user works on DC, not on DM


user works on DC, not on DM

Samba - General mailing list

good morning (here)

At a customer we face the issue that a new user (we tested creating via
RSAT and samba-tool) can't log in to the DM server, but works on the DC.

DM: gentoo linux, samba 4.6.7
DC: Debian 9.1, samba 4.6.7

-

on the DM "main":

main ~ # smbclient  -L localhost -U hansi%Kwaksi29+
session setup failed: NT_STATUS_LOGON_FAILURE

main ~ # wbinfo -i hansi
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user hansi

main ~ # wbinfo -a hansi%Kwaksi29+
plaintext password authentication succeeded
challenge/response password authentication succeeded

main ~ # wbinfo -u | grep hansi
hansi

Sure, we restarted the daemons, even rebooted the server.

on DC:

# wbinfo -i hansi
ARBEITSGRUPPE\hansi:*:3000044:100::/home/ARBEITSGRUPPE/hansi:/bin/false

I noticed the --------^^^^^^^  id ... and checked against the id range
on the DM:


[global]
        realm = ARBEITSGRUPPE.THEIR.TLD
        workgroup = ARBEITSGRUPPE
        log file = /var/log/samba/%m.log
        load printers = No
        printcap name = /dev/null
        security = ADS
        username map = /etc/samba/user.map
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        idmap config arbeitsgruppe:schema_mode = rfc2307
        idmap config arbeitsgruppe:range = 10000-9999999
        idmap config arbeitsgruppe:backend = ad
        idmap config * : range = 2000-2999
        idmap config * : backend = tdb

it was 999999 before, I increased that and restarted/rebooted DM, no change.

The user can log in to the domain; it just can't connect to a share on
the DM (group membership is OK, we only filter for "Domain Users", and
the GPOs are applied).

Any hints? What can I provide to help you help me?
Thanks, Stefan

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: user works on DC, not on DM

Samba - General mailing list
On Fri, 1 Sep 2017 08:49:26 +0200
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

>
> good morning (here)
>
> At a customer we face the issue that a new user (we tested creating
> via RSAT and samba-tool) can't log in to the DM server, but works on
> the DC.
>
> DM: gentoo linux, samba 4.6.7
> DC: Debian 9.1, samba 4.6.7
>
> -
>
> on the DM "main":
>
> main ~ # smbclient  -L localhost -U hansi%Kwaksi29+
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> main ~ # wbinfo -i hansi
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user hansi
>
> main ~ # wbinfo -a hansi%Kwaksi29+
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> main ~ # wbinfo -u | grep hansi
> hansi
>
> Sure, we restarted the daemons, even rebooted the server.
>
> on DC:
>
> # wbinfo -i hansi
> ARBEITSGRUPPE\hansi:*:3000044:100::/home/ARBEITSGRUPPE/hansi:/bin/false
>
> I noticed the --------^^^^^^^  id ... and checked against the id range
> on the DM:

 I noticed that these   ^^^^^^^^^^^^ are xidNumbers.

xidNumbers are only used on a DC, they are NOT used anywhere else!

>
> [global]
> realm = ARBEITSGRUPPE.THEIR.TLD
> workgroup = ARBEITSGRUPPE
> log file = /var/log/samba/%m.log
> load printers = No
> printcap name = /dev/null
> security = ADS
> username map = /etc/samba/user.map
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> idmap config arbeitsgruppe:schema_mode = rfc2307
> idmap config arbeitsgruppe:range = 10000-9999999
> idmap config arbeitsgruppe:backend = ad
> idmap config * : range = 2000-2999
> idmap config * : backend = tdb
>
> it was 999999 before, I increased that and restarted/rebooted DM, no
> change.
>
> The user can log in to the domain; it just can't connect to a share on
> the DM (group membership is OK, we only filter for "Domain Users", and
> the GPOs are applied).

Have you given the user a 'uidNumber' attribute containing a unique
number inside 10000-9999999? And have you given Domain Users a
gidNumber attribute containing a number inside the same range? (I don't
think you have, or it wouldn't be '100' above.)
 
Rowland




Re: user works on DC, not on DM

Samba - General mailing list
On 2017-09-01 at 09:17, Rowland Penny via samba wrote:

>> The user can log in to the domain; it just can't connect to a share on
>> the DM (group membership is OK, we only filter for "Domain Users", and
>> the GPOs are applied).
>
> Have you given the user a 'uidNumber' attribute containing a unique
> number inside 10000-9999999? And have you given Domain Users a
> gidNumber attribute containing a number inside the same range? (I don't
> think you have, or it wouldn't be '100' above.)

We expected that creating the user via RSAT would be enough.
But now as I read this I remember a similar thread from back then.

How to add that uidNumber in the easiest way?
I would like to be able to let the local admin do that ...

can't remember the steps anymore, something with LDAP, I assume?

thx



Re: user works on DC, not on DM

Samba - General mailing list
On Fri, 1 Sep 2017 09:35:50 +0200
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

> On 2017-09-01 at 09:17, Rowland Penny via samba wrote:
>
> >> The user can log in to the domain; it just can't connect to a share
> >> on the DM (group membership is OK, we only filter for "Domain
> >> Users", and the GPOs are applied).
> >
> > Have you given the user a 'uidNumber' attribute containing a unique
> > number inside 10000-9999999? And have you given Domain Users a
> > gidNumber attribute containing a number inside the same range? (I
> > don't think you have, or it wouldn't be '100' above.)
>
> We expected that creating the user via RSAT would be enough.
> But now as I read this I remember a similar thread from back then.
>
> How to add that uidNumber in the easiest way?
> I would like to be able to let the local admin do that ...
>
> can't remember the steps anymore, something with LDAP, I assume?
>
> thx
>
>

It all depends on what version of Windows you are running RSAT on. If
you are using a version before Win10, you can add the Unix attributes
tab and set the uidNumber there. Windows 10 doesn't have the Unix
attributes tab (it has been removed), so you would have to use the
attribute editor.
If you want to do this on the Samba DC, then you can create new users
with the required rfc2307 attributes using 'samba-tool user create'.
If you want to add rfc2307 attributes, then you will have to write your
own scripts, there are no Samba tools to do this.

Rowland



Re: user works on DC, not on DM

Samba - General mailing list
On 2017-09-01 at 10:02, Rowland Penny via samba wrote:
> It all depends on what version of Windows you are running RSAT on. If
> you are using a version before Win10, you can add the Unix attributes
> tab and set the uidNumber there. Windows 10 doesn't have the Unix
> attributes tab (it has been removed), so you would have to use the
> attribute editor.

The admin runs Win7 pro on his RSAT-machine.
I will google how to add that tab.

In general: why isn't that attribute added automatically?


> If you want to do this on the Samba DC, then you can create new users
> with the required rfc2307 attributes using 'samba-tool user create'.

The mentioned user was created like that, and seems not to have that
attribute ... ?

> If you want to add rfc2307 attributes, then you will have to write your
> own scripts, there are no Samba tools to do this.

I expected things to get easier with ADS ;-)



Re: user works on DC, not on DM

Samba - General mailing list
On Fri, 1 Sep 2017 10:09:43 +0200
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

> On 2017-09-01 at 10:02, Rowland Penny via samba wrote:
> > It all depends on what version of Windows you are running RSAT on.
> > If you are using a version before Win10, you can add the Unix
> > attributes tab and set the uidNumber there. Windows 10 doesn't have
> > the Unix attributes tab (it has been removed), so you would have to
> > use the attribute editor.
>
> The admin runs Win7 pro on his RSAT-machine.
> I will google how to add that tab.
>
> In general: why isn't that attribute added automatically?

Because no one knows what to set the ID to and Samba doesn't have the
'counting' attributes by default.

>
>
> > If you want to do this on the Samba DC, then you can create new
> > users with the required rfc2307 attributes using 'samba-tool user
> > create'.
>
> The mentioned user was created like that, and seems not to have that
> attribute ... ?

Probably because the create command wasn't run correctly; to create a
Unix user with samba-tool you need something like this:

samba-tool user create User5 passw5rd --nis-domain=samdom \
    --unix-home=/home/User5 --uid-number=10005 --login-shell=/bin/false \
    --gid-number=10000

Your user was probably created with this:

samba-tool user create User5 passw5rd

Which makes it just a Windows user.

> > If you want to add rfc2307 attributes, then you will have to write
> > your own scripts, there are no Samba tools to do this.
>
> I expected things to get easier with ADS ;-)

Once you get everything right, it is ;-)

Rowland


Re: user works on DC, not on DM

Samba - General mailing list
On 2017-09-01 at 10:32, Rowland Penny via samba wrote:
> On Fri, 1 Sep 2017 10:09:43 +0200
> "Stefan G. Weichinger via samba" <[hidden email]> wrote:

>> In general: why isn't that attribute added automatically?
>
> Because no one knows what to set the ID to and Samba doesn't have the
> 'counting' attributes by default.

aha ...

And how do *I* know what to set the ID to?

> Probably because the create command wasn't run correctly; to create a
> Unix user with samba-tool you need something like this:
>
> samba-tool user create User5 passw5rd --nis-domain=samdom \
>     --unix-home=/home/User5 --uid-number=10005 --login-shell=/bin/false \
>     --gid-number=10000
>
> Your user was probably created with this:
>
> samba-tool user create User5 passw5rd
>
> Which makes it just a Windows user.

fine, will test that asap, thanks.

>>> If you want to add rfc2307 attributes, then you will have to write
>>> your own scripts, there are no Samba tools to do this.
>>
>> I expected things to get easier with ADS ;-)
>
> Once you get everything right, it is ;-)

:-P


Re: user works on DC, not on DM

Samba - General mailing list
On 2017-09-01 at 10:36, Stefan G. Weichinger via samba wrote:

>> samba-tool user create User5 passw5rd
>>
>> Which makes it just a windows user.

Additional q: how to *add* that attribute without re-creating that user?

Or can I recreate a user that has already been used to log into a
Windows PC (and has its profile there already etc)?  I assume that this
wouldn't work because of some mismatching IDs etc etc ?




Re: user works on DC, not on DM

Samba - General mailing list
Just follow the Win 7 steps.

https://wiki.samba.org/index.php/Installing_RSAT

And make sure you activate: Server for NIS Tools

Samba gets the next uid/gid from AD (normally starts at 10000 for uid and gid).

If you go to a user's Unix tab and select your NIS domain, the next free uid is used.
If you have multiple groups with a GID, make sure you select the correct "primary group".
I suggest using only Domain Users for all your Windows users.
(Linux-only users from AD can be any GID, imo.)
This all has to do with GPO settings, share rights, etc.

You can configure a template (shell/homedir) on the servers as a fallback if you forget to set the shell or homedir.


Greetz,

Louis




> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Stefan G. Weichinger via samba
> Sent: Friday, 1 September 2017 10:46
> To: [hidden email]
> Subject: Re: [Samba] user works on DC, not on DM
>
> On 2017-09-01 at 10:36, Stefan G. Weichinger via samba wrote:
>
> >> samba-tool user create User5 passw5rd
> >>
> >> Which makes it just a windows user.
>
> Additional q: how to *add* that attribute without re-creating
> that user?
>
> Or can I recreate a user that has already been used to log
> into a Windows PC (and has its profile there already etc)?  I
> assume that this wouldn't work because of some mismatching
> IDs etc etc ?
>
>
>

Re: user works on DC, not on DM

Samba - General mailing list
On Fri, 1 Sep 2017 10:36:38 +0200
"Stefan G. Weichinger via samba" <[hidden email]> wrote:

> On 2017-09-01 at 10:32, Rowland Penny via samba wrote:
> > On Fri, 1 Sep 2017 10:09:43 +0200
> > "Stefan G. Weichinger via samba" <[hidden email]> wrote:
>
> >> In general: why isn't that attribute added automatically?
> >
> > Because no one knows what to set the ID to and Samba doesn't have
> > the 'counting' attributes by default.
>
> aha ...
>
> And how do *I* know what to set the ID to?

This is your decision and why you must set ' idmap config SAMDOM :
range =' in smb.conf on a Unix domain member. You set it based on what
you have set your uidNumber & gidNumber attributes in AD. RSAT using
the 'Unix attributes' starts at 10000 by default.

Rowland
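As an added illustration (not code from the thread, from Samba, or from any of the posters), here is a small Python check that reproduces the diagnosis Rowland gives in this and his earlier reply: it reads the `idmap config ... : range` lines out of an smb.conf fragment, flags every user or group whose uidNumber/gidNumber is missing or falls outside the domain range (which is what leaves winbind on the member unable to map the user), and picks the next free uidNumber within the range, which is the choice the RSAT Unix tab otherwise makes for you. The smb.conf fragment and the AD records are constructed samples modelled on the thread, not real data.

```python
import re

# Constructed smb.conf fragment modelled on the one posted in the thread.
SMB_CONF = """
[global]
        workgroup = ARBEITSGRUPPE
        idmap config arbeitsgruppe:schema_mode = rfc2307
        idmap config arbeitsgruppe:range = 10000-9999999
        idmap config arbeitsgruppe:backend = ad
        idmap config * : range = 2000-2999
        idmap config * : backend = tdb
"""

# Constructed AD records, as the attribute editor or ldbsearch would show them.
USERS = [
    {"sAMAccountName": "hansi"},  # plain 'samba-tool user create': no rfc2307 attrs
    {"sAMAccountName": "user5", "uidNumber": 10005, "gidNumber": 10000},
    {"sAMAccountName": "odd", "uidNumber": 5000, "gidNumber": 10000},  # below range
]
GROUPS = {"Domain Users": {}}  # gidNumber never set

RANGE_RE = re.compile(r"idmap config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)-(\d+)", re.I)

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {m.group(1).lower(): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf)}

def in_range(n, rng):
    return n is not None and rng[0] <= n <= rng[1]

def check_rfc2307(users, groups, ranges, domain):
    """List the reasons idmap_ad would fail to map these users on a member server."""
    problems = []
    dom = ranges[domain.lower()]
    default = ranges.get("*")
    if default and not (default[1] < dom[0] or default[0] > dom[1]):
        problems.append("default '*' range overlaps the domain range")
    for g, attrs in groups.items():
        if not in_range(attrs.get("gidNumber"), dom):
            problems.append(f"group {g}: gidNumber missing or outside {dom}")
    for u in users:
        name = u["sAMAccountName"]
        if not in_range(u.get("uidNumber"), dom):
            problems.append(f"user {name}: uidNumber missing or outside {dom}")
        if not in_range(u.get("gidNumber"), dom):
            problems.append(f"user {name}: gidNumber missing or outside {dom}")
    return problems

def next_free_uid(users, ranges, domain):
    """Lowest unused uidNumber inside the domain range (what the Unix tab picks)."""
    low, high = ranges[domain.lower()]
    used = {u.get("uidNumber") for u in users}
    return next(n for n in range(low, high + 1) if n not in used)
```

Run against a real domain you would replace the constructed records with the output of an ldbsearch for uidNumber/gidNumber and the member's actual smb.conf; the checks themselves stay the same.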


Re: user works on DC, not on DM

Samba - General mailing list
On 2017-09-01 at 11:31, L.P.H. van Belle wrote:

> Just follow the Win 7 steps.
>
> https://wiki.samba.org/index.php/Installing_RSAT
>
> And make sure you activate: Server for NIS Tools
>
> Samba gets the next uid/gid from AD (normally starts at 10000 for uid and gid).
>
> If you go to a user's Unix tab and select your NIS domain, the next free uid is used.
> If you have multiple groups with a GID, make sure you select the correct "primary group".
> I suggest using only Domain Users for all your Windows users.
> (Linux-only users from AD can be any GID, imo.)
> This all has to do with GPO settings, share rights, etc.
>
> You can configure a template (shell/homedir) on the servers as a fallback if you forget to set the shell or homedir.

yes, thanks, we check that asap (the admin there is at home already
today) ...




Re: user works on DC, not on DM

Samba - General mailing list
On 2017-09-01 at 14:32, Stefan G. Weichinger via samba wrote:

> yes, thanks, we check that asap (the admin there is at home already
> today) ...

Adding uid/gid to an existing user via RSAT did not work for the admin;
after recreating the user via samba-tool with the suggested command line,
the new users work now.

thanks

