user cannot access shares on new ad-dc

17 messages

user cannot access shares on new ad-dc

Samba - General mailing list
Hi,

I just installed a new AD-DC as described in the wiki.
Administrator can log on and see the two default-shares.
Then I used ADUC from RSAT to create an OU and a user.
User can see the shares (and can map them to a drive letter),
but is denied when trying to look inside.
Same for another share which I added.
Even when administrator grants permission to everybody.

I read more of the wiki, which made me add a group,
and use the Unix tab to give the group and the user a UID.
Then rebooted both server and client, but still no success.

What else is missing?

I know that using the DC as fileserver is not recommended,
but at least netlogon and sysvol should work.

Klaus


Client: Win7
Server: Ubuntu 14.04 server
Samba : 4.6.8 compiled from source (./configure; make; make install)


Both run in VirtualBox.
First ethernet adapter is NAT to outside world,
second adapter is hostonly.
Samba is told to use only the second one.


provision command:

samba-tool domain provision --use-rfc2307 --interactive \
--option="interfaces=lo eth1" --option="bind interfaces only=yes"


/etc/resolv.conf:

nameserver 192.168.56.42
search company.de


/etc/hosts:

127.0.0.1       localhost  localhost.localdomain
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.1   adminpc
192.168.56.42  dc1 dc1.ad.company.de


smb.conf:

# Global parameters
[global]
      bind interfaces only = Yes
      interfaces = lo eth1
      netbios name = DC1
      realm = AD.COMPANY.DE
      workgroup = COMPANY
      dns forwarder = 195.50.140.114
      server role = active directory domain controller
      idmap_ldb:use rfc2307 = yes
      comment =

[netlogon]
      path = /usr/local/samba/var/locks/sysvol/ad.company.de/scripts
      read only = No

[sysvol]
      path = /usr/local/samba/var/locks/sysvol
      read only = No

[test]
      path = /srv/samba/test
      read only = No


--
Message sent from a mobile device, please excuse brevity and typos

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: user cannot access shares on new ad-dc

On Fri, 29 Sep 2017 11:32:16 +0200
Klaus Hartnegg via samba <[hidden email]> wrote:


Have you set up the libnss_winbind links, PAM and /etc/nsswitch.conf ?

Rowland


Re: user cannot access shares on new ad-dc


And I suggest, in your /etc/hosts:
change this part:
192.168.56.1   adminpc.ad.company.de adminpc
192.168.56.42  dc1.ad.company.de dc1

And
/etc/resolv.conf
search ad.company.de company.de
nameserver 192.168.56.42

The pc used, is domain joined?

Greetz,

Louis




Re: user cannot access shares on new ad-dc


> On 29.09.2017 11:44 Rowland Penny wrote:
> Have you set up the libnss_winbind links, PAM and /etc/nsswitch.conf ?

Yes, I had modified two lines in /etc/nsswitch.conf:
 passwd:         files winbind
 group:          files winbind

No, I had not seen a pointer to libnss, but now did
 ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/
 ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so
 ldconfig

The wiki page Authenticating_Domain_Users_Using_PAM says to
NOT configure PAM on a DC.

I tried "net cache flush"

These tests succeed:
 wbinfo --ping-dc
 getent passwd COMPANY\\user
 getent group "COMPANY\\Domain Users"


The output of “getfacl sysvol” looks strange:

# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

I tried "samba-tool ntacl sysvolreset".
This added a few lines to the output of getfacl:

# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Users still cannot see the contents of any share.

What else could be missing?

Klaus




Re: user cannot access shares on new ad-dc

On Fri, 29 Sep 2017 13:19:44 +0200
Klaus Hartnegg via samba <[hidden email]> wrote:

>
> > On 29.09.2017 11:44 Rowland Penny wrote:
> > Have you set up the libnss_winbind links, PAM
> > and /etc/nsswitch.conf ?
>
> Yes, I had modified two lines in /etc/nsswitch.conf:
>  passwd:         files winbind
>  group:          files winbind
>
> No, I had not seen a pointer to libnss, but now did
>  ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/
>  ln
> -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so
> ldconfig
>
> The wiki page Authenticating_Domain_Users_Using_PAM tell to
> NOT configure PAM on a DC.

I have just checked the page again:
https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM


I cannot see where it says not to use on a DC

> I tried "net cache flush"
>
> These tests succeed:
>  wbinfo --ping-dc
>  getent passwd COMPANY\\user
>  getent group "COMPANY\\Domain Users"
>
>
> The output of “getfacl sysvol” looks strange:
>
> [...]

By 'strange', I take it you are referring to the numbers instead of
names; don't worry, this is perfectly normal on a DC. The numbers are the
'xidNumbers' you will find in idmap.ldb.

> Users still cannot see the contents of any share.

What does 'getent passwd username' actually produce ?

>
> What else could be missing?

Not sure, if PAM isn't set up, then set it up by installing the
required packages and try again

Rowland




Re: user cannot access shares on new ad-dc


> On 29.09.2017 14:32 Rowland Penny wrote:
> I cannot see where it says not to use on a DC

I misread the first section.

> What does 'getent passwd username' actually produce ?

root@dc1:~# getent passwd administrator
COMPANY\administrator:*:0:100::/home/COMPANY/administrator:/bin/false
root@dc1:~# getent passwd klaus
COMPANY\klaus:*:10000:100::/home/COMPANY/klaus:/bin/false

> if PAM isn't set up, then set it up by installing the
> required packages and try again

Ok, I ran "pam-auth-update" and pressed enter twice.
Have no idea what this does.

But is PAM really necessary on a DC?
The Wiki says that winbindd is optional.
Should not at least sysvol work without it?

Klaus


Re: user cannot access shares on new ad-dc

Now with this email also, you have at least 3 problems.

1) incorrect hosts file (see my previous post)
2) incorrect resolv.conf (see my previous post)
3) you hit the "Group bug" (group 100 should be at least 10000)
https://bugzilla.samba.org/show_bug.cgi?id=13054

Fix that with
wbinfo -G 10000
net cache flush

> Then I used ADUC from RSAT to create an OU and a user.
> User can see the shares (and can map them to a drive letter), but is
> denied to look inside.
> Same for another share which I added.
> Even when administrator grants permission to everybody.

Did you "copy" another user?
Or did you create a template for your users?

If you copied from another user, and if you have set the Unix attributes,
try this: remove the profile and user folder, go to ADUC, Profile tab.
Change something in the user and profile field so Windows sees a change.
Then click apply.


Another quick fix.
You see the 2005 there, make sure that matches your own:
wbinfo -G 2005
S-1-5-18

wbinfo -Y S-1-5-18


#!/bin/bash
# Writes a getfacl-style rights file for one user's profile folder.
# Usage: ./default-rights.sh <uid or DOMAIN\user of the profile owner>
set -eu
[ $# -eq 1 ] || { echo "usage: $0 <profile owner>" >&2; exit 1; }

RIGHTSFILE="default-rights-user-profile.acl"
GROUP_WRITE_RIGHTS="domain\040users"
# gid of the SYSTEM account (S-1-5-18) on this DC; replaces the hardcoded 2005
USER_SYSTEM="$(wbinfo -Y S-1-5-18)"

cat << EOF > ${RIGHTSFILE}
# file: user.V6/
# owner: user
# group: domain\040users
user::rwx
user:${1}:rwx
group::---
group:${USER_SYSTEM}:rwx
group:${GROUP_WRITE_RIGHTS}:---
mask::rwx
other::---
default:user::rwx
default:user:${1}:rwx
default:group::---
default:group:${USER_SYSTEM}:rwx
default:group:${GROUP_WRITE_RIGHTS}:---
default:mask::rwx
default:other::---
EOF

echo "Run : setfacl -R -b -M $RIGHTSFILE The_Users_Profile_Folder"

As Administrator check the rights on the share.


Greetz,

Louis




Re: user cannot access shares on new ad-dc

On Fri, 29 Sep 2017 15:42:17 +0200
Klaus Hartnegg via samba <[hidden email]> wrote:

>
> > On 29.09.2017 14:32 Rowland Penny wrote:
> > I cannot see where it says not to use on a DC
>
> I misread the first section.
>
> > What does 'getent passwd username' actually produce ?
>
> root@dc1:~# getent passwd administrator
> COMPANY\administrator:*:0:100::/home/COMPANY/administrator:/bin/false
> root@dc1:~# getent passwd klaus
> COMPANY\klaus:*:10000:100::/home/COMPANY/klaus:/bin/false
>
> > if PAM isn't set up, then set it up by installing the
> > required packages and try again
>
> Ok, I ran "pam-auth-update" and pressed enter twice.
> Have no idea what this does.
>
> But is PAM really necessary on a DC?

Yes, if you want to use it as a fileserver

> The Wiki says that winbindd is optional.

Point me to where it says that and if required, I will alter it.

> Should not at least sysvol work without it?

Yes, sysvol will work without it, but sysvol is only used by Windows
clients and users.

Rowland



Re: user cannot access shares on new ad-dc

On Fri, 29 Sep 2017 15:57:44 +0200
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> Now with this email also, you at least 3 problems.
>
> 1) incorrect hosts file. ( see previous post of me )
> 2) incorrect resolv.conf  ( see previous post of me )
> 3) you did hit the "Group bug"  ( group 100 should be minimal 10000)
> https://bugzilla.samba.org/show_bug.cgi?id=13054
>

He might not have hit the bug, this is a DC and on a DC '100' is valid.

Rowland


Re: user cannot access shares on new ad-dc

Yes, the 100 "maybe" valid.

wbinfo --group-info="Domain Users" will show what it's set to.

I did believe that at the time of provisioning with RFC2307, the UID and GID start is set at 10000.
But please correct what I missed.



Greetz,

Louis


Re: user cannot access shares on new ad-dc

On 29.09.2017 16:44 L.P.H. van Belle wrote:
> Yes, the 100 "maybe" valid.
>
> wbinfo --group-info="Domain Users" will show what it's set to.

root@dc1:~# wbinfo --group-info="Domain Users"
COMPANY\domain users:x:100:


Re: user cannot access shares on new ad-dc

On Fri, 29 Sep 2017 16:44:31 +0200
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> Yes, the 100 "maybe" valid.
>
> wbinfo --group-info="Domain Users" will show what it's set to.
>
> I did believe that at the time of provisioning with RFC2307, the UID and
> GID start is set at 10000. But please correct what I missed.
>

You missed that the provision doesn't set any start UID or GID numbers.
This is left to the sysadmin, but ADUC by default starts at '10000'

Rowland


Re: user cannot access shares on new ad-dc

On 29.09.2017 11:49 L.P.H. van Belle wrote:
> And I suggest, in you /etc/hosts:
> Change this part.
> 192.168.56.1   adminpc.ad.company.de adminpc
> 192.168.56.42  dc1.ad.company.de dc1

I changed the order of FQDN and alias in the second line, but it did not make
a difference.

adminpc is not used during this test, so this line should be irrelevant.

> /etc/resolv.conf
> search ad.company.de company.de
> nameserver 192.168.56.42

So far I always used the full name to access the server, so this cannot
be the reason. And it would not explain why it works for Administrator.

> The pc used, is domain joined?

yes


Klaus


Re: user cannot access shares on new ad-dc

On 29.09.2017 16:00 Rowland Penny wrote:
>> But is PAM really necessary on a DC?
> Yes, if you want to use it as a fileserver
>> The Wiki says that winbindd is optional.
> Point me to where it says that and if required, I will alter it.

Page: Setting_up_Samba_as_an_Active_Directory_Domain_Controller
Section: Configuring Winbindd on a Samba AD DC

> Yes, sysvol will work without it, but sysvol is only used by Windows
> clients and users.

But it does not work! Only Administrator can access the contents of shares, users cannot.

Can I somehow ask samba to log the reason for why it denies users access to all shares? I could not find that in any of the logfiles.

By the way the page Pam_winbind_Link had a typo 368 vs 386 in the command
ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/i368-linux-gnu/security/
I fixed that in the wiki, ran the correct command, then ran "pam-auth-update" again.
Chown still cannot use AD-Names.

The wiki is confusing. If several more steps are required to get a working AD (like links for nss and pam), it should tell so IN ONE PLACE. Not ask the readers to jump around between several different pages, which themselves point to yet other pages.

Klaus



Re: user cannot access shares on new ad-dc

Hello,

Is it normal that "Computer Management" cannot configure shared
directories of a Samba4 AD-DC? Is this only possible on member servers?
It can connect to the DC, but when I click on shares it tells that
either the server does not support "virtual disk service" (translated
from German), or a firewall blocks the connection. There is no firewall
between these machines in my test environment. I started Computer
Management as domain-admin on domain-joined Win7.

Is it normal that non-admin users (on Win7) get permission denied if
they want to look inside of \\dc.ad.domain\sysvol or netlogon? They can
look inside these directories on Windows servers, but not on my newly
provisioned AD-DC test server.

They cannot even access a test-share when I make them owner of it with
chown.

The wiki page
    Configuring_Winbindd_on_a_Samba_AD_DC
instructs to append "winbind" behind "files" in the lines "passwd" and
"group". But my nsswitch.conf (ubuntu 14) had "compat" there, not
"files". Should I replace "compat" with "files", or append "winbind"
behind "compat"?

The command "pam-auth-update" does not produce any output. How can I
check if it has done anything?
I can do
   chown "domain\\user" file
and then that domain-user is shown in
   ls -la file
Does that mean that everything works?

I get the impression that winbindd and PAM are needed mostly (only?) if
users want to log on to the DC with ssh. The page about winbindd
describes howto set up templates for shell and homedir. The page about
PAM talks about "SSH authentication". I just want to access shares!
Reading the wiki I cannot determine what precisely are the required
steps to access shares on a DC.

Klaus


Re: user cannot access shares on new ad-dc

Samba version?
 

> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Klaus Hartnegg via samba
> Sent: Tuesday 10 October 2017 12:09
> To: [hidden email]
> Subject: Re: [Samba] user cannot access shares on new ad-dc
>
> Hello,
>
> Is it normal that "Computer Management" cannot configure
> shared directories of a Samba4 AD-DC? Is this only possible
> on member servers?
No, did you set the SePrivileges?

> It can connect to the DC, but when I click on shares it tells
> that either the server does not support "virtual disk
> service" (translated from German), or a firewall blocks the
> connection. There is no firewall between these machines in my
> test environment. I started Computer Management as
> domain-admin on domain-joined Win7.
Go to Shares, configure there.

>
> Is it normal that non-admin users (on Win7) get permission
> denied if they want to look inside of \\dc.ad.domain\sysvol
> or netlogon? They can look inside these directories on
> Windows servers, but not on my newly provisioned AD-DC test server.
Yes/No: if the non-admin users are domain users, then no, that's not normal.
If they are not domain users, yes, that's normal.

When prompted for a username, use DOM\user or username@REALM.

>
> They cannot even access a test-share when I make them owner
> of it with chown.
>
> The wiki page
>     Configuring_Winbindd_on_a_Samba_AD_DC
> instructs to append "winbind" behind "files" in the lines
> "passwd" and "group". But my nsswitch.conf (ubuntu 14) had
> "compat" there, not "files". Should I replace "compat" with
> "files", or append "winbind"
> behind "compat"?
No, compat winbind is correct. (Don't set winbind compat.)
(Debian/Ubuntu use compat.)


>
> The command "pam-auth-update" does not produce any output.
> How can I check if it has done anything?
> I can do
>    chown "domain\\user" file
I suggest using getfacl and setfacl.
Since you only want Windows access, don't use POSIX ACLs; stay with Windows ACLs.

> and then that domain-user is shown in
>    ls -la file
> Does that mean that everything works?
Yes, that looks good.

>
> I get the impression that winbindd and PAM are needed mostly
> (only?) if users want to log on to the DC with ssh.
Yes, correct.

> The page
> about winbindd describes howto set up templates for shell and
> homedir. The page about PAM talks about "SSH authentication".
> I just want to access shares!
> Reading the wiki I cannot determine what precisely are the
> required steps to access shares on a DC.

https://github.com/thctlo/samba4/tree/master/howtos 
Start at the top. Tested on Debian stretch, but I don't see
any problems for Ubuntu 14.04 and 16.04; the steps are almost the same.
(You might need to change some package names.)
If you notice a difference, make a comment and I'll adapt it.

Review the file: stretch-base-2.0-samba-minimal-ad.txt
That setup resulted for me in being able to access a share (as domain admin) as:

\\ip
\\ip\
\\ip\share
\\hostname
\\hostname\
\\hostname\share
\\FQDN
\\FQDN\
\\FQDN\share.

Or the same as a normal (domain) user: when prompted I enter a regular domain\username or username@REALM
and I'm also able to access the server.

So review your setup based on this one.


Greetz,

Louis

Re: user cannot access shares on new ad-dc

On Tue, 10 Oct 2017 12:09:28 +0200
Klaus Hartnegg via samba <[hidden email]> wrote:

OK, this could get a bit long :-)

As standard, a Samba AD DC is only used for authentication i.e. a user
called 'fred' is trying to connect to the domain, so do we know him ?

If you want to use a Samba AD DC for anything else, then you need to
make the user 'fred' known to the underlying Unix OS, you do this by
creating the libnss_winbind links, either manually or by installing
distro packages, on Ubuntu these will probably be 'libpam-winbind
libpam-krb5 libnss-winbind'
You will also need to check that the passwd & group lines
in /etc/nsswitch.conf have 'winbind' at the end. You may find that the
lines have 'compat' instead of 'files'; they are interchangeable as far as
Samba is concerned, but see 'man nsswitch.conf' for more info.

Once everything is set up correctly on the DC, 'getent passwd fred' or
'getent group fredgroup' should produce output, if there is no output,
there is either something wrong, or the user (or group) doesn't exist.

There are a lot of webpages out there that tell you to use 'wbinfo' to
check if users or groups exist, this will only tell you that they
exist in AD, it will not tell you if Unix knows who they are.

Rowland
