Linux - Server: Windows AD user not creating files with correct UID on Samba4 DC/AD (https://www.linuxquestions.org/questions/linux-server-73/windows-ad-user-not-creating-files-with-correct-uid-on-samb4-dc-ad-4175551047/)

mfoley 08-18-2015 11:07 AM

Windows AD user not creating files with correct UID on Samba4 DC/AD
 
Mostly, Samba4 works just fine as Active Directory/Domain Controller, but I'm having several problems. I'll post these one at a time. Hopefully there are some experts out there who can help.

We replaced our SBS 2008 server about 6 months ago with Linux/Samba4. The Linux distro is Slackware 64 14.1, kernel 3.10.17.

I have 2 WIN7 workstation users who are getting the message: "Protected View. This file came from the Internet ..." when opening Word documents. These documents are not on the Internet but are in their 'My Documents' folder meaning they reside on the redirected folders directory on the DC.

Upon further examination, it appears that new documents are created (for both users) with the UID 3000000 whereas the user's actual UID is 3000045. Example:

Code:

-rwxrwx---+ 1 3000045 100  27648 2015-07-30 07:17 Accounts\ 7-1-2015.docx*
drwxrwx---+ 2 3000045 100  4096 2015-08-11 09:27 Correspondence/
-rwxrwx---+ 1 3000000 100  11423 2015-08-18 11:04 testMark.docx*

The 1st file is older, the 2nd file was just created. When the user accesses the new file, no issues. When the user accesses an older file with the 3000045 UID he gets the "Protected View" message and has to click the "Enable Editing" button.

All the directories under /redirectedFolder/Users/matkeson are owned by 3000045.

wbinfo -i returns:

HPRS\matkeson:*:3000045:100:Mark Atkeson:/home/HPRS/matkeson:/bin/false

This problem seems to have started after upgrading from Samba samba-4.1.0 to samba-4.1.17 a week or so ago, but I can't be sure as the odd UIDs are all over date-wise (the user has been "enabling editing" as he goes).

I have "idmap_ldb:use rfc2307 = yes" set in smb.conf.

Why is the DC not using the assigned UIDs for these two users (other users seem to have no problem) and instead creating all new files for both users with UID 3000000?

How do I fix this?

paul2015 08-19-2015 12:34 AM

hello

I had a similar problem, and the range of user UIDs did not match the range in the Samba config file. There is also one thing you have to pay attention to: a Samba DC cannot be used as a file server; it is written in the official documentation.

mfoley 08-20-2015 12:02 AM

Quote:

Originally Posted by paul2015 (Post 5407765)
hello

I had a similar problem, and the range of user UIDs did not match the range in the Samba config file.

Actually, I don't have a range specified in smb.conf. What would that look like? In fact, I don't know where samba gets the UIDs from. When I added users via RSAT Samba just apparently assigned UIDs -- which are still consistent with wbinfo.

Quote:

There is also one thing you have to pay attention to: a Samba DC cannot be used as a file server; it is written in the official documentation.
Yes, here: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO, and it's more of a "not recommended" than a "cannot". But, are Redirected Folders really the same as a file server? I suppose it could be considered as such since it has e.g.:

[Users]
path = /redirectedFolders/Users
comment = user folders for redirection
read only = No

in smb.conf. But, I can't really see Active Directory being used in a non-Windows environment (why bother?) and Redirected Folders seem like an absolute must if replacing the functionality of MS Small Business Server.

In any case, seems like a serious bug. If Samba assigns the UID, and wbinfo retrieves the same UID for a given user, then why isn't Samba creating the file with that user's UID? And why for some users but not all? Smells like a bug to me. Seems like the "issues with the winbind internal to the Domain Controller" should have been addressed at least to this extent by now.

Did you ever solve the problem?

paul2015 08-20-2015 12:53 AM

I use a Samba server when installing AD: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

That is how the UID ranges look in the config file:

[global]
workgroup = yourdomain
server string = File Server
security = ads
realm = yourdomain
netbios name = store
domain master = no
local master = no
preferred master = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
use sendfile = true
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config TEST : backend = rid
idmap config TEST : range = 10000-99999
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /data/home/D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba/log.%m
max log size = 50

mfoley 08-20-2015 10:08 AM

My samba-tool provisioned initial smb.conf was:

Code:

[global]
        workgroup = HPRS
        realm = hprs.local
        netbios name = MAIL
        interfaces = lo, eth1
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/hprs.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Basically all I've done is add the following based on http://www.alexwyn.com/computer-tips...ain-controller

Code:

[Users]
    path = /redirectedFolders/Users
    comment = user folders for redirection
    read only = No

https://www.samba.org/samba/docs/man.../idmapper.html says, "The IDMAP facility is of concern where more than one Samba server (or Samba network client) is installed in a domain." I have only the one Samba DC in the network, so not sure the IDMAP thing applies here.

Did you find a solution to your problem? You wrote "I had similar problem and range of user UID did not match the range in samba config file." What "range of user UID" did not match samba config? I don't know where any range is specified.

Also note that this only happens for some, but not all, users.

paul2015 08-21-2015 02:30 AM

I am running one DC and one file server (Samba). My problem was that I had no range in the config file. I have added this range, in which my user IDs are:

idmap config * : backend = tdb
idmap config * : range = 100000-299999

After you upgraded Samba, maybe you added users after the upgrade and they have a new range of UIDs. For me it was the solution. I checked from a Windows machine with the AD Users and Computers snap-in (Unix mappings) and defined the starting range of users in the config file. I remember the first user I created and checked its UID. It will not be a problem; if you check any user you will see the range there. Maybe this will help you.

mfoley 08-25-2015 01:00 PM

OK, I've figured this out thanks to the experts at samba@lists.samba.org. The problem is that these users were in the Administrators Group and therefore their files were created with the Administrators UID of 3000000, not their own ID. The Administrators Group is a special case. Posters to that mailing list questioned the correctness of that behavior, but a sort-of explanation is here: http://serverfault.com/questions/193...g-ownership-to. Short version: another Windows security hack to try and shore up a fundamentally insecure OS.

Removing the member from the Administrators Group did the trick:

samba-tool group removemembers Administrators theuser

fthynne 01-29-2018 11:35 AM

testparm -s -v does not show mapping parameters
 
I have provisioned a Samba 4.3.11-Ubuntu as an AD DC and cannot see mappings into the 3000000 range defined anywhere. Running testparm -s -v shows nothing relevant. Where do those mapping parameters come from, and is their absence from testparm an error?

mfoley 01-31-2018 09:44 AM

The 3000000 GID is only defined in idmap.ldb. Here's Rowland Penny's (Samba) reply to my query along those lines:
Quote:

> btw - how did you know 3000000 is the Administrators group? Where is that and
> the 'S-1-5-32-544' thing defined.

From experience '3000000' is the only UID/GID number you can rely on to
always be the same on Samba 4 DCs. They are stored in idmap.ldb, you can
find this in /var/lib/samba/private (on debian at least), you can read
it with 'ldbedit -e nano -H /var/lib/samba/private/idmap.ldb'

The 'S-1-5-32-544' thing is also known as a 'well known RID'

Rowland
So, it's not defined in smb.conf, nor in sam.ldb. It is defined in idmap.ldb, but that's not really helpful:
Code:

$ ldbsearch -H /var/lib/samba/private/idmap.ldb | grep -B 1 -A 9 S-1-5-32-544
# record 64
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

The problem I described in my OP occurs when a user is a member of the Administrators group. I don't know if samba-tool can identify this easily. I use RSAT on Windows https://wiki.samba.org/index.php/Installing_RSAT. Go to Administrative Tools > Active Directory Computers and Users > Users, then right-click on a user and go to the 'Member of' tab. If the user is a member of Administrators, then files created by that user will belong to the Administrators group.
Quote:

The problem is that on windows a group can own files, this is something
that cannot happen on Unix, also a group can be a member of another
group. So, as in this case, a user who is a member of 'Domain Admins'
ends up creating a file belonging to the 'Administrators' group because
windows decided it was a good idea!

Rowland
Explanation: http://serverfault.com/questions/193...g-ownership-to

Hope this helps --Mark
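As an added example that is not from the thread, a small POSIX shell script that resolves an xidNumber back to its SID from ldbsearch-style idmap.ldb output (the record layout shown in the post above) and lists files under a share owned by that numeric ID. The LDIF sample is constructed here, and the domain SID S-1-5-21-1111-2222-3333-1103 is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): map an xidNumber seen in 'ls -n' output
# back to the SID that idmap.ldb assigned it, so a stray owner such as 3000000
# can be confirmed as the well-known Administrators SID S-1-5-32-544.
# Assumes the record layout shown by ldbsearch: objectSid precedes xidNumber.

# Constructed sample of ldbsearch output (placeholder domain SID for the user).
SAMPLE_LDIF='# record 12
dn: CN=S-1-5-21-1111-2222-3333-1103
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1103
type: ID_TYPE_UID
xidNumber: 3000045

# record 64
dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
'

# sid_for_xid XID [LDIF]: print "SID TYPE" for the record whose xidNumber is XID.
# Reads LDIF text from $2 if given, else the constructed sample. Returns 1 if absent.
sid_for_xid() {
    want_xid=$1
    ldif=${2:-$SAMPLE_LDIF}
    printf '%s\n' "$ldif" | awk -v want="$want_xid" '
        /^objectSid: / { sid = $2 }
        /^type: /      { type = $2 }
        /^xidNumber: / { if ($2 == want) { print sid, type; found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# files_owned_by XID DIR: list files under DIR owned by numeric ID XID, the
# check used in the thread to spot documents created with the Administrators ID.
# POSIX find treats a numeric -user argument as a UID when no such name exists.
files_owned_by() {
    find "$2" -user "$1" -print
}

# Usage: ./idmap_check.sh XID [DIR]; with no arguments resolve 3000000 from the sample.
# Against a live DC: sid_for_xid XID "$(ldbsearch -H /var/lib/samba/private/idmap.ldb)"
xid=${1:-3000000}
sid_for_xid "$xid" || echo "xidNumber $xid not found in idmap.ldb output" >&2
if [ -n "${2:-}" ]; then
    files_owned_by "$xid" "$2"
fi
```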
