John Redmond
2019-Oct-22 18:43 UTC
[Samba] Samba domain users AWOL from Samba file server.
Unfortunately, the Ubuntu 18.04 samba-tool package doesn't have "user show" as an option. The Windows ADUC tool shows user1 uidNumber=10001, user2 uidNumber=10002, user3 uidNumber=10003, and user4 uidNumber=10004.

Here are the getent command results on the file server/domain member:

admin@fsvr0:~$ getent passwd user1
hq-user1:*:11103:10513::/home/lan/user1:/bin/bash
admin@fsvr0:~$ getent passwd user2
hq-user2:*:11106:10513::/home/lan/user2:/bin/bash
admin@fsvr0:~$ getent passwd user3
admin@fsvr0:~$ getent passwd user4
admin@fsvr0:~$ getent group "Domain Users"
domain_users:x:10513:user1,user2,user3,user4,administrator,krbtgt

On Tue, Oct 22, 2019 at 2:12 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 22/10/2019 18:58, John Redmond wrote:
> > Thanks, Rowland. Here's the smb.conf file on the Unix domain member.
> > I know you are not a fan of winbind enum, but I add it to see if it
> > helped.
>
> It isn't that I am not a fan of 'winbind enum', it is that it only does
> two things:
>
> It enumerates users and groups (which isn't actually required)
>
> It slows things down
>
> I would only use the two lines for testing purposes, once you are sure
> everything is working, I would suggest you comment them out.
>
> > #/etc/samba/smb.conf
> > [global]
> >
> > workgroup = SAMDOM
> > realm = SAMDOM.EXAMPLE.COM
> > security = ADS
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > server string = Samba File Server %h (Ubuntu 18.04)
> >
> > idmap config * : backend = tbd
> > idmap config * : range = 3000-7999
> > idmap config SAMDOM : backend = ad
> > # idmap config SAMDOM : backend = rid
> > idmap config SAMDOM : schema_mode = rfc2307
> > idmap config SAMDOM : range = 10000-99999
> >
> > template homedir = /home/samdom/%U
> > template shell = /bin/bash
> >
> > winbind use default domain = true
> > winbind expand groups = 2
> > winbind refresh tickets = yes
> > winbind normalize names = yes
> > # winbind offline logon = yes
> > winbind nss info = rfc2307
> > winbind enum users = yes
> > winbind enum groups = yes
> >
> > domain master = no
> > local master = no
> > preferred master = no
> > # os level = 20
> > # map to guest = bad user
> > # host msdfs = no
> >
> > vfs objects = acl_xattr
> > map acl inherit = yes
> > store dos attributes = yes
> >
> > # dns proxy = no
> >
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> >
> > syslog = 0
> > log level = 1
> > #auth:5 winbind:5
> >
> > #Disable printing completely
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> >
> > [profiles]
> > comment = User and group files
> > path = /home/lan
> > guest ok = no
> > browseable = no
> > create mask = 0600
> > directory mask = 0700
> >
> > [allusers]
> > comment = Company-wide files
> > path = /home/lan/allusers
> > guest ok = no
> > browseable = yes
> > create mask = 0600
> > directory mask = 0700
> >
> > [accounting]
> > comment = Bookkeeping and accounting files
> > path = /home/lan/accounting
> > guest ok = no
> > browseable = no
> > create mask = 0600
> > directory mask = 0700
>
> If you think that the missing users shouldn't be missing because they
> have the correct uidNumber attributes, then I suggest you check in AD,
> the easiest way would be to use samba-tool on the DC:
>
> samba-tool user show <username>
>
> Look for the uidNumber attribute
>
> Rowland
Rowland penny
2019-Oct-22 18:56 UTC
[Samba] Samba domain users AWOL from Samba file server.
On 22/10/2019 19:43, John Redmond wrote:
> Unfortunately, the Ubuntu 18.04 samba-tool package doesn't have
> "user show" as an option. The Windows ADUC tool shows user1 uidNumber
> =10001, user2 uidNumber=10002, user3 uidNumber =10003, and user4
> uidNumber=10004

OK, try this:

samba-tool user edit user3 --editor=nano

I take it you have tried 'net cache flush'

Rowland
Rowland penny
2019-Oct-22 19:54 UTC
[Samba] Samba domain users AWOL from Samba file server.
On 22/10/2019 20:32, John Redmond wrote:
> Running net cache flush does not help. Here's the result on
> samba-tool user edit user3 --editor=nano

If we strip that down to the important lines:

dn: CN=user3,CN=Users,DC=samdom,DC=example,DC=com
primaryGroupID: 513
sAMAccountName: user3
uidNumber: 10103

dn: CN=user2,CN=Users,DC=samdom,DC=example,DC=com
primaryGroupID: 513
sAMAccountName: user2
uidNumber: 10102

Then, for the life of me, I cannot see any difference. Both users exist and have a uidNumber inside your DOMAIN range.

I seem to remember something like this coming up before and the cure was (if I remember correctly) to delete and recreate the user.

Rowland
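
Added example, not part of the thread and not Samba project code: the by-eye check above (does each uidNumber fall inside the domain's idmap range?) done mechanically over the idmap lines as posted, and extended to flag backend names Samba does not ship and overlapping ranges. The function names and the `svc-old` and `newhire` accounts are constructed for illustration.

```python
import re

# Backends Samba ships as idmap_<name> modules.
KNOWN_BACKENDS = {"ad", "autorid", "hash", "ldap", "nss", "rfc2307",
                  "rid", "script", "tdb", "tdb2"}
IDMAP_RE = re.compile(r"^idmap config\s+([^\s:]+)\s*:\s*([^=]+?)\s*=\s*(.+)$", re.I)

# idmap lines as posted in the thread.
SMB_CONF = """
idmap config * : backend = tbd
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = ad
# idmap config SAMDOM : backend = rid
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-99999
"""
# user2/user3 are from the thread; the other two are constructed samples.
UID_NUMBERS = {"user2": 10102, "user3": 10103, "svc-old": 5000, "newhire": None}

def parse_idmap(text):
    """Return {domain: {option: value}}, skipping commented-out lines."""
    cfg = {}
    for line in map(str.strip, text.splitlines()):
        m = None if line.startswith(("#", ";")) else IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3).strip()
    return cfg

def audit(text, domain, uid_numbers):
    """List reasons why winbind's 'ad' backend would fail to map a user."""
    findings, ranges = [], {}
    for dom, opts in parse_idmap(text).items():
        if opts.get("backend") not in KNOWN_BACKENDS:
            findings.append(f"{dom}: unknown backend {opts.get('backend')!r}")
        low, _, high = opts.get("range", "").partition("-")
        if low.strip().isdigit() and high.strip().isdigit():
            ranges[dom] = (int(low), int(high))
        else:
            findings.append(f"{dom}: missing or malformed range")
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, r1), (d2, r2) in zip(ordered, ordered[1:]):
        if r2[0] <= r1[1]:  # a later range starts before the previous one ends
            findings.append(f"{d1}/{d2}: ranges overlap")
    lo, hi = ranges.get(domain.upper(), (1, 0))  # empty range if domain is absent
    for user, uid in uid_numbers.items():
        if uid is None:
            findings.append(f"{user}: no uidNumber attribute")
        elif not lo <= uid <= hi:
            findings.append(f"{user}: uidNumber {uid} outside {lo}-{hi}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SMB_CONF, "SAMDOM", UID_NUMBERS)))
```

On the posted lines, user2 and user3 pass the range check; the findings are the `tbd` backend on the default domain and the two constructed accounts.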
Rowland penny
2019-Oct-23 07:22 UTC
[Samba] Samba domain users AWOL from Samba file server.
On 22/10/2019 22:34, John Redmond wrote:
> Rebooted both machines, and I got nothing from getent passwd and
> getent group.
>
> Referred to your notes from yesterday. The following lines seem to
> have fixed it so getent passwd finds all users and getent group finds
> "Domain Users"
>
> sudo systemctl start smbd
> sudo systemctl start nmbd
> sudo systemctl start winbind

Then I would check just what is being started at boot, rebooting should have started them for you ;-)

Rowland