Hello all,
I'm having a win server 2012 with AD and centos 7.2 with samba4 as client. On the centos client I want to do a cifs share with active directory authentication. I configured all and "id" and "getent" are working.
I read that I have to configure permission on the samba share with windows explorer. I can do that but after closing the security tab and reopen it in win explorer only win SID are shown in security tab. Please have a look to attached screenshot.
sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = samba
debug_level = 9

[nss]
filter_users = root
filter_groups = root

[pam]

[domain/samba]
ad_hostname = centi.samba.dance
ad_server = dc.samba.dance
ad_domain = samba
default_shell = /bin/bash
override_homedir = /home/%u
ldap_schema = ad
id_provider = ad
access_provider = ad
# on large directories, you may want to disable enumeration for performance reasons
enumerate = true
cache_credentials = true
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = centi$@SAMBA.DANCE
krb5_realm = SAMBA.DANCE
krb5_server = dc.samba.dance
krb5_kpasswd = dc.samba.dance
krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
ldap_referrals = false
ldap_uri = ldap://dc.samba.dance
ldap_search_base = dc=samba,dc=dance
dyndns_update=false
ldap_id_mapping=true
I searched the web, books... play around with ID-mapping.... Also asking on samba mailing list was no one who can help. Nothing helps.
How to get the windows usernames in security tab? Can someone help?
Tia Stefan
On Tue, May 03, 2016 at 07:04:42PM +0200, Stefan Fuhrmann wrote:
> Hello all,
>
> I'm having a win server 2012 with AD and centos 7.2 with samba4 as client. On the centos client I want to do a cifs share with active directory authentication. I configured all and "id" and "getent" are working.
>
> I read that I have to configure permission on the samba share with windows explorer. I can do that but after closing the security tab and reopen it in win explorer only win SID are shown in security tab. Please have a look to attached screenshot.
Please try to install the sssd-libwbclient package. This provides a library which sends some of the requests Samba would typically send to winbind to SSSD.
HTH
bye, Sumit
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
Hello Sumit,
On Wednesday 04 May 2016, 09:46:00, Sumit Bose wrote:
> Please try to install the sssd-libwbclient package. This provides a library which sends some of the requests Samba would typically send to winbind to SSSD.
There is no winbind installed. As I write sssd is running I can do id and getent successfully. This package is installed.
Here is my correct conf version:

[sssd]
services = nss, pam, pac, ssh
config_file_version = 2
domains = samba
debug_level = 9

[nss]
filter_users = root
filter_groups = root

[ssh]

[pam]

[domain/samba]
ad_hostname = centi.samba.dance
ad_server = dc.samba.dance
ad_domain = samba
default_shell = /bin/bash
override_homedir = /home/%u
ldap_schema = ad
#ldap_schema = rfc2307bis

id_provider = ad
access_provider = ad
#ldap_id_mapping = False
#ldap_id_mapping = true

# on large directories, you may want to disable enumeration for performance reasons
enumerate = true
cache_credentials = true

#auth_provider = krb5
auth_provider = ad
#chpass_provider = krb5
chpass_provider = ad

ldap_sasl_mech = GSSAPI
ldap_sasl_authid = centi$@SAMBA.DANCE
krb5_realm = SAMBA.DANCE
krb5_server = dc.samba.dance
krb5_kpasswd = dc.samba.dance
krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
ldap_referrals = false
ldap_uri = ldap://dc.samba.dance
ldap_search_base = dc=samba,dc=dance

dyndns_update = false
#ldap_id_mapping=false
I also played around with id mapping, but when setting ldap_id_mapping=false sssd does not start. What is the default setting if I comment it out?
I don't know what else I can try. Does someone know how to get the correct user shown in the win explorer sec tab?
thanks for help!! Stefan
On Wed, May 04, 2016 at 04:57:38PM +0200, Stefan Fuhrmann wrote:
> Hello Sumit,
>
> On Wednesday 04 May 2016, 09:46:00, Sumit Bose wrote:
> > Please try to install the sssd-libwbclient package. This provides a library which sends some of the requests Samba would typically send to winbind to SSSD.
>
> There is no winbind installed. As I write sssd is running I can do id and getent successfully. This package is installed.
If the sssd-libwbclient package is installed please check with
alternatives --display libwbclient.so.0.12
if it is configured correctly.
HTH
bye, Sumit
Hello Sumit

On Wednesday 04 May 2016, 17:47:16, Sumit Bose wrote:
> If the sssd-libwbclient package is installed please check with
>
> alternatives --display libwbclient.so.0.12
>
> if it is configured correctly.

alternatives --display libwbclient.so.0.12-64
libwbclient.so.0.12-64 - status is auto.
 link currently points to /usr/lib64/sssd/modules/libwbclient.so.0.12.0
/usr/lib64/sssd/modules/libwbclient.so.0.12.0 - priority 20
/usr/lib64/samba/wbclient/libwbclient.so.0.12 - priority 10
Current `best' version is /usr/lib64/sssd/modules/libwbclient.so.0.12.0.
Tia Stefan
On Wed, May 04, 2016 at 09:14:24PM +0200, Stefan Fuhrmann wrote:
> Hello Sumit
>
> On Wednesday 04 May 2016, 17:47:16, Sumit Bose wrote:
> > If the sssd-libwbclient package is installed please check with
> >
> > alternatives --display libwbclient.so.0.12
> >
> > if it is configured correctly.
>
> alternatives --display libwbclient.so.0.12-64
> libwbclient.so.0.12-64 - status is auto.
>  link currently points to /usr/lib64/sssd/modules/libwbclient.so.0.12.0
> /usr/lib64/sssd/modules/libwbclient.so.0.12.0 - priority 20
> /usr/lib64/samba/wbclient/libwbclient.so.0.12 - priority 10
> Current `best' version is /usr/lib64/sssd/modules/libwbclient.so.0.12.0.
this looks ok. Can you check if a SID can be translated to a proper name by calling:
wbinfo -s S-1-5-21-.........
this should return the matching user name. If the right name is returned the next step would be looking at the samba logs. For this you should set 'log level = 10' in /etc/smb.conf and then connect to the share from Windows and open the Security tab to trigger the lookup of the user names by SID.
Please switch 'log level' to the original value back after the test to avoid filling up the disk with samba logs.
HTH
bye, Sumit
Hello Sumit,
On Friday 06 May 2016, 10:18:56, Sumit Bose wrote:
> this looks ok. Can you check if a SID can be translated to a proper name by calling:
>
> wbinfo -s S-1-5-21-.........

wbinfo isn't working. As I wrote there is no winbind installed: "failed to call wbcLookupSid: WBC_ERR_UNKNOWN_FAILURE"

There is the recommendation to use only sssd now...

> this should return the matching user name. If the right name is returned the next step would be looking at the samba logs. For this you should set 'log level = 10' in /etc/smb.conf and then connect to the share from Windows and open the Security tab to trigger the lookup of the user names by SID.
>
> Please switch 'log level' to the original value back after the test to avoid filling up the disk with samba logs.

set samba debug level to 10, restart daemon, accessing the share from windows -> nothing logged (tail -f) only when restarting the daemon
thanks ! Stefan
Hello Sumit,
On Friday 06 May 2016, 11:10:15, Stefan Fuhrmann wrote:
> Hello Sumit,
>
> On Friday 06 May 2016, 10:18:56, Sumit Bose wrote:
> > this looks ok. Can you check if a SID can be translated to a proper name
> > by calling: wbinfo -s S-1-5-21-.........
>
> wbinfo isn't working. As I wrote there is no winbind installed: "failed to call wbcLookupSid: WBC_ERR_UNKNOWN_FAILURE"
>
> There is the recommendation to use only sssd now...
sorry, I was wrong. I read there is an implementation in sssd.
wbinfo -n 'SAMBA\Administrator'
S-1-5-21-1678445544-3505005498-3200762184-500 SID_USER (1)

getfacl /share2/
getfacl: Removing leading '/' from absolute path names
# file: share2/
# owner: administrator
# group: domänen-admins
user::rwx
user:administrator:rwx
user:user:r-x
group::rwx
group:domänen-admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:user:user:r-x
default:group::---
default:group:domänen-admins:---
default:mask::rwx
default:other::---

[root@centi ~]#

But why are the usernames not shown on cifs-share with win-explorer?
Thanks Stefan
On Fri, May 06, 2016 at 01:47:09PM +0200, Stefan Fuhrmann wrote:
> wbinfo -n 'SAMBA\Administrator'
> S-1-5-21-1678445544-3505005498-3200762184-500 SID_USER (1)
>
> getfacl /share2/
> getfacl: Removing leading '/' from absolute path names
> # file: share2/
> # owner: administrator
> # group: domänen-admins
ah, can you try to add 'use_fully_qualified_names = True' to the [domain/...] section of sssd.conf, restart SSSD and try again? Now 'wbinfo -s ....' (lower-case s) should return a result as well.
HTH
bye, Sumit
Hello Sumit,
you did it! :) great! Many thanks to you!
On Friday 06 May 2016, 14:53:33, Sumit Bose wrote:
> > getfacl /share2/
> > getfacl: Removing leading '/' from absolute path names
> > # file: share2/
> > # owner: administrator
> > # group: domänen-admins

do that:

> ah, can you try to add 'use_fully_qualified_names = True' to the [domain/...] section of sssd.conf, restart SSSD and try again? Now 'wbinfo -s ....' (lower-case s) should return a result as well.

wbinfo -s S-1-5-21-1678445544-3505005498-3200762184-500
samba\administrator 1
Now the users are shown correctly in win-explorer on samba share!
Cheers!! Stefan
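
The check this thread converged on, as an added example that is not part of any message above and not SSSD or Samba code: find [domain/...] sections of sssd.conf that lack use_fully_qualified_names = True, and confirm that a name resolves to a SID with wbinfo -n and back to the same name with wbinfo -s, which in this thread failed until the option was set. The WBINFO override, the function names and the sample configuration are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. WBINFO is a hypothetical override so
# the lookups can be pointed at a stub when no domain is reachable.
WBINFO="${WBINFO:-wbinfo}"

# Constructed sssd.conf: one domain without the option, one with it.
sample_conf() {
    cat <<'EOF'
[sssd]
services = nss, pam
domains = samba, fixed

[domain/samba]
id_provider = ad
#use_fully_qualified_names = True

[domain/fixed]
id_provider = ad
use_fully_qualified_names = True
EOF
}

# Print each [domain/...] section of the sssd.conf in $1 that does not set
# use_fully_qualified_names to true. Exit status 1 if any section is printed.
domains_without_fqn() {
    awk '
        function report() { if (dom != "" && !fqn) { print dom; bad = 1 } }
        /^[ \t]*[#;]/ { next }              # commented-out settings do not count
        /^[ \t]*\[/ {                       # a new section starts
            report(); dom = ""; fqn = 0
            s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
            if (s ~ /^domain\//) dom = s
            next
        }
        dom != "" {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = tolower(substr($0, n + 1))
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == "use_fully_qualified_names") fqn = (v == "true")
        }
        END { report(); exit bad + 0 }
    ' "$1"
}

# Resolve a name to its SID (wbinfo -n) and the SID back to a name
# (wbinfo -s), the lookup Samba needs to show names in the Security tab.
# Prints "SID name"; fails if either lookup fails or the names differ.
sid_roundtrip() (
    name=$1
    out=$("$WBINFO" -n "$name" 2>/dev/null) || return 1
    sid=${out%% *}                          # "S-1-5-... SID_USER (1)" -> SID
    case "$sid" in S-1-*) ;; *) return 1 ;; esac
    out=$("$WBINFO" -s "$sid" 2>/dev/null) || return 1
    back=$(printf '%s\n' "$out" | sed 's/ [0-9][0-9]*$//')  # drop type number
    printf '%s %s\n' "$sid" "$back"
    lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
    [ "$(lc "$name")" = "$(lc "$back")" ]
)
```

On a client, call domains_without_fqn /etc/sssd/sssd.conf and then sid_roundtrip 'SAMBA\Administrator' after restarting SSSD.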
On Fri, May 06, 2016 at 11:10:15AM +0200, Stefan Fuhrmann wrote:
> Hello Sumit,
>
> On Friday 06 May 2016, 10:18:56, Sumit Bose wrote:
> > this looks ok. Can you check if a SID can be translated to a proper name by calling:
> >
> > wbinfo -s S-1-5-21-.........
>
> wbinfo isn't working. As I wrote there is no winbind installed: "failed to call wbcLookupSid: WBC_ERR_UNKNOWN_FAILURE"
With /usr/lib64/sssd/modules/libwbclient.so.0.12.0 wbinfo should use SSSD to get the SID resolved.
Please set debug_level=10 in the [nss] section of sssd.conf, restart SSSD, run the wbinfo command again and check if you see a request for the SID in sssd_nss.log.
Additionally running
strace -s 128 -f wbinfo -S S-1-5-21-.........
would show if wbinfo can access the needed socket of SSSD.
HTH
bye, Sumit
Hello Sumit,
On Friday 06 May 2016, 13:50:12, Sumit Bose wrote:
> On Fri, May 06, 2016 at 11:10:15AM +0200, Stefan Fuhrmann wrote:
> > Hello Sumit,
> >
> > On Friday 06 May 2016, 10:18:56, Sumit Bose wrote:
> > > this looks ok. Can you check if a SID can be translated to a proper name
> > > by calling: wbinfo -s S-1-5-21-.........

[root@centi ~]# wbinfo -n 'SAMBA\Administrator'
S-1-5-21-1678445544-3505005498-3200762184-500 SID_USER (1)
[root@centi ~]# wbinfo -S S-1-5-21-1678445544-3505005498-3200762184-500
1480400500
Thanks!! Stefan
Hello Sumit,
On Friday 06 May 2016, 13:50:12, Sumit Bose wrote:
> On Fri, May 06, 2016 at 11:10:15AM +0200, Stefan Fuhrmann wrote:
> > Hello Sumit,
> >
> > On Friday 06 May 2016, 10:18:56, Sumit Bose wrote:
> > > this looks ok. Can you check if a SID can be translated to a proper name
> > > by calling: wbinfo -s S-1-5-21-.........
> >
> > wbinfo isn't working. As I wrote there is no winbind installed: "failed to call wbcLookupSid: WBC_ERR_UNKNOWN_FAILURE"
>
> With /usr/lib64/sssd/modules/libwbclient.so.0.12.0 wbinfo should use SSSD to get the SID resolved.
>
> Please set debug_level=10 in the [nss] section of sssd.conf, restart SSSD, run the wbinfo command again and check if you see a request for the SID in sssd_nss.log.
(Fri May 6 14:43:26 2016) [sssd[nss]] [nss_cmd_getbysid] (0x0400): Running command [275] with SID [S-1-5-21-1678445544-3505005498-3200762184-500].
(Fri May 6 14:43:26 2016) [sssd[nss]] [nss_check_well_known_sid] (0x4000): SID [S-1-5-21-1678445544-3505005498-3200762184-500] is not a Well-Known SID.
(Fri May 6 14:43:26 2016) [sssd[nss]] [nss_cmd_getbysid] (0x0100): Requesting info for [S-1-5-21-1678445544-3505005498-3200762184-500] from [samba]
(Fri May 6 14:43:26 2016) [sssd[nss]] [nss_cmd_getbysid_search] (0x0400): Requesting info for [S-1-5-21-1678445544-3505005498-3200762184-500@samba]
(Fri May 6 14:43:26 2016) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/SID/S-1-5-21-1678445544-3505005498-3200762184-500]
(Fri May 6 14:43:26 2016) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f2c19598290
(Fri May 6 14:43:26 2016) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f2c19592750
(Fri May 6 14:43:26 2016) [sssd[nss]] [ldb] (0x4000): Running timer event 0x7f2c19598290 "ltdb_callback"
(Fri May 6 14:43:26 2016) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x7f2c19592750 "ltdb_timeout"
(Fri May 6 14:43:26 2016) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x7f2c19598290 "ltdb_callback"
(Fri May 6 14:43:26 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Fri May 6 14:43:26 2016) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Fri May 6 14:43:26 2016) [sssd[nss]] [nss_cmd_getbysid_search] (0x0400): Returning info for sid [S-1-5-21-1678445544-3505005498-3200762184-500@samba]
(Fri May 6 14:43:26 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7f2c19598430][22]
(Fri May 6 14:43:26 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7f2c19598430][22]
(Fri May 6 14:43:26 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Fri May 6 14:43:26 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0x7f2c19598430][22]
(Fri May 6 14:43:34 2016) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x7f2c1958f0c0
(Fri May 6 14:43:34 2016) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
(Fri May 6 14:43:34 2016) [sssd[nss]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Fri May 6 14:43:34 2016) [sssd[nss]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
^C
[root@centi sssd]#
> Additionally running
>
> strace -s 128 -f wbinfo -S S-1-5-21-.........

at the beginning of the log:

strace -s 128 -f wbinfo -S S-1-5-21-1678445544-3505005498-3200762184-500
execve("/usr/bin/wbinfo", ["wbinfo", "-S", "S-1-5-21-1678445544-3505005498-3200762184-500"], [/* 21 vars */]) = 0
brk(0) = 0x7ff478009000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff477060000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/usr/lib64/samba/tls/x86_64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/samba/tls/x86_64", 0x7ffe8e036ec0) = -1 ENOENT (No such file or directory)
open("/usr/lib64/samba/tls/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/samba/tls", 0x7ffe8e036ec0) = -1 ENOENT (No such file or directory)
open("/usr/lib64/samba/x86_64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/samba/x86_64", 0x7ffe8e036ec0) = -1 ENOENT (No such file or directory)
open("/usr/lib64/samba/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/samba", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=23560, ...}) = 0
mmap(NULL, 23560, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ff47705a000
close(3) = 0

There are a lot of "No such file or directory"

open("/usr/lib64/samba/libsss_nss_idmap.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

locate libsss_nss_idmap.so
/usr/lib64/libsss_nss_idmap.so.0

it seems it reads in wrong location.

Want to add full log with -o but:

strace -o sssd-strace-wbinfo.txt -s 128 -f wbinfo -S S-1-5-21-1678445544-3505005498-3200762184-500

shows 1480400500
Thanks!! Stefan