[Samba] I want a Fedora 20 system to be a member server and offer a share in a Windows 2008R2 Active Directory domain

Davor Vusir davortvusir at gmail.com
Sun Aug 31 13:56:00 MDT 2014


** Sent from my mobile! **

Den 30 aug 2014 21:20 skrev "Greg Scott" <GregScott at infrasupport.com>:
>
> I'm close to making this work.  The goal is to make this Fedora 20 system
> pretend to be a Windows member server in my Windows 2008R2 Active Directory
> domain and then I'll use it as a backup target.  When I run ADUC from my
> domain controller, I see my F20 system named nfsa.  But from Windows, when
> I do Start...\\nfsa, I get an Access Denied error and it prompts for
> credentials.  When I do Start...\\nfsa\backups, it just fails with an
> Access Denied error.
>
> I will paste in the output from testparm below, which has everything in
> my smb.conf.  This should all be OK.  I've gotta be missing the piece that
> sets up my F20 system to trust A/D for authentication so F20 can advertise
> this share.   The guidance on how to do that is contradictory and thin and
> I'm hopelessly confused.  I'm supposed to do some editing to some pam .conf
> files and nsswitch.conf, but everyone has different guidance.  And the
> edits look elaborate and prone to mistakes.
>
> So Red Hat includes a tool named authconfig that claims to handle this
> for me.  It is supposed to set up all the .conf files to make this work.
> Pass authconfig the correct parameters and it all just happens.  In fact,
> it's all documented right here in the RHEL 7 Windows Integration Guide:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/winbind-auth.html
>
> The example in section 4.3.2, step 4 uses a parameter named
> --enablewinbindkrb5 that doesn't exist. And a couple of the parameters in
> the example need equal signs (parameter=value instead of parameter [space]
> value).  In fairness, that book above is part of RHEL 7 and I'm doing this
> from Fedora 20 so maybe they are different. Working around that and based
> on the example, I put this little script together:
>
> [root at nfsa gregs]# more test.sh
> #!/bin/sh
>
> authconfig \
>       --enablewinbind \
>       --enablewins \
>       --enablewinbindauth \
>       --smbsecurity=ads \
>       --smbworkgroup=EHAC \
>       --smbrealm=EHAC.LOCAL \
>       --smbservers=ehcserver1.ehac.local \
>       --krb5realm=EHAC.LOCAL \
>       --enablewinbindoffline \
>       --enablekrb5 \
>       --winbindtemplateshell=/bin/sh \
>       --winbindjoin=administrator \
>       --update \
>       --enablelocauthorize \
>       --savebackup=/home/gregs/backups
> [root at nfsa gregs]#
>
> When I run it, it makes copies of a bunch of config files and saves them
> in my /home/gregs/backups directory.  But it never updates any of the real
> .conf files - just one big no-op.
>
> So how do I do this?  Surely there's a nice, clean, easily reproducible way
> to make a Linux system offer a share as a member server in a modern A/D
> domain.
>
> F20 can reach into the domain, but the domain cannot reach out to F20.
>
> wbinfo -g and wbinfo -u show me the groups and users I expect to see.
> And getent passwd domain\\user returns what I expect after I finally
> learned I need to escape that "\" character.  So F20 can reach into the
> domain, but the domain can't reach back to F20.  That's my problem.
>
> [root at nfsa gregs]#  getent passwd ehac\\gregs
> gregs at ehac.local:*:762201118:762200513:Greg
> Scott:/home/ehac.local/gregs:/bin/bash
>
> Finally, here is a copy of my smb.conf and krb5.conf.
>
> [root at nfsa gregs]# testparm
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[backups]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
>         workgroup = EHAC
>         realm = ehac.local
>         server string = Samba Server nfsa Version %v
>         security = ADS
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = Yes
>         winbind nss info = rfc2307
>         idmap config SAMDOM:range = 500-40000
>         idmap config SAMDOM:schema_mode = rfc2307
>         idmap config SAMDOM:backend = ad

SAMDOM -> EHAC? Is the defined range correct?

Regards
Davor

>         idmap config *:range = 70001-80000
>         idmap config * : backend = tdb
>         cups options = raw
>
> [backups]
>         comment = backups
>         path = /data/nfsa
>         read only = No
>         guest ok = Yes
> [root at nfsa gregs]#
> [root at nfsa gregs]#
> [root at nfsa gregs]# more /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  dns_lookup_realm = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>  rdns = false
> # default_realm = EXAMPLE.COM
> default_realm = EHAC.LOCAL
>  default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> # EXAMPLE.COM = {
> #  kdc = kerberos.example.com
> #  admin_server = kerberos.example.com
> # }
>
> EHAC.LOCAL = {
>   kdc = ehcserver1.ehac.local
>   admin_server = ehcserver1.ehac.local
>  }
>
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
>
> .ehac.local = EHAC.LOCAL
> ehac.local = EHAC.LOCAL
> [root at nfsa gregs]#
>
> Oh yes - I have no idea if this is relevant or not but I see these errors
> about printers in /var/log/messages when I restart smb.  I don't care about
> printing here and would be fine with just turning off all printing if
> there's a way to do it.  But maybe these printer errors contribute to my
> real problem.
>
> [root at nfsa gregs]# tail /var/log/messages
> Aug 30 13:42:36 nfsa smbd[7353]: [2014/08/30 13:42:36.137682,  0]
> ../source3/printing/print_cups.c:151(cups_connect)
> Aug 30 13:42:36 nfsa smbd[7353]: Unable to connect to CUPS server
> localhost:631 - Bad file descriptor
> Aug 30 13:42:36 nfsa smbd[7010]: [2014/08/30 13:42:36.137938,  0]
> ../source3/printing/print_cups.c:528(cups_async_callback)
> Aug 30 13:42:36 nfsa smbd[7010]: failed to retrieve printer list:
> NT_STATUS_UNSUCCESSFUL
> Aug 30 13:50:01 nfsa systemd: Starting Session 271 of user root.
> Aug 30 13:50:02 nfsa systemd: Started Session 271 of user root.
> Aug 30 13:55:36 nfsa smbd[7380]: [2014/08/30 13:55:36.883693,  0]
> ../source3/printing/print_cups.c:151(cups_connect)
> Aug 30 13:55:36 nfsa smbd[7380]: Unable to connect to CUPS server
> localhost:631 - Bad file descriptor
> Aug 30 13:55:36 nfsa smbd[7010]: [2014/08/30 13:55:36.883950,  0]
> ../source3/printing/print_cups.c:528(cups_async_callback)
> Aug 30 13:55:36 nfsa smbd[7010]: failed to retrieve printer list:
> NT_STATUS_UNSUCCESSFUL
> [root at nfsa gregs]#
>
> I've installed winbind, and winbind and smb are running.  SELinux is set
> to permissive.  I don't think I need nmb anymore but I can try turning it
> on.
>
> [root at nfsa gregs]# systemctl list-unit-files | grep smb
> smb.service                                 enabled
> [root at nfsa gregs]# systemctl list-unit-files | grep nmb
> nmb.service                                 disabled
> [root at nfsa gregs]# systemctl list-unit-files | grep winbind
> winbind.service                             enabled
> [root at nfsa gregs]#
>
> Oh - versions - everything came from Red Hat binaries a few days ago:
>
> [root at nfsa gregs]# more /etc/issue
> Fedora release 20 (Heisenbug)
> Kernel \r on an \m (\l)
>
> [root at nfsa gregs]# rpm -qa | grep samba
> samba-winbind-modules-4.1.9-4.fc20.x86_64
> samba-common-4.1.9-4.fc20.x86_64
> samba-4.1.9-4.fc20.x86_64
> samba-winbind-4.1.9-4.fc20.x86_64
> samba-libs-4.1.9-4.fc20.x86_64
> samba-winbind-clients-4.1.9-4.fc20.x86_64
> [root at nfsa gregs]#
> [root at nfsa gregs]# rpm -qa | grep krb5
> pam_krb5-2.4.8-1.fc20.x86_64
> sssd-krb5-common-1.11.6-1.fc20.x86_64
> sssd-krb5-1.11.6-1.fc20.x86_64
> krb5-workstation-1.11.5-11.fc20.x86_64
> krb5-libs-1.11.5-11.fc20.x86_64
> [root at nfsa gregs]#
>
> Thanks
>
> - Greg Scott

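A check for the mismatch Davor points at (an `idmap config` block named for a domain other than the `workgroup`), as an added example that is not part of this thread or of Samba itself; it parses the `[global]` section of the smb.conf quoted above, embedded here as sample input, and also flags overlapping idmap ranges, which winbind requires to be disjoint.

```python
import re

# The [global] section quoted in the question, embedded as sample input.
SAMPLE_SMB_CONF = """
[global]
        workgroup = EHAC
        security = ADS
        idmap config SAMDOM:range = 500-40000
        idmap config SAMDOM:backend = ad
        idmap config *:range = 70001-80000
        idmap config * : backend = tdb
[backups]
        path = /data/nfsa
"""

# testparm accepts spaces around the ':' (see "idmap config * : backend" above)
IDMAP_RE = re.compile(r"^\s*idmap config\s*(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
PARAM_RE = re.compile(r"^\s*([a-z][a-z ]*?)\s*=\s*(.+?)\s*$", re.I)

def parse_global(text):
    """Return (params, idmap): [global] parameters, and idmap settings keyed
    by upper-cased domain name ('*' is the default backend)."""
    params, idmap, in_global = {}, {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_global = s.lower() == "[global]"
        elif in_global and s and not s.startswith(("#", ";")):
            if m := IDMAP_RE.match(line):
                idmap.setdefault(m[1].upper(), {})[m[2].lower()] = m[3]
            elif m := PARAM_RE.match(line):
                params[m[1].lower()] = m[2]
    return params, idmap

def check_idmap(text):
    """List idmap problems that stop domain users mapping to Unix ids."""
    params, idmap = parse_global(text)
    findings = []
    wg = params.get("workgroup", "").upper()
    if wg and wg not in idmap:
        findings.append(f"no 'idmap config {wg}' block (found {sorted(idmap)})")
    if "*" not in idmap:
        findings.append("no 'idmap config *' default block")
    # ranges must not overlap, or winbind cannot allocate ids reliably
    rng = {d: tuple(int(x) for x in c["range"].split("-"))
           for d, c in idmap.items() if "range" in c}
    for a in rng:
        for b in rng:
            if a < b and rng[a][0] <= rng[b][1] and rng[b][0] <= rng[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    return findings
```

Run `check_idmap` over the output of `testparm -s` to see the SAMDOM block reported against the EHAC workgroup; renaming the block to EHAC clears the finding.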