[Samba] Samba 4 AD share: Access denied
Rowland Penny
rowlandpenny at googlemail.com
Tue Jul 29 09:40:51 MDT 2014
On 29/07/14 16:17, Ryan Ashley wrote:
> I just checked and I only have */etc/krb5.conf* in */etc*. No keytab.
> I am pasting the provision information from my history as root on the DC.
>
> samba-tool domain provision --use-rfc2307 --interactive
>
> I gave the domain the name "truevine.lan". I also noted that there is
> no Kerberos keytab on the DC. I followed the guides to the letter in
> both cases, and neither mention what you are telling me. I am not
> disputing you, but if this stuff is required, it needs to be in the
> guide/wiki. That is why I started asking questions. I understand the
> guides and have been a Windows admin for years, but doing it with
> Samba is still new, and I love it, though I must learn a standard way
> to do this so it will always work.
If you require the keytab on the Samba4 AD server (if you want to use
sssd for instance) you have to export it with
'samba-tool domain exportkeytab /etc/krb5.keytab'
This will put the keytab in /etc/krb5.keytab and you will then be able
to list the keytab with ktutil.
On a client or member server, the keytab should be created when you join
the domain.
This is the global part of the smb.conf on the laptop I am writing this on:
[global]
workgroup = EXAMPLE
security = ADS
realm = EXAMPLE.COM
#client signing = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 10000-999999
idmap config EXAMPLE : schema_mode = rfc2307
printcap name = cups
cups options = raw
usershare allow guests = yes
domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
username map = /etc/samba/smbmap
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
The laptop runs samba4 in classic mode with users and groups having
uidNumber's & gidNumber's etc stored in AD, both ranges starting at 10000.
With the above smb.conf and all samba daemons stopped, if you now run
'net ads join -U Administrator at EXAMPLE.COM'
The machine should join the domain and /etc/krb5.keytab should be created.
You can read this with ktutil
sudo ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ----
---------------------------------------------------------------------
1 5 host/thinkpad.example.com at EXAMPLE.COM
2 5 host/thinkpad.example.com at EXAMPLE.COM
3 5 host/thinkpad.example.com at EXAMPLE.COM
4 5 host/thinkpad.example.com at EXAMPLE.COM
5 5 host/thinkpad.example.com at EXAMPLE.COM
6 5 host/thinkpad at EXAMPLE.COM
7 5 host/thinkpad at EXAMPLE.COM
8 5 host/thinkpad at EXAMPLE.COM
9 5 host/thinkpad at EXAMPLE.COM
10 5 host/thinkpad at EXAMPLE.COM
11 5 THINKPAD$@EXAMPLE.COM
12 5 THINKPAD$@EXAMPLE.COM
13 5 THINKPAD$@EXAMPLE.COM
14 5 THINKPAD$@EXAMPLE.COM
15 5 THINKPAD$@EXAMPLE.COM
ktutil: q
You should now restart the samba daemons.
Rowland
>
> On 07/29/2014 10:51 AM, Rowland Penny wrote:
>> On 29/07/14 15:33, Ryan Ashley wrote:
>>> I will checkout the module later. Working is my top priority as you
>>> stated. However, you have me curious now. If this keytab is created,
>>> where the heck is it created? I am looking for it in /var/lib/samba,
>>> /etc, and other places. None of my member servers have it and they
>>> all seem to work, minus this stubborn one of course.
>>
>> If you set smb.conf up correctly and the run 'net ads join -U
>> Administrator at EXAMPLE.COM' , you should find that /etc/krb5.keytab is
>> created.
>>
>>>
>>> Also, I did a test earlier and wanted to share the results. This
>>> thing keeps complaining about an idmap ad backend not being found,
>>> and I honestly believe that is the issue, not Kerberos. I am trying
>>> your suggestion because maybe this backend is stored in Kerberos,
>>> who knows. Either way, I am being flooded with errors about this
>>> "idmap backend ad" not being found.
>>
>> The 'idmap backend ad' is part of winbind, and as such, should be
>> available. If I remember correctly you are using a S4 AD DC, can you
>> remember how you provisioned it ?
>>
>>>
>>>
>>> Anyway, I had already added winbind to nsswitch.conf for users and
>>> groups, so I wanted to verify the same UID/GID was being pulled. I
>>> wiped the winbind idmap tdb files and rebooted. Got the same IDs
>>> after it rebooted and created the files again, so no issue there.
>>> For example, the "Domain Users" group always has an ID of 70001.
>>> That much is working. So what in the heck does the missing backend
>>> do? Something is already mapping domain users and groups to IDs, so
>>> I am scratching my head on this one.
>>
>> The 'idmap backend ad' is one that pulls all the user and group info
>> from RFC2307 attributes on the AD server.
>>
>> Rowland
>>
>>>
>>> On 07/29/2014 10:22 AM, Rowland Penny wrote:
>>>> On 29/07/14 15:00, Ryan Ashley wrote:
>>>>> I understand the basics of Kerberos, but the reason that I am
>>>>> asking is because I have dozens of S4 servers in production
>>>>> environments and have never had to create the keytab you
>>>>> mentioned. They all just worked.
>>>>
>>>> If, when you talk about S4 servers, you mean as an AD DC, then yes
>>>> you do not require the keytab, but on a member server (or client)
>>>> when you you join the domain with the net command, the keytab is
>>>> created.
>>>>>
>>>>> Now, I do not mind modifying my pam settings as I have done on
>>>>> loads of Linux workstations which are joined to an AD domain, but
>>>>> how would I prevent the login of users? I have a home directory
>>>>> and cannot remove it, so there is technically a place for their
>>>>> home directories. In Windows I would simply modify group policy to
>>>>> deny logon, but we both know Linux knows nothing of a GPO. So
>>>>> without removing "/home", how would I prevent login?
>>>>>
>>>>> My plan now is to modify pam first, then if needed, do the keytab.
>>>>
>>>> I would do it the other way, get everything to work and then if
>>>> need be, stop user login with PAM. If you install
>>>> the packages I suggested, PAM will do all the work for you
>>>> initially. You could also investigate a PAM module called
>>>> 'pam_nologin' , you should be able to guess what this does ;-)
>>>>
>>>> Rowland
>>>>
>>>
>>
>
More information about the samba
mailing list