[Samba] Samba as AD member can not validate domain user

jd at ionica.lv jd at ionica.lv
Mon Apr 6 13:17:48 MDT 2015


Quoting jd at ionica.lv:

> Quoting Rowland Penny <rowlandpenny at googlemail.com>:
>
>>> CFG files from fileserver:
>>> ============
>>> krb5.conf
>>> [libdefaults]
>>> default = INTERNAL.DOMAIN.LV
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> ===========
>>> nsswitch.conf
>>> passwd:         compat winbind
>>> group:          compat winbind
>>> shadow:         compat files
>>>
>>> hosts:          files dns
>>> networks:       files
>>>
>>> services:       files
>>> protocols:      files
>>> rpc:            files
>>> ethers:         files
>>> netmasks:       files
>>> netgroup:       files
>>> bootparams:     files
>>>
>>> automount:      files
>>> aliases:        files nisplus
>>> publickey:      nisplus
>>> =============
>>> SMB.conf on fileserver
>>> [global]
>>>       security = ADS
>>>       workgroup = INTERNAL
>>>       acl group control = yes
>>>       inherit acls = Yes
>>>       map acl inherit = Yes
>>>       realm = INTERNAL.DOMAIN.LV
>>>       kerberos method = secrets and keytab
>>>       idmap config internal:backend = ad
>>>       idmap config internal:range = 10000-3001000
>>>       idmap config internal:schema_mode = rfc2307
>>>       idmap config *:range = 2000-9999
>>>       idmap config *:backend = tdb
>>>       dedicated keytab file = /etc/krb5.keytab
>>>       winbind enum users = Yes
>>>       winbind enum groups = Yes
>>>       winbind separator = \
>>>       winbind refresh tickets = Yes
>>>       winbind nss info = rfc2307
>>>       winbind use default domain = yes
>>>       winbind trusted domains only = yes
>>>       utmp = yes
>>>       wins server = sambadc.DOMAIN.lv
>>>       wins support = yes
>>>       dns proxy = no
>>>       wins proxy = no
>>>       wtmp directory = /var/log/wtmp
>>>       preferred master = no
>>>       log level = 4
>>>       bind interfaces only = Yes
>>>       interfaces = lo, eth1
>>>       netbios name = FS2
>>>       os level = 33
>>> ======================
>> Firstly, please put the smb.conf on the AD DC back to what it was  
>> just after the provision. You do not need the extra lines you have  
>> added.
>
> now smb.conf is rather short:
> [global]
>         workgroup = INTERNAL
>         realm = INTERNAL.DOMAIN.LV
>         netbios name = SAMBADC
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,  
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 = yes
>         log level = 4
>
> [netlogon]
>         path = /var/lib/samba/sysvol/internal.domain.lv/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
>> You have posted what is probably your problem:
>>
>> 3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)'  
>> objectSID gidNumber
>> gives only objectSID without gidNumber;
>>
>> You are using the winbind 'ad' backend on the member server, for  
>> this to work, your users need a 'uidNumber' attribute and 'Domain  
>> Users' (at least) *NEEDS* a 'gidNumber'
>
> after assigning UNIX attributes to users and domain groups, all of them have
> uidNumbers and gidNumbers starting from 10000,
> ldbsearch gives:
> dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
> objectSid: S-1-5-21-216404829-505555237-127066545-513
> gidNumber: 10000
>
>> If you use the 'ad' backend, then giving your users a 'uidNumber'  
>> is not enough, you must give their primarygroup (Domain Users) a  
>> 'gidNumber' attribute.
>
> all of the AD users are members of the Domain Users group now.
>
> Now on the DC getent passwd gives just a list of local users;
> getent passwd INTERNAL\\username gives domain user info with uid/gid  
> 100xx:10000
>
> still no changes on the fileserver, getent passwd INTERNAL\\username  
> finishes without any message;
> in log.winbindd there is a note:
> 2015/04/06 21:42:37.714639,  3]  
> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>   getpwnam INTERNAL\username
>
>
> joining the AD DC ends with a joined server and these messages:
> DNS Update for mail.domain.lv failed: ERROR_DNS_INVALID_MESSAGE
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> (mail.domain.lv being the hostname of the server where samba  
> fileserver with netbios name FS2 resides)
>
> I do not see anything in capital letters in the logs

Just wanted to add:

log.smbd on the fileserver gets this message after an unsuccessful attempt to  
browse shares:

[2015/04/06 22:12:41.553353,  3]  
../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
   Found account name from PAC: username []
[2015/04/06 22:12:41.553372,  3]  
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
   Kerberos ticket principal name is [username at INTERNAL.DOMAIN.LV]
[2015/04/06 22:12:41.554105,  1]  
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
   Username INTERNALwusername is invalid on this system

Janis
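The requirement Rowland describes above (every user needs a uidNumber and the primary group Domain Users needs a gidNumber, both inside the range configured for the 'ad' idmap backend) can be checked before a member server is joined. The script below is an added example, not code from this thread or from Samba; the smb.conf lines and ldbsearch-style records it reads are constructed samples, and it recognises the primary group by the well-known RID 513 rather than by name.

```python
import re
# Constructed sample of an AD member's idmap settings (not the poster's smb.conf)
SMB_CONF = """
idmap config internal:backend = ad
idmap config internal:range = 10000-3001000
idmap config *:range = 2000-9999
"""
# Constructed ldbsearch-style records; RID 513 is the well-known Domain Users group
LDIF = """
dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
objectSid: S-1-5-21-0-0-0-513
gidNumber: 10000

dn: CN=bob,CN=Users,DC=internal,DC=domain,DC=lv
uidNumber: 5000
gidNumber: 10000

dn: CN=carol,CN=Users,DC=internal,DC=domain,DC=lv
gidNumber: 10000
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):  # -> {domain: {key: value}} from every 'idmap config' line
    cfg = {}
    for m in filter(None, map(IDMAP_RE.match, conf.splitlines())):
        cfg.setdefault(m.group(1).lower(), {})[m.group(2).lower()] = m.group(3)
    return cfg

def parse_ldif(text):  # -> one {attr: value} dict per blank-line-separated record
    return [dict((k.strip(), v.strip()) for k, _, v in
                 (ln.partition(":") for ln in block.splitlines()))
            for block in re.split(r"\n\s*\n", text.strip())]

def check_idmap_ad(conf, ldif, domain):  # conditions under which winbind skips users
    dom = parse_idmap(conf).get(domain.lower(), {})
    if dom.get("backend", "").lower() != "ad":
        return [f"{domain}: idmap backend is not 'ad'"]
    lo, hi = map(int, dom["range"].split("-"))        # ids outside this range are dropped
    problems = []
    for r in parse_ldif(ldif):
        name = r["dn"].split(",")[0]
        if r.get("objectSid", "").endswith("-513"):        # the users' primary group
            if not lo <= int(r.get("gidNumber", -1)) <= hi:
                problems.append(f"{name}: gidNumber missing or outside {lo}-{hi}")
        elif "uidNumber" not in r:                         # user without a uidNumber
            problems.append(f"{name}: no uidNumber, winbind cannot map it")
        elif not lo <= int(r["uidNumber"]) <= hi:
            problems.append(f"{name}: uidNumber {r['uidNumber']} outside {lo}-{hi}")
    return problems
```

Run it against the real output of `ldbsearch -H private/sam.ldb '(objectClass=user)' uidNumber gidNumber objectSid` on the DC to see which accounts the member server will refuse to map.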