[Samba] Fwd: Migrating server

L.P.H. van Belle belle at bazuin.nl
Fri Mar 2 23:27:12 UTC 2018


Hi, I'm still on holiday but I did see a few things, also in addition about the smb.conf.

In classic mode "dns forwarder" is deprecated, so I suggest avoiding the option.

This part: you set SSL off but also set the ports to the SSL ports.

ldap ssl = off
ldap passwd sync = yes

/etc/ldap/ldap.conf
BASE    dc=mydomain
URI     ldap://sam3dc.mydomain ldap://sam3dc.mydomain:666

Use
URI ldaps://sam3dc.mydomain
or ldaps://sam3dc.mydomain:666
and ldap ssl = on.


Long ago I wrote a classic setup on a Debian Sarge; there might still be some parts usable to help you in your setup, if a classic setup is a must.

Google "big samba howto debian only"; it should pop up in the top 10. It was posted on the samba list (around 2005-2007), if I recall it right.

I used smbldap-tools also, but as Rowland said, not really usable.

Now, I missed the part why a classic setup is needed.
But what I would do is the following, just because it gives you the same options but avoids the problem when MS removes the classic support from Win10. That will happen, just because MS keeps improving security settings.
Just my thought here.

Why not:
install a DC with internal DNS,
and use the phpldapadmin tools in place of smbldap-tools to manage it.

Another one I liked was ldapadmin, a small Windows tool but with nice plugins; I don't know the current state.

Let Win 10 use the DC functions, and other clients use LDAP where needed; that part is still the same as a classic setup, and preferably LDAPS IMO.

Again, I missed the part why the classic setup here..
but I hope you can use something of it.
Typing without glasses on my phone is not funny... ;-)
The beer is not helping either... :-))


Greetz, 

Louis
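As an added example (not code from this thread, from Louis or Harry, or from the Samba project), here is a small Python linter that catches the smb.conf mistakes discussed in this thread: duplicated parameters where the later line silently wins (the "logon home" and "local/domain/preferred master" lines), a debug-level "log level", "hosts deny = ALL" with no "hosts allow", a public "dns forwarder", a plain ldap:// passdb backend to a remote host with "ldap ssl" off, a "vfs objects" line that drops acl_xattr, and "follow symlinks = yes". The sample config is a trimmed, constructed copy of the quoted smb.conf; the "log level" threshold of 3 and the loopback exemption for the LDAP check are this example's own assumptions, not Samba rules.

```python
"""Lint an smb.conf for the mistakes discussed in this thread (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str, int]  # (section, parameter, value, line number)

# Constructed sample: a trimmed copy of the [global] and [homes] sections quoted
# in the thread, kept only to exercise the checks below. Not a recommended config.
SAMPLE_SMB_CONF = r"""
[global]
    workgroup = MYDOMAIN
    security = USER
    dns forwarder = 8.8.8.8
    passdb backend = ldapsam:ldap://127.0.0.1/
    ldap ssl= no
    log level = 10 auth:5
    local master = No
    domain master = No
    preferred master = No
    hosts deny = ALL
    logon home = \\%L\%u\%a\.profiles
    logon home = \\%L\%U\profile
    preferred master = Yes
    local master = Yes
    domain master = Yes

[homes]
    path = %H/samba
    vfs objects = full_audit
    follow symlinks = yes
"""


def parse_smb_conf(text: str) -> List[Entry]:
    """Flatten smb.conf into (section, parameter, value, line) tuples.

    Duplicates are kept in file order: Samba applies the *last* occurrence of a
    parameter, so the earlier ones are dead lines worth reporting. Parameter
    names are lower-cased with whitespace collapsed, so 'ldap ssl= no' and
    'ldap ssl = no' compare equal."""
    entries: List[Entry] = []
    section = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.append((section, " ".join(key.lower().split()), value.strip(), lineno))
    return entries


def effective(entries: List[Entry], section: str) -> Dict[str, str]:
    """Values Samba would actually use for a section: last occurrence wins."""
    return {key: value for sec, key, value, _ in entries if sec == section}


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1", "on")


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    entries = parse_smb_conf(text)
    findings: List[str] = []

    # 1. Duplicate parameters: the later line silently overrides the earlier one.
    seen: Dict[Tuple[str, str], int] = {}
    for sec, key, _, lineno in entries:
        if (sec, key) in seen:
            findings.append(f"[{sec}] '{key}' on line {lineno} overrides line {seen[(sec, key)]}")
        seen[(sec, key)] = lineno

    g = effective(entries, "global")

    # 2. Debug-level logging floods the log and records authentication detail;
    #    the threshold of 3 is this example's assumption.
    base = (g.get("log level", "0").split() or ["0"])[0]
    if base.isdigit() and int(base) > 3:
        findings.append(f"[global] 'log level = {g['log level']}' is a debug level; use 1 or 2 in production")

    # 3. 'hosts deny = ALL' with no 'hosts allow' blocks every client.
    if g.get("hosts deny", "").strip().lower() == "all" and "hosts allow" not in g:
        findings.append("[global] 'hosts deny = ALL' without 'hosts allow' denies every host")

    # 4. A public resolver as forwarder; the thread recommends a local DNS server.
    for ip in g.get("dns forwarder", "").split():
        try:
            if ipaddress.ip_address(ip).is_global:
                findings.append(f"[global] 'dns forwarder = {ip}' is a public resolver; point it at a local DNS server")
        except ValueError:
            pass  # a hostname rather than an address: nothing to decide offline

    # 5. ldapsam over plain ldap:// to a remote host with 'ldap ssl' off sends the
    #    admin bind and the password hashes in cleartext. Loopback is exempt here.
    m = re.search(r"ldapsam:ldap://([^/:]+)", g.get("passdb backend", ""))
    if m and g.get("ldap ssl", "off").strip().lower() in ("off", "no") \
            and m.group(1).lower() not in ("127.0.0.1", "localhost", "::1"):
        findings.append(f"[global] passdb backend talks plain LDAP to {m.group(1)} with 'ldap ssl' off (cleartext)")

    # 6. Per-share checks raised for [homes] in the thread.
    for sec in dict.fromkeys(e[0] for e in entries):
        ev = effective(entries, sec)
        vfs = ev.get("vfs objects", "").lower().split()
        if "full_audit" in vfs and "acl_xattr" not in vfs:
            findings.append(f"[{sec}] 'vfs objects' lists full_audit but not acl_xattr: ACL handling is disabled")
        if is_yes(ev.get("follow symlinks", "no")):
            findings.append(f"[{sec}] 'follow symlinks = yes' lets clients traverse links out of the share")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_SMB_CONF):
        print(finding)
```

Run it against a real file with `lint(open("/etc/samba/smb.conf").read())`; it complements `testparm`, which validates syntax and defaults but does not report which duplicated line was overridden or why a setting is risky.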


> Op 2 mrt. 2018 om 20:00 heeft Harry Jede via samba <samba at lists.samba.org> het volgende geschreven:
> 
> Hi Rob,
> Please stay on list. Otherwise I will charge you :-)
> By the way, I have no problem getting paid.
> 
>> Hi Harry,
>> 
>> The one very obvious difference is the result of this command: #
>> ldapsearch -xLLL -b dc=afrika,dc=xx -s sub -D
>> cn=admin,dc=afrika,dc=xx -w 'sambadomainname=*'
>> dn: sambaDomainName=SCHULE,dc=afrika,dc=xx
>> 
>> I get dn: sambaDomainName=MYDOMAIN, dc=mydomain which is different ,
>> should it be MYDOMAIN dc=sam3dc?
> I hope you have got the first line, the second will never work:
> dn: sambaDomainName=MYDOMAIN,dc=mydomain
> dn: sambaDomainName=MYDOMAIN, dc=mydomain
> 
> The difference is just one space. Remember, LDAP is whitespace sensitive!!!
> 
> You may get trouble with some DNS resolver libs, because you use only one "domain component". Search for ndots...
> You may also get trouble with certificate name validation for SSL/TLS hosts.
> 
>> sambaDomainName: MYDOMAIN
>> sambaSID: S-1-5-21-3936576374-1604338294-181246221
>> sambaAlgorithmicRidBase: 1000
>> objectClass: sambaDomain
> I prefer to add here an auxiliary objectclass: sambaUnixIdPool
> More later on
> 
>> sambaNextUserRid: 1000
>> sambaMinPwdLength: 5
>> sambaPwdHistoryLength: 0
>> sambaLogonToChgPwd: 0
>> sambaMaxPwdAge: -1
>> sambaMinPwdAge: 0
>> sambaLockoutDuration: 30
>> sambaLockoutObservationWindow: 30
>> sambaLockoutThreshold: 0
>> sambaForceLogoff: -1
>> sambaRefuseMachinePwdChange: 0
>> sambaNextRid: 1002
>> 
>> 
>> 
>> 
>> ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config
>> 'olcAttributeTypes=*' dn
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> dn: cn=schema,cn=config
>> 
>> dn: cn={0}core,cn=schema,cn=config
>> 
>> dn: cn={1}cosine,cn=schema,cn=config
>> 
>> dn: cn={2}nis,cn=schema,cn=config
>> 
>> dn: cn={3}inetorgperson,cn=schema,cn=config
>> 
>> dn: cn={4}samba,cn=schema,cn=config
> That is the minimum you need. So it is OK.
> 
>> 
>> ldapsearch -xLLL -s base -b dc=mydomain
>> dn: dc=mydomain
>> objectClass: top
>> objectClass: dcObject
>> objectClass: organization
>> o: mydomain
>> dc: mydomain
> OK
> 
>> 
>> 
>> 
>> The one thing I found is that when I tried to add a new Win10 machine
>> to the domain, I got wrong password. The login details I entered is
>> for a admin account. I then changed the password using smbpasswd and
>> then I got the machine was joined with another account error message
> OK. But what error message? What command?
> Please post the resulting machine account.
> 
> You should first try a Win 7 machine. From Win 7 to current Win 10
> the default settings for the SMB protocol have changed. Thanks to WannaCry.
> Maybe "max protocol = NT1" will help. But read man smb.conf section:
> client max protocol. Depending on the used clients you should go with
> the highest protocol level!!!
> 
>> The other bits are similar to yours. Here is the smb.conf
>> 
>> 
>> [global]
>>        workgroup = MYDOMAIN
>>        bind interfaces only = Yes
>>        netbios name = sam3DC
>>        security = USER
>>        dns forwarder = 8.8.8.8
> "dns forwarder" is not required, *but* if you set this entry,
> it should point to a local DNS server.
> Google is not always the best choice.
> 
>>  passdb backend = ldapsam:ldap://127.0.0.1/
>>  obey pam restrictions = no
> That I would change to yes. If yes, PAM can create the
> home directories if you add users from Windows tools or
> Samba tools. The user dir is created at first logon.
> The template directory is /etc/skel.
> 
>>  ldap admin dn = cn=admin,dc=mydomain
>>  ldap suffix = dc=mydomain
>>  ldap group suffix = ou=Group
>>  ldap user suffix = ou=People
>>  ldap machine suffix = ou=Computers
>>  ldap idmap suffix = ou=People
>>  ldap passwd sync = No
>>  unix password sync = Yes
>>  passwd program = /usr/sbin/smbldap-passwd -u %u
>>  passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>>  ldap ssl= no
>> 
>>       encrypt passwords = true
>>        password server = sam3dc
> What should be the benefit ???
> At first you set up this host as a PDC and then you delegate
> to another password server?
> 
>>         check password script = /usr/local/sbin/crackcheck -d
>> /var/cache/cracklib/cracklib_dict
>> 
>>        unix password sync = No
> You should add:
>        ldap passwd sync     = yes
>        pam password change  = yes
> to sync windows and unix passwords.
> 
>>        log level = 10 auth:5
> tooooooooooooo high
>        log level = 1 auth:5
> makes more sense
> 
>>        syslog = 0
>>        log file = /var/log/samba/log.%m
>>        max log size = 1000
>> 
>>         socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
>> SO_SNDBUF=8192 SO_RCVBUF=8192
> Please remove this line. Do not ask me or any other.
> Just do it. It is mystic.
> 
>>        local master = No
>>        domain master = No
>>        preferred master = No
> If this host should be a domain controller ( primary or secondary )
> change all to yes
> 
> Test it with nmblookup i.e.
> # nmblookup SCHULE
> querying SCHULE on 127.255.255.255
> 10.100.0.1 SCHULE<00>
> 
> # nmblookup -M  SCHULE
> querying SCHULE on 127.255.255.255
> 10.100.0.1 SCHULE<1d>
> 
> # nmblookup ALIX
> querying ALIX on 127.255.255.255
> 10.100.0.1 ALIX<00>
> 
> # nmblookup -M  ALIX
> querying ALIX on 127.255.255.255
> querying ALIX on 10.100.255.255
> name_query failed to find name ALIX#1d
> 
> Where SCHULE is the netbios domain name and
> ALIX is the PDC name.
> 
>>         invalid users =
>>          hosts deny = ALL
> Fine, you deny all hosts on your network. What are you doing here?
> 
>>        load printers = Yes
>>        printcap name = cups
>>        printing = cups
>>        add machine script = /usr/sbin/useradd -d /dev/null -g
>> machines -s /bin/false %u
> This will *not* add windows hosts to the ldap backend. So do not
> expect working windows machines.
> 
> A common script is:
>        add machine script   = /usr/sbin/smbldap-useradd -w "%u"
> 
>>        # Logon Options
>>        logon script = %U.bat
>>        logon drive = n:
>>        domain logons = Yes
>> 
>>        logon home = \\%L\%u\%a\.profiles
>>        logon home = \\%L\%U\profile
> Overwriting entries in this way seems bad practice, although surely it works.
> 
>>        logon path =
>> 
>>        # Browse Options
>>        os level = 65
>>        preferred master = Yes
>>        local master = Yes
>>        domain master = Yes
> Fine, you will set up the NetBIOS stuff. Please remove the
> other lines. These ones win, because they come later in this file.
> 
>>        # WINS Options
>>        dns proxy = No
>>        wins proxy = No
>>        wins support = Yes
>> 
>> 
>>        # Getting symlinks working for the OCEs
>>        unix extensions = no
>> 
>>        # Audit settings
>>        full_audit:prefix = %u|%I|%S
>>        full_audit:failure = none
>>        full_audit:success = mkdir rmdir read pread write pwrite
>> rename unlink
>>        full_audit:facility = local5
>>        full_audit:priority = notice
>> 
>> [homes]
>>        comment = Home Directories
>>        create mask = 0700
>>        directory mask = 0700
>>        browseable = No
>>        read only = No
>>        path = %H/samba
> unusual, but if it works for you
> 
>>        vfs objects = full_audit
> you have silently disabled acl handling!
>        vfs objects = acl_xattr full_audit
> 
>>        follow symlinks = yes
> Risky. Remove it if possible. Otherwise change symlinks to real dirs
> and remove them.
> 
> 
> 
> 
> Check if you have a machine account for your server:
> # ldapsearch -xLLL 'uid=hostname$'
> I assume you have none.
> 
> Now, the unixidpool:
> 
> Add the attached    ldif with:
> ldapmodify -x -D cn=admin,dc=mydomain -W -f unixidpool.ldif
> 
> check if it is OK
> # ldapsearch -xLLL objectclass=sambaunixidpool
> 
> Restart samba and reapply the admin password. This should add the machine account:
> smbpasswd -w <ldap admin password>
> 
> If the machine account is not there, restart both samba and winbind and wait some seconds.
> 
> The next usable uidNumber in sambaDomainName should change from 10000 to 10001.
> # ldapsearch -xLLL uidnumber=10001
> dn: sambaDomainName=SCHULE,dc=afrika,dc=xx
> objectClass: top
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaDomainName: SCHULE
> sambaSID: S-1-5-21-1507708399-2130971284-2230424465
> sambaAlgorithmicRidBase: 1000
> sambaNextRid: 100000
> sambaNextUserRid: 2000
> sambaNextGroupRid: 100000
> uidNumber: 10001
> gidNumber: 2000
> sambaPwdHistoryLength: 0
> sambaLogonToChgPwd: 0
> sambaMaxPwdAge: -1
> sambaMinPwdAge: 0
> sambaLockoutDuration: 30
> sambaLockoutObservationWindow: 30
> sambaLockoutThreshold: 0
> sambaForceLogoff: -1
> 
> have fun
> 
> # cat unixidpool.ldif 
> dn: sambaDomainName=MYDOMAIN,dc=mydomain
> changetype: modify
> add: objectclass
> objectclass: sambaUnixIdPool
> -
> add: uidnumber
> uidnumber: 10000
> -
> add: gidnumber
> gidnumber: 10000
> -
> 
> -- 
> 
> Gruss
>    Harry Jede
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
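The unixidpool step above is the one place in the thread where a wrong DN or an already-applied change fails at ldapmodify time. As an added example (not code from this thread or from OpenLDAP or Samba), this Python snippet parses the quoted unixidpool.ldif, a plain `changetype: modify` record, and applies it to a constructed in-memory copy of the sambaDomainName entry from the thread, mimicking two behaviours of slapd that matter here: attribute names are matched case-insensitively (the LDIF says `objectclass`, the entry says `objectClass`), and the DN is compared byte for byte, so the extra space in `MYDOMAIN, dc=mydomain` is rejected rather than silently matched. `DOMAIN_ENTRY`, `apply_modify` and `find_attr` are this example's own names; base64 (`::`) LDIF values are not handled.

```python
"""Apply an LDIF 'changetype: modify' record to an in-memory entry (added example)."""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]
Op = Tuple[str, str, List[str]]  # (add|replace|delete, attribute, values)

# Constructed in-memory copy of the sambaDomainName entry quoted in the thread.
DOMAIN_DN = "sambaDomainName=MYDOMAIN,dc=mydomain"
DOMAIN_ENTRY: Entry = {
    "objectClass": ["sambaDomain"],
    "sambaDomainName": ["MYDOMAIN"],
    "sambaSID": ["S-1-5-21-3936576374-1604338294-181246221"],
    "sambaAlgorithmicRidBase": ["1000"],
    "sambaNextUserRid": ["1000"],
    "sambaNextRid": ["1002"],
}

# The unixidpool.ldif posted in the thread, verbatim.
UNIXIDPOOL_LDIF = """\
dn: sambaDomainName=MYDOMAIN,dc=mydomain
changetype: modify
add: objectclass
objectclass: sambaUnixIdPool
-
add: uidnumber
uidnumber: 10000
-
add: gidnumber
gidnumber: 10000
-
"""


def find_attr(entry: Entry, name: str) -> Optional[str]:
    """LDAP attribute names are case-insensitive ('uidnumber' == 'uidNumber').
    Return the key as stored in the entry, or None if absent."""
    for key in entry:
        if key.lower() == name.lower():
            return key
    return None


def parse_modify_ldif(text: str) -> Tuple[str, List[Op]]:
    """Parse one 'changetype: modify' record into (dn, operations).
    Folded lines (leading space, RFC 2849) are joined; each add/replace/delete
    block ends at a lone '-'."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn: Optional[str] = None
    changetype: Optional[str] = None
    ops: List[Op] = []
    current: Optional[Op] = None
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        if line == "-":
            if current is not None:
                ops.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        elif attr == "changetype":
            changetype = value.lower()
        elif attr in ("add", "replace", "delete"):
            current = (attr, value, [])
        elif current is not None and attr == current[1].lower():
            current[2].append(value)
        else:
            raise ValueError(f"unexpected LDIF line: {line!r}")
    if current is not None:
        ops.append(current)
    if dn is None or changetype != "modify":
        raise ValueError("not a 'changetype: modify' record")
    return dn, ops


def apply_modify(entry: Entry, entry_dn: str, ldif: str) -> Entry:
    """Return a modified copy of `entry`, following slapd's ldapmodify semantics.
    The DN is compared byte for byte, so a stray space is a mismatch, and adding
    a value that already exists fails as it does on the server."""
    dn, ops = parse_modify_ldif(ldif)
    if dn != entry_dn:
        raise ValueError(f"DN mismatch: LDIF {dn!r} vs entry {entry_dn!r}")
    result: Entry = {k: list(v) for k, v in entry.items()}
    for op, attr, values in ops:
        key = find_attr(result, attr) or attr
        if op == "add":
            existing = result.setdefault(key, [])
            for v in values:
                if v in existing:  # slapd answers attributeOrValueExists (20)
                    raise ValueError(f"{key}: value {v!r} already present")
                existing.append(v)
        elif op == "replace":
            if values:
                result[key] = list(values)
            else:
                result.pop(key, None)
        elif key in result:  # delete: whole attribute, or only the listed values
            remaining = [] if not values else [v for v in result[key] if v not in values]
            if remaining:
                result[key] = remaining
            else:
                del result[key]
    return result


if __name__ == "__main__":
    for k, vs in apply_modify(DOMAIN_ENTRY, DOMAIN_DN, UNIXIDPOOL_LDIF).items():
        for v in vs:
            print(f"{k}: {v}")
```

Running the module prints the entry as `ldapsearch -xLLL objectclass=sambaunixidpool` would show it after the real ldapmodify, with objectClass sambaUnixIdPool and uidNumber/gidNumber 10000; the server then bumps uidNumber to 10001 when it allocates the machine account, which is the check Harry describes.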