How to Get The User's Domain Information in Samba


User name shown by smbstatus is the name of the local user, not the user which connected to the share. The original name might have already been transformed with the help of 'username map' option in smb.conf.

Supposedly, you have a one-to-one name mapping between incoming users and local POSIX users. In this case you can use 'wbinfo --uid-to-sid leon' to get the Security Identifier (SID) of the user 'leon', and as the next step do 'wbinfo --sid-to-fullname sid' to convert the SID to the fully qualified user name (DOMAIN\user).

Samba authentication and linux user mapping

There are two ways to have 1:1 mapping of accounts between computers. The first is synchronization. This is where you copy accounts by hand or by script between machines. I think this is what you tried to do, but Windows does not work well when trying to do this. (There are other problems with this approach which have led to the second approach.)

The second way is a directory server. There are lots of directory servers out there. Sun came out with NIS. There is DAP and LDAP, which have multiple implementations, including folks like SAP, Red Hat, Oracle and Novell. But in a Windows environment the dominant directory server is Microsoft's Active Directory, which is part of Windows Server. (Prior to Windows 2000 there was a simpler service called NT domain login, which still can be used in some cases.)

Now, if you don't want to shell out the big bucks for Windows Server, Samba has a protocol-compatible directory server. Samba 3 uses NT domain logins to serve account information, and Samba 4 is compatible with Active Directory. The general way you use Samba 3 to provide accounts to Windows is to make Samba a primary domain controller, and then join Windows to the domain you just created. The accounts are then drawn from your passwd file (or wherever NSS maps your account information), but your passwords have to be stored in Samba. Samba 4 is a similar process, but newer, and all account information must be stored in Samba; you must also join your Linux box (Raspberry Pi in your case) to the domain with winbind.

On the other hand, if you have Windows Server just lying around, you could also create your domain there and join all your machines to that domain, again using winbind for Linux.

One of the complications of using winbind is assigning or mapping UIDs for Linux. It is not complicated, but you have to pay attention.

If you noticed that I have skipped some details, you have a gift for understatement. There are books on this subject that miss important details. You have some reading to do.

authenticate against with Active Directory via samba

FIXED. It seems there is something wrong with winbind separator = /. I commented out this line (this will take the default MS AD separator) or set winbind separator = + and logged in with the format domain\aduser or domain+aduser. It works. Hope this is helpful.

Windows client connecting to UCS / Samba server - The join operation was not successful

Greetings from Univention,

this might not be the best site to ask for solutions for these kinds of problems, as Jeff already mentioned.

We would like to invite you to Univention Help where a lot of greatly experienced Community members and our Staff would love to help you.

Besides that, did you try to join your domain with your myuser user? This won't work, as your user doesn't have the proper rights to add machines to your domain. Have you tried it with the user Administrator as shown in this image?

You also want to make sure that there isn't already a machine with the name DELL-INSIPRON in your domain, but I assume that this won't be the case.

How to get user password expiration date from Active Directory?

This depends on the configuration of the domain controller. You can try:

net ads user info USERNAME@DOMAIN.COM -S DC_SERVER_NAME -U USERNAME

where USERNAME@DOMAIN.COM is the account to gather info from, DC_SERVER_NAME is the hostname of your domain controller and USERNAME is your username.

You will be prompted for your domain password.

Now you either get information about your account, including the expiry date of your password, or you get

ads_pull_uint32 failed

In this case, your domain controller is not configured to provide account information to UNIX-like systems.

You may contact your domain administrator to convince him to install and configure Microsoft Windows Services for UNIX so that this command gives you the needed information.

This answer might be frustrating. It is for me as I am in the same situation and researched the topic a lot.

My workaround: I set a calendar reminder 80 days in the future, when I set my domain password (smbpasswd -U USERNAME -r DC_SERVER_NAME), since it expires every 90 days. Not perfect, but workable.

[UPDATE]
I found a way to determine the expiration date of your domain password with rpcclient, here is my script:

#!/bin/bash
# author: Tim Wahrendorff 2016
# licence: Public Domain - https://wiki.creativecommons.org/wiki/Public_domain
#
# To use this script you need at least:
# sudo apt-get install libnotify-bin rpcclient
#
# Please set your account, password and domaincontroller to use this script

USER="username"   # Domain account name
PASS='Pa$$W0rd'   # Domain password (single quotes: in double quotes "$$" would expand to the shell's PID)
DC="vmdc01"       # Domain controller

### START RPCCLIENT query
if [ "x$USERDCID" == "x" ]; then
    # lookupnames prints "<user> S-1-5-21-...-<RID> (User: 1)"; the RID is the last SID component
    RPCLOOKUPID=$(rpcclient -U "$USER%$PASS" -c "lookupnames $USER" "$DC" 2> ./rpc_errFile)

    # take the digits between the last "-" and " (" so that short RIDs (e.g. 500) work too
    USERDCID=$(echo "$RPCLOOKUPID" | sed -n 's/.*-\([0-9]\{1,10\}\) (.*/\1/p')
fi

QUERYUSER=$(rpcclient -U "$USER%$PASS" -c "queryuser $USERDCID" "$DC" 2> ./rpc_errFile)

# the timestamp looks like "Thu, 14 Jul 2016 09:12:00 CEST": three letters for the weekday,
# and [A-Za-z] instead of the invalid range [a-Z], which makes grep abort
EXPDATE=$(echo "$QUERYUSER" | grep 'Password must change Time' | grep -e '[A-Za-z]\{3\}, [0-9]\{2\} [A-Za-z]\{3\} [0-9]\{4\} [0-9]\{2\}:[0-9]\{2\}' -o)

## Load rpc error Message
RPCERR=$(<./rpc_errFile)

## send notifications to Unity Desktop
if [ "x$RPCERR" != "x" ]; then
    notify-send -i /usr/share/icons/gnome/48x48/status/dialog-error.png "Error while fetching expiration date of your domain password" "$RPCERR"
else
    notify-send -i /usr/share/icons/gnome/48x48/status/dialog-information.png "your domain password expires at " "$EXPDATE h"
fi

### END RPCCLIENT query

I configured this script to run on autostart; it shows me when my domain password will expire in a Unity notification. Feel free to extend, improve and republish this script, it is public domain.

[/UPDATE]
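The fragile part of the script above is pulling the RID and the timestamp out of rpcclient's text output. The following is an added example (not part of the answer, and not Samba's own code) that isolates that parsing into functions and adds a "days remaining" calculation; the lookupnames and queryuser outputs it works on are constructed samples with made-up SIDs, so it runs without a domain controller. It assumes GNU date for the epoch conversion.

```shell
#!/bin/sh
# Added example: parse rpcclient "lookupnames" and "queryuser" output robustly.
# All sample data below is constructed; nothing here contacts a domain controller.

# Constructed sample of: rpcclient -U "$USER%$PASS" -c "lookupnames leon" "$DC"
SAMPLE_LOOKUP='leon S-1-5-21-3623811015-3361044348-30300820-1105 (User: 1)'
# Constructed sample for a built-in account: a three-digit RID that a pattern
# requiring four or more digits would silently miss.
SAMPLE_LOOKUP_ADMIN='Administrator S-1-5-21-3623811015-3361044348-30300820-500 (User: 1)'
# Constructed fragment of: rpcclient -U "$USER%$PASS" -c "queryuser 1105" "$DC"
SAMPLE_QUERY='        User Name   :   leon
        Full Name   :   Leon Example
        Password last set Time   :      Fri, 15 Apr 2016 09:12:00 UTC
        Password can change Time :      Fri, 15 Apr 2016 09:12:00 UTC
        Password must change Time:      Thu, 14 Jul 2016 09:12:00 UTC'

# Print the RID (last SID component) from a lookupnames line; fail if no SID is present.
extract_rid() {
    rid=$(printf '%s\n' "$1" | sed -n 's/.*S-1-5-21-[0-9-]*-\([0-9][0-9]*\) .*/\1/p')
    [ -n "$rid" ] || return 1
    printf '%s\n' "$rid"
}

# Print the value of the "Password must change Time" field from queryuser output,
# tolerating any whitespace around the colon; fail if the field is absent.
extract_expiry() {
    stamp=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Password must change Time[[:space:]]*:[[:space:]]*//p' \
        | head -n 1)
    [ -n "$stamp" ] || return 1
    printf '%s\n' "$stamp"
}

# Whole days from "now" ($2, epoch seconds) until the expiry stamp ($1).
# The weekday prefix ("Thu, ") is dropped before the string is handed to GNU date.
days_until() {
    stamp=${1#*, }
    expiry_epoch=$(date -u -d "$stamp" +%s) || return 1
    echo $(( (expiry_epoch - $2) / 86400 ))
}

# Stand-alone run on the constructed samples; 1467000000 is 2016-06-27 04:00 UTC.
rid=$(extract_rid "$SAMPLE_LOOKUP")
expiry=$(extract_expiry "$SAMPLE_QUERY")
printf 'RID %s, password must change on %s (%s days from 2016-06-27)\n' \
    "$rid" "$expiry" "$(days_until "$expiry" 1467000000)"
```

Against a real domain controller the two samples would be replaced by the output of `rpcclient -U "$USER%$PASS" -c "lookupnames $USER" "$DC"` and `rpcclient -U "$USER%$PASS" -c "queryuser $rid" "$DC"`; the sed expressions anchor on the SID structure and the field name rather than on a digit count, which is what makes them hold for built-in accounts such as Administrator (RID 500).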
