[SOLVED] Windows AD user not creating files with correct UID on Samb4 DC/AD
Mostly, Samba4 works just fine as Active Directory/Domain Controller, but I'm having several problems. I'll post these one at a time. Hopefully there are some experts out there who can help.
We replaced our SBS 2008 server about 6 months ago with Linux/Samba4. The Linux distro is Slackware 64 14.1, kernel 3.10.17.
I have 2 WIN7 workstation users who are getting the message: "Protected View. This file came from the Internet ..." when opening Word documents. These documents are not on the Internet but are in their 'My Documents' folder meaning they reside on the redirected folders directory on the DC.
Upon further examination, it appears that new documents are created (for both users) with the UID 3000000 whereas the user's actual UID is 3000045. Example:
The 1st file is older, the 2nd file was just created. When the user accesses the new file, no issues. When the user accesses an older file with the 3000045 UID he gets the "Protected View" message and has to click the "Enable Editing" button.
All the directories under /redirectedFolder/Users/matkeson are owned by 3000045.
This problem seems to have started after upgrading from Samba samba-4.1.0 to samba-4.1.17 a week or so ago, but I can't be sure as the odd UIDs are all over date-wise (the user has been "enabling editing" as he goes).
I have "idmap_ldb:use rfc2307 = yes" set in smb.conf.
Why is the DC not using the assigned UIDs for these two users (other users seem to have no problem) and instead creating all new files for both users with UID 3000000?
I had a similar problem and the range of user UIDs did not match the range in the Samba config file. There is also one thing you have to pay attention to: a Samba DC cannot be used as a file server; it is written in the official documentation.
Quote:
I had a similar problem and the range of user UIDs did not match the range in the Samba config file.
Actually, I don't have a range specified in smb.conf. What would that look like? In fact, I don't know where samba gets the UIDs from. When I added users via RSAT Samba just apparently assigned UIDs -- which are still consistent with wbinfo.
Quote:
There is also one thing you have to pay attention to: a Samba DC cannot be used as a file server; it is written in the official documentation.
Yes, here: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO, and it's more of a "not recommended" than a "cannot". But, are Redirected Folders really the same as a file server? I suppose it could be considered as such since it has e.g.:
[Users]
path = /redirectedFolders/Users
comment = user folders for redirection
read only = No
in smb.conf. But, I can't really see Active Directory being used in a non-Windows environment (why bother?) and Redirected Folders seem like an absolute must if replacing the functionality of MS Small Business Server.
In any case, seems like a serious bug. If Samba assigns the UID, and wbinfo retrieves the same UID for a given user, then why isn't Samba creating the file with that user's UID? And why for some users but not all? Smells like a bug to me. Seems like the "issues with the winbind internal to the Domain Controller" should have been addressed at least to this extent by now.
https://www.samba.org/samba/docs/man.../idmapper.html says, "The IDMAP facility is of concern where more than one Samba server (or Samba network client) is installed in a domain." I have only the one Samba DC in the network, so not sure the IDMAP thing applies here.
Did you find a solution to your problem? You wrote "I had similar problem and range of user UID did not match the range in samba config file." What "range of user UID" did not match samba config? I don't know where any range is specified.
Also note that this only happens for some, but not all, users.
After you upgraded Samba, maybe you added users after the upgrade and they have a new range of UIDs. For me that was the solution. I checked from a Windows machine with the AD Users and Computers snap-in (UNIX mappings) and defined the starting range of users in the config file. I remember the first user I created and checked its UID. It will not be a problem; if you check any user you will see the range there. Maybe this will help you.
OK, I've figured this out thanks to the experts at samba@lists.samba.org. The problem is that these users were in the Administrators Group and therefore their files were created with the Administrators UID of 3000000, not their own ID. The Administrators Group is a special case. Posters to that maillist questioned the correctness of that behavior, but a sort-of explanation is here: http://serverfault.com/questions/193...g-ownership-to. Short version: another Windows security hack to try and shore up a fundamentally insecure OS.
Removing the member from the Administrators Group did the trick:
samba-tool group removemembers Administrators theuser
I have provisioned a Samba 4.3.11-Ubuntu as an AD DC and cannot see mappings into the 3000000 range defined anywhere. Running testparm -s -v shows nothing relevant. Where do those mapping parameters come from, and is their absence from testparm an error?
The 3000000 GID is only defined in idmap.ldb. Here's Rowland Penny's (Samba) reply to my query along those lines:
Quote:
> btw - how did you know 3000000 is the Administrators group? Where is that and the 'S-1-5-32-544' thing defined.

From experience '3000000' is the only UID/GID number you can rely on to always be the same on Samba 4 DCs. They are stored in idmap.ldb, you can find this in /var/lib/samba/private (on debian at least), you can read it with 'ldbedit -e nano -H /var/lib/samba/private/idmap.ldb'
The 'S-1-5-32-544' thing is also known as a 'well known RID'
Rowland
So, it's not defined in smb.conf, nor in sam.ldb. It is defined in idmap.ldb, but that's not really helpful:
The problem I described in my OP occurs when a user is a member of the Administrators group. I don't know if samba-tool can identify this easily. I use RSAT on Windows https://wiki.samba.org/index.php/Installing_RSAT. Go to Administrative Tools > Active Directory Computers and Users > Users, then right-click on a user and go to the 'Member of' tab. If the user is a member of Administrators, then files created by that user will belong to the Administrators group.
Quote:
The problem is that on windows a group can own files, this is something that cannot happen on Unix, also a group can be a member of another group. So, as in this case, a user who is a member of 'Domain Admins' ends up creating a file belonging to the 'Administrators' group because windows decided it was a good idea!
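Pulling the thread together as an added example (this is not code from the thread or from the Samba project): read an LDIF dump of idmap.ldb to find the xid behind the well-known SID S-1-5-32-544, work out each user's own xid from the SID that wbinfo resolves for them, and then scan a find(1) listing of the redirected-folder tree for files stamped with the Administrators xid instead of the user's. The only facts taken from the thread are S-1-5-32-544 -> xidNumber 3000000, the user xid 3000045 and the share path /redirectedFolders/Users; the domain SID, RIDs, user names, file paths and the exact LDIF layout are constructed sample data, and the helper names are mine.

```python
"""Added example: spot files under a user's redirected folder that a Samba AD DC
stamped with the BUILTIN\\Administrators xid (3000000) rather than the user's
own xid, and emit the chown commands that would repair them.
Sample data below is constructed for this example, not taken from a real DC."""
import re
from typing import Dict, List, Tuple

ADMINISTRATORS_SID = "S-1-5-32-544"         # well-known RID 544: BUILTIN\Administrators
REDIRECT_ROOT = "/redirectedFolders/Users"  # 'path =' of the [Users] share in the thread

# Constructed sample in the layout ldbsearch prints for /var/lib/samba/private/idmap.ldb.
# Domain SID S-1-5-21-1111111111-2222222222-3333333333 and RIDs 1104/1105 are made up.
SAMPLE_IDMAP_LDIF = """\
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1104
cn: S-1-5-21-1111111111-2222222222-3333333333-1104
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
type: ID_TYPE_BOTH
xidNumber: 3000045

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1105
cn: S-1-5-21-1111111111-2222222222-3333333333-1105
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
type: ID_TYPE_BOTH
xidNumber: 3000046
"""

# Constructed sample: the SID that `wbinfo -n <user>` would return for each account.
SAMPLE_USER_SIDS = {
    "matkeson": "S-1-5-21-1111111111-2222222222-3333333333-1104",
    "jdoe": "S-1-5-21-1111111111-2222222222-3333333333-1105",
}

# Constructed sample: `find /redirectedFolders/Users -type f -printf '%U %p\n'`.
SAMPLE_FIND_OUTPUT = """\
3000045 /redirectedFolders/Users/matkeson/Documents/old-report.docx
3000000 /redirectedFolders/Users/matkeson/Documents/new-memo.docx
3000000 /redirectedFolders/Users/matkeson/Desktop/budget.xlsx
3000046 /redirectedFolders/Users/jdoe/Documents/notes.docx
"""


def parse_idmap_ldif(text: str) -> Dict[str, Tuple[int, str]]:
    """Map objectSid -> (xidNumber, type). Records are blank-line separated;
    only sidMap records that carry an xidNumber are kept."""
    mapping: Dict[str, Tuple[int, str]] = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, str] = {}
        for line in record.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs[key.strip()] = value.strip()
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = (int(attrs["xidNumber"]), attrs.get("type", ""))
    return mapping


def expected_uids(idmap: Dict[str, Tuple[int, str]], user_sids: Dict[str, str]) -> Dict[str, int]:
    """The xid the DC should stamp on each user's own files (unmapped users are skipped)."""
    return {user: idmap[sid][0] for user, sid in user_sids.items() if sid in idmap}


def find_misowned(find_output: str, expected: Dict[str, int], admin_xid: int) -> List[Tuple[str, int, int]]:
    """Return (path, actual_uid, expected_uid) for files inside a user's redirected
    folder whose owner is the Administrators xid rather than that user's xid."""
    hits: List[Tuple[str, int, int]] = []
    prefix = REDIRECT_ROOT.rstrip("/") + "/"
    for line in find_output.strip().splitlines():
        uid_str, _, path = line.partition(" ")
        if not path.startswith(prefix):
            continue                                   # outside the share: ignore
        owner = path[len(prefix):].split("/", 1)[0]   # first component is the user's folder
        if owner not in expected:
            continue
        uid = int(uid_str)
        if uid == admin_xid and uid != expected[owner]:
            hits.append((path, uid, expected[owner]))
    return hits


def chown_commands(hits: List[Tuple[str, int, int]]) -> List[str]:
    """Repair commands as strings; nothing is executed by this script."""
    return [f"chown {exp} '{path}'" for path, _, exp in hits]


if __name__ == "__main__":
    idmap = parse_idmap_ldif(SAMPLE_IDMAP_LDIF)
    admin_xid, admin_type = idmap[ADMINISTRATORS_SID]
    print(f"{ADMINISTRATORS_SID} -> xid {admin_xid} ({admin_type})")
    found = find_misowned(SAMPLE_FIND_OUTPUT, expected_uids(idmap, SAMPLE_USER_SIDS), admin_xid)
    for path, got, want in found:
        print(f"{path}: owned by {got}, expected {want}")
    for cmd in chown_commands(found):
        print(cmd)
```

The `type: ID_TYPE_BOTH` attribute is the detail worth noticing: on a DC every SID in idmap.ldb gets a single number usable as both a uid and a gid, which is how a Windows group that "owns" a file can surface on the Unix side as the owner uid 3000000 that the quoted reply describes. Run the real dump with `ldbsearch -H /var/lib/samba/private/idmap.ldb` and the real listing with the find command in the comment, feed them to the same functions, and review the emitted chown lines before running any of them; removing the user from Administrators, as the solved post does, is what stops new files from being misowned.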