[Samba] I want a Fedora 20 system to be a member server and offer a share in a Windows 2008R2 Active Directory domain
Rowland Penny
rowlandpenny at googlemail.com
Sat Aug 30 14:51:29 MDT 2014
On 30/08/14 20:14, Greg Scott wrote:
> I'm close to making this work. The goal is to make this Fedora 20 system pretend to be a Windows member server in my Windows 2008R2 Active Directory domain and then I'll use it as a backup target. When I run ADUC from my domain controller, I see my F20 system named nfsa. But from Windows, when I do Start...\\nfsa, I get an Access Denied error and it prompts for credentials. When I do Start...\\nfsa\backups, it just fails with an Access Denied error.
>
> I will paste in the output from testparm below, which has everything in my smb.conf. This should all be OK. I've gotta be missing the piece that sets up my F20 system to trust A/D for authentication so F20 can advertise this share. The guidance on how to do that is contradictory and thin and I'm hopelessly confused. I'm supposed to do some editing to some pam .conf files and nsswitch.conf, but everyone has different guidance. And the edits look elaborate and prone to mistakes.
>
> So Red Hat includes a tool named authconfig that claims to handle this for me. It is supposed to set up all the .conf files to make this work. Pass authconfig the correct parameters and it all just happens. In fact, it's all documented right here in the RHEL 7 Windows Integration Guide:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/winbind-auth.html
>
> The example in section 4.3.2, step 4 uses a parameter named --enablewinbindkrb5 that doesn't exist. And a couple of the parameters in the example need equal signs (parameter=value instead of parameter [space] value). In fairness, that book above is part of RHEL 7 and I'm doing this from Fedora 20 so maybe they are different. Working around that and based on the example, I put this little script together:
>
> [root at nfsa gregs]# more test.sh
> #!/bin/sh
>
> authconfig \
> --enablewinbind \
> --enablewins \
> --enablewinbindauth \
> --smbsecurity=ads \
> --smbworkgroup=EHAC \
> --smbrealm=EHAC.LOCAL \
> --smbservers=ehcserver1.ehac.local \
> --krb5realm=EHAC.LOCAL \
> --enablewinbindoffline \
> --enablekrb5 \
> --winbindtemplateshell=/bin/sh \
> --winbindjoin=administrator \
> --update \
> --enablelocauthorize \
> --savebackup=/home/gregs/backups
> [root at nfsa gregs]#
Have you tried typing the above in a terminal and running it? If you do,
it may print an error message.
Rowland
> When I run it, it makes copies of a bunch of config files and saves them in my /home/gregs/backups directory. But it never updates any of the real .conf files - just one big no-op.
>
> So how do I do this? Surely there's nice, clean, easily reproducible way to make a Linux system offer a share as a member server in a modern A/D domain.
>
> F20 can reach into the domain, but the domain cannot reach out to F20.
>
> wbinfo -g and wbinfo -u show me the groups and users I expect to see. And getent passwd domain\\user returns what I expect after I finally learned I need to escape that "\" character. So F20 can reach into the domain, but the domain can't reach back to F20. That's my problem.
>
> [root at nfsa gregs]# getent passwd ehac\\gregs
> gregs at ehac.local:*:762201118:762200513:Greg Scott:/home/ehac.local/gregs:/bin/bash
>
> Finally, here is a copy of my smb.conf and krb5.conf.
>
> [root at nfsa gregs]# testparm
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[backups]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
> workgroup = EHAC
> realm = ehac.local
> server string = Samba Server nfsa Version %v
> security = ADS
> log file = /var/log/samba/log.%m
> max log size = 50
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> idmap config SAMDOM:range = 500-40000
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:backend = ad
> idmap config *:range = 70001-80000
> idmap config * : backend = tdb
> cups options = raw
>
> [backups]
> comment = backups
> path = /data/nfsa
> read only = No
> guest ok = Yes
> [root at nfsa gregs]#
> [root at nfsa gregs]#
> [root at nfsa gregs]# more /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> # default_realm = EXAMPLE.COM
> default_realm = EHAC.LOCAL
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> # EXAMPLE.COM = {
> # kdc = kerberos.example.com
> # admin_server = kerberos.example.com
> # }
>
> EHAC.LOCAL = {
> kdc = ehcserver1.ehac.local
> admin_server = ehcserver1.ehac.local
> }
>
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
>
> .ehac.local = EHAC.LOCAL
> ehac.local = EHAC.LOCAL
> [root at nfsa gregs]#
>
> Oh yes - I have no idea if this is relevant or not but I see these errors about printers in /var/log/messages when I restart smb. I don't care about printing here and would be fine with just turning off all printing if there's a way to do it. But maybe these printer errors contribute to my real problem.
>
> [root at nfsa gregs]# tail /var/log/messages
> Aug 30 13:42:36 nfsa smbd[7353]: [2014/08/30 13:42:36.137682, 0] ../source3/printing/print_cups.c:151(cups_connect)
> Aug 30 13:42:36 nfsa smbd[7353]: Unable to connect to CUPS server localhost:631 - Bad file descriptor
> Aug 30 13:42:36 nfsa smbd[7010]: [2014/08/30 13:42:36.137938, 0] ../source3/printing/print_cups.c:528(cups_async_callback)
> Aug 30 13:42:36 nfsa smbd[7010]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
> Aug 30 13:50:01 nfsa systemd: Starting Session 271 of user root.
> Aug 30 13:50:02 nfsa systemd: Started Session 271 of user root.
> Aug 30 13:55:36 nfsa smbd[7380]: [2014/08/30 13:55:36.883693, 0] ../source3/printing/print_cups.c:151(cups_connect)
> Aug 30 13:55:36 nfsa smbd[7380]: Unable to connect to CUPS server localhost:631 - Bad file descriptor
> Aug 30 13:55:36 nfsa smbd[7010]: [2014/08/30 13:55:36.883950, 0] ../source3/printing/print_cups.c:528(cups_async_callback)
> Aug 30 13:55:36 nfsa smbd[7010]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
> [root at nfsa gregs]#
>
> I've installed winbind, and winbind and smb are running. SElinux is set to permissive. I don't think I need nmb anymore but I can try turning it on.
>
> [root at nfsa gregs]# systemctl list-unit-files | grep smb
> smb.service enabled
> [root at nfsa gregs]# systemctl list-unit-files | grep nmb
> nmb.service disabled
> [root at nfsa gregs]# systemctl list-unit-files | grep winbind
> winbind.service enabled
> [root at nfsa gregs]#
>
> Oh - versions - everything came from Red Hat binaries a few days ago:
>
> [root at nfsa gregs]# more /etc/issue
> Fedora release 20 (Heisenbug)
> Kernel \r on an \m (\l)
>
> [root at nfsa gregs]# rpm -qa | grep samba
> samba-winbind-modules-4.1.9-4.fc20.x86_64
> samba-common-4.1.9-4.fc20.x86_64
> samba-4.1.9-4.fc20.x86_64
> samba-winbind-4.1.9-4.fc20.x86_64
> samba-libs-4.1.9-4.fc20.x86_64
> samba-winbind-clients-4.1.9-4.fc20.x86_64
> [root at nfsa gregs]#
> [root at nfsa gregs]# rpm -qa | grep krb5
> pam_krb5-2.4.8-1.fc20.x86_64
> sssd-krb5-common-1.11.6-1.fc20.x86_64
> sssd-krb5-1.11.6-1.fc20.x86_64
> krb5-workstation-1.11.5-11.fc20.x86_64
> krb5-libs-1.11.5-11.fc20.x86_64
> [root at nfsa gregs]#
>
> Thanks
>
> - Greg Scott
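
Editor's note, added to this archived thread and not part of either poster's message: the testparm output quoted above is the kind of thing worth checking mechanically before touching PAM or nsswitch. Two things stand out in it that a member-server admin would normally want flagged: the "idmap config" stanzas name SAMDOM while the workgroup is EHAC, and the UID returned by "getent passwd ehac\\gregs" (762201118) lies outside both configured idmap ranges (500-40000 and 70001-80000). The script below is an added example, not Samba's own tooling; it parses an smb.conf dump (the sample is copied from the quoted testparm output), reports whether the workgroup has its own idmap stanza, and tells you which configured range, if any, a given UID falls into. It tolerates both spacings testparm prints ("idmap config *:range" and "idmap config * : backend").

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an AD member
# server's smb.conf idmap settings. It checks that the workgroup named in
# [global] has its own "idmap config <WORKGROUP>:" stanza, and reports which
# configured idmap range (if any) a resolved UID falls into.
#
# SAMPLE_CONF is copied from the testparm output quoted in the post; the UID
# used at the bottom (762201118) is the one 'getent passwd ehac\\gregs'
# returned there.

SAMPLE_CONF='[global]
workgroup = EHAC
realm = ehac.local
security = ADS
winbind use default domain = Yes
winbind nss info = rfc2307
idmap config SAMDOM:range = 500-40000
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:backend = ad
idmap config *:range = 70001-80000
idmap config * : backend = tdb'

# smb_workgroup: print the workgroup value from an smb.conf read on stdin.
smb_workgroup() {
    awk -F'=' 'tolower($1) ~ /^[ \t]*workgroup[ \t]*$/ {
        gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# idmap_domains: print each distinct domain (or "*") that has an
# "idmap config <DOMAIN>:" stanza in the smb.conf read on stdin.
idmap_domains() {
    awk 'tolower($0) ~ /^[ \t]*idmap config / {
        s = substr($0, index(tolower($0), "idmap config ") + 13)
        sub(/^[ \t]+/, "", s)       # tolerate extra spaces after "config"
        sub(/[ \t]*:.*$/, "", s)    # tolerate "idmap config * : backend"
        print s }' | sort -u
}

# idmap_covers_workgroup: exit 0 if the workgroup has its own idmap stanza,
# 1 if only other domains (or just the "*" default) are configured.
idmap_covers_workgroup() {
    conf=$(cat)
    wg=$(printf '%s\n' "$conf" | smb_workgroup)
    [ -n "$wg" ] || return 1
    printf '%s\n' "$conf" | idmap_domains | grep -Fxqi -- "$wg"
}

# idmap_range_for_uid UID: print the domain whose "idmap config <DOMAIN>:range"
# contains UID, or "none" if UID lies outside every configured range.
idmap_range_for_uid() {
    awk -v uid="$1" 'tolower($0) ~ /^[ \t]*idmap config .*:[ \t]*range[ \t]*=/ {
        s = substr($0, index(tolower($0), "idmap config ") + 13)
        sub(/^[ \t]+/, "", s)
        dom = s; sub(/[ \t]*:.*$/, "", dom)     # "SAMDOM" or "*"
        rng = s; sub(/^.*=[ \t]*/, "", rng)     # "500-40000"
        split(rng, r, "-")
        if (uid + 0 >= r[1] + 0 && uid + 0 <= r[2] + 0) { print dom; found = 1; exit }
    }
    END { if (!found) print "none" }'
}

# check_config UID: human-readable report for an smb.conf read on stdin.
check_config() {
    conf=$(cat)
    wg=$(printf '%s\n' "$conf" | smb_workgroup)
    printf 'workgroup: %s\n' "$wg"
    printf 'idmap stanzas: %s\n' "$(printf '%s\n' "$conf" | idmap_domains | tr '\n' ' ')"
    if printf '%s\n' "$conf" | idmap_covers_workgroup; then
        printf 'OK: "idmap config %s:" stanza present\n' "$wg"
    else
        printf 'WARN: no "idmap config %s:" stanza; that domain will use the "*" default backend\n' "$wg"
    fi
    printf 'UID %s maps to idmap range: %s\n' "$1" \
        "$(printf '%s\n' "$conf" | idmap_range_for_uid "$1")"
}

printf '%s\n' "$SAMPLE_CONF" | check_config 762201118
```

Run it against a live system with "testparm -s 2>/dev/null | check_config $(id -u 'EHAC\someuser')" to compare what the idmap ranges allow with what NSS actually hands back; a UID that matches none of the ranges means something other than the idmap backends listed in smb.conf is answering getent.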