[Samba] Samba as AD member can not validate domain user
jd at ionica.lv
Mon Apr 6 13:31:36 MDT 2015
correction (see below)
Quoting jd at ionica.lv:
> Quoting jd at ionica.lv:
>
>> Quoting Rowland Penny <rowlandpenny at googlemail.com>:
>>
>>>> CFG files from fileserver:
>>>> ============
>>>> krb5.conf
>>>> [libdefaults]
>>>> default = INTERNAL.DOMAIN.LV
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>>
>>>> ===========
>>>> nsswitch.conf
>>>> passwd: compat winbind
>>>> group: compat winbind
>>>> shadow: compat files
>>>>
>>>> hosts: files dns
>>>> networks: files
>>>>
>>>> services: files
>>>> protocols: files
>>>> rpc: files
>>>> ethers: files
>>>> netmasks: files
>>>> netgroup: files
>>>> bootparams: files
>>>>
>>>> automount: files
>>>> aliases: files nisplus
>>>> publickey: nisplus
>>>> =============
>>>> SMB.conf on fileserver
>>>> [global]
>>>> security = ADS
>>>> workgroup = INTERNAL
>>>> acl group control = yes
>>>> inherit acls = Yes
>>>> map acl inherit = Yes
>>>> realm = INTERNAL.DOMAIN.LV
>>>> kerberos method = secrets and keytab
>>>> idmap config internal:backend = ad
>>>> idmap config internal:range = 10000-3001000
>>>> idmap config internal:schema_mode = rfc2307
>>>> idmap config *:range = 2000-9999
>>>> idmap config *:backend = tdb
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> winbind enum users = Yes
>>>> winbind enum groups = Yes
>>>> winbind separator = \
>>>> winbind refresh tickets = Yes
>>>> winbind nss info = rfc2307
>>>> winbind use default domain = yes
>>>> winbind trusted domains only = yes
>>>> utmp = yes
>>>> wins server = sambadc.DOMAIN.lv
>>>> wins support = yes
>>>> dns proxy = no
>>>> wins proxy = no
>>>> wtmp directory = /var/log/wtmp
>>>> preferred master = no
>>>> log level = 4
>>>> bind interfaces only = Yes
>>>> interfaces = lo, eth1
>>>> netbios name = FS2
>>>> os level = 33
>>>> ======================
>>> Firstly, please put the smb.conf on the AD DC back to what it was
>>> just after the provision. You do not need the extra lines you have
>>> added.
>>
>> now smb.conf is rather short:
>> [global]
>> workgroup = INTERNAL
>> realm = INTERNAL.DOMAIN.LV
>> netbios name = SAMBADC
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>> idmap_ldb:use rfc2307 = yes
>> log level = 4
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/internal.domain.lv/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>>> You have posted what is probably your problem:
>>>
>>> 3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)'
>>> objectSID gidNumber
>>> gives onlyObjectSID without gidNumber;
>>>
>>> You are using the winbind 'ad' backend on the member server, for
>>> this to work, your users need a 'uidNumber' attribute and 'Domain
>>> Users' (at least) *NEEDS* a 'gidNumber'
>>
>> after assigning UNIX attributes to users and domain groups, all of them have
>> uidNumbers and gidNumbers starting from 10000,
>> ldbsearch gives:
>> dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
>> objectSid: S-1-5-21-216404829-505555237-127066545-513
>> gidNumber: 10000
>>
>>> If you use the 'ad' backend, then giving your users a 'uidNumber'
>>> is not enough, you must give their primarygroup (Domain Users) a
>>> 'gidNumber' attribute.
>>
>> all of the AD users are members of the Domain Users group now.
>>
>> Now on the DC getent passwd gives just a list of local users;
>> getent passwd INTERNAL\\username gives domain user info with
>> uid/gid 100xx:10000
>>
>> still no changes on the fileserver, getent passwd INTERNAL\\username
>> finishes without any msg;
>> in log.winbindd there is this entry:
>> [2015/04/06 21:42:37.714639, 3]
>> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>> getpwnam INTERNAL\username
>>
>>
>> joining the AD DC ends with a joined server and these messages:
>> DNS Update for mail.domain.lv failed: ERROR_DNS_INVALID_MESSAGE
>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>
>> (mail.domain.lv being the hostname of the server where samba
>> fileserver with netbios name FS2 resides)
>>
>> I do not see anything in capital letters in the logs
>
> just wanted to add :
>
> log.smbd on the fileserver gets this msg after an unsuccessful attempt to
> browse shares:
>
> [2015/04/06 22:12:41.553353, 3]
> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
> Found account name from PAC: username []
> [2015/04/06 22:12:41.553372, 3]
> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> Kerberos ticket principal name is [username at INTERNAL.DOMAIN.LV]
> [2015/04/06 22:12:41.554105, 1]
> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> Username INTERNALwusername is invalid on this system
[2015/04/06 22:26:05.829369, 1]
../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
(??? there couldn't be such a local user, as I understood)
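As an added example (not code from the thread or from Samba), a small Python linter for the check Rowland describes above: with the winbind 'ad' backend every user needs a uidNumber, its primary group (Domain Users) needs a gidNumber, and the numbers must fall inside the idmap range from the fileserver's smb.conf. It assumes the input is ldbsearch output with those attributes requested; the Domain Users entry mirrors the thread, while the users alice and bob are constructed.

```python
# Added example, not from the thread: lint an ldbsearch dump for the RFC2307
# attributes winbind's 'ad' backend needs; range from the thread's smb.conf.
IDMAP_RANGE = (10000, 3001000)
def parse_ldif(text):
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip() or line.startswith("#"):  # record end or comment
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr, []).append(value.strip())
    return entries

def check_idmap_ad(entries, idmap_range=IDMAP_RANGE):
    """Return problems that stop winbind 'ad' from mapping a user to uid/gid."""
    lo, hi = idmap_range
    groups = {int(e["objectSid"][0].rsplit("-", 1)[1]): e
              for e in entries if "group" in e.get("objectClass", [])}
    problems = []
    for e in entries:
        if "user" not in e.get("objectClass", []):
            continue
        name = e["sAMAccountName"][0]
        uid = e.get("uidNumber")
        if not uid:
            problems.append(f"{name}: no uidNumber")
        elif not lo <= int(uid[0]) <= hi:
            problems.append(f"{name}: uidNumber {uid[0]} outside idmap range")
        grp = groups.get(int(e.get("primaryGroupID", ["513"])[0]))  # 513 = Domain Users
        if grp is None or "gidNumber" not in grp:
            problems.append(f"{name}: primary group has no gidNumber")
    return problems
# Constructed dump: Domain Users as shown in the thread, one user fixed, one not
SAMPLE = """dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: group
objectSid: S-1-5-21-216404829-505555237-127066545-513
gidNumber: 10000

dn: CN=alice,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: user
sAMAccountName: alice
primaryGroupID: 513
uidNumber: 10001

dn: CN=bob,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: user
sAMAccountName: bob
"""
```

Running `check_idmap_ad(parse_ldif(SAMPLE))` reports only bob, who still lacks a uidNumber; removing the gidNumber line from Domain Users makes every user fail, which is the state Rowland's ldbsearch remark points at.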