On 04/12/11 09:04, steve wrote:
On 03/12/11 17:32, Matthieu Patou wrote:
Steve
Beware that on your machine where the Samba 4 DC is running, files/folders
need to have the gid/uid of your AD users, not your Linux users.
Did you read this ^.
Did a git pull, ./configure.developer, make and make install about an
hour ago.
And, well, something has changed. Now neither user can create nor
delete files!
smbclient //hh3/homes
Password for [HH1\steve]:
smb: \> ls
. D 0 Wed Nov 30 20:37:48 2011
.. D 0 Fri Dec 2 07:15:17 2011
lynn D 0 Thu Dec 1 13:25:45 2011
steve D 0 Fri Dec 2 11:50:09 2011
29284192 blocks of size 512. 10550432 blocks available
smb: \> cd lynn
smb: \lynn\> mkdir h
NT_STATUS_ACCESS_DENIED making remote directory \lynn\h
smb: \lynn\> cd ../steve
smb: \steve\> mkdir h
NT_STATUS_ACCESS_DENIED making remote directory \steve\h
smb: \steve\>
This has something to do with uid/gid, no? But wait, both steve and
lynn _are_ AD users who just happen to have Linux accounts.
No, there is something that you misunderstand: in order to do the file
access control, Samba needs to know on behalf of which uid/gid the
accesses are done.
With the Samba 3.x series you have different ways of doing this mapping,
or you create unix users that have the same name as the users declared in
Samba (either in the local sam or in the NT domain sam), but most of the
time now it's winbind that is used. In Samba AD there is just the
winbind solution, as the other solutions didn't have a real interest in
the context of an Active Directory domain.
So what does winbind do? It allocates a UID to users and a GID to groups;
in a database it stores the association SID<->UID/GID, and the next time
it is asked to translate the same SID to a UID/GID it will use the value
in its database.
In your particular case, when you connect to the Samba AD with smbclient
as AD user steve and try to create a dir, the server checks the
security.NTACL extended attribute; as it doesn't exist, it knows that it
will have to translate posix rights to NT ACLs. At this moment, in order
to know if you are the owner of the parent directory or in the group of
the parent directory, it will ask its internal winbind to translate the
user's SID and the SIDs of the user's groups to a UID and GIDs, and it
will turn out that the UID of unix user steve is not at all the UID of AD
user steve (which is in the 3000000+ range); as the other translated
posix rights didn't give any write rights to the AD user, the directory
was not created.
How do I change the gid/uid of my Linux users to the gid/uid of the AD
users? Is there a script? But that shouldn't matter, no?
Thinking you may want more info I'll leave it as it is for now. The
users are the same as they were before the new build. I did not delete
and recreate them.
Sure, this is the expected behavior. Before, there was a bug in the posix
to NT ACLs translation that granted the write right even if you had just
the read and execute right; you can have the details by looking at this
changeset: d1274f7f6236b47a1c6aa1737b054ed521d31b67
I don't really know your case, but I think it's not such a problem; at
least so far nobody complained. On the DC you don't need to create unix
accounts for the AD users. As you need to create a directory for each
user, there are a couple of solutions:
1) change the rights on the directory that is shared as "home" so that
the group has write rights, then change the group to users (that's
because we map the domain users group to the users unix group)
2) for each user connect using smbclient and create the directory of
this user
or
For each user, use wbinfo -i <ad_user> and then create a folder for this
user and use the uid obtained with wbinfo to set the owner of the
directory.
For instance on my test server I have:
./bin/wbinfo -i steve
MATWS\steve:*:3000010:100::/home/MATWS/steve:/bin/false
Note: first you have to do a ./bin/wbinfo -u, and beware: the first time
it is _slow_.
Matthieu.
Hi Matthieu
Thanks for your patience. Yes, your clear explanation is excellent. I'm
going to try it as soon as I get Samba 4 running again.
I reinstalled from nothing to get a clean slate. Now DNS isn't working.
The method of configuring as outlined in the wiki doesn't work anymore.
The DNS files in /usr/local/samba/private have changed since my first
install last week :( I've another thread open on this.
Thanks again
Steve.
Almost there at the command line. Permissions are respected. Following
your method to create a user and allocate them a home folder:
cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
server role = domain controller
workgroup = HH1
realm = hh3.site
netbios name = HH3
passdb backend = samba4
[home]
path = /home
read only = No
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
samba-tool user add lynn 123@456
User 'lynn' created successfully
wbinfo -i lynn
HH1\lynn:*:3000009:100::/home/HH1/lynn:/bin/false
mkdir /home/HH1
mkdir /home/HH1/lynn
chown 3000009:100 /home/HH1/lynn
ls -la /home/HH1/lynn
total 8
drwxr-xr-x 2 3000009 users 4096 Dec 4 18:24 .
drwxr-xr-x 3 root root 4096 Dec 4 18:24 ..
wbinfo -u
Administrator
Guest
krbtgt
dns-hh3
lynn
smbclient //hh3/home/HH1/lynn -Ulynn
Password for [HH1\lynn]:
smb: \> ls
. D 0 Sun Dec 4 18:23:31 2011
.. D 0 Sun Dec 4 16:31:38 2011
HH1 D 0 Sun Dec 4 18:24:
mkdir h
NT_STATUS_ACCESS_DENIED making remote directory \h
smb: \HH1\> cd lynn
smb: \HH1\lynn\> mkdir h
smb: \HH1\lynn\> ls
. D 0 Sun Dec 4 18:40:36 2011
.. D 0 Sun Dec 4 18:24:28 2011
h D 0 Sun Dec 4 18:40:36 2011
29284192 blocks of size 512. 10467776 blocks available
ls -la /home/HH1
total 12
drwxr-xr-x 3 root root 4096 Dec 4 18:24 .
drwxr-xr-x 4 root root 4096 Dec 4 18:23 ..
drwxr-xr-x 3 3000009 users 4096 Dec 4 18:40 lynn
Notes:
This only works at the command line.
In konqueror smb://hh3/home/HH1/lynn
lynn is NOT prompted for a password, is allowed entry to her folder but
can neither create nor delete files.
It seems as though lynn would still need a Linux account if she wanted
to work on a Linux computer. If I NFS'd her /home over to the Linux
boxes, is there any way lynn could authenticate against the Samba AD?
Would the Linux client have to join the AD? Can Linux clients join AD?
Thanks so much for getting me this far.
Steve
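An added example, not code from the thread or from Samba: a POSIX shell helper that does the wbinfo -i / mkdir / chown steps Matthieu describes, parsing the passwd-style line wbinfo prints so the winbind uid/gid is never copied by hand. The function names wbinfo_fields and provision_home are my own, and the sample line in the comments is constructed from the format shown in the thread.

```shell
#!/bin/sh
# Provision a home directory on a Samba 4 DC for an AD user, owned by the
# uid/gid that winbind allocated to that user (3000000+ range), not by a
# same-named local Linux account. Example code; assumed names throughout.
#
# wbinfo -i prints a passwd-style line (constructed sample, thread format):
#   HH1\lynn:*:3000009:100::/home/HH1/lynn:/bin/false
#   name:passwd:uid:gid:gecos:home:shell

# Print "uid gid home" for one wbinfo -i line; fail on anything malformed
# so a bad line never turns into a chown with an empty or bogus owner.
wbinfo_fields() {
    line=$1
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    gid=$(printf '%s\n' "$line" | cut -d: -f4)
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    for n in "$uid" "$gid"; do
        case "$n" in
            ''|*[!0-9]*) echo "malformed wbinfo line: $line" >&2; return 1 ;;
        esac
    done
    case "$home" in
        /*) ;;
        *) echo "no absolute home dir in: $line" >&2; return 1 ;;
    esac
    printf '%s %s %s\n' "$uid" "$gid" "$home"
}

# provision_home LINE [BASE] [DRY_RUN]
# Creates BASE + home (BASE is "" for the real /home, or a scratch root),
# mode 0700 so only the mapped AD user can read it, then chowns it to the
# winbind uid:gid. DRY_RUN=1 prints the chown instead of running it, which
# lets the parsing and directory layout be checked without root.
provision_home() {
    fields=$(wbinfo_fields "$1") || return 1
    base=${2:-}; dry_run=${3:-0}
    set -- $fields
    uid=$1; gid=$2; dir="$base$3"
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    if [ "$dry_run" = 1 ]; then
        echo "chown $uid:$gid $dir"
    else
        chown "$uid:$gid" "$dir"
    fi
}
```

On the DC itself (as root, after a first `wbinfo -u` has populated the mapping) this is used as `provision_home "$(wbinfo -i lynn)"`, or in a loop over `wbinfo -u`.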
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba