Samba 4 userid mapping

Complete new user here. Setting up my first samba configuration, using samba 4.0.6 as a primary domain controller. I have user profiles, network shares, active directory, and domain controller working. But I cannot understand how to map windows userid to linux userid (and map groupid as well). I am struggling because much of the documentation is outdated and meant for samba 3.x or targeted for samba as a domain member. I followed some documentation to try the userid mapping through active directory, but that required Microsoft services for Unix 3.5, which will not install on 64 versions of MS. I find myself without any orientation of how to proceed.

I am suffering from documentation overload, much of it contradictory or not applicable. I am not even sure how to use winbind, or if that is required for my situation. I really need a simple step by step howto that is specific to samba 4 as a PDC. If you want to reference documentation, great, but please reference specific sections instead of whole general chapters. Any help greatly appreciated. Thank you.

Configuration information follows:

Server

OS: OpenSuSE 12.1, 64 bit
Samba: Samba 4.0.6
Configuration: Primary domain controller with active directory support
Using BIND 9 DNS server

Client

OS: Windows 7 Professional, 64 bit

Samba configuration file


# Global parameters
[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.ORG
    netbios name = SERVER
    wins support = Yes
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    encrypt passwords = yes

    # Setup user maps
    idmap config * : backend = tdb
    idmap config * : range = 100000-199999
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : schema_mode = rfc2307
    idmap config MYDOMAIN : range = 50000-99999
    winbind nss info = rfc2307
    winbind trusted domains only = No
    winbind use default domain = Yes
    winbind enum users = Yes
    winbind enum groups = Yes

    # Logon path tells samba where to put Windows roaming profiles
    logon path = \\%h\profiles\%u

    # Logon home is used to specify home directory and
    # Windows 95/98/ME roaming profile location
    logon home = \\%h\%u\.win_profiles

    # Allow Samba to send correct time to windows
    time server = Yes

    # Set logging options
    log file = /var/log/samba/log.odeon

# Shares configurations follow. Not included for brevity . . .
--------------------------------

On 7/10/2013 8:26 AM, nickninevah wrote:
>
> Complete new user here. Setting up my first samba configuration, using
> samba 4.0.6 as a primary domain controller. I have user profiles,
> network shares, active directory, and domain controller working. But I
> cannot understand how to map windows userid to linux userid (and map
> groupid as well). I am struggling because much of the documentation is
> outdated and meant for samba 3.x or targeted for samba as a domain
> member. I followed some documentation to try the userid mapping
> through active directory, but that required Microsoft services for Unix
> 3.5, which will not install on 64 versions of MS. I find myself
> without any orientation of how to proceed.
>
> I am suffering from documentation overload, much of it contradictory
> or not applicable. I am not even sure how to use winbind, or if that
> is required for my situation. I really need a simple step by step
> howto that is specific to samba 4 as a PDC. If you want to reference
> documentation, great, but please reference specific sections instead of
> whole general chapters. Any help greatly appreciated. Thank you.

>
nickninevah;

AFAIK, unlike Samba3, there is no need to map Windows GID to Unix UID with Samba4. See:

http://wiki.samba.org/index.php/Adding_users_with_samba_tool

I don’t think there are very many on this forum that have a lot of experience with setting up a Samba 4 AD. So although you appear
to dislike reading, you would still benefit from reading:

http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO


P.V.
“We’re all in this together, I’m pulling for you” Red Green

Dislike reading? I will ignore the insult and instead choose to post what I have learned to make userid mapping work successfully and get roaming profiles to work.

The two references I found most helpful were:

https://lists.samba.org/archive/samba/2011-January/160518.html

https://wiki.samba.org/index.php/Adding_users_with_samba_tool

As the wiki articles pointed out, id mapping is now handled as part of Samba’s internal LDAP database. To access the entry for the user, you need the user’s sid under windows.


installdir=<wherever you installed samba, probably /usr/local/samba>
username=<the name of the user you have already created in active directory>

$installdir/bin/wbinfo -n $username

This will return the user’s sid. Now use that to change the userid map. I created a custom script called usermap for this and added it to the samba/bin directory


#!/bin/sh
# usermap: open the idmap.ldb record for the SID passed as $1 in an editor
EDITOR_BIN=/usr/bin/nano
SAMBA_DB=/usr/local/samba/private/idmap.ldb
LDBPATH=/usr/local/samba/bin/ldbedit

"${LDBPATH}" -e "${EDITOR_BIN}" -H "${SAMBA_DB}" "objectsid=$1"

You would execute this script as:


$installdir/bin/usermap <users_sid>

Where users_sid is the sid you just got from wbinfo.

Your job isn’t done yet. Now you need to also map the group for the user. Easiest way to do this is:


$installdir/bin/wbinfo --user-sids <users_sid>

That will give you two sids. The first one belongs to the user. The second one is the user’s group. Repeat the usermap exercise with the group sid and map that to an appropriate group on your linux domain.

Now to discuss how to do all of this and get roaming profiles to work.

On the linux side, create a directory that will store your roaming profiles. Directory should be owned by root:root and have permissions 770. Set up your samba config to share this out as the [profiles] share.

First, you will need to go through the entire mapping process with all groups on the windows domain. Ensure they all have matching groups on the linux domain with useful permissions to create profiles in wherever you store the profile directory.

You can learn how to use wbinfo for this from the samba help file

wbinfo

I’ll just use wbinfo as a shortened alias. But wbinfo is actually


INSTALL_DIR=<wherever you installed samba 4>
$INSTALL_DIR/bin/wbinfo

To get groups, use


wbinfo --group-info <group>

That gives you group ids on the linux side. Then convert those to windows sids with


wbinfo --gid-to-sid <gid>

Once you have the sid, use the usermap function I defined in the previous post to map the account to an appropriate linux group id. Repeat this for every windows group.

Now the fun part begins. Follow this exact sequence to ensure roaming profiles work.

1.) Create the user in active directory. DO NOT ASSIGN A PROFILE PATH YET.
2.) Log in that user once. I found this necessary to create the initial user entry for id-mapping in linux.
3.) Log out the user.
4.) Go to the linux side and map the user sid to the linux uid as described in the previous post.
5.) Log in to windows as domain admin and use active directory to assign the user a roaming profile directory.
6.) Log out of domain admin.
7.) Now log in as the user. It should automatically create a directory for the user’s profile using the linux username and group name from the id-mapping you set up.

Hope that helps someone.

On 7/18/2013 12:46 AM, nickninevah wrote:
>
> Dislike reading? I will ignore the insult and instead choose to post
> what I have learned to make userid mapping work successfully and get
> roaming profiles to work.
>
> The two references I found most helpful were:
>
> https://lists.samba.org/archive/samba/2011-January/160518.html
>
> https://wiki.samba.org/index.php/Adding_users_with_samba_tool
>
<snip>
>
Thank you for posting this information. I did not intend to insult you just give you the “Samba AD DC HOWTO”, which was counter
to your explicit request.


P.V.
“We’re all in this together, I’m pulling for you” Red Green

My mistake. Sorry for the rude reply. Hopefully we can do a little more knowledge sharing. Mostly, I’m frustrated because all the guides I have found so far are for samba 3, not samba 4. And much of the reading material I come across (such as the official samba guide) provides extensive descriptions about how impressive the features for samba are. And plenty of description on the configuration file options. But the organization and description for the utilities (such as net groupmap) left me confused.

Which leads me to my latest problem. With my user id mapping now successful, I can see my samba shares. But I don’t have write permission to every folder in the share. First, the details of the setup.

Samba configuration file


[global]
        # Domain Controller Options
        # ============================================================
        workgroup = VAHALLA
        realm = VAHALLA.ORG
        netbios name = ODEON
        wins support = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        encrypt passwords = yes

        # Security Options
        # ============================================================
        hosts allow = 127.0.0.1 192.168.1.0/24
        hosts deny = 0.0.0.0/0
        security = user

        # WinBind Options
        # ============================================================
        #winbind nss info = rfc2307
        #winbind trusted domains only = No
        #winbind use default domain = Yes
        #winbind enum users = Yes
        #winbind enum groups = Yes

        # Logon path tells samba where to put Windows roaming profiles
        logon path = \\%h\profiles\%u

        # logon drive = H:

        # Logon home is used to specify home directory and 
        # Windows 95/98/ME roaming profile location
        logon home = \\%h\%u\.win_profiles

        # Allow Samba to send correct time to windows
        time server = Yes

        # Set logging options
        log file = /var/log/samba/log.odeon

        # Other Global Options
        # ===========================================================
        hide dot files = Yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/vahalla.org/scripts
        # read only = No
        writeable = Yes
        comment = Logon Scripts
        volume = LOGON SCRIPTS

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        # read only = No
        writeable = Yes
        comment = SysAdmin Scripts
        volume = SYSADMIN SCRIPTS

[homes]
        path = /export/home/%u
        # read only = No
        writeable = Yes
        comment = User Home Directory
        volume = USER DIRECTORY
        browsable = no
        inherit acls = Yes
        # valid users = %u
        # valid users = VAHALLA\%U

[profiles]
        path = /export/win_profiles/
        browsable = No
        read only = No
        profile acls = Yes
        create mask = 0600
        directory mask = 0700
        comment = User Profiles
        volume = PROFILES

[Shared]
        path = /export/home
        read only = No
        comment = User Home Directories
        volume = HOME DIRECTORIES
        browseable = Yes
        hide files = /*.ini/
        inherit acls = Yes
        # valid users = @ntuser
        # write list = @ntuser

[Public]
        path = /export/home/public
        read only = No
        comment = Share information
        volume = PUBLIC
        browseable = Yes
        hide files = /*.ini/
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

From the commented out options, you can see I have experimented with a few things. I also setup group mapping. Here are my current group maps.


odeon:/etc/samba # net groupmap list
Domain Guests (S-1-5-21-1480406318-1800422186-3920511979-1004) -> nobody
Domain Users (S-1-5-21-1480406318-1800422186-3920511979-1000) -> ntusers
Domain Admins (S-1-5-21-1480406318-1800422186-3920511979-1003) -> root

The group ntusers is an LDAP group that I use on the linux side for network wide permissions of all users. (It’s a home network with 2 users. No need for fine segregation.)

And here is my nsswitch.conf


odeon:/etc # cat nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       compat                  Use compatibility setup
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       [NOTFOUND=return]       Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#

# passwd: files nis
# shadow: files nis
# group:  files nis

passwd: compat sss
group:  files sss

hosts:  files mdns4_minimal [NOTFOUND=return] dns wins
networks:       files dns

services:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files nis ldap
aliases:        files

Now here is the problem: When I examine the shares on the windows side, I can see that the top level folder has the group “Domain Users” with full control permissions, which is what I wanted. But those permissions do not propagate down to any subfolders. All the subfolders and files do not have any permissions entry for “Domain Users”. I know some will tell me that samba only sets permission for the top level folders. But I set the linux permissions so that all subfolders should be readable, if I understand correctly.

Folder permissions of the share [public]


odeon:/export/home/public # l
total 44
drwxrwxr-x+   7 root ntusers  4096 Jul 24 16:45 ./
drwxr-xr-x+   6 root root     4096 Jul 23 22:08 ../
drwxrwx---   12 root ntusers  4096 Jun 15 12:28 Documents/
drwxrwxr-x  187 root ntusers 12288 May 29 06:34 Music/
drwxrwxr-x   16 root ntusers  4096 Apr 21 17:00 Pictures/
drwxrwxr-x   10 root ntusers  4096 Nov 11  2012 System Software/
drwxrwxr-x    3 root ntusers  4096 Mar 18  2012 Videos/

From what I understand, since all folders are owned by group ntusers, and the group Domain Users maps to ntusers, then any windows user which is a member of Domain Users should have full control over the files in this share. But it is only the root folder that even registers Domain Users as a group.

The one hint I have to this is that when I examine the share permissions on the windows side, there are some unresolved SID account numbers. My permissions look like this:

| Group or Username | Full Control | Modify | Read & Execute | List Contents | Read | Write | Special Permissions |
|-------------------|--------------|--------|----------------|---------------|------|-------|---------------------|
| Everyone          |              |        | X              | X             | X    |       |                     |
| S-1-22-1-1001     |              |        |                |               |      |       | X                   |
| S-1-22-2-1000     |              |        |                |               |      |       | X                   |
| CREATOR OWNER     |              |        |                |               |      |       | X                   |
| CREATOR GROUP     |              |        |                |               |      |       | X                   |

The file is owned by S-1-22-1-1001. The odd part is the SID. I don’t recognize those SID numbers. They aren’t even from the samba domain, because they are completely different at the beginning of the string. My best guess has been that these SIDs relate to the local linux system. All my users on windows (through samba) map to LDAP users on the linux system. I have two LDAP servers running. Samba’s internal AD LDAP runs on ports 389 and 636. Linux LDAP runs on ports 390 and 637. So far they haven’t interfered with each other. But I wonder if windows is somehow reading from the linux LDAP. Or if it is somehow related to the problem that my LDAP users are not local user accounts.

I’ll take any ideas. I’d settle just for an explanation of tools that I can use to track down these mystery SID numbers and do something about them.

On 7/24/2013 9:16 PM, nickninevah wrote:
>
> My mistake. Sorry for the rude reply. Hopefully we can do a little
> more knowledge sharing. Mostly, I’m frustrated because all the guides I
> have found so far are for samba 3, not samba 4. And much of the reading
> material I come across (such as the official samba guide) provides
> extensive descriptions about how impressive the features for samba are.
> And plenty of description on the configuration file options. But the
> organization and description for the utilities (such as net groupmap)
> left me confused.
>
> Which leads me to my latest problem. With my user id mapping now
> successful, I can see my samba shares. But I don’t have write
> permission to every folder in the share. First, the details of the
> setup.
<snip>
>
> The file is owned by S-1-22-1-1001. The odd part is the SID. I don’t
> recognize those SID numbers. They aren’t even from the samba domain,
> because they are completely different at the beginning of the string.
> My best guess has been that these SID’s relate to the local linux
> system. All my users on windows (through samba) map to LDAP
> users on the linux system. I have two LDAP servers running. Samba’s
> internal AD LDAP runs on ports 389 and 636. Linux LDAP runs on ports
> 390 and 637. So far they haven’t interfered with each other. But I
> wonder if windows is somehow reading from the linux LDAP. Or if it is
> somehow related to the problem that my LDAP users are not local user
> accounts.
>
> I’ll take any ideas. I’d settle just for an explanation of tools that
> I can use to track down these mystery SID numbers and do something about
> them.
>
>
nickninevah;

Let me start by saying that I do not have a great deal of experience with Samba4. With that in mind let me comment on the share
permissions. AFAIK Samba4 uses ACLs for permission and recommends setting the permissions from a Windows machine using a user
with “SeDiskOperatorPrivilege”. See:

http://wiki.samba.org/index.php/Setup_and_configure_file_shares

I’m not sure about Samba4, but in later Samba3 releases the SID S-1-22-1-X was assigned to unmapped users where X is the NIX UID.

As you are one of the pioneers on this forum using Samba4, please keep us posted.


P.V.
“We’re all in this together, I’m pulling for you” Red Green
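Pulling together the usermap procedure from the earlier post and P.V.’s note that S-1-22-1-X is an unmapped Unix uid, here is an added shell helper (not code from the thread or from Samba) that decodes such SIDs, parses `wbinfo -n` output and generates the idmap.ldb change as LDIF for ldbmodify instead of editing the record by hand. It assumes Samba under /usr/local/samba, the Samba 4.0 idmap.ldb layout (records keyed CN=<SID> with an xidNumber attribute), the domain SID from the net groupmap output above, and a constructed RID 1104 as sample input.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba.  Decodes the SIDs
# seen in the Windows security tab (including the S-1-22-1-<uid> and
# S-1-22-2-<gid> Unix-authority SIDs), extracts a SID from "wbinfo -n" output
# and prints the LDIF that sets xidNumber in idmap.ldb, i.e. the change the
# usermap script above makes by hand in an editor.
# Assumptions: Samba 4 under /usr/local/samba; idmap.ldb records keyed
# "CN=<SID>" with an xidNumber attribute (Samba 4.0 layout); DOMAIN_SID is
# the prefix shown by "net groupmap list" earlier in the thread.
SAMBA_BIN=/usr/local/samba/bin
IDMAP_DB=/usr/local/samba/private/idmap.ldb
DOMAIN_SID=S-1-5-21-1480406318-1800422186-3920511979

# Describe a SID.  Exit status 2 flags an unmapped Unix id, 1 an unknown SID.
decode_sid() {
    case "$1" in
        S-1-1-0)         echo "well-known: Everyone" ;;
        S-1-3-0)         echo "well-known: CREATOR OWNER" ;;
        S-1-3-1)         echo "well-known: CREATOR GROUP" ;;
        S-1-22-1-*)      echo "unmapped Unix user uid=${1#S-1-22-1-}"; return 2 ;;
        S-1-22-2-*)      echo "unmapped Unix group gid=${1#S-1-22-2-}"; return 2 ;;
        "$DOMAIN_SID"-*) echo "this domain, RID=${1#$DOMAIN_SID-}" ;;
        S-1-5-21-*)      echo "account from a foreign domain" ;;
        *)               echo "unknown SID"; return 1 ;;
    esac
}

# Pull the SID out of a "wbinfo -n <name>" line, which looks like (constructed)
#   S-1-5-21-1480406318-1800422186-3920511979-1104 SID_USER (1)
sid_from_wbinfo() {
    set -- $1
    case "$1" in
        S-1-*) printf '%s\n' "$1" ;;
        *)     return 1 ;;
    esac
}

# LDIF that maps SID $1 to Unix id $2 by replacing xidNumber in idmap.ldb.
idmap_ldif() {
    case "$2" in
        ''|*[!0-9]*) echo "idmap_ldif: '$2' is not a numeric id" >&2; return 1 ;;
    esac
    printf 'dn: CN=%s\nchangetype: modify\nreplace: xidNumber\nxidNumber: %s\n' "$1" "$2"
}

# From a Unix-authority SID seen in the ACL ($1, e.g. S-1-22-1-1001) and the
# domain account that should own those files ($2), print the idmap change
# that ties the account's SID to that uid/gid.  Returns 1 for any other SID.
ldif_for_unmapped() {
    case "$1" in
        S-1-22-1-*) xid=${1#S-1-22-1-} ;;
        S-1-22-2-*) xid=${1#S-1-22-2-} ;;
        *)          return 1 ;;
    esac
    idmap_ldif "$2" "$xid"
}

# Resolve a name with wbinfo and apply the mapping with ldbmodify.  Needs the
# Samba tools present; print the LDIF first and review it before applying.
usermap_apply() {
    line=$("$SAMBA_BIN/wbinfo" -n "$1") || return 1
    sid=$(sid_from_wbinfo "$line") || return 1
    idmap_ldif "$sid" "$2" | "$SAMBA_BIN/ldbmodify" -H "$IDMAP_DB"
}
```

After applying a change, winbind’s idmap cache may still hold the old answer, so a stale result is not proof the edit failed.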

On 7/24/2013 11:35 PM, PV wrote:

EDIT:

Have you set the setgid bit on the directories?


su -
chmod g+s <path to directory>
exit


P.V.
“We’re all in this together, I’m pulling for you” Red Green

Thanks for the info. I’ll give it a try and let you know what happens. Once I get samba up and running, I do plan to write a full howto guide with a full list of references that I used. I am at the point right now where I can get a fully functional samba 4 server that only serves windows clients and users. Right now I’m working on the user mapping between samba and linux.

I finished working on Samba 4.0. I wrote all my experiences into a single document. Since I can’t add attachments to this post, I uploaded the files to a github repository. You can access it here:

https://github.com/nickninevah/Samba4Doc.git

It turns out that POSIX to ACL mapping is not possible in Samba 4.0 right now. They made a major shift in the underlying architecture for Samba 4.0, and the new architecture doesn’t quite work yet.

If you don’t need to share files between windows and linux, Samba 4.0 works great. It maintains an independent set of file permissions strictly for the windows side. If you have an all windows user environment, Samba 4.0 can be a great replacement for Windows Server 2008. I’m sure it misses some of the more advanced features. But it definitely supports active directory and group policies.

Although, I would wait at least another 6 months before starting any work on Samba 4.0. Much of the documentation that I used for the install was still being re-written in the last few days. And there are a few added pieces that I wish I knew when I started. My advice: wait until things stabilize more. Hopefully by then, they will have also implemented POSIX to ACL mapping. And Samba 4.0 will be absolutely awesome!

I have to say that I’m extremely appreciative and humble that you took the time and effort to write a thorough Samba4 Guide. What I am looking for however is getting this done automatically during user creation. Just to add that there is a Wiki article on the Samba wiki discussing this.