[Samba] Samba AD: gidNumber?
Rowland Penny
rowlandpenny241155 at gmail.com
Thu Oct 29 19:52:31 UTC 2015
On 29/10/15 19:27, Viktor Trojanovic wrote:
>
>
> On 29.10.2015 18:49, Rowland Penny wrote:
>> On 29/10/15 17:27, Viktor Trojanovic wrote:
>>>
>>>
>>> On 29.10.2015 17:54, Rowland Penny wrote:
>>>> On 29/10/15 16:21, Viktor Trojanovic wrote:
>>>>>
>>>>>
>>>>> On 27.10.2015 16:16, Rowland Penny wrote:
>>>>>> On 27/10/15 14:58, Viktor Trojanovic wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 27.10.2015 13:54, Rowland Penny wrote:
>>>>>>>> [...]
>>>>>>>>> Yes, I meant the administrator. I did your suggested change on
>>>>>>>>> my member server and restarted it. 'getent passwd
>>>>>>>>> administrator' is still not returning anything, though. Or is
>>>>>>>>> that the wrong way to check if it worked?
>>>>>>>>>
>>>>>>>>
>>>>>>>> If you ran the same command on the DC, it will return
>>>>>>>> something, but on a member server it won't, because the range
>>>>>>>> you set in smb.conf is (if you followed the wiki, 10000-99999)
>>>>>>>> above '0' and anything that is outside the range is ignored.
>>>>>>>> This is not a problem, remember that Administrator is mapped to
>>>>>>>> root on the member server, so if you want to log into the
>>>>>>>> member server, you would do so as root. From windows,
>>>>>>>> Administrator becomes root and carries out any changes etc as
>>>>>>>> root.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Ok, all understood, thank you. But how can I check if it worked
>>>>>>> with the users? I manually changed the Nisdomain and uidNumber
>>>>>>> for two users using ADUC (to 10001 and 10002, respectively), I
>>>>>>> restarted Samba (was this even necessary?), and getent passwd
>>>>>>> <username> will still not return anything.
>>>>>>>
>>>>>>> In other words, what is the quickest way to check if my member
>>>>>>> server setup worked out alright?
>>>>>>
>>>>>> OK, if you compiled samba yourself and you want to test getent on
>>>>>> the member server, see this that I posted earlier:
>>>>>>
>>>>>> https://lists.samba.org/archive/samba/2015-October/195319.html
>>>>>>
>>>>>> If you are using distro packages, the wiki pages should give you
>>>>>> a good idea of what you need.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>> So, I spent quite some time researching it all a bit more in depth
>>>>> but I get stuck at the same point, although I at least seem to
>>>>> have a better understanding of how things should be now.
>>>>>
>>>>> So, my smb.conf on the member server looks exactly like the one in
>>>>> the wiki, except that I also added ACL support as suggested on the
>>>>> wiki page "Shares with Windows ACLs". My filesystem is XFS and has
>>>>> ACL built-in.
>>>>>
>>>>> I do get proper results for wbinfo -u and wbinfo -g, but the id
>>>>> and getent commands just won't work. I'm trying it on users and
>>>>> groups that have a uidNumber or gidNumber defined, respectively.
>>>>>
>>>>> This is what my nsswitch.conf looks like:
>>>>>
>>>>> passwd: compat winbind
>>>>> group: compat winbind
>>>>> hosts: compat dns
>>>>> networks: compat dns
>>>>>
>>>>> My Samba came from a package but I verified that
>>>>> libnss_winbind.so.2 is properly linked.
>>>>>
>>>>> smbd, nmbd and winbindd are properly started with no errors in the
>>>>> logs, I'm joined to the AD, I can browse the member server from my
>>>>> windows machine being logged in as Administrator. But I still
>>>>> can't seem to change ACLs on any objects in the share from within
>>>>> Windows, I'm getting error messages "Error when applying security"
>>>>> (I'm translating freely from German).
>>>>>
>>>>> Do you have any idea what's going wrong here?
>>>>>
>>>>> Viktor
>>>>
>>>> OK, If I remember correctly, we are talking about a domain member
>>>> here, not a DC. If you are using the default smb.conf from here:
>>>>
>>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>>>
>>> No. I'm using the smb.conf from
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>
>>>> with the 'ad' setup from here:
>>>>
>>>> https://wiki.samba.org/index.php/Idmap_config_ad
>>>>
>>> Those lines are already implemented in the smb.conf retrieved from
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> OK, what is the difference between a 'domain member' and a 'member
>> server', well to be honest, not much. You can think of a 'domain
>> member' being the same as a normal windows workstation that a user
>> logs into and it doesn't share anything. You can turn a 'domain
>> member' into a 'member server' very easily, just make it share
>> something :-) if you share printers from it, it becomes a 'Print
>> Server' , add data shares and it becomes a 'File Server', I think you
>> get the idea here :-)
>>
>> Your smb.conf from the 'member server' page is equivalent to the one
>> you can create from the three pages I posted.
>>
>>>> with the acl support lines from here:
>>>>
>>>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#ACL_support_on_domain_members
>>>>
>>>>
>>> Those exact 3 lines, yes.
>>>> then getent should work, but there are a few caveats, the users must
>>>> have a uidNumber inside the range 10000-99999 and Domain Users (at
>>>> least) must have a gidNumber inside the same range. Any users or
>>>> groups outside this range will be ignored and *all* users will be
>>>> ignored if Domain Users either doesn't have a gidNumber or it is
>>>> outside the range.
>>>>
>>> The user I'm trying to return has a uidNumber of 10002, and Domain
>>> Users is set to gidNumber 10000. I have not set those attributes for
>>> other groups and did not expect them to show up with getent.
>>>
>>>> Time must be synchronised between the machines, within 5 mins if I
>>>> remember correctly.
>>> Time is synced and well within 5 mins. Kerberos would fail otherwise
>>> and I am able to request k-tickets for any user without issues.
>>>> The domain member must be joined to the domain (obviously)
>>> Of course.
>>>> The domain member must be using the DC as its DNS server
>>>>
>>>> /etc/resolv.conf
>>>> search samdom.example.com
>>>> nameserver 192.168.0.3 <-- this is the ip of the DC
>>>>
>>> My DC has a fixed IP and that's exactly what my resolv.conf looks
>>> like, no other lines.
>>
>> Yes but does your 'member server' have a fixed ip ?
>>
>>>> You only need this in /etc/krb5.conf
>>>>
>>>> [libdefaults]
>>>> default_realm = SAMDOM.EXAMPLE.COM
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>>
>>> That's exactly what I have. As mentioned, Kerberos seems to work
>>> properly.
>>>
>>>> Ideally your domain member should have a fixed ip, but if you are
>>>> using dhcp, check that the ipaddress isn't 127.0.0.1 or even worse
>>>> 127.0.1.1. If you are using Ubuntu with Network Manager, stop it using
>>>> dnsmasq.
>>>>
>>> See above.
>>>> Check that pam is setup correctly, on debian you can do this by
>>>> running 'pam-auth-update'
>>>>
>>> I don't have pam setup since I don't need the users to log in to
>>> Linux. It is nowhere mentioned, neither on the wiki nor on the book
>>> that this is a prerequisite for getent to work.
>>
>> Applying Hand brake screeching to a halt :-D
>>
>> If pam is not set up you will not get 'getent' to work. Can you
>> please refresh my memory and tell me what OS you are using. Pam is
>> not required on a DC unless you require your users to actually log
>> into it, but it is definitely needed on a 'domain member' (or as you
>> call it, a 'member server')
>>
>> There is a mention of setting up PAM on the page you referred to:
>>
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Setting_up_PAM_authentication
>>
>>
>> Though it is a bit unclear that it is required to make 'getent' work,
>> I will not update this page because there is a very good chance it
>> will get a massive overhaul soon, but I will look into whether any
>> other Pam info specifies that it is needed on a domain member.
>>
>> Rowland
>
> Well, I'll be... I really didn't figure out that that was any kind of
> necessity. Since the getent checks on the wiki (and in my book) are
> performed before the comments about PAM, I thought that's just for
> special situations (such as needing users to log in on Linux). So
> you're saying I can't set my ACLs with domain users because of that?
getent shows what the OS knows about a user, if it shows nothing, that
user is unknown to the OS and as such cannot own anything. On the DC,
this is not really a problem because the users are automatically given
an xidNumber and this is used instead and most people only use the DC
for authentication. You only need the libnss_winbind links and pam (or
something in its place) if you want your users to connect to the member
server.
>
> I guess my next project then is to figure out how to configure this on
> Alpine Linux which is what I'm using for my member server. While I can
> find packages for PAM, it seems that there is no pam_winbind module so
> I'm not sure where this leaves me. Any tips?
Er, use Debian instead :-D
I could give you instructions to set up a basic Samba domain member on
Debian that would only take you about 15mins and is guaranteed to work
(famous last words).
Rowland
>
> Even if not, at least I know now where the problem is. I really
> appreciate all your help.
>
> Viktor
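Added example (not part of the thread above and not Samba's own tooling): a small POSIX shell script that checks, offline, the caveats Rowland lists for a domain member before `getent passwd <user>` can return an AD user: the `idmap config <DOMAIN> : range` in smb.conf, whether a user's uidNumber and the gidNumber of its primary group (normally Domain Users) fall inside that range, and whether nsswitch.conf lists winbind for both passwd and group. The smb.conf and nsswitch.conf it inspects are constructed samples written by the script, modelled on the wiki's domain member configuration and the nsswitch.conf quoted in the thread; the uidNumber/gidNumber values are passed in by the caller rather than read from AD, so the demo runs without a domain.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba itself: sanity-check the
# settings a Samba AD domain member needs before 'getent passwd <user>' can
# return an AD user (idmap range, uidNumber and Domain Users gidNumber inside
# it, winbind in nsswitch.conf).
#
# Assumptions: the 'ad' idmap backend configured as on the wiki, i.e. a line
# like "idmap config SAMDOM : range = 10000-99999"; the uidNumber/gidNumber
# values are supplied by the caller (on a real member you would read them from
# AD, e.g. with ldbsearch against the DC) rather than fetched here.

# Print "LOW HIGH" for the idmap range of DOMAIN (NetBIOS name) in CONF.
idmap_range() {
    conf=$1 domain=$2
    grep -iE "^[[:space:]]*idmap[[:space:]]+config[[:space:]]+${domain}[[:space:]]*:[[:space:]]*range[[:space:]]*=" "$conf" \
        | head -n 1 \
        | sed -E 's/.*=[[:space:]]*([0-9]+)[[:space:]]*-[[:space:]]*([0-9]+).*/\1 \2/'
}

# Return 0 when LOW <= ID <= HIGH; ids outside the range are ignored by winbind.
id_in_range() {
    low=$1 high=$2 id=$3
    [ "$id" -ge "$low" ] && [ "$id" -le "$high" ]
}

# Return 0 when both the passwd and group databases in NSSWITCH list winbind
# (otherwise getent/id never consult libnss_winbind at all).
nsswitch_has_winbind() {
    nss=$1
    for db in passwd group; do
        grep -qE "^[[:space:]]*${db}[^#]*[[:space:]:]winbind([[:space:]]|$)" "$nss" || return 1
    done
}

# Decide whether winbind on a member can map a user: the user's uidNumber and
# the gidNumber of its primary group (normally Domain Users) must both be set
# and inside the domain's idmap range.  Prints the reason; exit status 0 = ok.
user_resolvable() {
    conf=$1 domain=$2 uid=$3 gid=$4
    set -- $(idmap_range "$conf" "$domain")
    low=$1 high=$2
    [ -n "$low" ] || { echo "no 'idmap config $domain : range' in $conf"; return 2; }
    { [ -n "$uid" ] && id_in_range "$low" "$high" "$uid"; } \
        || { echo "uidNumber '$uid' missing or outside $low-$high: user ignored"; return 1; }
    { [ -n "$gid" ] && id_in_range "$low" "$high" "$gid"; } \
        || { echo "primary group gidNumber '$gid' missing or outside $low-$high: all users ignored"; return 1; }
    echo "uidNumber $uid / gidNumber $gid inside $low-$high: getent can resolve this user"
}

# Write constructed sample files (modelled on the wiki's domain member
# smb.conf and the nsswitch.conf quoted in the thread) into directory $1.
write_samples() {
    cat >"$1/smb.conf" <<'EOF'
[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-99999
   winbind nss info = rfc2307
EOF
    cat >"$1/nsswitch.conf" <<'EOF'
passwd: compat winbind
group: compat winbind
hosts: files dns
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    nsswitch_has_winbind "$tmp/nsswitch.conf" \
        && echo "nsswitch.conf: winbind listed for passwd and group"
    user_resolvable "$tmp/smb.conf" SAMDOM 10002 10000 || true   # the thread's user, Domain Users = 10000
    user_resolvable "$tmp/smb.conf" SAMDOM 10002 ""    || true   # Domain Users without a gidNumber
    user_resolvable "$tmp/smb.conf" SAMDOM 0     10000 || true   # Administrator: uid 0 is outside the range
    rm -rf "$tmp"
}

demo
```

Run it as-is to see the three verdicts; on a real member, point `idmap_range` and `nsswitch_has_winbind` at `/etc/samba/smb.conf` and `/etc/nsswitch.conf` and feed `user_resolvable` the attributes you set in ADUC. Note that this only reproduces the range and nsswitch rules from the thread; it does not replace `getent passwd <user>` on the member, which also depends on winbindd running, the join, DNS and time being right, and the PAM/NSS setup discussed above.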