Windows AD user not creating files with correct UID on Samba4 DC/AD
Mostly, Samba4 works just fine as Active Directory/Domain Controller, but I'm having several problems. I'll post these one at a time. Hopefully there are some experts out there who can help.
We replaced our SBS 2008 server about 6 months ago with Linux/Samba4. The Linux distro is Slackware 64 14.1, kernel 3.10.17. I have 2 WIN7 workstation users who are getting the message: "Protected View. This file came from the Internet ..." when opening Word documents. These documents are not on the Internet but are in their 'My Documents' folder, meaning they reside on the redirected folders directory on the DC. Upon further examination, it appears that new documents are created (for both users) with the UID 3000000 whereas the user's actual UID is 3000045. Example:
Code:
-rwxrwx---+ 1 3000045 100 27648 2015-07-30 07:17 Accounts\ 7-1-2015.docx*
All the directories under /redirectedFolder/Users/matkeson are owned by 3000045. wbinfo -i returns:
Code:
HPRS\matkeson:*:3000045:100:Mark Atkeson:/home/HPRS/matkeson:/bin/false
This problem seems to have started after upgrading from samba-4.1.0 to samba-4.1.17 a week or so ago, but I can't be sure as the odd UIDs are all over date-wise (the user has been "enabling editing" as he goes). I have "idmap_ldb:use rfc2307 = yes" set in smb.conf. Why is the DC not using the assigned UIDs for these two users (other users seem to have no problem) and instead creating all new files for both users with UID 3000000? How do I fix this?
hello
I had a similar problem: the range of user UIDs did not match the range in the Samba config file. There is also one thing you have to pay attention to: a Samba DC cannot be used as a file server, as is written in the official documentation.
Code:
[Users]
path = /redirectedFolders/Users
comment = user folders for redirection
read only = No
in smb.conf. But I can't really see Active Directory being used in a non-Windows environment (why bother?), and Redirected Folders seem like an absolute must if replacing the functionality of MS Small Business Server. In any case, it seems like a serious bug. If Samba assigns the UID, and wbinfo retrieves the same UID for a given user, then why isn't Samba creating the file with that user's UID? And why for some users but not all? Smells like a bug to me. Seems like the "issues with the winbind internal to the Domain Controller" should have been addressed at least to this extent by now. Did you ever solve the problem?
I used the Samba server when installing AD: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
That is how the UID ranges look in my config file:
Code:
[global]
workgroup = yourdomain
server string = File Server
security = ads
realm = yourdomain
netbios name = store
domain master = no
local master = no
preferred master = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
use sendfile = true
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config TEST : backend = rid
idmap config TEST : range = 10000-99999
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /data/home/D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba/log.%m
max log size = 50
My samba-tool provisioned initial smb.conf was:
Code:
[global]
Code:
[Users]
Did you find a solution to your problem? You wrote "I had similar problem and range of user UID did not match the range in samba config file." What "range of user UID" did not match the samba config? I don't know where any range is specified. Also note that this only happens for some, but not all, users.
I am running one DC and one file server (Samba). My problem was that I had no range in the config file. I have added this range, in which my user IDs are:
Code:
idmap config * : backend = tdb
idmap config * : range = 100000-299999
After you upgraded Samba, maybe you added users after the upgrade and they have a new range of UIDs. For me it was the solution. I checked from a Windows machine with the AD Users and Computers snap-in (Unix mappings) and defined the starting range of users in the config file. I remember the first user I created and checked its UID. It will not be a problem; if you check any user you will see the range there. Maybe this will help you.
OK, I've figured this out thanks to the experts at samba@lists.samba.org. The problem is that these users were in the Administrators Group and therefore their files were created with the Administrators UID of 3000000, not their own ID. The Administrators Group is a special case. Posters to that maillist questioned the correctness of that behavior, but a sort-of explanation is here: http://serverfault.com/questions/193...g-ownership-to. Short version: another Windows security hack to try and shore-up a fundamentally unsecure OS.
Removing the member from the Administrators Group did the trick:
Code:
samba-tool group removemembers Administrators theuser
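A small check for the symptom worked out in this post, added here as an example (not the poster's or Samba's own code): it reads the xid that idmap.ldb assigned to the Administrators SID, the user's UID from a wbinfo -i line, and flags entries in an ls -ln listing that are owned by that xid instead of the user. All three inputs are constructed samples in the formats quoted in the thread; nothing calls the Samba tools.

```python
"""Flag files in a redirected folder owned by the Administrators group's idmap xid
rather than the user's own UID (the symptom in the thread). Constructed samples only."""
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed `ldbsearch -H idmap.ldb` record for the Administrators SID.
IDMAP_DUMP = """\
dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
"""
# Constructed `wbinfo -i` line (passwd format) for the affected user.
WBINFO_LINE = "HPRS\\matkeson:*:3000045:100:Mark Atkeson:/home/HPRS/matkeson:/bin/false"
# Constructed `ls -ln` listing: the first entry shows the symptom.
LS_OUTPUT = """\
-rwxrwx---+ 1 3000000 100 27648 2015-07-30 07:17 Accounts 7-1-2015.docx
-rwxrwx---+ 1 3000045 100 11223 2015-07-28 09:02 Budget.xlsx
drwxrwx---+ 2 3000045 100  4096 2015-07-01 08:00 Archive
"""

def parse_idmap_records(dump):
    """Split LDIF-style ldbsearch output (blank line between records) into dicts."""
    records = []
    for block in dump.strip().split("\n\n"):
        lines = [l for l in block.splitlines() if l and not l.startswith("#")]
        records.append(dict(l.partition(": ")[::2] for l in lines))
    return records

def administrators_xid(dump):
    """xidNumber that idmap.ldb assigned to BUILTIN\\Administrators."""
    for rec in parse_idmap_records(dump):
        if rec.get("objectSid") == ADMINISTRATORS_SID:
            return int(rec["xidNumber"])
    raise LookupError("no idmap record for " + ADMINISTRATORS_SID)

def wbinfo_uid(line):
    """The third colon-separated field of `wbinfo -i` output is the UID."""
    return int(line.split(":")[2])

def find_misowned(ls_output, expected_uid, admin_xid):
    """(name, owner, owned_by_administrators) for each entry not owned by the user."""
    hits = []
    for line in ls_output.splitlines():
        fields = line.split(None, 7)  # mode links uid gid size date time name
        owner = int(fields[2])
        if owner != expected_uid:
            hits.append((fields[7], owner, owner == admin_xid))
    return hits
```

An entry flagged with the third field True is the Administrators-group case from this thread; False means some other UID is involved and the idmap ranges are worth checking instead.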
testparm -s -v does not show mapping parameters
I have provisioned a Samba 4.3.11-Ubuntu as an AD DC and cannot see mappings into the 3000000 range defined anywhere. Running testparm -s -v shows nothing relevant. Where do those mapping parameters come from, and is their absence from testparm an error?
The 3000000 GID is only defined in idmap.ldb. Here's Rowland Penny's (Samba) reply to my query along those lines:
Code:
$ ldbsearch -H /var/lib/samba/private/idmap.ldb | grep -B 1 -A 9 S-1-5-32-544
Hope this helps --Mark