Marco Gaiarin
2019-Dec-03 16:51 UTC
[Samba] Account locked and delayed user data propagation...
Hi! On that day Rowland penny via samba wrote...

> Do you mean apart from '$((${LOT} + ${LOD}))' should really be
> '$((LOT+LOD))' ?

Apart from the bashism, this seems not to be the point:

root at vdcsv1:~# bash -vx /tmp/test
LOT=1
+ LOT=1

LOD=1
+ LOD=1

TMPF=$((${LOT} + ${LOD}))
+ TMPF=2
echo $TMPF
+ echo 2
2

TMPF=$((LOT+LOD))
+ TMPF=2
echo $TMPF
+ echo 2
2

> I take it that you are calling the function like this: user_is_locked gaio
> try it like this: res=$(user_is_locked gaio)
> change all 'return' to 'echo'
> Then check what "$res" is

I've run the script manually with 'bash -x', and so I've seen that LOT
is non zero, while LOD is zero.

But clearly 'LockoutTime' is in the past, and with a duration of
zero... it is still in the past. ;-)

So, I restate the question: how can I determine if an account is locked
with an LDAP query?!

Thanks.

-- 
dott. Marco Gaiarin                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
Rowland penny
2019-Dec-03 17:11 UTC
[Samba] Account locked and delayed user data propagation...
On 03/12/2019 16:51, Marco Gaiarin via samba wrote:
> Hi! On that day Rowland penny via samba wrote...
>
>> Do you mean apart from '$((${LOT} + ${LOD}))' should really be
>> '$((LOT+LOD))' ?
> Apart from the bashism, this seems not to be the point:
>
> root at vdcsv1:~# bash -vx /tmp/test
> LOT=1
> + LOT=1
>
> LOD=1
> + LOD=1
>
> TMPF=$((${LOT} + ${LOD}))
> + TMPF=2
> echo $TMPF
> + echo 2
> 2
>
> TMPF=$((LOT+LOD))
> + TMPF=2
> echo $TMPF
> + echo 2
> 2
>
>
>> I take it that you are calling the function like this: user_is_locked gaio
>> try it like this: res=$(user_is_locked gaio)
>> change all 'return' to 'echo'
>> Then check what "$res" is
> I've run the script manually with 'bash -x', and so I've seen that LOT
> is non zero, while LOD is zero.
>
> But clearly 'LockoutTime' is in the past, and with a duration of
> zero... it is still in the past. ;-)
>
>
> So, I restate the question: how can I determine if an account is locked
> with an LDAP query?!
>
>
> Thanks.
>

I think you are overthinking this ;-)

By default, a user object doesn't have a lockouttime attribute, so it isn't
locked out. If it does have a lockouttime attribute, it can be zero or non
zero; if it is zero, it isn't locked out. If it is non zero, the account is
locked out.

So, all you need to do is check for the lockouttime attribute and, if it is
found and it isn't '0', set it to '0'.

Rowland
Marco Gaiarin
2019-Dec-04 11:21 UTC
[Samba] Account locked and delayed user data propagation...
Hi! On that day Rowland penny via samba wrote...

> I think you are overthinking this ;-)

I'm simply applying the policy... ;-)

https://docs.microsoft.com/it-it/windows/win32/adschema/a-lockouttime

says at the bottom:

    This attribute value is only reset when the account is logged onto
    successfully. This means that this value may be non zero, yet the
    account is not locked out. To accurately determine if the account is
    locked out, you must add the Lockout-Duration to this time and compare
    the result to the current time, accounting for local time zones and
    daylight savings time.

> So, all you need to do is check for the lockouttime attribute and if it is
> found and it isn't '0', set it to '0'

Better to file a bug? Or is there an operational field like
'LockoutExpiration' to test with?

Thanks.
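The rule quoted from the Lockout-Time documentation, carried through in code as an added example (not code from either poster). It reads the user's lockoutTime and the domain's lockoutDuration from LDIF-style text of the kind ldbsearch prints, and reports an account as locked only while lockoutTime plus lockoutDuration is still in the future; a non-zero but expired lockoutTime, including the zero-duration case from the thread, is reported as stale, not locked. The sample records, the `example.invalid` domain and the `-2**63` "locked until an administrator unlocks" sentinel are assumptions for the example.

```python
"""Decide whether an AD account is locked out from its LDAP attributes.

Added example for this thread; it is not code from either poster. It applies
the rule quoted from the Lockout-Time documentation above: an account counts
as locked only while lockoutTime + lockoutDuration is still in the future.
A stale lockoutTime (one whose window has expired) is NOT a locked account.

Assumptions (not from the thread): the user entry's lockoutTime and the domain
object's lockoutDuration are read from LDIF-style output such as ldbsearch
prints; lockoutDuration is AD's usual negative 100-nanosecond interval; and
the value -2**63 is AD's "locked until an administrator unlocks it" sentinel.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Windows FILETIME epoch
NEVER_EXPIRES = -(2 ** 63)  # assumption: AD sentinel for "no automatic unlock"

# Constructed sample records in the style of ldbsearch output (not real data).
SAMPLE_USER_LDIF = """\
dn: CN=gaio,CN=Users,DC=example,DC=invalid
sAMAccountName: gaio
lockoutTime: 132198480000000000
"""
SAMPLE_DOMAIN_LDIF = """\
dn: DC=example,DC=invalid
lockoutThreshold: 5
lockoutDuration: -18000000000
"""


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert 100-ns ticks since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime (microsecond precision)."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    micros = delta.days * 86_400 * 1_000_000 + delta.seconds * 1_000_000 + delta.microseconds
    return micros * 10


def ldif_attr(text: str, name: str):
    """Return the first value of attribute `name` in LDIF-style text, or None."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def is_locked_out(lockout_time, lockout_duration, now=None):
    """Return (locked: bool, reason: str) for one account.

    lockout_time: the user's lockoutTime (int or numeric string), or None/0
                  when the attribute is absent.
    lockout_duration: the domain's lockoutDuration (negative 100-ns interval).
    """
    now = now or datetime.now(timezone.utc)
    ticks = int(lockout_time or 0)
    if ticks == 0:
        return False, "lockoutTime absent or 0: never locked, or already unlocked"
    locked_at = filetime_to_datetime(ticks)
    duration = int(lockout_duration or 0)
    if duration == NEVER_EXPIRES:
        return True, f"locked since {locked_at:%Y-%m-%d %H:%M:%S} UTC until an admin unlocks it"
    # AD stores the interval as a negative number; abs() also accepts a positive one.
    unlock_at = locked_at + timedelta(microseconds=abs(duration) // 10)
    if now < unlock_at:
        return True, f"locked until {unlock_at:%Y-%m-%d %H:%M:%S} UTC"
    # The case from the thread: a non-zero lockoutTime whose window (even a
    # zero-length one) is already in the past means NOT locked.
    return False, f"stale lockoutTime: lockout expired at {unlock_at:%Y-%m-%d %H:%M:%S} UTC"


def check_ldif(user_ldif: str, domain_ldif: str, now=None):
    """Pull the two attributes out of LDIF text and evaluate them."""
    return is_locked_out(ldif_attr(user_ldif, "lockoutTime"),
                         ldif_attr(domain_ldif, "lockoutDuration"), now)


if __name__ == "__main__":
    # Evaluate the constructed sample ten minutes after the lockout was recorded.
    probe = filetime_to_datetime(132198480000000000) + timedelta(minutes=10)
    print(check_ldif(SAMPLE_USER_LDIF, SAMPLE_DOMAIN_LDIF, now=probe))
```

Everything is compared in UTC, which sidesteps the time-zone and daylight-saving caveat in the quoted documentation: FILETIME values are UTC already, so only the "current time" has to be taken as UTC. If a password-settings object (PSO) applies to the user, its msDS-LockoutDuration takes precedence over the domain value; the example takes whichever duration value the caller passes in.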
Howard Fleming
2019-Dec-08 18:18 UTC
[Samba] Building a replacement Samba4 server to replace a Samba3 system, running into file rights issues.
I am building a Samba4 setup to replace a Samba3 server I built for a
small non profit school back in 2012.

It is running CentOS 6.x, samba version 3.6.23-52.el6_10.  Rather than
attempt to upgrade this system to Samba4, it makes more sense (to me at
least) to build a new server and move the data.

Currently I have 2 samba servers running as virtual machines under kvm.
One is the AD server, the other is a member server that is running the
file shares.  The kvm server and the samba servers are all running
Debian 10, and I am using the default Debian 10 repos for the samba
packages.

The current problem I am running into is the rights on the shares for
the users.  When I create a user via aduc, and set the home directory,
it gets created as it should, but all users can see all the home
directories, including contents.  I am also running into rights issues
with the shared directories.

I can join Windows 10 and 7 computers into AD without any issues, so I
am assuming I set something up wrong, either in AD or when I added the
2nd server for file services.

Config info for the 2 servers follows:

AD server

Collected config  --- 2019-11-30-09:05 -----------

Hostname: srv1
DNS Domain: brec.example.org
FQDN: srv1.brec.example.org
ipaddress: 192.168.15.4

-----------

Kerberos SRV _kerberos._tcp.brec.example.org record verified ok, sample output:
Server:         192.168.15.4
Address:        192.168.15.4#53

_kerberos._tcp.brec.example.org service = 0 100 88 srv1.brec.example.org.

Samba is running as an AD DC

-----------

Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------

This computer is running Debian 10.2 x86_64

-----------

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:0e:ca:e6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.15.4/24 brd 192.168.15.255 scope global enp1s0
    inet6 fe80::5054:ff:fe0e:cae6/64 scope link

-----------

Checking file: /etc/hosts
127.0.0.1       localhost
192.168.15.4    srv1.brec.example.org srv1

# The following lines are desirable for IPv6 capable hosts
# ::1     localhost ip6-localhost ip6-loopback
# ff02::1 ip6-allnodes
# ff02::2 ip6-allrouters

-----------

Checking file: /etc/resolv.conf
domain brec.example.org
search brec.example.org. example.org.
nameserver 192.168.15.4

-----------

Checking file: /etc/krb5.conf
[libdefaults]
    default_realm = BREC.EXAMPLE.ORG
    dns_lookup_realm = false
    dns_lookup_kdc = true

-----------

Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat files systemd
group:          compat files systemd
shadow:         compat files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

Checking file: /etc/samba/smb.conf
# Global parameters
[global]
    dns forwarder = 192.168.15.1
    netbios name = SRV1
    realm = BREC.EXAMPLE.ORG
    server role = active directory domain controller
    workgroup = BREC
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
    template homedir = /home/%U

[netlogon]
    path = /var/lib/samba/sysvol/brec.example.org/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

-----------

BIND_DLZ not detected in smb.conf

-----------

Installed packages:
ii  attr                      1:2.4.48-4              amd64  utilities for manipulating filesystem extended attributes
ii  krb5-config               2.6                     all    Configuration files for Kerberos Version 5
ii  krb5-locales              1.17-3                  all    internationalization support for MIT Kerberos
ii  krb5-user                 1.17-3                  amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64             2.2.53-4                amd64  access control list - shared library
ii  libattr1:amd64            1:2.4.48-4              amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64    1.17-3                  amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64           1.17-3                  amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64     1.17-3                  amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64      2:4.9.5+dfsg-5+deb10u1  amd64  Samba nameservice integration plugins
ii  libpam-winbind:amd64      2:4.9.5+dfsg-5+deb10u1  amd64  Windows domain authentication integration plugin
ii  libsmbclient:amd64        2:4.9.5+dfsg-5+deb10u1  amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64        2:4.9.5+dfsg-5+deb10u1  amd64  Samba winbind client library
ii  python-samba              2:4.9.5+dfsg-5+deb10u1  amd64  Python bindings for Samba
ii  samba                     2:4.9.5+dfsg-5+deb10u1  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common              2:4.9.5+dfsg-5+deb10u1  all    common files used by both the Samba server and client
ii  samba-common-bin          2:4.9.5+dfsg-5+deb10u1  amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64  2:4.9.5+dfsg-5+deb10u1  amd64  Samba Directory Services Database
ii  samba-libs:amd64          2:4.9.5+dfsg-5+deb10u1  amd64  Samba core libraries
ii  samba-vfs-modules:amd64   2:4.9.5+dfsg-5+deb10u1  amd64  Samba Virtual FileSystem plugins
ii  smbclient                 2:4.9.5+dfsg-5+deb10u1  amd64  command-line SMB/CIFS clients for Unix
ii  winbind                   2:4.9.5+dfsg-5+deb10u1  amd64  service to resolve user and group information from Windows NT servers

-----------

Member server, for file services:

Collected config  --- 2019-11-30-10:16 -----------

Hostname: srv2
DNS Domain: brec.example.org
FQDN: srv2.brec.example.org
ipaddress: 192.168.15.5

-----------

Kerberos SRV _kerberos._tcp.brec.example.org record verified ok, sample output:
Server:         192.168.15.4
Address:        192.168.15.4#53

_kerberos._tcp.brec.example.org service = 0 100 88 srv1.brec.example.org.

Samba is running as a Unix domain member

-----------

Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------

This computer is running Debian 10.2 x86_64

-----------

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:73:02:4b brd ff:ff:ff:ff:ff:ff
    inet 192.168.15.5/24 brd 192.168.15.255 scope global enp1s0
    inet6 fe80::5054:ff:fe73:24b/64 scope link

-----------

Checking file: /etc/hosts
127.0.0.1       localhost
192.168.15.5    srv2.brec.example.org srv2

# The following lines are desirable for IPv6 capable hosts
# ::1     localhost ip6-localhost ip6-loopback
# ff02::1 ip6-allnodes
# ff02::2 ip6-allrouters

-----------

Checking file: /etc/resolv.conf
domain example.org
search brec.example.org. example.org.
nameserver 192.168.15.4

-----------

Checking file: /etc/krb5.conf
[libdefaults]
        default_realm = BREC.EXAMPLE.ORG
        dns_lookup_realm = false
        dns_lookup_kdc = true
    forwardable = true
    proxiable = true
;    ticket_lifetime = 24h
;    renew_lifetime = 7d
;    ccache_type = 4
;
; Enable this one if you have a tight setup where only the user can enter the user home dir.
; You might need it with cifs mounts, nfs mounts
;    ignore_k5login = true
; A note: This is not used for nfs4 but cifs uses it.
; for Windows 2003
;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;
; for Windows 2008 with AES
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

-----------

Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat files systemd winbind
group:          compat files systemd winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

Checking file: /etc/samba/smb.conf
# Global parameters
[global]
        realm = BREC.EXAMPLE.ORG
        workgroup = BREC
    security = ADS
#
    preferred master = no
    domain master = no
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
#
    idmap config * : backend = tdb
    idmap config * : range = 3000-7000
#
    idmap config BREC : backend = ad
    idmap config BREC : schema_mode = rfc2307
    idmap config BREC : range = 10000-999999
# idmap config BREC : unix_nss_info = yes # Only in Samba 4.6+
        template shell = /bin/bash
        template homedir = /brecdata/user/%U

# Renew the kerberos tickets
    winbind refresh tickets = yes
# Enable offline logins
    winbind offline logon = yes
# User uid/Gid from AD. (rfc2307)
    winbind nss info = rfc2307
#
# With default domain, wbinfo -u, yes = username, no is SAMBADOM\username
    winbind use default domain = yes
#    winbind trusted domains only = no

# Keep no in production, set yes when debugging, this slows down your samba.
    winbind enum users  = no
    winbind enum groups = no

# Check depth of nested groups, ! slows down you samba, if to much groups depth
# Samba default is 0, i suggest a minimal of 2 in this setup, advices is 4.
    winbind expand groups = 4

# User Administrator workaround, without it you are unable to set privileges
# !Note: When using the AD ID mapping back end, do not set the uidNumber attribute for the domain administrator account.
# If the account has the attribute set, the value overrides the local UID 0 of the root user and thus the mapping fails.
    username map = /etc/samba/samba_usermapping

# disable usershares creating, when set empty no error log messages.
    usershare path

# Disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
#
# For Windows ACL support on member file server, enabled globaly, OBLIGATED
# For a mixed setup of rights, put this per share!
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
#
# Share Setting Globally
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes
#
######## SHARE DEFINITIONS ##################

[samba$]
    # Used for Administrative things only.
    browseable = yes
    path = /brecdata/samba
    read only = no

[profiles]
    # user profiles folder
    browseable = yes
    path = /brecdata/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes

[users]
    # user homedirs
    browseable = yes
    path = /brecdata/users
    read only = no
    acl_xattr:ignore system acl = yes

[staff]
    # data share for domain/company
    browseable = yes
    path = /brecdata/staff
    read only = no

[hr]
    # data share for hr files
    browseable = yes
    path = /brecdata/hr
    read only = no

[sysadmin]
    # sysadmin related files
    browseable = yes
    path = /brecdata/sysadmin
    read only = no

-----------

Running as Unix domain member and user.map detected.
Contents of /etc/samba/samba_usermapping
!root = BREC\Administrator BREC\administrator

Server Role is set to :  auto

-----------

Installed packages:
ii  acl                       2.2.53-4                amd64  access control list - utilities
ii  attr                      1:2.4.48-4              amd64  utilities for manipulating filesystem extended attributes
ii  krb5-config               2.6                     all    Configuration files for Kerberos Version 5
ii  krb5-locales              1.17-3                  all    internationalization support for MIT Kerberos
ii  krb5-user                 1.17-3                  amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64             2.2.53-4                amd64  access control list - shared library
ii  libattr1:amd64            1:2.4.48-4              amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64    1.17-3                  amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64           1.17-3                  amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64     1.17-3                  amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64      2:4.9.5+dfsg-5+deb10u1  amd64  Samba nameservice integration plugins
ii  libpam-winbind:amd64      2:4.9.5+dfsg-5+deb10u1  amd64  Windows domain authentication integration plugin
ii  libsmbclient:amd64        2:4.9.5+dfsg-5+deb10u1  amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64        2:4.9.5+dfsg-5+deb10u1  amd64  Samba winbind client library
ii  python-samba              2:4.9.5+dfsg-5+deb10u1  amd64  Python bindings for Samba
ii  samba                     2:4.9.5+dfsg-5+deb10u1  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common              2:4.9.5+dfsg-5+deb10u1  all    common files used by both the Samba server and client
ii  samba-common-bin          2:4.9.5+dfsg-5+deb10u1  amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64  2:4.9.5+dfsg-5+deb10u1  amd64  Samba Directory Services Database
ii  samba-libs:amd64          2:4.9.5+dfsg-5+deb10u1  amd64  Samba core libraries
ii  samba-vfs-modules:amd64   2:4.9.5+dfsg-5+deb10u1  amd64  Samba Virtual FileSystem plugins
ii  smbclient                 2:4.9.5+dfsg-5+deb10u1  amd64  command-line SMB/CIFS clients for Unix
ii  winbind                   2:4.9.5+dfsg-5+deb10u1  amd64  service to resolve user and group information from Windows NT servers

-----------

The intent is to manage the system using rsat, and all client machines
will be running windows 10 once this is done.

All user data, home directories and shared directories are on srv2,
located under \brecdata.

If you need any more info, let me know, I am sure I left something
out.... :o).

Thanks,
Howard
Rowland penny
2019-Dec-08 20:01 UTC
[Samba] Building a replacement Samba4 server to replace a Samba3 system, running into file rights issues.
On 08/12/2019 18:18, Howard Fleming via samba wrote:
> I am building a Samba4 setup to replace a Samba3 server I built for a
> small non profit school back in 2012.
>
> It is running CentOS 6.x, samba version 3.6.23-52.el6_10.  Rather than
> attempt to upgrade this system to Samba4, it makes more sense (to me
> at least) to build a new server and move the data.

Good plan, at least you start without any bad ideas from an NT4-style domain

> Currently I have 2 samba servers running as virtual machines under
> kvm.  One is the AD server, the other is a member server that is
> running the file shares.  The kvm server and the samba servers are all
> running Debian 10, and I am using the default Debian 10 repos for the
> samba packages.
>
> The current problem I am running into is the rights on the shares for
> the users.  When I create a user via aduc, and set the home directory,
> it gets created as it should, but all users can see all the home
> directories, including contents.  I am also running into rights issues
> with the shared directories.

How are the users' home directories being created, are you using
pam_mkhomedir ? If so, this could be your problem.

> I can join Windows 10 and 7 computers into AD without any issues, so
> I am assuming I set something up wrong, either in AD or when I added
> the 2nd server for file services.

Just a few notes on your files:

I would remove example.com from the search line in the /etc/resolv.conf
files

You do not need the template lines in the DC smb.conf, you are not
allowing anyone to log in.

I would also install the libpam-krb5 package on both machines

On the Member server, you have commented out 'idmap config BREC :
unix_nss_info = yes' which is correct for your version of Samba, but you
have 'winbind nss info = rfc2307' which is wrong for your Samba version.

You also have:

        template shell = /bin/bash
        template homedir = /brecdata/user/%U

Which means that you are not using the RFC2307 attributes in AD, so you
don't need 'idmap config BREC : unix_nss_info = yes' anyway

You do not need to set 'browseable = yes' on the shares, it is the
default

It might help if you read this:

https://wiki.samba.org/index.php/User_Home_Folders

Rowland
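A check for the symptom reported above (every user can list every home directory), as an added example that is neither Howard's nor Rowland's code. It audits the POSIX owner and mode of each per-user directory under a share root, for a layout where each directory is named after its user as `template homedir = /brecdata/user/%U` produces, and flags directories that group or others can read or enter, which is what a home directory created with a 0022 umask (pam_mkhomedir's default) looks like. The sample tree, the user names and the temporary directory are constructed for the example; with `acl_xattr:ignore system acl = yes` the SMB-visible ACL is the NT ACL Samba stores in the `security.NTACL` xattr, so the audit reports whether that xattr is present but does not decode it.

```python
"""Audit per-user home directories for permissions that expose them to everyone.

Added example for this thread; it is not Howard's or Rowland's code. It checks
the symptom described above (every user can see every home directory) at the
POSIX layer, for a layout where each directory is named after its owner, as
'template homedir = /brecdata/user/%U' produces.

Assumptions (not from the thread): a directory is "exposed" if its mode gives
group or others read or search permission, or if it is not owned by the user
it is named after. With 'acl_xattr:ignore system acl = yes' the SMB-visible
ACL is the NT ACL Samba keeps in the security.NTACL xattr; the audit reports
whether that xattr is present but does not decode it.
"""
import os
import pwd
import stat
import tempfile

NTACL_XATTR = "security.NTACL"   # xattr name used by Samba's acl_xattr module on Linux


def audit_home_dir(path: str, expected_owner: str) -> dict:
    """Inspect one directory and return a report with a list of findings."""
    st = os.lstat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:                      # uid with no passwd entry (e.g. unmapped SID)
        owner = str(st.st_uid)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if owner != expected_owner:
        findings.append(f"owned by {owner}, expected {expected_owner}")
    if mode & (stat.S_IRGRP | stat.S_IXGRP):
        findings.append(f"group can list or enter it (mode {mode:04o})")
    if mode & (stat.S_IROTH | stat.S_IXOTH):
        findings.append(f"everyone can list or enter it (mode {mode:04o})")
    try:
        has_ntacl = NTACL_XATTR in os.listxattr(path)
    except (OSError, AttributeError):     # no xattr support on this platform/filesystem
        has_ntacl = False
    return {"path": path, "owner": owner, "mode": mode,
            "has_ntacl": has_ntacl, "findings": findings}


def audit_homes(root: str) -> list:
    """Audit every directory directly under `root`, each named after its user."""
    reports = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isdir(path) and not os.path.islink(path):
            reports.append(audit_home_dir(path, name))
    return reports


def exposed_homes(root: str) -> list:
    """Names of home directories that group or others can list or enter."""
    return [os.path.basename(r["path"]) for r in audit_homes(root)
            if any("can list" in f for f in r["findings"])]


def build_sample_tree(base: str) -> str:
    """Constructed sample: one private home (0700) and one world-readable (0755)."""
    root = os.path.join(base, "users")
    os.makedirs(os.path.join(root, "alice"))
    os.makedirs(os.path.join(root, "bob"))
    os.chmod(os.path.join(root, "alice"), 0o700)
    os.chmod(os.path.join(root, "bob"), 0o755)   # what a 0022 umask yields at creation
    return root


def demo() -> list:
    """Build the constructed sample in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return exposed_homes(build_sample_tree(tmp))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for report in audit_homes(build_sample_tree(tmp)):
            status = "; ".join(report["findings"]) or "ok"
            print(f"{report['path']}: mode {report['mode']:04o}, "
                  f"owner {report['owner']}, NTACL {report['has_ntacl']}: {status}")
```

Run it as root against the real share root (`audit_homes("/brecdata/users")`) to list which homes are exposed at the POSIX layer; in the constructed sample the owner finding fires for both directories because the running user, not "alice" or "bob", created them, and the mode finding fires only for "bob". A directory that passes here can still be visible over SMB if its NT ACL grants Everyone or Domain Users read access, which is why the report also says whether `security.NTACL` is present.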