
Samba 4.5.8 ADS user not showing in directory tree - chown "invalid user"



Samba - General mailing list
Hi,
I'm currently evaluating an AD domain for my department. Since I have a couple of years' experience running an NT-style domain, my choice is Samba, nowadays AD DS.

Now I'm stuck, and I would really appreciate some more thoughts and a push in the right direction. :-)

Thank you in advance
Franz


The facts:
A quick test installation is working as expected: Debian Jessie, Samba 4.2.14 from the official repository.
A wbinfo -u lists domain users, and I can chown as necessary. Of course, the list is without the Realm in front.

# wbinfo -u
demo1
administrator
krbtgt

Over to the designated production server, which behaves differently:
Here I have a Stretch with Samba 4.5.8, also from the standard repos
deb http://ftp.de.debian.org/debian stretch main
deb-src http://ftp.de.debian.org/debian stretch main

These commands are all executed on the PDC.


The same command produces different output:
# wbinfo -u
H955\administrator
H955\krbtgt
H955\guest
H955\demo1

I get the mentioned error on chown - invalid user.

ls produces this; the UIDs are correct.

# ls -al
total 56
drwxrwxrwx  8 root    root  4096 May 19 10:03 .
drwxr-xr-x  3 root    root  4096 May  8 15:36 ..

drwxrwxr-x+ 2 3000019 users 4096 May 19 09:40 demo1
drwxrwxr-x+ 2 3000019 users 4096 May 19 10:03 demo1_new
drwxrwxr-x+ 2 3000000 users 4096 May 18 16:12 admin


Here's my system environment:
# uname -a
Linux vw-ads 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64 GNU/Linux

# samba -V
Version 4.5.8-Debian

# samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=H955.TEST.AC.AT --domain=H955 --adminpass=passw0rd

# net rpc rights grant 'H955\Domain Admins' SeDiskOperatorPrivilege -Uadministrator


# cat /etc/samba/smb.conf
# Global parameters
[global]
            netbios name = VW1-ADS
            realm = H955.TEST.AC.AT
            workgroup = H955
            dns forwarder = 8.8.8.8
            server role = active directory domain controller
            idmap_ldb:use rfc2307 = yes

[netlogon]
            path = /data/data-nfs-vw/netlogon-ads/
            read only = No

[sysvol]
            path = /var/lib/samba/sysvol
            read only = No

[profiles]
            comment = Roaming Profiles
            path = /data/data-nfs-vw/profiles-ads/
            writeable = yes
            store dos attributes = yes
            profile acls = yes
            csc policy = disable


[test]
            path = /data/data/test
            writeable = yes


# locate libnss_winbind.so
/lib/x86_64-linux-gnu/libnss_winbind.so
/lib/x86_64-linux-gnu/libnss_winbind.so.2
/lib64/libnss_winbind.so
/lib64/libnss_winbind.so.2

# ls -al /etc/krb5.conf
lrwxrwxrwx 1 root root 32 May 16 20:40 /etc/krb5.conf -> /var/lib/samba/private/krb5.conf

# cat /etc/nsswitch.conf
# /etc/nsswitch.conf

passwd: files winbind
group:  files winbind
passwd: compat
group:  compat
shadow: compat
gshadow:    files
hosts:  files dns
networks:   files
protocols:  db files
services:   db files
ethers: db files
rpc:    db files
netgroup:   nis












--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba 4.5.8 ADS user not showing in directory tree - chown "invalid user"

Samba - General mailing list

>Of course, the list is without the Realm in front.
>
> # wbinfo -u
> demo1
> administrator

Small correction.
>Of course, the list is without the NTDOMAIN in front.
                                                ^^^^^^^^
NTDOM\user or  user@REALM

And change your nsswitch to :
passwd:         compat winbind
group:          compat winbind

Greetz,

Louis


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Franz Gansberger via samba
> Sent: Friday 19 May 2017 11:49
> To: [hidden email]
> Subject: [Samba] Samba 4.5.8 ADS user not showing in
> directory tree - chown "invalid user"



Re: Samba 4.5.8 ADS user not showing in directory tree - chown "invalid user"

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Fri, 19 May 2017 11:49:26 +0200
Franz Gansberger via samba <[hidden email]> wrote:

> Hi,
> I'm currently evaluating an AD domain for my department.
> Since I have a couple of years' experience running an NT-style domain,
> my choice is Samba, nowadays AD DS.
>
> Now I'm stuck, and I would really appreciate some more thoughts and a
> push in the right direction. :-)
>
> Thank you in advance
> Franz
>
>
> The facts:
> A quick test installation is working as expected: Debian Jessie,
> Samba 4.2.14 from the official repository. A wbinfo -u lists domain
> users, and I can chown as necessary. Of course, the list is without
> the Realm in front.
>
> # wbinfo -u
> demo1
> administrator
> krbtgt
>
> Over to the designated production server, which behaves differently:
> Here I have a Stretch with Samba 4.5.8, also from the standard repos
> deb http://ftp.de.debian.org/debian stretch main
> deb-src http://ftp.de.debian.org/debian stretch main
>
> These commands are all executed on the PDC.

Please don't call it a PDC, your old machine was a PDC, your new one is
just a DC and if you add any other DCs, they will be just a DC as
well ;-)

>
>
> The same command produces different output:
> # wbinfo -u
> H955\administrator
> H955\krbtgt
> H955\guest
> H955\demo1
>
> I get the mentioned error on chown - invalid user.

OK, 'wbinfo' == this is a Windows user or group
You need to use 'getent passwd username' or 'getent group groupname'
If either of the above commands doesn't produce output, the user or
group is unknown to the OS.
 

>
> ls produces this; the UIDs are correct.
>
> # ls -al
> total 56
> drwxrwxrwx  8 root    root  4096 May 19 10:03 .
> drwxr-xr-x  3 root    root  4096 May  8 15:36 ..
>
> drwxrwxr-x+ 2 3000019 users 4096 May 19 09:40 demo1
> drwxrwxr-x+ 2 3000019 users 4096 May 19 10:03 demo1_new
> drwxrwxr-x+ 2 3000000 users 4096 May 18 16:12 admin

Who is '3000019' ?
You can find out by running ldbedit on idmap.ldb and then searching for
'3000019'
'users' is correct, Domain Users is mapped to 'users' in idmap.ldb

>
>
> Here's my system environment:
> # uname -a
> Linux vw-ads 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30)
> x86_64 GNU/Linux
>
> # samba -V
> Version 4.5.8-Debian
>
> #samba-tool domain provision --server-role=dc --use-rfc2307
> --dns-backend=SAMBA_INTERNAL --realm=H955.TEST.AC.AT --domain=H955
> --adminpass=passw0rd
>
> #net rpc rights grant 'H955\Domain Admins' SeDiskOperatorPrivilege
> -Uadministrator
>
>
> # cat /etc/samba/smb.conf
> # Global parameters
> [global]
>    netbios name = VW1-ADS
>    realm = H955.TEST.AC.AT
>    workgroup = H955
>    dns forwarder = 8.8.8.8
>    server role = active directory domain controller
>    idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>    path = /data/data-nfs-vw/netlogon-ads/
>    read only = No
>
> [sysvol]
>    path = /var/lib/samba/sysvol
>    read only = No
>
> [profiles]
> comment = Roaming Profiles
> path = /data/data-nfs-vw/profiles-ads/
> writeable = yes
> store dos attributes = yes
> profile acls = yes
> csc policy = disable

You can remove the above three lines, they do nothing on a DC.

>
>
> [test]
> path = /data/data/test
> writeable = yes
>
>
> # locate libnss_winbind.so
> /lib/x86_64-linux-gnu/libnss_winbind.so
> /lib/x86_64-linux-gnu/libnss_winbind.so.2
> /lib64/libnss_winbind.so
> /lib64/libnss_winbind.so.2
>
>  #ls -al /etc/krb5.conf
> lrwxrwxrwx 1 root root 32 May 16 20:40 /etc/krb5.conf
> -> /var/lib/samba/private/krb5.conf
>
> # cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
>
> passwd: files winbind
> group:  files winbind
> passwd: compat
> group:  compat

You seem to have 'passwd' and 'group' twice, remove the second two, the
first is correct.

Do you have these packages installed:
libpam-winbind libpam-krb5 libnss-winbind

Rowland
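
Louis's nsswitch ordering and Rowland's wbinfo-versus-getent point above, as an added example that is not part of the thread or of Samba's own tooling: a POSIX shell checker that flags a passwd or group database configured twice, or configured without winbind, run over constructed copies of the broken and the corrected nsswitch.conf from this thread, plus a read-only ldbsearch wrapper for Rowland's "who is 3000019?" question. The idmap.ldb path and the IDMAP_LDB override are assumptions; the two sample files are constructed from what was posted here.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba's own tooling): checks an
# nsswitch.conf for the mistake diagnosed above and wraps the idmap lookup.
#
# glibc keeps one source list per database. In this thread the trailing
# "passwd: compat" was the line in effect, so winbind was never consulted:
# wbinfo -u (which asks winbindd directly) still listed H955\demo1, while
# getent and chown (which go through NSS) saw no such user. Treat any
# duplicate database line as an error instead of reasoning about which wins.

# check_nsswitch FILE DB
#   ok <sources>               DB configured once and includes winbind
#   missing-winbind <sources>  DB configured once, winbind absent
#   duplicate:N last=<sources> DB configured N>1 times
#   absent                     DB not configured
# Exit status is 0 only for "ok".
check_nsswitch() {
    file=$1; db=$2
    pattern="^[[:space:]]*$db:"
    count=$(grep -c "$pattern" "$file" || true)
    : "${count:=0}"
    if [ "$count" -eq 0 ]; then
        echo absent
        return 1
    fi
    # sources of the LAST matching line, whitespace normalised
    last=$(grep "$pattern" "$file" | tail -n 1 | cut -d: -f2- \
           | tr -s ' \t' '  ' | sed 's/^ //;s/ $//')
    if [ "$count" -gt 1 ]; then
        echo "duplicate:$count last=$last"
        return 1
    fi
    case " $last " in
        *" winbind "*) echo "ok $last"; return 0 ;;
        *)             echo "missing-winbind $last"; return 1 ;;
    esac
}

# Constructed copies of the two configurations from the thread, so the
# checker can be exercised without touching the real /etc/nsswitch.conf.
write_broken_nsswitch() {   # as posted by Franz: passwd and group twice
    cat > "$1" <<'EOF'
passwd: files winbind
group:  files winbind
passwd: compat
group:  compat
shadow: compat
hosts:  files dns
EOF
}
write_fixed_nsswitch() {    # as suggested by Louis
    cat > "$1" <<'EOF'
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
EOF
}

# idmap_lookup XID: read-only answer to "who is 3000019?". Runs ldbsearch
# against the DC's local idmap.ldb instead of opening it in ldbedit.
# The path is Samba's default private dir (assumed); override with IDMAP_LDB.
idmap_lookup() {
    db=${IDMAP_LDB:-/var/lib/samba/private/idmap.ldb}
    if ! command -v ldbsearch >/dev/null 2>&1 || [ ! -r "$db" ]; then
        echo "idmap_lookup: ldbsearch or $db not available here" >&2
        return 2
    fi
    ldbsearch -H "$db" "(xidNumber=$1)" cn objectSid type xidNumber
}

# Usage on the DC (both checks should print "ok ..." once nsswitch is fixed):
#   check_nsswitch /etc/nsswitch.conf passwd
#   check_nsswitch /etc/nsswitch.conf group
#   idmap_lookup 3000019
```

The checker deliberately reports a duplicate as a failure even when one of the copies lists winbind: with chown and ACL tools resolving names through NSS, a silently ignored winbind entry means ownership ends up on raw numeric IDs that nothing on the host can name, which is exactly the "invalid user" symptom Franz saw.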




Antw: Re: Samba 4.5.8 ADS user not showing in directory tree - chown "invalid user"

Samba - General mailing list
Hi Rowland,

thank you for your almost immediate answer, and your tips. :-)
And well, it is solved now. :-))

I overlooked this ridiculously obvious double entry in the nsswitch.conf.
After correcting this mistake, a

# getent passwd demo1

resolves to

H955\demo1:*:3000019:100:demo1:/home/H955/demo1:/bin/false

So the directory listing is now more human-readable, and 3000019 is displayed as demo1

# ls -al
total 56
drwxrwxrwx  8 root      root  4096 May 19 10:03 .
drwxr-xr-x  3 root      root  4096 May  8 15:36 ..
drwxrwxr-x+ 2 H955\demo1 users 4096 May 19 09:40 demo2
drwxrwxr-x+ 2 H955\demo1 users 4096 May 19 10:03 demo1_new
drwxrwxr-x+ 2 BUILTIN\administrators users 4096 May 18 16:12 admin

Good. :-)

Nonetheless, the packages
libpam-winbind libpam-krb5
are not installed yet.


Thank you for doing this great job!!

Franz



>>> Rowland Penny <[hidden email]> 19.05.2017 12:42 >>>
