[Samba] (no subject)

Rowland Penny rpenny at samba.org
Sun Mar 3 10:14:19 UTC 2019


On Sat, 2 Mar 2019 17:57:41 -0500
Jonathon Reinhart via samba <samba at lists.samba.org> wrote:


> On Fri, Mar 1, 2019 at 9:04 AM L.P.H. van Belle via samba
> <samba at lists.samba.org> wrote:
> [snip]
> > few minor points.
> >
> > REALM="ad.onthefive.com"
> > Realm always in CAPS, this prevents problems with other programs.
> > Most programs expect REALM in CAPS. For example postfix expects
> > REALM in CAPS.
> 
> I agree with you, however:
> 
> 1) The Samba Wiki [1] uses lowercase:

It doesn't any more.

> 
> > I suggest you add a note here that the DNS-domain and REALM are 2
> > different things. And the other sidenote on this is, often the
> > dns-domain == REALM ( but in caps )

Whilst a REALM and a dns domain are different things, one relies on the
other and, to look at, the only difference is the case.

> 
> Yes, this is a great point. Does the term "REALM" apply to anything
> besides Kerberos?

Not to my knowledge.

> > I also suggest, add a check if the reverse zone exists.
> 
> Can you elaborate? Are you suggesting to check for a reverse DNS entry
> for the IP address of the DC?

Yes, I think he does.
 
> 
> [snip]
> > apt install ssh-krb5 libpam-krb5 libnss-winbind libpam-winbind
> >
> > That configures 1-2 parameters in sshd_config and gives you directly
> > the ability to login with kerberos. Note, not accounting for the
> > missing "templates" parameters.
> >
> > Default: template homedir = /home/%D/%U
> > Default: template shell = /bin/false
> > (man smb.conf)
> > And how are the homedirs created, through ADUC or mk_homedir
> >
> > Needed on the DCs with logins and members that used RID setup also
> > set in /etc/nsswitch.conf passwd:         compat winbind
> > group:          compat winbind
> 
> I actually wrote a subsequent blog post, where I set up all of the
> winbind configuration:
> https://jonathonreinhart.com/posts/blog/2019/02/26/configuring-winbind-on-a-samba-ad-dc-on-debian-9

I will go and read it.

> 
> I did not include kerberos login, however, so thank you for that!
> 
> Setting uidNumber, gidNumber, etc. from Microsoft tools is
> deprecated, so I plan to put together some solution to automatically
> assign them during/after user creation, e.g.
> 
> - https://serverfault.com/q/764185/55544
> - https://serverfault.com/q/484908/55544

Adding RFC2307 to a user was never automatic on ADUC, you had to use
the 'Unix Attributes' tab and it is this that has been removed.

> 
> I used pam_mkhomedir to create the home directory on the DC.
> 
> Correct me if I'm wrong, but winbind (on a Samba DC) can **only** use
> "template homedir" and "template shell", and will not respect the RFC
> 2307 attributes in LDAP. Is that correct?

Yes and no ;-)

If you use the 'rid' backend, you must use the template lines. If you
use the 'ad' backend, then the RFC2307 attributes in AD will be used.
  

> In general, I prefer DHCP reservations over static IP addresses, and
> in fact, that's how my current DC is running. But if it's safer, I
> will change to use a static IP address, and update /etc/hosts, etc.

Provided your DCs always have the same IP address, it doesn't matter
how they are set, static settings just ensure this.

> 
> [snip]
> > > Is what I'm attempting to do a valid operation? Or is it weird
> > > that realmd is trying to "join" the DC to the domain?
> >
> > No, not strange, but realmd is "joining" the AD-DC and it's trying
> > that with member settings. That won't work on the DC itself of course.
> 
> I abandoned the idea of using Realmd on the DC itself. I'm still
> hoping to use Realmd + SSSD on my other Linux servers, like I have
> with Microsoft Active Directory.

This is your decision, but be aware that Samba does not provide them,
so cannot support them.

Rowland
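
An added example, not part of the original message and not Samba's own tooling: a small Python lint over the points raised in this thread (REALM in capitals, the template defaults that apply with the 'rid' backend, winbind in /etc/nsswitch.conf). The sample files, the `parse_global` and `lint` names and the finding labels are constructed for illustration.

```python
import re

# Constructed sample files (invented for this example, not from the thread).
SAMPLE_SMB_CONF = """\
[global]
    realm = ad.example.com
    workgroup = EXAMPLE
    idmap config EXAMPLE : backend = rid
    template shell = /bin/bash
"""
SAMPLE_NSSWITCH = """\
passwd:         compat winbind
group:          compat
"""

def parse_global(text):
    """Return [global] parameters as {name: value}; names lowercased, spaces collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint(smb_conf, nsswitch):
    """Return finding labels (hypothetical names) for the points in the thread."""
    findings, g = [], parse_global(smb_conf)
    if g.get("realm", "") != g.get("realm", "").upper():
        findings.append("realm-not-uppercase")
    rid = any(re.fullmatch(r"idmap config .+:\s*backend", k) and v.lower() == "rid"
              for k, v in g.items())
    if rid:  # 'rid' backend: template lines apply, unset ones take the defaults
        for name in ("template homedir", "template shell"):
            if name not in g:
                findings.append(name.replace(" ", "-") + "-default")
    for db in ("passwd", "group"):
        entry = re.search(rf"^{db}:(.*)$", nsswitch, re.M)
        if not entry or "winbind" not in entry.group(1).split():
            findings.append(f"nsswitch-{db}-no-winbind")
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE_SMB_CONF, SAMPLE_NSSWITCH))
```

A "template-shell-default" finding means the /bin/false default quoted above is in effect, so shell logins for domain users will fail.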


