Web lists-archives.com

Re: [Samba] New AD user cannot access file share from member server




On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:
That's correct, I don't have "Unix Attributes" but through the advanced
view I have access to all attributes.

The ldbsearch command is not returning anything in my case, it gives me 0
records - no matter which user I try, even the Administrator. I checked the
command several times to make sure there are no typos. I even changed the
objectclass from "person" to "user" to see if it makes any difference but
it doesn't.

I tried borth /var/lib/samba/sam.ldb and /var/lib/samba/private/sam.ldb)
and the environment environment has LDB_MODULES_PATH set.

I can easily look at the objects using the ADUC from the RSAT, not sure why
this isn't working...

On 19 June 2017 at 12:59, Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
wrote:

On Mon, 19 Jun 2017 12:38:09 +0200
Viktor Trojanovic <viktor@xxxxxxxx> wrote:

Here is the DC's smb.conf:


[global]
         workgroup = SAMDOM
         realm = SAMDOM.EXAMPLE.COM
         netbios name = DC
         interfaces = lo br-lxc
         bind interfaces only = Yes
         server role = active directory domain controller
         dns forwarder = 192.168.1.2
         idmap_ldb:use rfc2307 = yes

[netlogon]
         path = /var/lib/samba/sysvol/samdom.example.com/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No
Nothing wrong there

I'm not sure what you mean by showing you the user's AD object, can
you elaborate?
OK, install ldb-tools if not installed, then run this:

ldbsearch -H /usr/local/samba/private/sam.ldb -b
'cn=users,dc=samdom,dc=example,dc=com' -s sub
"(&(objectclass=person)(samaccountname=rowland))"

Just in case it has got split up over multiple lines, the above should
just one line.

Replace:
/usr/local/samba/private/sam.ldb with the path to your sam.ldb

dc=samdom,dc=example,dc=com with your dns/realm names

rowland with your users name

You should get something like this back:

# record 1
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
CN: Rowland Penny
sn: Penny
description: A Unix user
givenName: Rowland
instanceType: 4
whenCreated: 20151109093821.0Z
displayName: Rowland Penny
uSNCreated: 3365
name: Rowland Penny
objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
userAccountControl: 66048
codePage: 0
countryCode: 0
homeDrive: H:
pwdLastSet: 130915355010000000
primaryGroupID: 513
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
accountExpires: 0
sAMAccountName: rowland
sAMAccountType: 805306368
userPrincipalName: rowland@xxxxxxxxxxxxxxxxxx
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=
example,DC=c
  om
unixUserPassword: ABCD!efgh12345$67890
uid: rowland
msSFU30Name: rowland
msSFU30NisDomain: samdom
uidNumber: 10000
gecos: Rowland Penny
unixHomeDirectory: /home/rowland
loginShell: /bin/bash
memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
homeDirectory: \\MEMBER1\home\rowland
objectClass: top
objectClass: securityPrincipal
objectClass: person
objectClass: organizationalPerson
objectClass: user
gidNumber: 10000
lastLogonTimestamp: 131418520439158520
whenChanged: 20170613182723.0Z
uSNChanged: 121030
lastLogon: 131423412865104840
logonCount: 633
distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com

# returned 1 records
# 1 entries
# 0 referrals

Please post that, though you can sanitise it if you like, but if you
do, use the same changes through out.

Samba is running on (Arch) Linux with Kernel 4.11. Clients are
Windows 10 with all the latest updates, I'm running the RSAT from
there.

In which case you will not have 'Unix Attributes' tab in ADUC.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Use this command replace my name with your username.

/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=local' -s sub "(&(objectclass=person)(samaccountname=james))"

Rowland was linking to the CN=users. Yours may not be located there.

--
--
James


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba