LinuxQuestions.org
Old 08-18-2015, 11:07 AM   #1
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,539

Windows AD user not creating files with correct UID on Samba4 DC/AD


Mostly, Samba4 works just fine as Active Directory/Domain Controller, but I'm having several problems. I'll post these one at a time. Hopefully there are some experts out there who can help.

We replaced our SBS 2008 server about 6 months ago with Linux/Samba4. The Linux distro is Slackware 64 14.1, kernel 3.10.17.

I have 2 WIN7 workstation users who are getting the message: "Protected View. This file came from the Internet ..." when opening Word documents. These documents are not on the Internet but are in their 'My Documents' folder meaning they reside on the redirected folders directory on the DC.

Upon further examination, it appears that new documents are created (for both users) with the UID 3000000 whereas the user's actual UID is 3000045. Example:

Code:
-rwxrwx---+ 1 3000045 100  27648 2015-07-30 07:17 Accounts\ 7-1-2015.docx*
drwxrwx---+ 2 3000045 100   4096 2015-08-11 09:27 Correspondence/
-rwxrwx---+ 1 3000000 100  11423 2015-08-18 11:04 testMark.docx*
The 1st file is older, the 2nd file was just created. When the user accesses the new file, no issues. When the user accesses an older file with the 3000045 UID he gets the "Protected View" message and has to click the "Enable Editing" button.

All the directories under /redirectedFolder/Users/matkeson are owned by 3000045.

wbinfo -i returns:

HPRS\matkeson:*:3000045:100:Mark Atkeson:/home/HPRS/matkeson:/bin/false

This problem seems to have started after upgrading from Samba samba-4.1.0 to samba-4.1.17 a week or so ago, but I can't be sure as the odd UIDs are all over date-wise (the user has been "enabling editing" as he goes).

I have "idmap_ldb:use rfc2307 = yes" set in smb.conf.

Why is the DC not using the assigned UIDs for these two users (other users seem to have no problem) and instead creating all new files for both users with UID 3000000?

How do I fix this?

Last edited by mfoley; 08-18-2015 at 11:10 AM.
 
Old 08-19-2015, 12:34 AM   #2
paul2015
Member
 
Registered: Apr 2015
Distribution: CentOS Fedora
Posts: 149

hello

I had a similar problem and the range of user UIDs did not match the range in the Samba config file. There is also one thing you have to pay attention to: a Samba DC cannot be used as a file server; it is written in the official documentation.
 
Old 08-20-2015, 12:02 AM   #3
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,539

Original Poster
Quote:
Originally Posted by paul2015 View Post
hello

I had a similar problem and the range of user UIDs did not match the range in the Samba config file.
Actually, I don't have a range specified in smb.conf. What would that look like? In fact, I don't know where samba gets the UIDs from. When I added users via RSAT Samba just apparently assigned UIDs -- which are still consistent with wbinfo.

Quote:
There is also one thing you have to pay attention to: a Samba DC cannot be used as a file server; it is written in the official documentation.
Yes, here: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO, and it's more of a "not recommended" than a "cannot". But, are Redirected Folders really the same as a file server? I suppose it could be considered as such since it has e.g.:

[Users]
path = /redirectedFolders/Users
comment = user folders for redirection
read only = No

in smb.conf. But, I can't really see Active Directory being used in a non-Windows environment (why bother?) and Redirected Folders seem like an absolute must if replacing the functionality of MS Small Business Server.

In any case, seems like a serious bug. If Samba assigns the UID, and wbinfo retrieves the same UID for a given user, then why isn't Samba creating the file with that user's UID? And why for some users but not all? Smells like a bug to me. Seems like the "issues with the winbind internal to the Domain Controller" should have been addressed at least to this extent by now.

Did you ever solve the problem?

Last edited by mfoley; 08-20-2015 at 12:04 AM.
 
Old 08-20-2015, 12:53 AM   #4
paul2015
Member
 
Registered: Apr 2015
Distribution: CentOS Fedora
Posts: 149

I use server Samba when installing AD: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

That is how UID ranges look in the config file:

[global]
workgroup = yourdomain
server string = File Server
security = ads
realm = yourdomain
netbios name = store
domain master = no
local master = no
preferred master = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
use sendfile = true
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config TEST : backend = rid
idmap config TEST : range = 10000-99999
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /data/home/D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba/log.%m
max log size = 50
 
Old 08-20-2015, 10:08 AM   #5
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,539

Original Poster
My samba-tool provisioned initial smb.conf was:

Code:
[global]
        workgroup = HPRS
        realm = hprs.local
        netbios name = MAIL
        interfaces = lo, eth1
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/hprs.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
Basically all I've done is add the following based on http://www.alexwyn.com/computer-tips...ain-controller

Code:
[Users]
    path = /redirectedFolders/Users
    comment = user folders for redirection
    read only = No
https://www.samba.org/samba/docs/man.../idmapper.html says, "The IDMAP facility is of concern where more than one Samba server (or Samba network client) is installed in a domain." I have only the one Samba DC in the network, so not sure the IDMAP thing applies here.

Did you find a solution to your problem? You wrote "I had similar problem and range of user UID did not match the range in samba config file." What "range of user UID" did not match samba config? I don't know where any range is specified.

Also note that this only happens for some, but not all, users.

Last edited by mfoley; 08-20-2015 at 10:18 AM.
 
Old 08-21-2015, 02:30 AM   #6
paul2015
Member
 
Registered: Apr 2015
Distribution: CentOS Fedora
Posts: 149

I am running one DC and one file server (Samba). My problem was that I had no range in the config file. I have added this range, in which my user IDs are:

idmap config * : backend = tdb
idmap config * : range = 100000-299999

After you upgraded Samba, maybe you added users after the upgrade and they have a new range of UIDs. For me it was the solution. I have checked from a Windows machine, with the AD Users and Computers snap-in UNIX mappings, and defined the starting range of users in the config file. I remember the first user I created and checked its UID. It will not be a problem: if you check any user you will see the range there. Maybe this will help you.
 
Old 08-25-2015, 01:00 PM   #7
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,539

Original Poster
OK, I've figured this out thanks to the experts at samba@lists.samba.org. The problem is that these users were in the Administrators Group and therefore their files were created with the Administrators UID of 3000000, not their own ID. The Administrators Group is a special case. Posters to that maillist questioned the correctness of that behavior, but a sort-of explanation is here: http://serverfault.com/questions/193...g-ownership-to. Short version: another Windows security hack to try and shore up a fundamentally insecure OS.

Removing the member from the Administrators Group did the trick:

samba-tool group removemembers Administrators theuser
 
Old 01-29-2018, 11:35 AM   #8
fthynne
LQ Newbie
 
Registered: Apr 2010
Posts: 9

testparm -s -v does not show mapping parameters

I have provisioned a Samba 4.3.11-Ubuntu as an AD DC and cannot see mappings into the 3000000 range defined anywhere. Running testparm -s -v shows nothing relevant. Where do those mapping parameters come from, and is their absence from testparm an error?
 
Old 01-31-2018, 09:44 AM   #9
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,539

Original Poster
The 3000000 GID is only defined in idmap.ldb. Here's Rowland Penny's (Samba) reply to my query along those lines:
Quote:
> btw - how did you know 3000000 is the Administrators group? Where is that and
> the 'S-1-5-32-544' thing defined.

From experience '3000000' is the only UID/GID number you can rely on to
always be the same on Samba 4 DCs. They are stored in idmap.ldb, you can
find this in /var/lib/samba/private (on debian at least), you can read
it with 'ldbedit -e nano -H /var/lib/samba/private/idmap.ldb'.

The 'S-1-5-32-544' thing is also known as a 'well known RID'

Rowland
So, it's not defined in smb.conf, nor in sam.ldb. It is defined in idmap.ldb, but that's not really helpful:
Code:
$ ldbsearch -H /var/lib/samba/private/idmap.ldb | grep -B 1 -A 9 S-1-5-32-544
# record 64
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
The problem I described in my OP occurs when a user is a member of the Administrators group. I don't know if samba-tool can identify this easily. I use RSAT on Windows https://wiki.samba.org/index.php/Installing_RSAT. Go to Administrative Tools > Active Directory Computers and Users > Users, then right-click on a user and go to the 'Member of' tab. If the user is a member of Administrators, then files created by that user will belong to the Administrators group.
Quote:
The problem is that on windows a group can own files, this is something
that cannot happen on Unix, also a group can be a member of another
group. So, as in this case, a user who is a member of 'Domain Admins'
ends up creating a file belonging to the 'Administrators' group because
windows decided it was a good idea!

Rowland
Explanation: http://serverfault.com/questions/193...g-ownership-to

Hope this helps --Mark

Last edited by mfoley; 01-31-2018 at 09:47 AM.
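To check a redirected-folders share for the symptom described in this thread, the following added Python script (not from the thread, nor from Samba) parses constructed copies of the three artefacts the posts rely on: the `wbinfo -i` line, the idmap.ldb record for S-1-5-32-544, and an `ls -l` listing of the user's folder. It flags every entry whose numeric owner is not the user's UID and, where the owner matches an xidNumber in idmap.ldb, names the SID it belongs to. The sample data and the function names are assumptions.

```python
import re

# Constructed sample data modelled on the thread (not captured from a live DC).
WBINFO_LINE = "HPRS\\matkeson:*:3000045:100:Mark Atkeson:/home/HPRS/matkeson:/bin/false"

IDMAP_RECORD = """\
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
"""

LISTING = """\
-rwxrwx---+ 1 3000045 100  27648 2015-07-30 07:17 Accounts 7-1-2015.docx
drwxrwx---+ 2 3000045 100   4096 2015-08-11 09:27 Correspondence
-rwxrwx---+ 1 3000000 100  11423 2015-08-18 11:04 testMark.docx
"""

def uid_from_wbinfo(line):
    """Return the numeric UID (third field) of a passwd-style 'wbinfo -i' line."""
    return int(line.split(":")[2])

def xids_by_sid(ldif):
    """Map objectSid -> xidNumber from 'ldbsearch -H idmap.ldb' output."""
    result = {}
    for record in re.split(r"\n(?=dn:)", ldif.strip()):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        if "objectSid" in attrs and "xidNumber" in attrs:
            result[attrs["objectSid"]] = int(attrs["xidNumber"])
    return result

def misowned_files(listing, expected_uid, known_xids):
    """Return (name, owner_uid, sid_or_'unknown') for entries not owned by expected_uid."""
    hits = []
    for line in listing.splitlines():
        fields = line.split(None, 7)  # perms links owner group size date time name
        if len(fields) < 8 or not fields[2].isdigit():
            continue  # skip odd lines, or listings where ls resolved the owner to a name
        owner = int(fields[2])
        if owner != expected_uid:
            sid = next((s for s, x in known_xids.items() if x == owner), "unknown")
            hits.append((fields[7], owner, sid))
    return hits

if __name__ == "__main__":
    uid = uid_from_wbinfo(WBINFO_LINE)
    for name, owner, sid in misowned_files(LISTING, uid, xids_by_sid(IDMAP_RECORD)):
        print(f"{name}: owned by {owner} ({sid}), expected {uid}")
```

On a real DC the same three inputs come from `wbinfo -i DOMAIN\\user`, `ldbsearch -H /var/lib/samba/private/idmap.ldb`, and `ls -ln` on the redirected folder.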