[Samba] Samba AD: gidNumber?

Rowland Penny rowlandpenny241155 at gmail.com
Thu Oct 29 19:52:31 UTC 2015


On 29/10/15 19:27, Viktor Trojanovic wrote:
>
>
> On 29.10.2015 18:49, Rowland Penny wrote:
>> On 29/10/15 17:27, Viktor Trojanovic wrote:
>>>
>>>
>>> On 29.10.2015 17:54, Rowland Penny wrote:
>>>> On 29/10/15 16:21, Viktor Trojanovic wrote:
>>>>>
>>>>>
>>>>> On 27.10.2015 16:16, Rowland Penny wrote:
>>>>>> On 27/10/15 14:58, Viktor Trojanovic wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 27.10.2015 13:54, Rowland Penny wrote:
>>>>>>>> [...]
>>>>>>>>> Yes, I meant the administrator. I did your suggested change on 
>>>>>>>>> my member server and restarted it. 'getent passwd 
>>>>>>>>> administrator' is still not returning anything, though. Or is 
>>>>>>>>> that the wrong way to check if it worked?
>>>>>>>>>
>>>>>>>>
>>>>>>>> If you ran the same command on the DC, it will return 
>>>>>>>> something, but on a member server it won't, because the range 
>>>>>>>> you set in smb.conf is (if you followed the wiki, 10000-99999) 
>>>>>>>> above '0' and anything that is outside the range is ignored. 
>>>>>>>> This is not a problem, remember that Administrator is mapped to 
>>>>>>>> root on the member server, so if you want to log into the 
>>>>>>>> member server, you would do so as root. From Windows, 
>>>>>>>> Administrator becomes root and carries out any changes etc as 
>>>>>>>> root.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Ok, all understood, thank you. But how can I check if it worked 
>>>>>>> with the users? I manually changed the Nisdomain and uidNumber 
>>>>>>> for two users using ADUC (to 10001 and 10002, respectively), I 
>>>>>>> restarted Samba (was this even necessary?), and getent passwd 
>>>>>>> <username> will still not return anything.
>>>>>>>
>>>>>>> In other words, what is the quickest way to check if my member 
>>>>>>> server setup worked out alright?
>>>>>>
>>>>>> OK, if you compiled samba yourself and you want to test getent on 
>>>>>> the member server, see this that I posted earlier:
>>>>>>
>>>>>> https://lists.samba.org/archive/samba/2015-October/195319.html
>>>>>>
>>>>>> If you are using distro packages, the wiki pages should give you 
>>>>>> a good idea of what you need.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>> So, I spent quite some time researching it all a bit more in depth 
>>>>> but I get stuck at the same point, although I at least seem to 
>>>>> have a better understanding of how things should be now.
>>>>>
>>>>> So, my smb.conf on the member server looks exactly like the one in 
>>>>> the wiki, except that I also added ACL support as suggested on the 
>>>>> wiki page "Shares with Windows ACLs". My filesystem is XFS and has 
>>>>> ACL built-in.
>>>>>
>>>>> I do get proper results for wbinfo -u and wbinfo -g, but the id 
>>>>> and getent commands just won't work. I'm trying it on users and 
>>>>> groups that have a uidNumber or gidNumber defined, respectively.
>>>>>
>>>>> This is how my nsswitch.conf looks:
>>>>>
>>>>> passwd: compat winbind
>>>>> group: compat winbind
>>>>> hosts:compat dns
>>>>> networks: compat dns
>>>>>
>>>>> My Samba came from a package but I verified that 
>>>>> libnss_winbind.so.2 is properly linked.
>>>>>
>>>>> smbd, nmbd and winbindd are properly started with no errors in the 
>>>>> logs, I'm joined to the AD, I can browse the member server from my 
>>>>> windows machine being logged in as Administrator. But I still 
>>>>> can't seem to change ACLs on any objects in the share from within 
>>>>> Windows, I'm getting error messages "Error when applying security" 
>>>>> (I'm translating freely from German).
>>>>>
>>>>> Do you have any idea what's going wrong here?
>>>>>
>>>>> Viktor
>>>>
>>>> OK, if I remember correctly, we are talking about a domain member 
>>>> here, not a DC. If you are using the default smb.conf from here:
>>>>
>>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>>>
>>> No. I'm using the smb.conf from 
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>
>>>> with the 'ad' setup from here:
>>>>
>>>> https://wiki.samba.org/index.php/Idmap_config_ad
>>>>
>>> Those lines are already implemented in the smb.conf retrieved from 
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> OK, what is the difference between a 'domain member' and a 'member 
>> server', well to be honest, not much. You can think of a 'domain 
>> member' being the same as a normal windows workstation that a user 
>> logs into and it doesn't share anything. You can turn a 'domain 
>> member' into a 'member server' very easily, just make it share 
>> something :-) if you share printers from it, it becomes a 'Print 
>> Server' , add data shares and it becomes a 'File Server', I think you 
>> get the idea here :-)
>>
>> Your smb.conf from the 'member server' page is equivalent to the one 
>> you can create from the three pages I posted.
>>
>>>> with the acl support lines from here:
>>>>
>>>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#ACL_support_on_domain_members 
>>>>
>>>>
>>> Those exact 3 lines, yes.
>>>> then getent should work, but there are a few caveats: the users must 
>>>> have a uidNumber inside the range 10000-99999 and Domain Users (at 
>>>> least) must have a gidNumber inside the same range. Any users or 
>>>> groups outside this range will be ignored and *all* users will be 
>>>> ignored if Domain Users either doesn't have a gidNumber or it is 
>>>> outside the range.
>>>>
>>> The user I'm trying to return has a uidNumber of 10002, and Domain 
>>> Users is set to gidNumber 10000. I have not set those attributes for 
>>> other groups and did not expect them to show up with getent.
>>>
>>>> Time must be synchronised between the machines, within 5 mins if I 
>>>> remember correctly.
>>> Time is synced and well within 5 mins. Kerberos would fail otherwise 
>>> and I am able to request k-tickets for any user without issues.
>>>> The domain member must be joined to the domain (obviously)
>>> Of course.
>>>> The domain member must be using the DC as its DNS server.
>>>>
>>>> /etc/resolv.conf
>>>> search samdom.example.com
>>>> nameserver 192.168.0.3 <-- this is the ip of the DC
>>>>
>>> My DC has a fixed IP and that's exactly how my resolv.conf looks, 
>>> no other lines.
>>
>> Yes but does your 'member server' have a fixed ip ?
>>
>>>> You only need this in /etc/krb5.conf
>>>>
>>>> [libdefaults]
>>>>         default_realm = SAMDOM.EXAMPLE.COM
>>>>         dns_lookup_realm = false
>>>>         dns_lookup_kdc = true
>>>>
>>> That's exactly what I have. As mentioned, Kerberos seems to work 
>>> properly.
>>>
>>>> Ideally your domain member should have a fixed ip, but if you are 
>>>> using DHCP, check that the IP address isn't 127.0.0.1 or even worse 
>>>> 127.0.1.1. If you are using Ubuntu with Network Manager, stop it using 
>>>> dnsmasq.
>>>>
>>> See above.
>>>> Check that pam is setup correctly, on debian you can do this by 
>>>> running 'pam-auth-update'
>>>>
>>> I don't have pam setup since I don't need the users to log in to 
>>> Linux. It is nowhere mentioned, neither on the wiki nor on the book 
>>> that this is a prerequisite for getent to work.
>>
>> Applying Hand brake screeching to a halt :-D
>>
>> If pam is not set up you will not get 'getent' to work. Can you 
>> please refresh my memory and tell me what OS you are using. Pam is 
>> not required on a DC unless you require your users to actually log 
>> into it, but it is definitely needed on a 'domain member' (or as you 
>> call it, a 'member server').
>>
>> There is a mention of setting up PAM on the page you referred to:
>>
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Setting_up_PAM_authentication 
>>
>>
>> Though it is a bit unclear that it is required to make 'getent' work, 
>> I will not update this page because there is a very good chance it 
>> will get a massive overhaul soon, but I will look into whether any 
>> other Pam info specifies that it is needed on a domain member.
>>
>> Rowland
>
> Well, I'll be... I really didn't figure out that that was any kind of 
> necessity. Since the getent checks on the wiki (and in my book) are 
> performed before the comments about PAM, I thought that's just for 
> special situations (such as needing users to log in on Linux). So 
> you're saying I can't set my ACLs with domain users because of that?

getent shows what the OS knows about a user, if it shows nothing, that 
user is unknown to the OS and as such cannot own anything. On the DC, 
this is not really a problem because the users are automatically given 
an xidNumber and this is used instead and most people only use the DC 
for authentication. You only need the libnss_winbind links and pam (or 
something in its place) if you want your users to connect to the member 
server.

>
> I guess my next project then is to figure out how to configure this on 
> Alpine Linux which is what I'm using for my member server. While I can 
> find packages for PAM, it seems that there is no pam_winbind module so 
> I'm not sure where this leaves me. Any tips?

Er, use Debian instead :-D
I could give you instructions to set up a basic Samba domain member on 
Debian that would only take you about 15mins and is guaranteed to work 
(famous last words).

Rowland

>
> Even if not, at least I know now where the problem is. I really 
> appreciate all your help.
>
> Viktor
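As an added example (not part of this thread or of the Samba project), here is a small POSIX shell model of the rules Rowland lays out: the idmap range configured for the domain in smb.conf decides which uidNumber/gidNumber values winbind will expose to getent, and a missing or out-of-range gidNumber on Domain Users hides every user. The smb.conf fragment and the ldbsearch-style records are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: a model of the idmap rules Rowland describes.
# From the domain's idmap range in smb.conf and the uidNumber/gidNumber of AD
# objects, list which accounts winbind hands to getent and which it ignores.
# Constructed smb.conf fragment using the wiki's example range.
SMB_CONF='[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-99999
'
# Constructed records (ldbsearch style, blank separators dropped); values follow the thread.
LDIF='dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Users
gidNumber: 10000
dn: CN=viktor,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: viktor
uidNumber: 10002
dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Administrator
uidNumber: 0
dn: CN=guest,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: guest
'
# idmap_range DOMAIN -> "low high" from the "idmap config DOMAIN : range" line.
idmap_range() {
    printf '%s\n' "$SMB_CONF" | awk -F'=' -v dom="$1" '
        BEGIN { re = "idmap config[ \t]*" dom "[ \t]*:[ \t]*range" }
        $1 ~ re { gsub(/[ \t]/, "", $2); split($2, r, "-"); print r[1], r[2]; exit }'
}
# visible_accounts DOMAIN -> the name when its uidNumber/gidNumber lies inside
# the range, "IGNORED name" when the attribute is missing or out of range.
visible_accounts() {
    set -- $(idmap_range "$1")
    printf '%s\n' "$LDIF" | awk -v lo="$1" -v hi="$2" '
        function emit() {
            if (name == "") return
            if (id != "" && id + 0 >= lo + 0 && id + 0 <= hi + 0) print name
            else print "IGNORED " name
            name = ""; id = ""
        }
        /^dn:/ { emit() }
        /^sAMAccountName:/ { name = substr($0, 17) }
        /^(uidNumber|gidNumber):/ { id = $2 }
        END { emit() }'
}
# getent_would_work DOMAIN: true only if Domain Users has an in-range gidNumber;
# without that winbind drops every user, whatever their own uidNumber says.
getent_would_work() { visible_accounts "$1" | grep -qx 'Domain Users'; }
```

With these constructed values, Administrator (uidNumber 0) and guest (no uidNumber) are reported as ignored, exactly the behaviour Rowland describes for the member server.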
