after some struggling I have finally set up a Samba AD DC and a file
server more or less successfully. Unfortunately I am failing at one of
the last steps: the configuration of the home share, where I can't set
the permissions correctly which, as a consequence, seems to prevent the
creation of the users' folders on the home share.
I am using the standard Samba packages on ubuntu 16.04 LTS
("2:4.3.11+dfsg-0ubuntu0.16.04") and opted for winbind and the AD
backend for id mapping of the domain users. My smb.conf of the member
server looks like this:
[global]
netbios name = FILESERVER
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.LAN
log level = 5
log file = /var/log/samba/%m.log
password server = 192.168.6.8
interfaces = lo br0
bind interfaces only = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind cache time = 60
;; Default idmap config used for BUILTIN and local accounts/groups
idmap config * : backend = tdb
idmap config * : range = 100000-4294967295
;; idmap config for domain MYDOMAIN
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
template homedir = /var/share/samba/homes/%U
[home]
path = /var/share/samba/homes
guest ok = no
read only = no
browseable = yes
[profiles]
path = /var/share/samba/profiles
read only = no
store dos attributes = yes
create mask = 0600
directory mask = 0700
guest ok = no
profile acls = yes
csc policy = disable
"interfaces" and "bind interfaces only = yes" is needed because the
server is dual-homed. By setting the tdb id range to 100000-4294967295,
I hoped to get the Windows system accounts mapped.
winbind seems to work ok. "getent passwd" and "getent group" show the AD
users with the uidNumber and gidNumber attributes set in AD in the
right range. Example:
root@fileserver:/var/share/samba# id MYDOMAIN\\Administrator
uid=10000(MYDOMAIN\administrator) gid=10000(MYDOMAIN\domain admins) groups=10000(MYDOMAIN\domain admins),10004(MYDOMAIN\enterprise admins),10003(MYDOMAIN\schema admins),10001(MYDOMAIN\domain users),100000(BUILTIN\administrators),100001(BUILTIN\users)
After adding the [home] section to smb.conf I create the directory as
described in the Samba wiki
root@fileserver:/var/share/samba# mkdir homes
root@fileserver:/var/share/samba# chgrp MYDOMAIN\\Domain\ Admins homes/
root@fileserver:/var/share/samba# chmod g=rwx homes/
root@fileserver:/var/share/samba# ls -ld homes/
drwxrwxr-x 2 root MYDOMAIN\domain admins 4096 Okt 12 16:05 homes/
Then I continue with the RSAT Tools (German Language Version) on Windows
7 where I log in as "MYDOMAIN\Administrator" and use the "Computer
Management" Console to configure the home share.
Here I face two problems on the "Security" tab:
1) When I add the Administrator user, the account is shown as "locked"
(red dot with cross) but I can set "Full Control"
2) When I add the Creator Owner (in my case, I have to look for
ERSTELLER-BESITZER) I can check "Full Control", but when I click "Apply"
all the check marks disappear
Additionally, extra users like "Everyone", "root" or "Creator Group" are
already listed in the dialogue box without me doing anything.
On the Linux side, the extended permissions of the
/var/share/samba/homes directory look like this
root@fileserver:/var/share/samba# getfacl homes/
# file: homes/
# owner: MYDOMAIN\134administrator
# group: MYDOMAIN\134domain\040admins
user::rwx
user:MYDOMAIN\134administrator:rwx
group::rwx
group:MYDOMAIN\134domain\040admins:rwx
group:100004:r-x
group:100005:rwx
mask::rwx
other::---
default:user::rwx
default:user:MYDOMAIN\134administrator:rwx
default:group::---
default:group:MYDOMAIN\134domain\040admins:rwx
default:group:100004:r-x
default:group:100005:rwx
default:mask::rwx
default:other::---
I noticed GIDs 100004 and 100005 are not resolved so I tried to find out why
root@fileserver:/var/share/samba# net idmap dump
dumping id mapping from /var/lib/samba/winbindd_idmap.tdb
GID 100004 S-1-5-11
GID 100005 S-1-5-18
GID 100006 S-1-3-0
USER HWM 100000
GID 100002 S-1-1-0
GID 100007 S-1-5-4
GID 100003 S-1-5-2
GROUP HWM 100008
With wbinfo --sid-to-fullname I find
GID 100004 S-1-5-11 --> NT AUTHORITY\Authenticated Users 5
GID 100005 S-1-5-18 --> NT AUTHORITY\SYSTEM 5
S-1-3-0 is the well-known SID of the Creator Owner (thus known to the
server)
Finally, when I log into a Windows 7 workstation (previously joined to
the domain) with my test user account
root@fileserver:/var/share/samba# id MYDOMAIN\\kbudwi
uid=10002(MYDOMAIN\kbudwi) gid=10001(MYDOMAIN\domain users) groups=10001(MYDOMAIN\domain users),10010(MYDOMAIN\workgroup-1),100001(BUILTIN\users)
my home folder "kbudwi" is neither created nor mounted.
When I navigate manually to the home base folder by entering
"\\fileserver\home" into Windows Explorer, I get an empty folder.
When I try to create my home folder manually I get a message box saying
something like "home: You need permissions to continue the operation"
(loosely translated from German). I suspect the missing "Creator Owner"
rights block the folder creation.
Generally speaking, I am very unsure how to handle the id mapping for
the ad backend. The documentation (I found) does not specify, whether I
have to set the Unix UIDs and GIDs on system accounts or on user
accounts only. Maybe I have messed it up at this level?
Any help would be highly appreciated as I am seriously running out of ideas.
Thanks and best regards
Udo
Do you really need '4294867295' spaces for the '*' range? I only have
'7999' and feel that is overkill; see here for more info:
https://support.microsoft.com/en-us/kb/243330
As for your users home dir not getting created, try running this on the
fileserver:
echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/common-account
Add this line to smb.conf:
username map = /etc/samba/user.map
And create the /etc/samba/user.map with this content:
!root = MYDOMAIN\Administrator MYDOMAIN\administrator Administrator administrator
That will map the windows administrator to the Unix root user
To make windows users visible to the domain member whilst using the
winbind 'ad' backend, you must give each user a unique uidNumber
attribute inside the range you set for the domain (MYDOMAIN) in
smb.conf, you MUST also give Domain Users a gidNumber attribute inside
the range.
Rowland
thank you for your swift reply. I made the modifications you suggested,
which unfortunately did not better the situation. No change as to the
"Creator Owner" rights and the Administrator account still shown as
locked. Also, I couldn't spot any suspicious messages in the Samba
logfiles besides maybe
get_referred_path: |profiles| in dfs path
\fileserver.mydomain.lan\profiles is not a dfs root.
get_referred_path: |home| in dfs path \fileserver.mydomain.lan\home is
not a dfs root.
My test users have uidNumbers and gidNumbers defined. I found this nifty
command to list them:
root@fileserver:/var/log/samba# net ads search '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber -P
Got 15 replies
sAMAccountName: Enterprise Read-Only Domain Controllers
gidNumber: 10005
sAMAccountName: Administrator
uidNumber: 10000
gidNumber: 10000
sAMAccountName: Enterprise Admins
gidNumber: 10004
sAMAccountName: workgroup-1
gidNumber: 10010
sAMAccountName: Users
gidNumber: 10008
sAMAccountName: DnsAdmins
gidNumber: 10006
sAMAccountName: kbudwi
uidNumber: 10002
gidNumber: 10001
sAMAccountName: kbmamu
uidNumber: 10004
gidNumber: 10001
sAMAccountName: Guest
uidNumber: 10001
gidNumber: 10000
sAMAccountName: Schema Admins
gidNumber: 10003
sAMAccountName: Administrators
gidNumber: 10007
sAMAccountName: Domain Admins
gidNumber: 10000
sAMAccountName: Domain Users
gidNumber: 10001
uidNumber: 10003
gidNumber: 10001
sAMAccountName: kbanre
sAMAccountName: Domain Guests
gidNumber: 10002
I can list those users and groups on the member server using "getent
passwd" and "getent group".
What else could be wrong? My impression is that samba and winbind cache
a lot of information. Should I start over with the member server?
BTW: I rebooted the server after making the changes - just to be sure.
Thanks in advance and best regards
Udo
Can I suggest you remove uid/gidNumber attributes from:
Enterprise Read-Only Domain Controllers
Administrator
Enterprise Admins
Users
DnsAdmins
Guest
Schema Admins
Administrators
Domain Guests
They will be mapped as required by '*' in smb.conf
You have also made 'Administrator' a normal Unix user by giving it a
uidNumber.
If you use windows RSAT tools, the user/computer manager.
Enable View, advanced.
So follow this and in my opinion it's always OK.
- Don't assign any group found in "Builtin"
- Do assign the groups in Users, at least Domain Admins and Domain Users.
This always applies to backend AD!
Backend rid: this is not needed.
And I really advise giving "Domain Admin" all of the SePrivileges.
Greetz,
Louis
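As an added example (not code from the thread or from the Samba project), the shell function below audits the `net ads search` listing posted above against the rules given in the two replies: built-in and system accounts should carry no uidNumber/gidNumber, Domain Users needs a gidNumber, every ID must sit inside the range configured for the domain in smb.conf, and no uidNumber may be handed out twice. The sample listing is constructed from the names in the thread; the assumptions are that entries are separated by blank lines with no fixed attribute order (the thread's own listing shows both orders), the system-account list (Rowland's list plus krbtgt), and the range 10000-99999 from the posted smb.conf.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: audit the output of
#   net ads search '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber -P
# against the advice given in the replies: no rfc2307 IDs on built-in/system
# accounts, a gidNumber on Domain Users, every ID inside the domain range from
# smb.conf, and no uidNumber used twice.
# Assumption: entries are blank-line separated and attribute order is free.

# Accounts that should carry no uidNumber/gidNumber (Rowland's list, plus
# krbtgt as this example's own addition).
SYSTEM_ACCOUNTS='Administrator|Guest|krbtgt|Administrators|Users|Domain Guests|DnsAdmins|Schema Admins|Enterprise Admins|Enterprise Read-Only Domain Controllers'

# audit_rfc2307 LOW HIGH  < search-output
# Prints one finding per line ("WARN name: ..." / "ERR name: ..."), nothing
# when clean; exit status 1 if anything was found.
audit_rfc2307() {
  awk -v low="$1" -v high="$2" -v sys="$SYSTEM_ACCOUNTS" '
    function finding(level, who, msg) { findings++; print level " " who ": " msg }
    BEGIN {
      RS = ""; FS = "\n"                 # one blank-line separated entry per record
      n = split(sys, a, "|")
      for (i = 1; i <= n; i++) system_acct[a[i]] = 1
    }
    /sAMAccountName: / {
      name = ""; uid = ""; gid = ""
      for (i = 1; i <= NF; i++) {        # attribute lines may come in any order
        if ($i ~ /^sAMAccountName: /)    name = substr($i, 17)
        else if ($i ~ /^uidNumber: /)    uid = substr($i, 12)
        else if ($i ~ /^gidNumber: /)    gid = substr($i, 12)
      }
      if ((name in system_acct) && (uid != "" || gid != ""))
        finding("WARN", name, "built-in/system account carries rfc2307 IDs; remove them and let the * range map it")
      if (uid != "" && (uid + 0 < low + 0 || uid + 0 > high + 0))
        finding("ERR", name, "uidNumber " uid " is outside the ad backend range " low "-" high)
      if (gid != "" && (gid + 0 < low + 0 || gid + 0 > high + 0))
        finding("ERR", name, "gidNumber " gid " is outside the ad backend range " low "-" high)
      if (uid != "") {                   # uidNumbers must be unique per domain
        if (uid in seen_uid) finding("ERR", name, "uidNumber " uid " is already used by " seen_uid[uid])
        else seen_uid[uid] = name
      }
      if (name == "Domain Users" && gid != "") domain_users_ok = 1
    }
    END {
      if (!domain_users_ok) finding("ERR", "Domain Users", "no gidNumber set; winbind needs a gidNumber on the primary group of every user")
      exit (findings > 0)
    }
  '
}

# Constructed listing in the layout of the command above (names from the thread).
SAMPLE_SEARCH_OUTPUT='Got 9 replies

sAMAccountName: Administrator
uidNumber: 10000
gidNumber: 10000

sAMAccountName: Domain Admins
gidNumber: 10000

sAMAccountName: Domain Users
gidNumber: 10001

sAMAccountName: Administrators
gidNumber: 10007

sAMAccountName: kbudwi
uidNumber: 10002
gidNumber: 10001

sAMAccountName: Guest
uidNumber: 10001
gidNumber: 10000

uidNumber: 10003
gidNumber: 10001
sAMAccountName: kbanre

sAMAccountName: kbmamu
uidNumber: 10002
gidNumber: 10001

sAMAccountName: workgroup-1
gidNumber: 2010'

printf '%s\n' "$SAMPLE_SEARCH_OUTPUT" | audit_rfc2307 10000 99999 \
  || echo "(fix the findings above before joining more domain members)"
```

On a real member server, pipe the output of the `net ads search` command into `audit_rfc2307` with the LOW and HIGH of the `idmap config MYDOMAIN : range` line; the WARN lines are exactly the accounts Rowland listed for removal, the ERR lines are the ones that stop winbind from listing a user at all.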
I have removed the rfc2307-IDs now. I guess going to the "Unix
Attributes" tab in ADUC and setting "NIS Domain" to "none" is sufficient?
Checking the getent commands:
root@fileserver:/var/log/samba# getent passwd | grep ^MYDOMAIN
MYDOMAIN\kbanre:*:10003:10001:XXXXXXXXXX:/var/share/samba/homes/kbanre:/bin/sh
MYDOMAIN\kbmamu:*:10004:10001:Max Mustermann:/var/share/samba//homes/kbmamu:/bin/sh
MYDOMAIN\kbudwi:*:10002:10001:Udo Willke:/var/share/samba/homes/kbudwi:/bin/sh
root@fileserver:/var/log/samba# getent group | grep ^MYDOMAIN
MYDOMAIN\domain admins:x:10000:
MYDOMAIN\domain users:x:10001:
MYDOMAIN\workgroup-1:x:10010:
Does this look good?
Should I recreate the /var/share/samba/homes directory? The owner with
UID 10000 is not known to Linux now:
root@fileserver:~# getfacl /var/share/samba/homes/
getfacl: Removing leading '/' from absolute path names
# file: var/share/samba/homes/
# owner: 10000
# group: MYDOMAIN\134domain\040admins
....
Apart from that: Still no home folders, even not able to create them
manually. All the initial symptoms persist :-(
Any ideas?
Thanks and best regards
Udo
> Hello Rowland,
>
> I have removed the rfc2307-IDs now. I guess going to the "Unix
> Attributes" tab in ADUC and setting "NIS Domain" to "none" is
> sufficient?
No, it should show your domain name.
>
> Checking the getent commands:
>
> root@fileserver:/var/log/samba# getent passwd | grep ^MYDOMAIN
> MYDOMAIN\kbanre:*:10003:10001:XXXXXXXXXX:/var/share/samba/homes/kbanre:/bin/sh
> MYDOMAIN\kbmamu:*:10004:10001:Max Mustermann:/var/share/samba//homes/kbmamu:/bin/sh
> MYDOMAIN\kbudwi:*:10002:10001:Udo Willke:/var/share/samba/homes/kbudwi:/bin/sh
>
> root@fileserver:/var/log/samba# getent group | grep ^MYDOMAIN
> MYDOMAIN\domain admins:x:10000:
> MYDOMAIN\domain users:x:10001:
> MYDOMAIN\workgroup-1:x:10010:
>
> Does this look good?
Yes
>
> Should I recreate the /var/share/samba/homes directory? The owner
> with UID 10000 is not known to Linux now:
Probably easiest, as long as the old dirs don't contain anything you
need.
>
> root@fileserver:~# getfacl /var/share/samba/homes/
> getfacl: Removing leading '/' from absolute path names
> # file: var/share/samba/homes/
> # owner: 10000
> # group: MYDOMAIN\134domain\040admins
>
> ....
>
> Apart from that: Still no home folders, even not able to create them
> manually. All the initial symptoms persist :-(
>
Altering the PAM config should create the home dirs as the users
connect, but why are you putting them in /var ??
What is wrong with /home/DOMAIN/%U
Rowland
On 13.10.2016 at 16:53, Rowland Penny via samba wrote:
> On Thu, 13 Oct 2016 16:22:47 +0200
> Udo Willke via samba <sa...@lists.samba.org> wrote:
>
>> Hello Rowland,
>>
>> I have removed the rfc2307-IDs now. I guess going to the "Unix
>> Attributes" tab in ADUC and setting "NIS Domain" to "none" is
>> sufficient?
> No, it should show your domain name.
Hmm, the "NIS Domain" setting is a drop-down menu. When I choose
mydomain (in lower case this time) a UID Number is automatically
assigned, when I choose <none> the fields are greyed out. So "no
uidNumber" and "should show your domain name" don't work at the same
time. Or should I choose mydomain and delete the remaining field entries?
>
>> Checking the getent commands:
>>
>> root@fileserver:/var/log/samba# getent passwd | grep ^MYDOMAIN
>> MYDOMAIN\kbanre:*:10003:10001:XXXXXXXXXX:/var/share/samba/homes/kbanre:/bin/sh
>> MYDOMAIN\kbmamu:*:10004:10001:Max Mustermann:/var/share/samba//homes/kbmamu:/bin/sh
>> MYDOMAIN\kbudwi:*:10002:10001:Udo Willke:/var/share/samba/homes/kbudwi:/bin/sh
>>
>> root@fileserver:/var/log/samba# getent group | grep ^MYDOMAIN
>> MYDOMAIN\domain admins:x:10000:
>> MYDOMAIN\domain users:x:10001:
>> MYDOMAIN\workgroup-1:x:10010:
>>
>> Does this look good?
> Yes
>
>> Should I recreate the /var/share/samba/homes directory? The owner
>> with UID 10000 is not known to Linux now:
> Probably easiest, as long as the old dirs don't contain anything you
> need.
Yes, already did this. Now the Administrator account is not shown as locked
(!) in ADUC but still not able to assign rights to the "Creator Owner".
HOWEVER: In the Advanced View the check marks are there (!) together
with the restriction "Files and Subfolders only". But, still the
unwanted accounts "Everyone", "root" and "Creator Group" are listed on
the Security tab?!? And still no home folders ....
>
>> root@fileserver:~# getfacl /var/share/samba/homes/
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/share/samba/homes/
>> # owner: 10000
>> # group: MYDOMAIN\134domain\040admins
>>
>> ....
>>
>> Apart from that: Still no home folders, even not able to create them
>> manually. All the initial symptoms persist :-(
>>
> Altering the PAM config should create the home dirs as the users
> connect, but why are you putting them in /var ??
> What is wrong with /home/DOMAIN/%U
Nothing at all. I somewhere read that this was a "recommendation" for
user shares on Linux. So I mounted my xattr-enabled partition underneath
/var/share, but maybe that's wrong? However, would prefer not changing
this right now.
This is /etc/pam.d/common-account - just for verification:
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required pam_krb5.so minimum_uid=1000
# end of pam-auth-update config
#
# Modification for Samba
#
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Entries are TAB-separated. Also checked the syslog for PAM errors with
no result. pam_mkhomedir.so is installed.
root@fileserver:/var/log# locate pam_mkhomedir.so
/lib/x86_64-linux-gnu/security/pam_mkhomedir.so
Would be looking forward to continue finding the problem tomorrow.
Thanks and best regards
Udo
>
It sounds like you don't have IDMU installed, not sure if you can
install it on 2012.
On 13.10.2016 at 18:25, Rowland Penny via samba wrote:
> It sounds like you don't have IDMU installed, not sure if you can
> install it on 2012.
are you trying to say that I should install "Identity Management for
Unix" on a Windows Server 2012? If yes, I am afraid we have a
misunderstanding here: I don't use any Windows Server in my set-up.
I use a Fileserver with two network interfaces, one connected to a
private network, the other connected to our university network. A Samba
AD DC is supposed to manage a small Windows Domain in the private net.
The fileserver also serves as a gateway to the Windows 7 workstations in
the private net. Fileserver and AD DC are both running ubuntu 16.04 and
have the respective Samba packages installed. For testing I have set up
two Windows 7 Instances on ESXi inside the private net, one with the
RSAT Tools installed and one as a user PC.
Update: I spent the morning setting up a fresh member server
("FILESERVER2") for testing inside the private net (with 1 NIC only,
thereby reducing complexity) I think, I have made all the necessary
steps and did not forget to grant the SeDiskOperatorPrivilege rights to
the Domain Admins
root@fileserver2:/var/log/samba# net rpc rights list 'MYDOMAIN\Domain Admins' -U'MYDOMAIN\Administrator' -S addc01
Enter MYDOMAIN\Administrator's password:
SeDiskOperatorPrivilege
Now I'm stuck in the RSAT Computer Management Console where I am denied
access to the share configuration. On the navigation tree in the left
window "Local users and groups" is shown as locked (and I remember this
went only away after I assigned a uidNumber to the Administrator account
and made it a member of the Domain Admins Unix Group). Can't tell if
this is a useful hint.
Best Regards
Udo
So can someone tell me which of the below Se privileges should not be on the "Domain Admins" group? Because setting only SeDiskOperatorPrivilege is just stupid; really, this needs to be changed on the wiki.
root = Administrator and Administrator is in "Domain Admins" ....
so why not give all privileges?
This should always be on Domain Admins imo; how else are you going to manage a domain without all needed privileges?
net rpc rights list "NTDOM\Domain Admins" -S ADDC1.dnsdomain.tld \
-UAdministrator
Enter Administrator's password:
SeDiskOperatorPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
SeMachineAccountPrivilege
On my domain member.
cat /etc/samba/samba_usermapping
!root = NTDOM\Administrator NTDOM\administrator
And in smb.conf (global)
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
... reboot the server!
And don't forget to log in to the domain as DOMAIN\Administrator on your PC.
Now try again.
And right-click, choose "Connect to", select your server name (not localhost).
Greetz,
Louis
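The following is an added example, not code from the thread or from Samba: a small resolver for the `username map` file format that shows what the mapping above does to an incoming SMB name, including why a typo in the domain part leaves `MYDOMAIN\Administrator` unmapped (no match means no `root`, and therefore none of root's privileges on the member server). The format rules are the ones documented in smb.conf(5): `unix_name = smb_name [smb_name ...]`, `#`/`;` comments, `*` matches any name, a leading `!` stops processing after a match, and without `!` the mapped name is fed to the following lines. The map contents are constructed; case-insensitive matching and the skipping of `@group` entries are this example's own simplifications.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: a toy resolver for
# Samba's "username map" file, following the rules in smb.conf(5).
# Simplifications (assumptions of this example): names are compared
# case-insensitively, and "@group" entries (unix group membership) never
# match because there is no group database to consult here.

# resolve_username SMB_NAME  < mapfile   -> prints the resulting unix name
resolve_username() {
  SMB_USER="$1" awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    BEGIN { user = ENVIRON["SMB_USER"] }      # ENVIRON keeps the backslash in DOMAIN\user intact
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # comments and blank lines
    {
      eq = index($0, "="); if (eq == 0) next
      unixname = trim(substr($0, 1, eq - 1))
      stop = 0
      if (substr(unixname, 1, 1) == "!") { stop = 1; unixname = trim(substr(unixname, 2)) }
      n = split(trim(substr($0, eq + 1)), names, /[ \t]+/)
      for (i = 1; i <= n; i++) {
        if (substr(names[i], 1, 1) == "@") continue   # @group: not resolvable offline (assumption)
        if (names[i] == "*" || tolower(names[i]) == tolower(user)) {
          user = unixname                     # remapped; later lines see the new name
          if (stop) exit                      # "!": first match wins (END still prints)
          break
        }
      }
    }
    END { print user }
  '
}

# Constructed map, as posted in the thread, plus a variant with a typo in the
# domain part (the mistake that kept the share configuration locked).
USER_MAP='# map the domain admin to the Unix superuser
!root = MYDOMAIN\Administrator MYDOMAIN\administrator Administrator administrator'
TYPO_MAP='!root = MYDOMIAN\Administrator'

printf '%s\n' "$USER_MAP" | resolve_username 'MYDOMAIN\Administrator'   # root
printf '%s\n' "$TYPO_MAP" | resolve_username 'MYDOMAIN\Administrator'   # MYDOMAIN\Administrator (no match)
printf '%s\n' "$USER_MAP" | resolve_username 'MYDOMAIN\kbudwi'          # MYDOMAIN\kbudwi (ordinary users untouched)
```

The `!` matters beyond this one line: with `sys = fred` followed by `guest = *`, fred is first mapped to sys and then, because processing continues with the new name, to guest; with `!sys = fred` the resolver stops at sys. That is the example smb.conf(5) itself gives for the prefix.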
> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Udo Willke via
> samba
> Sent: Friday, 14 October 2016 14:33
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Unable to set up home share correctly
I could have sworn you mentioned a 2012 server, so if you are
authenticating the fileserver to a Samba AD DC, did you provision the
DC with '--use-rfc2307' ?
Not a problem if you didn't, see here:
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_NIS_extensions
The 'Administrator' is always a member of 'Domain Admins'
Did you remember to add the 'user.map' line to smb.conf ?
Rowland
samba-tool domain provision --use-rfc2307 --function-level=2008_R2 \
    --dns-backend=BIND9_DLZ --host-name=addc01 --realm=MYDOMAIN.LAN \
    --domain=MYDOMAIN --server-role='dc' --adminpass='*******************'
> Not a problem if you didn't, see here:
>
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_NIS_extensions
>
> The 'Administrator' is always a member of 'Domain Admins'
>
> Did you remember to add the 'user.map' line to smb.conf ?
Yes I did, but had a typo in the real domain name .... and this was
the problem :-[
Now I have access to the share configuration :-)
What's a little confusing:
"Share Permissions" has the "Everyone" account already filled in with
"Full Control".
"Security" has "Everyone", "root", "ERSTELLER-BESITZER" (Creator Owner),
ERSTELLERGRUPPE (Creator Group) and "Domain Admins" accounts already
filled in
---> What would you suggest? Remove all unwanted accounts first and then
follow the wiki? I remember trouble started when I removed the
"Everyone" account.
Extended attributes on [home] look like this at this point
root@fileserver2:/var/log/samba# LANG=en_US getfacl /var/share/samba/homes/
getfacl: Removing leading '/' from absolute path names
# file: var/share/samba/homes/
# owner: root
# group: MYDOMAIN\134domain\040admins
user::rwx
group::rwx
other::r-x
BTW: On this server, I changed the id ranges to more modest values
root@fileserver2:/var/log/samba# grep idmap /etc/samba/smb.conf
;; Default idmap config used for BUILTIN and local accounts/groups
idmap config * : backend = tdb
idmap config * : range = 2000-9999
;; idmap config for domain MYDOMAIN
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999
This is correctly reflected in the id mappings
root@fileserver2:/var/log/samba# net idmap dump
dumping id mapping from /var/lib/samba/winbindd_idmap.tdb
GID 2004 S-1-5-11
USER HWM 2000
GID 2002 S-1-1-0
GID 2003 S-1-5-2
GROUP HWM 2005
Thanks and best regards
Udo
On 14.10.2016 at 14:59, L.P.H. van Belle via samba wrote:
> On my domain member.
> cat /etc/samba/samba_usermapping
> !root = NTDOM\Administrator NTDOM\administrator
>
> And in smb.conf (global)
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/samba_usermapping
>
> .. reboot ! the server..
Fun fact: It worked for me without a reboot .... Corrected my typo in
user.map, went back to ADUC, reopened the Management Console and "Local
users and groups" was not locked anymore. Could finally access the
shares dialog box, but am now a little scared as to how to deal with
those unwanted accounts. Previously I had locked myself out. See my
other reply.
>
> and dont forget to login into the domain as DOMAIN\Adminstrator on you pc.
> now try again.
> And right clik choose connect to , select your server name (not localhost)
Thanks and best regards
Create a new "Administrator" account but DON'T use the name Administrator.
Use Admin or any other name that does not exist in your Linux environment.
And add this one to "Domain Admins".
Now log in again with the new admin. Remove the wrongly created users.
Note: it may be that you need to set the rights on share and folders again.
So do check.
> Fun fact: It worked for me without a reboot ....
Great. Sometimes it does not, so that's why the reboot, but if it works, OK.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Udo Willke via
> samba
> Sent: Friday, 14 October 2016 16:14
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Unable to set up home share correctly
>
Are you following this wiki page ?
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
Also, when you changed the ranges in smb.conf, have you changed the
uidNumber & gidNumber attributes in AD ?
Yes, the page is linked in the "Preparatory work" section of the "User
home drives" page <https://wiki.samba.org/index.php/User_home_drives>
However it is not very specific as to what permissions should actually
be configured: "Go to the "Security" tab, click the "Edit" button and
configure the desired Windows ACLs".
>
> Also, when you changed the ranges in smb.conf, have you changed the
> uidNumber & gidNumber attributes in AD ?
Not necessary in my opinion as I only modified the "overkill" range of
the * domain (100000 - 2^32-1).
BTW: There is no range checking in the code. I started with 2^32 =
4294967296 as the upper limit and the mapping didn't work at all.
Discovered later in the logs the range was parsed into "range 100000-0".
Two questions:
1) Do you agree with the directions given by L.P.H. van Belle: Create
new user "Admin" and remove all the already filled in accounts (much
like in the screenshot on the
<https://wiki.samba.org/index.php/Shares_with_Windows_ACLs> page?
2) Can you elaborate on this?
I have removed the rfc2307-IDs now. I guess going to the "Unix
Attributes" tab in ADUC and setting "NIS Domain" to "none" is
sufficient?
--> No, it should show your domain name.
Hmm, the "NIS Domain" setting is a drop-down menu. When I choose
mydomain (in lower case this time) a UID Number is automatically
assigned, when I choose <none> the fields are greyed out. So "no
uidNumber" and "should show your domain name" don't work at the same
time. Or should I choose mydomain and delete the remaining field
entries?
Thanks a lot and best regards
Udo
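Since the two smb.conf fragments in this thread differ only in their `*` range, and an upper bound of 2^32 was accepted and turned into `100000-0` without any error, here is an added example (not from the thread or the Samba project) that checks the idmap ranges of an smb.conf before winbind is restarted: LOW-HIGH syntax, LOW <= HIGH, HIGH no larger than 4294967295, a `*` default range present, no two domains with overlapping ranges, and no range starting below 1000 (this last rule is the example's own assumption, based on Ubuntu allocating local users from 1000 upwards). The two configuration fragments inside the block are constructed from the ones posted.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: check the
# "idmap config <DOMAIN> : range = LOW-HIGH" lines of an smb.conf before
# restarting winbind. Samba accepted 4294967296 and turned the range into
# "100000-0" (as reported in the thread), so this catches that class of
# mistake up front. The "nothing below 1000" rule is this example's own
# assumption (Ubuntu allocates local users from 1000 upwards).

MAX_ID='4294967295'   # largest value a 32-bit uid_t/gid_t can hold

# validate_idmap_ranges < smb.conf
# Prints one problem per line ("idmap config DOMAIN: ..."), nothing if clean;
# exit status 1 if anything was found.
validate_idmap_ranges() {
  awk -v maxstr="$MAX_ID" '
    function fail(d, msg) { failed++; print "idmap config " d ": " msg }
    BEGIN { max = maxstr + 0 }
    # only uncommented "idmap config ... : range = ..." lines, any letter case
    tolower($0) ~ /^[ \t]*idmap[ \t]+config[ \t]+[^:]+:[ \t]*range[ \t]*=/ {
      split($0, parts, ":")
      dom = parts[1]; sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", dom); sub(/[ \t]+$/, "", dom)
      val = parts[2]; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      if (dom in lo) { fail(dom, "range is defined more than once; the last definition wins"); next }
      n = split(val, r, "-")
      if (n == 2) { sub(/[ \t]+$/, "", r[1]); sub(/^[ \t]+/, "", r[2]) }
      if (n != 2 || r[1] !~ /^[0-9]+$/ || r[2] !~ /^[0-9]+$/) { fail(dom, "range \"" val "\" is not LOW-HIGH"); next }
      lo[dom] = r[1] + 0; hi[dom] = r[2] + 0; lostr[dom] = r[1]; histr[dom] = r[2]; order[++cnt] = dom
      if (lo[dom] > hi[dom]) fail(dom, "low end " r[1] " is above high end " r[2])
      if (hi[dom] > max)     fail(dom, "high end " r[2] " exceeds the 32-bit id limit " maxstr)
      if (lo[dom] < 1000)    fail(dom, "low end " r[1] " collides with local system accounts (below 1000)")
    }
    END {
      if (!("*" in lo)) fail("*", "no default range; BUILTIN and well-known SIDs cannot be mapped")
      # every pair of domains must have disjoint ranges
      for (i = 1; i <= cnt; i++)
        for (j = i + 1; j <= cnt; j++) {
          a = order[i]; b = order[j]
          if (lo[a] <= hi[b] && lo[b] <= hi[a])
            fail(a, "range " lostr[a] "-" histr[a] " overlaps " b " range " lostr[b] "-" histr[b])
        }
      exit (failed > 0)
    }
  '
}

# Constructed smb.conf fragments: the member server ranges posted in the
# thread, and a variant with the 2^32 upper bound plus an overlapping domain range.
GOOD_CONF='[global]
   ;; Default idmap config used for BUILTIN and local accounts/groups
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   ;; idmap config for domain MYDOMAIN
   idmap config MYDOMAIN : backend = ad
   idmap config MYDOMAIN : schema_mode = rfc2307
   idmap config MYDOMAIN : range = 10000-99999'

BAD_CONF='[global]
   idmap config * : backend = tdb
   idmap config * : range = 100000-4294967296
   idmap config MYDOMAIN : backend = ad
   idmap config MYDOMAIN : range = 10000-200000'

printf '%s\n' "$GOOD_CONF" | validate_idmap_ranges && echo "GOOD_CONF: ranges OK"
printf '%s\n' "$BAD_CONF"  | validate_idmap_ranges || echo "BAD_CONF: fix smb.conf before restarting winbind"
```

Run it as `validate_idmap_ranges < /etc/samba/smb.conf` on each member server; an overlap between the `*` range and a domain range is the case to watch for, because the tdb backend then allocates ids for BUILTIN groups out of the same numbers the `ad` backend expects to find as uidNumber/gidNumber in the directory.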
> However it is not very specific as to what permissions should
> actually be configured: "Go to the "Security" tab, click the "Edit"
> button and configure the desired Windows ACLs".
>
What it means is, you need to add/change the users and groups and set
permissions to meet your requirements.
> >
> > Also, when you changed the ranges in smb.conf, have you changed the
> > uidNumber & gidNumber attributes in AD ?
>
> Not necessary in my opinion as I only modified the "overkill" range
> of the * domain (100000 - 2^32 -1) .
>
> BTW: There is no range checking in the code. I started with 2^32 =
> 4294967296 as the upper limit and the mapping didn't work at all.
> Discovered later in the logs the range was parsed into "range
> 100000-0".
>
> Two questions:
>
> 1) Do you agree with the directions given by L.P.H. van Belle: Create
> new user "Admin" and remove all the already filled in accounts (much
> like in the screenshot on the
> <https://wiki.samba.org/index.php/Shares_with_Windows_ACLs> page?
This is up to you; doing what Louis is suggesting is security
through obscurity. It means that anybody trying to get into your system
has to know (or obtain by whatever means) not only the password, they
also have to know the username to go with it.
As for removing the accounts, you need to decide just who has access
and how much access they have, this may mean removing, altering or
adding accounts.
>
> 2) Can you elaborate on this?
>
I think I just did ;-)
> I have removed the rfc2307-IDs now. I guess going to the "Unix
> Attributes" tab in ADUC and setting "NIS Domain" to "none" is
> sufficient?
>
> --> No, it should show your domain name.
>
> Hmm, the "NIS Domain" setting is a drop-down menu. When I choose
> mydomain (in lower case this time) a UID Number is automatically
> assigned, when I choose <none> the fields are greyed out. So "no
> uidNumber" and "should show your domain name" don't work at the same
> time. Or should I choose mydomain and delete the remaining field
> entries?
If the windows machine that ADUC is running on is joined to the domain,
it normally allows you to set the domain on the 'Unix Attributes' tab
and setting this, fills in all the other boxes (uidNumber etc)
Sorry for asking this twice, I just wanted to see if I understood
everything correctly.
So, to summarize the discussion:
System accounts should not have rfc2307 IDs, only (unprivileged) users
should. The Administrator account is the exception. It can be mapped to
root through the "username map" directive
Today, I followed the wiki page
<https://wiki.samba.org/index.php/User_home_drives> with all the
prerequisites. Unfortunately, the automatic home folder creation still
does not work. So I checked all my logs and I guess I have another
problem with DDNS and DHCP:
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: starting transaction on
zone 6.168.192.in-addr.arpa
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: spnego update failed
Oct 17 16:15:41 addc01 named[6074]: client 127.0.0.1#59487/key rndc-key:
updating zone '6.168.192.in-addr.arpa/NONE': update failed: rejected by
secure update (REFUSED)
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: cancelling transaction on
zone 6.168.192.in-addr.arpa
Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPREQUEST for 192.168.6.56 from
00:0c:29:3c:4c:bc (Admin-PC) via ens32
Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPACK on 192.168.6.56 to
00:0c:29:3c:4c:bc (Admin-PC) via ens32
Oct 17 16:15:41 addc01 dhcpd[6062]: Unable to add reverse map from
56.6.168.192.in-addr.arpa. to Admin-PC.mydomain.lan: REFUSED
This translates into missing PTR records of my two virtual PCs in the
DNS (configured to get their IPs over DHCP). Can this be related to my
first problem or has this other side effects?
When I run the command
samba_dnsupdate --verbose --all-names
everything looks fine.
Is this a known issue/mistake in the configuration?
Best regards
Udo
On Mon, 17 Oct 2016 17:14:43 +0200
Udo Willke via samba <sa...@lists.samba.org> wrote:
> So, to summarize the discussion:
>
> System accounts should not have rfc2307 IDs, only (unprivileged)
> users should. The Administrator account is the exception. It can be
> mapped to root through the "username map" directive
Basically yes, you can also give Domain Admins a gidNumber and then
make any users you want to be admins, members of this group.
>
> Today, I followed the wiki page
> <https://wiki.samba.org/index.php/User_home_drives> with all the
> prerequisites. Unfortunately, the automatic home folder creation
> still does not work.
Just followed it myself and it does work against a Samba fileserver.
Where do you expect the home directory to be created ?
Is it on a Samba machine and if so what have you got in smb.conf ?
> So I checked all my logs and I guess I have
> another problem with DDNS and DHCP:
>
> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: starting transaction
> on zone 6.168.192.in-addr.arpa
> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: spnego update failed
> Oct 17 16:15:41 addc01 named[6074]: client 127.0.0.1#59487/key
> rndc-key: updating zone '6.168.192.in-addr.arpa/NONE': update failed:
> rejected by secure update (REFUSED)
> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: cancelling transaction
> on zone 6.168.192.in-addr.arpa
> Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPREQUEST for 192.168.6.56 from
> 00:0c:29:3c:4c:bc (Admin-PC) via ens32
> Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPACK on 192.168.6.56 to
> 00:0c:29:3c:4c:bc (Admin-PC) via ens32
> Oct 17 16:15:41 addc01 dhcpd[6062]: Unable to add reverse map from
> 56.6.168.192.in-addr.arpa. to Admin-PC.mydomain.lan: REFUSED
>
Are you running the dhcp server on the DC along with Bind9 ?
If so, please post your dhcpd.conf
> This translates into missing PTR records of my two virtual PCs in the
> DNS (configured to get their IPs over DHCP). Can this be related to
> my first problem or has this other side effects?
>
Not having reverse records isn't going to help, but I don't think this is
your problem.
On 17.10.2016 at 18:06, Rowland Penny via samba wrote:
> See inline comments:
>
> On Mon, 17 Oct 2016 17:14:43 +0200
> Udo Willke via samba <sa...@lists.samba.org> wrote:
>
>> So, to summarize the discussion:
>>
>> System accounts should not have rfc2307 IDs, only (unprivileged)
>> users should. The Administrator account is the exception. It can be
>> mapped to root trough the "username map" directive
> Basically yes, you can also give Domain Admins a gidNumber and then
> make any users you want to be admins, members of this group.
>
>> Today, I followed the wiki page
>> <https://wiki.samba.org/index.php/User_home_drives> with all the
>> prerequisites. Unfortunately, the automatic home folder creation
>> still does not work.
> Just followed it myself and it does work against a Samba fileserver.
Hmm, then I must be doing it wrong somehow ... :-[
>
> Where do you expect the home directory to be created ?
On the Samba member server as defined in the [home] share definition
(and also as defined in the user profile (home drive/home share))
> Is it on a Samba machine and if so what have you got in smb.conf ?
Here comes my smb.conf of the member server == file server
[global]
netbios name = FILESERVER2
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.LAN
server string = Virtual Server
log level = 5
log file = /var/log/samba/%m.log
password server = 192.168.6.8
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
username map = /etc/samba/user.map
;; Use settings from AD for login shell and home directory
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind cache time = 60
;; Default idmap config used for BUILTIN and local accounts/groups
idmap config * : backend = tdb
idmap config * : range = 2000-9999
;; idmap config for domain MYDOMAIN
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
template homedir = /var/share/samba/homes/%U
[home]
path = /var/share/samba/homes
guest ok = no
read only = no
browseable = yes
[profiles]
path = /var/share/samba/profiles
read only = no
store dos attributes = yes
create mask = 0600
directory mask = 0700
guest ok = no
profile acls = yes
csc policy = disable
>
>> So I checked all my logs and I guess I have
>> another problem with DDNS and DHCP:
>>
>> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: starting transaction
>> on zone 6.168.192.in-addr.arpa
>> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: spnego update failed
>> Oct 17 16:15:41 addc01 named[6074]: client 127.0.0.1#59487/key
>> rndc-key: updating zone '6.168.192.in-addr.arpa/NONE': update failed:
>> rejected by secure update (REFUSED)
>> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: cancelling transaction
>> on zone 6.168.192.in-addr.arpa
>> Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPREQUEST for 192.168.6.56 from
>> 00:0c:29:3c:4c:bc (Admin-PC) via ens32
>> Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPACK on 192.168.6.56 to
>> 00:0c:29:3c:4c:bc (Admin-PC) via ens32
>> Oct 17 16:15:41 addc01 dhcpd[6062]: Unable to add reverse map from
>> 56.6.168.192.in-addr.arpa. to Admin-PC.mydomain.lan: REFUSED
>>
> Are you running the dhcp server on the DC along with Bind9 ?
Yes, I do.
> If so, please post your dhcpd.conf
This is my dhcpd.conf
include "/etc/dhcp/ddns-keys/rndc.key";
update-static-leases on;
allow unknown-clients;
use-host-decl-names on;
default-lease-time 3600;
zone mydomain.lan. {
primary 127.0.0.1; # This server is the primary DNS server for the zone
key rndc-key; # Use the key we defined earlier for dynamic updates
}
zone 6.168.192.in-addr.arpa. {
primary 127.0.0.1; # This server is the primary reverse DNS server for the zone
key rndc-key; # Use the key we defined earlier for dynamic updates
}
subnet 192.168.6.0 netmask 255.255.255.0 {
range 192.168.6.16 192.168.6.63;
authoritative;
option subnet-mask 255.255.255.0;
option routers 192.168.6.1;
option domain-name-servers 192.168.6.8;
option domain-name "mydomain.lan";
ddns-domainname "mydomain.lan.";
# ddns-rev-domainname "6.168.192.in-addr.arpa.";
ddns-rev-domainname "in-addr.arpa.";
}
ddns-update-style interim;
max-lease-time 7200;
authoritative;
log-facility local7;
My intention was to have static addresses for the DC(s) and the file
server(s) from 192.168.6.1 - 192.168.6.15 and use DHCP for the Windows 7
workstations (easier to roll out).
Best regards
Udo
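The named and dhcpd lines quoted in the message above already contain the reason the PTR records are missing: dhcpd signs its update with the TSIG key `rndc-key` (the `key rndc-key;` in both zone statements of the posted dhcpd.conf), and named rejects it for the samba_dlz zone with "rejected by secure update (REFUSED)", i.e. that zone only accepts secure (GSS-TSIG) updates. The script below is an added example, not code from the thread or from Samba; it pulls that correlation out of a syslog excerpt so the same diagnosis can be made from a larger log. The only input is the log excerpt quoted above, embedded verbatim; the regexes are written against those line formats.

```python
"""Correlate dhcpd DDNS failures with named's refusal lines.

Added example, not code from the thread. SAMPLE_LOG is the excerpt
quoted in the message above; no other data is assumed.
"""
import re

# named: "client <addr>/key <tsig key>: updating zone '<zone>/<view>': update failed: <reason>"
NAMED_REFUSED = re.compile(
    r"named\[\d+\]: client (?P<client>\S+)/key (?P<key>\S+): updating zone "
    r"'(?P<zone>[^/']+)/[^']*': update failed: (?P<reason>.+)$"
)
# dhcpd: lease acknowledgement carrying the client's hostname
DHCPD_ACK = re.compile(
    r"dhcpd\[\d+\]: DHCPACK on (?P<ip>\S+) to (?P<mac>\S+) \((?P<host>[^)]+)\)"
)
# dhcpd: the DDNS step that failed, with the DNS rcode
DHCPD_FAIL = re.compile(
    r"dhcpd\[\d+\]: Unable to add (?P<kind>forward|reverse) map from "
    r"(?P<name>\S+) to (?P<target>\S+): (?P<rcode>\w+)$"
)

SAMPLE_LOG = """\
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: starting transaction on zone 6.168.192.in-addr.arpa
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: spnego update failed
Oct 17 16:15:41 addc01 named[6074]: client 127.0.0.1#59487/key rndc-key: updating zone '6.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: cancelling transaction on zone 6.168.192.in-addr.arpa
Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPREQUEST for 192.168.6.56 from 00:0c:29:3c:4c:bc (Admin-PC) via ens32
Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPACK on 192.168.6.56 to 00:0c:29:3c:4c:bc (Admin-PC) via ens32
Oct 17 16:15:41 addc01 dhcpd[6062]: Unable to add reverse map from 56.6.168.192.in-addr.arpa. to Admin-PC.mydomain.lan: REFUSED
"""


def ptr_name(ip):
    """192.168.6.56 -> 56.6.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def analyse(lines):
    """Return one dict per failed DDNS update: record, zone, the TSIG key
    named saw, named's reason, and the DHCP client the record belonged to."""
    refusals, ptr_to_host, failures = {}, {}, []
    for line in lines:
        if (m := NAMED_REFUSED.search(line)):
            refusals[m["zone"]] = {"key": m["key"], "reason": m["reason"], "client": m["client"]}
        elif (m := DHCPD_ACK.search(line)):
            ptr_to_host[ptr_name(m["ip"])] = m["host"]
        elif (m := DHCPD_FAIL.search(line)):
            failures.append(m.groupdict())
    report = []
    for f in failures:
        # the failed record belongs to whichever refused zone it sits under
        zone = next((z for z in refusals if f["name"].endswith("." + z + ".")), None)
        entry = {"record": f["name"], "target": f["target"], "kind": f["kind"],
                 "rcode": f["rcode"], "zone": zone, "host": ptr_to_host.get(f["name"])}
        entry.update(refusals.get(zone, {}))
        report.append(entry)
    return report


def secure_update_refusals(report):
    """Failures where the zone accepted only secure (GSS-TSIG) updates, so
    the plain TSIG key dhcpd signed with could never be accepted."""
    return [r for r in report if "rejected by secure update" in r.get("reason", "")]


if __name__ == "__main__":
    for r in secure_update_refusals(analyse(SAMPLE_LOG.splitlines())):
        print(f"{r['host']}: {r['kind']} record {r['record']} refused in zone "
              f"{r['zone']} (signed with key {r['key']}: {r['reason']})")
```

Run against the excerpt it reports the single refused PTR for Admin-PC, signed with `rndc-key`, in zone `6.168.192.in-addr.arpa`. On a longer log the same code lists every host whose forward or reverse record was refused for that reason, which is the set of hosts to expect to be missing from DNS.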
On Mon, 17 Oct 2016 23:09:34 +0200
Udo Willke via samba <sa...@lists.samba.org> wrote:
> Hello Rowland,
>
> >> Today, I followed the wiki page
> >> <https://wiki.samba.org/index.php/User_home_drives> with all the
> >> prerequisites. Unfortunately, the automatic home folder creation
> >> still does not work.
> > Just followed it myself and it does work against a Samba fileserver.
> Hmm, then I must be doing it wrong somehow ... :-[
> >
> > Where do you expect the home directory to be created ?
>
> On the Samba member server as defined in the [home] share definition
> (and also as defined in the user profile (home drive/home share))
>
> > Is it on a Samba machine and if so what have you got in smb.conf ?
>
> Here comes my smb.conf of the member server == file server
>
> [global]
> netbios name = FILESERVER2
> security = ADS
> workgroup = MYDOMAIN
> realm = MYDOMAIN.LAN
> server string = Virtual Server
>
> log level = 5
> log file = /var/log/samba/%m.log
>
> password server = 192.168.6.8
>
It would be better if you let Samba find the AD DC
If you want to use the template line, you do not need the 'schema_mode'
line in 'idmap config'
>
>
> [home]
> path = /var/share/samba/homes
> guest ok = no
> read only = no
> browseable = yes
Sure you are following the wiki page? Just where on that page does it
tell you to add the 'guest ok' and 'browseable' lines??
>
> [profiles]
> path = /var/share/samba/profiles
> read only = no
> store dos attributes = yes
> create mask = 0600
> directory mask = 0700
> guest ok = no
> profile acls = yes
> csc policy = disable
> >
There is also a wiki page on setting up the profile share, see here:
https://wiki.samba.org/index.php/Implementing_roaming_profiles
I would look at the 'shares' wiki page again, follow it to the letter,
adding the users & groups shown, removing any others not shown and see
if you can make it work.
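The smb.conf posted by Udo above and Rowland's reply to it turn on a few settings that are worth checking mechanically before a member server goes live: the `*` and domain idmap ranges must not overlap (two SIDs mapping to one UID means one user can read another's files), a domain whose backend has no range never gets its users mapped at all, and `guest ok` or `map to guest` should never be on by accident. The script below is an added example, not code from the thread or the Samba project. It parses a cut-down copy of the posted configuration (embedded inline) and a constructed variant with two faults, and reports findings the way a reviewer on this list would; the `password server` finding is Rowland's point from the reply above.

```python
"""Lint a Samba member-server smb.conf for idmap and guest settings.

Added example, not code from the thread or from Samba. POSTED_CONF is a
cut-down copy of the configuration posted above; BROKEN_CONF is a
constructed variant with an overlapping idmap range and a guest share.
"""
import re

RANGE_KEY = re.compile(r"^idmap config (?P<dom>.+?)\s*:\s*range$")
BACKEND_KEY = re.compile(r"^idmap config (?P<dom>.+?)\s*:\s*backend$")
RANGE_VALUE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

POSTED_CONF = """\
[global]
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.LAN
log file = /var/log/samba/%m.log
password server = 192.168.6.8
;; Default idmap config used for BUILTIN and local accounts/groups
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999
[home]
path = /var/share/samba/homes
guest ok = no
read only = no
"""

# Constructed variant: '*' range pushed up into the domain range, [home] opened to guests.
BROKEN_CONF = POSTED_CONF.replace("2000-9999", "2000-19999").replace(
    "guest ok = no", "guest ok = yes")


def parse_smb_conf(text):
    """Return {section: {key: value}}. Keys are lower-cased with whitespace
    collapsed, so 'idmap config MYDOMAIN : range' is a single key; only the
    first '=' splits key from value; ';' and '#' lines are comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def lint(conf):
    """Return [(severity, message)] for a domain member's smb.conf."""
    findings, g = [], conf.get("global", {})
    if g.get("security", "").lower() != "ads":
        findings.append(("error", "a domain member needs 'security = ADS'"))
    ranges = {}
    for key, value in g.items():
        if (m := RANGE_KEY.match(key)):
            v = RANGE_VALUE.match(value)
            if not v:
                findings.append(("error", f"unparsable idmap range for '{m['dom']}': {value!r}"))
                continue
            ranges[m["dom"]] = (int(v[1]), int(v[2]))
    for key in g:
        # idmap backends ignore every ID outside their range, so a missing range
        # means no user of that domain is ever mapped
        if (m := BACKEND_KEY.match(key)) and m["dom"] not in ranges:
            findings.append(("error", f"idmap domain '{m['dom']}' has a backend but no range"))
    for dom, (lo, hi) in ranges.items():
        if lo >= hi:
            findings.append(("error", f"idmap range for '{dom}' is empty or reversed: {lo}-{hi}"))
        if lo < 1000:
            findings.append(("warn", f"idmap range for '{dom}' starts at {lo}, inside local system accounts"))
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(("error", f"idmap ranges '{a}' {alo}-{ahi} and '{b}' {blo}-{bhi} "
                                          "overlap: two SIDs can map to one UID"))
    if g.get("map to guest", "never").lower() != "never":
        findings.append(("warn", "'map to guest' turns failed logons into guest sessions"))
    if "password server" in g:
        findings.append(("info", "'password server' pins one DC; unset it and let Samba find DCs via DNS"))
    for name, share in conf.items():
        if name != "global" and share.get("guest ok", "no").lower() in ("yes", "true", "1"):
            findings.append(("warn", f"share [{name}] has 'guest ok = yes'"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("broken", BROKEN_CONF)):
        for severity, message in lint(parse_smb_conf(text)):
            print(f"{label}: {severity}: {message}")
```

On the posted configuration the only finding is the informational one about `password server`; the constructed variant additionally reports the range overlap and the guest share. The check is deliberately stricter than `testparm`, which accepts overlapping ranges without complaint.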
the home folder creation works now(!) It was a misunderstanding on my
side. The key phrase in the wiki is:
"Close the users properties window with „OK“ to save the modification.
**The users home directory is created on the fly during the save
processes.**"
This is a different behaviour as with the "profiles" folders which are
created during the first login with a new account. I thought it would be
the same mechanism with the home shares too, which was wrong. Sorry for
taking so much of your time.
Does folder creation also work when I create user accounts on the linux
side with samba-tool
samba-tool user create kbudwi first_time_passwd \
--userou=CN=Users \
--surname="Willke" \
--given-name="Udo" \
--profile-path="\\\\fileserver\\profiles\\kbudwi" \
--home-drive="H" \
--home-directory="\\\\fileserver\\home\\kbudwi" \
--job-title="IT Specialist" \
--department="Some Department" \
--company="Some Company" \
--description="Some Description" \
--mail-address="Udo.W...@somedomain.edu" \
--internet-address="http://somedomain.edu/somepage" \
--telephone-number="+49 123/4567890" \
--physical-delivery-office="Some Office" \
--nis-domain="mydomain" \
--unix-home="/var/share/samba/homes/kbudwi" \
--uid="$USERNAME" \
--uid-number="$uidNumber" \
--gid-number="$gidNumber" \
--gecos="$PRENAME $NAME" \
--login-shell="/bin/false" \
--must-change-at-next-login
Is the command meant to be used in this way?
What I also noticed is, that wbinfo has the --allocate-gid and
--allocate-uid options which could be used to assign the $uidNumber and
$gidNumber variables in my script. However "samba-tool create user" is
supposed to run as "root" on the DC while "wbinfo --allocate-gid" seems
to give results only on the member server. Is there a possibility to run
everything on the same machine? OK, the obvious solution is to execute
it remotely over ssh.
Many thanks again and best regards
Udo
> --profile-path="\\\\fileserver\\profiles\\kbudwi" \
> --home-directory="\\\\fileserver\\home\\kbudwi" \
Use FQDN. ="\\\\fileserver.domain.tld\\....
https://technet.microsoft.com/en-us/library/cc974331(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc794753(v=ws.10).aspx
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Udo Willke via
> samba
> Sent: Tuesday, 18 October 2016 11:37
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Unable to set up home share correctly
>
> Hello Rowland,
>
> the home folder creation works now(!) It was a misunderstanding on my
> side. The key phrase in the wiki is:
>
> "Close the users properties window with „OK“ to save the
> modification. **The users home directory is created on the fly during
> the save processes.**"
>
> This is a different behaviour as with the "profiles" folders which
> are created during the first login with a new account. I thought it
> would be the same mechanism with the home shares too, which was
> wrong. Sorry for taking so much of your time.
No problem, just glad you got it working ;-)
No, it would be created at first connection, as long as you have set
PAM up to do it for you.
>
> Is the command meant to be used in this way?
Yes, you can script around samba-tool.
>
> What I also noticed is, that wbinfo has the --allocate-gid and
> --allocate-uid options which could be used to assign the $uidNumber
> and $gidNumber variables in my script. However "samba-tool create
> user" is supposed to run as "root" on the DC while "wbinfo
> --allocate-gid" seems to give results only on the member server. Is
> there a possibility to run everything on the same machine? OK, the
> obvious solution is to execute it remotely over ssh.
To be honest, I have never tried using wbinfo to set uid & gid, but if
you are scripting this and can use ldap or ldb tools there are a couple
of attributes you can set in AD, these store the next uid & gid numbers.
You can create users from a domain member with samba-tool, by using the
-H or --url option with ldap://<name of DC>
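Putting the three replies to the posted `samba-tool user create` command together (Rowland: script around samba-tool, use `-H ldap://<DC>` from a member; Louis: use the file server's FQDN in the UNC paths), here is an added example of what such a wrapper looks like. It is not the poster's script and not Samba's own code. It assumes the idmap range `10000-99999` and the `[home]` path from the smb.conf posted earlier in this thread, and uses placeholder host names (`fileserver.mydomain.lan`, `addc01.mydomain.lan`); the caller is expected to supply the next free uidNumber/gidNumber, since samba-tool does not allocate them. Three things the posted one-liner does not do are checked here: the username is restricted to characters that are safe inside a filesystem path and a UNC path, the allocated IDs are rejected when they fall outside the idmap range (winbind's idmap_ad backend silently ignores IDs outside it, so such a user could never log on to the file server), and the password is not passed as a positional argument, so it does not show up in `ps` or the shell history.

```python
"""Build and run `samba-tool user create` from a script.

Added example, not the poster's script and not Samba's code. Assumptions:
IDMAP_RANGE and HOMES_ROOT come from the smb.conf posted in this thread;
FILESERVER_FQDN, DC_URL and NIS_DOMAIN are placeholders.
"""
import os
import re
import subprocess
from dataclasses import dataclass

IDMAP_RANGE = (10000, 99999)                 # 'idmap config MYDOMAIN : range'
HOMES_ROOT = "/var/share/samba/homes"        # 'path' of the posted [home] share
FILESERVER_FQDN = "fileserver.mydomain.lan"  # assumed; FQDN as Louis advises
DC_URL = "ldap://addc01.mydomain.lan"        # assumed DC for -H, as Rowland describes
NIS_DOMAIN = "mydomain"                      # from the posted command

# sAMAccountName permits more than this; anything else is rejected, not escaped,
# because the name ends up in a Unix path and a UNC path.
SAFE_USERNAME = re.compile(r"^[a-z][a-z0-9._-]{0,19}$")


@dataclass
class NewUser:
    username: str
    given_name: str
    surname: str
    uid_number: int
    gid_number: int
    mail: str = ""
    login_shell: str = "/bin/false"


def in_idmap_range(n, id_range=IDMAP_RANGE):
    lo, hi = id_range
    return lo <= n <= hi


def unc_path(server, share, *parts):
    """('srv', 'home', 'bob') -> \\\\srv\\home\\bob"""
    return "\\\\" + "\\".join((server, share) + parts)


def unix_home(username):
    """Home directory under HOMES_ROOT; refuses anything that normalises elsewhere."""
    home = os.path.normpath(os.path.join(HOMES_ROOT, username))
    if os.path.dirname(home) != HOMES_ROOT:
        raise ValueError(f"home directory for {username!r} escapes {HOMES_ROOT}")
    return home


def build_create_argv(u):
    """argv for samba-tool; no positional password, so samba-tool prompts for it."""
    if not SAFE_USERNAME.match(u.username):
        raise ValueError(f"unsafe username {u.username!r}")
    for label, n in (("uidNumber", u.uid_number), ("gidNumber", u.gid_number)):
        if not in_idmap_range(n):
            raise ValueError(f"{label} {n} outside idmap range {IDMAP_RANGE[0]}-{IDMAP_RANGE[1]}")
    argv = [
        "samba-tool", "user", "create", u.username,
        "-H", DC_URL,
        "--given-name", u.given_name,
        "--surname", u.surname,
        "--home-drive", "H",
        "--home-directory", unc_path(FILESERVER_FQDN, "home", u.username),
        "--profile-path", unc_path(FILESERVER_FQDN, "profiles", u.username),
        "--nis-domain", NIS_DOMAIN,
        "--unix-home", unix_home(u.username),
        "--uid", u.username,
        "--uid-number", str(u.uid_number),
        "--gid-number", str(u.gid_number),
        "--gecos", f"{u.given_name} {u.surname}",
        "--login-shell", u.login_shell,
        "--must-change-at-next-login",
    ]
    if u.mail:
        argv += ["--mail-address", u.mail]
    return argv


def create_user(u, runner=subprocess.run):
    """Run as an argv list, never through a shell, so a department or phone
    number containing quotes or spaces cannot alter the command."""
    return runner(build_create_argv(u), check=True)


if __name__ == "__main__":
    print(" ".join(build_create_argv(NewUser("kbudwi", "Udo", "Willke", 10001, 10000))))
```

When run against a remote DC the account running the script needs domain credentials for the LDAP connection (a Kerberos ticket, or `-U` to let samba-tool prompt); the wrapper leaves that to samba-tool's own options rather than embedding a password.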