[Samba] Validate Ids Multiple DC

L.P.H. van Belle belle at bazuin.nl
Fri Jan 29 15:52:30 UTC 2016


Here you go. 

 

My setup. 

DC's Debian Wheezy, Sernet Samba 4.2.7.

 

Members: all Debian Jessie: 

Print server : sernet samba 4.2.7  

Proxy server : Debian Samba 4.1.17 

File servers : Debian samba 4.1.17

 

DC Sample. 

cat /etc/samba/smb.conf

# Global parameters

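[global]
        workgroup = NTDOMAIN
        realm = INTERNAL.DOMAIN.TLD
        netbios name = DC1
        server role = active directory domain controller

        # The internal DNS server is switched off; the domain's DNS must
        # then be served by another DNS server (not shown in this sample).
        server services = -dns

        # Hand out the uidNumber/gidNumber stored in AD (RFC2307) instead of
        # the automatically allocated xidNumber. Set this on ALL DCs,
        # otherwise the same account gets different ids on different DCs.
        idmap_ldb:use rfc2307 = yes

        # Listen only on loopback and the LAN address of this DC.
        interfaces = 127.0.0.1 192.168.0.1
        bind interfaces only = yes
        time server = yes

        # WINS is unauthenticated NetBIOS name service; keep it only as long
        # as there are clients that still depend on NetBIOS name resolution.
        wins support = yes

        ## KEEP THIS OFF. It is only needed while extending the AD schema
        ## (here: the Zarafa schema updates) and then only ONCE, on the DC
        ## that holds the Schema Master FSMO role.
        ## The option is "dsdb:", not "sdb:". Parametric options are not
        ## validated by Samba, so a misspelled name is silently ignored and
        ## flipping it to "yes" later would have had no effect.
        dsdb:schema update allowed = no

        ## Map ids from outside the domain (BUILTIN, local) into a tdb.
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        ## Map ids of the domain itself from the RFC2307 attributes in AD.
        ## The two ranges must not overlap.
        ## NOTE: "idmap config" on a DC is, as stated further down this
        ## thread, not officially supported; the DC normally uses idmap_ldb.
        idmap config NTDOMAIN : backend = ad
        idmap config NTDOMAIN : schema_mode = rfc2307
        idmap config NTDOMAIN : range = 10000-3999999

        # Use home directory and shell information from AD.
        winbind nss info = rfc2307

        winbind trusted domains only = no
        winbind use default domain = yes
        winbind expand groups = 4

        # Fallback shell/home for accounts without RFC2307 attributes.
        # As noted in this thread, these must match the values in the AD
        # Unix tab so that DCs and member servers agree.
        template shell = /bin/bash
        template homedir = /home/users/%U

        # Disable printing completely; no more CUPS errors in the logs.
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes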

 

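## acl_xattr:ignore system acls = yes is used on all "Windows only" shares,
## i.e. shares that are reached exclusively through Samba (Kerberos
## authenticated clients). With it Samba keeps the NT ACL in the xattr and
## no longer maps it onto POSIX ACLs, so only smbd enforces the ACL:
## anything that reaches the directory outside smbd (ssh logins, local
## scripts) only sees the plain mode bits. Use it only where nothing but
## smbd touches the files.

[sysvol]
        path = /home/samba/sysvol
        read only = No
        acl_xattr:ignore system acls = yes

[netlogon]
        # Must be <sysvol path>/<realm in lower case>/scripts. With the
        # realm above that is internal.domain.tld; the posted sample still
        # pointed at the directory of a different domain here.
        path = /home/samba/sysvol/internal.domain.tld/scripts
        read only = No
        acl_xattr:ignore system acls = yes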

 

 

My MOST important member server smb.conf

FILE SERVER Sample.

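[global]
    workgroup = NTDOMAIN
    security = ADS
    realm = INTERNAL.DOMAIN.TLD

    netbios name = MEMBER1

    # Make this host the master browser for the network.
    # preferred + domain master = guaranteed master browser (man smb.conf).
    # NOTE(review): the DCs presumably register the domain master browser
    # name as well; confirm this does not fight with them in browser
    # elections.
    preferred master = yes
    domain master = yes
    host msdfs = no

    # Kerberos: use the machine keytab in addition to secrets.tdb.
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    # SMB signing towards other servers is only used when the peer asks for
    # it; set "mandatory" if unsigned SMB sessions from this host must not
    # happen (relay/tampering concern).
    client signing = if_required

    ## Map ids from outside the domain (BUILTIN, local) into a tdb.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    ## Map ids of the domain from the RFC2307 attributes in AD.
    ## The two ranges must not overlap.
    idmap config NTDOMAIN: backend = ad
    idmap config NTDOMAIN: schema_mode = rfc2307
    idmap config NTDOMAIN: range = 10000-3999999

    # Take shell and home directory from the AD (RFC2307) attributes.
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    # Enumeration lets getent list every domain user/group. It costs a full
    # directory walk per call and exposes the complete account list to any
    # local user; set both to "no" unless something on this host needs it.
    winbind enum users  = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    # Offline logon caches domain credentials on this host so logons keep
    # working when no DC is reachable; the winbind cache must stay root-only.
    winbind offline logon = yes
    winbind expand groups = 4

    wins server = 192.168.0.1, 192.168.0.2

    # Disable printing completely.
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # Disable usershare creation; set explicitly although unused, so the
    # logs stay free of usershare messages.
    usershare path =

    ##### Kept here only as a reminder: these MUST be identical on the DCs
    ##### and in the AD Unix attributes if AD users should be able to log
    ##### in here. The DC sample in this mail uses %U.
    #    template shell = /bin/bash
    #    template homedir = /home/users/%U

    # Administrator workaround: without the map you cannot set privileges
    # and get connection errors on shares as Administrator. The map hands
    # a domain account the identity of a local Unix account, so keep the
    # file owned by root and not group/world writable.
    username map = /etc/samba/samba_usermapping

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    # Share settings applied globally.
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes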

 

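[profiles]
    browseable = yes
    path = /home/samba/profiles
    read only = no
    # The option is "ignore system acls" (plural), as in the DC sample.
    # Parametric options are not validated, so the singular spelling was
    # silently ignored and POSIX ACLs were still being written. With it in
    # effect only smbd enforces the NT ACL; local access sees the mode bits.
    acl_xattr:ignore system acls = yes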

 

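[users]
    browseable = yes
    path = /home/samba/users
    read only = no
    # The option is "ignore system acls" (plural), as in the DC sample.
    # Parametric options are not validated, so the singular spelling was
    # silently ignored and POSIX ACLs were still being written. With it in
    # effect only smbd enforces the NT ACL; local access sees the mode bits.
    acl_xattr:ignore system acls = yes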

 

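[public]
    # Used for package distribution, GPO installs etc. Packages installed by
    # GPO typically run with SYSTEM rights on the client, so the content
    # must not be writable by every domain user: read only for everyone,
    # with an explicit write list for the admins who publish packages.
    browseable = yes
    path = /home/samba/public
    read only = yes
    write list = @"Domain Admins"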

 

 

--------------------- 

Proxy server sample: see the file server sample above, minus the shares. 

Print server sample see File server sample, remove these shares and add : 

 

   ## Enabling spoolssd

    rpc_server:spoolss = external

    rpc_daemon:spoolssd = fork

 

    spoolssd:prefork_min_children = 5           # Minimum number of child processes

    spoolssd:prefork_max_children = 25          # Maximum number of child processes

    spoolssd:prefork_spawn_rate = 5             # Start (fork) x new childs if one connection comes in (up to prefork_max_children)

    spoolssd:prefork_max_allowed_clients = 100  # Number of clients, a child process should be responsible for

    spoolssd:prefork_child_min_life = 60        # Minimum lifetime of a child process (60 seconds

                                                # is the minimum, even a lower value has been configured)

 

## Cups auth problems : adduser USERNAME lpadmin

 

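[printers]
   comment = All Printers
   path = /home/samba/printing/spool
   browseable = no
   printable = yes
   printing = CUPS
   # "ignore system acls" (plural); the singular spelling was silently
   # ignored because parametric options are not validated.
   acl_xattr:ignore system acls = yes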

 

# Windows clients look for this share name as a source of downloadable

# printer drivers

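[print$]
   comment = Printer Drivers
#   path = /var/lib/samba/printers
   path = /home/samba/printing/drivers
   browseable = yes
   read only = yes
   guest ok = no
# Only the accounts in the write list may upload or replace drivers.
# Drivers from this share get installed on every client that uses the
# printer, so keep the list to printer admins. Replace 'Domain Admins'
# with your admin group if needed, and give that group Unix write
# permission on the drivers directory.
   write list = root, @"Domain Admins"
   # "ignore system acls" (plural); the singular spelling was silently
   # ignored because parametric options are not validated.
   acl_xattr:ignore system acls = yes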

 

 

I'm out of the office in 10 min, so if you have questions, ask on the list. 

Monday im back here 

 

Greetz and have a nice weekend everybody..  

 

Louis

 

 

 

> -----Oorspronkelijk bericht-----

> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Carlos A. P.

> Cunha

> Verzonden: vrijdag 29 januari 2016 16:27

> Aan: samba at lists.samba.org

> Onderwerp: Re: [Samba] Validate Ids Multiple DC

> 

> At first no, but I find it strange that there are different ids...

> 

> If you could post your smb.conf it would help.

> 

> Em 29-01-2016 13:10, L.P.H. van Belle escreveu:

> > Hello Carlos.

> >

> > First, please post to the list; this way everybody can help.

> >

> > The ids like : 3000036  are i think from a samba DC with RID setup.

> > If you want to login also on the DC with for example SSH.

> >

> > Add also the template lines.

> >

> > Fix the idmap.

> >

> > net getdomainsid

> > net idmap delete ranges YOURDOMAIN_SID

> >

> > restart the DC.

> >

> > And check again.

> >

> > Greetz,

> >

> > Louis

> >

> >

> >> -----Oorspronkelijk bericht-----

> >> Van: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]

> >> Verzonden: vrijdag 29 januari 2016 15:14

> >> Aan: L.P.H. van Belle

> >> Onderwerp: Re: [Samba] Validate Ids Multiple DC

> >>

> >> Hello!

> >> Obrgado the answers.

> >>

> >> My smb.conf now this well in both DC, but is still giving different

> IDs:

> >>

> >>

> >> smb.conf

> >>

> >> # Global parameters

> >> [global]

> >>           workgroup = SERVERAD

> >>           realm = mydomain

> >>           netbios name = DC-LINUX1(e DC-LINUX2)

> >>           server role = active directory domain controller

> >>           passdb backend = samba_dsdb

> >>           server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,

> >> drepl, winbindd, ntp_signd, kcc, dnsupdate

> >>

> >>           map archive = No

> >>           map readonly = no

> >>           store dos attributes = Yes

> >>           vfs objects = dfs_samba4 acl_xattr

> >>           idmap_ldb:use rfc2307 = yes

> >>           kerberos method = system keytab

> >>           client ldap sasl wrapping = sign

> >>           allow dns updates = nonsecure and secure

> >>           nsupdate command =  /usr/bin/nsupdate -g

> >>

> >>           ## map id's outside to domain to tdb files.

> >>           idmap config * : backend = tdb

> >>           idmap config * : range = 2000-9999

> >>           ### map ids from the domain and (*) the range may not overlap

> !

> >>           idmap config SERVERAD : backend = ad

> >>           idmap config SERVERAD : schema_mode = rfc2307

> >>           idmap config SERVERAD : range = 10000-3999999

> >>

> >>           ## Use home directory and shell information from AD

> >>           winbind nss info = rfc2307

> >>

> >>           winbind trusted domains only = no

> >>           winbind use default domain = yes

> >>           winbind expand groups = 4

> >>

> >>           # Disable Cups

> >>           load printers = no

> >>           printing = bsd

> >>           printcap name = /dev/null

> >>           disable spoolss = yes

> >>

> >> DC-LINUX1

> >>

> >> id userproxy01

> >> uid=3000370(SERVERAD\userproxy01) gid=100(users)

> >> grupos=100(users),3000370(SERVERAD\userproxy01),3000001(BUILTIN\users)

> >>

> >> getent passwd userproxy01

> >>

> SERVERAD\userproxy01:*:3000370:100:userproxy01:/home/SERVERAD/userproxy01:

> >> /bin/false

> >>

> >> DC-LINUX2

> >>

> >> id userproxy01

> >> uid=3000036(SERVERAD\userproxy01) gid=100(users)

> >> grupos=100(users),3000036(SERVERAD\userproxy01),3000001(BUILTIN\users)

> >>

> >> getent passwd userproxy01

> >>

> SERVERAD\userproxy01:*:3000036:100:userproxy01:/home/SERVERAD/userproxy01:

> >> /bin/false

> >>

> >>

> >> Thanks.

> >>

> >> Em 29-01-2016 10:07, L.P.H. van Belle escreveu:

> >>> Hai Rowland.

> >>>

> >>> What you tried is ok, or im misunderstanding you.

> >>>

> >>> For me :

> >>> All members give me.

> >>> getent passwd myuser

> >>> myuser:*:10002:10000::/home/users/myuser:/bin/bash

> >>>

> >>> id myuser

> >>> uid=10002(myuser) gid=10000(domain users)

> >>>

> >>> the memberservers are or sernet samba 4.2.7 or debian samba 4.1.17

> >>>

> >>> and on the DCs.  ( only sernet samba 4.2.7 )

> >>>

> >>> getent passwd myuser

> >>> myuser:*:10002:10000:L.P.H. van Belle:/home/users/ myuser:/bin/bash

> >>>

> >>> id myuser

> >>> uid=10002(myuser) gid=10000(domain users)

> >>>

> >>> forgot to mention 1 restriction.

> >>>

> >>> In the DC's i also have

> >>>           template shell = /bin/bash

> >>>           template homedir = /home/users/%U

> >>>

> >>> The restriction is that you must use above shell and homedirs for all

> >> you users and must be the same in the AD unix tab.

> >>> The GECOS is different, but who uses that..

> >>>

> >>>

> >>> Greetz,

> >>>

> >>> Louis

> >>>

> >>>

> >>>> -----Oorspronkelijk bericht-----

> >>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland

> penny

> >>>> Verzonden: vrijdag 29 januari 2016 12:42

> >>>> Aan: samba at lists.samba.org

> >>>> Onderwerp: Re: [Samba] Validate Ids Multiple DC

> >>>>

> >>>> On 29/01/16 08:59, L.P.H. van Belle wrote:

> >>>>> If you add the "not" supported winbind options from the member also

> to

> >>>> the DCs, then you will have the same resulting uid on all servers.

> >>>>> Official not supported, but works now for more then a year here.

> >>>>> ( sernet samba 4.2.7 on debian wheezy )

> >>>>>

> >>>>> This is my addition to the smb.conf on the DC.

> >>>>>            ## map id's outside to domain to tdb files.

> >>>>>            idmap config * : backend = tdb

> >>>>>            idmap config * : range = 2000-9999

> >>>>>            ## map ids from the domain and (*) the range may not

> overlap

> >> !

> >>>>>            idmap config NTDOMAIN : backend = ad

> >>>>>            idmap config NTDOMAIN : schema_mode = rfc2307

> >>>>>            idmap config NTDOMAIN : range = 10000-3999999

> >>>>>

> >>>>>            # Use home directory and shell information from AD

> >>>>>            winbind nss info = rfc2307

> >>>>>

> >>>>>            winbind trusted domains only = no

> >>>>>            winbind use default domain = yes

> >>>>>            winbind expand groups = 4

> >>>>>

> >>>>>

> >>>>> Greetz,

> >>>>>

> >>>>> Louis

> >>>>>

> >>>>>

> >>>>>

> >>>>>> -----Oorspronkelijk bericht-----

> >>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Mueller

> >>>>>> Verzonden: vrijdag 29 januari 2016 9:21

> >>>>>> Aan: 'Carlos A. P. Cunha'; samba at lists.samba.org

> >>>>>> Onderwerp: Re: [Samba] Validate Ids Multiple DC

> >>>>>>

> >>>>>> You can try to do it with the unix tab in rsat on the master dc (as

> I

> >>>> did)

> >>>>>> .  Both DCs have the same ids.

> >>>>>> On your memberservers this will be mapped by winbind(d)

> >>>>>> EX:

> >>>>>>

> >>>>>> [root at s4master ~]# id tester

> >>>>>> uid=90000(TPLK\tester) gid=100(users)

> >>>>>> Gruppen=100(users),3000051(TPLK\TerminalServer

> >>>>>>

> >>

> User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schre

> >>

> iben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(

> >>>>>> TPLK\HS3)

> >>>>>>

> >>>>>> [root at s4slave ~]# id tester

> >>>>>> uid=90000(TPLK\tester) gid=100(users)

> >>>>>> Gruppen=100(users),3000051(TPLK\TerminalServer

> >>>>>>

> >>

> User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schre

> >>

> iben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(

> >>>>>> TPLK\HS3)

> >>>>>>

> >>>>>> winbind(d)  mapping the same ids on 2 memberservers:

> >>>>>> [root at centclust1 ~]# id tester

> >>>>>> uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain

> >>>>>>

> >>

> users),1619(dienstplan),1625(hs3),1640(schreiben),1615(agfa),1637(pflege),

> >>>>>> 1643(terminalserver

> >>>>>> user),1630(orbis),1620(direktionv),4000001(BUILTIN\users)

> >>>>>>

> >>>>>>

> >>>>>> [root at centclust2 ~]# id tester

> >>>>>> uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain

> >>>>>>

> >>

> users),1615(agfa),1619(dienstplan),1625(hs3),1630(orbis),1637(pflege),1640

> >>>>>> (schreiben),1643(terminalserver

> >>>>>> user),1620(direktionv),100001(BUILTIN\users)

> >>>>>>

> >>>>>>

> >>>>>> EDV Daniel Müller

> >>>>>>

> >>>>>> Leitung EDV

> >>>>>> Tropenklinik Paul-Lechler-Krankenhaus

> >>>>>> Paul-Lechler-Str. 24

> >>>>>> 72076 Tübingen

> >>>>>> Tel.: 07071/206-463, Fax: 07071/206-499

> >>>>>> eMail: mueller at tropenklinik.de

> >>>>>> Internet: www.tropenklinik.de

> >>>>>>

> >>>>>>

> >>>>>>

> >>>>>>

> >>>>>> -----Ursprüngliche Nachricht-----

> >>>>>> Von: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]

> >>>>>> Gesendet: Freitag, 29. Januar 2016 00:43

> >>>>>> An: samba at lists.samba.org

> >>>>>> Betreff: [Samba] Validate Ids Multiple DC

> >>>>>>

> >>>>>> Hello!

> >>>>>> I have 2 Samba 4 servers (4.3.3) as DC and another Samba 4 (4.3) as

> >>>>>> Fileserver, until now all ok, but I'm one doubts, how to validate

> >> that

> >>>> in

> >>>>>> both servers the domain IDs of the users of this identical, a

> simple

> >>>> way

> >>>>>> to do this validation?

> >>>>>> I want to make sure that if a DC dies the fileserver keeps working 100%.

> >>>>>> thank you

> >>>>>>

> >>>>>> --

> >>>>>> To unsubscribe from this list go to the following URL and read the

> >>>>>> instructions:  https://lists.samba.org/mailman/options/samba

> >>>>>>

> >>>>>>

> >>>>>> --

> >>>>>> To unsubscribe from this list go to the following URL and read the

> >>>>>> instructions:  https://lists.samba.org/mailman/options/samba

> >>>> Hi Louis, you keep saying adding the domain member lines to a DC

> works

> >>>> for you, so I thought it was time I tried them again.

> >>>>

> >>>> This is before adding the lines:

> >>>>

> >>>> root at testdc1:~# getent passwd rowland

> >>>> HOME\rowland:*:10000:10000:Rowland

> Penny:/home/HOME/rowland:/bin/false

> >>>>

> >>>> Now add the lines to smb.conf:

> >>>>

> >>>>            ## map id's outside to domain to tdb files.

> >>>>            idmap config * : backend = tdb

> >>>>            idmap config * : range = 2000-9999

> >>>>            ## map ids from the domain and (*) the range may not

> overlap

> >> !

> >>>>            idmap config HOME : backend = ad

> >>>>            idmap config HOME : schema_mode = rfc2307

> >>>>            idmap config HOME : range = 10000-3999999

> >>>>

> >>>>            # Use home directory and shell information from AD

> >>>>            winbind nss info = rfc2307

> >>>>

> >>>>            winbind trusted domains only = no

> >>>>            winbind use default domain = yes

> >>>>            winbind expand groups = 4

> >>>>

> >>>> Ran 'net cache flush' and then 'service samba-ad-dc restart'

> >>>>

> >>>> Checked again:

> >>>>

> >>>> root at testdc1:~# getent passwd rowland

> >>>> HOME\rowland:*:10000:10000:Rowland

> Penny:/home/HOME/rowland:/bin/false

> >>>>

> >>>> Absolutely no difference, this is with Samba 4.3.3

> >>>>

> >>>> Rowland

> >>>>

> >>>>

> >>>> --

> >>>> To unsubscribe from this list go to the following URL and read the

> >>>> instructions:  https://lists.samba.org/mailman/options/samba

> >>>

> >

> 

> 

> --

> To unsubscribe from this list go to the following URL and read the

> instructions:  https://lists.samba.org/mailman/options/samba

 


