On Mon, 26 Aug 2024 12:18:31 +0000
Ivan Novosad via samba <samba at lists.samba.org> wrote:
>
> >> Hello,
> >>
> >> I have fresh instalation samba 4.17.12+dfsg from apt on Debian 12.
> >>
> >> I made new domain ADS2
> >>
(https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller).
> >> root at dc-ads2:/etc/samba# samba-tool domain provision
--use-rfc2307
> >> --realm=ADS2.SES.SK --domain=ads2 --server-role=dc
> >> --dns-backend=BIND9_DLZ --adminpass=XXXXXXX
> >>
> >> In the future, I want to use IDMAP = ad, but for simplicity,
I'm
> >> currently using tdb.
> >>
> >> File /etc/samba/smb.conf:
> >>
> >> [global]
> >> netbios name = DC-ADS2
> >> realm = ADS2.SES.SK
> >> server role = active directory domain controller
> >> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> >> drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = ADS2
> >>
> >> idmap_ldb:use rfc2307 = yes
> >>
> >> template homedir = /home/%D/%U
> >> template shell = /bin/bash
> >>
> >> [sysvol]
> >> path = /var/lib/samba/sysvol
> >> read only = No
> >>
> >> [netlogon]
> >> path = /var/lib/samba/sysvol/ads2.ses.sk/scripts
> >> read only = No
> >>
> >>
> >> After provisioning, there is only one user - administrator.
> >> The command wbinfo displays the following information about the
> >> administrator: root at dc-ads2:/tmp# wbinfo -i administrator
> >> ADS2\administrator:*:0:100::/home/ADS2/administrator:/bin/bash
> >>
> >> root at dc-ads2:/tmp# id administrator
> >> uid=0(root) gid=100(users)
> >> groups=0(root),100(users),3000006(ADS2\schema
> >> admins),3000007(ADS2\enterprise admins),3000004(ADS2\domain
> >> admins),3000008(ADS2\group policy creator
> >> owners),3000005(ADS2\denied rodc password replication
> >> group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)
> >>
> >>
> >> Question 1:
> >> Administrator has primaryGroupID = 513 (Domain users). Where, in
> >> which file or directive, is the group 'Domain Users'
mapped to the
> >> Linux group 'Users (100)'?
> >>
> >>
> >> I created a new group called IT4.
> >> root at dc-ads2:/tmp# samba-tool group add IT4 --gid-number=2004
> >> --nis-domain=ads2 --group-scope=Global --group-type=Security
> >> --description=DomainUnixGroup Added group IT4
> >>
> >> I created a new user called john4.
> >> root at dc-ads2:/tmp# samba-tool user create john4 Skuska.
--uid=john4
> >> --uid-number=3004 --gid-number=2004 --given-name=John4
> >> --surname=Wick --department=IT4 --script-path=IT4.bat User
'john4'
> >> added successfully
> >>
> >> root at dc-ads2:/tmp# wbinfo -i john4
> >> ADS2\john4:*:3004:100::/home/ADS2/john4:/bin/bash
> >> root at dc-ads2:/tmp# id john4
> >> uid=3004(ADS2\john4) gid=100(users)
> >> groups=100(users),3000009(BUILTIN\users)
> >>
> >>
> >> I added the user john4 to the group IT4:
> >> root at dc-ads2:/tmp# samba-tool group addmembers IT4 john4 Added
> >> members to group IT4
> >>
> >> I changed the user's primary group to the previously created
group
> >> IT4. root at dc-ads2:/tmp# samba-tool user setprimarygroup john4
IT4
> >> Changed primary group to 'IT4'
> >>
> >> The attributes of the user john4 are now:
> >> dn: CN=John4 Wick,CN=Users,DC=ads2,DC=ses,DC=sk
> >> objectClass: top
> >> objectClass: person
> >> objectClass: organizationalPerson
> >> objectClass: user
> >> cn: John4 Wick
> >> sn: Wick
> >> givenName: John4
> >> instanceType: 4
> >> whenCreated: 20240823105419.0Z
> >> displayName: John4 Wick
> >> uSNCreated: 4180
> >> department: IT4
> >> name: John4 Wick
> >> objectGUID: 55fb6813-1f12-4955-b009-6840ae0f370b
> >> badPwdCount: 0
> >> codePage: 0
> >> countryCode: 0
> >> badPasswordTime: 0
> >> lastLogoff: 0
> >> lastLogon: 0
> >> scriptPath: IT4.bat
> >> objectSid: S-1-5-21-3810246146-2675359531-1496275737-1111
> >> accountExpires: 9223372036854775807
> >> logonCount: 0
> >> sAMAccountName: john4
> >> sAMAccountType: 805306368
> >> userPrincipalName: john4 at ads2.ses.sk<mailto:john4 at
ads2.ses.sk>>
> >> objectCategory:
> >> CN=Person,CN=Schema,CN=Configuration,DC=ads2,DC=ses,DC=sk uid:
> >> john4 uidNumber: 3004
> >> gidNumber: 2004
> >> pwdLastSet: 133688840595194710
> >> userAccountControl: 512
> >> memberOf: CN=Domain Users,CN=Users,DC=ads2,DC=ses,DC=sk
> >> primaryGroupID: 1110
> >> whenChanged: 20240823105847.0Z
> >> uSNChanged: 4187
> >> distinguishedName: CN=John4 Wick,CN=Users,DC=ads2,DC=ses,DC=sk
> >>
> >> wbinfo and id now provide the following information:
> >> root at dc-ads2:/tmp# wbinfo -i john4
> >> ADS2\john4:*:3004:100::/home/ADS2/john4:/bin/bash
> >> root at dc-ads2:/tmp# id john4
> >> uid=3004(ADS2\john4) gid=100(users)
> >> groups=100(users),2004(ADS2\it4),3000009(BUILTIN\users)
> >>
> >> Question 2:
> >> john4 has had its primaryGroupID changed to 1110 (IT4). Why
hasn't
> >> the primary group changed in the wbinfo output?
> >>
> >> I logged in to Linux as john4 through another terminal
(PuTTY)."
> >>
> >> And now, wbinfo and id start showing different values (the ones I
> >> want). root at dc-ads2:/tmp# wbinfo -i john4
> >> ADS2\john4:*:3004:2004:John4 Wick:/home/ADS2/john4:/bin/bash
> >> root at dc-ads2:/tmp# id john4
> >> uid=3004(ADS2\john4) gid=2004(ADS2\it4)
> >> groups=2004(ADS2\it4),100(users),3000009(BUILTIN\users)
> >>
> >> Question 3:
> >> Why does the primary group change when I log in interactively? How
> >> can I configure Samba/Winbind to provide the correct values
> >> without needing to log in?
> >>
> >>
> >> Thanks in advance
> >> Ivan Novosad
> >
> >Before we get carried away here, can I ask a few questions ?
> >
> >Do you have experience of setting up the old classic NT4-style
> >domains (as in PDC's) ?
> Yes. We use Samba from version 3.0.2.
Thought so, you need to forget a lot of what you know, AD is NOT the
same as an NT4-style domain.
I would suggest that you upgrade Samba by using the Samba packages from
bookworm-backports, this will get you 4.20.4
>
> >Why do you want to change the users primary group ?
> Every user has primary group according to his department (in case
> above, the user jonh4 belongs to department IT4). On our file
> servers, we use the primary group to set permissions for certain
> shares. We also prefer that the primary group is set when a file is
> created, i.e. -rw-r--r-- 1 ADS2\john4 ADS2\it4 5 2024-08-26
> 14:02 aaa.txt
As this is AD, you need to use and understand EAs, where it will not
matter about the primaryGroupID, you can allow access based upon group
membership. See here for a start:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> In production, we use samba 4.4.3. There the command wbinfo gives
> correct information. root at dc-ads:/usr/local# wbinfo -i jergus_lapin
> ADS\jergus_lapin:*:11214:998008:Jergus
> Lapin:/home/ADS/jergus_lapin:/bin/false On new DC3 (samba 4.17.12),
> wbinfo gives this: root at dc3-ads:/etc/pam.d# wbinfo -i jergus_lapin
> ADS\jergus_lapin:*:11214:513::/home/ADS/jergus_lapin:/bin/false
>
> Since I didn't want to test in the production environment, I
> installed a clean setup with a new domain (ADS2 mentioned in the
> previous email) and I'm testing it there. I assume that once we
> resolve it on the clean installation, we'll configure it the same way
> in the production environment.
Good plan, but you need to understand the differences between AD and
NT4-style domains.
>
>
> >Are you thinking of using the DC as a fileserver ? (which isn't
> >recommended).
> No.
Good, but this means that whatever IDs you get on a DC are unlikely to
be the same IDs on Unix domain members. It also doesn't really matter
if the users have different IDs on different Unix machines, after all,
the Unix IDs are meaningless on Windows machines.
Rowland