[Samba] Domain Member server - Domain users don't get access

[Rowland Penny]

On 12/02/14 22:12, Shane Robinson wrote:
> I'll answer in line below (sorry about the top-posting, I blame outlook)
>
> Shane Robinson
> Chief Administrative Officer
> SimpeQ Care
> t. 604.988.3103 ext. 104
> c. 604.506.3311
> f. 604.988.3105
> Please consider the environment before printing this email.
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of steve
> Sent: Wednesday, February 12, 2014 12:10 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain Member server - Domain users don't get access
>
> On Tue, 2014-02-11 at 16:15 -0800, Shane Robinson wrote:
>>> Hello list!
>>>
>>>   
>>>
>>> I have a newish Samba 4.1.4 (from git) AD DC running in an Ubuntu
>>> Precise KVM guest. It seems to be running well. Recent list posts have
>>> led me to set up a second instance of samba/ubuntu as a file server.
>>> Like the domain controller, Samba was built from git, but then it was
>>> configured using the "Samba/Domain Member" wiki. I added the sfu
>>> attributes to a few users/groups using ADUC, but I don't see that
>>> mentioned as a requirement (Is it a requirement?).
>> If you want getent to work, you don't _have_ to add the sfu stuff.
>> uidNumber and gidNumber are sufficient.
>>>   
>>>
>>> My domain name is internal.simpeq.ca, the DC's name is Samba2, and the
>>> new file server's name is FS2. I start the services with a script that
>>> runs winbindd, then smbd, then nmbd, in that order.
>>>
>>>   
>>>
>>> Wbinfo -u and wbinfo -g work well, enumerating all domain users and
> groups.
>>>   
>>>
>>> Kinit works.
>>>
>>>   
>>>
>>>
>>>
>>> $ getent passwd INTERNAL\\administrator
>>>
>>> AND
>>>
>>> getent group INTERNAL\\hrall
>>>
>>>   
>>>
>>> . give nothing.
>>>
>>>
>>>
>>> An strace of getent revealed that /lib64 was never queried for
>>> libnss_winbind.so, but /usr/lib/x86_64-linux-gnu was, so I relinked
>>> libnss_winbind.so to that folder.
>>>
>>> (Is this incorrect, or shall I update the Wiki with this information
>>> for Ubuntu users?)
>>>
>>> am
>> The wiki is for 32 bit non-Debian distros only.
>> How did you join FS2?
>> Could you post:
>> The content of its keytab
>> The DN of INTERNAL\administrator
>> Cheers,
>> Steve
>
> Thanks for the reply Steve (et al)!
>
> First, if the uidNumber and ridNumber are required, I'll add that as a note
> to the wiki, once my account is active. Is it as simple as adding them in
> ADUC? Can you leave the default numbers in? For example, my administrator
> account has a uidNumber of 10002 and a gidNumber of 10004, as they were the
> defaults in ADUC.
>
> Second, the wiki makes no mention of being "32-bit non-debian". There is a
> section on linking the libnss_winbind.so in 64bit systems, but it only asks
> the user to link to /lib64, which doesn't appear to be correct for the
> ubuntu situation. If my suggestion is correct, I will add this to the wiki
> as well.
>
>
> The join was as follows: (did it again to be sure)
>
> shane at FS2:/usr/local/samba$ sudo ./bin/net ads join -UAdministrator
> Enter Administrator's password:
> Using short domain name -- INTERNAL
> Joined 'FS2' to dns domain 'internal.simpeq.ca'
> No DNS domain configured for fs2. Unable to perform DNS Update.
> DNS update failed: NT_STATUS_INVALID_PARAMETER
>
> The distinguishedName of Administrator (from ADSI) is:
> CN=Administrator,CN=Users,DC=internal,DC=simpeq,DC=ca
>
>
> As to the keytab file:
>
> shane at FS2:/usr/local/samba$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)
>
> And here's the part of the show where I explain that this is my first and
> only foray into anything Active Directory (LDAP, Kerberos, DNS etc).
>
> There was no mention whatsoever of a keytab file on the wiki, so I didn't do
> anything about it. Should one have been created/retrieved/found/pulled out
> of my... ? If so, what is the procedure for doing so? I'd love to be able to
> make that wiki as complete as possible.
>
> Thank you very much!
>
I think that part of your problem lies in the fact that the example 
smb.conf on the wiki page is only a partial example, it is missing, For 
instance:

kerberos method = secrets and keytab
winbind refresh tickets = Yes

If you add these lines, restart samba and then rejoin, I am sure that 
you will find that /etc/krb5.conf has been created (provided, of course, 
that you have installed krb5-user).

The other problem with the wiki, is that it is written by ordinary 
users, who base what they write, on what they did to their own system 
and Linux being Linux, the way that you do something on rpm based 
systems is different from deb based system, package names is the least 
of the differences. Along came 64bit (well, it didn't really, sun for 
instance had 64bit machines for years before AMD/intel discovered them) 
and of course various distro's did different things, so yes, as you 
found, /lib64 is /usr/lib/x86_64 on Ubuntu.

If you use the ad backend then you need uidNumber's & gidNumber's in AD 
and they need to be within the range that you set in smb.conf, the one 
that you refer to should be fine.

Rowland