[Samba] Samba as AD member can not validate domain user
Rowland Penny
rowlandpenny at googlemail.com
Mon Apr 6 13:49:32 MDT 2015
On 06/04/15 19:49, jd at ionica.lv wrote:
>
> Citēju Rowland Penny <rowlandpenny at googlemail.com>:
>
>>> CFG files from fileserver:
>>> ============
>>> krb5.conf
>>> [libdefaults]
>>> default = INTERNAL.DOMAIN.LV
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> ===========
>>> nsswitch.conf
>>> passwd: compat winbind
>>> group: compat winbind
>>> shadow: compat files
>>>
>>> hosts: files dns
>>> networks: files
>>>
>>> services: files
>>> protocols: files
>>> rpc: files
>>> ethers: files
>>> netmasks: files
>>> netgroup: files
>>> bootparams: files
>>>
>>> automount: files
>>> aliases: files nisplus
>>> publickey: nisplus
>>> =============
>>> SMB.conf on fileserver
>>> [global]
>>> security = ADS
>>> workgroup = INTERNAL
>>> acl group control = yes
>>> inherit acls = Yes
>>> map acl inherit = Yes
>>> realm = INTERNAL.DOMAIN.LV
>>> kerberos method = secrets and keytab
>>> idmap config internal:backend = ad
>>> idmap config internal:range = 10000-3001000
>>> idmap config internal:schema_mode = rfc2307
>>> idmap config *:range = 2000-9999
>>> idmap config *:backend = tdb
>>> dedicated keytab file = /etc/krb5.keytab
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind separator = \
>>> winbind refresh tickets = Yes
>>> winbind nss info = rfc2307
>>> winbind use default domain = yes
>>> winbind trusted domains only = yes
>>> utmp = yes
>>> wins server = sambadc.DOMAIN.lv
>>> wins support = yes
>>> dns proxy = no
>>> wins proxy = no
>>> wtmp directory = /var/log/wtmp
>>> preferred master = no
>>> log level = 4
>>> bind interfaces only = Yes
>>> interfaces = lo, eth1
>>> netbios name = FS2
>>> os level = 33
>>> ======================
>> Firstly, please put the smb.conf on the AD DC back to what it was
>> just after the provision. You do not need the extra lines you have
>> added.
>
> now smb.conf is rather short:
> [global]
> workgroup = INTERNAL
> realm = INTERNAL.DOMAIN.LV
> netbios name = SAMBADC
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> log level = 4
>
> [netlogon]
> path = /var/lib/samba/sysvol/internal.domain.lv/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>> You have posted what is probably your problem:
>>
>> 3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)' objectSID
>> gidNumber
>> gives only objectSID without gidNumber;
>>
>> You are using the winbind 'ad' backend on the member server, for this
>> to work, your users need a 'uidNumber' attribute and 'Domain Users'
>> (at least) *NEEDS* a 'gidNumber'
>
> after assigning UNIX attributes to users and domain groups all of them
> have
> uidNumbers and gidNumbers starting from 10000,
> ldbsearch gives:
> dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
> objectSid: S-1-5-21-216404829-505555237-127066545-513
> gidNumber: 10000
>
>> If you use the 'ad' backend, then giving your users a 'uidNumber' is
>> not enough, you must give their primarygroup (Domain Users) a
>> 'gidNumber' attribute.
>
> all of the AD users are members of the Domain Users group now.
What do you mean by 'all of the AD users are members of the Domain Users
group now'?
I hope you haven't changed the users' primaryGroupID attribute.
>
> Now on DC getent passwd gives just list of local users;
> getent passwd INTERNAL\\username gives domain user info with uid/gid
> 100xx:10000
This is what I get when I run getent on one of my DCs:
root at dc01:~# getent passwd rowland
EXAMPLE\rowland:*:10000:10000:Rowland Penny:/home/EXAMPLE/rowland:/bin/bash
NOTE: I also have this line in smb.conf:
template shell = /bin/bash
> still no changes on fileserver, getent passwd INTERNAL\\username
> finishes without any msg;
Hmm, if I run (on a member server):
getent passwd EXAMPLE\\rowland
I get:
rowland:*:10000:10000::/home/rowland:/bin/bash
> in log.winbindd there is notion:
> 2015/04/06 21:42:37.714639, 3]
> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> getpwnam INTERNAL\username
>
>
> joining to the AD DC ends with joined server and such messages:
> DNS Update for mail.domain.lv failed: ERROR_DNS_INVALID_MESSAGE
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> (mail.domain.lv being the hostname of the server where samba
> fileserver with netbios name FS2 resides)
>
> I do not see anything in capital letters in the logs
>
> Janis
>
Try changing smb.conf on the fileserver to this:
[global]
workgroup = INTERNAL
security = ADS
realm = INTERNAL.DOMAIN.LV
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config INTERNAL:backend = ad
idmap config INTERNAL:range = 10000-3001000
idmap config INTERNAL:schema_mode = rfc2307
dns proxy = no
preferred master = no
log level = 4
bind interfaces only = Yes
interfaces = lo, eth1
os level = 33
domain master = no
local master = no
map to guest = bad user
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
Rowland
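The check Rowland's reply describes (every user needs a uidNumber, and each user's primary group, normally Domain Users, needs a gidNumber, with both inside the range given to the domain's 'ad' idmap backend) can be scripted against `ldbsearch` output. The script below is an added example and is not part of the thread or of Samba itself: it parses LDIF text, looks up each user's primary group by appending primaryGroupID to the domain SID, and reports what winbind's 'ad' backend would be unable to map. The LDIF entries, the domain SID and the smb.conf fragment are constructed sample data, not values from the original posts.

```python
"""Verify the rfc2307 preconditions for winbind's 'ad' idmap backend.

Added example, not code from the mailing-list thread or from Samba.
It parses LDIF as printed by `ldbsearch`, then checks that every user
has a uidNumber and that the user's primary group (primaryGroupID is a
RID relative to the domain SID) has a gidNumber, both inside the range
configured for the domain in smb.conf. All sample data is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample directory: one user is complete, one has a primary
# group without gidNumber, one has no uidNumber at all. Not real data.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: group
objectSid: S-1-5-21-111-222-333-513
gidNumber: 10000

dn: CN=Staff,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: group
objectSid: S-1-5-21-111-222-333-1105

dn: CN=janis,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: user
sAMAccountName: janis
objectSid: S-1-5-21-111-222-333-1104
primaryGroupID: 513
uidNumber: 10001

dn: CN=anna,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: user
sAMAccountName: anna
objectSid: S-1-5-21-111-222-333-1106
primaryGroupID: 1105
uidNumber: 10002

dn: CN=svc-backup,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: user
sAMAccountName: svc-backup
objectSid: S-1-5-21-111-222-333-1107
primaryGroupID: 513
"""

# Constructed smb.conf fragment mirroring the member-server idmap settings
# suggested in the thread (range values are sample data).
SAMPLE_SMB_CONF = """\
[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config INTERNAL:backend = ad
idmap config INTERNAL:range = 10000-3001000
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into entries; each attribute maps to its list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry: Dict[str, List[str]] = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)
            entry.setdefault(key.strip(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def idmap_range(smb_conf: str, domain: str) -> Tuple[int, int]:
    """Return (low, high) from 'idmap config <domain>:range = low-high'."""
    pattern = rf"idmap config {re.escape(domain)}\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    m = re.search(pattern, smb_conf, re.IGNORECASE)
    if not m:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))


def check_rfc2307(ldif: str, smb_conf: str, domain: str) -> List[str]:
    """Return the problems found; an empty list means every user is mappable."""
    low, high = idmap_range(smb_conf, domain)
    entries = parse_ldif(ldif)
    groups_by_sid = {e["objectSid"][0]: e
                     for e in entries if "group" in e.get("objectClass", [])}
    problems = []
    for e in entries:
        if "user" not in e.get("objectClass", []):
            continue
        name = e["sAMAccountName"][0]
        uid = e.get("uidNumber")
        if not uid:
            problems.append(f"user {name}: missing uidNumber")
        elif not low <= int(uid[0]) <= high:
            problems.append(f"user {name}: uidNumber {uid[0]} outside {low}-{high}")
        # primaryGroupID is a RID; the group's SID is the domain SID plus that RID
        domain_sid = e["objectSid"][0].rsplit("-", 1)[0]
        pg_sid = f"{domain_sid}-{e['primaryGroupID'][0]}"
        group = groups_by_sid.get(pg_sid)
        gid = group.get("gidNumber") if group else None
        if not gid:
            problems.append(f"user {name}: primary group {pg_sid} has no gidNumber")
        elif not low <= int(gid[0]) <= high:
            problems.append(f"user {name}: primary group gidNumber {gid[0]} outside {low}-{high}")
    return problems


if __name__ == "__main__":
    for problem in check_rfc2307(SAMPLE_LDIF, SAMPLE_SMB_CONF, "INTERNAL"):
        print(problem)
```

On a real DC the LDIF would come from something like `ldbsearch -H /var/lib/samba/private/sam.ldb '(|(objectClass=user)(objectClass=group))' objectClass sAMAccountName objectSid primaryGroupID uidNumber gidNumber`; the script deliberately reads text rather than the database so it can be run on a copy of the output from a member server. Users that fail the primary-group check are exactly the ones `getent passwd` silently omits with the 'ad' backend.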