[Samba] Samba AD: gidNumber?

Rowland Penny rowlandpenny241155 at gmail.com
Thu Oct 29 20:35:29 UTC 2015


On 29/10/15 20:22, Viktor Trojanovic wrote:
>
>
> On 29.10.2015 20:52, Rowland Penny wrote:
>> On 29/10/15 19:27, Viktor Trojanovic wrote:
>>>
>>>
>>> On 29.10.2015 18:49, Rowland Penny wrote:
>>>> On 29/10/15 17:27, Viktor Trojanovic wrote:
>>>>>
>>>>>
>>>>> On 29.10.2015 17:54, Rowland Penny wrote:
>>>>>> On 29/10/15 16:21, Viktor Trojanovic wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 27.10.2015 16:16, Rowland Penny wrote:
>>>>>>>> On 27/10/15 14:58, Viktor Trojanovic wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 27.10.2015 13:54, Rowland Penny wrote:
>>>>>>>>>> [...]
>>>>>>>>>>> Yes, I meant the administrator. I did your suggested change 
>>>>>>>>>>> on my member server and restarted it. 'getent passwd 
>>>>>>>>>>> administrator' is still not returning anything, though. Or 
>>>>>>>>>>> is that the wrong way to check if it worked?
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> If you ran the same command on the DC, it will return 
>>>>>>>>>> something, but on a member server it won't, because the range 
>>>>>>>>>> you set in smb.conf is (if you followed the wiki, 
>>>>>>>>>> 10000-99999) above '0' and anything that is outside the range 
>>>>>>>>>> is ignored. This is not a problem, remember that 
>>>>>>>>>> Administrator is mapped to root on the member server, so if 
>>>>>>>>>> you want to log into the member server, you would do so as root. 
>>>>>>>>>> From windows, Administrator becomes root and carries out any 
>>>>>>>>>> changes etc as root.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Ok, all understood, thank you. But how can I check if it 
>>>>>>>>> worked with the users? I manually changed the Nisdomain and 
>>>>>>>>> uidNumber for two users using ADUC (to 10001 and 10002, 
>>>>>>>>> respectively), I restarted Samba (was this even necessary?), 
>>>>>>>>> and getent passwd <username> will still not return anything.
>>>>>>>>>
>>>>>>>>> In other words, what is the quickest way to check if my member 
>>>>>>>>> server setup worked out alright?
>>>>>>>>
>>>>>>>> OK, if you compiled samba yourself and you want to test getent 
>>>>>>>> on the member server, see this that I posted earlier:
>>>>>>>>
>>>>>>>> https://lists.samba.org/archive/samba/2015-October/195319.html
>>>>>>>>
>>>>>>>> If you are using distro packages, the wiki pages should give 
>>>>>>>> you a good idea of what you need.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>
>>>>>>> So, I spent quite some time researching it all a bit more in 
>>>>>>> depth but I get stuck at the same point, although I at least 
>>>>>>> seem to have a better understanding of how things should be now.
>>>>>>>
>>>>>>> So, my smb.conf on the member server looks exactly like the one 
>>>>>>> in the wiki, except that I also added ACL support as suggested 
>>>>>>> on the wiki page "Shares with Windows ACLs". My filesystem is 
>>>>>>> XFS and has ACL built-in.
>>>>>>>
>>>>>>> I do get proper results for wbinfo -u and wbinfo -g, but the id 
>>>>>>> and getent commands just won't work. I'm trying it on users and 
>>>>>>> groups that have a uidNumber or gidNumber defined, respectively.
>>>>>>>
>>>>>>> This is what my nsswitch.conf looks like:
>>>>>>>
>>>>>>> passwd: compat winbind
>>>>>>> group: compat winbind
>>>>>>> hosts: compat dns
>>>>>>> networks: compat dns
>>>>>>>
>>>>>>> My Samba came from a package but I verified that 
>>>>>>> libnss_winbind.so.2 is properly linked.
>>>>>>>
>>>>>>> smbd, nmbd and winbindd are properly started with no errors in 
>>>>>>> the logs, I'm joined to the AD, I can browse the member server 
>>>>>>> from my windows machine being logged in as Administrator. But I 
>>>>>>> still can't seem to change ACLs on any objects in the share from 
>>>>>>> within Windows, I'm getting error messages "Error when applying 
>>>>>>> security" (I'm translating freely from German).
>>>>>>>
>>>>>>> Do you have any idea what's going wrong here?
>>>>>>>
>>>>>>> Viktor
>>>>>>
>>>>>> OK, If I remember correctly, we are talking about a domain member 
>>>>>> here, not a DC. If you are using the default smb.conf from here:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>>>>>
>>>>> No. I'm using the smb.conf from 
>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>>>
>>>>>> with the 'ad' setup from here:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Idmap_config_ad
>>>>>>
>>>>> Those lines are already implemented in the smb.conf retrieved from 
>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>>
>>>> OK, what is the difference between a 'domain member' and a 'member 
>>>> server', well to be honest, not much. You can think of a 'domain 
>>>> member' being the same as a normal windows workstation that a user 
>>>> logs into and it doesn't share anything. You can turn a 'domain 
>>>> member' into a 'member server' very easily, just make it share 
>>>> something :-) if you share printers from it, it becomes a 'Print 
>>>> Server' , add data shares and it becomes a 'File Server', I think 
>>>> you get the idea here :-)
>>>>
>>>> Your smb.conf from the 'member server' page is equivalent to the 
>>>> one you can create from the three pages I posted.
>>>>
>>>>>> with the acl support lines from here:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#ACL_support_on_domain_members 
>>>>>>
>>>>>>
>>>>> Those exact 3 lines, yes.
>>>>>> then getent should work, but there are a few caveats: the users 
>>>>>> must have a uidNumber inside the range 10000-99999 and Domain 
>>>>>> Users (at least) must have a gidNumber inside the same range. Any 
>>>>>> users or groups outside this range will be ignored and *all* 
>>>>>> users will be ignored if Domain Users either doesn't have a 
>>>>>> gidNumber or it is outside the range.
>>>>>>
>>>>> The user I'm trying to return has a uidNumber of 10002, and Domain 
>>>>> Users is set to gidNumber 10000. I have not set those attributes 
>>>>> for other groups and did not expect them to show up with getent.
>>>>>
>>>>>> Time must be synchronised between the machines, within 5 mins if I 
>>>>>> remember correctly.
>>>>> Time is synced and well within 5 mins. Kerberos would fail 
>>>>> otherwise and I am able to request k-tickets for any user without 
>>>>> issues.
>>>>>> The domain member must be joined to the domain (obviously)
>>>>> Of course.
>>>>>> The domain member must be using the DC as its DNS server
>>>>>>
>>>>>> /etc/resolv.conf
>>>>>> search samdom.example.com
>>>>>> nameserver 192.168.0.3 <-- this is the ip of the DC
>>>>>>
>>>>> My DC has a fixed IP and that's exactly what my resolv.conf looks 
>>>>> like, no other lines.
>>>>
>>>> Yes but does your 'member server' have a fixed ip ?
>>>>
>>>>>> You only need this in /etc/krb5.conf
>>>>>>
>>>>>> [libdefaults]
>>>>>>         default_realm = SAMDOM.EXAMPLE.COM
>>>>>>         dns_lookup_realm = false
>>>>>>         dns_lookup_kdc = true
>>>>>>
>>>>> That's exactly what I have. As mentioned, Kerberos seems to work 
>>>>> properly.
>>>>>
>>>>>> Ideally your domain member should have a fixed ip, but if you are 
>>>>>> using dhcp, check that the IP address isn't 127.0.0.1 or even 
>>>>>> worse 127.0.1.1. If you are using Ubuntu with Network Manager, stop 
>>>>>> it using dnsmasq.
>>>>>>
>>>>> See above.
>>>>>> Check that pam is setup correctly, on debian you can do this by 
>>>>>> running 'pam-auth-update'
>>>>>>
>>>>> I don't have pam setup since I don't need the users to log in to 
>>>>> Linux. It is nowhere mentioned, neither on the wiki nor on the 
>>>>> book that this is a prerequisite for getent to work.
>>>>
>>>> Applying Hand brake screeching to a halt :-D
>>>>
>>>> If pam is not set up you will not get 'getent' to work. Can you 
>>>> please refresh my memory and tell me what OS you are using. Pam is 
>>>> not required on a DC unless you require your users to actually log 
>>>> into it, but it is definitely needed on a 'domain member' (or as 
>>>> you call it, a 'member server')
>>>>
>>>> There is a mention of setting up PAM on the page you referred to:
>>>>
>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Setting_up_PAM_authentication 
>>>>
>>>>
>>>> Though it is a bit unclear that it is required to make 'getent' 
>>>> work, I will not update this page because there is a very good 
>>>> chance it will get a massive overhaul soon, but I will look into 
>>>> whether any other Pam info specifies that it is needed on a domain 
>>>> member.
>>>>
>>>> Rowland
>>>
>>> Well, I'll be... I really didn't figure out that that was any kind 
>>> of necessity. Since the getent checks on the wiki (and in my book) 
>>> are performed before the comments about PAM, I thought that's just 
>>> for special situations (such as needing users to log in on Linux). 
>>> So you're saying I can't set my ACLs with domain users because of 
>>> that?
>>
>> getent shows what the OS knows about a user, if it shows nothing, 
>> that user is unknown to the OS and as such cannot own anything. On 
>> the DC, this is not really a problem because the users are 
>> automatically given an xidNumber and this is used instead and most 
>> people only use the DC for authentication. You only need the 
>> libnss_winbind links and pam (or something in its place) if you want 
>> your users to connect to the member server.
>>
>>>
>>> I guess my next project then is to figure out how to configure this 
>>> on Alpine Linux which is what I'm using for my member server. While 
>>> I can find packages for PAM, it seems that there is no pam_winbind 
>>> module so I'm not sure where this leaves me. Any tips?
>>
>> Er, use Debian instead :-D
>> I could give you instructions to set up a basic Samba domain member 
>> on Debian that would only take you about 15mins and is guaranteed to 
>> work (famous last words).
>>
>> Rowland
>>
> Haha :) I've already spent so much time on getting to know Arch and 
> Alpine Linux in and out, with some Ubuntu on the side, just can't 
> bother to add Debian to the list. But if I can't get either to work, 
> I'll reconsider. :)

Well, Ubuntu is heavily based on Debian, so what works for one, 
generally works for the other with slight mods.

Rowland

>
> I'll report back... thanks again, and good night.
>
> Viktor
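The checks Rowland walks through above (uidNumber/gidNumber inside the `idmap config ... : range`, Domain Users needing a gidNumber in that range before any user resolves, nsswitch.conf listing winbind for passwd and group) can be done offline before running `getent`. The following is an added example, not code from this thread or from the Samba project. The smb.conf fragment, the nsswitch.conf and the uidNumber/gidNumber values are constructed; in practice the attribute values would be read from AD (for instance with `ldbsearch` or `samba-tool user show`). It applies Rowland's rule literally, assuming every user's primary group is Domain Users, and treats overlapping idmap ranges as an error because winbind requires the `*` and domain ranges to be disjoint.

```python
"""Offline checker for a Samba AD domain member's idmap / NSS prerequisites.

Added example, not from the thread or from Samba. All inputs below are
constructed; replace them with your real smb.conf, nsswitch.conf and the
uidNumber/gidNumber values read from AD.
"""
import re

# Constructed smb.conf fragment shaped like the wiki's domain-member example.
SMB_CONF = """
[global]
   workgroup = SAMDOM
   security = ADS
   realm = SAMDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-99999
   winbind nss info = rfc2307
   winbind use default domain = yes
"""

# Constructed nsswitch.conf, as posted in the thread.
NSSWITCH = """
passwd: compat winbind
group: compat winbind
hosts: compat dns
"""

# Constructed uidNumber / gidNumber values (None = attribute not set in AD).
# 'bob' sits inside the '*' range, which does not help: a domain user must be
# inside the SAMDOM range to be mapped by the 'ad' backend.
USERS = {"administrator": None, "viktor": 10002, "alice": 10001, "bob": 5000, "carol": None}
GROUPS = {"Domain Users": 10000, "Domain Admins": None, "staff": 200000}

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(conf_text):
    """Map each idmap domain ('*' or a workgroup) to its (low, high) range."""
    ranges = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges overlap; winbind needs disjoint ranges."""
    names = sorted(ranges)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                hits.append((a, b))
    return hits


def nss_winbind_databases(nsswitch_text):
    """Which of the passwd/group databases in nsswitch.conf consult winbind."""
    found = set()
    for line in nsswitch_text.splitlines():
        m = re.match(r"^\s*(passwd|group)\s*:\s*(.*)$", line)
        if m and "winbind" in m.group(2).split():
            found.add(m.group(1))
    return found


def check_member(domain, conf_text, nsswitch_text, users, groups):
    """Summarise what 'getent passwd' / 'getent group' would resolve on this member."""
    ranges = parse_idmap_ranges(conf_text)
    lo, hi = ranges[domain.upper()]

    def in_range(n):
        return n is not None and lo <= n <= hi

    report = {
        "range": (lo, hi),
        "overlaps": overlapping_ranges(ranges),
        "nss_missing": {"passwd", "group"} - nss_winbind_databases(nsswitch_text),
        # Assumption (as in the thread): Domain Users is every user's primary
        # group, so without a usable gidNumber on it no user resolves at all.
        "domain_users_ok": in_range(groups.get("Domain Users")),
        "ignored_users": sorted(u for u, n in users.items() if not in_range(n)),
        "ignored_groups": sorted(g for g, n in groups.items() if not in_range(n)),
    }
    usable = report["domain_users_ok"] and not report["nss_missing"] and not report["overlaps"]
    report["resolvable_users"] = (
        sorted(u for u in users if u not in report["ignored_users"]) if usable else [])
    return report


if __name__ == "__main__":
    for key, value in check_member("SAMDOM", SMB_CONF, NSSWITCH, USERS, GROUPS).items():
        print(f"{key}: {value}")
```

With the constructed input, `administrator` is reported as ignored (no uidNumber, which is expected since it is mapped to root on the member), `bob` is ignored despite having a uidNumber because 5000 lies outside the SAMDOM range, and removing the gidNumber from Domain Users empties the resolvable list entirely, which is the situation Rowland describes.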