[Samba] Samba with AD : SID rejected
L.P.H. van Belle
belle at bazuin.nl
Fri May 3 14:20:41 UTC 2019
Hai,
wbinfo -Y S-1-5-21-2816186202-4468957523-2022743653-513
Does this resolve?
You should see "domain users"
And you're missing your primary dnsdomain. (search)
Go here.
https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt
You're missing (see line 370) search: [ internal.example.com ]
Add it..
Also I missed 2 other points.
smb.conf add: bind interfaces only = yes
And for readability, add it below your interfaces line.
The user map file
> !root = FOO\\administrateur change to
!root = FOO\administrateur
Then.
netplan --debug generate
systemctl daemon-reload
systemctl restart systemd-resolved
systemctl restart smbd winbind (optional nmbd, if running)
And try again.
Get users...
getent passwd username
id username
getent group "somegroup"
Greetz,
Louis
> -----Original message-----
> From: Vincent Ducot [mailto:vincent.ducot at rubycat-labs.com]
> Sent: Friday 3 May 2019 15:57
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Samba with AD : SID rejected
>
> Thanks for your time.
>
> Now, wbinfo -G 13010 and wbinfo -Y work.
>
> But I still don't see any domain users in getent passwd, and wbinfo
> --user-sids=S-1-5-21-2816186202-4468957523-2022743653-4403
> still fails with
>
> getusersids S-1-5-21-2816186202-4468957523-2022743653-4403
> [2019/05/03 15:50:51.978858, 3, pid=910, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_queryuser.c:59(wb_queryuser_send)
>   wb_queryuser_send: My domain -- rejecting S-1-5-21-2816186202-4468957523-2022743653-4403
> [2019/05/03 15:50:51.978871, 5, pid=910, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getusersids.c:94(winbindd_getusersids_recv)
>   Could not convert sid S-1-5-21-2816186202-4468957523-2022743653-4403: NT_STATUS_NO_SUCH_USER
>
>
> The output of systemd-resolve --status is
>
> Global
> DNSSEC NTA: 10.in-addr.arpa
> <many others>
>
> Link 2 (ens18)
> Current Scopes: DNS
> LLMNR setting: yes
> MulticastDNS setting: no
> DNSSEC setting: no
> DNSSEC supported: no
> DNS Servers: 10.0.0.2
>
> and my interface's configuration is
>
> ens18:
> addresses: [ 10.0.0.3/24 ]
> gateway4: 10.0.0.1
> nameservers:
> addresses:
> - "10.0.0.2"
>
> I don't use the other network interface (10.1.0.3), it's not connected
> to the same network.
>
> Regards,
>
> Vincent
>
> On 03/05/2019 at 15:13, L.P.H. van Belle wrote:
> > Hai Vincent,
> >
> > Ok, Here it comes.
> > In order of the debug log.
> >
> > Hostname: share < possible, so not wrong.
> > DNS Domain: < wrong, you need the dnsdomain here. (as in dom.tld)
> > FQDN: share < wrong, FQDN = should be share.foo.lab
> > ipaddress: 10.0.0.3 10.1.0.3 < possible.
> >
> > /etc/hosts, add
> >
> > 10.0.0.3 share.foo.lab share
> > 10.1.0.3 share.foo.lab share
> >
> > Extra check.
> > dig a share.foo.lab
> > dig a share ( should fail, that is correct )
> > dig -x 10.0.0.3
> > dig -x 10.1.0.3
> > Should both give the correct hostname +dns zone back.
> >
> >
> >
> > /etc/resolv.conf, that's possible, (on hold, more later on).
> >
> >
> > Krb5.conf
> > default_realm = FOO.LAB
> >
> > So based on REALM FOO.LAB i would have expected that.
> > DNS Domain : foo.lab
> > FQDN: share.foo.lab
> >
> > Would be set.
> >
> > Remove this part.
> > FOO.LAB = {
> > kdc = dc.foo.lab
> > }
> > and later in domain_realm
> > Remove : .foo.lab = FOO.LAB
> >
> > This setting is doing that already for you.
> > dns_lookup_kdc = true
> >
> > Change /etc/nsswitch.conf
> > passwd: compat winbind systemd
> > group: compat winbind systemd
> >
> > So enable the ones on the top and remove them on the bottom of nsswitch.conf
> >
> > Smb.conf
> > netbios name= SHARE
> >
> > Run : hostname -s
> > hostname -a
> > -a and -s might be the same, but your real hostname = "hostname -s"
> > hostname -f
> > hostname -A
> > Same, might be the same, but your real hostname = "hostname -f"
> >
> > The outputs of -s and -f are the values you need.
> >
> > Lower in smb.conf i see :
> > interfaces = ens18
> >
> > So this is your primary interface, correct ? That is often the interface with the default route. ( route -n |grep default )
> >
> > ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
> > link/ether 86:ba:b4:9e:2b:5c brd ff:ff:ff:ff:ff:ff
> > inet 10.0.0.3/24 brd 10.0.0.255 scope global ens18
> > inet6 fe80::84ba:b4ff:fe9e:2b5c/64 scope link
> >
> > So if you check the output of hostname -s and hostname -i (and -f for the full name.)
> > You should see the correct hostname and ip
> > If not then that needs correcting first in /etc/hosts
> >
> >
> > The default smb.conf is based on a stand alone server and is not correct for your use.
> >
> > So review this again, this is cleaned-up.
> > # --- SMB.CONF BEGIN
> > [global]
> >
> > log level = 10
> >
> > security = ADS
> > workgroup = FOO
> > realm = FOO.LAB
> > netbios name = SHARE
> > server string = %h server (Samba, Ubuntu)
> > server role = member server
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> >
> > idmap config FOO:backend = ad
> > idmap config FOO:schema_mode = rfc2307
> > idmap config FOO:range = 10000-999999
> > idmap config FOO:unix_nss_info = yes
> > idmap config FOO:unix_primary_group = yes
> >
> > dns proxy = no
> > interfaces = lo ens18
> > # optional you might want to change that to the ipnumbers.
> > # and do add lo.
> >
> > username map = /etc/samba/user.map
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> >
> > winbind refresh tickets = yes
> > winbind offline logon = yes
> >
> > winbind use default domain = yes
> > winbind trusted domains only = yes
> > winbind expand groups = 4
> >
> > template shell = /bin/bash
> > template homedir = /home/%U
> >
> > preferred master = no
> > domain master = no
> >
> > vfs objects = acl_xattr
> > map acl inherit = yes
> > store dos attributes = yes
> >
> > [homes]
> > comment = Home Directories
> > browseable = no
> > valid users = %U
> >
> > [printers]
> > comment = All Printers
> > browseable = no
> > path = /var/spool/samba
> > printable = yes
> > guest ok = no
> > read only = yes
> > create mask = 0700
> >
> > [print$]
> > comment = Printer Drivers
> > path = /var/lib/samba/printers
> > browseable = yes
> > read only = yes
> > guest ok = no
> > # --- SMB.CONF END
> >
> >
> > The installed packages are ok.
> >
> >
> > I'm missing only one thing here.
> > The exact resolving.
> > Run this:
> > systemd-resolve --status
> > I'll add that to my script later on.
> >
> > You should see in the Global part something like this
> >
> > root at rtd-dc1:~# systemd-resolve --status
> > Global
> > DNS Servers: 192.168.0.1
> > 192.168.0.2
> > DNS Domain: primary.dnsdomain.tld
> > dnsdomain.tld
> > site2.dnsdomain.tld
> > site3.dnsdomain.tld
> > ... ( more here.)
> >
> > And on the Per interface part.
> > Link 2 (eth0)
> > Current Scopes: LLMNR/IPv4
> > LLMNR setting: yes
> > MulticastDNS setting: no
> > DNSSEC setting: no
> > DNSSEC supported: no
> > And the above part, that depends on how its configured.
> >
> > Now, the DNS server ipnumbers ( the example ) as shown above,
> > are these pointing to your AD-DC server?
> >
> > If not, then i need to know how you configured your ip/interface.
> > Through netplan, systemd or /etc/network/interfaces.
> >
> >
> > Greetz,
> >
> > Louis
> > P.S. Responses please to the list, I'm finishing some work here also.
> > If I'm not responding, Rowland will.
> >
> >
> >
> >
> >> -----Original message-----
> >> From: Vincent Ducot [mailto:vincent.ducot at rubycat-labs.com]
> >> Sent: Friday 3 May 2019 14:34
> >> To: L.P.H. van Belle
> >> Subject: Re: [Samba] Samba with AD : SID rejected
> >>
> >> Hi, thanks for your answer.
> >>
> >> I attached the debug script result.
> >>
> >> I already tried to flush the cache and restart samba, but no
> >> more luck.
> >>
> >> wbinfo -G 13010 give me also "failed to call wbcGidToSid: WBC_ERR_DOMAIN_NOT_FOUND
> >> Could not convert gid 13010 to sid"
> >>
> >> but wbinfo -Y S-1-5-21-2816186202-4468957523-2022743653-513
> >> give me 13010
> >>
> >> Thanks,
> >>
> >> Vincent
> >>
> >> On 03/05/2019 at 13:29, L.P.H. van Belle via samba wrote:
> >>> Hai,
> >>>
> >>>> @Louis
> >>>> All packages were installed.
> >>>> I change my config file following your advices, the problem is still here.
> >>>> I already followed guides from thctlo's github.
> >>> Yes, great, but please get the debug script I use/pointed to on my github.
> >>> You can PM it to me, if you don't want to show too much, or anonymize it and send it to the list.
> >>> P.S. Don't anonymize for example a dnsdomain my.domain.tld to MYDNSDOMAIN, because I need these to be in the same format, host.dom.tld, or I'm seeing strange things and then it is even harder to debug.
> >>> I would start with 2 things.
> >>> krb5.conf, only this, if everything is in the same domain.
> >>>
> >>> [libdefaults]
> >>> default_realm = YOUR.REALM.HERE
> >>> dns_lookup_kdc = true
> >>> dns_lookup_realm = false
> >>>
> >>>
> >>> Did you run
> >>> net cache flush
> >>> No, then do it and restart samba
> >>>
> >>> This :
> >>>>> Getting SID from name (wbinfo -n) and name from SID (wbinfo -s)
> >>>>> works . Commands with UID involved (wbinfo --sid-to-uid, wbinfo
> >>>>> --uid-to-sid) work for my user vincent but not for the groups.
> >>> Does not show how you tested the group.
> >>> Try this.
> >>> wbinfo -G 13010
> >>>
> >>> And use the output in
> >>> wbinfo -Y ...output of above
> >>>
> >>> And whats the result. ( after the net cache flush and restart )
> >>>
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >>>
> >>>> -----Original message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >>>> Rowland Penny via samba
> >>>> Sent: Friday 3 May 2019 13:10
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] Samba with AD : SID rejected
> >>>>
> >>>> On Fri, 3 May 2019 12:06:38 +0200
> >>>> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
> >>>>
> >>>>> Hi,
> >>>>> Louis, Rowland, thanks for you answer.
> >>>>>
> >>>>> @Louis
> >>>>> All packages were installed.
> >>>>> I change my config file following your advices, the problem is still here. I already followed guides from thctlo's github.
> >>>>>
> >>>>> @Rowland
> >>>>> Yes, my dns domain was different, but answered also to test.lan. It's now set to 'kdc=dc.foo.lab'
> >>>>> I have my user vincent with uidNumber 10010 and gidNumber 13010
> >>>>> (corresponding to Domain Users group).
> >>>>>
> >>>>>
> >>>>> Getting SID from name (wbinfo -n) and name from SID (wbinfo -s)
> >>>>> works . Commands with UID involved (wbinfo --sid-to-uid, wbinfo
> >>>>> --uid-to-sid) work for my user vincent but not for the groups.
> >>>>>
> >>>>> Could it be a Windows problem ? Are there any changes in attributes between 2016 and 2019 ? (I use an evaluation version of 2019, not yet a licence)
> >>>>>
> >>>> Whilst I think that there are attribute changes between 2016 & 2019, they will have been additions rather than removals. Samba, when using winbind 'ad' on Unix domain members, relies on RFC2307 attributes and if you can add them to AD, you shouldn't have a problem.
> >>>>
> >>>> I think your problem is more likely to be dns related. I note that Louis pointed out that your kdc domain didn't seem to match your Samba domain, so are all the machines in the same dns domain ?
> >>>>
> >>>> Rowland
> >>>>
>
>
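The idmap lines in the smb.conf Louis posted decide whether winbind will ever hand out uid 10010 or gid 13010: the 'ad' backend only maps an RFC2307 uidNumber/gidNumber that lies inside its configured range, and the '*' range (used for BUILTIN and other well-known SIDs) must not overlap the domain range. The following is an added example, not code from this thread or from the Samba project: it parses the idmap settings out of a constructed smb.conf fragment (the same values as the config above), flags overlapping ranges, and reports any AD id that falls outside the domain's 'ad' range. The function names, the embedded sample config and the id list are assumptions made for the example.

```python
import re

# Constructed sample: the idmap-relevant lines of the [global] section from
# the thread's smb.conf (same values; unrelated options dropped).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = FOO
   realm = FOO.LAB
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config FOO:backend = ad
   idmap config FOO:schema_mode = rfc2307
   idmap config FOO:range = 10000-999999
"""

# 'idmap config <domain> : <option> = <value>'; Samba accepts spaces around ':'.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$", re.I)


def parse_idmap(text):
    """Collect every 'idmap config' line into {domain: {option: value}}.

    Only those lines matter for this check; the rest of smb.conf is ignored.
    Domain keys are upper-cased, matching how workgroup names are written.
    """
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0]   # strip comments
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(value):
    """'low-high' -> (low, high); raises ValueError for anything else."""
    lo, hi = (int(x) for x in value.split("-"))
    if lo < 0 or lo >= hi:
        raise ValueError(f"invalid idmap range {value!r}")
    return lo, hi


def check_idmap(cfg, unix_ids):
    """Return a list of problem strings; an empty list means the config passes.

    unix_ids: [(label, number), ...] -- uidNumber/gidNumber values stored in
    AD that winbind is expected to resolve.  An id only resolves if it lies
    inside the range of the 'ad' backend of its domain; ids outside that
    range (including ids that happen to sit in the '*' range) are ignored.
    """
    problems = []
    ranges = {}
    for dom, opts in cfg.items():
        if "range" not in opts:
            problems.append(f"{dom}: no 'range' configured")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as e:
            problems.append(f"{dom}: {e}")
    if "*" not in cfg:
        problems.append("no 'idmap config *' default backend")

    # Ranges of different backends must be disjoint.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(
                    f"ranges of {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")

    # RFC2307 ids must fall inside the 'ad' range of their domain.
    for dom, opts in cfg.items():
        if dom == "*" or dom not in ranges:
            continue
        if opts.get("backend", "").lower() != "ad":
            continue
        lo, hi = ranges[dom]
        for label, num in unix_ids:
            if not lo <= num <= hi:
                problems.append(
                    f"{label}={num} is outside {dom} range {lo}-{hi}; "
                    "winbind will not map it")
    return problems


if __name__ == "__main__":
    cfg = parse_idmap(SAMPLE_SMB_CONF)
    # The ids mentioned in the thread: vincent's uidNumber and Domain Users' gidNumber.
    ids = [("vincent uidNumber", 10010), ("Domain Users gidNumber", 13010)]
    for p in check_idmap(cfg, ids) or ["idmap config OK"]:
        print(p)
```

Run it against a real smb.conf by reading the file into `parse_idmap` and passing the uidNumber/gidNumber values you see in AD (for example from `ldbsearch` or ADUC); any reported problem explains a `getent`/`wbinfo` lookup that silently returns nothing, whereas a clean result points the search back at DNS and Kerberos as Louis and Rowland suggest.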