samba - Dec 2018 - Fw: AD usres are not show in Domain Controller when apply setfacl command

On Fri, 30 Nov 2018 09:06:34 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 30 Nov 2018 06:16:42 +0000 (UTC)
> barani tharan <aru_barani at yahoo.com> wrote:
> 
> >  Dear Rowland Penny
> >  I follow your mentioned step still i am face the same problem
> > I have 1 Domain Controller [sambadc] and 1 Domain member for Samba
> > Share and backup [backupserver]
> > 
> > 1.when try view the ACL rights is backup server i can able view the
> > domain user name [root at backupserver Rishinox]#
> > getfacl /ADHDD/Rishinox/ getfacl: Removing leading '/' from
absolute
> > path names # file: ADHDD/Rishinox/
> 
> > [root at backupserver Rishinox]# vi /etc/samba/smb.conf
> > 
> > [global]
> 
> > 
> >    workgroup = RISHI
> 
> Lets start with the obvious question, why do you think it is a good
> idea to use the workgroup 'ADHDD' on the DC and 'RISHI' on
the Unix
> domain member ?
> 
> All domain members need to use the same workgroup.
And now I am fully awake, you can ignore the above, you are using the
same workgroup OOPs

Rowland
 
> 
> >    password server = sambadc.rishi.com
> >    realm = RISHI.COM
> >    security = ads
> >    idmap config * : range = 16777216-33554431
> >    template shell = /bin/bash
> >    kerberos method = secrets only
> >    winbind use default domain = yes
> >    winbind offline logon = true
> > 
> 
> Why are you using that range ?
> Are you also using sssd on that machine ?
> I ask the last question because your smb.conf isn't set up correctly
> for winbind and you used red-hat tools to set up smb.conf
> Stop trying to use 'Administrator' as a user on Unix domain
members,
> that user is a Windows user and should be mapped to the Unix user
> 'root'
> 
> Rowland
>

Dear Team
1.  I get same error in domain controller when try to set acl in  share the file

[root at samba4dc ~]# setfacl -m group:"EIPL\administrator":rwx /Share
setfacl: Option -m: Invalid argument near character 7

[root at samba4dc ~]# id EIPL\administrator
id: EIPLadministrator: no such user
2.  My smb.conf file    
  [root at samba4dc ~]# vi /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        netbios name = SAMBA4DC
        realm = EIPL.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
        workgroup = EIPL
        idmap_ldb:use rfc2307 = yes


#       idmap config EIPL:backend = ad
#       idmap config EIPL:schema_mode = rfc2307
#       idmap config EIPL:range = 10000-999999
#       tls enabled = yes
#       tls keyfile = tls/Domainkey.pem
#       tls certfile = tls/Mydomain.pem


[netlogon]
        path = /usr/local/samba/var/locks/sysvol/eipl.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[Comon]
        path = /Share
        read Only = No
~


3. When view the ACL in that share folder. I view the user id only not user name
[root at samba4dc ~]# getfacl /Share
getfacl: Removing leading '/' from absolute path names
# file: Share
# owner: root
# group: root
# flags: -s-
user::rwx
user:root:rwx
user:3000000:rwx
group::r-x
group:root:r-x
group:3000000:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::r-x
default:group:root:r-x
default:group:3000000:rwx
default:mask::rwx
default:other::r-x


4. when use the samba-tool to view users it show the users name

    [root at samba4dc ~]# samba-tool user list
Administrator
Ramkumar
dns-samba4dc
rhevadmin
krbtgt
Guest
5. [root at samba4dc ~]# samba -V
Version 4.7.11


        I don't know how to solve this problem. One more thing i view the
link Identity Mapping Back Ends - SambaWiki and Setting up RFC2307 in AD -
SambaWiki
6.  In this links it says that like
  1. ID mapping back ends are not supported in the smb.conf file on a Samba AD
DC  2. On a AD DC there should not be more than the sysvol and netlogon share,
so the usage of unified RFC2307 idmappings is not really important. If you want
to    enable RFC2307 ID mappings on the DC for whatever reason, the you would
have to verify on the Samba DC, that the idmap_ldb:use rfc2307

7.  In other link Updating Samba - SambaWiki
       In that link i view like this option so please guide me solve this issue
i am really in  confusion
Failure To Access Shares on Domain Controllers If idmap config Parameters Set in
the smb.conf File


4.4.6 or later

The winbindd service on a Samba Active Directory (AD) domain controller (DC)
automatically uses the IDs set in the Active Directory uidNumber and gidNumber
attributes of user accounts and groups. If the attributes are not set, Samba
generates IDs locally on the DC and stores them in the idmap.ldb database. Thus,
on a Samba AD DC, idmap config parameters set in the smb.conf file were ignored.
Due to a bug in Samba 4.4.6 and later, the parameters are no longer ignored and
clients fail to connect to shares on the DC. To fix the problem:
   
   -  Remove all idmap config parameters in the smb.conf file on DCs.
   -  Restart the samba service.
   -  Restart the clients.
As a result, clients now correctly connect to shares on the DC


| 
| 
|  | 
Updating Samba - SambaWiki


 |

 |

 |






| 
| 
|  | 
Setting up RFC2307 in AD - SambaWiki


 |

 |

 |





| 
| 
|  | 
Identity Mapping Back Ends - SambaWiki


 |

 |

 |




RegardsBaranitharan

    On Friday, 30 November, 2018, 2:57:36 PM IST, Rowland Penny via samba
<samba at lists.samba.org> wrote:
 
 On Fri, 30 Nov 2018 09:06:34 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 30 Nov 2018 06:16:42 +0000 (UTC)
> barani tharan <aru_barani at yahoo.com> wrote:
> 
> >  Dear Rowland Penny
> >  I follow your mentioned step still i am face the same problem
> > I have 1 Domain Controller [sambadc] and 1 Domain member for Samba
> > Share and backup [backupserver]
> > 
> > 1.when try view the ACL rights is backup server i can able view the
> > domain user name [root at backupserver Rishinox]#
> > getfacl /ADHDD/Rishinox/ getfacl: Removing leading '/' from
absolute
> > path names # file: ADHDD/Rishinox/
> 
> > [root at backupserver Rishinox]# vi /etc/samba/smb.conf
> > 
> > [global]
> 
> > 
> >    workgroup = RISHI
> 
> Lets start with the obvious question, why do you think it is a good
> idea to use the workgroup 'ADHDD' on the DC and 'RISHI' on
the Unix
> domain member ?
> 
> All domain members need to use the same workgroup.
And now I am fully awake, you can ignore the above, you are using the
same workgroup OOPs

Rowland
 
> 
> >    password server = sambadc.rishi.com
> >    realm = RISHI.COM
> >    security = ads
> >    idmap config * : range = 16777216-33554431
> >    template shell = /bin/bash
> >    kerberos method = secrets only
> >    winbind use default domain = yes
> >    winbind offline logon = true
> > 
> 
> Why are you using that range ?
> Are you also using sssd on that machine ?
> I ask the last question because your smb.conf isn't set up correctly
> for winbind and you used red-hat tools to set up smb.conf
> Stop trying to use 'Administrator' as a user on Unix domain
members,
> that user is a Windows user and should be mapped to the Unix user
> 'root'
> 
> Rowland
> 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

If i may say.. 

In managing your servers/network. Dont use users but user groups. Just a tip. 

Your attempt is ok with :  setfacl -m group:"EIPL\administrator":rwx
/Share
But the use its not correct, you try to set a user for group in linux.. Thats
not working.
Or setfacl -m group:"EIPL\Domain Admins":rwx /Share    ( but this is
on the DC )
Or setfacl -m group:"BUILTIN\Administrators":rwx /Share  ( domain
admins is member of BUILTIN\Administrators )
Preffered, use BUILTIN\Administrators works always on the DC's. 

Or setfacl -m user:"BUILTIN\Administrator":rwx /Share 

And really try to work with groups the more the better, i never set a user on
things always groups.

About the mail below. 
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> barani tharan via samba
> Verzonden: dinsdag 4 december 2018 13:37
> Aan: samba at lists.samba.org; Rowland Penny
> Onderwerp: Re: [Samba] Fw: AD usres are not show in Domain 
> Controller when apply setfacl command
> 
>  Dear Team
> 1.  I get same error in domain controller when try to set acl 
> in  share the file
> 
> [root at samba4dc ~]# setfacl -m group:"EIPL\administrator":rwx
/Share
> setfacl: Option -m: Invalid argument near character 7
> 
> [root at samba4dc ~]# id EIPL\administrator
> id: EIPLadministrator: no such user
Yes, correct, user Administrator does not have a UID because Adminsitrator is
mapped to root.

If its correct.  ( most probely solution at the end of the mail. )

id Administrator
uid=0(root) gid=0(root) groups=0(root)
> 2.  My smb.conf file    
I've compared this one with mine, its the same, at least yours is
ok/sufficient for what you want.
>   [root at samba4dc ~]# vi /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
>         netbios name = SAMBA4DC
>         realm = EIPL.COM
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, 
> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = EIPL
>         idmap_ldb:use rfc2307 = yes
> 
> 
> #       idmap config EIPL:backend = ad
> #       idmap config EIPL:schema_mode = rfc2307
> #       idmap config EIPL:range = 10000-999999
> #       tls enabled = yes
> #       tls keyfile = tls/Domainkey.pem
> #       tls certfile = tls/Mydomain.pem
> 
> 
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/eipl.com/scripts
>         read only = No
> 
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
> 
> [Comon]
>         path = /Share
>         read Only = No
> ~
> 
> 
> 3. When view the ACL in that share folder. I view the user id 
> only not user name
> [root at samba4dc ~]# getfacl /Share
> getfacl: Removing leading '/' from absolute path names
> # file: Share
> # owner: root
> # group: root
> # flags: -s-
> user::rwx
> user:root:rwx
> user:3000000:rwx
> group::r-x
> group:root:r-x
> group:3000000:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:3000000:rwx
> default:mask::rwx
> default:other::r-x
Whats shown, that is correct. 
What you see is the id off user/groups for the AD DC. 
wbinfo --gid-to-sid 3000000 
wbinfo --uid-to-sid 3000000

Results both in : S-1-5-32-544

wbinfo --sid-to-name S-1-5-32-544
BUILTIN\Administrators 4
> 
> 
> 4. when use the samba-tool to view users it show the users name
> 
>     [root at samba4dc ~]# samba-tool user list
> Administrator
> Ramkumar
> dns-samba4dc
> rhevadmin
> krbtgt
> Guest
Its still correct, all good here.. 

> 5. [root at samba4dc ~]# samba -V
> Version 4.7.11
> 
> 
>         I don't know how to solve this problem. One more 
> thing i view the link Identity Mapping Back Ends - SambaWiki 
> and Setting up RFC2307 in AD - SambaWiki
> 6.  In this links it says that like
>   1. ID mapping back ends are not supported in the smb.conf 
> file on a Samba AD DC  2. On a AD DC there should not be more 
> than the sysvol and netlogon share, so the usage of unified 
> RFC2307 idmappings is not really important. If you want to    
> enable RFC2307 ID mappings on the DC for whatever reason, the 
> you would have to verify on the Samba DC, that the 
> idmap_ldb:use rfc2307
> 
I dont see a problem in your setup, only missing one thing..  ( thats the link
below. )

> 7.  In other link Updating Samba - SambaWiki
>        In that link i view like this option so please guide 
> me solve this issue i am really in  confusion 
> Failure To Access Shares on Domain Controllers If idmap 
> config Parameters Set in the smb.conf File
> 
Did you configure winbind

https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC


Greetz, 

Louis

On Tue, 4 Dec 2018 12:37:23 +0000 (UTC)
barani tharan <aru_barani at yahoo.com> wrote:
>  Dear Team
> 1.  I get same error in domain controller when try to set acl in
> share the file
> 
> [root at samba4dc ~]# setfacl -m group:"EIPL\administrator":rwx
/Share
> setfacl: Option -m: Invalid argument near character 7
Never try to use 'Administrator' on a Unix machine, use 'root'
instead
> 
> [root at samba4dc ~]# id EIPL\administrator
> id: EIPLadministrator: no such user
You have hit a Unix problem there a single '\' is a Unix
'escape'
character, you need to use two:

root at dc4:~# id SAMDOM\\Administrator
uid=0(root) gid=0(root) groups=0(root)

That also shows one of the reasons why you shouldn't use the WINDOWS
user 'Administrator' on UNIX.
>
> 
> 
> 3. When view the ACL in that share folder. I view the user id only
> not user name [root at samba4dc ~]# getfacl /Share
> getfacl: Removing leading '/' from absolute path names
> # file: Share
> # owner: root
> # group: root
> # flags: -s-
> user::rwx
> user:root:rwx
> user:3000000:rwx
> group::r-x
> group:root:r-x
> group:3000000:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:3000000:rwx
> default:mask::rwx
> default:other::r-x
I am prepared to lay money on '3000000' being the group
'Administrators' and not the user 'Administrator'
> 
> 
> 4. when use the samba-tool to view users it show the users name
> 
>     [root at samba4dc ~]# samba-tool user list
> Administrator
> Ramkumar
> dns-samba4dc
> rhevadmin
> krbtgt
> Guest
Samba-tool works in a similar manner to 'wbinfo -u', that is they both
show all AD users, but those users are not necessarily known to UNix.
 
> 5. [root at samba4dc ~]# samba -V
> Version 4.7.11
> 
> 
>         I don't know how to solve this problem. One more thing i view
> the link Identity Mapping Back Ends - SambaWiki and Setting up
> RFC2307 in AD - SambaWiki 6.  In this links it says that like 
>1. ID mapping back ends are not supported in the smb.conf file on a Samba
> AD DC  
They never have been and they used to be totally ignored, but an update
meant they started to interfere with Samba, but they still didn't work.
>2. On a AD DC there should not be more than the sysvol and
> netlogon share, so the usage of unified RFC2307 idmappings is not
> really important. 
No, it says it isn't recommended, but you can have shares if you really
must.
>If you want to    enable RFC2307 ID mappings on the
> DC for whatever reason, the you would have to verify on the Samba DC,
> that the idmap_ldb:use rfc2307
> 
> 7.  In other link Updating Samba - SambaWiki
>        In that link i view like this option so please guide me solve
> this issue i am really in  confusion Failure To Access Shares on
> Domain Controllers If idmap config Parameters Set in the smb.conf File
Very simple, do not add any 'idmap config' lines to an AD DC smb.conf
> 
> 4.4.6 or later
> 
> The winbindd service on a Samba Active Directory (AD) domain
> controller (DC) automatically uses the IDs set in the Active
> Directory uidNumber and gidNumber attributes of user accounts and
> groups. If the attributes are not set, Samba generates IDs locally on
> the DC and stores them in the idmap.ldb database. Thus, on a Samba AD
> DC, idmap config parameters set in the smb.conf file were ignored.
> Due to a bug in Samba 4.4.6 and later, the parameters are no longer
> ignored and clients fail to connect to shares on the DC. To fix the
> problem: 
>    -  Remove all idmap config parameters in the smb.conf file on DCs.
>    -  Restart the samba service.
>    -  Restart the clients.
> As a result, clients now correctly connect to shares on the DC
> 
It is actually the other way around, by default, the 'xidNumbers' in
idmap.ldb are used, but if 'uidNumber' & 'gidNumber'
attributes are
added to AD, these will be used instead. Everything else is correct.
 
Rowland