Web lists-archives.com

Re: [Samba] New AD user cannot access file share from member server

On 6/19/2017 9:50 AM, Viktor Trojanovic wrote:

On 19 June 2017 at 15:31, lingpanda101 via samba <samba@xxxxxxxxxxxxxxx <mailto:samba@xxxxxxxxxxxxxxx>> wrote:

    On 6/19/2017 9:12 AM, Viktor Trojanovic via samba wrote:

        On 19 June 2017 at 14:56, Rowland Penny via samba
        <samba@xxxxxxxxxxxxxxx <mailto:samba@xxxxxxxxxxxxxxx>>

            On Mon, 19 Jun 2017 14:46:34 +0200
            Viktor Trojanovic <viktor@xxxxxxxx
            <mailto:viktor@xxxxxxxx>> wrote:

                On 19 June 2017 at 14:20, lingpanda101 via samba
                <samba@xxxxxxxxxxxxxxx <mailto:samba@xxxxxxxxxxxxxxx>>

                    On 6/19/2017 7:51 AM, Viktor Trojanovic via samba

                        That's correct, I don't have "Unix Attributes"
                        but through the
                        advanced view I have access to all attributes.

                        The ldbsearch command is not returning
                        anything in my case, it
                        gives me 0 records - no matter which user I
                        try, even the
                        Administrator. I checked the
                        command several times to make sure there are
                        no typos. I even
                        changed the objectclass from "person" to
                        "user" to see if it makes
                        any difference but it doesn't.

                        I tried borth /var/lib/samba/sam.ldb
                        and /var/lib/samba/private/sam.ldb) and the
                        environment has LDB_MODULES_PATH set.

                        I can easily look at the objects using the
                        ADUC from the RSAT, not
                        sure why
                        this isn't working...

                        On 19 June 2017 at 12:59, Rowland Penny via samba
                        <mailto:samba@xxxxxxxxxxxxxxx>> wrote:

                        On Mon, 19 Jun 2017 12:38:09 +0200

                            Viktor Trojanovic <viktor@xxxxxxxx
                            <mailto:viktor@xxxxxxxx>> wrote:

                            Here is the DC's smb.conf:

                                          workgroup = SAMDOM
                                          realm = SAMDOM.EXAMPLE.COM
                                          netbios name = DC
                                          interfaces = lo br-lxc
                                          bind interfaces only = Yes
                                          server role = active
                                directory domain controller
                                          dns forwarder =
                                          idmap_ldb:use rfc2307 = yes

                                          path =
                                          read only = No

                                          path = /var/lib/samba/sysvol
                                          read only = No

                            Nothing wrong there

                            I'm not sure what you mean by showing you
                            the user's AD object,

                                you elaborate?

                            OK, install ldb-tools if not installed,
                            then run this:

                            ldbsearch -H
                            /usr/local/samba/private/sam.ldb -b
                            'cn=users,dc=samdom,dc=example,dc=com' -s sub

                            Just in case it has got split up over
                            multiple lines, the above
                            should just one line.

                            /usr/local/samba/private/sam.ldb with the
                            path to your sam.ldb

                            dc=samdom,dc=example,dc=com with your
                            dns/realm names

                            rowland with your users name

                            You should get something like this back:

                            # record 1
                            dn: CN=Rowland
                            CN: Rowland Penny
                            sn: Penny
                            description: A Unix user
                            givenName: Rowland
                            instanceType: 4
                            whenCreated: 20151109093821.0Z
                            displayName: Rowland Penny
                            uSNCreated: 3365
                            name: Rowland Penny
                            userAccountControl: 66048
                            codePage: 0
                            countryCode: 0
                            homeDrive: H:
                            pwdLastSet: 130915355010000000
                            primaryGroupID: 513
                            accountExpires: 0
                            sAMAccountName: rowland
                            sAMAccountType: 805306368
                            unixUserPassword: ABCD!efgh12345$67890
                            uid: rowland
                            msSFU30Name: rowland
                            msSFU30NisDomain: samdom
                            uidNumber: 10000
                            gecos: Rowland Penny
                            unixHomeDirectory: /home/rowland
                            loginShell: /bin/bash
                            memberOf: CN=Unix
                            homeDirectory: \\MEMBER1\home\rowland
                            objectClass: top
                            objectClass: securityPrincipal
                            objectClass: person
                            objectClass: organizationalPerson
                            objectClass: user
                            gidNumber: 10000
                            lastLogonTimestamp: 131418520439158520
                            whenChanged: 20170613182723.0Z
                            uSNChanged: 121030
                            lastLogon: 131423412865104840
                            logonCount: 633
                            distinguishedName: CN=Rowland

                            # returned 1 records
                            # 1 entries
                            # 0 referrals

                            Please post that, though you can sanitise
                            it if you like, but if
                            you do, use the same changes through out.

                            Samba is running on (Arch) Linux with
                            Kernel 4.11. Clients are

                                Windows 10 with all the latest
                                updates, I'm running the RSAT from

                                In which case you will not have 'Unix
                                Attributes' tab in ADUC.


                            To unsubscribe from this list go to the
                            following URL and read the

                            Use this command replace my name with your

                    /usr/local/samba/bin/ldbsearch -H
                    -b 'dc=samdom,dc=example,dc=local' -s sub
                    "(&(objectclass=person)(samacc ountname=james))"

                    Rowland was linking to the CN=users. Yours may not
                    be located there.

                    I could swear I tried this before, too, but it
                    didn't give me any

                Now all of a sudden it does. I must have made a
                mistake. It gives me
                one entry and 3 referrals.

                [root@DC ~]# ldbsearch -H
                /var/lib/samba/private/sam.ldb -b
                'dc=samdom,dc=example,dc=ch' -s sub
                # record 1
                dn: CN=First Last,OU=OFFICE,DC=samdom,DC=example,DC=ch
                objectClass: top
                objectClass: person
                objectClass: organizationalPerson
                objectClass: user
                cn: Jane Doe
                sn: Doe
                givenName: Jane
                instanceType: 4
                whenCreated: 20170618195208.0Z
                displayName: Jane Doe
                uSNCreated: 26951
                name: Jane Doe
                objectGUID: e2df5086-fa25-4a25-93f2-d8f5e85a47e7
                badPwdCount: 0
                codePage: 0
                countryCode: 0
                badPasswordTime: 0
                lastLogoff: 0
                primaryGroupID: 513
                objectSid: S-1-5-21-4280320235-2980747731-3738778716-1116
                accountExpires: 9223372036854775807
                sAMAccountName: jd
                sAMAccountType: 805306368
                userPrincipalName: jd@xxxxxxxxxxxxxxxxx
                userAccountControl: 512
                msSFU30NisDomain: samdom
                homeDrive: P:
                homeDirectory: \\fileserver\users\jd
                lastLogonTimestamp: 131422908301256970
                pwdLastSet: 131422908304075720
                uidNumber: 11008
                whenChanged: 20170618203831.0Z
                uSNChanged: 26964
                lastLogon: 131423462588474750
                logonCount: 49
                distinguishedName: CN=Jane

            OK, glad we got that sorted out ;-)

            Your user 'Jane Doe' does not have a 'gidNumber'
            attribute, does
            'Domain Users have a 'gidNumber attribute' ?

        It does, it's set to 10001.

        And none of the users have gidNumber set.

    Is the users Primary group name/GID set as 'Domain Users'?

Yes. Primary - and only group.

I missed that as I was focused on a GID being present. Thanks. I wonder if this has to do with the recent change in 4.6 to winbind

With 4.6, it will be possible to optionally use the primary group as
set in the "Unix Attributes" tab for the local unix token of a domain
user.  Before 4.6, the Windows primary group was always chosen as
primary group for the local unix token.

To activate the unix primary group, set

idmap config <DOMAIN> : unix_primary_group = yes

Similarly, set

idmap config <DOMAIN> : unix_nss_info = yes

to retrieve the home directory and login shell from the "Unix
Attributes" of the user. This supersedes the "winbind nss info"
parameter with a per-domain configuration option.


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba