Rowland Penny
2018-Nov-30 09:27 UTC
[Samba] Fw: AD users are not shown in Domain Controller when apply setfacl command
On Fri, 30 Nov 2018 09:06:34 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 30 Nov 2018 06:16:42 +0000 (UTC)
> barani tharan <aru_barani at yahoo.com> wrote:
>
> > Dear Rowland Penny
> > I follow your mentioned steps, still I am facing the same problem.
> > I have 1 Domain Controller [sambadc] and 1 Domain member for Samba
> > Share and backup [backupserver]
> >
> > 1. When I try to view the ACL rights on the backup server I am able to view the
> > domain user name
> > [root at backupserver Rishinox]# getfacl /ADHDD/Rishinox/
> > getfacl: Removing leading '/' from absolute path names
> > # file: ADHDD/Rishinox/
> >
> > [root at backupserver Rishinox]# vi /etc/samba/smb.conf
> >
> > [global]
> >
> > workgroup = RISHI
>
> Let's start with the obvious question, why do you think it is a good
> idea to use the workgroup 'ADHDD' on the DC and 'RISHI' on the Unix
> domain member ?
>
> All domain members need to use the same workgroup.

And now I am fully awake, you can ignore the above, you are using the
same workgroup

OOPs

Rowland

> > password server = sambadc.rishi.com
> > realm = RISHI.COM
> > security = ads
> > idmap config * : range = 16777216-33554431
> > template shell = /bin/bash
> > kerberos method = secrets only
> > winbind use default domain = yes
> > winbind offline logon = true
> >
>
> Why are you using that range ?
> Are you also using sssd on that machine ?
> I ask the last question because your smb.conf isn't set up correctly
> for winbind and you used red-hat tools to set up smb.conf
> Stop trying to use 'Administrator' as a user on Unix domain members,
> that user is a Windows user and should be mapped to the Unix user
> 'root'
>
> Rowland
>
barani tharan
2018-Dec-04 12:37 UTC
[Samba] Fw: AD users are not shown in Domain Controller when apply setfacl command
Dear Team

1. I get the same error on the domain controller when I try to set an ACL on the shared folder:

[root at samba4dc ~]# setfacl -m group:"EIPL\administrator":rwx /Share
setfacl: Option -m: Invalid argument near character 7

[root at samba4dc ~]# id EIPL\administrator
id: EIPLadministrator: no such user

2. My smb.conf file:

[root at samba4dc ~]# vi /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        netbios name = SAMBA4DC
        realm = EIPL.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = EIPL
        idmap_ldb:use rfc2307 = yes

        # idmap config EIPL:backend = ad
        # idmap config EIPL:schema_mode = rfc2307
        # idmap config EIPL:range = 10000-999999
        # tls enabled = yes
        # tls keyfile = tls/Domainkey.pem
        # tls certfile = tls/Mydomain.pem

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/eipl.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[Comon]
        path = /Share
        read Only = No

3. When I view the ACL of that share folder, I see only the user id, not the user name:

[root at samba4dc ~]# getfacl /Share
getfacl: Removing leading '/' from absolute path names
# file: Share
# owner: root
# group: root
# flags: -s-
user::rwx
user:root:rwx
user:3000000:rwx
group::r-x
group:root:r-x
group:3000000:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::r-x
default:group:root:r-x
default:group:3000000:rwx
default:mask::rwx
default:other::r-x

4. When I use samba-tool to view users it shows the user names:

[root at samba4dc ~]# samba-tool user list
Administrator
Ramkumar
dns-samba4dc
rhevadmin
krbtgt
Guest

5. [root at samba4dc ~]# samba -V
Version 4.7.11

I don't know how to solve this problem. One more thing, I viewed the links "Identity Mapping Back Ends - SambaWiki" and "Setting up RFC2307 in AD - SambaWiki".

6. In these links it says:
1. ID mapping back ends are not supported in the smb.conf file on a Samba AD DC
2. On a AD DC there should not be more than the sysvol and netlogon share, so the usage of unified RFC2307 idmappings is not really important. If you want to enable RFC2307 ID mappings on the DC for whatever reason, then you would have to verify on the Samba DC, that the idmap_ldb:use rfc2307

7. In the other link, "Updating Samba - SambaWiki", I saw the following, so please guide me to solve this issue, I am really confused:

Failure To Access Shares on Domain Controllers If idmap config Parameters Set in the smb.conf File

4.4.6 or later

The winbindd service on a Samba Active Directory (AD) domain controller (DC) automatically uses the IDs set in the Active Directory uidNumber and gidNumber attributes of user accounts and groups. If the attributes are not set, Samba generates IDs locally on the DC and stores them in the idmap.ldb database. Thus, on a Samba AD DC, idmap config parameters set in the smb.conf file were ignored. Due to a bug in Samba 4.4.6 and later, the parameters are no longer ignored and clients fail to connect to shares on the DC. To fix the problem:
- Remove all idmap config parameters in the smb.conf file on DCs.
- Restart the samba service.
- Restart the clients.
As a result, clients now correctly connect to shares on the DC

Regards
Baranitharan
L.P.H. van Belle
2018-Dec-04 13:31 UTC
[Samba] Fw: AD users are not shown in Domain Controller when apply setfacl command
If I may say.. In managing your servers/network, don't use users but
user groups. Just a tip.

Your attempt is ok with :
setfacl -m group:"EIPL\administrator":rwx /Share
But the use is not correct, you try to set a user as a group in
linux.. That's not working.

Or setfacl -m group:"EIPL\Domain Admins":rwx /Share ( but this is on the DC )
Or setfacl -m group:"BUILTIN\Administrators":rwx /Share ( domain admins is member of BUILTIN\Administrators )
Preferred, use BUILTIN\Administrators, works always on the DC's.
Or setfacl -m user:"BUILTIN\Administrator":rwx /Share

And really try to work with groups, the more the better, I never set a
user on things, always groups.

About the mail below.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> barani tharan via samba
> Sent: Tuesday 4 December 2018 13:37
> To: samba at lists.samba.org; Rowland Penny
> Subject: Re: [Samba] Fw: AD users are not shown in Domain
> Controller when apply setfacl command
>
> Dear Team
> 1. I get same error in domain controller when try to set acl
> in share the file
>
> [root at samba4dc ~]# setfacl -m group:"EIPL\administrator":rwx /Share
> setfacl: Option -m: Invalid argument near character 7
>
> [root at samba4dc ~]# id EIPL\administrator
> id: EIPLadministrator: no such user

Yes, correct, user Administrator does not have a UID because
Administrator is mapped to root. If it's correct. ( most probably
solution at the end of the mail. )

id Administrator
uid=0(root) gid=0(root) groups=0(root)

> 2. My smb.conf file

I've compared this one with mine, it's the same, at least yours is
ok/sufficient for what you want.

> [root at samba4dc ~]# vi /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
>         netbios name = SAMBA4DC
>         realm = EIPL.COM
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = EIPL
>         idmap_ldb:use rfc2307 = yes
>
>
>         # idmap config EIPL:backend = ad
>         # idmap config EIPL:schema_mode = rfc2307
>         # idmap config EIPL:range = 10000-999999
>         # tls enabled = yes
>         # tls keyfile = tls/Domainkey.pem
>         # tls certfile = tls/Mydomain.pem
>
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/eipl.com/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
> [Comon]
>         path = /Share
>         read Only = No
> ~
>
>
> 3. When view the ACL in that share folder. I view the user id
> only not user name
> [root at samba4dc ~]# getfacl /Share
> getfacl: Removing leading '/' from absolute path names
> # file: Share
> # owner: root
> # group: root
> # flags: -s-
> user::rwx
> user:root:rwx
> user:3000000:rwx
> group::r-x
> group:root:r-x
> group:3000000:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:3000000:rwx
> default:mask::rwx
> default:other::r-x

What's shown, that is correct. What you see is the id of user/groups for the AD DC.

wbinfo --gid-to-sid 3000000
wbinfo --uid-to-sid 3000000
Results both in : S-1-5-32-544

wbinfo --sid-to-name S-1-5-32-544
BUILTIN\Administrators 4

> 4. when use the samba-tool to view users it show the users name
>
> [root at samba4dc ~]# samba-tool user list
> Administrator
> Ramkumar
> dns-samba4dc
> rhevadmin
> krbtgt
> Guest

It's still correct, all good here..

> 5. [root at samba4dc ~]# samba -V
> Version 4.7.11
>
>
> I don't know how to solve this problem. One more
> thing i view the link Identity Mapping Back Ends - SambaWiki
> and Setting up RFC2307 in AD - SambaWiki
> 6. In this links it says that like
> 1. ID mapping back ends are not supported in the smb.conf
> file on a Samba AD DC 2. On a AD DC there should not be more
> than the sysvol and netlogon share, so the usage of unified
> RFC2307 idmappings is not really important. If you want to
> enable RFC2307 ID mappings on the DC for whatever reason, the
> you would have to verify on the Samba DC, that the
> idmap_ldb:use rfc2307
>

I don't see a problem in your setup, only missing one thing.. ( that's
the link below. )

> 7. In other link Updating Samba - SambaWiki
> In that link i view like this option so please guide
> me solve this issue i am really in confusion
> Failure To Access Shares on Domain Controllers If idmap
> config Parameters Set in the smb.conf File
>

Did you configure winbind
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

Greetz,

Louis
Rowland Penny
2018-Dec-04 13:34 UTC
[Samba] Fw: AD users are not shown in Domain Controller when apply setfacl command
On Tue, 4 Dec 2018 12:37:23 +0000 (UTC)
barani tharan <aru_barani at yahoo.com> wrote:

> Dear Team
> 1. I get same error in domain controller when try to set acl in
> share the file
>
> [root at samba4dc ~]# setfacl -m group:"EIPL\administrator":rwx /Share
> setfacl: Option -m: Invalid argument near character 7

Never try to use 'Administrator' on a Unix machine, use 'root' instead

> [root at samba4dc ~]# id EIPL\administrator
> id: EIPLadministrator: no such user

You have hit a Unix problem there, a single '\' is a Unix 'escape'
character, you need to use two:

root at dc4:~# id SAMDOM\\Administrator
uid=0(root) gid=0(root) groups=0(root)

That also shows one of the reasons why you shouldn't use the WINDOWS
user 'Administrator' on UNIX.

> 3. When view the ACL in that share folder. I view the user id only
> not user name
> [root at samba4dc ~]# getfacl /Share
> getfacl: Removing leading '/' from absolute path names
> # file: Share
> # owner: root
> # group: root
> # flags: -s-
> user::rwx
> user:root:rwx
> user:3000000:rwx
> group::r-x
> group:root:r-x
> group:3000000:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:3000000:rwx
> default:mask::rwx
> default:other::r-x

I am prepared to lay money on '3000000' being the group
'Administrators' and not the user 'Administrator'

> 4. when use the samba-tool to view users it show the users name
>
> [root at samba4dc ~]# samba-tool user list
> Administrator
> Ramkumar
> dns-samba4dc
> rhevadmin
> krbtgt
> Guest

Samba-tool works in a similar manner to 'wbinfo -u', that is they both
show all AD users, but those users are not necessarily known to Unix.

> 5. [root at samba4dc ~]# samba -V
> Version 4.7.11
>
>
> I don't know how to solve this problem. One more thing i view
> the link Identity Mapping Back Ends - SambaWiki and Setting up
> RFC2307 in AD - SambaWiki
> 6. In this links it says that like
> 1. ID mapping back ends are not supported in the smb.conf file on a Samba
> AD DC

They never have been and they used to be totally ignored, but an update
meant they started to interfere with Samba, but they still didn't work.

> 2. On a AD DC there should not be more than the sysvol and
> netlogon share, so the usage of unified RFC2307 idmappings is not
> really important.

No, it says it isn't recommended, but you can have shares if you
really must.

> If you want to enable RFC2307 ID mappings on the
> DC for whatever reason, the you would have to verify on the Samba DC,
> that the idmap_ldb:use rfc2307
>
> 7. In other link Updating Samba - SambaWiki
> In that link i view like this option so please guide me solve
> this issue i am really in confusion Failure To Access Shares on
> Domain Controllers If idmap config Parameters Set in the smb.conf File

Very simple, do not add any 'idmap config' lines to an AD DC smb.conf

> 4.4.6 or later
>
> The winbindd service on a Samba Active Directory (AD) domain
> controller (DC) automatically uses the IDs set in the Active
> Directory uidNumber and gidNumber attributes of user accounts and
> groups. If the attributes are not set, Samba generates IDs locally on
> the DC and stores them in the idmap.ldb database. Thus, on a Samba AD
> DC, idmap config parameters set in the smb.conf file were ignored.
> Due to a bug in Samba 4.4.6 and later, the parameters are no longer
> ignored and clients fail to connect to shares on the DC. To fix the
> problem:
> - Remove all idmap config parameters in the smb.conf file on DCs.
> - Restart the samba service.
> - Restart the clients.
> As a result, clients now correctly connect to shares on the DC

It is actually the other way around, by default, the 'xidNumbers' in
idmap.ldb are used, but if 'uidNumber' & 'gidNumber' attributes are
added to AD, these will be used instead.

Everything else is correct.

Rowland
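Two checks that follow from the replies above, as an added example that is not code from the thread or from the Samba project: what the shell actually hands to id/setfacl for a DOMAIN\name argument (the cause of "id: EIPLadministrator: no such user"), and a scan of getfacl output for principals that are still bare numeric IDs like 3000000, which is the sign that winbind has not resolved them. Function names are assumed, SAMPLE_ACL is a constructed copy of the getfacl output posted in the thread, and nothing here needs Samba installed except the optional wbinfo lookup.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are assumptions.

# 1. The shell consumes a single backslash before the command ever sees it,
#    so "EIPL\administrator" reaches id as "EIPLadministrator".
arg_seen_by_command() { printf '%s' "$1"; }
unquoted=$(arg_seen_by_command EIPL\administrator)   # the failing form from the thread
doubled=$(arg_seen_by_command EIPL\\Administrator)   # backslash survives
single=$(arg_seen_by_command 'EIPL\Administrator')   # backslash survives

# 2. Constructed copy of the getfacl /Share output from the thread.
SAMPLE_ACL='# file: Share
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
group::r-x
group:root:r-x
group:3000000:rwx
mask::rwx
other::---
default:user:3000000:rwx
default:group:3000000:rwx'

# Print "type id" for every user/group entry whose qualifier is all digits,
# skipping comments, the base entries and the default: prefix; de-duplicated.
unresolved_ids() {
    printf '%s\n' "$1" | sed 's/^default://' | awk -F: '
        /^#/ { next }
        ($1 == "user" || $1 == "group") && $2 ~ /^[0-9]+$/ { print $1, $2 }' | sort -u
}

# On the DC itself, map a hit back to its SID and name with the wbinfo
# commands Louis used; only called when wbinfo is actually installed.
resolve_with_wbinfo() {
    if [ "$1" = user ]; then sid=$(wbinfo --uid-to-sid "$2"); else sid=$(wbinfo --gid-to-sid "$2"); fi
    wbinfo --sid-to-name "$sid"
}

printf 'shell handed: %s | %s | %s\n' "$unquoted" "$doubled" "$single"
unresolved_ids "$SAMPLE_ACL" | while read -r type id; do
    echo "unresolved $type $id"
    if command -v wbinfo >/dev/null 2>&1; then resolve_with_wbinfo "$type" "$id"; fi
done
```

Without Samba the script only reports the two unresolved 3000000 entries; on a DC it also prints the SID (S-1-5-32-544 in the thread) and its name.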