Hi Rowland,

The user's ID range would have been below 3600, the current max rid is 3506

The links have been set up following this link, then restarted the samba-ad-dc service

https://wiki.samba.org/index.php/Libnss_winbind_Links

I followed the following to configure the winbindd stuff,

https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

template shell = /bin/bash
template homedir = /home/%U

 9833 pts/0    S+     0:00  \_ grep --color=auto winbind
17196 ?        Ss     0:00  | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
17199 ?        S      0:01  | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground

Regards,

Praveen

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Friday, 8 February 2019 8:01 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Permission issue

On Fri, 8 Feb 2019 06:22:05 +0000
Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi,
>
> We did a classicupgrade of our Ubuntu Server (4.3.11, TDB), the server
> DC5 also hosts shares. Post the migration we are seeing some permission
> issues.
>
> When trying to give permission to a domain group/user to folder/file
> we get the following
>
> chown "LIN\\myadmin:LIN\\adgroup" adtest/
> chown: invalid user: 'LIN\\myadmin:LIN\\adgroup'
>
> wbinfo --ping-dc : checking the NETLOGON for domain[LIN] dc connection
> to "dc5.LIN.group" succeeded
>
> The getent group comes up with no results
> getent group "LIN\\adgroup"
> getent passwd "LIN\\mygroup"
>
>
> Here is the smb.conf
>
> workgroup = LIN
> realm = LIN.GROUP
> netbios name = dc5
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> log file = /var/log/samba/log.%m
> log level = 1
>
> winbind nss info = rfc2307
>
> idmap config * : backend = tdb
> idmap config * : range = 4000-7999
> idmap config LIN:backend = ad
> idmap config LIN:schema_mode = rfc2307
> idmap config LIN:range = 10000-999999

OK, you classicupgraded your NT4-style PDC to an AD DC, did your users
have ID's in the '10000-999999' range before the upgrade ?

Have you set up the libnss-winbind links ?

Rowland

> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> # Template settings for login shell and home directory
> template shell = /bin/bash
> template homedir = /home/%U
>
>
> here is nsswitch.conf
> passwd: files winbind
> group: files winbind
> shadow: compat
>
>
> If the group in question exists in /etc/group it works, because it is
> local. But if the group is new or if the group has been removed from
> /etc/group and AD it doesn't.
>
> We have added the SeDiskOperatorPrivilege to the user making the chown
> calls.
>
> Any suggestions?
>
>
> Regards,
> Praveen Ghimire
>

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
On Fri, 8 Feb 2019 12:12:34 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> The user's ID range would have been below 3600, the current max rid
> is 3506
>
> The links have been set up following this link, then restarted the
> samba-ad-dc service
>
> https://wiki.samba.org/index.php/Libnss_winbind_Links
>
>
> I followed the following to configure the winbindd stuff,
>
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>
>
> template shell = /bin/bash
> template homedir = /home/%U
>
>  9833 pts/0    S+     0:00  \_ grep --color=auto winbind
> 17196 ?        Ss     0:00  | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> 17199 ?        S      0:01  | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>
>
>
> Regards,
>
> Praveen
>
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Rowland Penny via samba
> Sent: Friday, 8 February 2019 8:01 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Permission issue
>
> On Fri, 8 Feb 2019 06:22:05 +0000
> Praveen Ghimire via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > We did a classicupgrade of our Ubuntu Server (4.3.11, TDB), the
> > server DC5 also hosts shares. Post the migration we are seeing some
> > permission issues.
> >
> > When trying to give permission to a domain group/user to
> > folder/file we get the following
> >
> > chown "LIN\\myadmin:LIN\\adgroup" adtest/
> > chown: invalid user: 'LIN\\myadmin:LIN\\adgroup'
> >
> > wbinfo --ping-dc : checking the NETLOGON for domain[LIN] dc
> > connection to "dc5.LIN.group" succeeded
> >
> > The getent group comes up with no results
> > getent group "LIN\\adgroup"
> > getent passwd "LIN\\mygroup"
> >
> >
> > Here is the smb.conf
> >
> > workgroup = LIN
> > realm = LIN.GROUP
> > netbios name = dc5
> > server role = active directory domain controller
> > idmap_ldb:use rfc2307 = yes
> > log file = /var/log/samba/log.%m
> > log level = 1
> >
> > winbind nss info = rfc2307
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 4000-7999
> > idmap config LIN:backend = ad
> > idmap config LIN:schema_mode = rfc2307
> > idmap config LIN:range = 10000-999999
>
> OK, you classicupgraded your NT4-style PDC to an AD DC, did your
> users have ID's in the '10000-999999' range before the upgrade ?
>
> Have you set up the libnss-winbind links ?
>
> Rowland
>
> > vfs objects = acl_xattr
> > map acl inherit = yes
> > store dos attributes = yes
> >
> > # Template settings for login shell and home directory
> > template shell = /bin/bash
> > template homedir = /home/%U
> >
> >
> > here is nsswitch.conf
> > passwd: files winbind
> > group: files winbind
> > shadow: compat
> >
> >
> > If the group in question exists in /etc/group it works, because it
> > is local. But if the group is new or if the group has been removed
> > from /etc/group and AD it doesn't.
> >
> > We have added the SeDiskOperatorPrivilege to the user making the
> > chown calls.
> >
> > Any suggestions?

Yes, let's rewind this conversation. Whilst concentrating on the range,
I totally missed the fact you were doing this on a DC :-(

So, remove these lines:

winbind nss info = rfc2307

idmap config * : backend = tdb
idmap config * : range = 4000-7999
idmap config LIN:backend = ad
idmap config LIN:schema_mode = rfc2307
idmap config LIN:range = 10000-999999

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

Did you miss the warning at the top of this wiki page:

https://wiki.samba.org/index.php/Idmap_config_ad

ID mapping back ends are not supported in the smb.conf file on a Samba
Active Directory (AD) domain controller (DC).

Rowland
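The wiki warning Rowland quotes can be checked mechanically before restarting the DC. The script below is an added example, not code from this thread or from the Samba project: it reads an smb.conf and, when 'server role' says the machine is an AD DC, lists every global 'idmap config ...' line plus 'winbind nss info' (the lines Rowland says to remove) and exits non-zero; on a member server or standalone host those lines are legitimate and it reports nothing. It understands only the smb.conf subset seen here (no 'include =' or 'config file ='), the three accepted spellings of the DC role are an assumption taken from Samba's loadparm table, and the smb.conf it runs on at the end is a constructed sample modelled on the one in the thread, not the poster's actual file.

```shell
#!/bin/sh
# Added example (not the poster's files or Samba project code): lint an smb.conf
# for the ID-mapping settings the Samba wiki says are unsupported on an AD DC.
# Exit status of check_dc_smbconf: 0 = nothing to remove, 1 = findings listed.

# Print the effective [global] value of one parameter (last occurrence wins).
# $1 = smb.conf path, $2 = parameter name in normalised form: lower case with
# all whitespace removed, so "server role" is looked up as "serverrole".
smbconf_param() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/   { s = tolower($0); gsub(/[ \t]/, "", s); section = s; next }
        index($0, "=") == 0 { next }                 # not a "name = value" line
        section != "" && section != "[global]" { next }
        {
            name = substr($0, 1, index($0, "=") - 1)
            val  = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", name); name = tolower(name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == want) last = val
        }
        END { print last }' "$1"
}

# Print "line: text" for every [global] ID-mapping back-end setting: any
# "idmap config ..." parameter, plus "winbind nss info", which only has
# meaning together with an idmap back end. "idmap_ldb:use rfc2307" is left
# alone; it is the DC's own setting and is valid there.
dc_unsupported_lines() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = tolower($0); gsub(/[ \t]/, "", s); section = s; next }
        index($0, "=") == 0 { next }
        section != "" && section != "[global]" { next }
        {
            name = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", name); name = tolower(name)
            if (name ~ /^idmapconfig/ || name == "winbindnssinfo") print NR ": " $0
        }' "$1"
}

check_dc_smbconf() {
    role=$(smbconf_param "$1" serverrole | tr '[:upper:]' '[:lower:]')
    case "$role" in
        # full spelling plus the shorthands assumed from Samba's enum_server_role
        "active directory domain controller"|"domain controller"|dc) ;;
        *)  echo "$1: server role is '${role:-unset}', not an AD DC; this check does not apply"
            return 0 ;;
    esac
    findings=$(dc_unsupported_lines "$1")
    if [ -n "$findings" ]; then
        echo "ID mapping back ends are not supported on an AD DC; remove these lines from $1:"
        echo "$findings"
        return 1
    fi
    echo "$1: no idmap back-end settings in [global], nothing to remove"
    return 0
}

# Stand-alone run on a constructed smb.conf modelled on the one in the thread.
demo_smbconf=$(mktemp) || exit 1
cat > "$demo_smbconf" <<'EOF'
[global]
    workgroup = LIN
    realm = LIN.GROUP
    netbios name = dc5
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    winbind nss info = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 4000-7999
    idmap config LIN:backend = ad
    idmap config LIN:schema_mode = rfc2307
    idmap config LIN:range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/%U
EOF
if check_dc_smbconf "$demo_smbconf"; then
    echo "result: clean"
else
    echo "result: edit smb.conf, run testparm, then restart samba-ad-dc"
fi
rm -f "$demo_smbconf"
```

After removing the reported lines, 'testparm' will confirm the file still parses, and 'getent passwd' / 'getent group' for a domain user or group is the quickest check that winbind on the DC is now resolving names through the libnss_winbind links.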
On Mon, 11 Feb 2019 06:31:21 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> Thank you for that.
>
> I had that link but got a bit confused about whether I should leave it
> or add it. This is because the DC also has file shares, I thought I
> needed to add the idmap configs to enable the domain users to be able
> to access the shares. I'll remove the lines from the smb.conf

I will try and make it a bit more obvious on the Samba wiki.

It isn't recommended to use a DC as a fileserver, this is for various
reasons, but one of them is you haven't got the control that you have
with a Unix domain member.

>
> There is another question that I would request your input on. During
> the classicupgrade we selected the SAMBA INTERNAL as our dns. The DC
> box didn't originally have any DNS roles. That role and DHCP is
> assigned to a different Ubuntu box and is Bind9. I've read somewhere
> in this forum that I can just add the AD zone as a zone in the
> Bind9 (named.conf.local) box and the DC box as the master of the zone.

If you read this wiki page:

https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End

Under the heading 'Introduction', there is this:

BIND must be installed on the same machine as the Samba AD domain
controller (DC).

This is for several reasons, but the main one is, bind_dlz needs to
access the Samba database directly.

Normally you would have the DC be Authoritative for the AD domain and
forward anything outside the AD domain to an external dns server
(note: All DC's are authoritative for the dns domain, it is
multi-master)

As I don't know your setup, I cannot really suggest further, what I can
say is that you can also run a DHCP server on the DC.

>
> Would that work?
> If it does, is there a way we can import all the
> bind9 zones into the Internal DNS automagically or do we need to dump
> the zones out of the Bind9 files and use samba-tool to create them in
> AD?

You should not be using a Samba DC with Bind flatfiles, so you would
probably have to create the zones in AD, except I think you will find
they already exist.

Samba also provides a script to upgrade to Bind9, this is
'samba_upgradedns', see 'samba_upgradedns --help'

Rowland
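For the second half of Praveen's question, dumping the records out of the existing BIND zone files and recreating them with samba-tool, the script below is an added example, not from this thread or from Samba. It reads a BIND zone file and prints one 'samba-tool dns add' command per A, AAAA, CNAME or PTR record; nothing is executed, so the output can be read through first and then run (with -U Administrator) against the DC. Its assumptions: SOA and NS records are skipped because the zone provisioned by classicupgrade already has its own; any other record type is reported as a '# skipped' comment rather than converted; the file has $ORIGIN equal to the zone, one record per line apart from a parenthesised SOA, and no quoted ';' inside data; and samba-tool is assumed to take owner names relative to the zone, '@' for the apex, and CNAME/PTR targets without the trailing dot. The DC name 'dc5' and zone 'lin.group' are taken from the thread; the zone file it runs on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: print (do not run)
# 'samba-tool dns add' commands for the A/AAAA/CNAME/PTR records of a BIND zone
# file. SOA and NS are skipped (a provisioned AD zone has its own); other types
# are reported as '# skipped' comments. Assumes: $ORIGIN, if present, is the
# zone itself; one record per line except a parenthesised SOA; TTL and class
# IN optional; samba-tool wants owner names relative to the zone, '@' for the
# apex and targets without a trailing dot (assumptions about samba-tool).
zone_to_samba_tool() {
    # $1 = DC to send the commands to, $2 = zone name, $3 = zone file
    awk -v dc="$1" -v zone="$2" '
        function rel(n,   z) {            # owner name relative to the zone
            if (n == "@") return "@"
            if (n !~ /\.$/) return n      # already relative
            n = tolower(n); sub(/\.$/, "", n)
            if (n == tolower(zone)) return "@"
            z = "." tolower(zone)
            if (substr(n, length(n) - length(z) + 1) == z)
                return substr(n, 1, length(n) - length(z))
            return n                      # outside the zone, leave as given
        }
        { sub(/;.*/, "") }                # drop comments
        /\(/ { paren = 1 }                # multi-line record (the SOA) starts
        paren { if ($0 ~ /\)/) paren = 0; next }
        NF == 0 { next }
        $1 == "$ORIGIN" || $1 == "$TTL" { next }
        {
            if ($0 ~ /^[ \t]/) i = 1      # blank owner: reuse the previous one
            else { owner = $1; i = 2 }
            if ($i ~ /^[0-9]+$/) i++      # optional TTL
            if (toupper($i) == "IN") i++  # optional class
            type = toupper($i); i++
            data = $i
            for (j = i + 1; j <= NF; j++) data = data " " $j
            if (type == "SOA" || type == "NS") next
            if (type != "A" && type != "AAAA" && type != "CNAME" && type != "PTR") {
                printf "# skipped %s record for %s (%s)\n", type, owner, data
                next
            }
            if (type == "CNAME" || type == "PTR") sub(/\.$/, "", data)
            printf "samba-tool dns add %s %s %s %s %s\n", dc, zone, rel(owner), type, data
        }' "$3"
}

# Stand-alone run on a constructed zone file (not the poster's real zone).
demo_zone=$(mktemp) || exit 1
cat > "$demo_zone" <<'EOF'
; constructed sample zone for lin.group
$TTL 3600
$ORIGIN lin.group.
@           IN SOA   dc5.lin.group. hostmaster.lin.group. (
                     2019021301 ; serial
                     7200 3600 1209600 3600 )
            IN NS    dc5.lin.group.
dc5         IN A     192.0.2.10
fileserver  3600 IN A 192.0.2.20
www         IN CNAME fileserver.lin.group.
mail.lin.group.  IN A 192.0.2.30
@           IN MX    10 mail.lin.group.
EOF
zone_to_samba_tool dc5 lin.group "$demo_zone"
rm -f "$demo_zone"
```

Run it as 'zone_to_samba_tool dc5 lin.group /etc/bind/db.lin.group > add-records.sh', read the file, and only then execute it; records that already exist in AD (the DC's own A record, for instance) will simply be refused by samba-tool rather than duplicated.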
On Wed, 13 Feb 2019 06:36:29 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> The DNS will be in the AD Domain Controller. What I was asking is
> that if you have another DNS server (bind), can we replicate the DNS
> between them?

The DNS records in AD should be replicated to all DC's in the domain
and if you install Bind9 on your Samba AD DC your DC can use it.

> We'll change the DHCP to point the primary DNS to the
> AD box. However, there will be machines (including servers) which
> will be pointing to the existing DNS server. To allow them to
> resolve the new AD zone, what do we do?

If the machines are in the AD domain, they should use an AD DC as
their nameserver.

>
> As it stands, the Samba (NT4) box doesn't have either DHCP or DNS,
> for argument's sake let's call it ServerA. It is handled by another
> Ubuntu server, Server B. When we classicupgrade Server A, it will
> have the DNS set up as part of the upgrade process. The question is do
> I use Samba_Internal or Bind9_DLZ? I've tried both.

The choice is up to you, whatever works best for you, the only thing
to really consider, Bind9 scales better than the internal.

> It sets DNS
> server as it doesn't have much to populate, the AD DNS zone is pretty
> empty. I then set up the smb.conf with dns update = secure and
> nonsecure. I then promoted a 2008R2 box as DC and used powershell
> to dump the zone info from ServerB.

There wouldn't be much in the AD DNS zones, it is a new AD domain.

I don't understand why you needed the 2008R2, you could have done the
same with bash etc.

>
> I was thinking of setting up Server A as secondary DNS server in
> Server B to resolve the AD DNS zones.

I am sure I have already said this, but, ALL Samba AD DC's are
authoritative for the DNS domain, they cannot be secondary servers,
you also shouldn't be using flatfiles with Bind9 and Samba AD DC's.

Rowland
On Wed, 13 Feb 2019 09:11:43 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> Used the 2008R2 box as I already had done up a script a while ago.
> The problem I found is that I could update the DNS record on the
> Samba AD server using the script but not the Windows AD box. It came
> up with permission denied. I checked the dns update setting and it
> was set to both secure and unsecure (in DNS and also in smb.conf). I
> was running the script as the Domain Administrator.

Try reading this:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

>
> The Server B I mentioned is not joined to the domain (Samba NT4 or
> AD), it's just a standalone Ubuntu box with bind/dhcp and some other
> application. This part of the project doesn't cover the DNS and DHCP
> migration from ServerB to the AD box.

Then it shouldn't hold any AD dns records, though it could be used as
a forwarder by the AD DC's

>
> Just a curiosity, how long before the classicupgrade do the clients
> start seeing and joining the AD domain? I know there is no reverting
> back the changes once they do, if we gauge the time lapse, it might
> help us. The one way I have been testing is shutting down all
> windows VMs bar the Samba box and a Windows server. If I see some
> issues, then we just revert back the /var/lib/samba and etc files and
> stop the ad-dc service and restart the samba services, seems to work
> well, till now

If any of your existing clients 'see' the AD DC, that's it, they will
not connect to the old PDC again.

Rowland