
[Samba] chgrp "Domain Admins" on folder return invalid group "Domain Admins"


Jules Houantonon

Apr 4, 2016, 2:00:04 PM
Dear Samba users and admins,

I am trying to deploy Samba4 as a domain controller and a file server and
having some issues.

The domain has been well provisioned with the option --use-rfc2307

I am then trying to create a share by following this Samba wiki page:
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

The problem is that I cannot succeed in changing the group owner of the
folder I want to share, as recommended, with the following command:

chgrp "Domain Admins" /home/demo

When I try the chgrp command I receive an error: invalid group "Domain
Admins".

I then read the article that explains the subject of setting up rfc2307
in AD:
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#NIS_Extensions_installed_inside_the_directory

and can confirm that the "ypServ30" container exists.

I wonder what is happening and if anyone could help me.
Thank you for reading and helping
Regards


Jules HOUANTONON
*Phone* : (00229) 97578914
*Email *: jules...@gmail.com
*Skype* : houantonon
*linkedin* : www.linkedin.com/in/jhouantonon/en
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Denis Cardon

Apr 5, 2016, 3:10:04 AM
Hi Jules,

> I am trying to deploy Samba4 as a domain controller and a file server and
> having some issues.
>
> The domain has been well provisioned with the option --use-rfc2307
>
> I am then trying to create a share by following this Samba wiki page:
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>
> The problem is that I cannot succeed in changing the group owner of the
> folder I want to share, as recommended, with the following command:
>
> chgrp "Domain Admins" /home/demo
>
> When I try the chgrp command I receive an error: invalid group "Domain
> Admins".
>
> I then read the article that explains the subject of setting up rfc2307
> in AD:

When using rfc2307, you have to define a uid or gid for all the users
and groups that you plan to use on your fileserver. By default "domain
admins" group has no gid, only a SID. So you have to set it up. If there
is no gid, you can still see it with wbinfo -g, but you won't see it
using getent group <groupname>.

HTH,

Denis

> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#NIS_Extensions_installed_inside_the_directory
>
> and can confirm that the "ypServ30" container exists.
>
> I wonder what is happening and if anyone could help me.
> Thank you for reading and helping
> Regards
>
>
> Jules HOUANTONON
> *Phone* : (00229) 97578914
> *Email *: jules...@gmail.com
> *Skype* : houantonon
> *linkedin* : www.linkedin.com/in/jhouantonon/en
>

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

Jules Houantonon

Apr 5, 2016, 6:10:04 AM
Hi Denis,

Thank you for your mail.

I assigned the GID 10000 to the domain admins group through ADUC, and
wbinfo --info-group "domain admins" displays the correct output.

But I am still not able to execute successfully #chgrp "Domain Admins"
/home/demo

And when I go to ADUC and try to open the Unix Attributes of the domain admins
group, I have the error "Unable to execute". But ADUC still displays the
content of the tab with the correct NIS domain and the GID.

Is it normal?

Thank you for helping.

Regards

L.P.H. van Belle

Apr 5, 2016, 6:20:03 AM
Hai Jules.

> And when I go to ADUC and try to open the Unix Attributes of the domain admins
> group, I have the error "Unable to execute".

Yeah, that can happen.
I fixed this by first setting the GID on the groups.
And then assigning the users; after a few clicks it's gone.
At least for me, you can safely ignore it, the setting will be done.

Try:
getent group "domain admins"
If that doesn't give results back, you're unable to set it with chgrp.
Then check your resolv.conf and nsswitch.conf and make sure the GID is set in AD.


Greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Jules Houantonon
> Sent: Tuesday 5 April 2016 12:06
> To: Denis Cardon
> CC: sa...@lists.samba.org
> Subject: Re: [Samba] chgrp "Domain Admins" on folder return invalid
> group "Domain Admins"

Rowland penny

Apr 5, 2016, 6:40:03 AM
On 05/04/16 11:06, Jules Houantonon wrote:
> Hi Denis,
>
> Thank you for your mail.
>
> I assigned the GID 10000 to the domain admins group through ADUC, and
> wbinfo --info-group "domain admins" displays the correct output.

You need to ensure that 'getent group Domain\ Admins' displays the
required info, on one of my DCs:

root@dc1:~# getent group Domain\ Admins
SAMDOM\domain admins:x:10001:

What I think you are missing, are the libnss links, see here for info:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind

I know the page refers to a domain member, but it is the same basic
setup on a DC.

You may also want to consider giving 'Domain Users' a gidNumber

Rowland

>
> But I am still not able to execute successfully #chgrp "Domain Admins"
> /home/demo
>
> And when I go to ADUC and try to open the Unix Attributes of the domain admins
> group, I have the error "Unable to execute". But ADUC still displays the
> content of the tab with the correct NIS domain and the GID.
>
> Is it normal?
>
> Thank you for helping.
>
> Regards
>
>


Jules Houantonon

Apr 5, 2016, 8:50:03 AM
Dear all,

Thank you for your previous mails. They really helped me.

Denis, following your mail and thanks to the link, I configured my
/etc/nsswitch.conf file by adding winbind to the user and group lines and
executed the winbindd command.

As I installed samba4 from the Sernet package, init scripts were created for
starting AD, smbd, nmbd and winbindd. But I read that smbd, nmbd and
winbindd should be disabled to start samba4 in AD mode. There was even a
warning generated if the winbindd service was kept started. So I did
not touch them, as they are disabled.

But after making the nsswitch.conf changes, I am able to execute chgrp "domain
admins" /home/demo successfully and ls -l /home displays the permissions with
the suitable group.

wbinfo -u also returns the users created in AD, and wbinfo -g also displays
the AD domain groups.

I suppose that things are OK now.

But when I try getent passwd,
I do not have the domain users displayed. Only local user accounts appear.

I wonder if it is normal.

Thank you for helping again and for your time.

Regards

--
Jules HOUANTONON
*Phone* : (00229) 97578914
*Email *: jules...@gmail.com
*Skype* : houantonon
*linkedin* : www.linkedin.com/in/jhouantonon/en

Rowland penny

Apr 5, 2016, 9:10:04 AM
On 05/04/16 13:46, Jules Houantonon wrote:
> Dear all,
>
> Thank you for your previous mails. They really helped me.
>
> Denis, following your mail and thanks to the link, I configured my
> /etc/nsswitch.conf file by adding winbind to the user and group lines and
> executed the winbindd command.
>
> As I installed samba4 from the Sernet package, init scripts were created for
> starting AD, smbd, nmbd and winbindd. But I read that smbd, nmbd and
> winbindd should be disabled to start samba4 in AD mode. There was even
> a warning generated if the winbindd service was kept started.
> So I did not touch them, as they are disabled.

It has been some time since I used a Sernet package, but I seem to
remember that it came with an init script to start the 'samba' daemon
and this will start any other required daemons, try looking in /etc/init.d

>
> But after making the nsswitch.conf changes, I am able to execute chgrp
> "domain admins" /home/demo successfully and ls -l /home displays the
> permissions with the suitable group.
>
> wbinfo -u also returns the users created in AD, and wbinfo -g also
> displays the AD domain groups.
>

All 'wbinfo' shows is that winbindd is running, you need to get 'getent
passwd' to show users and 'getent group' to show groups. Any users &
groups that getent does not show, are unknown to the underlying Unix OS.

> I suppose that things are OK now.
>
> But when I try getent passwd,
> I do not have the domain users displayed. Only local user accounts appear.
>

You normally need to give any users that you need to be visible to Unix,
a unique uidNumber attribute, but on a DC you should get an xidNumber in
the 3000000 range.

Do you have users in /etc/passwd that are in AD ?
If so, choose where you want the user to exist and delete the other,
they cannot be in both databases.

Rowland

Jules Houantonon

Apr 5, 2016, 9:40:04 AM
Thank you Rowland for your mail.

My aim is to create a file server with samba4 and with ACLs supported. Users
must log on through their Windows machines, which are in the domain, to access their shares.

The Samba how-to and your explanations opened my eyes to the interaction between
Samba users and groups and the Linux OS.

From ADUC, I assigned a Unix Attribute to a user account, and automatically
it was given 10000 as its UID; the getent command still does not display it.

So in my plan, users should only exist in Active Directory. Does that mean
that getent can still display user or group information that will only
exist in AD?

Sorry if I am missing something.

Thank you
--
Jules HOUANTONON
*Phone* : (00229) 97578914
*Email *: jules...@gmail.com
*Skype* : houantonon
*linkedin* : www.linkedin.com/in/jhouantonon/en

Rowland penny

Apr 5, 2016, 10:00:05 AM
On 05/04/16 14:32, Jules Houantonon wrote:
> Thank you Rowland for your mail.
>
> My aim is to create a file server with samba4 and with ACLs supported.
> Users must log on through their Windows machines, which are in the domain, to access
> their shares.
>
> The Samba how-to and your explanations opened my eyes to the interaction
> between Samba users and groups and the Linux OS.
>
> From ADUC, I assigned a Unix Attribute to a user account, and
> automatically it was given 10000 as its UID; the getent command still does not
> display it.

The next one should get 10001

>
> So in my plan, users should only exist in Active Directory. Does that
> mean that getent can still display user or group information that will
> only exist in AD?
>

getent will display users known to the underlying OS, this is done by
specifying what methods to use in /etc/nsswitch.conf. For users, there
is a line that starts 'passwd', this normally contains 'compat ' or
'files' and will mean 'getent passwd auser' will return the users info
found in the file /etc/passwd. If you want to use a different method to
get a user's info, you would add it after 'compat ' or 'files'
i.e. to use winbind 'passwd compat winbind'. This would mean that when
you run 'getent passwd auser' , the user would be found by first
searching in /etc/passwd (this is why you cannot have users in
/etc/passwd & AD) and then by asking winbind. On a DC, winbind would
assign an xidNumber and then store it in idmap.ldb *or* you can give
each user a 'uidNumber' and then this will be used instead, only problem
is that the old xidNumber will take precedence for a time, but you can
short circuit this by running:

net cache flush


> Sorry if i am missing something.
>
> Thank you
>


Jules Houantonon

Apr 5, 2016, 10:30:03 AM
Thank you Rowland,

I did not change my existing configuration, as I had already put the
winbind value on both the passwd and group lines in nsswitch.conf.

But I executed the net cache flush command and then tried the getent command by
providing the user name, and it works.

It provides output for a demo account that is only created in AD and has
Unix attributes assigned:
#getent passwd demo
demo:*:10001:10001:demo demo:/home/DEMO/demo:/bin/false

So now, I should be able to define file or folder rights from the Linux OS with
AD users.

I think that we can consider this subject Solved with your permission.

Many thanks again
--
Jules HOUANTONON
*Phone* : (00229) 97578914
*Email *: jules...@gmail.com
*Skype* : houantonon
*linkedin* : www.linkedin.com/in/jhouantonon/en

Jules Houantonon

Apr 5, 2016, 10:30:03 AM
Please, strangely

In AD the user demo has /bin/sh as its shell and with getent we have
/bin/false.

Is it normal?





On Tue, Apr 5, 2016 at 3:22 PM, Jules Houantonon <jules...@gmail.com>
wrote:

Rowland penny

Apr 5, 2016, 10:40:03 AM
On 05/04/16 15:22, Jules Houantonon wrote:
> Thank you Rowland,
>
> I did not change my existing configuration, as I had already put the
> winbind value on both the passwd and group lines in nsswitch.conf.
>
> But I executed the net cache flush command and then tried the getent command
> by providing the user name, and it works.
>
> It provides output for a demo account that is only created in AD and
> has Unix attributes assigned:
> #getent passwd demo
> demo:*:10001:10001:demo demo:/home/DEMO/demo:/bin/false
>
> So now, I should be able to define file or folder rights from the Linux OS
> with AD users.
>
> I think that we can consider this subject Solved with your permission.

There is just one last thing you may want to know, as you can see, every
user's home path is set to '/home/DEMO/' and their shell is set to
'/bin/false'. You can change these if you wish, but only on a domain
basis. You probably don't need to change either if your users will never
actually log into the DC, but if they do, these can be changed by adding
'template homedir = /what/ever/path/you/want' & 'template shell = /bin/bash'

Rowland
> /Phone/: (00229) 97578914
> /Email /: jules...@gmail.com <mailto:jules...@gmail.com>
> /Skype/ : houantonon
> /linkedin/ : www.linkedin.com/in/jhouantonon/en
> <http://www.linkedin.com/in/jhouantonon/en>

Rowland penny

Apr 5, 2016, 10:40:03 AM
On 05/04/16 15:26, Jules Houantonon wrote:
> Please, strangely
>
> In AD the user demo has /bin/sh as its shell and with getent we have
> /bin/false.
>
> Is it normal?
>
>

Yes, it is normal on a DC, the only things obtained from AD are
uidNumber & gidNumber attributes.

Rowland