Allow user without uidNumber to access to a Samba member file server

Allow user without uidNumber to access to a Samba member file server

Samba - General mailing list
Hi everybody,

I have a Samba member server for file sharing, configured as below.
The domain controllers are on Samba too.
All servers are on Samba 4.5.3.
When I created the domain I activated rfc2307.

Now I think rfc2307 was a bad idea...

My problem is that I'd like to allow users and computers to access
the file server even if uidNumber is not set.
If I create a user without uidNumber, he is able to access sysvol
(for example) on all DCs without problems. But if he tries to access the
file server (from a Windows 10 client), he gets an "Access refused".
I understand that the problem comes from uidNumber not being set. And I think
that the solution is related to idmap, winbind and rfc2307.

So I'm completely lost with those features: how can I disable
idmapping to get the same behaviour on the file server as on the domain
controller?
And if I do that, will the macOS users have problems accessing
the shares with the AFP protocol (netatalk)?

I'd like this behaviour to permit computers to access shares for
installing applications with a GPO set on the DC and applied to computers
instead of the users section in the GPO.

Thanks

Below is my smb.conf on the file server:

=========================================================
[global]
       netbios name = FS1
       security = ADS
       workgroup = IFPOAD
       realm = IFPOAD.IFPORIENT.ORG

       log file = /var/log/samba/%m.log
       log level = 1

       interfaces = lo eth0
       bind interfaces only = yes

       server string = %h samba server
       wins support = yes

       # Default idmap config used for BUILTIN and local accounts/groups
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999

       idmap config IFPOAD:backend = ad
       idmap config IFPOAD:schema_mode = rfc2307
       idmap config IFPOAD:range = 10000-99999

       winbind nss info = rfc2307
       winbind enum users = yes
       winbind enum groups = yes
       winbind trusted domains only = no
       winbind use default domain = yes

       # Enable Windows extended attributes
       vfs objects = acl_xattr
       map acl inherit = yes
       store dos attributes = yes

       # For Mac OS compatibility?
       unix extensions = no

       # Print spooling
       rpc_server:spoolss = external
       rpc_daemon:spoolssd = fork
       spoolss: architecture = Windows x64

       veto files = /._*/.DS_Store/~*/
       delete veto files = yes

[Shares]
       path = /srv/samba/shares
       read only = no

[home]
       path = /home/samba
       read only = no

[profile$]
       path = /srv/samba/Profiles
       read only = no

[deploy$]
       path = /srv/samba/deploy
       read only = no

[BkShares]
       path = /srv/Backups/bkIFPO/shares
       read only = no

[printers]
       path = /var/spool/samba/
       printable = yes
       printing = CUPS
==========================================================


-- 

Arnaud Cruzel
System and Network Administrator
Institut français du Proche-Orient (Ifpo)
French Institute of the Near East
UMIFRE 6 - MAEDI - CNRS - USR 3135
Tel. Lebanon: +961 76 596 131
Tel. France: +33 6 67 51 68 50
[hidden email]
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: Allow user without uidNumber to access to a Samba member file server

Samba - General mailing list
On Wed, 15 Mar 2017 14:23:23 +0200
Arnaud Cruzel via samba <[hidden email]> wrote:

> Hi everybody,
>
> I have a Samba member server for file sharing, configured as below.
> The domain controllers are on Samba too.
> All servers are on Samba 4.5.3.
> When I created the domain I activated rfc2307.
>
> Now I think rfc2307 was a bad idea...
>

You could use the winbind 'rid' backend instead. This will mean that
your users will get different IDs, so you will have to change the
ownership of any files and directories stored on the fileserver.

You will also have to use 'template' lines in smb.conf for Unix home
dirs and shell.

Rowland


Re: Allow user without uidNumber to access to a Samba member file server

Samba - General mailing list
> But if he tries to access the file server (from a Windows 10 client),
> he gets an "Access refused".

How did he access the share?
\\servername\share  or  \\servername.dnsdom.tld\share
(or by \\ip)

Can he access \\servername without the share?

And the Win10 event ID + description of the "Access refused" would be nice.
The "Share Security" settings are?

It should work with rfc2307; it works fine for me.
ADDC 4.5.3 + members 4.5.3/4.6.0
All servers in rfc2307 mode.

But I did set extra things, so before I advise something I need the above info first.


Greetz,

Louis






Re: Allow user without uidNumber to access to a Samba member file server

Samba - General mailing list
On Wed, Mar 15, 2017 at 7:56 AM Arnaud Cruzel via samba <
[hidden email]> wrote:

>
> I'd like this behaviour to permit computers to access shares for
> installing applications with a GPO set on the DC and applied to computers
> instead of the users section in the GPO.


When a client connects to a share, smbd spawns a new process owned by that
user, which is why it needs a uid. If you want your share to be readable
by anyone, look into the "map to guest" option to give users that can't be
validated an alternate uid.

Re: Allow user without uidNumber to access to a Samba member file server

Samba - General mailing list
On Wednesday 15 March 2017 at 13:17 +0000, Rowland Penny via samba
wrote:

> On Wed, 15 Mar 2017 14:23:23 +0200
> Arnaud Cruzel via samba <[hidden email]> wrote:
>
> > Hi everybody,
> >
> > I have a Samba member server for file sharing, configured as
> > below.
> > The domain controllers are on Samba too.
> > All servers are on Samba 4.5.3.
> > When I created the domain I activated rfc2307.
> >
> > Now I think rfc2307 was a bad idea...
> >
>
> You could use the winbind 'rid' backend instead, this will mean that
> your users will get different 'IDs', so you will have to change the
> ownership of any files and directories stored on the fileserver.
>
> You will also have to use 'template' lines in smb.conf for Unix home
> dirs and shell.
>
> Rowland 
>

Thanks for your answer.

OK, I tried that. After that there are no longer any problems accessing the file server as a user without uidNumber.
But now it's impossible for Unix clients to access the Samba shares on this server. I think because the uids are different.
For information, I didn't have to change the share owners; the server kept the same uids for users (I think because of caching?).

What I did:

# diff smb.conf.ad smb.conf.rid
37,39c37,39
<        idmap config IFPOAD:backend = ad
<        idmap config IFPOAD:schema_mode = rfc2307
<        idmap config IFPOAD:range = 10000-99999
---
> #       idmap config IFPOAD:backend = ad
> #       idmap config IFPOAD:schema_mode = rfc2307
> #       idmap config IFPOAD:range = 10000-99999
41,42c41,42
< #       idmap config IFPOAD : backend = rid
< #       idmap config IFPOAD : range = 10000-999999
---
>        idmap config IFPOAD : backend = rid
>        idmap config IFPOAD : range = 10000-999999
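Review bot: the rid range `10000-999999` on the `idmap config IFPOAD : range` line stays clear of the `*` range 2000-9999, but an rid-derived id (range low bound plus the account's RID) will not equal the uidNumber the ad backend handed out for the same account, so every file on this server created under the old mapping will be owned by a number that no longer resolves once the winbind cache expires; chown the shares to the new ids as part of the switch rather than relying on the cached ids described earlier in this message.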
45,46c45,46
< #       winbind nss info = template
< #       template shell = /bin/bash
---
>        winbind nss info = template
>        template shell = /bin/bash
47a48,50
>        template homedir = /Users/%U
>
> #       winbind nss info = rfc2307
49d51
<        winbind nss info = rfc2307
61c63
<        unix extensions = no
---
> #       unix extensions = no
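Review bot: commenting out `unix extensions = no` is unrelated to the idmap backend change and alters SMB1 Unix-extension behaviour for exactly the Unix and Mac clients that are now failing (the original smb.conf marked it as a Mac OS compatibility setting), so it confounds the test; keep the line as it was until the rid backend alone has been verified, then change it in a separate step.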
75c77
<         #username map = /usr/local/samba/etc/user.map
---
>         username map = /usr/local/samba/etc/user.map
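Review bot: enabling `username map = /usr/local/samba/etc/user.map` is a second unrelated change in the same edit and the map file is not shown; a username map rewrites the account name before idmap and access checks run, so a wrong or stale entry produces the same "no access" symptom as a missing uid. Leave it commented out while testing the backend switch, or post the map file so it can be reviewed with the rest.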



Re: Allow user without uidNumber to access to a Samba member file server

Samba - General mailing list
On Wednesday 15 March 2017 at 15:16 +0100, L.P.H. van Belle via samba
wrote:
> > But if he tries to access the file server (from a Windows 10
> > client),
> > he gets an "Access refused".
>
> How did he access the share?
> \\servername\share  or  \\servername.dnsdom.tld\share
> (or by \\ip)
By \\servername\share


>
> Can he access \\servername without the share?
No, it can't.
>
> And the Win10 event ID + description of the "Access refused" would be
> nice.
There is no event ID or description. I don't find any entry in the
Windows event viewer.
>
> The "Share Security" settings are?
For example, for the share 'Shares':
For Administrator / Domain Admins / System / Creator Owner = Full
Control on folder, subfolders and files
For Authenticated Users / Domain Users = Read and Execute on this
folder only


>
> It should work with rfc2307; it works fine for me.
> ADDC 4.5.3 + members 4.5.3/4.6.0
> All servers in rfc2307 mode.
Yes, I don't say it's not working. The problem is that to set a GPO to
deploy applications, I have to deploy it by user GPO.
If I want to do that by computer GPO I have to set uidNumber on all
computers. I'm too lazy to do that :)
And now with Windows 10, which doesn't allow setting rfc2307 easily with ADUC,
it becomes very complicated to set uidNumber manually for each user.

>
> But I did set extra things, so before I advise something I need the
> above info first.
>
> Greetz,
>
> Louis


Re: Allow user without uidNumber to access to a Samba member file server

Samba - General mailing list
On Wednesday 15 March 2017 at 14:31 +0000, Chris Weiss via samba wrote:

> On Wed, Mar 15, 2017 at 7:56 AM Arnaud Cruzel via samba <
> [hidden email]> wrote:
>
> >
> > I'd like this behavior to permit computers to access to shares for
> > installing application with GPO set on DC and applied to computers
> > instead of users section in the GPO.
>
>
> When a client connects to a share, smbd spawns a new process owned by
> that user, which is why it needs a uid. If you want your share to be
> readable by anyone, look into the "map to guest" option to give users
> that can't be validated an alternate uid.
>
OK, thanks.
I understand why it does that now. So your suggestion can be a solution, but
it's not very safe.




Re: Allow user without uidNumber to access to a Samba member file server

Samba - General mailing list
OK, these:
> For Administrator / Domain Admins / System / Creator Owner = Full
> Control on folder, subfolders and files
are not available in the "Share security" but are in the "Security".

So the "Share security settings" need only:
Everyone FULL CONTROL (or Verified users)

And I think you're done.

> For Administrator / Domain Admins / System / Creator Owner = Full Control on folder, subfolders and files

> For Authenticated Users / Domain Users = Read and Execute on this folder only

In your case I suggest:

Domain Admins
SYSTEM
CREATOR OWNER (or better GROUP)
CREATOR GROUP
All full control.

Authenticated Users OR Domain Users. Setting both isn't needed. With at least read.
I suggest you set (in case of GPO things) Authenticated Users,
since that also includes the computers.

In other cases, use "Domain Users" and/or the other groups you need.


Greetz,

Louis






Re: Allow user without uidNumber to access to a Samba member file server

Samba - General mailing list
On Wed, 15 Mar 2017 17:13:43 +0200
Arnaud Cruzel <[hidden email]> wrote:


>
> OK, I tried that. After that there are no longer any problems accessing the
> file server as a user without uidNumber. But now it's impossible for
> Unix clients to access the Samba shares on this server.

You never mentioned Unix users.

The 'rid' backend works by calculating the user's ID from its Windows
RID; Unix users do not have a RID, so they don't get an ID.

If you have Unix users, you will have to create the users in AD,
set the Unix machines up as domain members (info available on the Samba wiki)
and remove the users from the Unix machines (they cannot be
in /etc/passwd and AD). You could also return to using the 'ad'
backend, but you would still have to make the Unix machines domain
members.

> I think because the uids are different. For information I didn't have
> to change the share owners; the server kept the same uids for users
> (I think because of caching?)

Wait until the cache expires and wait for the screams :-)

Rowland
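The two explanations in this thread (Chris Weiss's point that smbd needs a uid for the per-connection process, with "map to guest" as the fallback, and Rowland's description of how the 'rid' backend derives an ID from the Windows RID) can be made concrete with a small simulator. This is an added example written for this page, not Samba code and not anything posted in the thread; the accounts, SIDs and the guest uid 65534 are constructed, the `Bad Uid` value of `map to guest` is the smb.conf(5) setting that applies to "authenticated but no uid mapping", and the ranges are the ones from the smb.conf posted at the top of the thread. It shows why a user or computer without uidNumber gets no uid under the ad backend, why the same account gets a different uid under rid, and what collapsing unmapped users into the guest account means for file ACLs.

```python
"""Simulate how a Samba member server's idmap backend turns an AD account into a Unix uid.

Added example, not Samba's own code.  Models the 'ad' backend (schema_mode =
rfc2307) and the 'rid' backend, plus the 'map to guest = Bad Uid' fallback.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class AdAccount:
    name: str
    sid: str                          # objectSid as text: S-1-5-21-<domain>-<RID>
    uid_number: Optional[int] = None  # rfc2307 uidNumber; None when the attribute is unset


@dataclass(frozen=True)
class IdmapConfig:
    backend: str       # "ad" or "rid"
    low: int           # idmap config DOMAIN:range = low-high
    high: int
    base_rid: int = 0  # idmap_rid 'base_rid' option, default 0


def rid_from_sid(sid: str) -> int:
    """Return the relative identifier, the last component of a domain account SID."""
    if not sid.startswith("S-1-5-21-"):
        raise ValueError(f"not a domain account SID: {sid}")
    return int(sid.rsplit("-", 1)[1])


def sid_to_uid(acct: AdAccount, cfg: IdmapConfig) -> Optional[int]:
    """Return the uid winbind would hand out, or None when no mapping exists."""
    if cfg.backend == "ad":
        # idmap_ad reads uidNumber from AD; an unset attribute or a value
        # outside the configured range yields no mapping at all.
        if acct.uid_number is None or not cfg.low <= acct.uid_number <= cfg.high:
            return None
        return acct.uid_number
    if cfg.backend == "rid":
        # idmap_rid computes the id arithmetically from the RID, so every
        # AD object (users and computer accounts alike) gets one.
        uid = cfg.low + rid_from_sid(acct.sid) - cfg.base_rid
        return uid if uid <= cfg.high else None
    raise ValueError(f"unknown idmap backend: {cfg.backend}")


def session_outcome(acct: AdAccount, cfg: IdmapConfig,
                    map_to_guest: str = "Never",
                    guest_uid: int = 65534) -> Tuple[str, Optional[int]]:
    """smbd must run the per-connection process as some uid.

    With a mapping the session runs as that uid.  Without one, smbd refuses the
    session unless 'map to guest = Bad Uid' is set, in which case the user is
    collapsed into the guest account and file ACLs can no longer tell users apart.
    """
    uid = sid_to_uid(acct, cfg)
    if uid is not None:
        return ("session", uid)
    if map_to_guest.lower() == "bad uid":
        return ("guest", guest_uid)
    return ("access denied", None)


def mapping_table(accounts: Sequence[AdAccount], cfg: IdmapConfig) -> Dict[str, Optional[int]]:
    """Name -> uid (or None) for every account under one backend."""
    return {a.name: sid_to_uid(a, cfg) for a in accounts}


# --- constructed sample data (not real SIDs or accounts) ---------------------
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ALICE = AdAccount("alice", f"{DOMAIN_SID}-1105", uid_number=10005)  # has uidNumber
BOB = AdAccount("bob", f"{DOMAIN_SID}-1106")                        # no uidNumber
WS01 = AdAccount("ws01$", f"{DOMAIN_SID}-1107")                     # computer account, no uidNumber
ACCOUNTS = (ALICE, BOB, WS01)

# ranges taken from the smb.conf posted in the thread
AD_CFG = IdmapConfig("ad", 10000, 99999)
RID_CFG = IdmapConfig("rid", 10000, 999999)

if __name__ == "__main__":
    for cfg in (AD_CFG, RID_CFG):
        print(f"backend={cfg.backend}:", mapping_table(ACCOUNTS, cfg))
    print("bob, ad backend, map to guest = Never :", session_outcome(BOB, AD_CFG))
    print("bob, ad backend, map to guest = Bad Uid:", session_outcome(BOB, AD_CFG, "Bad Uid"))
```

Running it shows alice at 10005 under `ad` but 11105 under `rid`, which is the ownership mismatch Rowland warns about, and bob and ws01$ with no uid under `ad` but 11106 and 11107 under `rid`. The `Bad Uid` branch is what "not very safe" means in practice: every unmapped account becomes the same guest uid, so per-user ACLs on the share stop being enforceable for them.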



Re: Allow user without uidNumber to access to a Samba member file server

Samba - General mailing list

> > And now with Windows 10 who don't allow to set rfc2307 easily with
> > ADUC it become very complicate to set uidNumber manually for each
> > user.
> >

Are you reading this Andrew ??

I told you this with my patches to allow adding RFC2307 attributes with
samba-tool.

Rowland



Re: Allow user without uidNumber to access to a Samba member file server

Samba - General mailing list
On Wednesday 15 March 2017 at 17:01 +0100, L.P.H. van Belle via samba
wrote:
> OK, these:
> > For Administrator / Domain Admins / System / Creator Owner = Full
> > Control on folder, subfolders and files
>
> are not available in the "Share security" but are in the "Security".
>
> So the "Share security settings" need only:
> Everyone FULL CONTROL (or Verified users)
Yes, sorry, that's what I have in the Share security settings.

>
> And I think you're done.
>
> > For Administrator / Domain Admins / System / Creator Owner = Full
> > Control on folder, subfolders and files
> > For Authenticated Users / Domain Users = Read and Execute on this
> > folder only
>
> In your case I suggest:
>
> Domain Admins
> SYSTEM
> CREATOR OWNER (or better GROUP)
> CREATOR GROUP
> All full control.
>
> Authenticated Users OR Domain Users. Setting both isn't needed. With at least read.
> I suggest you set (in case of GPO things) Authenticated Users,
> since that also includes the computers.

OK, I did it.
On the 'deploy$' share for GPO, I set
Domain Admins
SYSTEM
CREATOR OWNER
CREATOR GROUP
to full control,
and read and execute for everybody.

On the security tab, everybody with full control.

But it's the same: if uidNumber is not set, no access.

>
> In other cases, use "domain users" and/or the other groups you need.
>
>
> Greetz, 
>
> Louis
>


Re: Allow user without uidNumber to access to a Samba member file server

Samba - General mailing list
On Wednesday 15 March 2017 at 16:08 +0000, Rowland Penny via samba
wrote:

> On Wed, 15 Mar 2017 17:13:43 +0200
> Arnaud Cruzel <[hidden email]> wrote:
>
>
> >
> > OK, I tried that. After that there are no longer any problems accessing
> > the file server as a user without uidNumber. But now it's impossible
> > for Unix clients to access the Samba shares on this server.
>
> You never mentioned Unix users.
>
> The 'rid' backend works by calculating the user's ID from its Windows
> RID; Unix users do not have a RID, so they don't get an ID.
>
> If you have Unix users, you will have to create the users in AD,
> set the Unix machines up as domain members (info available on the
> Samba wiki)
> and remove the users from the Unix machines (they cannot be
> in /etc/passwd and AD). You could also return to using the 'ad'
> backend, but you would still have to make the Unix machines domain
> members.
Sorry, I said Unix client, but I meant Unix machine.
An Active Directory user logged on to a Unix machine that is a domain member
seems to be unable to access the shares when the share server has idmap
set to rid.


>  
> > I think because the uids are different. For information I didn't
> > have to change the share owners; the server kept the same uids for
> > users (I think because of caching?)
>
> Wait until the cache expires and wait for the screams :-)
Yes, I heard them... from Unix and Mac OS X domain users :D.
I locked my office door!
Windows users kept cool.

So I think I have no choice in a mixed environment (Mac OS X, Windows and
Linux): I have to set uidNumber...
Arghhh

But you mentioned a patch in your other mail for setting
uidNumbers automatically?? Where is it? I want it.

Thanks


>
> Rowland


Re: Allow user without uidNumber to access to a Samba member file server

Samba - General mailing list
On Wed, 15 Mar 2017 18:49:30 +0200
Arnaud Cruzel <[hidden email]> wrote:

> On Wednesday 15 March 2017 at 16:08 +0000, Rowland Penny via samba
> wrote:
> > On Wed, 15 Mar 2017 17:13:43 +0200
> > Arnaud Cruzel <[hidden email]> wrote:

> Sorry, I said Unix client, but I meant Unix machine.
> An Active Directory user logged on to a Unix machine that is a domain member
> seems to be unable to access the shares when the share server has idmap
> set to rid.

As long as a user is in AD it will have a RID, so the 'rid' backend
should work, as long as smb.conf etc is set up correctly.

Can you post the smb.conf from a Unix machine that this happens on?

> > Wait until the cache expires and wait for the screams :-)
> Yes I heard them... from unix and Mac OSx domains users :D.
> I locked my office door !
> Windows users kept cool.

I would barricade the door ;-)
 
>
> So I think I have no choice in a mixed environment (Mac OS X, Windows
> and Linux): I have to set uidNumber...
> Arghhh

Not sure about Mac, never used it, but you should be able to use 'rid'
with Unix.

>
> But you mentioned a patch in your other mail for setting
> uidNumbers automatically?? Where is it? I want it.
>

It basically does what the Unix attribute tab did/does, but I don't
really want to upset Andrew by releasing it outside Samba.

Rowland


