
Re: [Samba] Regular users can't log in to Samba AD DC from Windows

On 02/06/2017 11:48, Rowland Penny via samba wrote:
On Mon, 6 Feb 2017 11:11:09 +0200
Alnis Morics via samba <samba@xxxxxxxxxxxxxxx> wrote:

Thank you, Rowland, for the reply.


And the nss tests as per Wiki seem to pass:



# getent passwd Administrator
RW\administrator:*:0:20::/home/administrator:/usr/sbin/nologin

# getent passwd user1
RW\user1:*:3000017:20:User1 Tester1:/home/user1:/usr/sbin/nologin

The above is interesting, you don't have a template homedir line in
smb.conf but you have '/home/username' instead of '/home/RW/username'

Oh, yes, I didn't notice that. But the directory doesn't actually exist. I guess it would be created on first logon, which has not yet occurred?) And I can't log in with it locally (I would need PAM configured for that, right?)

Although, when I create a FreeBSD user ("pw useradd testuser -m /home/testuser"), the home directory is created immediately, without logging in.

I now tried to create a user, explicitly specifying the home directory:
samba-tool user create user2 Pa$$w0rd --surname=Tester2 --given-name=User2 --mail-address=user2@xxxxxx --home-directory=/home/RW/user2

getent passwd user2
RW\user2:*:3000020:20:User2 Tester2:/home/RW/user2:/usr/sbin/nologin

But otherwise nothing changes: the directory isn't created, and I can't log in from Windows. And the logs repeat the same thing.



# getent group "Domain Users"
RW\domain users:x:20

# touch testfile
# ll testfile
-rw-r--r--  1 root  wheel  0 Jan 28 19:25 testfile
# chown user1:"domain users" testfile
# ll testfile
-rw-r--r--  1 RW\user1  staff  0 Jan 28 19:25 testfile

Only I would expect that a regular user's GID numbers are not within
0-1000, but I don't know.


On a Samba AD DC, 'Domain Users' should be mapped to the users group
(on Debian anyway, could be a different group on freebsd), but your
example seems to show that it is mapped to the group 'staff'.

Yes, there's a group "staff" in /etc/group with GID number 20. Ok, so that shouldn't be a problem.


Here is the big thing that people seem to find hard to understand: when
asking for the user's info with 'getent passwd', the user's 'gidNumber'
attribute is ignored; in fact, the user doesn't need to have a
gidNumber. In AD, all users are members of 'Domain Users', and this group
is used as the Unix user's primary group.

Rowland
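The two checks the thread circles around (does 'getent passwd' report 'Domain Users' as the user's primary GID, and does the home directory follow the '%D/%U' template that winbind's 'template homedir' would produce) can be scripted. The following is an added example written for this page, not code from the thread or from Samba; the sample 'getent' lines are constructed from the values posted above, and the 'audit_user' helper that queries a live system is an assumption about how a practitioner would wire it up.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project.
# Checks two things Rowland's reply explains:
#  1. the primary GID that `getent passwd` reports for a domain user must be
#     the GID of "Domain Users" (the user's own gidNumber is ignored);
#  2. the home directory should follow the winbind 'template homedir'
#     pattern, written here with the same %D (domain) / %U (user) placeholders.

# Constructed sample output, copied from the values quoted in the thread.
SAMPLE_USER1='RW\user1:*:3000017:20:User1 Tester1:/home/user1:/usr/sbin/nologin'
SAMPLE_USER2='RW\user2:*:3000020:20:User2 Tester2:/home/RW/user2:/usr/sbin/nologin'
SAMPLE_DOMAIN_USERS='RW\domain users:x:20'
TEMPLATE='/home/%D/%U'

# check_primary_gid PASSWD_LINE GROUP_LINE
# succeeds when field 4 of the passwd entry equals field 3 of the group entry
check_primary_gid() {
    user_gid=$(printf '%s\n' "$1" | cut -d: -f4)
    group_gid=$(printf '%s\n' "$2" | cut -d: -f3)
    [ "$user_gid" = "$group_gid" ]
}

# check_homedir PASSWD_LINE TEMPLATE
# expands %D/%U from the 'DOMAIN\user' name field and compares with field 6
check_homedir() {
    name=$(printf '%s\n' "$1" | cut -d: -f1)
    domain=${name%%\\*}          # text before the backslash
    user=${name#*\\}             # text after the backslash
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    expected=$(printf '%s\n' "$2" | sed "s|%D|$domain|g; s|%U|$user|g")
    [ "$home" = "$expected" ]
}

# audit_user USERNAME TEMPLATE
# Assumed live-system wrapper: runs the same checks against real getent output.
audit_user() {
    entry=$(getent passwd "$1") || return 2
    du=$(getent group "Domain Users") || return 2
    check_primary_gid "$entry" "$du" || return 1
    check_homedir "$entry" "$2" || return 1
}

# Run the checks on the constructed samples when executed directly.
for entry in "$SAMPLE_USER1" "$SAMPLE_USER2"; do
    who=${entry%%:*}
    if check_primary_gid "$entry" "$SAMPLE_DOMAIN_USERS"; then
        echo "primary GID matches Domain Users: $who"
    else
        echo "primary GID MISMATCH:             $who"
    fi
    if check_homedir "$entry" "$TEMPLATE"; then
        echo "home dir follows $TEMPLATE:        $who"
    else
        echo "home dir does NOT follow $TEMPLATE: $who"
    fi
done
```

On the sample data both users pass the GID check (both report 20, the GID of "Domain Users"), while only user2 matches the '/home/%D/%U' template; user1's '/home/user1' is the entry the thread flags. Note that a passing home-directory check says nothing about whether the directory exists: neither getent nor winbind creates it, which is what the pam_mkhomedir module is for on the login path.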
