
Re: [Samba] New AD user cannot access file share from member server

On 6/19/2017 9:12 AM, Viktor Trojanovic via samba wrote:
On 19 June 2017 at 14:56, Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
wrote:

On Mon, 19 Jun 2017 14:46:34 +0200
Viktor Trojanovic <viktor@xxxxxxxx> wrote:

On 19 June 2017 at 14:20, lingpanda101 via samba
<samba@xxxxxxxxxxxxxxx> wrote:

On 6/19/2017 7:51 AM, Viktor Trojanovic via samba wrote:

That's correct, I don't have "Unix Attributes" but through the
advanced view I have access to all attributes.

The ldbsearch command is not returning anything in my case, it
gives me 0 records - no matter which user I try, even the
Administrator. I checked the
command several times to make sure there are no typos. I even
changed the objectclass from "person" to "user" to see if it makes
any difference but it doesn't.

I tried both /var/lib/samba/sam.ldb
and /var/lib/samba/private/sam.ldb, and the environment
has LDB_MODULES_PATH set.

I can easily look at the objects using the ADUC from the RSAT, not
sure why
this isn't working...

On 19 June 2017 at 12:59, Rowland Penny via samba
<samba@xxxxxxxxxxxxxxx> wrote:

On Mon, 19 Jun 2017 12:38:09 +0200
Viktor Trojanovic <viktor@xxxxxxxx> wrote:

Here is the DC's smb.conf:

[global]
          workgroup = SAMDOM
          realm = SAMDOM.EXAMPLE.COM
          netbios name = DC
          interfaces = lo br-lxc
          bind interfaces only = Yes
          server role = active directory domain controller
          dns forwarder = 192.168.1.2
          idmap_ldb:use rfc2307 = yes

[netlogon]
          path = /var/lib/samba/sysvol/samdom.example.com/scripts
          read only = No

[sysvol]
          path = /var/lib/samba/sysvol
          read only = No

Nothing wrong there

I'm not sure what you mean by showing you the user's AD object, can
you elaborate?

OK, install ldb-tools if not installed, then run this:

ldbsearch -H /usr/local/samba/private/sam.ldb -b
'cn=users,dc=samdom,dc=example,dc=com' -s sub
"(&(objectclass=person)(samaccountname=rowland))"

Just in case it has got split up over multiple lines, the above
should just be one line.

Replace:
/usr/local/samba/private/sam.ldb with the path to your sam.ldb

dc=samdom,dc=example,dc=com with your dns/realm names

rowland with your users name

You should get something like this back:

# record 1
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
CN: Rowland Penny
sn: Penny
description: A Unix user
givenName: Rowland
instanceType: 4
whenCreated: 20151109093821.0Z
displayName: Rowland Penny
uSNCreated: 3365
name: Rowland Penny
objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
userAccountControl: 66048
codePage: 0
countryCode: 0
homeDrive: H:
pwdLastSet: 130915355010000000
primaryGroupID: 513
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
accountExpires: 0
sAMAccountName: rowland
sAMAccountType: 805306368
userPrincipalName: rowland@xxxxxxxxxxxxxxxxxx
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
unixUserPassword: ABCD!efgh12345$67890
uid: rowland
msSFU30Name: rowland
msSFU30NisDomain: samdom
uidNumber: 10000
gecos: Rowland Penny
unixHomeDirectory: /home/rowland
loginShell: /bin/bash
memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
homeDirectory: \\MEMBER1\home\rowland
objectClass: top
objectClass: securityPrincipal
objectClass: person
objectClass: organizationalPerson
objectClass: user
gidNumber: 10000
lastLogonTimestamp: 131418520439158520
whenChanged: 20170613182723.0Z
uSNChanged: 121030
lastLogon: 131423412865104840
logonCount: 633
distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com

# returned 1 records
# 1 entries
# 0 referrals

Please post that, though you can sanitise it if you like, but if
you do, use the same changes throughout.

Samba is running on (Arch) Linux with Kernel 4.11. Clients are
Windows 10 with all the latest updates, I'm running the RSAT from
there.

In which case you will not have a 'Unix Attributes' tab in ADUC.
Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Use this command, replacing my name with your username (one line):
/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=local' -s sub "(&(objectclass=person)(samaccountname=james))"

Rowland was linking to the CN=users. Yours may not be located there.


I could swear I tried this before, too, but it didn't give me any
results.
Now all of a sudden it does. I must have made a mistake. It gives me
one entry and 3 referrals.

[root@DC ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=ch' -s sub "(&(objectclass=person)(samaccountname=jd))"
# record 1
dn: CN=First Last,OU=OFFICE,DC=samdom,DC=example,DC=ch
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Jane Doe
sn: Doe
givenName: Jane
instanceType: 4
whenCreated: 20170618195208.0Z
displayName: Jane Doe
uSNCreated: 26951
name: Jane Doe
objectGUID: e2df5086-fa25-4a25-93f2-d8f5e85a47e7
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
accountExpires: 9223372036854775807
sAMAccountName: jd
sAMAccountType: 805306368
userPrincipalName: jd@xxxxxxxxxxxxxxxxx
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=ch
userAccountControl: 512
msSFU30NisDomain: samdom
homeDrive: P:
homeDirectory: \\fileserver\users\jd
lastLogonTimestamp: 131422908301256970
pwdLastSet: 131422908304075720
uidNumber: 11008
whenChanged: 20170618203831.0Z
uSNChanged: 26964
lastLogon: 131423462588474750
logonCount: 49
distinguishedName: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch

OK, glad we got that sorted out ;-)

Your user 'Jane Doe' does not have a 'gidNumber' attribute, does
'Domain Users' have a 'gidNumber' attribute?

It does, it's set to 10001.

And none of the users have gidNumber set.

Is the user's primary group name/GID set as 'Domain Users'?

--
James
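The thread boils down to one check: does the AD object carry the RFC2307 attributes that a member server using the `ad` idmap backend needs before winbind will hand the user a uid and gid? The script below is an added example, not code from the thread or from the Samba project. It parses ldbsearch output of the kind posted above (including LDIF-folded long lines such as the wrapped `objectCategory`) and applies the rule from idmap_ad(8): the user needs `uidNumber`, and the group that supplies the primary GID needs `gidNumber`; by default that group is the AD primary group (`primaryGroupID` 513, Domain Users), and only with `idmap config DOM : unix_primary_group = yes` is the user's own `gidNumber` used instead. The records embedded in it are constructed sample data modelled on the thread (a user with `uidNumber` but no `gidNumber`, a second user with neither, and Domain Users with `gidNumber` 10001), not the real output.

```python
# Constructed sample ldbsearch output (not the thread's real records).
# The objectCategory value is folded the way LDIF folds it: the
# continuation line starts with a single space.
SAMPLE_LDBSEARCH_OUTPUT = """\
# record 1
dn: CN=Jane Doe,OU=OFFICE,DC=samdom,DC=example,DC=ch
objectClass: person
objectClass: user
sAMAccountName: jd
primaryGroupID: 513
objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
uidNumber: 11008
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=examp
 le,DC=ch

# record 2
dn: CN=No Uid,OU=OFFICE,DC=samdom,DC=example,DC=ch
objectClass: user
sAMAccountName: nouid
primaryGroupID: 513
objectSid: S-1-5-21-4280320235-2980747731-3738778716-1117

# record 3
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=ch
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-4280320235-2980747731-3738778716-513
gidNumber: 10001

# returned 3 records
# 3 entries
# 0 referrals
"""


def parse_ldbsearch(text):
    """Turn ldbsearch output into a list of {attribute: [values]} dicts.
    '#' lines are comments, a blank line ends a record, and a line that
    begins with a space continues the previous value (LDIF folding)."""
    records, current, last_attr = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        records.append(current)
    return records


def values(rec, attr):
    """All values of attr; LDAP attribute names are case-insensitive."""
    return [v for k, vs in rec.items() if k.lower() == attr.lower() for v in vs]


def first(rec, attr):
    """First value of attr, or None if the record does not carry it."""
    vals = values(rec, attr)
    return vals[0] if vals else None


def check_idmap_ad(records, user_name, unix_primary_group=False):
    """List what would stop the 'ad' idmap backend from mapping user_name.
    Rule from idmap_ad(8): user needs uidNumber; the group supplying the
    primary GID needs gidNumber (AD primary group by default, the user's
    own gidNumber when unix_primary_group = yes)."""
    groups_by_sid = {first(r, "objectSid"): r for r in records
                     if "group" in [v.lower() for v in values(r, "objectClass")]}
    user = next((r for r in records
                 if (first(r, "sAMAccountName") or "").lower() == user_name.lower()
                 and "user" in [v.lower() for v in values(r, "objectClass")]), None)
    if user is None:
        return [f"user {user_name!r} not found in the search results"]
    problems = []
    if first(user, "uidNumber") is None:
        problems.append("user has no uidNumber")
    if unix_primary_group:
        if first(user, "gidNumber") is None:
            problems.append("unix_primary_group=yes but user has no gidNumber")
    else:
        # Primary group SID = the user's domain SID plus primaryGroupID as RID.
        sid, rid = first(user, "objectSid") or "", first(user, "primaryGroupID")
        group = groups_by_sid.get(f"{sid.rsplit('-', 1)[0]}-{rid}")
        if group is None:
            problems.append(f"primary group RID {rid} not in the search results")
        elif first(group, "gidNumber") is None:
            problems.append(f"primary group {first(group, 'sAMAccountName')!r} has no gidNumber")
    return problems


SAMPLE_RECORDS = parse_ldbsearch(SAMPLE_LDBSEARCH_OUTPUT)

if __name__ == "__main__":
    for name in ("jd", "nouid"):
        print(name, check_idmap_ad(SAMPLE_RECORDS, name) or "OK")
```

Run against real output, search the whole domain base (as James suggests, not just `CN=Users`) with a filter that also returns the group, e.g. `(|(sAMAccountName=jd)(sAMAccountName=Domain Users))`, and feed the result to `parse_ldbsearch`. For the thread's own situation the default rule passes (user has `uidNumber`, Domain Users has `gidNumber` 10001), which is why the follow-up question is whether Domain Users really is the account's primary group.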

