samba - Apr 2020 - steps to get automatic home folder created at user logon windows 10 with samba 4.9.5-Debian

On 2020-04-30 09:49, Rowland penny via samba wrote:
> On 29/04/2020 22:07, Jelle de Jong via samba wrote:
>> Hello everybody,
>>
>> I been at this for more then a week and went through the archives and 
>> wiki but can not get it to work.
>>
>>
>> root at samba01:~# cat /etc/samba/smb.conf
>> [global]
>>
>> ?? #username map = /usr/local/samba/etc/user.map
> You need the user.map
>>
>>
>> ?? idmap config SAMDOM:backend = rid
>> ?? idmap config SAMDOM:range = 10000-999999
> You need to use the 'ad' backend
>>
>> ?? template homedir = /home/%U
> I think that is your problem right there, if you are trying to create a 
> link something like map 'H:' to '/home/%U' in the
'profiles' tab (%U
> could be a username), it will not work. This was raised here recently 
> and I said it didn't work, well it does, provide you do not specify
'%U'
> in the share path in smb.conf, the only possible problem could be the 
> permissions the users dir gets created with and you can fix that with a 
> 'root preexec' script.
>>
>> ?? idmap config SAMDOM:unix_primary_group = yes
> That only works with the 'ad' backend
>>
>> ?? winbind enum users = yes
>> ?? winbind enum groups = yes
> Never set those, they just slow things down.
>>
>> [documenten]
>> ??? path = /srv/storage/shares
>> ??? read only = No
>> ??? create mask = 0660
>> ??? directory mask = 0770
>> ??? inherit acls = Yes
>> ??? map acl inherit = Yes
>> ??? hide unreadable = Yes
>> ??? store dos attributes = Yes
>> ??? vfs objects = recycle
> You have turned acl_xattr off
I never was able to get the backend = ad working

I only need my user to be able to login to Windows 10 systems from a 
domain joined machine.

This is how I add my users:

samba-tool user create lgaga passwd --login-shell /bin/bash --given-name 
"Lady Gaga" --home-drive=H
--home-directory="\\\SAMBA01\users\lgaga"

Based on this wiki https://wiki.samba.org/index.php/Idmap_config_ad I 
tried the bellow configuration again but it did now work. getent passwd 
user or id user does not do anything. I think I am missing the 
prerequisites when using samba-tool to create the user as above?

Can I use the rid backend when I just want windows users to have file 
access?

root at samba01:~# cat /etc/samba/smb.conf
[global]
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.HUIGHAVERLAG.NL

    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    winbind use default domain = yes

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    username map = /usr/local/samba/etc/user.map

    log file = /var/log/samba/%m.log
    log level = 1

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

#  idmap config SAMDOM:backend = rid
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 10000-999999
    idmap config SAMDOM:unix_nss_info = yes

#  template shell = /bin/bash
#  template homedir = /home/%U

    idmap config SAMDOM:unix_primary_group = yes

[documenten]
     path = /srv/storage/shares
     read only = No
     create mask = 0660
     directory mask = 0770
     inherit acls = Yes
     map acl inherit = Yes
     hide unreadable = Yes
     store dos attributes = Yes
     vfs objects = recycle
     recycle:touch_mtime = Yes
     recycle:versions = Yes
     recycle:keeptree = Yes

[openbaar]
     path = /srv/storage/guestshare
     store dos attributes = Yes
     writable = yes
     printable = no
     only guest = yes
     public = yes
     guest ok = yes
     guest only = yes
     guest account = nobody
     browsable = yes
     create mask = 0660
     directory mask = 0770
     inherit acls = Yes
     map acl inherit = Yes
     hide unreadable = Yes
     store dos attributes = Yes

[users]
     path = /srv/storage/users/
     read only = No
     root preexec = /usr/local/bin/samba-mkdir-home %H %U

[profiles]
     path = /srv/storage/profiles/
     read only = No
     browsable = yes

On 30/04/2020 20:57, Jelle de Jong via samba wrote:
>
> I never was able to get the backend = ad working
>
> I only need my user to be able to login to Windows 10 systems from a 
> domain joined machine.
>
> This is how I add my users:
>
> samba-tool user create lgaga passwd --login-shell /bin/bash 
> --given-name "Lady Gaga" --home-drive=H 
> --home-directory="\\\SAMBA01\users\lgaga"
>
> Based on this wiki https://wiki.samba.org/index.php/Idmap_config_ad I 
> tried the bellow configuration again but it did now work. getent 
> passwd user or id user does not do anything. I think I am missing the 
> prerequisites when using samba-tool to create the user as above?
You are not adding the required RFC2307 attributes (uidNumber etc), 
these are not added automatically and without them, the 'ad' backend 
will not work.

Rowland

On 2020-04-30 22:57, Rowland penny via samba wrote:
> On 30/04/2020 20:57, Jelle de Jong via samba wrote:
>>
>> I never was able to get the backend = ad working
>>
>> I only need my user to be able to login to Windows 10 systems from a 
>> domain joined machine.
>>
>> This is how I add my users:
>>
>> samba-tool user create lgaga passwd --login-shell /bin/bash 
>> --given-name "Lady Gaga" --home-drive=H 
>> --home-directory="\\\SAMBA01\users\lgaga"
>>
>> Based on this wiki https://wiki.samba.org/index.php/Idmap_config_ad I 
>> tried the bellow configuration again but it did now work. getent 
>> passwd user or id user does not do anything. I think I am missing the 
>> prerequisites when using samba-tool to create the user as above?
> 
> You are not adding the required RFC2307 attributes (uidNumber etc), 
> these are not added automatically and without them, the 'ad'
backend
> will not work.
Yes that is why I am using rid backend again. Is there a way to 
automatic add uidNumber etc with the samba-tool when creating a user, I 
do not want to manually have to track uids when adding users...

Kind regards,

Jelle de Jong