Domain member server: user access


Samba - General mailing list

samba-4.6.8 on both DC and DM.

3 users were created as suggested:

DC # samba-tool user create kamleitnerl Le26xxx
--nis-domain=arbeitsgruppe --unix-home=/home/kamleitnerl
--uid-number=10070 --login-shell=/bin/false --gid-number=100

This user can log in to a Windows PC, but cannot access/connect to shares.

Log for the PC's IP:

[2017/09/25 15:45:10.522051,  1]
../source3/auth/token_util.c:431(add_local_groups)
  SID S-1-5-21-2777655458-4002997014-749295002-3141 -> getpwuid(10070) failed
[2017/09/25 15:45:10.522091,  1]
../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
[2017/09/25 15:45:10.522120,  1]
../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED


On the DM I see the user like this:

main # wbinfo  -S S-1-5-21-2777655458-4002997014-749295002-3141
10070

But why:

# smbclient -L main -Ukamleitnerl%Le26xxx
session setup failed: NT_STATUS_ACCESS_DENIED

Auth works:

# wbinfo -a kamleitnerl%Le26xxx
plaintext password authentication succeeded
challenge/response password authentication succeeded

Wrong group?

It is the same as for other users, which work.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Domain member server: user access

Samba - General mailing list
Hai Stefan,

Can you try the following:
Reboot the server, then reboot the PC, then log in with the non-working user.
When/if that works, log in with the other users and try again.

And, I bet you checked it, but I must ask: time in sync?

Greetz,

Louis



Re: Domain member server: user access

Samba - General mailing list
On Mon, 25 Sep 2017 16:01:59 +0200
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

>
> samba-4.6.8 on both DC and DM.
>
> 3 users were created as suggested:
>
> DC # samba-tool user create kamleitnerl Le26xxx
> --nis-domain=arbeitsgruppe --unix-home=/home/kamleitnerl
> --uid-number=10070 --login-shell=/bin/false --gid-number=100
>

Where did you get the GID '100' from?
Is this the gidNumber for Domain Users?

Can you please post the smb.conf from the DC and DM.

Rowland


Re: Domain member server: user access

Samba - General mailing list
On 2017-09-25 at 16:24, L.P.H. van Belle via samba wrote:
> Hai Stefan,
>
> Can you try the following:
> Reboot the server, then reboot the PC, then log in with the non-working user.
> When/if that works, log in with the other users and try again.

Not now, users *work* right now! ;-)

> And, I bet you checked it, but I must ask: time in sync?

Sure, checked that.

-

Recreating the user on the DC made this work now on DM:

# smbclient -L main -Ukamleitnerl%Le26xxx
OS=[Windows 6.1] Server=[Samba 4.6.8]

        Sharename       Type      Comment
        ---------       ----      -------
        Daten           Disk      Daten
        Scans_Plotter   Disk      Scans vom Plotter
        IPC$            IPC       IPC Service (Samba 4.6.8)

...

I am waiting for an OK from the admin there; he is checking whether the shares
get connected now on the PC. Right now they have maintenance on their
firewall ... takes some time.

--

I don't like these:

../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)

They are in several log files for other PCs as well (but the Samba shares work).


Re: Domain member server: user access

Samba - General mailing list
100 is the Debian default for users.
And as far as I remember, Stefan uses Debian.




Re: Domain member server: user access

Samba - General mailing list
On 2017-09-25 at 16:29, Rowland Penny via samba wrote:

>> DC # samba-tool user create kamleitnerl Le26xxx
>> --nis-domain=arbeitsgruppe --unix-home=/home/kamleitnerl
>> --uid-number=10070 --login-shell=/bin/false --gid-number=100
>>
>
> Where did you get the GID '100' from ?
> Is this the gidNumber for Domain Users ?

I think so:

# wbinfo --gid-info=100
ARBEITSGRUPPE\domain users:x:100:

?

> Can you please post the smb.conf from the DC and DM.

Sure. We had both in an earlier thread, btw, but here again:

DC:

# samba-tool testparm
Press enter to see a dump of your service definitions

# Global parameters
[global]
        netbios name = BACKUP
        realm = ARBEITSGRUPPE.MY.TLD
        workgroup = ARBEITSGRUPPE
        dns forwarder = 10.0.0.254
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/arbeitsgruppe.my.tld/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

DM:

# testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[Daten]"
Processing section "[Scans_Plotter]"
Loaded services file OK.

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
        realm = ARBEITSGRUPPE.MY.TLD
        workgroup = ARBEITSGRUPPE
        log file = /var/log/samba/%m.log
        load printers = No
        printcap name = /dev/null
        security = ADS
        username map = /etc/samba/user.map
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        idmap config arbeitsgruppe:schema_mode = rfc2307
        idmap config arbeitsgruppe:range = 10000-9999999
        idmap config arbeitsgruppe:backend = ad
        idmap config * : range = 2000-2999
        idmap config * : backend = tdb

...

thx, Stefan


Re: Domain member server: user access

Samba - General mailing list
On 2017-09-25 at 16:35, L.P.H. van Belle via samba wrote:
> 100 is the Debian default for users.
> And as far as I remember, Stefan uses Debian.

DC: debian 9.1 with Louis' packages, yes.

# apt-cache policy samba
samba:
  Installiert:           2:4.6.8+nmu-1~deb9
  Installationskandidat: 2:4.6.8+nmu-1~deb9
  Versionstabelle:
 *** 2:4.6.8+nmu-1~deb9 500
        500 http://apt.van-belle.nl/debian stretch/main amd64 Packages
        100 /var/lib/dpkg/status

DM: Gentoo Linux, samba-4.6.8


Re: Domain member server: user access

Samba - General mailing list
Arg..

wbinfo --gid-info=100
DC:  Confirmed, DOMAIN\Domain Users

Member: Fail.
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 100

But both servers show the same with:
wbinfo -n "NTDOM\domain users"

So IMHO, report a bug if Rowland can confirm this with a Samba built from source.


Greetz,

Louis



Re: Domain member server: user access

Samba - General mailing list
On Mon, 25 Sep 2017 16:35:52 +0200
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> 100 is the Debian default for users.
> And as far as I remember, Stefan uses Debian.
>

Yes, I know that, but I also know that it is usually only used on a DC,
is an xidNumber and won't work on a Unix domain member, unless, for some
unknown reason, Domain Users is given the gidNumber '100'.

Rowland


Re: Domain member server: user access

Samba - General mailing list
On 2017-09-25 at 16:48, L.P.H. van Belle via samba wrote:

> Arg..
>
> wbinfo --gid-info=100
> DC:  Confirmed, DOMAIN\Domain Users
>
> Member: Fail.
> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for gid 100
>
> But both servers show the same with:
> wbinfo -n "NTDOM\domain users"
>
> So IMHO, report a bug if Rowland can confirm this with a Samba built from source.

Same here on DM:

# wbinfo --gid-info=100
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 100

# wbinfo -n "ARBEITSGRUPPE\Domain Users"
S-1-5-21-2777655458-4002997014-749295002-513 SID_DOM_GROUP (2)

DC:

# wbinfo --gid-info=100
ARBEITSGRUPPE\domain users:x:100:

# wbinfo -n "ARBEITSGRUPPE\Domain Users"
S-1-5-21-2777655458-4002997014-749295002-513 SID_DOM_GROUP (2)



Re: Domain member server: user access

Samba - General mailing list
Looks to me that's what the AD DC does; I think an automapping of Domain Users to users.

I can remember if I normally see "domain User".

Now, looking closely at my config, I say it's a bug; explained below why.

If I look at my "winadmin" user (on DC):
id admin
uid=10000(NTDOM\admin) gid=100(users) groups=100(users),3000004(NTDOM\group policy creator owners),10001(NTDOM\domain admins),3000005(NTDOM\denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)

The member:
uid=10000(admin) gid=10000(domain users) groups=10000(domain users),10001(domain admins),2001(BUILTIN\users),2000(BUILTIN\administrators)
This one is the only correct one.

BUILTIN\users should be mapped to users IMO, but let's have the devs tell us.



Greetz,

Louis


 


Re: Domain member server: user access

Samba - General mailing list
On Mon, 25 Sep 2017 16:39:50 +0200
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

> Am 2017-09-25 um 16:29 schrieb Rowland Penny via samba:
>
> >> DC # samba-tool user create kamleitnerl Le26xxx
> >> --nis-domain=arbeitsgruppe --unix-home=/home/kamleitnerl
> >> --uid-number=10070 --login-shell=/bin/false --gid-number=100
> >>
> >
> > Where did you get the GID '100' from ?
> > Is this the gidNumber for Domain Users ?
>
> I think so:
>
> # wbinfo --gid-info=100
> ARBEITSGRUPPE\domain users:x:100:

This is on the DC?

Yes, it is the DC and Domain Users does not have a gidNumber attribute,
otherwise it wouldn't be showing '100'. Unless, for some very strange
reason, Domain Users does have the gidNumber '100'. In which case, no
Unix users will be found, because '100' isn't inside the range
'10000-9999999'.

Rowland


Re: Domain member server: user access

Samba - General mailing list
On 2017-09-25 at 16:49, Rowland Penny via samba wrote:

> On Mon, 25 Sep 2017 16:35:52 +0200
> "L.P.H. van Belle via samba" <[hidden email]> wrote:
>
>> 100 is the Debian default for users.
>> And as far as I remember, Stefan uses Debian.
>>
>
> Yes, I know that, but I also know that it is usually only used on a DC,
> is an xidNumber and won't work on a Unix domain member, unless, for some
> unknown reason, Domain Users is given the gidNumber '100'.

I can't remember any decision for a gidNumber '100'.

This funny domain was converted from NT4 back then via classic upgrade;
I bugged you and the list for weeks back then ;-)

Maybe this is some legacy from then?



Re: Domain member server: user access

Samba - General mailing list
On Mon, 25 Sep 2017 16:54:24 +0200
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

> Am 2017-09-25 um 16:48 schrieb L.P.H. van Belle via samba:
> > Arg..
> >
> > wbinfo --gid-info=100
> > DC:  Confirmed, DOMAIN\Domain Users
> >
> > Member: Fail.
> > failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not get info for gid 100
> >
> > But both server show the same with  :
> > wbinfo -n "NTDOM\domain users"
> >
> > So imho, report bug if Rowland can confirm this with a samba from
> > source.
>
> Same here on DM:
>
> # wbinfo --gid-info=100
> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for gid 100
>
> # wbinfo -n "ARBEITSGRUPPE\Domain Users"
> S-1-5-21-2777655458-4002997014-749295002-513 SID_DOM_GROUP (2)
>
> DC:
>
> # wbinfo --gid-info=100
> ARBEITSGRUPPE\domain users:x:100:
>
> # wbinfo -n "ARBEITSGRUPPE\Domain Users"
> S-1-5-21-2777655458-4002997014-749295002-513 SID_DOM_GROUP (2)
>
>

How many times do I have to say this: 'wbinfo' connects directly to AD.
To show that your users & groups are known to Unix, you MUST use
'getent'.

Rowland


Re: Domain member server: user access

Samba - General mailing list
On Mon, 25 Sep 2017 17:01:09 +0200
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

> Am 2017-09-25 um 16:49 schrieb Rowland Penny via samba:
> > On Mon, 25 Sep 2017 16:35:52 +0200
> > "L.P.H. van Belle via samba" <[hidden email]> wrote:
> >
> >> 100 is the Debian default for users.
> >> And as far as I remember, Stefan uses Debian.
> >>
> >
> > Yes, I know that, but I also know that it is usually only used on a
> > DC, is an xidNumber and won't work on a Unix domain member, unless,
> > for some unknown reason, Domain Users is given the gidNumber '100'.
>
> I can't remember any decision for a gidNumber '100'.
>
> This funny domain was converted from NT4 back then via classic
> upgrade, I bugged you and the list for weeks back then ;-)
>
> Maybe this is some legacy from then?
>
>

Not sure, run this on both the DC and the DM:

getent group "Domain Users" | awk -F ':' '{print $3}'

You should get the same number.

Rowland

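As an added illustration of Rowland's two points above (gid 100 cannot be resolved through the member's 'ad' backend because it lies outside "idmap config arbeitsgruppe:range = 10000-9999999", and getent on both hosts must agree on the gid of Domain Users), here is a POSIX shell script. It is not code from the thread; the function names are mine, and its inputs are constructed from the testparm and getent output posted earlier.

```shell
#!/bin/sh
# Added example, not code from the thread: decide from a domain member's smb.conf
# whether a user's uidNumber/gidNumber can be resolved by winbind's 'ad' backend
# (they must lie inside "idmap config DOM:range"), and compare the numeric gid of
# "Domain Users" as reported by getent on two hosts. Function names are my own.

# Constructed input: the [global] section of the member's testparm output as posted.
SMBCONF=$(cat <<'EOF'
[global]
        realm = ARBEITSGRUPPE.MY.TLD
        workgroup = ARBEITSGRUPPE
        security = ADS
        winbind nss info = rfc2307
        winbind use default domain = Yes
        idmap config arbeitsgruppe:schema_mode = rfc2307
        idmap config arbeitsgruppe:range = 10000-9999999
        idmap config arbeitsgruppe:backend = ad
        idmap config * : range = 2000-2999
        idmap config * : backend = tdb
EOF
)

# idmap_range DOMAIN -> prints "LOW HIGH" of "idmap config DOMAIN:range"
# (case-insensitive; whitespace around ':' and '=' ignored, as testparm prints it)
idmap_range() {
    printf '%s\n' "$SMBCONF" | awk -v dom="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        {
            line = tolower($0); gsub(/[ \t]/, "", line)
            key = "idmapconfig" dom ":range="
            if (index(line, key) == 1) {
                split(substr(line, length(key) + 1), r, "-")
                print r[1], r[2]
            }
        }'
}

# in_range ID DOMAIN -> true when ID lies inside DOMAIN's idmap range
in_range() {
    set -- "$1" $(idmap_range "$2")
    [ -n "$3" ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_user NAME UID GID DOMAIN -> "ok", or the attribute on which
# getpwuid()/getgrgid() would fail on this member (the thread's gid 100)
check_user() {
    in_range "$2" "$4" || { echo "$1: uidNumber $2 is outside the idmap range for $4"; return 1; }
    in_range "$3" "$4" || { echo "$1: gidNumber $3 is outside the idmap range for $4"; return 1; }
    echo ok
}

# gid_of GETENT_LINE -> numeric gid from a "getent group" line; works with or
# without the DOMAIN\ prefix ("winbind use default domain" drops it on the member)
gid_of() { printf '%s\n' "$1" | awk -F: '{ print $3 }'; }

# same_gid LINE1 LINE2 -> true when both hosts agree on the gid of the group
same_gid() { [ "$(gid_of "$1")" = "$(gid_of "$2")" ]; }

# Constructed getent output as posted for the DC and the DM
DC_LINE='ARBEITSGRUPPE\domain users:x:100:'
DM_LINE='domain users:x:10513:'

main() {
    # the user as created in the thread: uid 10070, gid 100 -> fails on the member
    check_user kamleitnerl 10070 100 arbeitsgruppe || true
    # the same user with the gidNumber the member resolves for Domain Users
    check_user kamleitnerl 10070 10513 arbeitsgruppe
    same_gid "$DC_LINE" "$DM_LINE" ||
        echo "Domain Users gid differs: DC=$(gid_of "$DC_LINE") DM=$(gid_of "$DM_LINE")"
}
main
```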

Re: Domain member server: user access

Samba - General mailing list
On 2017-09-25 at 17:04, Rowland Penny via samba wrote:

> How many times do I have to say this, 'wbinfo' connects directly to AD.
> To show that your users & groups are known to Unix, you MUST use
> 'getent'

I am sorry.

So you want me to do:

DC # getent group "domain users"
ARBEITSGRUPPE\domain users:x:100:

DM # getent group "domain users"
domain users:x:10513

?


Re: Domain member server: user access

Samba - General mailing list
On 2017-09-25 at 17:10, Rowland Penny via samba wrote:

> Not sure, run this on both the DC and the DM:
>
> getent group "Domain Users" | awk -F ':' '{print $3}'
>
> You should get the same number.

As mentioned in the other reply:

DC: 100
DM: 10513

- and using "id" as Louis did:

DC # id kamleitnerl
uid=10072(ARBEITSGRUPPE\kamleitnerl) gid=100(users) Gruppen=100(users),3000001(BUILTIN\users)

DM # id kamleitnerl
uid=10072(kamleitnerl) gid=10513(domain users) Gruppen=10513(domain users),100(users),3001(BUILTIN\users)


Re: Domain member server: user access

Samba - General mailing list
On Mon, 25 Sep 2017 17:10:57 +0200
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

> Am 2017-09-25 um 17:04 schrieb Rowland Penny via samba:
>
> > How many times do I have to say this, 'wbinfo' connects directly to
> > AD. To show that your users & groups are known to Unix, you MUST use
> > 'getent'
>
> I am sorry.
>
> So you want me to do:
>

This is strange.

> DC # getent group "domain users"
> ARBEITSGRUPPE\domain users:x:100:

If I turn off winbind in /etc/nsswitch and run 'getent group "Domain
Users"', I get nothing returned, even though there is this in idmap.ldb:

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
cn: S-1-5-21-1768301897-3342589593-1064908849-513
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513

>
> DM # getent group "domain users"
> domain users:x:10513

Whereas with winbind in /etc/nsswitch.conf on both machines, I get the
same result.

I always set up libnss-winbind on DCs and use the 'ad' backend on Unix
domain members. So, I cannot remember if this is how a DC works if
you don't set up PAM and libnss_winbind on a DC, but I don't think it
is.

Rowland
 



Re: Domain member server: user access

Samba - General mailing list
On 2017-09-25 at 17:18, Stefan G. Weichinger via samba wrote:

> as mentioned in the other reply
>
> DC: 100
> DM: 10513
>
> - and using "id" as Louis did:
>
> DC # id kamleitnerl
> uid=10072(ARBEITSGRUPPE\kamleitnerl) gid=100(users)
> Gruppen=100(users),3000001(BUILTIN\users)
>
> DM # id kamleitnerl
> uid=10072(kamleitnerl) gid=10513(domain users) Gruppen=10513(domain
> users),100(users),3001(BUILTIN\users)

Maybe I am still wrong, but I assume I have to use "--gid-number=10513"
when creating a user, and not "100"?

As in:

# samba-tool user create User5 P#ssw5rd --nis-domain=ARBEITSGRUPPE
--unix-home=/home/User5 --uid-number=10098 --login-shell=/bin/false
--gid-number=10513

Or skip that option?

We will test that tomorrow, thanks so far ....


Re: Domain member server: user access

Samba - General mailing list
On Mon, 25 Sep 2017 17:33:55 +0200
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

> Am 2017-09-25 um 17:18 schrieb Stefan G. Weichinger via samba:
>
> > as mentioned in the other reply
> >
> > DC: 100
> > DM: 10513
> >
> > - and using "id" as Louis did:
> >
> > DC # id kamleitnerl
> > uid=10072(ARBEITSGRUPPE\kamleitnerl) gid=100(users)
> > Gruppen=100(users),3000001(BUILTIN\users)
> >
> > DM # id kamleitnerl
> > uid=10072(kamleitnerl) gid=10513(domain users) Gruppen=10513(domain
> > users),100(users),3001(BUILTIN\users)
>
> maybe I am still wrong but I assume I have to use "--gid-number=10513"
> when creating a user, and not "100" ?
>
> as in:
>
> # samba-tool user create User5 P#ssw5rd --nis-domain=ARBEITSGRUPPE
> --unix-home=/home/User5 --uid-number=10098 --login-shell=/bin/false
> --gid-number=10513

Yes

>
> Or skip that option ?

No, you will get an error message if you do (unless you also drop the
'--nis-domain' option as well).

Rowland


