[Samba] Samba4 ad dc with Centos7

Marcio Costa marciofoz at gmail.com
Tue Dec 8 16:03:46 UTC 2015


Must the "troubleshooting note" in the Samba wiki (
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Using_domain_accounts.2Fgroups_in_OS_commands)
be performed only when setting up Samba as an AD member, and not when setting it up
as an AD DC?


2015-12-08 12:54 GMT-02:00 L.P.H. van Belle <belle at bazuin.nl>:

> I don't see the difference, I think it's all in how you interpret it.
> (Sorry about the spelling errors.)
>
> For example
> > wbinfo can get a whole list of all Samba users (I believe it can do that
> > with AD or NT4 or standalone
> Which is exactly what I want.
>
> > wbinfo does not show system users..
> Which is also exactly what I want.
>
> > wbinfo does not show system users, it
> > shows Samba users which can become system users once they are transformed
> > (with pam tools as winbind, sssd or nslcd).
> Again, exactly what I want.
>
> > I feel
> > confusion (for me and for some users of that mailing list) between Samba's
> > system users (users from Samba usable on the system side, here the system is
> > the one hosting Samba, the server system), Samba users (Samba internal
> > users) and client system users (system users which access the share).
> > With domains there are also system users built from the domain (Windows
> > system users SAMDOM\my-user or Linux users from AD/NT4 built with winbind
>
> Yeah, that sucks. Well, don't think in terms of Samba system users.
>
> > Samba's system users (users from Samba usable on the system side,
> > here the system is
> > the one hosting Samba, the server system),
> > Samba users (Samba internal users) and
> > client system users (system users which access the share).
>
> You have "local" users/groups, per server/client (adduser username).
> You have "domain" users/groups, per domain.
> You have "mapped users", as I call them.
> And last, you have "local system users" (UID lower than 1000).
>
> Based on this example :
>
>         ## map IDs outside the domain to tdb files.
>         idmap config * : backend = tdb
>         idmap config * : range = 2000-9999
>         ## map IDs from the domain; the (*) and domain ranges may not overlap!
>         idmap config DOMAINNAME: backend = ad
>         idmap config DOMAINNAME: schema_mode = rfc2307
>         idmap config DOMAINNAME: range = 10000-3999999
>
>
> A local user: any user with a UID lower than 2000.
>
> A domain user:
> idmap config DOMAINNAME : range = 10000-3999999
>
> A mapped user is a local user with its UID in the * range
> (idmap config * : range = 2000-9999).
>
> If you want any local users to be mapped to Samba, change it to:
> (idmap config * : range = 1000-9999)
>
> And I don't advise mapping "local system users".
>
> Any of them can access shares, but it all depends on your setup.
> I think you make an easy thing a hard one, and probably due to the setup
> you have. I'm not saying your setup is bad or wrong, but maybe too complex
> or not well thought out. I spent about a year testing and configuring
> and testing for a good base setup, and that is where it all starts; I started at
> least 10 times over, because I forgot a "thing/process" running on a server
> and which users and/or groups should be able to access it.
>
> It's pretty simple: only use "domain users" when you have a domain.
> And only use local users for local needs.
> I only have 1 user on my Linux server for administering the server.
> And I also gave some domain users access to a local server.
> You can add a domain user to a local group if your setup is working
> correctly.
>
> System users are just there to run processes/services on the server, and/or for
> administering the server.
>
> So sorry, but I don't see the problem you're having.
>
> I do the same in Samba 4 as I did in Samba 3, and more.
> And this all looks normal to me.
>
> But...
> I do agree, there should be more examples of how things work with these users.
> And some examples of when you use, for example, a "mapped" user, or a local
> user, etc.
>
>
>
> Greetz,
>
> Louis
>
>
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
> > Sent: Tuesday 8 December 2015 14:56
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Samba4 ad dc with Centos7
> >
> > That's what I thought, and why I said there is no enumeration for system
> > users.
> > wbinfo can get a whole list of all Samba users (I believe it can do that
> > with AD or NT4 or standalone). But wbinfo does not show system users, it
> > shows Samba users which can become system users once they are transformed
> > (with pam tools as winbind, sssd or nslcd).
> >
> > I insist because after months spent here and years with Samba I feel
> > confusion (for me and for some users of that mailing list) between Samba's
> > system users (users from Samba usable on the system side, here the system is
> > the one hosting Samba, the server system), Samba users (Samba internal
> > users) and client system users (system users which access the share).
> > With domains there are also system users built from the domain (Windows
> > system users SAMDOM\my-user or Linux users from AD/NT4 built with winbind
> > or sssd or nslcd).
> >
> > Just my 2 cents, best regards,
> >
> > mathias
> >
> >
> > 2015-12-08 14:37 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:
> >
> > > On the DC, when I run
> > >
> > > getent passwd                         I only see my Linux users.
> > >
> > > getent passwd username          shows the AD user.
> > >
> > >
> > >
> > > Same for the groups
> > >
> > >
> > >
> > > Greetz,
> > >
> > >
> > >
> > > Louis
> > >
> > >
> > >
> > >
> > >
> > >
> > > From: Marcio Costa [mailto:marciofoz at gmail.com]
> > > Sent: Tuesday 8 December 2015 14:35
> > > To: L.P.H. van Belle
> > > Subject: Re: [Samba] Samba4 ad dc with Centos7
> > >
> > >
> > >
> > >
> > > Hi!
> > > If you run 'getent passwd', do you see all the users (ad+local) or only
> > > local users ?
> > >
> > >
> > >
> > >
> > > 2015-12-08 11:15 GMT-02:00 L.P.H. van Belle <belle at bazuin.nl>:
> > >
> > > Well, that's wrong, when I do the following.
> > >
> > >
> > >
> > > wbinfo -u: I get all my users.
> > >
> > > wbinfo -g: I get all my groups.
> > >
> > > getent passwd username: I get my user:UID:GID:NAME:homedir:shell
> > >
> > > id username also gives the correct info (uid=.. gid=.. groups=
> > > etc.).
> > >
> > >
> > >
> > > And I use winbind on a DC (Samba 4.2.5 SerNet on Debian wheezy).
> > >
> > >
> > >
> > >
> > >
> > > Greetz,
> > >
> > >
> > >
> > > Louis
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > From: mathias dufresne [mailto:infractory at gmail.com]
> > > Sent: Tuesday 8 December 2015 14:11
> > > To: L.P.H. van Belle
> > > CC: samba at lists.samba.org
> > > Subject: Re: [Samba] Samba4 ad dc with Centos7
> > >
> > >
> > >
> > >
> > >
> > > I believe there is no enumeration allowed by default whatever you use to
> > > generate system users from AD (winbind, sssd or nslcd).
> > >
> > >
> > >
> > >
> > > Cheers,
> > >
> > >
> > >
> > >
> > >
> > > mathias
> > >
> > >
> > >
> > >
> > >
> > > 2015-12-08 13:42 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:
> > >
> > > Hi,
> > >
> > > A few things.
> > >
> > > > idmap gid = 1000-9999999
> > > Did you also change the start GID in the AD?
> > >
> > > https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use
> > >
> > > > "getent group" and "getent passwd"
> > > On a DC, use: getent group "domain users"
> > > It shows only the group name + GID.
> > >
> > > Your setup looks almost good, I'm only missing something like:
> > >
> > >       ## map IDs outside the domain to tdb files.
> > >       ## map IDs from the domain; the (*) and domain ranges may not overlap!
> > >       idmap config * : backend = tdb
> > >       idmap config * : range = 2000-9999
> > >
> > >
> > > Greetz,
> > >
> > > Louis
> > >
> > >
> > > > -----Original message-----
> > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Costa
> > > > Sent: Tuesday 8 December 2015 13:28
> > > > To: samba at lists.samba.org
> > > > Subject: [Samba] Samba4 ad dc with Centos7
> > >
> > > >
> > > > Hello, I may have a problem with my winbind setup.
> > > >
> > > > - With wbinfo -g and wbinfo -u I get all groups/users from the AD DC.
> > > > - With getent group "Domain Users" and getent passwd "remote_user" I can see
> > > >   the info about the specific group and specific user.
> > > > - With getent group and getent passwd I only see my local groups/users.
> > > >
> > > > - I believe that using "getent group" and "getent passwd" I should see all
> > > >   users, right?
> > > >
> > > >
> > > > - I'm using SerNet Samba version 4.2.5-SerNet-RedHat-19.el7.
> > > > - ps auxf shows me:
> > > > root     24519  0.0  4.5 578196 45700 ?        Ss   09:59   0:00 /usr/sbin/samba -D
> > > > root     24527  0.0  3.2 578196 32812 ?        S    09:59   0:00  \_ /usr/sbin/samba -D
> > > > root     24529  0.0  4.7 617856 48016 ?        Ss   09:59   0:00  |   \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > > > root     24546  0.0  3.2 617856 32936 ?        S    09:59   0:00  |       \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > > > root     24536  0.0  3.2 578196 32788 ?        S    09:59   0:00  \_ /usr/sbin/samba -D
> > > > root     24541  0.0  4.5 587664 46480 ?        Ss   09:59   0:00  |   \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > > > root     24545  0.0  3.5 605676 36492 ?        S    09:59   0:00  |       \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > > > root     24555  0.0  3.6 605992 36680 ?        S    10:00   0:00  |       \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > > >
> > > > - ls /lib64
> > > > lrwxrwxrwx. 1 root root  19 Dec  3 11:09 /lib64/libnss_winbind.so -> libnss_winbind.so.2
> > > > -rwxr-xr-x. 1 root root 20K Oct 28 07:44 /lib64/libnss_winbind.so.2
> > > >
> > > > - /etc/nsswitch.conf
> > > > passwd:     files winbind
> > > > shadow:     files winbind
> > > > group:      files winbind
> > > >
> > > > - smb.conf
> > > > [global]
> > > >         workgroup = INTRANET
> > > >         realm = INTRANET.UNV
> > > >         netbios name = ITU
> > > >         server role = active directory domain controller
> > > >         dns forwarder = 10.2.3.4
> > > >         idmap_ldb:use rfc2307 = yes
> > > >
> > > >         idmap config INTRANET:backend = ad
> > > >         idmap config INTRANET:schema_mode = rfc2307
> > > >         idmap config INTRANET:range = 10000-9999999
> > > >
> > > >         idmap uid = 10000-9999999
> > > >         idmap gid = 1000-9999999
> > > >
> > > >         # Use settings from AD for login shell and home directory
> > > >         winbind nss info = rfc2307
> > > >
> > > >         winbind use default domain = yes
> > > >         winbind enum users = yes
> > > >         winbind enum groups = yes
> > > >
> > > > I appreciate any help about this issue.
> > > > Thank you.
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions:  https://lists.samba.org/mailman/options/samba


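The advice exchanged above on idmap configuration (a default `*` backend, a domain range and a default range that must not overlap, and the legacy `idmap uid`/`idmap gid` parameters that Samba replaced with `idmap config * : range`) is easy to get wrong by hand. The script below is an added example, not code from this thread or from the Samba project: it parses the [global] section of an smb.conf and reports those problems. Both embedded configurations are constructed for the example, one copying the [global] section posted at the top of the thread and the other following Louis's suggested layout; the local/system UID cutoff (999) and the function names are assumptions of the example, not Samba conventions.

```python
"""Sanity-check the idmap configuration in a Samba smb.conf.

Added example (not code from the mailing-list thread or from Samba).
It reads the [global] section, collects every
``idmap config <DOMAIN> : range = LOW-HIGH`` line and reports:

  * a missing default (``*``) backend or range,
  * ranges that overlap each other (Samba requires them to be disjoint),
  * ranges that reach into the local/system UID space (cutoff assumed: 999),
  * the legacy ``idmap uid`` / ``idmap gid`` parameters, superseded by
    ``idmap config * : range``.
"""
import re
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# "idmap config DOMAIN : range = 1000-9999"; whitespace around ':' is optional.
_RANGE_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)$",
    re.IGNORECASE,
)
_BACKEND_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*backend\s*=\s*(?P<be>\S+)$",
    re.IGNORECASE,
)
_LEGACY_RE = re.compile(r"^idmap\s+(uid|gid)\s*=", re.IGNORECASE)


def global_section(text: str) -> List[str]:
    """Return the non-comment lines of the [global] section, stripped."""
    lines, in_global = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comments start with '#' or ';'
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global:
            lines.append(line)
    return lines


def parse_idmap(text: str) -> Tuple[Dict[str, Range], Dict[str, str], List[str]]:
    """Collect idmap ranges and backends per domain, plus legacy idmap lines."""
    ranges: Dict[str, Range] = {}
    backends: Dict[str, str] = {}
    legacy: List[str] = []
    for line in global_section(text):
        m = _RANGE_RE.match(line)
        if m:
            ranges[m["dom"].upper()] = (int(m["lo"]), int(m["hi"]))
            continue
        m = _BACKEND_RE.match(line)
        if m:
            backends[m["dom"].upper()] = m["be"].lower()
            continue
        if _LEGACY_RE.match(line):
            legacy.append(line)
    return ranges, backends, legacy


def overlapping(ranges: Dict[str, Range]) -> List[Tuple[str, str]]:
    """Return every pair of domains whose ID ranges share at least one ID."""
    names = sorted(ranges)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                pairs.append((a, b))
    return pairs


def audit(text: str, local_max_uid: int = 999) -> List[str]:
    """Run all checks; an empty list means no findings."""
    ranges, backends, legacy = parse_idmap(text)
    findings = []
    if "*" not in backends or "*" not in ranges:
        findings.append("missing default: set both 'idmap config * : backend' "
                        "and 'idmap config * : range'")
    for dom, (lo, hi) in ranges.items():
        if lo > hi:
            findings.append(f"{dom}: range {lo}-{hi} is inverted")
        if lo <= local_max_uid:
            findings.append(f"{dom}: range {lo}-{hi} reaches into local/system IDs "
                            f"(<= {local_max_uid})")
        if dom != "*" and dom not in backends:
            findings.append(f"{dom}: range given but no backend")
    for a, b in overlapping(ranges):
        findings.append(f"ranges for {a} and {b} overlap; idmap ranges must be disjoint")
    for line in legacy:
        findings.append(f"legacy parameter '{line}': use 'idmap config * : range' instead")
    return findings


# Constructed copy of the [global] section posted at the start of the thread.
POSTED_CONF = """
[global]
        workgroup = INTRANET
        realm = INTRANET.UNV
        netbios name = ITU
        server role = active directory domain controller
        dns forwarder = 10.2.3.4
        idmap_ldb:use rfc2307 = yes
        idmap config INTRANET:backend = ad
        idmap config INTRANET:schema_mode = rfc2307
        idmap config INTRANET:range = 10000-9999999
        idmap uid = 10000-9999999
        idmap gid = 1000-9999999
        winbind nss info = rfc2307
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
"""

# Constructed from Louis's suggested layout: a tdb default for IDs from
# outside the domain plus an ad backend for the domain itself.
SUGGESTED_CONF = """
[global]
        server role = active directory domain controller
        ## map IDs outside the domain to tdb files.
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        ## map IDs from the domain; (*) and domain ranges may not overlap!
        idmap config DOMAINNAME : backend = ad
        idmap config DOMAINNAME : schema_mode = rfc2307
        idmap config DOMAINNAME : range = 10000-3999999
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("suggested", SUGGESTED_CONF)):
        print(f"== {name} ==")
        for finding in audit(conf) or ["no findings"]:
            print(" -", finding)
```

Run against the posted configuration it reports the missing `*` default and the two legacy `idmap uid`/`idmap gid` lines; against the suggested layout it reports nothing. Point it at a real file with `audit(open("/etc/samba/smb.conf").read())`; it only reads the file and needs no running winbindd, so it can be used before restarting Samba after an idmap change.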