Bob Thomas
2018-Jun-20 19:12 UTC
[Samba] Ubuntu 18:04 not getting 'home' directory from DC
Rowland,

How would I find this info?

Check if 'Rachel Jones' has a 'gecos' attribute in AD.

You seem to be being denied access to '.Xauthority', was it created on another machine ? No

However, I am sure '-13' usually means incorrect password.

I am sure the password is correct, the /mnt/home/rachel folder is created but the user files are not created because access is denied. The folder stays empty and the computer flashes back to the login screen.

Bob

On Wed, 20 Jun 2018 12:01:57 -0400
Bob Thomas via samba <samba at lists.samba.org> wrote:

> Thank you for your reply.
>
> First I am using 'ad' backend (DC config is in first post below) and until I did a fresh install of a new DC Samba 4.8.2 on Ubuntu 18.04 the user/group id, shell, and home directory paths were correctly obtained from the RSAT UNIX Attribute Tab settings on the DC. It seems that is still working for users already created with existing home directories on the file server, it is new users or any user that needs to build a home directory on the file server. This behavior is happening on both Ubuntu 18.04 and 16.04 now, so I believe it is related to the new DC.
>
> do I need 'winbind nss info = template' and if so what does it do?

No, because it is the default setting and it tells winbind to only obtain the users ID and primary group from AD.

> Anyway, I tried Louis' suggestion and was able to get a better response after adding this to the *file server smb.conf*:
>
> template homedir = /mnt/home/%U ( also tried /mnt/Filestore/user-folders/%U )
> template shell = /bin/sh
>
> both resulted in correct mount points and shell:
>
> getent passwd 'rachelj'
> rachelj:*:10161:10001::/mnt/home/rachelj:/bin/sh
>
> but expected:
> rachelj:*:10161:10001:Rachel Jones:/mnt/home/rachelj:/bin/sh

Check if 'Rachel Jones' has a 'gecos' attribute in AD.

> But when I tried to login, after a short pause it snaps back to a login. The mount point (rachelj) was created but nothing is in the directory. Note this is a new user and nothing exists on the file server other than the folder created via RSAT during the user setup.
>
> Jun 20 10:29:35 CY-MKT-10 systemd[1]: Started User Manager for UID 10161.
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: ** (process:1419): WARNING **: Error reading existing Xauthority: Failed to open file '/mnt/home/rachelj/.Xauthority': Permission denied
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: Error writing X authority: Failed to open X authority /mnt/home/rachelj/.Xauthority: Permission denied
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:116): Clean global config (0)
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:133): clean system authtok=0x1a22910 (0)
> Jun 20 10:29:36 CY-MKT-10 acpid: client 880[0:0] has disconnected
> Jun 20 10:29:36 CY-MKT-10 acpid: client connected from 1463[0:0]
> Jun 20 10:29:36 CY-MKT-10 acpid: 1 client rule loaded
> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169343] Status code returned 0xc000006d STATUS_LOGON_FAILURE
> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169355] CIFS VFS: Send error in SessSetup = -13
> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169436] CIFS VFS: cifs_mount failed w/return code = -13

You seem to be being denied access to '.Xauthority', was it created on another machine ?

However, I am sure '-13' usually means incorrect password.

Rowland

On 6/20/2018 12:01 PM, Bob Thomas wrote:
>
> Thank you for your reply.
>
> First I am using 'ad' backend (DC config is in first post below) and until I did a fresh install of a new DC Samba 4.8.2 on Ubuntu 18.04 the user/group id, shell, and home directory paths were correctly obtained from the RSAT UNIX Attribute Tab settings on the DC. It seems that is still working for users already created with existing home directories on the file server, it is new users or any user that needs to build a home directory on the file server. This behavior is happening on both Ubuntu 18.04 and 16.04 now, so I believe it is related to the new DC.
>
> do I need 'winbind nss info = template' and if so what does it do?
>
> Anyway, I tried Louis' suggestion and was able to get a better response after adding this to the *file server smb.conf*:
>
> template homedir = /mnt/home/%U ( also tried /mnt/Filestore/user-folders/%U )
> template shell = /bin/sh
>
> both resulted in correct mount points and shell:
>
> getent passwd 'rachelj'
> rachelj:*:10161:10001::/mnt/home/rachelj:/bin/sh
>
> but expected:
> rachelj:*:10161:10001:Rachel Jones:/mnt/home/rachelj:/bin/sh
>
> But when I tried to login, after a short pause it snaps back to a login. The mount point (rachelj) was created but nothing is in the directory. Note this is a new user and nothing exists on the file server other than the folder created via RSAT during the user setup.
>
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (rdconf1.c:744): path to luserconf set to /mnt/home/rachelj/.pam_mount.conf.xml
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:568): pam_mount 2.14: entering session stage
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:786): Could not get realpath of /mnt/home/rachelj: No such file or directory
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:267): Mount info: globalconf, user=rachelj <volume fstype="cifs" server="cy-vault" path="home/rachelj" mountpoint="/mnt/home/rachelj" cipher="(null)" fskeypath="(null)" fskeycipher="(n$
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:309): mkmountpoint: checking /mnt
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:309): mkmountpoint: checking /mnt/home
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:309): mkmountpoint: checking /mnt/home/rachelj
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:349): mkdir[0] /mnt/home/rachelj
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:357): chown /mnt/home/rachelj -> 10161:10001
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:664): Password will be sent to helper as-is.
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: command: 'mount' '-t' 'cifs' '//cy-vault/home/rachelj' '/mnt/home/rachelj' '-o' 'username=rachelj,uid=10161,gid=10001,vers=2.1'
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: command: 'pmvarrun' '-u' 'rachelj' '-o' '1'
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pmvarrun.c:258): parsed count value 0
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:441): pmvarrun says login count is 1
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:660): done opening session (ret=0)
> Jun 20 10:29:35 CY-MKT-10 systemd[1]: Created slice User Slice of rachelj.
> Jun 20 10:29:35 CY-MKT-10 systemd[1]: Starting User Manager for UID 10161...
> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Paths.
> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Sockets.
> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Timers.
> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Basic System.
> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Default.
> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Startup finished in 22ms.
> Jun 20 10:29:35 CY-MKT-10 systemd[1]: Started User Manager for UID 10161.
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: ** (process:1419): WARNING **: Error reading existing Xauthority: Failed to open file '/mnt/home/rachelj/.Xauthority': Permission denied
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: Error writing X authority: Failed to open X authority /mnt/home/rachelj/.Xauthority: Permission denied
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:116): Clean global config (0)
> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:133): clean system authtok=0x1a22910 (0)
> Jun 20 10:29:36 CY-MKT-10 acpid: client 880[0:0] has disconnected
> Jun 20 10:29:36 CY-MKT-10 acpid: client connected from 1463[0:0]
> Jun 20 10:29:36 CY-MKT-10 acpid: 1 client rule loaded
> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169343] Status code returned 0xc000006d STATUS_LOGON_FAILURE
> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169355] CIFS VFS: Send error in SessSetup = -13
> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169436] CIFS VFS: cifs_mount failed w/return code = -13
>
> Bob Thomas
>
> On Wed, 20 Jun 2018 11:36:06 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
>> Hai Bob,
>>
>> And what does the wiki tell you about RID/AD backend AND .....
>> Well even i had troubles finding the page again. So.. .its not you..
>>
>> The wiki, is getting too complex and is having too much side links to other pages. You need to set one or more of the following settings.
>>
>> template homedir =/home/%D/%U
>> template shell = /bin/false
>> usershare template share
>> winbind nss info = template
>>
>> Rowland can you follow this path.
>> ( think in, install a member )
>> 1) https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>> Look for any reference for the template settings, if you use RID.
>>
>> Maybe its an option to link some specific settings to these on the page.
>> ad  idmap config ad  idmap_ad(8)
>> rid idmap config rid idmap_rid(8)
>>
>> Anyhow, for you i suggest the following.
>>
>> Member : home path in the share.
>> /mnt/Filestore/user-folders
>>
>> And this is the default:
>> template homedir =/home/%D/%U
>>
>> Change/add this
>> template homedir =/mnt/Filestore/%U
>>
>> Greetz,
>>
>> Louis
>
> The problem with the wikipage is, just what Louis said, it is too complex and all over the place. Until somebody said something, I wasn't going to alter it, mainly because when I pointed this out, I upset the person that wrote it.
>
> In my opinion, the wiki should be easy to understand and follow, even if this means the same information being on several pages. To me, the whole idea of a wiki, is to get the information across to users, not to make it easy to maintain.
>
> As is, it is very easy to miss that you must add various options to smb.conf to get a fully working Unix domain member.
>
> I am open to ideas on how to update the Unix domain member wikipage, my first thought is to put everything on one page, but as I say, I am open to suggestions.
>
> Rowland
>
> On 6/19/2018 2:57 PM, Bob Thomas wrote:
>>
>> Hello,
>>
>> I've been trying to get Ubuntu 18.04 to work with Samba AD, seems I am almost there but am unable to get home directories to mount properly. The domain join went without a problem but because the default cifs ver changed in Ubuntu to get other Samba shares on a samba file server to mount I had to add to its smb.conf:
>>
>> client min protocol = SMB2
>> client min protocol = SMB3
>>
>> So I can now mount shares, but home directory will not mount and build on the Ubuntu 18.04 client. I believe the issue is this:
>>
>> On Ubuntu 16.04 client getent passwd kiarar properly gives the DC's home directory setting of:
>> root at CY-SALES-JM:~# getent passwd 'kiarar'
>> kiarar:*:10155:10001:Kiara Ratcliff:/mnt/home/kiarar:/bin/sh
>>
>> On Ubuntu 18.04 client getent passwd kiarar gives:
>> root at CY-SALE:~# getent passwd 'kiarar'
>> kiarar:*:10155:10001::/home/CY/kiarar:/bin/false
>>
>> So it gets the correct UID and GID but not the login shell or home directory set in the UNIX Attributes tab.
>>
>> Samba DC version 4.8.2 on Ubuntu 18.04 config:
>>
>> [global]
>> netbios name = CY-DC
>> realm = CY.MYDOMAIN.COM
>> workgroup = CY
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>> idmap_ldb:use rfc2307 = yes
>> idmap config CY:unix_nss_info = yes
>> ldap server require strong auth = no
>> allow dns updates = nonsecure and secure
>> log level = 2
>> ntlm auth = yes
>>
>> # stops cups errors in log file
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/cy.cybernetics.com/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> Samba File server version 4.7.4 on Ubuntu 16.04 config:
>>
>> [global]
>> realm = CY.CYBERNETICS.COM
>> workgroup = CY
>> netbios name = cy-vault
>> security = ADS
>> server role = member server
>> encrypt passwords = yes
>> client min protocol = SMB2
>> client max protocol = SMB3
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> idmap config CY:backend = ad
>> idmap config CY:schema_mode = rfc2307
>> idmap config CY:range = 10000-99999
>> idmap config CY : unix_nss_info = yes
>>
>> winbind trusted domains only = no
>> winbind use default domain = yes
>>
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>>
>> username map = /etc/samba/user.map
>>
>> log level=3
>> log file = /var/log/samba/log.%m
>> max log size = 500
>>
>> # Stops cups errors in log file
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> ####### User folder for Ubuntu ##########
>>
>> [home]
>> comment = UNIX Home Directories
>> path = /mnt/Filestore/user-folders
>> read only = no
>> level2 oplocks =no
>> oplocks = no
>> locking = no
>> strict locking = no
>>
>> Any help?
>>
>> Bob Thomas
Rowland Penny
2018-Jun-20 19:31 UTC
[Samba] Ubuntu 18:04 not getting 'home' directory from DC
On Wed, 20 Jun 2018 15:12:52 -0400
Bob Thomas via samba <samba at lists.samba.org> wrote:

> Rowland,
>
> How would I find this info?

The easiest way would be to run 'samba-tool user edit rachelj' on the Samba AD DC and then search the output, if it isn't there, add it:

gecos: Rachel Jones

Close and save and you should be good to go. This command will use the system's EDITOR, you can override this with '--editor=your_favourite_editor' e.g. '--editor=nano'

> You seem to be being denied access to '.Xauthority', was it created on
> another machine ? No
>
> However, I am sure '-13' usually means incorrect password.

Have you considered using kerberos (sec=krb5) with pam_mount ?

Rowland
Bob Thomas
2018-Jun-21 16:02 UTC
[Samba] Ubuntu 18:04 not getting 'home' directory from DC
Thank You Louis and Rowland for your help,

Seems samba version in Ubuntu 18.04 was the key, (Samba version 4.7.6-Ubuntu). I was using an old smb.conf that has always worked on my Ubuntu 16.04 workstations:

[global]
realm = XX.DOMAIN.COM
workgroup = XX
security = ADS
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config XX:backend = ad
idmap config XX:range = 10000-99999
idmap config XX:schema_mode = rfc2307
idmap config XX:unix_nss_info = yes
# winbind nss info = rfc2307
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind normalize names = Yes
store dos attributes = Yes
vfs objects = acl_xattr
map acl inherit = Yes

After changing: 'winbind nss info = rfc2307' to 'idmap config CY:unix_nss_info = yes' the DC UNIX attributes are correctly applied.

I am still having issues running some programs after home mounts from the server, for example Thunderbird doesn't get to the account setup popup, and chromium doesn't even start. Both seem to be "permissions" related. I think I will see if the sec=krb5 resolves it but haven't got that working yet, setting "sec=krb5" gives me this. (ips edited)

cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=1x.1xx.1.3x;ip4=1x.1xx.1.3x;sec=krb5;uid=0x277d;creduid=0x0;user=test;pid=0x4ba
cifs.upcall: ver=2
cifs.upcall: host=1x.1xx.1.3x
cifs.upcall: ip=1x.1xx.1.3x
cifs.upcall: sec=1 uid=10109 creduid=0 user=test pid=1210
get_cachename_from_process_env: pid == 0
get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall: get_tgt_time: unable to get principal
cifs.upcall: krb5_get_init_creds_keytab: -1765328203
cifs.upcall: Exit status 1
lightdm[830]: (mount.c:72): Messages from underlying mount program:
lightdm[830]: (mount.c:76): mount error(126): Required key not available

Do you have a good wiki for setting up sec=krb5 for mount authentication?

Thanks again,

Bob

---------------------------------------

Hai,

Now i don't use GUI on my servers, but i would check the following if i had your problem.

Ubuntu 16 and 18 its samba versions are very different keep that in mind.

This must be checked: smbmount/smbclient and protocol mismatches.
Lookup where the mount command is done and add -m SMB2
Probably /etc/security/pam_mount.conf.xml

Last, smbclient/mount are also using krb5.conf settings.
Adding this to libdefaults might help also a bit so the ciphers are more aligned.

; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

If I'm correct above would fix a possible right problem on /home/username/.Xauthority but you only know that if your mount works.

If the mount works but login fails: check this one out. https://blog.laczik.org/xauth-and-xauthority/

This looks a bit the same as a problem, i had when mounting the user homedir with kerberos nfsv4 mounts.
I needed to add : ignore_k5login = true
Because even root and Administrator are locked out of my user home dirs. ( ! Note, as it should imo. Its my default setting)

Greetz,

Louis

On 6/20/2018 3:12 PM, Bob Thomas wrote:
> Rowland,
>
> How would I find this info?
>
> Check if 'Rachel Jones' has a 'gecos' attribute in AD.
>
> You seem to be being denied access to '.Xauthority', was it created on
> another machine ? No
>
> However, I am sure '-13' usually means incorrect password.
> > I am sure the password is correct, the /mnt/home/rachel folder is created> but the user files are not created because access is denied. The folder > stays empty and the computer flashes back to the login screen. > > > Bob > > > > On Wed, 20 Jun 2018 12:01:57 -0400 > Bob Thomas via samba <samba at lists.samba.org <https://lists.samba.org/mailman/listinfo/samba>> wrote: > > >/Thank you for your reply. />//>/First I am using 'ad' backend (DC config is in first post below) and > wland />/until I did a fresh install of a new DC Samba 4.8.2 on Ubuntu 18.04 />/the user/group id, shell, and home directory paths were correctly />/obtained from the RSAT UNIX Attribute Tab settings on the DC. It />/seems that is still working for users already created with existing />/home directories on the file server, it is new users or any user that />/needs to build a home directory on the file server. This behavior is />/happening on both Ubuntu 18.04 and 16.04 now, so I believe it is />/related to the new DC. />//>/do I need 'winbind nss info = template' and if so what does it do? / > No, because it is the default setting and it tells winbind to only > obtain the users ID amd primary group from AD. > > >//>/Anyway, I tried Louis' suggestion and was able to get a better />/response after adding this to the *file server smb.conf*: />//>/ template homedir = /mnt/home/%U ( also tried />//mnt/Filestore/user-folders/%U ) />/ template shell = /bin/sh />//>/both resulted in correct mount points and shell: />//>/getent passwd 'rachelj' />/rachelj:*:10161:10001::/mnt/home/rachelj:/bin/sh />//>/but expected: />/rachelj:*:10161:10001:Rachel Jones:/mnt/home/rachelj:/bin/sh / > Check if 'Rachel Jones' has a 'gecos' attribute in AD. > > >/But when I tried to login, after a short pause it snaps back to a />/login. The mount point (rachelj) was created but nothing is in the />/directory. 
Note this is a new user and nothing exists on the file />/server other than the folder created via RSAT during the user setup. />//>/Jun 20 10:29:35 CY-MKT-10 systemd[1]: Started User Manager for />/UID 10161. Jun 20 10:29:35 CY-MKT-10 lightdm[823]: ** (process:1419): />/WARNING **: Error reading existing Xauthority: Failed to open file />/'/mnt/home/rachelj/.Xauthority': Permission denied />/Jun 20 10:29:35 CY-MKT-10 lightdm[823]: Error writing X authority: />/Failed to open X authority /mnt/home/rachelj/.Xauthority: Permission />/denied Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:116): />/Clean global config (0) />/Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:133): clean />/system authtok=0x1a22910 (0) />/Jun 20 10:29:36 CY-MKT-10 acpid: client 880[0:0] has disconnected />/Jun 20 10:29:36 CY-MKT-10 acpid: client connected from 1463[0:0] />/Jun 20 10:29:36 CY-MKT-10 acpid: 1 client rule loaded />/Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169343] Status code returned />/0xc000006d STATUS_LOGON_FAILURE />/Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169355] CIFS VFS: Send error />/in SessSetup = -13 />/Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169436] CIFS VFS: cifs_mount />/failed w/return code = -13 / > You seem to be being denied access to '.Xauthority', was it created on > another machine ? > However, I am sure '-13' usually means incorrect password. > > Rowland > > On 6/20/2018 12:01 PM, Bob Thomas wrote: >> >> Thank you for your reply. >> >> First I am using 'ad' backend (DC config is in first post below) and >> until I did a fresh install of a new DC Samba 4.8.2 on Ubuntu 18.04 >> the user/group id, shell, and home directory paths were correctly >> obtained from the RSAT UNIX Attribute Tab settings on the DC. It >> seems that is still working for users already created with existing >> home directories on the file server, it is new users or any user that >> needs to build a home directory on the file server. 
This behavior is >> happening on both Ubuntu 18.04 and 16.04 now, so I believe it is >> related to the new DC. >> >> do I need 'winbind nss info = template' and if so what does it do? >> >> Anyway, I tried Louis' suggestion and was able to get a better >> response after adding this to the *file server smb.conf*: >> >> template homedir = /mnt/home/%U ( also tried >> /mnt/Filestore/user-folders/%U ) >> template shell = /bin/sh >> >> both resulted in correct mount points and shell: >> >> getent passwd 'rachelj' >> rachelj:*:10161:10001::/mnt/home/rachelj:/bin/sh >> >> but expected: >> rachelj:*:10161:10001:Rachel Jones:/mnt/home/rachelj:/bin/sh >> >> But when I tried to login, after a short pause it snaps back to a >> login. The mount point (rachelj) was created but nothing is in the >> directory. Note this is a new user and nothing exists on the file >> server other than the folder created via RSAT during the user setup. >> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (rdconf1.c:744): path to >> luserconf set to /mnt/home/rachelj/.pam_mount.conf.xml >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:568): pam_mount >> 2.14: entering session stage >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:786): Could not get >> realpath of /mnt/home/rachelj: No such file or directory >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:267): Mount info: >> globalconf, user=rachelj <volume fstype="cifs" server="cy-vault" >> path="home/rachelj" mountpoint="/mnt/home/rachelj" cipher="(null)" >> fskeypath="(null)" fskeycipher="(n$ >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:309): mkmountpoint: >> checking /mnt >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:309): mkmountpoint: >> checking /mnt/home >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:309): mkmountpoint: >> checking /mnt/home/rachelj >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:349): mkdir[0] >> /mnt/home/rachelj >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:357): chown >> 
>> /mnt/home/rachelj -> 10161:10001
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:664): Password will
>> be sent to helper as-is.
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: command: 'mount' '-t' 'cifs'
>> '//cy-vault/home/rachelj' '/mnt/home/rachelj' '-o'
>> 'username=rachelj,uid=10161,gid=10001,vers=2.1'
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 18 24 0:17 /
>> /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 19 24 0:4 /
>> /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 20 24 0:6 /
>> /dev rw,nosuid,relatime shared:2 - devtmpfs udev
>> rw,size=1965792k,nr_inodes=491448,mode=755
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 21 20 0:18 /
>> /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts
>> rw,gid=5,mode=620,ptmxmode=000
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 22 24 0:19 /
>> /run rw,nosuid,noexec,relatime shared:5 - tmpfs tmpfs
>> rw,size=397688k,mode=755
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 24 0 8:1 / /
>> rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 25 18 0:13 /
>> /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:8 -
>> securityfs securityfs rw
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 26 20 0:21 /
>> /dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 27 22 0:22 /
>> /run/lock rw,nosuid,nodev,noexec,relatime shared:6 - tmpfs tmpfs
>> rw,size=5120k
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 28 18 0:23 /
>> /sys/fs/cgroup rw shared:9 - tmpfs tmpfs rw,mode=755
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 29 28 0:24 /
>> /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:10 -
>> cgroup cgroup
>> rw,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 30 18 0:25 /
>> /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:11 - pstore
>> pstore rw
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 31 28 0:26 /
>> /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:13 -
>> cgroup cgroup rw,memory
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 32 28 0:27 /
>> /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:14 -
>> cgroup cgroup rw,devices
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 33 28 0:28 /
>> /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:15 -
>> cgroup cgroup
>> rw,perf_event,release_agent=/run/cgmanager/agents/cgm-release-agent.perf_event
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 34 28 0:29 /
>> /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:16
>> - cgroup cgroup rw,cpu,cpuacct
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 35 28 0:30 /
>> /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:17 -
>> cgroup cgroup rw,cpuset,clone_children
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 36 28 0:31 /
>> /sys/fs/cgroup/pids rw,nosuid,nodev,noexec,relatime shared:18 -
>> cgroup cgroup
>> rw,pids,release_agent=/run/cgmanager/agents/cgm-release-agent.pids
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 37 28 0:32 /
>> /sys/fs/cgroup/hugetlb rw,nosuid,nodev,noexec,relatime shared:19 -
>> cgroup cgroup
>> rw,hugetlb,release_agent=/run/cgmanager/agents/cgm-release-agent.hugetlb
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 38 28 0:33 /
>> /sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime
>> shared:20 - cgroup cgroup rw,net_cls,net_prio
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 39 28 0:34 /
>> /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:21 -
>> cgroup cgroup rw,blkio
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 40 28 0:35 /
>> /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:22 -
>> cgroup cgroup rw,freezer
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 41 19 0:36 /
>> /proc/sys/fs/binfmt_misc rw,relatime shared:23 - autofs systemd-1
>> rw,fd=31,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=12818
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 75 18 0:7 /
>> /sys/kernel/debug rw,relatime shared:56 - debugfs debugfs rw
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 77 20 0:37 /
>> /dev/hugepages rw,relatime shared:58 - hugetlbfs hugetlbfs rw
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 79 20 0:16 /
>> /dev/mqueue rw,relatime shared:60 - mqueue mqueue rw
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 81 18 0:38 /
>> /sys/fs/fuse/connections rw,relatime shared:62 - fusectl fusectl rw
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 42 41 0:39 /
>> /proc/sys/fs/binfmt_misc rw,relatime shared:24 - binfmt_misc
>> binfmt_misc rw
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 44 22 0:40 /
>> /run/cgmanager/fs rw,relatime shared:25 - tmpfs cgmfs
>> rw,size=100k,mode=755
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 155 22 0:43 /
>> /run/user/108 rw,nosuid,nodev,relatime shared:113 - tmpfs tmpfs
>> rw,size=397688k,mode=700,uid=108,gid=114
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 163 22 0:45 /
>> /run/user/0 rw,nosuid,nodev,relatime shared:121 - tmpfs tmpfs
>> rw,size=397688k,mode=700
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 109 24 0:42
>> /rachelj /mnt/home/rachelj rw,relatime shared:68 - cifs
>> //cy-vault/home/rachelj
>> rw,vers=2.1,sec=ntlmssp,cache=strict,username=rachelj,domain=CY,uid=10161,forceuid,gid$
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: command: 'pmvarrun' '-u'
>> 'rachelj' '-o' '1'
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pmvarrun.c:258): parsed
>> count value 0
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:441): pmvarrun
>> says login count is 1
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:660): done
>> opening session (ret=0)
>> Jun 20 10:29:35 CY-MKT-10 systemd[1]: Created slice User Slice of
>> rachelj.
>> Jun 20 10:29:35 CY-MKT-10 systemd[1]: Starting User Manager for UID
>> 10161...Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Paths.
>> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Sockets.
>> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Timers.
>> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Basic System.
>> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Default.
>> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Startup finished in 22ms.
>> Jun 20 10:29:35 CY-MKT-10 systemd[1]: Started User Manager for UID 10161.
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: ** (process:1419): WARNING
>> **: Error reading existing Xauthority: Failed to open file
>> '/mnt/home/rachelj/.Xauthority': Permission denied
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: Error writing X authority:
>> Failed to open X authority /mnt/home/rachelj/.Xauthority: Permission
>> denied
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:116): Clean
>> global config (0)
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:133): clean
>> system authtok=0x1a22910 (0)
>> Jun 20 10:29:36 CY-MKT-10 acpid: client 880[0:0] has disconnected
>> Jun 20 10:29:36 CY-MKT-10 acpid: client connected from 1463[0:0]
>> Jun 20 10:29:36 CY-MKT-10 acpid: 1 client rule loaded
>> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169343] Status code returned
>> 0xc000006d STATUS_LOGON_FAILURE
>> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169355] CIFS VFS: Send error
>> in SessSetup = -13
>> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169436] CIFS VFS: cifs_mount
>> failed w/return code = -13
>>
>> Bob Thomas
>>
>> On Wed, 20 Jun 2018 11:36:06 +0200
>> "L.P.H. van Belle via samba"<samba at lists.samba.org> wrote:
>>
>>> Hai Bob,
>>>
>>> And what does the wiki tell you about RID/AD backend AND .....
>>> Well even I had troubles finding the page again. So.. it's not you..
>>>
>>> The wiki, is getting too complex and is having too much side links to
>>> other pages. You need to set one or more of the following settings.
>>>
>>> template homedir =/home/%D/%U
>>> template shell = /bin/false
>>> usershare template share
>>> winbind nss info = template
>>>
>>>
>>> Rowland can you follow this path.
>>> ( think in, install a member )
>>> 1)
>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>> Look for any reference for the template settings, if you use RID.
>>>
>>> Maybe it's an option to link some specific settings to these on the
>>> page.
>>> ad   idmap config ad   idmap_ad(8)
>>> rid  idmap config rid  idmap_rid(8)
>>>
>>> Anyhow, for you I suggest the following.
>>>
>>> Member : home path in the share.
>>> /mnt/Filestore/user-folders
>>>
>>> And this is the default:
>>> template homedir =/home/%D/%U
>>>
>>> Change/add this
>>> template homedir =/mnt/Filestore/%U
>>>
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>> The problem with the wikipage is, just what Louis said, it is too
>> complex and all over the place. Until somebody said something, I wasn't
>> going to alter it, mainly because when I pointed this out, I upset the
>> person that wrote it.
>>
>> In my opinion, the wiki should be easy to understand and follow, even
>> if this means the same information being on several pages. To me, the
>> whole idea of a wiki, is to get the information across to users, not to
>> make it easy to maintain.
>>
>> As is, it is very easy to miss that you must add various options to
>> smb.conf to get a fully working Unix domain member.
>>
>> I am open to ideas on how to update the Unix domain member wikipage, my
>> first thought is to put everything on one page, but as I say, I am open
>> to suggestions.
>>
>> Rowland
>>
>>
>> recommendation
>>
>>
>> On 6/19/2018 2:57 PM, Bob Thomas wrote:
>>>
>>> Hello,
>>>
>>> I've been trying to get Ubuntu 18.04 to work with Samba AD, seems I
>>> am almost there but am unable to get home directories to mount
>>> properly. The domain join went without a problem but because the
>>> default cifs ver changed in Ubuntu to get other Samba shares on a
>>> samba file server to mount I had to add to it's smb.conf:
>>>
>>> client min protocol = SMB2
>>> client min protocol = SMB3
>>>
>>> So I can now mount shares, but home directory will not mount and
>>> build on the Ubuntu 18.04 client. I believe the the issue is this:
>>>
>>> On Ubuntu 16.04 client getent passwd kiarar properly gives the DC's
>>> home directory setting of:
>>> root at CY-SALES-JM:~# getent passwd 'kiarar'
>>> kiarar:*:10155:10001:Kiara Ratcliff:/mnt/home/kiarar:/bin/sh
>>>
>>> On Ubuntu 18.04 client getent passwd kiarar gives:
>>> root at CY-SALE:~# getent passwd 'kiarar'
>>> kiarar:*:10155:10001::/home/CY/kiarar:/bin/false
>>>
>>> So it gets the correct UID and GID but not the login shell or home
>>> directory set in the UNIX Attributes tab.
>>>
>>> Samba DC version 4.8.2 on Ubuntu 18.04 config:
>>>
>>> [global]
>>>     netbios name = CY-DC
>>>     realm = CY.MYDOMAIN.COM
>>>     workgroup = CY
>>>     server role = active directory domain controller
>>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>     idmap_ldb:use rfc2307 = yes
>>>     idmap config CY:unix_nss_info = yes
>>>     ldap server require strong auth = no
>>>     allow dns updates = nonsecure and secure
>>>     log level = 2
>>>     ntlm auth = yes
>>>
>>>     # stops cups errors in log file
>>>     load printers = no
>>>     printing = bsd
>>>     printcap name = /dev/null
>>>     disable spoolss = yes
>>>
>>> [netlogon]
>>>     path = /var/lib/samba/sysvol/cy.cybernetics.com/scripts
>>>     read only = No
>>>
>>> [sysvol]
>>>     path = /var/lib/samba/sysvol
>>>     read only = No
>>>
>>> Samba File server version 4.7.4 on Ubuntu 16.04 config:
>>>
>>> [global]
>>>     realm = CY.CYBERNETICS.COM
>>>     workgroup = CY
>>>     netbios name = cy-vault
>>>     security = ADS
>>>     server role = member server
>>>     encrypt passwords = yes
>>>     client min protocol = SMB2
>>>     client max protocol = SMB3
>>>
>>>     idmap config *:backend = tdb
>>>     idmap config *:range = 2000-9999
>>>
>>>     idmap config CY:backend = ad
>>>     idmap config CY:schema_mode = rfc2307
>>>     idmap config CY:range = 10000-99999
>>>     idmap config CY : unix_nss_info = yes
>>>
>>>     winbind trusted domains only = no
>>>     winbind use default domain = yes
>>>
>>>     vfs objects = acl_xattr
>>>     map acl inherit = Yes
>>>     store dos attributes = Yes
>>>
>>>     username map = /etc/samba/user.map
>>>
>>>     log level=3
>>>     log file = /var/log/samba/log.%m
>>>     max log size = 500
>>>
>>>     # Stops cups errors in log file
>>>     load printers = no
>>>     printing = bsd
>>>     printcap name = /dev/null
>>>     disable spoolss = yes
>>>
>>> ####### User folder for Ubuntu ##########
>>>
>>> [home]
>>>     comment = UNIX Home Directories
>>>     path = /mnt/Filestore/user-folders
>>>     read only = no
>>>     level2 oplocks =no
>>>     oplocks = no
>>>     locking = no
>>>     strict locking = no
>>>
>>> Any help?
>>>
>>> Bob Thomas
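
Added example (not part of any message in this thread): the two getent passwd results in the original post differ in whether home directory and shell equal Samba's template values, and this Python script makes that comparison explicit and also reads a member's smb.conf for the per-domain unix_nss_info setting. The function names and the sample smb.conf, assembled from settings quoted in the thread, are assumptions of the example.

```python
import re

# Samba's built-in template defaults, as quoted in the thread.
DEFAULT_HOMEDIR = "/home/%D/%U"
DEFAULT_SHELL = "/bin/false"

# Constructed sample: a member [global] section assembled from settings
# quoted in the thread (idmap lines plus the template lines that were tried).
SAMPLE_CONF = """\
[global]
    workgroup = CY
    security = ADS
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config CY:backend = ad
    idmap config CY:schema_mode = rfc2307
    idmap config CY:range = 10000-99999
    idmap config CY : unix_nss_info = yes
    template homedir = /mnt/home/%U
    template shell = /bin/sh
"""


def parse_global(conf_text):
    """Return the [global] parameters of an smb.conf as {name: value}.

    Names are lower-cased and stripped of whitespace, because smb.conf
    ignores case and spaces in parameter names, so "idmap config CY : range"
    and "idmap config CY:range" end up under the same key.
    """
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def audit_member_conf(conf_text):
    """List the domains using the 'ad' idmap backend and whether each one
    has unix_nss_info enabled, plus the effective template settings."""
    g = parse_global(conf_text)
    ad_domains = {}
    for name, value in g.items():
        m = re.fullmatch(r"idmapconfig(.+):backend", name)
        if m and value.lower() == "ad":
            dom = m.group(1)
            flag = g.get("idmapconfig%s:unix_nss_info" % dom, "no").lower()
            ad_domains[dom.upper()] = flag in ("yes", "true", "1")
    return {
        "ad_domains": ad_domains,
        "template_homedir": g.get("templatehomedir", DEFAULT_HOMEDIR),
        "template_shell": g.get("templateshell", DEFAULT_SHELL),
    }


def expand(template, domain, user):
    """Expand the two substitutions used by the thread's templates."""
    return template.replace("%D", domain).replace("%U", user)


def classify_entry(passwd_line, domain,
                   homedir_tpl=DEFAULT_HOMEDIR, shell_tpl=DEFAULT_SHELL):
    """Say whether a passwd entry looks template-filled or directory-filled."""
    fields = passwd_line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd entry: %r" % passwd_line)
    user, _pw, uid, gid, gecos, home, shell = fields
    home_is_tpl = home == expand(homedir_tpl, domain, user)
    shell_is_tpl = shell == shell_tpl
    if home_is_tpl and shell_is_tpl and not gecos:
        source = "template"      # winbind filled home and shell from smb.conf
    elif not home_is_tpl and not shell_is_tpl:
        source = "directory"     # values differ from the templates: from AD
    else:
        source = "ambiguous"     # AD values coincide with the templates
    return {"user": user, "uid": int(uid), "gid": int(gid),
            "gecos_present": bool(gecos), "source": source}


if __name__ == "__main__":
    conf = audit_member_conf(SAMPLE_CONF)
    print(conf)
    # getent passwd lines exactly as posted in the thread.
    print(classify_entry("kiarar:*:10155:10001::/home/CY/kiarar:/bin/false", "CY"))
    print(classify_entry("rachelj:*:10161:10001::/mnt/home/rachelj:/bin/sh", "CY",
                         conf["template_homedir"], conf["template_shell"]))
```

An empty gecos field together with template-shaped home and shell is the signature of the 18.04 result in the original post; an entry whose AD values happen to equal the templates is reported as ambiguous rather than guessed.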
L.P.H. van Belle
2018-Jun-22 06:44 UTC
[Samba] Ubuntu 18:04 not getting 'home' directory from DC
Do you have the "cifs/UPN" for both servers set?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bob
> Thomas via samba
> Sent: Thursday 21 June 2018 18:02
> To: samba at lists.samba.org
> Subject: Re: [Samba] Ubuntu 18:04 not getting 'home'
> directory from DC
>
> Thank You Louis and Rowland for your help,
>
> Seems samba version in Ubuntu 18.04 was the key, (Samba
> version 4.7.6-Ubuntu).
> I was using an old smb.conf that has always worked on my
> Ubuntu 16.04 workstations:
>
> [global]
>     realm = XX.DOMAIN.COM
>     workgroup = XX
>     security = ADS
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     idmap config XX:backend = ad
>     idmap config XX:range = 10000-99999
>     idmap config XX:schema_mode = rfc2307
>     *idmap config XX:unix_nss_info = yes*
>     *# winbind nss info = rfc2307*
>     winbind use default domain = Yes
>     winbind refresh tickets = Yes
>     winbind normalize names = Yes
>     store dos attributes = Yes
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>
> After changing: 'winbind nss info = rfc2307' to 'idmap config
> CY:unix_nss_info = yes'
> the DC UNIX attributes are correctly applied.
>
> I am still having issues running some programs after home
> mounts from the server, for example
> Thunderbird doesn't get to the account setup popup, and
> chromium doesn't even start.
> both seem to be "permissions" related. I think will see if
> the sec=krb5 resolves it but haven't got that working yet,
> setting "sec=krb5"
> give me this. (ips edited)
>
> cifs.upcall: key description:
> cifs.spnego;0;0;39010000;ver=0x2;host=1x.1xx.1.3x;ip4=1x.1xx.1.3x;sec=krb5;uid=0x277d;creduid=0x0;user=test;pid=0x4ba
> cifs.upcall: ver=2
> cifs.upcall: host=1x.1xx.1.3x
> cifs.upcall: ip=1x.1xx.1.3x
> cifs.upcall: sec=1
> uid=10109
> creduid=0
> user=test
> pid=1210
> get_cachename_from_process_env: pid == 0
> get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
> cifs.upcall: get_tgt_time: unable to get principal
> cifs.upcall: krb5_get_init_creds_keytab: -1765328203
> cifs.upcall: Exit status 1
> lightdm[830]: (mount.c:72): Messages from underlying mount program:
> lightdm[830]: (mount.c:76): mount error(126): Required key
> not available
>
> Do you have a good wiki for setting up sec=krb5 for mount
> authentication?
>
> Thanks again,
>
> Bob
>
>
>
> ---------------------------------------
>
>
> Hai,
>
> Now I don't use GUI on my servers, but I would check the
> following if I had your problem.
> Ubuntu 16 and 18 its samba versions are very different keep
> that in mind.
>
> This must be checked: smbmount/smbclient and protocol mismatches.
> Lookup where the mount command is done and add -m SMB2
> Probably /etc/security/pam_mount.conf.xml
>
> Last, smbclient/mount are also using krb5.conf settings.
> Adding this to libdefaults might help also a bit so the
> cyphers are more aligned.
>
> ; for Windows 2003
> ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> ; for Windows 2008 with AES
> default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> If I'm correct above would fix a possible right problem on
> /home/username/.Xauthority but you only know that if you mount works.
> If the mount works but login fails: check this one out.
> https://blog.laczik.org/xauth-and-xauthority/
>
>
> This looks a bit the same as a problem, I had when mounting
> the user homedir with kerberos nfsv4 mounts.
> I needed to add : ignore_k5login = true
> Because even root and Administrator are locked out of my user
> home dirs. ( ! Note, as it should imo. It's my default setting)
>
>
>
> Greetz,
>
> Louis
>
>
>
>
> On 6/20/2018 3:12 PM, Bob Thomas wrote:
> > Rowland,
> >
> > How would I find this info?
> >
> > Check if 'Rachel Jones' has a 'gecos' attribute in AD.
> >
> > You seem to be being denied access to '.Xauthority', was it created on
> > another machine ? No
> >
> > However, I am sure '-13' usually means incorrect password.
> >
> > I am sure the password is correct, the /mnt/home/rachel folder is created
> > but the user files are not created because access is denied. The folder
> > stays empty and the computer flashes back to the login screen.
> >
> >
> > Bob
> >
> >
> >
> > On Wed, 20 Jun 2018 12:01:57 -0400
> > Bob Thomas via samba <samba at lists.samba.org
> > <https://lists.samba.org/mailman/listinfo/samba>> wrote:
> >
> > > Thank you for your reply.
/>//>/First I am using 'ad' > backend (DC config is in first post below) and > > wland />/until I did a fresh install of a new DC Samba > 4.8.2 on Ubuntu 18.04 />/the user/group id, shell, and home > directory paths were correctly />/obtained from the RSAT UNIX > Attribute Tab settings on the DC. It />/seems that is still > working for users already created with existing />/home > directories on the file server, it is new users or any user > that />/needs to build a home directory on the file server. > This behavior is />/happening on both Ubuntu 18.04 and 16.04 > now, so I believe it is />/related to the new DC. />//>/do I > need 'winbind nss info = template' and if so what does it do? / > > No, because it is the default setting and it tells winbind to only > > obtain the users ID amd primary group from AD. > > > > >//>/Anyway, I tried Louis' suggestion and was able to get > a better />/response after adding this to the *file server > smb.conf*: />//>/ template homedir = /mnt/home/%U ( > also tried />//mnt/Filestore/user-folders/%U ) />/ > template shell = /bin/sh />//>/both resulted in correct mount > points and shell: />//>/getent passwd 'rachelj' > />/rachelj:*:10161:10001::/mnt/home/rachelj:/bin/sh />//>/but > expected: />/rachelj:*:10161:10001:Rachel > Jones:/mnt/home/rachelj:/bin/sh / > > Check if 'Rachel Jones' has a 'gecos' attribute in AD. > > > > >/But when I tried to login, after a short pause it snaps > back to a />/login. The mount point (rachelj) was created > but nothing is in the />/directory. Note this is a new user > and nothing exists on the file />/server other than the > folder created via RSAT during the user setup. />//>/Jun 20 > 10:29:35 CY-MKT-10 systemd[1]: Started User Manager for > />/UID 10161. 
Jun 20 10:29:35 CY-MKT-10 lightdm[823]: ** > (process:1419): />/WARNING **: Error reading existing > Xauthority: Failed to open file > />/'/mnt/home/rachelj/.Xauthority': Permission denied />/Jun > 20 10:29:35 CY-MKT-10 lightdm[823]: Error writing X > authority: />/Failed to open X authority > /mnt/home/rachelj/.Xauthority: Permission />/denied Jun 20 > 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:116): />/Clean > global config (0) />/Jun 20 10:29:35 CY-MKT-10 lightdm[823]: > (pam_mount.c:133): clean />/system authtok=0x1a22910 (0) > />/Jun 20 10:29:36 CY-MKT-10 acpid: client 880[0:0] has > disconnected />/Jun 20 10:29:36 CY-MKT-10 acpid: clie > nt connected from 1463[0:0] />/Jun 20 10:29:36 CY-MKT-10 > acpid: 1 client rule loaded />/Jun 20 10:29:36 CY-MKT-10 > kernel: [ 97.169343] Status code returned />/0xc000006d > STATUS_LOGON_FAILURE />/Jun 20 10:29:36 CY-MKT-10 kernel: [ > 97.169355] CIFS VFS: Send error />/in SessSetup = -13 />/Jun > 20 10:29:36 CY-MKT-10 kernel: [ 97.169436] CIFS VFS: > cifs_mount />/failed w/return code = -13 / > > You seem to be being denied access to '.Xauthority', was it > created on > > another machine ? > > However, I am sure '-13' usually means incorrect password. > > > > Rowland > > > > On 6/20/2018 12:01 PM, Bob Thomas wrote: > >> > >> Thank you for your reply. > >> > >> First I am using 'ad' backend (DC config is in first post > below) and > >> until I did a fresh install of a new DC Samba 4.8.2 on > Ubuntu 18.04 > >> the user/group id, shell, and home directory paths were correctly > >> obtained from the RSAT UNIX Attribute Tab settings on the DC. It > >> seems that is still working for users already created with > existing > >> home directories on the file server, it is new users or > any user that > >> needs to build a home directory on the file server. This > behavior is > >> happening on both Ubuntu 18.04 and 16.04 now, so I believe it is > >> related to the new DC. 
> >> > >> do I need 'winbind nss info = template' and if so what does it do? > >> > >> Anyway, I tried Louis' suggestion and was able to get a better > >> response after adding this to the *file server smb.conf*: > >> > >> template homedir = /mnt/home/%U ( also tried > >> /mnt/Filestore/user-folders/%U ) > >> template shell = /bin/sh > >> > >> both resulted in correct mount points and shell: > >> > >> getent passwd 'rachelj' > >> rachelj:*:10161:10001::/mnt/home/rachelj:/bin/sh > >> > >> but expected: > >> rachelj:*:10161:10001:Rachel Jones:/mnt/home/rachelj:/bin/sh > >> > >> But when I tried to login, after a short pause it snaps back to a > >> login. The mount point (rachelj) was created but nothing > is in the > >> directory. Note this is a new user and nothing exists on the file > >> server other than the folder created via RSAT during the > user setup. > >> > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (rdconf1.c:744): path to > >> luserconf set to /mnt/home/rachelj/.pam_mount.conf.xml > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:568): > pam_mount > >> 2.14: entering session stage > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:786): > Could not get > >> realpath of /mnt/home/rachelj: No such file or directory > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:267): Mount info: > >> globalconf, user=rachelj <volume fstype="cifs" server="cy-vault" > >> path="home/rachelj" mountpoint="/mnt/home/rachelj" cipher="(null)" > >> fskeypath="(null)" fskeycipher="(n$ > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:309): > mkmountpoint: > >> checking /mnt > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:309): > mkmountpoint: > >> checking /mnt/home > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:309): > mkmountpoint: > >> checking /mnt/home/rachelj > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:349): mkdir[0] > >> /mnt/home/rachelj > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:357): chown > >> /mnt/home/rachelj -> 
10161:10001 > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:664): > Password will > >> be sent to helper as-is. > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: command: 'mount' > '-t' 'cifs' > >> '//cy-vault/home/rachelj' '/mnt/home/rachelj' '-o' > >> 'username=rachelj,uid=10161,gid=10001,vers=2.1' > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 18 > 24 0:17 / > >> /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 19 24 0:4 / > >> /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 20 24 0:6 / > >> /dev rw,nosuid,relatime shared:2 - devtmpfs udev > >> rw,size=1965792k,nr_inodes=491448,mode=755 > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 21 > 20 0:18 / > >> /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts > >> rw,gid=5,mode=620,ptmxmode=000 > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 22 > 24 0:19 / > >> /run rw,nosuid,noexec,relatime shared:5 - tmpfs tmpfs > >> rw,size=397688k,mode=755 > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 24 > 0 8:1 / / > >> rw,relatime shared:1 - ext4 /dev/sda1 > rw,errors=remount-ro,data=ordered > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 25 > 18 0:13 / > >> /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:8 - > >> securityfs securityfs rw > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 26 > 20 0:21 / > >> /dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 27 > 22 0:22 / > >> /run/lock rw,nosuid,nodev,noexec,relatime shared:6 - tmpfs tmpfs > >> rw,size=5120k > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 28 > 18 0:23 / > >> /sys/fs/cgroup rw shared:9 - tmpfs tmpfs rw,mode=755 > >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 29 > 28 0:24 / > >> /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime 
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 109 24 0:42 /rachelj /mnt/home/rachelj rw,relatime shared:68 - cifs //cy-vault/home/rachelj rw,vers=2.1,sec=ntlmssp,cache=strict,username=rachelj,domain=CY,uid=10161,forceuid,gid$
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: command: 'pmvarrun' '-u' 'rachelj' '-o' '1'
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pmvarrun.c:258): parsed count value 0
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:441): pmvarrun says login count is 1
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:660): done opening session (ret=0)
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1]: Created slice User Slice of rachelj.
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1]: Starting User Manager for UID 10161...
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Paths.
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Sockets.
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Timers.
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Basic System.
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Default.
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Startup finished in 22ms.
> >> Jun 20 10:29:35 CY-MKT-10 systemd[1]: Started User Manager for UID 10161.
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: ** (process:1419): WARNING **: Error reading existing Xauthority: Failed to open file '/mnt/home/rachelj/.Xauthority': Permission denied
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: Error writing X authority: Failed to open X authority /mnt/home/rachelj/.Xauthority: Permission denied
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:116): Clean global config (0)
> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:133): clean system authtok=0x1a22910 (0)
> >> Jun 20 10:29:36 CY-MKT-10 acpid: client 880[0:0] has disconnected
> >> Jun 20 10:29:36 CY-MKT-10 acpid: client connected from 1463[0:0]
> >> Jun 20 10:29:36 CY-MKT-10 acpid: 1 client rule loaded
> >> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169343] Status code returned 0xc000006d STATUS_LOGON_FAILURE
> >> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169355] CIFS VFS: Send error in SessSetup = -13
> >> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169436] CIFS VFS: cifs_mount failed w/return code = -13
> >>
> >> Bob Thomas
> >>
> >> On Wed, 20 Jun 2018 11:36:06 +0200
> >> "L.P.H. van Belle via samba"<samba at lists.samba.org> wrote:
> >>
> >>> Hai Bob,
> >>>
> >>> And what does the wiki tell you about RID/AD backend AND .....
> >>> Well even i had troubles finding the page again. So.. its not you..
> >>>
> >>> The wiki, is getting too complex and is having too much side links to
> >>> other pages. You need to set one or more of the following settings.
> >>>
> >>>     template homedir =/home/%D/%U
> >>>     template shell = /bin/false
> >>>     usershare template share
> >>>     winbind nss info = template
> >>>
> >>> Rowland can you follow this path.
> >>> ( think in, install a member )
> >>> 1)
> >>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >>> Look for any reference for the template settings, if you use RID.
> >>>
> >>> Maybe its an option to link some specific settings to these on the
> >>> page.
> >>>     ad idmap config ad idmap_ad(8)
> >>>     rid idmap config rid idmap_rid(8)
> >>>
> >>> Anyhow, for you i suggest the following.
> >>>
> >>> Member : home path in the share.
> >>> /mnt/Filestore/user-folders
> >>>
> >>> And this is the default:
> >>>     template homedir =/home/%D/%U
> >>>
> >>> Change/add this
> >>>     template homedir =/mnt/Filestore/%U
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >> The problem with the wikipage is, just what Louis said, it is too
> >> complex and all over the place. Until somebody said something, I wasn't
> >> going to alter it, mainly because when I pointed this out, I upset the
> >> person that wrote it.
> >>
> >> In my opinion, the wiki should be easy to understand and follow, even
> >> if this means the same information being on several pages. To me, the
> >> whole idea of a wiki, is to get the information across to users, not to
> >> make it easy to maintain.
> >>
> >> As is, it is very easy to miss that you must add various options to
> >> smb.conf to get a fully working Unix domain member.
> >>
> >> I am open to ideas on how to update the Unix domain member wikipage, my
> >> first thought is to put everything on one page, but as I say, I am open
> >> to suggestions.
> >>
> >> Rowland
> >>
> >> recommendation
> >>
> >> On 6/19/2018 2:57 PM, Bob Thomas wrote:
> >>>
> >>> Hello,
> >>>
> >>> I've been trying to get Ubuntu 18.04 to work with Samba AD, seems I
> >>> am almost there but am unable to get home directories to mount
> >>> properly. The domain join went without a problem but because the
> >>> default cifs ver changed in Ubuntu to get other Samba shares on a
> >>> samba file server to mount I had to add to its smb.conf:
> >>>
> >>>     client min protocol = SMB2
> >>>     client min protocol = SMB3
> >>>
> >>> So I can now mount shares, but home directory will not mount and
> >>> build on the Ubuntu 18.04 client. I believe the issue is this:
> >>>
> >>> On Ubuntu 16.04 client getent passwd kiarar properly gives the DC's
> >>> home directory setting of:
> >>>     root@CY-SALES-JM:~# getent passwd 'kiarar'
> >>>     kiarar:*:10155:10001:Kiara Ratcliff:/mnt/home/kiarar:/bin/sh
> >>>
> >>> On Ubuntu 18.04 client getent passwd kiarar gives:
> >>>     root@CY-SALE:~# getent passwd 'kiarar'
> >>>     kiarar:*:10155:10001::/home/CY/kiarar:/bin/false
> >>>
> >>> So it gets the correct UID and GID but not the login shell or home
> >>> directory set in the UNIX Attributes tab.
> >>>
> >>> Samba DC version 4.8.2 on Ubuntu 18.04 config:
> >>>
> >>> [global]
> >>>     netbios name = CY-DC
> >>>     realm = CY.MYDOMAIN.COM
> >>>     workgroup = CY
> >>>     server role = active directory domain controller
> >>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >>>     idmap_ldb:use rfc2307 = yes
> >>>     idmap config CY:unix_nss_info = yes
> >>>     ldap server require strong auth = no
> >>>     allow dns updates = nonsecure and secure
> >>>     log level = 2
> >>>     ntlm auth = yes
> >>>
> >>>     # stops cups errors in log file
> >>>     load printers = no
> >>>     printing = bsd
> >>>     printcap name = /dev/null
> >>>     disable spoolss = yes
> >>>
> >>> [netlogon]
> >>>     path = /var/lib/samba/sysvol/cy.cybernetics.com/scripts
> >>>     read only = No
> >>>
> >>> [sysvol]
> >>>     path = /var/lib/samba/sysvol
> >>>     read only = No
> >>>
> >>> Samba File server version 4.7.4 on Ubuntu 16.04 config:
> >>>
> >>> [global]
> >>>     realm = CY.CYBERNETICS.COM
> >>>     workgroup = CY
> >>>     netbios name = cy-vault
> >>>     security = ADS
> >>>     server role = member server
> >>>     encrypt passwords = yes
> >>>     client min protocol = SMB2
> >>>     client max protocol = SMB3
> >>>
> >>>     idmap config *:backend = tdb
> >>>     idmap config *:range = 2000-9999
> >>>
> >>>     idmap config CY:backend = ad
> >>>     idmap config CY:schema_mode = rfc2307
> >>>     idmap config CY:range = 10000-99999
> >>>     idmap config CY : unix_nss_info = yes
> >>>
> >>>     winbind trusted domains only = no
> >>>     winbind use default domain = yes
> >>>
> >>>     vfs objects = acl_xattr
> >>>     map acl inherit = Yes
> >>>     store dos attributes = Yes
> >>>
> >>>     username map = /etc/samba/user.map
> >>>
> >>>     log level=3
> >>>     log file = /var/log/samba/log.%m
> >>>     max log size = 500
> >>>
> >>>     # Stops cups errors in log file
> >>>     load printers = no
> >>>     printing = bsd
> >>>     printcap name = /dev/null
> >>>     disable spoolss = yes
> >>>
> >>> ####### User folder for Ubuntu ##########
> >>>
> >>> [home]
> >>>     comment = UNIX Home Directories
> >>>     path = /mnt/Filestore/user-folders
> >>>     read only = no
> >>>     level2 oplocks =no
> >>>     oplocks = no
> >>>     locking = no
> >>>     strict locking = no
> >>>
> >>> Any help?
> >>>
> >>> Bob Thomas
> >>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
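The symptom in the quoted original post, a home directory of /home/CY/kiarar with shell /bin/false, is exactly what the template defaults Louis lists expand to. The check below is an added example, not code from the thread or from Samba; the function names and the three smb.conf fragments are constructed for illustration from values quoted in the messages.

```python
import re

# Samba's built-in template values, as quoted in the thread.
TEMPLATE_DEFAULTS = {"templatehomedir": "/home/%D/%U", "templateshell": "/bin/false"}
TRUE_VALUES = {"yes", "true", "1"}

# Constructed smb.conf fragments modelled on the configurations in the thread.
OLD_CLIENT_CONF = """
[global]
    workgroup = CY
    security = ADS
    idmap config CY:backend = ad
    idmap config CY:schema_mode = rfc2307
    winbind nss info = rfc2307
"""
FIXED_CLIENT_CONF = """
[global]
    workgroup = CY
    idmap config CY : backend = ad
    idmap config CY : unix_nss_info = yes
"""
TEMPLATE_WORKAROUND_CONF = """
[global]
    workgroup = CY
    idmap config CY:backend = ad
    template homedir = /mnt/home/%U
    template shell = /bin/sh
"""


def parse_global(smb_conf):
    """Return the [global] parameters of an smb.conf text.

    Names are lower-cased and stripped of whitespace, because smb.conf treats
    'idmap config CY : unix_nss_info' and 'idmap config CY:unix_nss_info'
    as the same parameter.
    """
    params, section = {}, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def check_passwd_source(smb_conf, getent_line):
    """Tell whether a `getent passwd` line is just the template expansion."""
    name, _pw, _uid, _gid, gecos, home, shell = getent_line.strip().split(":", 6)
    params = parse_global(smb_conf)
    domain = params.get("workgroup", "")
    user = name.split("\\")[-1]  # tolerate DOMAIN\user style names

    def expand(key):
        value = params.get(key, TEMPLATE_DEFAULTS[key])
        return value.replace("%D", domain).replace("%U", user)

    from_template = (home, shell) == (expand("templatehomedir"), expand("templateshell"))
    key = "idmapconfig%s:unix_nss_info" % domain.lower()
    unix_nss_info = params.get(key, "no").lower() in TRUE_VALUES

    notes = []
    if from_template:
        notes.append("home and shell equal the template expansion; "
                     "the AD unix attributes were not used")
    if not unix_nss_info:
        notes.append("idmap config %s:unix_nss_info is not enabled" % domain)
        if params.get("winbindnssinfo", "template").lower() != "template":
            notes.append("'winbind nss info' is set without unix_nss_info, "
                         "the combination the thread's fix replaced")
    return {"user": user, "from_template": from_template,
            "unix_nss_info": unix_nss_info, "gecos_empty": gecos == "",
            "notes": notes}


if __name__ == "__main__":
    cases = [
        (OLD_CLIENT_CONF, "kiarar:*:10155:10001::/home/CY/kiarar:/bin/false"),
        (FIXED_CLIENT_CONF, "kiarar:*:10155:10001:Kiara Ratcliff:/mnt/home/kiarar:/bin/sh"),
        (TEMPLATE_WORKAROUND_CONF, "rachelj:*:10161:10001::/mnt/home/rachelj:/bin/sh"),
    ]
    for conf, line in cases:
        print(check_passwd_source(conf, line))
```

The third case is the one to watch: a template workaround yields a plausible home directory and shell while the attributes stored in AD are still being ignored, and the empty gecos field is the remaining hint.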
Bob Thomas
2018-Jun-26 14:09 UTC
[Samba] Fwd: Re: Ubuntu 18:04 not getting 'home' directory from DC
Sorry for the delayed response,

Louis, I'm not sure how to tell about having "cifs/UPN" - Please advise. I was able to mount with sec=krb5 after the user is logged in but that does not help getting "home" mounted during the login.

But here is where I am now:

I have been able to pam_mount "home" during the login but could not get the ACLs during the mount using any combination of sec= and/or vers= other than "vers=1.0,sec=ntlm". This seems strange because on the file server where the "home" share is I have "client min protocol = SMB2" in smb.conf, yet setting options="vers=1.0,sec=ntlm" does mount with the correct ACLs. Versions 2.0, 2.1, 3.0 mount but without ACLs. Without the correct ACLs the user is not able to alter some of the user configurations and that is why many programs would not run.

See the mounts below:

Correct and works ("vers=1.0,sec=ntlm"):

root@CY-SALE:~# mount -v | grep /home/test
//10.157.1.32/home/test on /mnt/home/test type cifs (rw,relatime,vers=1.0,sec=ntlm,cache=strict,username=test,uid=10109,forceuid,gid=10001,forcegid,addr=10.157.1.32,soft,unix,posixpaths,serverino,mapposix,*acl*,rsize=1048576,wsize=65536,echo_interval=60,actimeo=1)

Does not work

Default (no vers or sec):

root@CY-SALE:~# mount -v | grep /home/test
//10.157.1.32/home/test on /mnt/home/test type cifs (rw,relatime,vers=default,cache=strict,username=test,domain=,uid=10109,forceuid,gid=10001,forcegid,addr=10.157.1.32,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)

vers=3.0:

//10.157.1.32/home/test on /mnt/home/test type cifs (rw,relatime,vers=3.0,cache=strict,username=test,domain=,uid=10109,forceuid,gid=10001,forcegid,addr=10.157.1.32,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)

vers=2.0,sec=ntlmssp

//10.157.1.32/home/test on /mnt/home/test type cifs (rw,relatime,vers=2.0,sec=ntlmssp,cache=strict,username=test,domain=,uid=10109,forceuid,gid=10001,forcegid,addr=10.157.1.32,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=65536,wsize=65536,echo_interval=60,actimeo=1)

Other combinations of vers & sec yield the same - No ACLs

Bob

---------------

Do you have the "cifs/UPN" for both servers set?

Greetz,

Louis

-------- Forwarded Message --------
Subject: Re: Ubuntu 18:04 not getting 'home' directory from DC
From: Bob Thomas <bthomas at cybernetics.com>
To: samba at lists.samba.org
Date: Thu, 21 Jun 2018 12:02:12 -0400

Thank You Louis and Rowland for your help,

Seems samba version in Ubuntu 18.04 was the key, (Samba version 4.7.6-Ubuntu). I was using an old smb.conf that has always worked on my Ubuntu 16.04 workstations:

[global]
    realm = XX.DOMAIN.COM
    workgroup = XX
    security = ADS
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config XX:backend = ad
    idmap config XX:range = 10000-99999
    idmap config XX:schema_mode = rfc2307
    *idmap config XX:unix_nss_info = yes*
    *# winbind nss info = rfc2307*

    winbind use default domain = Yes
    winbind refresh tickets = Yes
    winbind normalize names = Yes

    store dos attributes = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes

After changing:

'winbind nss info = rfc2307' to 'idmap config CY:unix_nss_info = yes'

the DC UNIX attributes are correctly applied.

I am still having issues running some programs after home mounts from the server, for example Thunderbird doesn't get to the account setup popup, and chromium doesn't even start. Both seem to be "permissions" related. I think I will see if the sec=krb5 resolves it but haven't got that working yet, setting "sec=krb5" gives me this. (ips edited)

cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=1x.1xx.1.3x;ip4=1x.1xx.1.3x;sec=krb5;uid=0x277d;creduid=0x0;user=test;pid=0x4ba
cifs.upcall: ver=2
cifs.upcall: host=1x.1xx.1.3x
cifs.upcall: ip=1x.1xx.1.3x
cifs.upcall: sec=1 uid=10109 creduid=0 user=test pid=1210
get_cachename_from_process_env: pid == 0
get_existing_cc: default ccache isFILE:/tmp/krb5cc_0
cifs.upcall: get_tgt_time: unable to get principal
cifs.upcall: krb5_get_init_creds_keytab: -1765328203
cifs.upcall: Exit status 1
lightdm[830]: (mount.c:72): Messages from underlying mount program:
lightdm[830]: (mount.c:76): mount error(126): Required key not available

Do you have a good wiki for setting up sec=krb5 for mount authentication?

Thanks again,

Bob

---------------------------------------

Hai,

Now i dont use GUI on my servers, but i would check the following if i had your problem.

Ubuntu 16 and 18 its samba versions are very different keep that in mind.

This must be checked: smbmount/smbclient and protocol mismatches.
Lookup where the mount command is done and add -m SMB2
Probably /etc/security/pam_mount.conf.xml

Last, smbclient/mount are also using krb5.conf settings.
Adding this to libdefaults might help also a bit so the cyphers are more aligned.

    ; for Windows 2003
    ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

    ; for Windows 2008 with AES
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

If im correct above would fix a possible right problem on /home/username/.Xauthority but you only know that if your mount works.

If the mount works but login fails: check this one out. https://blog.laczik.org/xauth-and-xauthority/

This looks a bit the same as a problem, i had when mounting the user homedir with kerberos nfsv4 mounts.
I needed to add : ignore_k5login = true
Because even root and Administrator are locked out of my user home dirs. ( ! Note, as it should imo. Its my default setting)

Greetz,

Louis

On 6/20/2018 3:12 PM, Bob Thomas wrote:
> Rowland,
>
> How would I find this info?
>
> Check if 'Rachel Jones' has a 'gecos' attribute in AD.
>
> You seem to be being denied access to '.Xauthority', was it created on
> another machine ? No
>
> However, I am sure '-13' usually means incorrect password.
>
> I am sure the password is correct, the /mnt/home/rachel folder is created
> but the user files are not created because access is denied. The folder
> stays empty and the computer flashes back to the login screen.
> > > Bob > > > > On Wed, 20 Jun 2018 12:01:57 -0400 > Bob Thomas via samba <samba at lists.samba.org <https://lists.samba.org/mailman/listinfo/samba>> wrote: > > >/Thank you for your reply. />//>/First I am using 'ad' backend (DC config is in first post below) and > wland />/until I did a fresh install of a new DC Samba 4.8.2 on Ubuntu 18.04 />/the user/group id, shell, and home directory paths were correctly />/obtained from the RSAT UNIX Attribute Tab settings on the DC. It />/seems that is still working for users already created with existing />/home directories on the file server, it is new users or any user that />/needs to build a home directory on the file server. This behavior is />/happening on both Ubuntu 18.04 and 16.04 now, so I believe it is />/related to the new DC. />//>/do I need 'winbind nss info = template' and if so what does it do? / > No, because it is the default setting and it tells winbind to only > obtain the users ID amd primary group from AD. > > >//>/Anyway, I tried Louis' suggestion and was able to get a better />/response after adding this to the *file server smb.conf*: />//>/ template homedir = /mnt/home/%U ( also tried />//mnt/Filestore/user-folders/%U ) />/ template shell = /bin/sh />//>/both resulted in correct mount points and shell: />//>/getent passwd 'rachelj' />/rachelj:*:10161:10001::/mnt/home/rachelj:/bin/sh />//>/but expected: />/rachelj:*:10161:10001:Rachel Jones:/mnt/home/rachelj:/bin/sh / > Check if 'Rachel Jones' has a 'gecos' attribute in AD. > > >/But when I tried to login, after a short pause it snaps back to a />/login. The mount point (rachelj) was created but nothing is in the />/directory. Note this is a new user and nothing exists on the file />/server other than the folder created via RSAT during the user setup. />//>/Jun 20 10:29:35 CY-MKT-10 systemd[1]: Started User Manager for />/UID 10161. 
Jun 20 10:29:35 CY-MKT-10 lightdm[823]: ** (process:1419): />/WARNING **: Error reading existing Xauthority: Failed to open file />/'/mnt/home/rachelj/.Xauthority': Permission denied />/Jun 20 10:29:35 CY-MKT-10 lightdm[823]: Error writing X authority: />/Failed to open X authority /mnt/home/rachelj/.Xauthority: Permission />/denied Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:116): />/Clean global config (0) />/Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:133): clean />/system authtok=0x1a22910 (0) />/Jun 20 10:29:36 CY-MKT-10 acpid: client 880[0:0] has disconnected />/Jun 20 10:29:36 CY-MKT-10 acpid: client connected from 1463[0:0] />/Jun 20 10:29:36 CY-MKT-10 acpid: 1 client rule loaded />/Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169343] Status code returned />/0xc000006d STATUS_LOGON_FAILURE />/Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169355] CIFS VFS: Send error />/in SessSetup = -13 />/Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169436] CIFS VFS: cifs_mount />/failed w/return code = -13 / > You seem to be being denied access to '.Xauthority', was it created on > another machine ? > However, I am sure '-13' usually means incorrect password. > > Rowland > > On 6/20/2018 12:01 PM, Bob Thomas wrote: >> >> Thank you for your reply. >> >> First I am using 'ad' backend (DC config is in first post below) and >> until I did a fresh install of a new DC Samba 4.8.2 on Ubuntu 18.04 >> the user/group id, shell, and home directory paths were correctly >> obtained from the RSAT UNIX Attribute Tab settings on the DC. It >> seems that is still working for users already created with existing >> home directories on the file server, it is new users or any user that >> needs to build a home directory on the file server. This behavior is >> happening on both Ubuntu 18.04 and 16.04 now, so I believe it is >> related to the new DC. >> >> do I need 'winbind nss info = template' and if so what does it do? 
>> >> Anyway, I tried Louis' suggestion and was able to get a better >> response after adding this to the *file server smb.conf*: >> >> template homedir = /mnt/home/%U ( also tried >> /mnt/Filestore/user-folders/%U ) >> template shell = /bin/sh >> >> both resulted in correct mount points and shell: >> >> getent passwd 'rachelj' >> rachelj:*:10161:10001::/mnt/home/rachelj:/bin/sh >> >> but expected: >> rachelj:*:10161:10001:Rachel Jones:/mnt/home/rachelj:/bin/sh >> >> But when I tried to login, after a short pause it snaps back to a >> login. The mount point (rachelj) was created but nothing is in the >> directory. Note this is a new user and nothing exists on the file >> server other than the folder created via RSAT during the user setup. >> >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (rdconf1.c:744): path to >> luserconf set to /mnt/home/rachelj/.pam_mount.conf.xml >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:568): pam_mount >> 2.14: entering session stage >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:786): Could not get >> realpath of /mnt/home/rachelj: No such file or directory >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:267): Mount info: >> globalconf, user=rachelj <volume fstype="cifs" server="cy-vault" >> path="home/rachelj" mountpoint="/mnt/home/rachelj" cipher="(null)" >> fskeypath="(null)" fskeycipher="(n$ >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:309): mkmountpoint: >> checking /mnt >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:309): mkmountpoint: >> checking /mnt/home >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:309): mkmountpoint: >> checking /mnt/home/rachelj >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:349): mkdir[0] >> /mnt/home/rachelj >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:357): chown >> /mnt/home/rachelj -> 10161:10001 >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:664): Password will >> be sent to helper as-is. 
>> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: command: 'mount' '-t' 'cifs' >> '//cy-vault/home/rachelj' '/mnt/home/rachelj' '-o' >> 'username=rachelj,uid=10161,gid=10001,vers=2.1' >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 18 24 0:17 / >> /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 19 24 0:4 / >> /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 20 24 0:6 / >> /dev rw,nosuid,relatime shared:2 - devtmpfs udev >> rw,size=1965792k,nr_inodes=491448,mode=755 >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 21 20 0:18 / >> /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts >> rw,gid=5,mode=620,ptmxmode=000 >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 22 24 0:19 / >> /run rw,nosuid,noexec,relatime shared:5 - tmpfs tmpfs >> rw,size=397688k,mode=755 >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 24 0 8:1 / / >> rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 25 18 0:13 / >> /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:8 - >> securityfs securityfs rw >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 26 20 0:21 / >> /dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 27 22 0:22 / >> /run/lock rw,nosuid,nodev,noexec,relatime shared:6 - tmpfs tmpfs >> rw,size=5120k >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 28 18 0:23 / >> /sys/fs/cgroup rw shared:9 - tmpfs tmpfs rw,mode=755 >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 29 28 0:24 / >> /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:10 - >> cgroup cgroup >> rw,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 30 18 0:25 / >> /sys/fs/pstore 
rw,nosuid,nodev,noexec,relatime shared:11 - pstore >> pstore rw >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 31 28 0:26 / >> /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:13 - >> cgroup cgroup rw,memory >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 32 28 0:27 / >> /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:14 - >> cgroup cgroup rw,devices >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 33 28 0:28 / >> /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:15 - >> cgroup cgroup >> rw,perf_event,release_agent=/run/cgmanager/agents/cgm-release-agent.perf_event >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 34 28 0:29 / >> /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:16 >> - cgroup cgroup rw,cpu,cpuacct >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 35 28 0:30 / >> /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:17 - >> cgroup cgroup rw,cpuset,clone_children >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 36 28 0:31 / >> /sys/fs/cgroup/pids rw,nosuid,nodev,noexec,relatime shared:18 - >> cgroup cgroup >> rw,pids,release_agent=/run/cgmanager/agents/cgm-release-agent.pids >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 37 28 0:32 / >> /sys/fs/cgroup/hugetlb rw,nosuid,nodev,noexec,relatime shared:19 - >> cgroup cgroup >> rw,hugetlb,release_agent=/run/cgmanager/agents/cgm-release-agent.hugetlb >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 38 28 0:33 / >> /sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime >> shared:20 - cgroup cgroup rw,net_cls,net_prio >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 39 28 0:34 / >> /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:21 - >> cgroup cgroup rw,blkio >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 40 28 0:35 / >> /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:22 - >> cgroup cgroup rw,freezer >> Jun 20 
10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 41 19 0:36 / >> /proc/sys/fs/binfmt_misc rw,relatime shared:23 - autofs systemd-1 >> rw,fd=31,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=12818 >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 75 18 0:7 / >> /sys/kernel/debug rw,relatime shared:56 - debugfs debugfs rw >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 77 20 0:37 / >> /dev/hugepages rw,relatime shared:58 - hugetlbfs hugetlbfs rw >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 79 20 0:16 / >> /dev/mqueue rw,relatime shared:60 - mqueue mqueue rw >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 81 18 0:38 / >> /sys/fs/fuse/connections rw,relatime shared:62 - fusectl fusectl rw >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 42 41 0:39 / >> /proc/sys/fs/binfmt_misc rw,relatime shared:24 - binfmt_misc >> binfmt_misc rw >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 44 22 0:40 / >> /run/cgmanager/fs rw,relatime shared:25 - tmpfs cgmfs >> rw,size=100k,mode=755 >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 155 22 0:43 / >> /run/user/108 rw,nosuid,nodev,relatime shared:113 - tmpfs tmpfs >> rw,size=397688k,mode=700,uid=108,gid=114 >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 163 22 0:45 / >> /run/user/0 rw,nosuid,nodev,relatime shared:121 - tmpfs tmpfs >> rw,size=397688k,mode=700 >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (mount.c:558): 109 24 0:42 >> /rachelj /mnt/home/rachelj rw,relatime shared:68 - cifs >> //cy-vault/home/rachelj >> rw,vers=2.1,sec=ntlmssp,cache=strict,username=rachelj,domain=CY,uid=10161,forceuid,gid$ >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: command: 'pmvarrun' '-u' >> 'rachelj' '-o' '1' >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pmvarrun.c:258): parsed >> count value 0 >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:441): pmvarrun >> says login count is 1 >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:660): done >> opening session 
(ret=0) >> Jun 20 10:29:35 CY-MKT-10 systemd[1]: Created slice User Slice of >> rachelj. >> Jun 20 10:29:35 CY-MKT-10 systemd[1]: Starting User Manager for UID >> 10161...Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Paths. >> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Sockets. >> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Timers. >> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Basic System. >> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Reached target Default. >> Jun 20 10:29:35 CY-MKT-10 systemd[1437]: Startup finished in 22ms. >> Jun 20 10:29:35 CY-MKT-10 systemd[1]: Started User Manager for UID 10161. >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: ** (process:1419): WARNING >> **: Error reading existing Xauthority: Failed to open file >> '/mnt/home/rachelj/.Xauthority': Permission denied >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: Error writing X authority: >> Failed to open X authority /mnt/home/rachelj/.Xauthority: Permission >> denied >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:116): Clean >> global config (0) >> Jun 20 10:29:35 CY-MKT-10 lightdm[823]: (pam_mount.c:133): clean >> system authtok=0x1a22910 (0) >> Jun 20 10:29:36 CY-MKT-10 acpid: client 880[0:0] has disconnected >> Jun 20 10:29:36 CY-MKT-10 acpid: client connected from 1463[0:0] >> Jun 20 10:29:36 CY-MKT-10 acpid: 1 client rule loaded >> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169343] Status code returned >> 0xc000006d STATUS_LOGON_FAILURE >> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169355] CIFS VFS: Send error >> in SessSetup = -13 >> Jun 20 10:29:36 CY-MKT-10 kernel: [ 97.169436] CIFS VFS: cifs_mount >> failed w/return code = -13 >> >> Bob Thomas >> >> On Wed, 20 Jun 2018 11:36:06 +0200 >> "L.P.H. van Belle via samba"<samba at lists.samba.org> wrote: >> >>> Hai Bob, >>> >>> And what does the wiki tell you about RID/AD backend AND ..... >>> Well even i had troubles finding the page again. So.. .its not you.. 
>>>
>>> The wiki is getting too complex and has too many side links to
>>> other pages. You need to set one or more of the following settings.
>>>
>>> template homedir =/home/%D/%U
>>> template shell = /bin/false
>>> usershare template share
>>> winbind nss info = template
>>>
>>>
>>> Rowland can you follow this path.
>>> ( think in, install a member )
>>> 1)
>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>> Look for any reference for the template settings, if you use RID.
>>>
>>> Maybe it's an option to link some specific settings to these on the
>>> page.
>>> ad   idmap config ad   idmap_ad(8)
>>> rid  idmap config rid  idmap_rid(8)
>>>
>>> Anyhow, for you I suggest the following.
>>>
>>> Member : home path in the share.
>>> /mnt/Filestore/user-folders
>>>
>>> And this is the default:
>>> template homedir =/home/%D/%U
>>>
>>> Change/add this
>>> template homedir =/mnt/Filestore/%U
>>>
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>> The problem with the wikipage is, just what Louis said, it is too
>> complex and all over the place. Until somebody said something, I wasn't
>> going to alter it, mainly because when I pointed this out, I upset the
>> person that wrote it.
>>
>> In my opinion, the wiki should be easy to understand and follow, even
>> if this means the same information being on several pages. To me, the
>> whole idea of a wiki, is to get the information across to users, not to
>> make it easy to maintain.
>>
>> As is, it is very easy to miss that you must add various options to
>> smb.conf to get a fully working Unix domain member.
>>
>> I am open to ideas on how to update the Unix domain member wikipage, my
>> first thought is to put everything on one page, but as I say, I am open
>> to suggestions.
>>
>> Rowland
>>
>>
>> On 6/19/2018 2:57 PM, Bob Thomas wrote:
>>>
>>> Hello,
>>>
>>> I've been trying to get Ubuntu 18.04 to work with Samba AD, seems I
>>> am almost there but am unable to get home directories to mount
>>> properly. The domain join went without a problem but because the
>>> default cifs ver changed in Ubuntu to get other Samba shares on a
>>> samba file server to mount I had to add to its smb.conf:
>>>
>>> client min protocol = SMB2
>>> client min protocol = SMB3
>>>
>>> So I can now mount shares, but home directory will not mount and
>>> build on the Ubuntu 18.04 client. I believe the issue is this:
>>>
>>> On Ubuntu 16.04 client getent passwd kiarar properly gives the DC's
>>> home directory setting of:
>>> root@CY-SALES-JM:~# getent passwd 'kiarar'
>>> kiarar:*:10155:10001:Kiara Ratcliff:/mnt/home/kiarar:/bin/sh
>>>
>>> On Ubuntu 18.04 client getent passwd kiarar gives:
>>> root@CY-SALE:~# getent passwd 'kiarar'
>>> kiarar:*:10155:10001::/home/CY/kiarar:/bin/false
>>>
>>> So it gets the correct UID and GID but not the login shell or home
>>> directory set in the UNIX Attributes tab.
>>>
>>> Samba DC version 4.8.2 on Ubuntu 18.04 config:
>>>
>>> [global]
>>>     netbios name = CY-DC
>>>     realm = CY.MYDOMAIN.COM
>>>     workgroup = CY
>>>     server role = active directory domain controller
>>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>     idmap_ldb:use rfc2307 = yes
>>>     idmap config CY:unix_nss_info = yes
>>>     ldap server require strong auth = no
>>>     allow dns updates = nonsecure and secure
>>>     log level = 2
>>>     ntlm auth = yes
>>>
>>>     # stops cups errors in log file
>>>     load printers = no
>>>     printing = bsd
>>>     printcap name = /dev/null
>>>     disable spoolss = yes
>>>
>>> [netlogon]
>>>     path = /var/lib/samba/sysvol/cy.cybernetics.com/scripts
>>>     read only = No
>>>
>>> [sysvol]
>>>     path = /var/lib/samba/sysvol
>>>     read only = No
>>>
>>> Samba File server version 4.7.4 on Ubuntu 16.04 config:
>>>
>>> [global]
>>>     realm = CY.CYBERNETICS.COM
>>>     workgroup = CY
>>>     netbios name = cy-vault
>>>     security = ADS
>>>     server role = member server
>>>     encrypt passwords = yes
>>>     client min protocol = SMB2
>>>     client max protocol = SMB3
>>>
>>>     idmap config *:backend = tdb
>>>     idmap config *:range = 2000-9999
>>>
>>>     idmap config CY:backend = ad
>>>     idmap config CY:schema_mode = rfc2307
>>>     idmap config CY:range = 10000-99999
>>>     idmap config CY : unix_nss_info = yes
>>>
>>>     winbind trusted domains only = no
>>>     winbind use default domain = yes
>>>
>>>     vfs objects = acl_xattr
>>>     map acl inherit = Yes
>>>     store dos attributes = Yes
>>>
>>>     username map = /etc/samba/user.map
>>>
>>>     log level=3
>>>     log file = /var/log/samba/log.%m
>>>     max log size = 500
>>>
>>>     # Stops cups errors in log file
>>>     load printers = no
>>>     printing = bsd
>>>     printcap name = /dev/null
>>>     disable spoolss = yes
>>>
>>> ####### User folder for Ubuntu ##########
>>>
>>> [home]
>>>     comment = UNIX Home Directories
>>>     path = /mnt/Filestore/user-folders
>>>     read only = no
>>>     level2 oplocks =no
>>>     oplocks = no
>>>     locking = no
>>>     strict locking = no
>>>
>>> Any help?
>>>
>>> Bob Thomas
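
Added example (not part of the original thread and not Samba's own code): the two `getent passwd` results quoted for 'kiarar' differ exactly in the fields winbind fills from the smb.conf templates, and this Python check makes that comparison explicit. The function names and the `MEMBER_CONF` fragment are constructed for illustration; the template defaults are the ones quoted in the thread.

```python
import re

# Samba's template defaults, as quoted in the thread.
DEFAULTS = {"template homedir": "/home/%D/%U", "template shell": "/bin/false"}

def read_templates(smb_conf_text):
    """Return the effective template settings from an smb.conf [global] section."""
    settings, section = dict(DEFAULTS), None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are matched case-insensitively, spacing normalised.
            key = re.sub(r"\s+", " ", key.strip().lower())
            if key in settings:
                settings[key] = value.strip()
    return settings

def expand(template, domain, user):
    """Expand %D and %U, the two substitutions the thread's templates use."""
    return template.replace("%D", domain).replace("%U", user)

def classify(passwd_line, domain, templates):
    """Report which fields of one getent passwd line match the templates."""
    user, _pw, _uid, _gid, gecos, home, shell = passwd_line.strip().split(":")
    home_tmpl = home == expand(templates["template homedir"], domain, user)
    shell_tmpl = shell == templates["template shell"]
    # All three together strongly suggest no RFC2307 attribute reached NSS.
    return {
        "home_from_template": home_tmpl,
        "shell_from_template": shell_tmpl,
        "gecos_missing": gecos == "",
        "likely_templated": home_tmpl and shell_tmpl and gecos == "",
    }

# The two getent results quoted in the thread (domain CY).
UBUNTU_1604 = "kiarar:*:10155:10001:Kiara Ratcliff:/mnt/home/kiarar:/bin/sh"
UBUNTU_1804 = "kiarar:*:10155:10001::/home/CY/kiarar:/bin/false"
# Constructed member-server fragment carrying the override suggested by Louis.
MEMBER_CONF = "[global]\n  workgroup = CY\n  template homedir = /mnt/Filestore/%U\n"

if __name__ == "__main__":
    for line in (UBUNTU_1604, UBUNTU_1804):
        print(classify(line, "CY", DEFAULTS))
    print(read_templates(MEMBER_CONF))
```

An entry that matches the templates after `template homedir` has been overridden still has an empty GECOS field, which is the quickest sign that the path came from smb.conf and not from the UNIX Attributes tab.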