: Additional
> Session:
> 	required pam_mkhomedir.so umask=0022 skel=/etc/skel
> " > /usr/share/pam-configs/mkhomedir
>
> And run :
> pam-auth-update
>
> Greetz,
>
> Louis
>
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
> > Sent: Thursday 9 November 2017 23:13
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Member Server Configuration
On Fri, 10 Nov 2017 09:14:51 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> A bit cleaner way to mk_homedir, I would try to avoid changing manually settings in pam.
>
> echo "Name: Create home directory during login
> Default: yes
> Priority: 900
> Session-Type: Additional
> Session:
> 	required pam_mkhomedir.so umask=0022 skel=/etc/skel
> " > /usr/share/pam-configs/mkhomedir
>
> And run :
> pam-auth-update
>
> Greetz,
>
> Louis

Fair enough, but the same line ends up in the same place ;-)

Rowland
Yes, but now it is ready for this bugfix.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568577

So whenever this one gets fixed, you won't notice it. ;-)

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
> Sent: Friday 10 November 2017 9:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Member Server Configuration
>
> On Fri, 10 Nov 2017 09:14:51 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > A bit cleaner way to mk_homedir, I would try to avoid changing manually settings in pam.
> >
> > And run :
> > pam-auth-update
> >
> > Greetz,
> >
> > Louis
>
> Fair enough, but the same line ends up in the same place ;-)
>
> Rowland
[snip]

> > OK, fine, but I couldn't get auto-creation of home folders to work with just the settings in the Wiki.
>
> If you are talking about auto-creating users' home folders on Unix machines, this is quite easy, when you know how ;-)
>
> Add this line to /etc/pam.d/common-session
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>
> Then when a user logs in, if the user's homedir doesn't exist, it will be created.
>

Yes, that's fine for unix users. No, what I was wanting was the users' home folders to be auto-created when a user logs in from a windows machine for the first time. This is normally how it works on Windows DCs. In addition, if a GPO is set to redirect the user's folders, eg Documents, Music, Pictures etc, to the home folder (instead of the user's profile folder on the local machine) these should also be auto-created. I wasn't getting this behaviour with the Wiki's recommended permissions for the home folders on the member server. Once I set permissions as follows:

Share Permissions:
Authenticated Users: Full Control (Wiki says Read & Execute)
Domain Admins: Full Control

NTFS Permissions:
Domain Admins: Full Control (This folder, subfolders & files)
Domain Users: Modify (This folder, subfolders & files)
CREATOR OWNER: Full Control (Subfolders and files only)
Authenticated Users: Read & Execute, List Folder Contents, Read (This folder only)

Things started working as they would on a Windows DC.

Thanks for your help.

Roy