Hi,

I have a problem in my Samba 4 file server.

I tried to change a directory's permission, but domain groups are not
recognized:

chown root:"Domain Admins" /home/Empresa
chown: invalid group: ‘root:Domain Admins’

When I run the "getent passwd" command, only local users are listed.

wbinfo commands (wbinfo -g, wbinfo -u, wbinfo -a <user>) are working
properly.

The following are my configuration files:

cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind
group:          files winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

cat /usr/local/samba/etc/smb.conf
[global]
    netbios name = FILESERVER
    workgroup = EMPRESA
    security = ADS
    realm = EMPRESA.COM.BR
    encrypt passwords = yes
    username map = /usr/local/samba/etc/user.map
    log file = /var/log/samba/%m.log
    log level = 1
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EMPRESA:backend = ad
    idmap config EMPRESA:schema_mode = rfc2307
    idmap config EMPRESA:range = 10000-999999
    idmap config EMPRESA:unix_nss_info = yes
    idmap config EMPRESA:unix_primary_group = yes
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind separator = +
    winbind use default domain = yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    template shell = /bin/bash
    template homedir = /home/%U
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

[Empresa]
    comment = Compartilhamentos
    path = /home/Empresa
    valid users = +EMPRESA\"Domain Users"
    guest ok = no
    writable = yes
    browsable = yes
    create mask = 0777
    directory mask = 0777

cat /etc/resolv.conf
domain empresa.com.br
search empresa.com.br
nameserver 192.168.1.20
nameserver 192.168.1.22

cat /etc/hosts
127.0.0.1       localhost
192.168.1.23    fileserver.empresa.com.br fileserver

netstat -lntup
Conexões Internet Ativas (sem os servidores)
Proto Recv-Q Send-Q Endereço Local          Endereço Remoto         Estado      PID/Program name
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN      511/lighttpd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      620/master
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      720/smbd
tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN      443/sshd
tcp        0      0 0.0.0.0:10050           0.0.0.0:*               LISTEN      419/zabbix_agentd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      720/smbd
tcp6       0      0 :::81                   :::*                    LISTEN      511/lighttpd
tcp6       0      0 ::1:25                  :::*                    LISTEN      620/master
tcp6       0      0 :::445                  :::*                    LISTEN      720/smbd
tcp6       0      0 :::20000                :::*                    LISTEN      443/sshd
tcp6       0      0 :::10050                :::*                    LISTEN      419/zabbix_agentd
tcp6       0      0 :::139                  :::*                    LISTEN      720/smbd
udp        0      0 0.0.0.0:54695           0.0.0.0:*                           359/rsyslogd
udp        0      0 192.168.1.23:123        0.0.0.0:*                           643/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           643/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           643/ntpd
udp        0      0 192.168.255.255:137     0.0.0.0:*                           684/nmbd
udp        0      0 192.168.1.23:137        0.0.0.0:*                           684/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           684/nmbd
udp        0      0 192.168.255.255:138     0.0.0.0:*                           684/nmbd
udp        0      0 192.168.1.23:138        0.0.0.0:*                           684/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           684/nmbd
udp6       0      0 fe80::5054:ff:fe00::123 :::*                                643/ntpd
udp6       0      0 ::1:123                 :::*                                643/ntpd
udp6       0      0 :::123                  :::*                                643/ntpd

The samba service isn't started; only the smbd, nmbd and winbind services
are started.

I verified that the libnss-winbind package isn't installed. Is this
package necessary?

Could anybody help me?

Regards,

Márcio Bacci
On 03/02/2020 18:03, Marcio Demetrio Bacci via samba wrote:
> Hi,
>
> I have a problem in my Samba 4 file server.
>
> I tried to change a directory's permission, but domain groups are not
> recognized:
>
> chown root:"Domain Admins" /home/Empresa
> chown: invalid group: ‘root:Domain Admins’
>
>
> When I run the "getent passwd" command, only local users are listed.
>
> wbinfo commands (wbinfo -g, wbinfo -u, wbinfo -a <user>) are working
> properly.

Yes, but does 'getent passwd username' produce output ?

And does 'getent group Domain\ Admins' produce output ?

> cat /usr/local/samba/etc/smb.conf
> [global]
> netbios name = FILESERVER
> workgroup = EMPRESA
> security = ADS
> realm = EMPRESA.COM.BR
> encrypt passwords = yes
> username map = /usr/local/samba/etc/user.map
> log file = /var/log/samba/%m.log
> log level = 1
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config EMPRESA:backend = ad
> idmap config EMPRESA:schema_mode = rfc2307
> idmap config EMPRESA:range = 10000-999999
> idmap config EMPRESA:unix_nss_info = yes
> idmap config EMPRESA:unix_primary_group = yes

Have you given your users a gidNumber attribute containing a number
inside '10000-999999'?

Have you given the groups that you want to be the users' primary groups a
gidNumber attribute containing a number inside '10000-999999' and then
given your users a gidNumber attribute containing the gidNumber of a
relevant group?

Have you given 'Domain Users' a gidNumber attribute containing a number
inside '10000-999999'?

> winbind nss info = rfc2307

This is not used any more

> winbind refresh tickets = Yes
> winbind separator = +
> winbind use default domain = yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> template shell = /bin/bash
> template homedir = /home/%U
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> [Empresa]
> comment = Compartilhamentos
> path = /home/Empresa
> valid users = +EMPRESA\"Domain Users"
> guest ok = no
> writable = yes
> browsable = yes
> create mask = 0777
> directory mask = 0777

You should set the share permissions following one of these pages:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs

Rowland
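The two questions in this exchange (Marcio's "is libnss-winbind necessary?" and Rowland's "does getent produce output?") come down to whether glibc's NSS can reach winbind at all. The script below is an added diagnostic, not Samba tooling and not from either poster: it checks that nsswitch.conf lists winbind for passwd and group, that the loader can find libnss_winbind.so.2 (without it, NSS silently skips the winbind service and getent only ever shows local accounts, exactly the symptom reported), and then compares wbinfo's answer with getent's for one user and one group. The user name, group name and library directories are assumptions.

```shell
#!/bin/sh
# Added diagnostic for this thread (not Samba's own code, not from the posters).
# Checks what "getent" needs before winbind users/groups can appear.

# Return 0 when every database named after the file lists winbind in the
# given nsswitch.conf; otherwise print the databases that lack it and return 1.
nss_has_winbind() {
    conf="$1"; shift
    missing=""
    for db in "$@"; do
        # drop comments, then look for "<db>:" followed by the word winbind
        if ! sed 's/#.*//' "$conf" \
             | grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)"; then
            missing="$missing $db"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'nsswitch.conf: winbind missing for:%s\n' "$missing"
        return 1
    fi
    return 0
}

# Return 0 when the dynamic loader can find the winbind NSS module. NSS skips
# a service whose module it cannot load, so an uninstalled libnss-winbind (or a
# Samba built under /usr/local whose module was never put on the library path)
# shows up as "getent lists only local accounts" with no error at all.
nss_lib_present() {
    if ldconfig -p 2>/dev/null | grep -q 'libnss_winbind\.so\.2'; then
        return 0
    fi
    # assumed fallback directories for systems without ldconfig -p
    for dir in /lib /lib64 /usr/lib /usr/lib64 \
               /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu; do
        [ -e "$dir/libnss_winbind.so.2" ] && return 0
    done
    echo "libnss_winbind.so.2 not found in the loader path"
    return 1
}

# Compare winbind's own answer (wbinfo) with what NSS returns (getent) for one
# user and one group, i.e. the two checks Rowland asks for. Pass the group name
# exactly as "wbinfo -g" prints it. Returns 0 only when every lookup succeeds.
nss_resolves() {
    user="$1"; group="$2"; rc=0
    wbinfo -n "$user" >/dev/null 2>&1  || { echo "wbinfo does not know user '$user'"; rc=1; }
    getent passwd "$user" >/dev/null  || { echo "getent passwd '$user' is empty"; rc=1; }
    getent group "$group" >/dev/null  || { echo "getent group '$group' is empty"; rc=1; }
    return $rc
}

# Run all three checks; NSSWITCH may point at a non-default file.
run_checks() {
    nss_has_winbind "${NSSWITCH:-/etc/nsswitch.conf}" passwd group
    nss_lib_present
    nss_resolves "${1:-marcio}" "${2:-domain users}"   # assumed names
}

# Usage: sh winbind_nss_check.sh check <user> "<group>"
case "${1:-}" in
    check) shift; run_checks "$@" ;;
esac
```

Run it on the file server as root; the first two checks are pure configuration and fail deterministically, while the third only means something once winbind is joined and running, which Marcio's working wbinfo output already shows.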
On 03/02/2020 19:06, Marcio Demetrio Bacci wrote:
> Hi Rowland
>
> > And does 'getent group Domain\ Admins' produce output ?
> No output.

Then your fileserver does not know who 'Domain Admins' is, which actually
is a good thing, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege

> > Have you given 'Domain Users' a gidNumber attribute containing a
> > number inside '10000-999999'
> To "Domain User" group no, I haven't.

I would give 'Domain Users' a gidNumber.

Rowland
Hi,

> > To "Domain User" group no, I haven't.
> I would give 'Domain Users' a gidNumber.

Now I assign a gidNumber.

I'm following this article:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

But in "Setting Share Permissions and ACLs", access is denied, as the log
messages show:

[2020/02/04 15:13:38.266457,  3] ../../lib/util/access.c:371(allow_access)
  Allowed connection from 192.168.0.11 (192.168.0.11)
[2020/02/04 15:13:38.266685,  3] ../../libcli/security/dom_sid.c:215(dom_sid_parse_endp)
  string_to_sid: SID +EMPRESA\Domain Users is not in a valid format
[2020/02/04 15:13:38.268610,  1] ../../source3/smbd/service.c:359(create_connection_session_info)
  create_connection_session_info: user 'marcio' (from session setup) not permitted to access this share (Arquivos)
[2020/02/04 15:13:38.268822,  1] ../../source3/smbd/service.c:531(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2020/02/04 15:13:38.269014,  3] ../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_tcon.c:142
[2020/02/04 15:13:49.379329,  3] ../../source3/smbd/service.c:1131(close_cnum)
  192.168.0.11 (ipv4:192.168.0.11:61504) closed connection to service IPC$
[2020/02/04 15:13:49.380788,  3] ../../source3/smbd/server_exit.c:244(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

There is some problem with the domain user account format.

Here is my smb.conf:

cat /usr/local/samba/etc/smb.conf
[global]
    netbios name = FILESERVER
    workgroup = EMPRESA
    security = ADS
    realm = EMPRESA.COM.BR
    encrypt passwords = yes
    username map = /usr/local/samba/etc/user.map
    log file = /var/log/samba/%m.log
    #log level = 1
    log level = 3 passdb:5 auth:5
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EMPRESA:backend = ad
    idmap config EMPRESA:schema_mode = rfc2307
    idmap config EMPRESA:range = 10000-999999
    idmap config EMPRESA:unix_nss_info = yes
    idmap config EMPRESA:unix_primary_group = yes
    #winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind separator = +
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    template shell = /bin/bash
    template homedir = /home/%U
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

[Arquivos]
    comment = Compartilhamentos do Dominio
    path = /home/Arquivos
    valid users = +EMPRESA\"Domain Users"
    admin users = +EMPRESA\"Domain Admins"
    #valid users = @"EMPRESA\Domain Users"
    #admin users = @"EMPRESA\Domain Admins"
    guest ok = no
    writable = yes
    read only = no
    browsable = yes
    create mask = 0777
    directory mask = 0777

I have already tried to change the "valid users" parameter in several ways.

Would anyone have any ideas to solve this problem?

Regards,

Márcio Bacci

On Mon, 3 Feb 2020 at 18:18, Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 03/02/2020 19:06, Marcio Demetrio Bacci wrote:
> > Hi Rowland
> >
> > > And does 'getent group Domain\ Admins' produce output ?
> > No output.
>
> Then your fileserver does not know who 'Domain Admins' is, which
> actually is a good thing, see here:
>
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
>
>
> > > Have you given 'Domain Users' a gidNumber attribute containing a
> > > number inside '10000-999999'
> > To "Domain User" group no, I haven't.
> I would give 'Domain Users' a gidNumber.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
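The log excerpt Marcio posted shows the pattern worth recognising on any Samba file server: a "string_to_sid ... is not in a valid format" message immediately before a "not permitted to access this share" denial means smbd could not even interpret a name in the share definition, which is a configuration problem rather than a user who lacks rights. The script below is an added triage helper, not from the thread and not Samba code: it scans an smbd log (a file argument or stdin) and prints one line per denial with the user, the share, and whether a name-parse failure preceded it. The heuristic pairing and the sample log (the thread's lines plus one constructed denial for a made-up user "ana" and share "Financeiro") are assumptions.

```shell
#!/bin/sh
# Added smbd log triage helper for this thread (not Samba's code, not from the
# posters). Assumes the default log layout at "log level = 3": a header line
# "[timestamp, level] file:line(function)" followed by an indented message.

# Print "<user> <share> syntax|permission" for every share-access denial.
# "syntax" means smbd had just failed to parse a name as a SID (typically a
# malformed "valid users"/"admin users" entry); "permission" means no such
# parse error was seen since the previous denial. Reads files in "$@" or stdin.
smbd_denials() {
    awk -v q="'" '
        # remember the last name smbd could not turn into a SID
        /string_to_sid: SID .* is not in a valid format/ {
            sub(/.*string_to_sid: SID /, "")
            sub(/ is not in a valid format.*/, "")
            badname = $0
            next
        }
        /not permitted to access this share/ {
            # user name sits between the first pair of single quotes
            n = split($0, a, q)
            user = (n >= 2) ? a[2] : "?"
            # share name is the parenthesised token after "this share"
            share = $0
            sub(/.*this share \(/, "", share)
            sub(/\).*/, "", share)
            kind = (badname != "") ? "syntax" : "permission"
            print user, share, kind
            badname = ""
        }
    ' "$@"
}

# Constructed sample: the first three entries mirror the thread, the last
# denial (user "ana", share "Financeiro") is invented to show the other branch.
sample_log() {
    cat <<'EOF'
[2020/02/04 15:13:38.266457,  3] ../../lib/util/access.c:371(allow_access)
  Allowed connection from 192.168.0.11 (192.168.0.11)
[2020/02/04 15:13:38.266685,  3] ../../libcli/security/dom_sid.c:215(dom_sid_parse_endp)
  string_to_sid: SID +EMPRESA\Domain Users is not in a valid format
[2020/02/04 15:13:38.268610,  1] ../../source3/smbd/service.c:359(create_connection_session_info)
  create_connection_session_info: user 'marcio' (from session setup) not permitted to access this share (Arquivos)
[2020/02/04 15:13:38.268822,  1] ../../source3/smbd/service.c:531(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2020/02/04 15:14:02.000000,  1] ../../source3/smbd/service.c:359(create_connection_session_info)
  create_connection_session_info: user 'ana' (from session setup) not permitted to access this share (Financeiro)
EOF
}

# Usage: sh smbd_denials.sh /var/log/samba/*.log   (or no argument for the sample)
case "${1:-}" in
    "") sample_log | smbd_denials ;;
    *)  smbd_denials "$@" ;;
esac
```

On the sample this prints "marcio Arquivos syntax" followed by "ana Financeiro permission"; on real logs, a run of "syntax" results for one share is the cue to fix the share definition (or, as Rowland advises, to drop the name-based restriction and manage the ACL from Windows) before touching any user's group memberships.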