[Samba] [EXTERNAL] Re: Unable to authenticate to share using UPN
Rowland Penny
rpenny at samba.org
Sat Jun 24 09:16:42 UTC 2023
On 23/06/2023 19:08, Mike Robbert wrote:
> Sorry about that, I typed and sent a full message, but it looks like the entire body got swallowed up in transit. Here is the full text again. Let's hope this one works.
>
> I have a server running CentOS 7.9 with the system provided Samba packages (4.10.16-24.el7_9). It is joined to an Active Directory domain and acting as a member server. The Active Directory domain has a user object with, among others, the following attributes defined:
> sAMAccountName = m12345678
> gecos = Zach Detest
> gidNumber = 12345678
> uid = zach_detest
> uidNumber = 12345678
> unixHomeDirectory = /home/m12345678
> userPrincipalName = zach_destest at domain.tld
>
> The smb.conf on the server looks like this:
>
> [global]
> additional dns hostnames = dct-hanas-2.domain.tld
Unless Red Hat backported this, 'additional dns hostnames' didn't appear
until Samba 4.11.0 at the earliest (I say that because I cannot find
just when it was added, but it isn't in 'man smb.conf' for 4.10.x, whereas
it is in 'man smb.conf' for 4.11.x).
> debug class = Yes
> debug pid = Yes
> debug uid = Yes
> disable spoolss = Yes
> kerberos method = secrets and keytab
> load printers = No
> local master = No
> log file = /var/log/samba/log.%I
> max log size = 0
> netbios name = SERVER-DEV
> nt pipe support = No
> printcap name = /dev/null
> realm = ADDOM.DOMAIN.TLD
> security = ADS
> server min protocol = SMB2
> server string = Fileserver %m
> template homedir = /home/%U@%D
> template shell = /bin/bash
> unix extensions = No
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = ADDOM
> fruit:nfs_aces = no
> idmap config * : range = 1-999
> idmap config addom : unix_primary_group = yes
> idmap config addom : unix_nss_info = yes
> idmap config addom : schema_mode = rfc2307
> idmap config addom : backend = ad
> idmap config addom : range = 1000-999999999
> idmap config * : backend = tdb
Do you mind if I ask why you are using such strange (to me) ranges?
They would seem to preclude having any local users and groups.
> acl group control = Yes
> create mask = 0664
> directory mask = 0775
> dos filemode = Yes
> force create mode = 0664
> force directory mode = 0775
> include = /etc/samba/samba-shares.share
> map acl inherit = Yes
> nt acl support = No
> printing = bsd
> read only = No
> vfs objects = catia fruit streams_xattr
>
>
> [test-open]
> path = /tmp/test-open
>
> Both wbinfo and getent work to resolve this user's information using either samaccountname or UPN
>
They are the attributes that work with user searches; however, 'uid'
(being a multi-valued LDAP attribute) doesn't. This isn't just a Samba or
Unix thing, Windows works in the same way.
It looks to me (and I could be totally wrong) that sssd must have code
that can use the 'uid' value and then set that as the owner of a file.
If it is doing this, then how does it get around 'uid' being a multi-valued
attribute?
It is strange you have raised this; Stefan Kania raised virtually the
same subject about a week ago, and during this week a bug report was listed:
https://bugzilla.samba.org/show_bug.cgi?id=15399
I replied to Stefan here:
https://lists.samba.org/archive/samba/2023-June/245561.html
Rowland
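Rowland's question about the idmap ranges is about collisions between winbind-mapped IDs and local accounts. The check below is an added example, not code from the thread or from Samba: it parses the 'idmap config ... : range' lines from an smb.conf like the one quoted above, verifies the ranges are disjoint, and lists local accounts whose UIDs fall inside a winbind range. The smb.conf excerpt and the /etc/passwd lines are constructed samples.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in this thread.
SMB_CONF = """
[global]
idmap config * : range = 1-999
idmap config addom : unix_primary_group = yes
idmap config addom : backend = ad
idmap config addom : range = 1000-999999999
idmap config * : backend = tdb
"""

# Constructed sample /etc/passwd lines (hypothetical local accounts).
PASSWD = """root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
backup:x:1001:1001:Local backup:/home/backup:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges intersect; winbind requires them disjoint."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def local_uid_collisions(ranges, passwd):
    """Local accounts whose UID lies inside a winbind range.

    With 'backend = ad' the AD uidNumber is used as-is, so a domain user with
    uidNumber 1001 would own the same files as the local 'backup' account.
    """
    hits = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue
        uid = int(fields[2])
        for dom, (lo, hi) in ranges.items():
            if lo <= uid <= hi:
                hits.append((fields[0], uid, dom))
    return hits
```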