samba - Jun 2019 - chown and AD users

Hi everyone,

I want to set ACL's on some directories for AD users with chown command, 
but it doesn't work.

wbinfo -u is ok and return all users. i.e :

DOMAIN\administrator
DOMAIN\user
...

if I try :
      #chown -R "DOMAIN\user" /my_dir

I obtain this :
     chown: incorrect user : "DOMAIN\\user"

chown systematically "adds" a backslash, but I don't know if
it's the
real cause of the problem.

If I set user without DOMAIN, it doesn't work too.

Any idea to fix that ?

Thanks in advance.

On 03/06/2019 14:43, Nicolas Boissé via samba wrote:
> Hi everyone,
>
> I want to set ACL's on some directories for AD users with chown 
> command, but it doesn't work.
>
> wbinfo -u is ok and return all users. i.e :
>
> DOMAIN\administrator
> DOMAIN\user
OK, your AD has Windows users
> ...
>
> if I try :
>      #chown -R "DOMAIN\user" /my_dir
>
> I obtain this :
>     chown: incorrect user : "DOMAIN\\user"
>
> chown systematically "adds" a backslash, but I don't know if
it's the
> real cause of the problem.
OH look, your Unix OS doesn't know your Windows AD users

Just because wbinfo shows your users means nothing to Unix, until 
'getent passwd username' does.

What is this on ?

A Samba AD DC or a Unix domain member ?

Can you post your smb.conf and /etc/nsswitch.conf

Rowland

On 03/06/2019 15:17, Nico wrote:
> Sorry, I forgot to precise : It's on a Samba AD DC (v4.10.3 and CentOS 
> 7).
>
> My smb.conf :
>
> [global]
>     server role = active directory domain controller
>     netbios name = server_name
>     realm = DOMAIN.LAN
>     workgroup = DOMAIN
>
>     server services = -dns
>
>     idmap_ldb:use rfc2307 = yes
>
>     bind interfaces only = yes
>     interfaces = p3p1
>
Nothing wrong with the lines above
> idmap config DOMAIN:range = 600-4000000
>     idmap config DOMAIN:backend = tdb
>     idmap uid = 600-4000000
>     idmap gid = 600-4000000
>
>     winbind gid = 600-4000000
>     winbind uid = 600-4000000
Well, if you are going to get it wrong, you might as well get it 
absolutely totally wrong ;-)

To put it another way, remove the lines above, they have no place in a 
Samba AD DC smb.conf
> winbind enum groups = yes
>     winbind enum users = yes
Remove the lines above once you are sure everything is working
correctly
> winbind use default domain = yes
The line above doesn't work on a DC
> winbind nested groups = yes
>     winbind refresh tickets = yes
>
>     vfs objects = acl_xattr
>     map acl inherit = yes
>     store dos attributes = yes
>
The three lines above definitely shouldn't be in a Samba DC
smb.conf
> log level = 3
>     log file = /var/log/samba/samba_ad.log
>     max log size = 50
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/ensim.univ-lemans.fr/scripts
>     read only = No
>
> My nsswitch.conf :
> Signature mail
> passwd:     compat winbind
> shadow:     compat winbind
> group:      compat winbind
Remove 'winbind' from the 'shadow' line, it can cause problems
and
doesn't actually do anything.
>
> hosts:      files dns wins
>
AD runs on DNS, it doesn't use wins.

Do the libnss_winbind links exist ?

does 'getent passwd username' produce output ?

Rowland

On Mon, Jun 3, 2019 at 10:58 AM Rowland penny via samba
<samba at lists.samba.org> wrote:
>
> On 03/06/2019 15:17, Nico wrote:
> > Sorry, I forgot to precise : It's on a Samba AD DC (v4.10.3 and
CentOS
> > 7).
That took me a few moments checking to realize it was "Nicolas" and
not me!

Nico Kadel-Garcia