
Re: [Samba] Samba as AD member can not validate domain user


j...@ionica.lv, Apr 7, 2015, 2:16:01 AM

Quoting Rowland Penny <rowlan...@googlemail.com>:

>> after assigning UNIX attributes to users and domain groups all of them have
>> uidNumbers and gidNumbers starting from 10000,
>> ldbsearch gives:
>> dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
>> objectSid: S-1-5-21-216404829-505555237-127066545-513
>> gidNumber: 10000
>>
>>> If you use the 'ad' backend, then giving your users a 'uidNumber'
>>> is not enough, you must give their primarygroup (Domain Users) a
>>> 'gidNumber' attribute.
>
>> all of the AD users are members of the Domain Users group now.
>
> what do you mean 'all of the AD users are members of the Domain
> Users group now.' ??
>
> I hope you haven't changed the users primaryGroupID attribute.

I assigned primary group to each domain user through UNIX
attributes(?) in Windows (8.1) domain management tool, choosing
INTERNAL as NIS realm.

> This is what I get when I run getent on one of my DCs:
>
> root@dc01:~# getent passwd rowland
> EXAMPLE\rowland:*:10000:10000:Rowland Penny:/home/EXAMPLE/rowland:/bin/bash

yes, I am getting similar:
username:*:10000:10000::/home/INTERNAL/username:/bin/false

Some questions related to this -

- can I have a domain user's home directory of the form \\FS\home\username?
As far as I understand, the home directory /home/INTERNAL/username is not
created automatically. I tried to create it by hand (and chown it to
10000.10000) in order to see what changes, but it remained empty.

- does the shell parameter play any role if all domain users are pure
Windows users?

- if the shell is set to /bin/bash, for example, is the domain user
able to log in to the shell of any Linux server that is a domain member?

> Hmm, if I run (on a member server):
>
> getent passwd EXAMPLE\\rowland
>
> I get:
>
> rowland:*:10000:10000::/home/rowland:/bin/bash

Yes, finally, I am getting similar now. I'll check later what effect
it has overall.

Janis

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny, Apr 7, 2015, 4:12:22 AM

You only need the 'template' line if you intend to log into the DC

Rowland

j...@ionica.lv, Apr 12, 2015, 5:34:06 AM

Hi!

the previous problems were solved (thank you, Rowland!), but a few
issues remain:

I get such msg in log:
0. Is it possible to tell samba to output messages in logs as one line
per message (even if it is long one?)

1. [2015/04/12 11:32:39.293583, 3]
../source3/smbd/msdfs.c:971(get_referred_path)
get_referred_path: |shareX| in dfs path \FS\shareX is not a dfs root.
(it seems not to cause problems, as access to other shares that give
the same error is not affected)


2. [2015/04/12 11:32:18.852138, 3]
../libcli/security/dom_sid.c:209(dom_sid_parse_endp) string_to_sid:
SID @INTERNAL\\group is not in a valid format

I get such messages after an attempt to open a share (from smb.conf):
[shareX]
comment = What it serves
path = /home/shares/data/sharex
browseable = yes
read only = no
valid users = @"INTERNAL\\group"
force group = @"INTERNAL\\group"
force create mode = 0660
force directory mode = 0770

the directory is owned by a domain user who is not a member of
INTERNAL\\group, and the group ownership of the dir is INTERNAL\\group. I
do not understand why it is important in that particular case, because
the other, working shares have the same domain user as owner, with
their own specific domain group as group owner.

At the moment I have two non working shares for the specific group and
one - with Domain Users.

In all cases the Windows client complains that the group name cannot be found.
If that could make some sense for the first two cases, for the other it
does not at all, because other shares accessible to Domain Users and having
the respective group ownership work.

getent group INTERNAL\\group gives correct domain group information.

The other issue I have: if a user is not a member of the particular
domain group but has the right to access the share, they are asked
to enter a username/password, but cannot access it anyway:

[shareY]
comment = Other share
path=/home/shares/data/shareY
browseable = yes
read only = no
valid users = @INTERNAL\\group1, @INTERNAL\\otheruser
force group = @INTERNAL\\group1
force create mode = 0660
force directory mode = 0770

j...@ionica.lv, Apr 12, 2015, 6:21:30 AM

Quoting j...@ionica.lv:

> Hi!
>
> the previous problems were solved (thank you, Rowland!), but a few
> issues remain:
>
> I get such msg in log:
> 0. Is it possible to tell samba to output messages in logs as one
> line per message (even if it is long one?)
>
> 1. [2015/04/12 11:32:39.293583, 3]
> ../source3/smbd/msdfs.c:971(get_referred_path)
> get_referred_path: |shareX| in dfs path \FS\shareX is not a dfs root.
> (it seems not to cause problems, as access to other shares that give
> the same error is not affected)
>
>
> 2. [2015/04/12 11:32:18.852138, 3]
> ../libcli/security/dom_sid.c:209(dom_sid_parse_endp) string_to_sid:
> SID @INTERNAL\\group is not in a valid format
>
> I get such messages after an attempt to open a share (from smb.conf):
> [shareX]
> comment = What it serves
> path = /home/shares/data/sharex
> browseable = yes
> read only = no
> valid users = @"INTERNAL\\group"
> force group = @"INTERNAL\\group"
> force create mode = 0660
> force directory mode = 0770

SOLVED:

the valid users line should look like this:
valid users = @INTERNAL\\group

That one remains

> The other issue I have: if a user is not a member of the particular
> domain group but has the right to access the share, they are asked
> to enter a username/password, but cannot access it anyway:
>
> [shareY]
> comment = Other share
> path=/home/shares/data/shareY
> browseable = yes
> read only = no
> valid users = @INTERNAL\\group1, @INTERNAL\\otheruser
> force group = @INTERNAL\\group1
> force create mode = 0660
> force directory mode = 0770

I found one additional problem - when I request Domain Users group
information, no users are listed

getent group "INTERNAL\\Domain Users" returns plain
domain_users:x:10000:
the same goes on DC.

Do I need to create alternative Domain Users group?
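
The fix above was purely about how the group token is written in smb.conf: the quoted form @"INTERNAL\\group" made Samba log "string_to_sid: SID @INTERNAL\\group is not in a valid format" and the Windows client report that the group could not be found, while the unquoted @INTERNAL\\group worked. The following script is an added example, not from the thread or from the Samba project: it parses an smb.conf into shares and flags any group token in valid users, force group, invalid users, read list or write list whose @, + or & prefix is followed by a quote, which is the exact shape that failed here. The sample config it writes is constructed for the demo and mirrors the two shares from the post.

```sh
#!/bin/sh
# Lint share definitions in an smb.conf for group tokens written as
# @"DOMAIN\\group" (quote after the @/+/& prefix), the form that produced the
# string_to_sid error above. Output: one line per finding, tab-separated:
#   <share> <parameter> <token>
lint_smbconf() {
    awk '
        /^[ \t]*[;#]/ { next }                      # comment line
        /^[ \t]*\[/ {                                # [section] header
            share = $0
            sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
            next
        }
        /^[ \t]*(valid users|invalid users|force group|read list|write list)[ \t]*=/ {
            eq = index($0, "=")
            param = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", param)
            value = substr($0, eq + 1)
            n = split(value, tok, ",")
            for (i = 1; i <= n; i++) {
                t = tok[i]; gsub(/^[ \t]+|[ \t]+$/, "", t)
                # prefix (@, +, & in any combination) immediately followed by a quote
                if (t ~ /^[@+&]+"/) printf "%s\t%s\t%s\n", share, param, t
            }
        }
    ' "$1"
}

# Constructed sample smb.conf (not a real config): shareX uses the quoting
# that failed in the thread, shareY uses the corrected unquoted form.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = INTERNAL
    security = ADS
    ; winbind settings omitted

[shareX]
    comment = What it serves
    path = /home/shares/data/sharex
    valid users = @"INTERNAL\\group"
    force group = @"INTERNAL\\group"

[shareY]
    comment = Other share
    path = /home/shares/data/shareY
    valid users = @INTERNAL\\group1, @INTERNAL\\otheruser
    force group = @INTERNAL\\group1

[shareZ]
    path = /home/shares/data/sharez
    write list = alice, +"INTERNAL\\group1"
EOF
}

# Convenience wrapper: exit status 1 when anything was flagged, so it can gate
# a config deploy (e.g. run it next to testparm before reloading smbd).
check_smbconf() {
    findings=$(lint_smbconf "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo run on the constructed config.
if [ -z "$SMBCONF_LINT_NO_DEMO" ]; then
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    check_smbconf "$tmp" || echo "quoted group tokens found (see above)"
    rm -f "$tmp"
fi
```

Run it against a real file with `lint_smbconf /etc/samba/smb.conf`; it makes no claim about which spelling resolves on your winbind setup, it only points at tokens written the way that failed in this thread so you can check them with `getent group`.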

Rowland Penny, Apr 12, 2015, 7:50:47 AM
No, "INTERNAL\\Domain Users" is the same group as 'domain_users', you
probably have 'winbind normalize names = Yes' in smb.conf

Rowland

j...@ionica.lv, Apr 13, 2015, 8:42:48 AM

Quoting Rowland Penny <rowlan...@googlemail.com>:

>> I found one additional problem - when I request Domain Users group
>> information, no users are listed
>>
>> getent group "INTERNAL\\Domain Users" returns plain
>> domain_users:x:10000:
>> the same goes on DC.
>>
>> Do I need to create alternative Domain Users group?
>>
>>
> No, "INTERNAL\\Domain Users" is the same group as 'domain_users',
> you probably have 'winbind normalize names = Yes' in smb.conf

it is strange, because
getent group "INTERNAL\\Domain Admins"
returns what is expected - gid and list of persons in the group

Janis

Rowland Penny, Apr 13, 2015, 9:32:12 AM
On 13/04/15 13:40, j...@ionica.lv wrote:
>
> Quoting Rowland Penny <rowlan...@googlemail.com>:
>
>>> I found one additional problem - when I request Domain Users group
>>> information, no users are listed
>>>
>>> getent group "INTERNAL\\Domain Users" returns plain
>>> domain_users:x:10000:
>>> the same goes on DC.
>>>
>>> Do I need to create alternative Domain Users group?
>>>
>>>
>> No, "INTERNAL\\Domain Users" is the same group as 'domain_users', you
>> probably have 'winbind normalize names = Yes' in smb.conf
>
> it is strange, because
> getent group "INTERNAL\\Domain Admins"
> returns what is expected - gid and list of persons in the group
>
> Janis
>

No, not strange, just the way you have formatted the getent command,
this is what I get on my laptop with different formatting:

rowland@ThinkPad ~ $ getent group "EXAMPLE\\Domain Admins"
domain_admins:x:10002:s4admin,administrator
rowland@ThinkPad ~ $ getent group EXAMPLE\\Domain\ Admins
domain_admins:x:10002:s4admin,administrator
rowland@ThinkPad ~ $ getent group EXAMPLE\\domain_admins
domain_admins:x:10002:s4admin,administrator
rowland@ThinkPad ~ $ getent group domain_admins
domain_admins:x:10002:s4admin,administrator

The same commands on a DC:

root@dc01:~# getent group "EXAMPLE\\Domain Admins"
EXAMPLE\Domain Admins:*:10002:
root@dc01:~# getent group EXAMPLE\\Domain\ Admins
EXAMPLE\Domain Admins:*:10002:
root@dc01:~# getent group EXAMPLE\\domain_admins
root@dc01:~# getent group domain_admins

As you can see, it differs between the two machines; you cannot seem to
'normalise' the group names on a Samba AD DC.

Rowland
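
The four getent invocations above differ in shell quoting before getent ever sees them, and the lookups that succeed on the member server but not on the DC differ by name normalisation. The script below is an added example, not part of the post or of Samba: `as_received` shows the exact string each quoting form delivers as argv[1], `normalize_name` reproduces what the member server output above did to the name (Domain Admins became domain_admins: lowercased, whitespace to underscore), and `resolve_group` tries the candidate spellings of DOMAIN\Group in turn with a real getent call. The demo lines only exercise the first two functions, so they run without winbind; `resolve_group` is an assumed helper that needs a working NSS/winbind setup.

```sh
#!/bin/sh
# Added example: what the shell hands to getent, and a resolver that tries the
# un-normalised and normalised spellings of a domain group in order.

# Print the single argument exactly as received, after the shell has removed
# quotes and processed backslashes.
as_received() { printf '%s\n' "$1"; }

# Reproduce the name form seen on the member server above
# ("Domain Admins" -> "domain_admins"): lowercase, whitespace to underscore.
normalize_name() { printf '%s' "$1" | tr 'A-Z' 'a-z' | tr ' \t' '__'; }

# Try DOMAIN\Group, DOMAIN\group_normalised and plain group_normalised with
# getent; print the first that resolves and return 0, else return 1 (as on a
# DC, where the normalised spellings did not resolve in the post above).
# Assumed helper: requires winbind NSS; not exercised by the demo below.
resolve_group() {
    domain=$1
    group=$2
    norm=$(normalize_name "$group")
    for candidate in "$domain\\$group" "$domain\\$norm" "$norm"; do
        if getent group "$candidate" >/dev/null 2>&1; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Demo: the same four quoting forms Rowland used, resolved by the shell only.
as_received "EXAMPLE\\Domain Admins"     # -> EXAMPLE\Domain Admins
as_received EXAMPLE\\Domain\ Admins      # -> EXAMPLE\Domain Admins  (identical string)
as_received EXAMPLE\\domain_admins       # -> EXAMPLE\domain_admins
as_received domain_admins                # -> domain_admins
normalize_name "Domain Admins"           # -> domain_admins
```

The first two forms are byte-for-byte the same argument, so any difference in their results comes from the name service, not from the shell; the last two are different names altogether, which is why they behave differently on a DC that does not normalise names.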

Mario Pio Russo, Apr 27, 2015, 12:42:51 PM
Good Day All

we are planning to upgrade our Samba 3 PDC to a new Samba 4 AD DC. We
want to go directly to Samba 4.2.x because we must have the "user account
password lockout" feature.

Also, for internal policy reasons we cannot compile the source tarball for a prod
environment. So my question is: do you know which distros currently provide
their own samba 4.2.0 package? Ubuntu Server, CentOS and Red Hat do not ship it
yet; any other idea?

thanks

Daniel Carrasco Marín, Apr 27, 2015, 1:29:39 PM
I'm using Arch Linux on my work computer and have almost the latest version
of samba (4.2.0) and cups (2.0.2), but I don't know if it is good as a server
distro.

Greetings!!

Tim, Apr 27, 2015, 3:58:09 PM
Hey Mario,

I would consider having a look at the SerNet packages. I use them myself with CentOS 7 and Samba 4.1. They also have 4.2.

Regards
Tim

Nico Kadel-Garcia, Apr 28, 2015, 12:12:44 AM
On Mon, Apr 27, 2015 at 11:35 AM, Mario Pio Russo
<mariop...@ie.ibm.com> wrote:
> Good Day All
>
> we are planning to upgrade our Samba 3 PDC to a new Samba 4 AD DC. We
> want to go directly to Samba 4.2.x because we must have the "user account
> password lockout" feature.
>
> Also, for internal policy reasons we cannot compile the source tarball for a prod
> environment. So my question is: do you know which distros currently provide
> their own samba 4.2.0 package? Ubuntu Server, CentOS and Red Hat do not ship it
> yet; any other idea?

CentOS and RHEL are not going to get it for some time, unless RHEL
decides to assemble a "samba42" package in their "extras" repositories.
They'll be staying at 4.1.x for stability's sake. The Fedora 22 release
candidate has samba-4.2.0, but that's a development OS, not a
production-stable OS.

I personally publish hooks and patches to get Samba 4.2.x compiled as
RPMs on RHEL 7 and Fedora 21, at github.com/nkadel/samba4repo/.
You're certainly welcome to them. But if you need a pre-built binary,
for now, you'll need to decide if you want a full domain controller or
not. The RHEL/CentOS/Fedora builds disable that by default, in order
to use the operating system's incompatible Kerberos.

I've not been using the sernet packages, partially because I *loathe*
having to register to download an open source or freeware package,
partly because I've been building Samba for.... well almost 20 years.