Hi,
We did a classicupgrade of our Ubuntu Server (4.3.11, TDB); the server DC5 also
hosts shares. Post the migration we are seeing some permission issues.
When trying to give permission to a domain group/user to folder/file we get the
following
chown "LIN\\myadmin:LIN\\adgroup" adtest/
chown: invalid user: 'LIN\\myadmin:LIN\\adgroup'
wbinfo --ping-dc : checking the NETLOGON for domain[LIN] dc connection to
"dc5.LIN.group" succeeded
The getent group comes up with no results
getent group "LIN\\adgroup"
getent passwd "LIN\\mygroup"
Here is the smb.conf:
        workgroup = LIN
        realm = LIN.GROUP
        netbios name = dc5
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        log file = /var/log/samba/log.%m
        log level = 1
        winbind nss info = rfc2307
        idmap config * : backend = tdb
        idmap config * : range = 4000-7999
        idmap config LIN:backend = ad
        idmap config LIN:schema_mode = rfc2307
        idmap config LIN:range = 10000-999999
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        # Template settings for login shell and home directory
        template shell = /bin/bash
        template homedir = /home/%U
Here is nsswitch.conf:
passwd:         files winbind
group:          files winbind
shadow:         compat
If the group in question exists in /etc/group it works, because it is local. But
if the group is new, or if the group has been removed from /etc/group and AD, it
doesn't.
We have added the SeDiskOperatorPrivilege to the user making the chown calls.
Any suggestions?
Regards,
Praveen Ghimire
On Fri, 8 Feb 2019 06:22:05 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi,
>
> We did a classicupgrade of our Ubuntu Server (4.3.11, TDB); the
> server DC5 also hosts shares. Post the migration we are seeing some
> permission issues.
>
> When trying to give permission to a domain group/user to folder/file
> we get the following
>
> chown "LIN\\myadmin:LIN\\adgroup" adtest/
> chown: invalid user: 'LIN\\myadmin:LIN\\adgroup'
>
> wbinfo --ping-dc : checking the NETLOGON for domain[LIN] dc
> connection to "dc5.LIN.group" succeeded
>
> The getent group comes up with no results
> getent group "LIN\\adgroup"
> getent passwd "LIN\\mygroup"
>
>
> Here is the smb.conf:
>
> workgroup = LIN
> realm = LIN.GROUP
> netbios name = dc5
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> log file = /var/log/samba/log.%m
> log level = 1
>
> winbind nss info = rfc2307
>
> idmap config * : backend = tdb
> idmap config * : range = 4000-7999
> idmap config LIN:backend = ad
> idmap config LIN:schema_mode = rfc2307
> idmap config LIN:range = 10000-999999

OK, you classicupgraded your NT4-style PDC to an AD DC. Did your users
have IDs in the '10000-999999' range before the upgrade?

Have you set up the libnss-winbind links?

Rowland

> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> # Template settings for login shell and home directory
> template shell = /bin/bash
> template homedir = /home/%U
>
>
> Here is nsswitch.conf:
> passwd: files winbind
> group: files winbind
> shadow: compat
>
>
> If the group in question exists in /etc/group it works, because it is
> local. But if the group is new, or if the group has been removed
> from /etc/group and AD, it doesn't.
>
> We have added the SeDiskOperatorPrivilege to the user making the
> chown calls.
>
> Any suggestions?
>
>
> Regards,
> Praveen Ghimire
Hi Rowland,

The user's ID range would have been below 3600; the current max RID is 3506.

The links have been set up following this link, then restarted the samba-ad-dc service:
https://wiki.samba.org/index.php/Libnss_winbind_Links

I followed the following to configure the winbindd stuff:
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

template shell = /bin/bash
template homedir = /home/%U

 9833 pts/0    S+     0:00  \_ grep --color=auto winbind
17196 ?        Ss     0:00  |   \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
17199 ?        S      0:01  |   \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground

Regards,
Praveen

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Friday, 8 February 2019 8:01 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Permission issue

On Fri, 8 Feb 2019 06:22:05 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> > Hi,
> >
> > We did a classicupgrade of our Ubuntu Server (4.3.11, TDB); the server
> > DC5 also hosts shares. Post the migration we are seeing some permission
> > issues.
> >
> > When trying to give permission to a domain group/user to folder/file
> > we get the following
> >
> > chown "LIN\\myadmin:LIN\\adgroup" adtest/
> > chown: invalid user: 'LIN\\myadmin:LIN\\adgroup'
> >
> > wbinfo --ping-dc : checking the NETLOGON for domain[LIN] dc connection
> > to "dc5.LIN.group" succeeded
> >
> > The getent group comes up with no results
> > getent group "LIN\\adgroup"
> > getent passwd "LIN\\mygroup"
> >
> >
> > Here is the smb.conf:
> >
> > workgroup = LIN
> > realm = LIN.GROUP
> > netbios name = dc5
> > server role = active directory domain controller
> > idmap_ldb:use rfc2307 = yes
> > log file = /var/log/samba/log.%m
> > log level = 1
> >
> > winbind nss info = rfc2307
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 4000-7999
> > idmap config LIN:backend = ad
> > idmap config LIN:schema_mode = rfc2307
> > idmap config LIN:range = 10000-999999
>
> OK, you classicupgraded your NT4-style PDC to an AD DC. Did your users
> have IDs in the '10000-999999' range before the upgrade?
>
> Have you set up the libnss-winbind links?
>
> Rowland
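Rowland's two questions (does nsswitch.conf hand passwd and group lookups to winbind, and do the pre-upgrade IDs fall inside the LIN idmap range?) can be checked offline against the config text posted in this thread. The script below is an added example, not code from the thread or from Samba; it embeds constructed copies of the nsswitch.conf and the idmap lines from the smb.conf above, and uses Praveen's figure of 3506 as the highest pre-upgrade RID. The function names are my own.

```shell
#!/bin/sh
# Constructed copy of the nsswitch.conf from the thread.
NSSWITCH='passwd:         files winbind
group:          files winbind
shadow:         compat'

# Constructed copy of the idmap lines from the thread's smb.conf.
SMBCONF='idmap config * : backend = tdb
idmap config * : range = 4000-7999
idmap config LIN:backend = ad
idmap config LIN:schema_mode = rfc2307
idmap config LIN:range = 10000-999999'

# nss_has_winbind DB CONFIGTEXT: succeeds if the DB line (passwd, group, ...)
# lists winbind as a source; without it, getent never asks winbindd at all.
nss_has_winbind() {
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]*$1:.*[[:space:]]winbind([[:space:]]|\$)"
}

# idmap_range DOMAIN CONFIGTEXT: prints "LOW HIGH" taken from that domain's
# "idmap config DOMAIN : range = LOW-HIGH" line (DOMAIN may be "*").
idmap_range() {
    printf '%s\n' "$2" | awk -v dom="$1" '
        $1 == "idmap" && $2 == "config" {
            line = $0
            sub(/^[ \t]*idmap[ \t]+config[ \t]*/, "", line)
            split(line, kv, "="); split(kv[1], dk, ":")
            d = dk[1]; k = dk[2]; v = kv[2]
            gsub(/[ \t]/, "", d); gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (d == dom && k == "range") { sub(/-/, " ", v); print v }
        }'
}

# id_in_domain_range ID DOMAIN CONFIGTEXT: succeeds if ID lies inside the
# domain's configured range; fails if it is outside or no range is set.
# The ad idmap backend only maps uidNumber/gidNumber values inside its range.
id_in_domain_range() {
    set -- "$1" $(idmap_range "$2" "$3")
    [ -n "$2" ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Worked check with the thread's numbers: highest pre-upgrade RID was 3506.
for db in passwd group; do
    nss_has_winbind "$db" "$NSSWITCH" || echo "nsswitch: $db does NOT consult winbind"
done
if id_in_domain_range 3506 LIN "$SMBCONF"; then
    echo "3506 lies inside the LIN idmap range"
else
    echo "3506 lies outside the LIN idmap range ($(idmap_range LIN "$SMBCONF"))"
fi
```

Run it on a real host by replacing the two constructed variables with `$(cat /etc/nsswitch.conf)` and `$(testparm -s 2>/dev/null)`; an ID outside the domain range explains why winbind returns nothing for that account even though the DC answers.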