[Samba] Samba with AD : SID rejected

Vincent Ducot vincent.ducot at rubycat-labs.com
Fri May 3 13:57:04 UTC 2019


Thanks for your time.

Now, wbinfo -G 13010 and wbinfo -Y work.

But I still don't see any domain users in getent passwd, and wbinfo
--user-sids=S-1-5-21-2816186202-4468957523-2022743653-4403 still fails with

getusersids S-1-5-21-2816186202-4468957523-2022743653-4403
[2019/05/03 15:50:51.978858,  3, pid=910, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/wb_queryuser.c:59(wb_queryuser_send)
  wb_queryuser_send: My domain -- rejecting
S-1-5-21-2816186202-4468957523-2022743653-4403
[2019/05/03 15:50:51.978871,  5, pid=910, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_getusersids.c:94(winbindd_getusersids_recv)
  Could not convert sid S-1-5-21-2816186202-4468957523-2022743653-4403:
NT_STATUS_NO_SUCH_USER


The output of systemd-resolve --status is

Global
          DNSSEC NTA: 10.in-addr.arpa
           <many others>

Link 2 (ens18)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.0.0.2

and my interface's configuration is

ens18:
      addresses: [ 10.0.0.3/24 ]
      gateway4: 10.0.0.1
      nameservers:
          addresses:
              - "10.0.0.2"

I don't use the other network interface (10.1.0.3), it's not connected
to the same network.

Regards,

Vincent

On 03/05/2019 at 15:13, L.P.H. van Belle wrote:
> Hai Vincent, 
>
> Ok, Here it comes. 
> In order of the debug log. 
>
> Hostname: share	< possible, so not wrong. 
> DNS Domain: 	< wrong, you need the dnsdomain here. ( as in dom.tld) 
> FQDN: share		< wrong, FQDN = should be share.foo.lab
> ipaddress: 10.0.0.3 10.1.0.3 	< possible. 
>
> /etc/hosts, add 
>
> 10.0.0.3	share.foo.lab share
> 10.1.0.3	share.foo.lab share
>
> Extra check. 
> dig a share.foo.lab
> dig a share	( should fail, that is correct ) 
> dig -x 10.0.0.3
> dig -x 10.1.0.3
> Should both give the correct hostname +dns zone back. 
>
>
>
> /etc/resolv.conf, that's possible, ( on hold, more later on ). 
>
>
> Krb5.conf
> default_realm = FOO.LAB	
>
> So based on REALM FOO.LAB I would have expected that 
> DNS Domain : foo.lab
> FQDN: share.foo.lab
>
> Would be set. 
>
> Remove this part. 
> 	FOO.LAB = {
> 		kdc = dc.foo.lab
> 	}
> 	and later in domain_realm 
> 	Remove : 	.foo.lab = FOO.LAB
>
> This setting is doing that already for you.
> 	dns_lookup_kdc = true 
>
> Change /etc/nsswitch.conf 
> passwd:         compat winbind systemd
> group:          compat winbind systemd
>
> So enable the ones on the top and remove them on the bottom of nsswitch.conf
>
> Smb.conf
> netbios name= SHARE
>
> Run : hostname -s 
> hostname -a 
> -a and -s might be the same, but your real hostname = "hostname -s" 
> hostname -f 
> hostname -A 
> Same, might be the same, but your real hostname = "hostname -f" 
>
> The outputs of -s and -f are the values you need. 
>
> Lower in smb.conf I see : 
>    interfaces = ens18 
>
> So this is your primary interface, correct ? That is often the interface with the default route. ( route -n |grep default ) 
>
> ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
>     link/ether 86:ba:b4:9e:2b:5c brd ff:ff:ff:ff:ff:ff
>     inet 10.0.0.3/24 brd 10.0.0.255 scope global ens18
>     inet6 fe80::84ba:b4ff:fe9e:2b5c/64 scope link 
>
> So if you check the output of hostname -s and hostname -i ( and -f for the full name. )
> You should see the correct hostname and ip 
> If not then that needs correcting first in /etc/hosts
>
>
> The default smb.conf is based on a stand alone server and is not correct for your use. 
>
> So review this again, this is cleaned-up. 
> # --- SMB.CONF BEGIN  
> [global]
>
> log level = 10
>
> security = ADS
> workgroup = FOO
> realm = FOO.LAB
> netbios name = SHARE
> server string = %h server (Samba, Ubuntu)
> server role = member server
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> idmap config FOO:backend = ad
> idmap config FOO:schema_mode = rfc2307
> idmap config FOO:range = 10000-999999
> idmap config FOO:unix_nss_info = yes
> idmap config FOO:unix_primary_group = yes
>
> dns proxy = no
> interfaces = lo ens18
> # optional you might want to change that to the ipnumbers. 
> # and do add lo.  
>
> username map = /etc/samba/user.map
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind refresh tickets = yes
> winbind offline logon = yes
>
> winbind use default domain = yes
> winbind trusted domains only = yes
> winbind expand groups = 4
>
> template shell = /bin/bash
> template homedir = /home/%U
>
> preferred master = no
> domain master = no
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> [homes]
>    comment = Home Directories
>    browseable = no
>    valid users = %U
>
> [printers]
>    comment = All Printers
>    browseable = no
>    path = /var/spool/samba
>    printable = yes
>    guest ok = no
>    read only = yes
>    create mask = 0700
>
> [print$]
>    comment = Printer Drivers
>    path = /var/lib/samba/printers
>    browseable = yes
>    read only = yes
>    guest ok = no
> # --- SMB.CONF END 
>
>
> The installed packages are ok. 
>
>
> I'm missing only one thing here. 
> The exact resolving. 
> Run this:  
> systemd-resolve --status 
> I'll add that to my script later on. 
>
> You should see in the Global part something like this
>
> root at rtd-dc1:~# systemd-resolve --status
> Global
>          DNS Servers: 192.168.0.1
>                       192.168.0.2
>           DNS Domain: primary.dnsdomain.tld
>                       dnsdomain.tld
>                       site2.dnsdomain.tld
>                       site3.dnsdomain.tld
> 	... ( more here.) 
>
> And on the Per interface part. 
> Link 2 (eth0)
>       Current Scopes: LLMNR/IPv4
>        LLMNR setting: yes
> MulticastDNS setting: no
>       DNSSEC setting: no
>     DNSSEC supported: no
> And the above part, that depends on how its configured. 
>
> Now, the DNS server ipnumbers ( the example ) as shown above,
> are these pointing to your AD-DC server?  
>
> If not, then I need to know how you configured your ip/interface. 
> Through netplan, systemd or /etc/network/interfaces. 
>
>
> Greetz, 
>
> Louis
> P.S. responses please to the list, I'm finishing some work here also. 
> If I'm not responding, Rowland will. 
>
>
>
>
>> -----Original message-----
>> From: Vincent Ducot [mailto:vincent.ducot at rubycat-labs.com] 
>> Sent: Friday 3 May 2019 14:34
>> To: L.P.H. van Belle
>> Subject: Re: [Samba] Samba with AD : SID rejected
>>
>> Hi, thanks for your answer.
>>
>> I attached the debug script result.
>>
>> I already tried to flush the cache and restart samba, but no 
>> more luck.
>>
>> wbinfo -G 13010 also gives me "failed to call wbcGidToSid:
>> WBC_ERR_DOMAIN_NOT_FOUND
>> Could not convert gid 13010 to sid"
>>
>> but wbinfo -Y S-1-5-21-2816186202-4468957523-2022743653-513 
>> gives me 13010
>>
>> Thanks,
>>
>> Vincent
>>
>> On 03/05/2019 at 13:29, L.P.H. van Belle via samba wrote:
>>> Hai, 
>>>
>>>> @Louis
>>>> All packages were installed.
>>>> I changed my config file following your advice, the 
>> problem is still here.
>>>> I already followed guides from thctlo's github. 
>>> Yes, great, but please get the debug script I use/pointed 
>> to on my github. 
>>> You can pm it to me, if you don't want to show too much, or 
>> anonymize it and send it to the list. 
>>> P.S. Don't anonymize for example a dnsdomain my.domain.tld to 
>> MYDNSDOMAIN because I need these to be in the same format, 
>>> host.dom.tld, or I'm seeing strange things and then it is even 
>> harder to debug it. 
>>> I would start with 2 things. 
>>> krb5.conf, only this, if everything is in the same domain. 
>>>
>>> [libdefaults]
>>>     default_realm = YOUR.REALM.HERE 
>>>     dns_lookup_kdc = true
>>>     dns_lookup_realm = false
>>>
>>>
>>> Did you run 
>>> net cache flush 
>>> ? If not, then do it and restart samba
>>>
>>> This : 
>>>>> Getting SID from name (wbinfo -n) and name from SID (wbinfo -s)
>>>>> works . Commands with UID involved (wbinfo --sid-to-uid, wbinfo
>>>>> --uid-to-sid) work for my user vincent but not for the groups.
>>> Does not show how you tested the group. 
>>> Try this. 
>>> wbinfo -G 13010
>>>
>>> And use the output in 
>>> wbinfo -Y ...output of above 
>>>
>>> And whats the result. ( after the net cache flush and restart ) 
>>>
>>>
>>> Greetz, 
>>>
>>> Louis
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
>>>> Rowland Penny via samba
>>>> Sent: Friday 3 May 2019 13:10
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Samba with AD : SID rejected
>>>>
>>>> On Fri, 3 May 2019 12:06:38 +0200
>>>> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
>>>>
>>>>> Hi,
>>>>> Louis, Rowland, thanks for your answer.
>>>>>
>>>>> @Louis
>>>>> All packages were installed.
>>>>> I changed my config file following your advice, the 
>> problem is still
>>>>> here. I already followed guides from thctlo's github.
>>>>>
>>>>> @Rowland
>>>>> Yes, my dns domain was different, but answered also to 
>>>> test.lan. It's
>>>>> now set to 'kdc=dc.foo.lab'
>>>>> I have my user vincent with uidNumber 10010 and gidNumber 13010
>>>>> (corresponding to Domain Users group).
>>>>>
>>>>>
>>>>> Getting SID from name (wbinfo -n) and name from SID (wbinfo -s)
>>>>> works . Commands with UID involved (wbinfo --sid-to-uid, wbinfo
>>>>> --uid-to-sid) work for my user vincent but not for the groups.
>>>>>
>>>>> Could it be a Windows problem ? Is there any changes in attributes
>>>>> between 2016 and 2019 ? (I use evaluation version of 
>> 2019, not yet a
>>>>> licence)
>>>>>
>>>> Whilst I think that there are attribute changes between 
>> 2016 & 2019,
>>>> they will have been additions rather than removal. Samba, 
>>>> when using the
>>>> winbind 'ad' on Unix domain members, relies on RFC2307 
>> attributes and
>>>> if you can add them to AD, you shouldn't have a problem.
>>>>
>>>> I think your problem is more likely to be dns related. I note that
>>>> Louis pointed out that your kdc domain didn't seem to 
>> match your Samba
>>>> domain, so are all the machines in the same dns domain ?
>>>>
>>>> Rowland
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>
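The thread above turns on winbind's id mapping (the `idmap config` ranges, the rfc2307 uidNumber/gidNumber values 10010 and 13010, and the `My domain -- rejecting <SID>` debug line). The script below is an added example written for this page; it is not code from the thread or from the Samba project. It does offline what a practitioner would otherwise check by hand: parse the `idmap config` lines out of an smb.conf, flag a missing default range or overlapping ranges, tell which idmap domain a given uid/gid falls into (with `backend = ad`, an AD-stored id outside the domain's range is ignored by winbind, per idmap_ad(8)), pull the rejected SID out of the winbind log, and split it into domain SID and RID. The smb.conf fragment and log line are constructed from values quoted in the thread. One deliberate difference: the SID as posted has a second sub-authority of 4468957523, which is larger than a 32-bit sub-authority allows, so the strict parser here rejects it, and the constructed log line uses a SID of the same shape with that component changed. The final local-SID comparison is my own added check (`net getlocalsid` versus `net getdomainsid`), not something the thread names as the cause.

```python
# Added example for this page (not from the thread or from Samba): offline checks
# for the winbind id-mapping set-up discussed above. Sample inputs are constructed.
import re

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
REJECT_RE = re.compile(r"rejecting\s+(S-1-5-21(?:-\d+){4})")


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain_sid, rid).

    Strict: sub-authorities are unsigned 32-bit, the identifier authority is
    48-bit. Anything else raises ValueError instead of producing a bogus RID."""
    parts = sid.upper().split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1" \
            or not all(p.isdigit() for p in parts[2:]):
        raise ValueError("malformed SID: %r" % sid)
    if int(parts[2]) > 0xFFFFFFFFFFFF or any(int(p) > 0xFFFFFFFF for p in parts[3:]):
        raise ValueError("SID component out of range: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def parse_idmap_config(smb_conf):
    """Return {domain: {option: value}}; 'range' becomes an (low, high) int tuple.
    Domain names are upper-cased, so 'FOO' and 'foo' collapse into one entry."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = (int(x) for x in re.split(r"\s*-\s*", val))
            val = (low, high)
        cfg.setdefault(dom, {})[key] = val
    return cfg


def check_ranges(cfg):
    """Return a list of problems: no default range, inverted ranges, overlaps."""
    problems = []
    if "range" not in cfg.get("*", {}):
        problems.append("no 'idmap config * : range' for BUILTIN and well-known SIDs")
    ranged = [(d, c["range"]) for d, c in cfg.items() if "range" in c]
    for d, (low, high) in ranged:
        if low >= high:
            problems.append("%s: range low %d >= high %d" % (d, low, high))
    for i, (d1, (l1, h1)) in enumerate(ranged):
        for d2, (l2, h2) in ranged[i + 1:]:
            if l1 <= h2 and l2 <= h1:
                problems.append("ranges of %s and %s overlap" % (d1, d2))
    return problems


def owner_of_id(cfg, unix_id):
    """Which idmap domain's range contains unix_id (None if no range does).
    With backend = ad an rfc2307 uidNumber/gidNumber outside the domain's range
    is ignored, so the user or group ends up with no unix id at all."""
    for dom, c in cfg.items():
        low, high = c.get("range", (None, None))
        if low is not None and low <= unix_id <= high:
            return dom
    return None


def rejected_sids(log_text):
    """SIDs from 'My domain -- rejecting <SID>' winbind debug lines (the SID may
    be wrapped onto the next line, as in the posted log)."""
    return REJECT_RE.findall(log_text)


def local_sid_clashes(local_sid, domain_sid):
    """Added check (assumption, not from the thread): on a member server the
    machine's own SAM SID (net getlocalsid) must differ from the AD domain SID
    (net getdomainsid)."""
    return local_sid.upper() == domain_sid.upper()


# Constructed sample: idmap lines as in Louis's cleaned-up smb.conf.
SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config FOO:backend = ad
   idmap config FOO:schema_mode = rfc2307
   idmap config FOO:range = 10000-999999
"""

# Constructed sample: the posted debug line, with the over-long sub-authority
# replaced so the SID is syntactically valid.
WINBIND_LOG = """\
  wb_queryuser_send: My domain -- rejecting
S-1-5-21-2816186202-1468957523-2022743653-4403
"""

if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF)
    print("config problems:", check_ranges(cfg))
    for sid in rejected_sids(WINBIND_LOG):
        dom_sid, rid = parse_sid(sid)
        print("rejected: domain", dom_sid, "rid", rid)
    for unix_id in (10010, 13010, 5000, 2000):
        print(unix_id, "->", owner_of_id(cfg, unix_id))
```

Running it against the posted SID rather than the constructed one makes `parse_sid` raise, which is the point of the strict check: a SID that cannot be encoded is not one a domain controller issued, so the values in the log should be re-read before any further debugging.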


