[Samba] Samba4 ad dc with Centos7

mathias dufresne infractory at gmail.com
Tue Dec 8 16:26:28 UTC 2015


An AD DC does not need AD users to be available from the system side. Making
"getent" able to retrieve AD users is what makes AD users available from the
system side.

By "make AD users available from system side" I mean you can use AD users
as you would system users locally declared in /etc/passwd.

An AD DC can be fully managed using the root account. When a Samba command
needs to authenticate (obviously with some AD user having access to the Samba
AD resource aimed at), these commands should come with an authentication
switch (--user or -U or --kerberos...) to authenticate them with some AD user
rather than the local root account (which is unknown to AD; it's local).

With my little experience of Samba AD I'd say the only bad point of not
having getent working on an AD DC is that ACLs in your Sysvol won't show user
names and group names but UIDs and GIDs.


2015-12-08 17:03 GMT+01:00 Marcio Costa <marciofoz at gmail.com>:

> The "troubleshoot Note" in the Samba Wiki (
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Using_domain_accounts.2Fgroups_in_OS_commands
> )
> must be performed only when setting up Samba as an AD member, not when
> setting it up as an AD DC?
>
>
> 2015-12-08 12:54 GMT-02:00 L.P.H. van Belle <belle at bazuin.nl>:
>
> > I don't see the difference, I think it's all in how you interpret it.
> > (sorry about the spelling errors..)
> >
> > For example
> > > wbinfo can get a whole list of all Samba users (I believe it can do
> > > that with AD or NT4 or standalone
> > Which is exactly what I want.
> >
> > > wbinfo does not show system users..
> > which is also exactly what I want.
> >
> > > wbinfo does not show system users, it
> > > shows Samba users which can become system users once they are
> > > transformed (with PAM tools such as winbind, sssd or nslcd).
> > Again exactly what I want.
> >
> > > I feel
> > > confusion (for me and for some users of that mailing list) between
> > > Samba's system users (users from Samba usable on the system side, here
> > > the system is the one hosting Samba, the server system), Samba users
> > > (Samba internal users) and client system users (system users which
> > > access the share). With domains there are also system users built from
> > > the domain (Windows system users SAMDOM\my-user or Linux users from
> > > AD/NT4 built with winbind
> >
> > Yeah, that sucks.. well, don't think in terms of Samba system users.
> >
> > > Samba's system users (users from Samba usable on the system side,
> > > here the system is
> > > the one hosting Samba, the server system),
> > > Samba users (Samba internal users) and
> > > client system users (system users which access the share).
> >
> > You have "local" users/groups, per server/client (adduser username)
> > You have "Domain" users/groups, per domain
> > You have "mapped users"  i call them.
> > And last, you have "local system users". ( UID lower than 1000 )
> >
> > Based on this example :
> >
> >         ## map id's outside to domain to tdb files.
> >         idmap config * : backend = tdb
> >         idmap config * : range = 2000-9999
> >         ## map ids from the domain and (*) the range may not overlap !
> >         idmap config DOMAINNAME: backend = ad
> >         idmap config DOMAINNAME: schema_mode = rfc2307
> >         idmap config DOMAINNAME: range = 10000-3999999
> >
> >
> > A local user: any user with a UID lower than 2000
> >
> > A domain user
> > idmap config DOMAINNAME : range = 10000-3999999
> >
> > A mapped user, is a local user with its UID in the * range.
> > (idmap config * : range = 2000-9999 )
> >
> > if you want any local users to be mapped to samba, change :
> > (idmap config * : range = 1000-9999 )
> >
> > And I don't advise mapping "local system users".
> >
> > Anyone can access shares, but it all depends on your setup.
> > I think you make an easy thing a hard one, probably due to the setup
> > you have. I'm not saying your setup is bad or wrong, but maybe too
> > complex or not well thought out. I spent about a year testing and
> > configuring and testing for a good base setup, and here it all starts: I
> > started at least 10 times over, because I forgot a "thing/process"
> > running on a server and which users and/or groups should be able to
> > access it.
> >
> > It's pretty simple: only use "domain users" when you have a domain.
> > And only use local users for local needs.
> > I only have 1 user on my Linux server for administering the server.
> > And I also gave some domain users access to a local server.
> > You can add a domain user to a local group if your setup is working
> > correctly.
> >
> > System users are just to run processes/services on the server, and/or for
> > Administering the server.
> >
> > So sorry, but I don't see the problem you're having.
> >
> > I do the same in samba 4 as i did in samba 3 and more.
> > And this all looks to me normal.
> >
> > But ...
> > I do agree there should be more examples of how things work with these
> > users.
> > And some examples of when you, for example, use a "mapped" user, a local
> > user etc.
> >
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias
> > dufresne
> > > Sent: Tuesday, 8 December 2015 14:56
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] Samba4 ad dc with Centos7
> > >
> > > That's what I thought, and why I said there is no enumeration for
> > > system users.
> > > wbinfo can get a whole list of all Samba users (I believe it can do
> > > that with AD or NT4 or standalone). But wbinfo does not show system
> > > users, it shows Samba users which can become system users once they
> > > are transformed (with PAM tools such as winbind, sssd or nslcd).
> > >
> > > I insist because after months spent here and years with Samba I feel
> > > there is confusion (for me and for some users of that mailing list)
> > > between Samba's system users (users from Samba usable on the system
> > > side, here the system is the one hosting Samba, the server system),
> > > Samba users (Samba internal users) and client system users (system
> > > users which access the share). With domains there are also system
> > > users built from the domain (Windows system users SAMDOM\my-user or
> > > Linux users from AD/NT4 built with winbind or sssd or nslcd).
> > >
> > > Just my 2 cents, best regards,
> > >
> > > mathias
> > >
> > >
> > > 2015-12-08 14:37 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:
> > >
> > > > On the DC, when i run
> > > >
> > > > getent passwd                         i only see my linux users.
> > > >
> > > > getent passwd username          shows the ad user.
> > > >
> > > >
> > > >
> > > > Same for the groups
> > > >
> > > >
> > > >
> > > > Greetz,
> > > >
> > > >
> > > >
> > > > Louis
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > From: Marcio Costa [mailto:marciofoz at gmail.com]
> > > > Sent: Tuesday, 8 December 2015 14:35
> > > > To: L.P.H. van Belle
> > > > Subject: Re: [Samba] Samba4 ad dc with Centos7
> > > >
> > > >
> > > >
> > > >
> > > > Hi!
> > > > If you run 'getent passwd', do you see all the users (ad+local) or
> only
> > > > local users ?
> > > >
> > > >
> > > >
> > > >
> > > > 2015-12-08 11:15 GMT-02:00 L.P.H. van Belle <belle at bazuin.nl>:
> > > >
> > > > Well, that's wrong, when I do the following.
> > > >
> > > >
> > > >
> > > > wbinfo -u   I get all my users.
> > > >
> > > > wbinfo -g   I get all my groups
> > > >
> > > > getent passwd username   I get my user:UID:GID:NAME:homedir:shell
> > > >
> > > > id username   also gives the correct info.. (uid= .. gid= ) groups =
> > > etc..
> > > >
> > > >
> > > >
> > > > And I use winbind on a DC. (samba 4.2.5 sernet on debian wheezy)
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > Greetz,
> > > >
> > > >
> > > >
> > > > Louis
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > From: mathias dufresne [mailto:infractory at gmail.com]
> > > > Sent: Tuesday, 8 December 2015 14:11
> > > > To: L.P.H. van Belle
> > > > CC: samba at lists.samba.org
> > > > Subject: Re: [Samba] Samba4 ad dc with Centos7
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > I believe there is no enumeration allowed by default whatever you use
> > to
> > > > generate system users from AD (winbind, sssd or nslcd).
> > > >
> > > >
> > > >
> > > >
> > > > Cheers,
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > mathias
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > 2015-12-08 13:42 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:
> > > >
> > > > Hi,
> > > >
> > > > Few things.
> > > >
> > > > > idmap gid = 1000-9999999
> > > > did you also change the start GID in the AD?
> > > >
> > > >
> > > > https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use
> > > >
> > > > > "getent group" and "getent passwd"
> > > > On a DC, use: getent group "domain users"
> > > > It shows only the group name + GID.
> > > >
> > > > Your setup looks almost good, I'm only missing something like:
> > > >
> > > >       ## map id's outside to domain to tdb files.
> > > >         ## map ids from the domain and (*) the range may not overlap
> !
> > > >       idmap config * : backend = tdb
> > > >       idmap config * : range = 2000-9999
> > > >
> > > >
> > > > Greetz,
> > > >
> > > > Louis
> > > >
> > > >
> > > > > -----Original message-----
> > > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio
> > Costa
> > > > > Sent: Tuesday, 8 December 2015 13:28
> > > > > To: samba at lists.samba.org
> > > > > Subject: [Samba] Samba4 ad dc with Centos7
> > > >
> > > > >
> > > > > Hello, I may have a problem with winbind setup.
> > > > >
> > > > > -with wbinfo -g and wbinfo -u I get all group/user from AD/DC.
> > > > > -with getent group "Domain Users" and getent passwd "remote_user" I
> > > can
> > > > > see
> > > > > the info about the specific group and specific user.
> > > > > -with getent group and getent passwd I only see my local
> group/users.
> > > > >
> > > > > -I believe that using "getent group" and "getent passwd" I must see
> > > all
> > > > > users, right ?
> > > > >
> > > > >
> > > > > -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7;
> > > > > -ps auxf shows me:
> > > > > root     24519  0.0  4.5 578196 45700 ?        Ss   09:59   0:00 /usr/sbin/samba -D
> > > > > root     24527  0.0  3.2 578196 32812 ?        S    09:59   0:00  \_ /usr/sbin/samba -D
> > > > > root     24529  0.0  4.7 617856 48016 ?        Ss   09:59   0:00  |   \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > > > > root     24546  0.0  3.2 617856 32936 ?        S    09:59   0:00  |       \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > > > > root     24536  0.0  3.2 578196 32788 ?        S    09:59   0:00  \_ /usr/sbin/samba -D
> > > > > root     24541  0.0  4.5 587664 46480 ?        Ss   09:59   0:00  |   \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > > > > root     24545  0.0  3.5 605676 36492 ?        S    09:59   0:00  |       \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > > > > root     24555  0.0  3.6 605992 36680 ?        S    10:00   0:00  |       \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > > > >
> > > > > -ls /lib64
> > > > > lrwxrwxrwx. 1 root root  19 Dec  3 11:09 /lib64/libnss_winbind.so -> libnss_winbind.so.2
> > > > > -rwxr-xr-x. 1 root root 20K Oct 28 07:44 /lib64/libnss_winbind.so.2
> > > > >
> > > > > -/etc/nsswitch.conf
> > > > > passwd:     files winbind
> > > > > shadow:     files winbind
> > > > > group:      files winbind
> > > > >
> > > > > -smb.conf
> > > > > [global]
> > > > >         workgroup = INTRANET
> > > > >         realm = INTRANET.UNV
> > > > >         netbios name = ITU
> > > > >         server role = active directory domain controller
> > > > >         dns forwarder = 10.2.3.4
> > > > >         idmap_ldb:use rfc2307 = yes
> > > > >
> > > > >         idmap config INTRANET:backend = ad
> > > > >         idmap config INTRANET:schema_mode = rfc2307
> > > > >         idmap config INTRANET:range = 10000-9999999
> > > > >
> > > > >         idmap uid = 10000-9999999
> > > > >         idmap gid = 1000-9999999
> > > > >
> > > > >         # Use settings from AD for login shell and home directory
> > > > >         winbind nss info = rfc2307
> > > > >
> > > > >         winbind use default domain = yes
> > > > >         winbind enum users = yes
> > > > >         winbind enum groups = yes
> > > > >
> > > > > I appreciate any help about this issue.
> > > > > Thank you.
> > > > > --
> > > > > To unsubscribe from this list go to the following URL and read the
> > > > > instructions:  https://lists.samba.org/mailman/options/samba
> > > >
> >
> >
> >
> >
>


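The thread turns on two things Louis spells out: his four classes of UID (distro system accounts, local users, "mapped" users in the `*` range, domain users in the domain range) and his rule that the `*` range and the domain range must not overlap, which Marcio's posted smb.conf (no `idmap config *` block, and the old `idmap uid`/`idmap gid` parameters with different lower bounds) does not satisfy. The POSIX shell script below is an added example, not code from this thread or from the Samba project: it parses the idmap ranges out of an smb.conf text, classifies a UID against them, and reports the problems above. Both configs are constructed samples; `INTRANET` and the ranges are taken from the messages, the `GOOD_SMBCONF`/`BAD_SMBCONF` names and the 1000 system-account boundary are assumptions. The deprecation notice for `idmap uid`/`idmap gid` follows the smb.conf(5) man page, which points to `idmap config * : range` instead. This is static text parsing; on a real server you would feed it the output of `testparm -s` rather than the raw file.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): check the idmap ranges
# in an smb.conf against the rules discussed on the list.
# The two configs are constructed samples; INTRANET and the ranges come from
# the thread, the variable names are assumptions.

# Constructed sample 1: a tdb-backed "*" range and an ad/rfc2307-backed
# domain range that do not overlap (what Louis describes as a good base).
GOOD_SMBCONF='[global]
        workgroup = INTRANET
        realm = INTRANET.UNV
        server role = active directory domain controller
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config INTRANET : backend = ad
        idmap config INTRANET : schema_mode = rfc2307
        idmap config INTRANET : range = 10000-3999999
'

# Constructed sample 2: the shape Louis objected to (no "*" range, plus the
# old "idmap uid"/"idmap gid" parameters with mismatched lower bounds).
BAD_SMBCONF='[global]
        workgroup = INTRANET
        server role = active directory domain controller
        idmap config INTRANET:backend = ad
        idmap config INTRANET:range = 10000-9999999
        idmap uid = 10000-9999999
        idmap gid = 1000-9999999
'

# idmap_range CONF DOMAIN -> prints "LOW HIGH" for "idmap config DOMAIN : range",
# exit 1 when DOMAIN has no range. Case and whitespace are ignored, so
# "INTRANET:range" and "INTRANET : range" match alike; "*" is matched literally.
idmap_range() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t' |
    awk -v key="idmapconfig$(printf '%s' "$2" | tr 'A-Z' 'a-z'):range=" '
        index($0, key) == 1 {
            split(substr($0, length(key) + 1), r, "-")
            print r[1], r[2]; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# ranges_overlap LO1 HI1 LO2 HI2 -> exit 0 if the inclusive ranges share any id
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# classify_uid UID STAR_LO STAR_HI DOM_LO DOM_HI -> system|local|mapped|domain|outside
# (Louis's classes; 1000 as the system-account boundary is an assumption)
classify_uid() {
    if   [ "$1" -lt 1000 ]; then echo system                       # distro accounts
    elif [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; then echo mapped  # "*" range (tdb)
    elif [ "$1" -ge "$4" ] && [ "$1" -le "$5" ]; then echo domain  # domain range (ad)
    elif [ "$1" -lt "$2" ]; then echo local                        # below every idmap range
    else echo outside                                              # no backend maps it
    fi
}

# check_idmap CONF DOMAIN -> prints findings; exit 0 only when a "*" backend and
# both ranges exist, the ranges do not overlap, and no "idmap uid"/"idmap gid"
# (deprecated per smb.conf(5)) lines are present.
check_idmap() {
    conf=$1; dom=$2; problems=0
    norm=$(printf '%s\n' "$conf" | tr 'A-Z' 'a-z' | tr -d ' \t')
    if ! printf '%s\n' "$norm" | grep -q '^idmapconfig\*:backend='; then
        echo "missing: idmap config * : backend (ids outside $dom have nowhere to go)"
        problems=1
    fi
    if printf '%s\n' "$norm" | grep -q '^idmap[ug]id='; then
        echo "deprecated: 'idmap uid'/'idmap gid'; use 'idmap config * : range'"
        problems=1
    fi
    star=$(idmap_range "$conf" '*')    || { echo "missing: idmap config * : range"; problems=1; }
    domr=$(idmap_range "$conf" "$dom") || { echo "missing: idmap config $dom : range"; problems=1; }
    if [ -n "$star" ] && [ -n "$domr" ]; then
        set -- $star $domr
        if ranges_overlap "$1" "$2" "$3" "$4"; then
            echo "overlap: * range $1-$2 overlaps $dom range $3-$4"
            problems=1
        fi
    fi
    [ "$problems" -eq 0 ] && echo "idmap configuration looks consistent"
    return "$problems"
}

# Stand-alone run: report on both constructed configs and classify a few uids.
echo "== good config =="; check_idmap "$GOOD_SMBCONF" INTRANET
echo "== bad config ==";  check_idmap "$BAD_SMBCONF" INTRANET || :
for u in 500 1500 5000 20000 5000000; do
    echo "uid $u -> $(classify_uid "$u" 2000 9999 10000 3999999)"
done
```

The `*` range only ever holds ids winbind allocates itself (for SIDs with no rfc2307 attributes, well-known SIDs, trusted domains); keeping it below the domain range and non-overlapping is what stops a tdb-allocated id from colliding with a uidNumber stored in AD.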