[Samba] Samba with AD : SID rejected

Vincent Ducot vincent.ducot at rubycat-labs.com
Fri May 3 15:16:41 UTC 2019


On 03/05/2019 at 16:20, L.P.H. van Belle wrote:
> Hai, 
>
> wbinfo -Y S-1-5-21-2816186202-4468957523-2022743653-513
> Does this resolve? 
> You should see "domain users" 

I see 13010 (that's normal according to the doc),
but wbinfo --sid-to-fullname
S-1-5-21-2816186202-4468957523-2022743653-513 gives me "domain users".


>
> And you're missing your primary dnsdomain. (search) 
>
> Go here. 
>
> https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt
>
> You're missing, ( see line 370 )    search: [ internal.example.com ] 
> Add it.. 

Ok, added, thanks.


>
> Also i missed 2 other points. 
>
> smb.conf add: bind interfaces only = yes 
> And for readability, add it below your interface line. 
>
> The user map file 
>  > !root = FOO\\administrateur  change to 
> !root = FOO\administrateur
>
> Then. 
>
> netplan --debug generate
>
> systemctl daemon-reload
> systemctl restart systemd-resolved
>
> systemctl restart smbd winbind (optional nmbd, if running) 
>
> And try again. 
>
> Get users. .. 
> getent passwd username
> id username 
> getent group "somegroup" 
>
>
> Greetz, 
>
> Louis

getent passwd still only shows local unix accounts, and I got the error
"getpwent failed: NT_STATUS_NO_MORE_ENTRIES" in log.winbindd.

getent passwd vincent shows nothing and I got in the log file:

winbindd_getpwnam: My domain -- rejecting getpwnam() for RC\vducot.
[2019/05/03 17:14:52.447645,  5, pid=1380, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER

Regards,

Vincent

>
>  
>
>> -----Original Message-----
>> From: Vincent Ducot [mailto:vincent.ducot at rubycat-labs.com] 
>> Sent: Friday 3 May 2019 15:57
>> To: L.P.H. van Belle; samba at lists.samba.org
>> Subject: Re: [Samba] Samba with AD : SID rejected
>>
>> Thanks for your time.
>>
>> Now,  wbinfo -G 13010 and wbinfo -Y work.
>>
>> But I still don't see any domain users in getent passwd, and wbinfo
>> --user-sids=S-1-5-21-2816186202-4468957523-2022743653-4403 
>> still fails with
>>
>> getusersids S-1-5-21-2816186202-4468957523-2022743653-4403
>> [2019/05/03 15:50:51.978858,  3, pid=910, effective(0, 0), real(0, 0),
>> class=winbind] 
>> ../source3/winbindd/wb_queryuser.c:59(wb_queryuser_send)
>>   wb_queryuser_send: My domain -- rejecting
>> S-1-5-21-2816186202-4468957523-2022743653-4403
>> [2019/05/03 15:50:51.978871,  5, pid=910, effective(0, 0), real(0, 0),
>> class=winbind]
>> ../source3/winbindd/winbindd_getusersids.c:94(winbindd_getuser
>> sids_recv)
>>   Could not convert sid 
>> S-1-5-21-2816186202-4468957523-2022743653-4403:
>> NT_STATUS_NO_SUCH_USER
>>
>>
>> The output of systemd-resolve --status is
>>
>> Global
>>           DNSSEC NTA: 10.in-addr.arpa
>>            <many others>
>>
>> Link 2 (ens18)
>>       Current Scopes: DNS
>>        LLMNR setting: yes
>> MulticastDNS setting: no
>>       DNSSEC setting: no
>>     DNSSEC supported: no
>>          DNS Servers: 10.0.0.2
>>
>> and my interface's configuration is
>>
>> ens18:
>>       addresses: [ 10.0.0.3/24 ]
>>       gateway4: 10.0.0.1
>>       nameservers:
>>           addresses:
>>               - "10.0.0.2"
>>
>> I don't use the other network interface (10.1.0.3), it's not connected
>> to the same network.
>>
>> Regards,
>>
>> Vincent
>>
>> On 03/05/2019 at 15:13, L.P.H. van Belle wrote:
>>> Hai Vincent, 
>>>
>>> Ok, Here it comes. 
>>> In order of the debug log. 
>>>
>>> Hostname: share	< possible, so not wrong. 
>>> DNS Domain: 	< wrong, you need the dnsdomain here. ( as in dom.tld) 
>>> FQDN: share		< wrong, FQDN = should be share.foo.lab
>>> ipaddress: 10.0.0.3 10.1.0.3 	< possible. 
>>>
>>> /etc/hosts, add 
>>>
>>> 10.0.0.3	share.foo.lab share
>>> 10.1.0.3	share.foo.lab share
>>>
>>> Extra check. 
>>> dig a share.foo.lab
>>> dig a share	( should fail, that is correct ) 
>>> dig -x 10.0.0.3
>>> dig -x 10.1.0.3
>>> Should both give the correct hostname +dns zone back. 
>>>
>>>
>>>
>>> /etc/resolv.conf, that's possible, ( on hold, more later on ). 
>>>
>>>
>>> Krb5.conf
>>> default_realm = FOO.LAB	
>>>
>>> So based on REALM FOO.LAB I would have expected that 
>>> DNS Domain : foo.lab
>>> FQDN: share.foo.lab
>>>
>>> Would be set. 
>>>
>>> Remove this part. 
>>> 	FOO.LAB = {
>>> 		kdc = dc.foo.lab
>>> 	}
>>> 	and later in domain_realm 
>>> 	Remove : 	.foo.lab = FOO.LAB
>>>
>>> This setting is doing that already for you.
>>> 	dns_lookup_kdc = true 
>>>
>>> Change /etc/nsswitch.conf 
>>> passwd:         compat winbind systemd
>>> group:          compat winbind systemd
>>>
>>> So enable the ones on the top and remove them on the bottom of nsswitch.conf
>>> Smb.conf
>>> netbios name= SHARE
>>>
>>> Run : hostname -s 
>>> hostname -a 
>>> -a and -s might be the same, but your real hostname = "hostname -s" 
>>> Hostname -f 
>>> hostname -A 
>>> Same, might be the same, but your real hostname = "hostname -f" 
>>>
>>> The outputs of -s and -f are the values you need. 
>>>
>>> Lower in smb.conf i see : 
>>>    interfaces = ens18 
>>>
>>> So this is your primary interface, correct ? That is often the interface with the default route. ( route -n |grep default ) 
>>> ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
>>>     link/ether 86:ba:b4:9e:2b:5c brd ff:ff:ff:ff:ff:ff
>>>     inet 10.0.0.3/24 brd 10.0.0.255 scope global ens18
>>>     inet6 fe80::84ba:b4ff:fe9e:2b5c/64 scope link 
>>>
>>> So if you check the output of hostname -s and hostname -i ( and -f for the full name. )
>>> You should see the correct hostname and ip 
>>> If not then that needs correcting first in /etc/hosts
>>>
>>>
>>> The default smb.conf is based on a stand alone server and is not correct for your use. 
>>> So review this again, this is cleaned-up. 
>>> # --- SMB.CONF BEGIN  
>>> [global]
>>>
>>> log level = 10
>>>
>>> security = ADS
>>> workgroup = FOO
>>> realm = FOO.LAB
>>> netbios name = SHARE
>>> server string = %h server (Samba, Ubuntu)
>>> server role = member server
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 3000-7999
>>>
>>> idmap config FOO:backend = ad
>>> idmap config FOO:schema_mode = rfc2307
>>> idmap config FOO:range = 10000-999999
>>> idmap config FOO:unix_nss_info = yes
>>> idmap config FOO:unix_primary_group = yes
>>>
>>> dns proxy = no
>>> interfaces = lo ens18
>>> # optional you might want to change that to the ipnumbers. 
>>> # and do add lo.  
>>>
>>> username map = /etc/samba/user.map
>>>
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>>
>>> winbind refresh tickets = yes
>>> winbind offline logon = yes
>>>
>>> winbind use default domain = yes
>>> winbind trusted domains only = yes
>>> winbind expand groups = 4
>>>
>>> template shell = /bin/bash
>>> template homedir = /home/%U
>>>
>>> preferred master = no
>>> domain master = no
>>>
>>> vfs objects = acl_xattr
>>> map acl inherit = yes
>>> store dos attributes = yes
>>>
>>> [homes]
>>>    comment = Home Directories
>>>    browseable = no
>>>    valid users = %U
>>>
>>> [printers]
>>>    comment = All Printers
>>>    browseable = no
>>>    path = /var/spool/samba
>>>    printable = yes
>>>    guest ok = no
>>>    read only = yes
>>>    create mask = 0700
>>>
>>> [print$]
>>>    comment = Printer Drivers
>>>    path = /var/lib/samba/printers
>>>    browseable = yes
>>>    read only = yes
>>>    guest ok = no
>>> # --- SMB.CONF END 
>>>
>>>
>>> The installed packages are ok. 
>>>
>>>
>>> I'm missing only one thing here. 
>>> The exact resolving. 
>>> Run this:  
>>> systemd-resolve --status 
>>> I'll add that to my script later on. 
>>>
>>> You should see in the Global part something like this
>>>
>>> root at rtd-dc1:~# systemd-resolve --status
>>> Global
>>>          DNS Servers: 192.168.0.1
>>>                       192.168.0.2
>>>           DNS Domain: primary.dnsdomain.tld
>>>                       dnsdomain.tld
>>>                       site2.dnsdomain.tld
>>>                       site3.dnsdomain.tld
>>> 	... ( more here.) 
>>>
>>> And on the Per interface part. 
>>> Link 2 (eth0)
>>>       Current Scopes: LLMNR/IPv4
>>>        LLMNR setting: yes
>>> MulticastDNS setting: no
>>>       DNSSEC setting: no
>>>     DNSSEC supported: no
>>> And the above part, that depends on how it's configured. 
>>>
>>> Now, the DNS server ipnumbers ( the example ) as shown above,
>>> are these pointing to your AD-DC server?  
>>>
>>> If not, then i need to know how you configured your ip/interface. 
>>> Through netplan, systemd or /etc/network/interfaces. 
>>>
>>>
>>> Greetz, 
>>>
>>> Louis
>>> P.S. responses please to the list, I'm finishing some work here also. 
>>> If I'm not responding, Rowland will. 
>>>
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: Vincent Ducot [mailto:vincent.ducot at rubycat-labs.com] 
>>>> Sent: Friday 3 May 2019 14:34
>>>> To: L.P.H. van Belle
>>>> Subject: Re: [Samba] Samba with AD : SID rejected
>>>>
>>>> Hi, thanks for your answer.
>>>>
>>>> I attached the debug script result.
>>>>
>>>> I already tried to flush the cache and restart samba, but no 
>>>> more luck.
>>>>
>>>> wbinfo -G 13010 also gives me "failed to call wbcGidToSid:
>>>> WBC_ERR_DOMAIN_NOT_FOUND
>>>> Could not convert gid 13010 to sid"
>>>>
>>>> but wbinfo -Y S-1-5-21-2816186202-4468957523-2022743653-513 
>>>> gives me 13010
>>>>
>>>> Thanks,
>>>>
>>>> Vincent
>>>>
>>>> On 03/05/2019 at 13:29, L.P.H. van Belle via samba wrote:
>>>>> Hai, 
>>>>>
>>>>>> @Louis
>>>>>> All packages were installed.
>>>>>> I changed my config file following your advice, the problem is still here.
>>>>>> I already followed guides from thctlo's github. 
>>>>> Yes, great, but please get the debug script I use/pointed on my github. 
>>>>> You can pm it to me, if you don't want to show too much, or anonymize it and send it to the list. 
>>>>> Ps. Don't anonymize for example a dnsdomain my.domain.tld to MYDNSDOMAIN because I need these to be in the same format. 
>>>>> host.dom.tld  or I'm seeing strange things and then it's even harder to debug it. 
>>>>> I would start with 2 things. 
>>>>> krb5.conf, only this, if everything is in the same domain. 
>>>>>
>>>>> [libdefaults]
>>>>>     default_realm = YOUR.REALM.HERE 
>>>>>     dns_lookup_kdc = true
>>>>>     dns_lookup_realm = false
>>>>>
>>>>>
>>>>> Did you run 
>>>>> run net cache flush
>>>>> No, then do it and restart samba
>>>>>
>>>>> This : 
>>>>>>> Getting SID from name (wbinfo -n) and name from SID (wbinfo -s)
>>>>>>> works . Commands with UID involved (wbinfo --sid-to-uid, wbinfo
>>>>>>> --uid-to-sid) work for my user vincent but not for the groups.
>>>>> Does not show how you tested the group. 
>>>>> Try this. 
>>>>> wbinfo -G 13010
>>>>>
>>>>> And use the output in 
>>>>> wbinfo -Y ...Output of above00  
>>>>>
>>>>> And whats the result. ( after the net cache flush and restart ) 
>>>>>
>>>>>
>>>>> Greetz, 
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
>>>>>> Rowland Penny via samba
>>>>>> Sent: Friday 3 May 2019 13:10
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Samba with AD : SID rejected
>>>>>>
>>>>>> On Fri, 3 May 2019 12:06:38 +0200
>>>>>> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>> Louis, Rowland, thanks for your answers.
>>>>>>>
>>>>>>> @Louis
>>>>>>> All packages were installed.
>>>>>>> I changed my config file following your advice, the problem is still
>>>>>>> here. I already followed guides from thctlo's github.
>>>>>>>
>>>>>>> @Rowland
>>>>>>> Yes, my dns domain was different, but answered also to test.lan. It's
>>>>>>> now set to 'kdc=dc.foo.lab'
>>>>>>> I have my user vincent with uidNumber 10010 and gidNumber 13010
>>>>>>> (corresponding to Domain Users group).
>>>>>>>
>>>>>>>
>>>>>>> Getting SID from name (wbinfo -n) and name from SID (wbinfo -s)
>>>>>>> works . Commands with UID involved (wbinfo --sid-to-uid, wbinfo
>>>>>>> --uid-to-sid) work for my user vincent but not for the groups.
>>>>>>>
>>>>>>> Could it be a Windows problem ? Are there any changes in attributes
>>>>>>> between 2016 and 2019 ? (I use the evaluation version of 2019, not yet a
>>>>>>> licence)
>>>>>>>
>>>>>> Whilst I think that there are attribute changes between 2016 & 2019,
>>>>>> they will have been additions rather than removal. Samba, when using the
>>>>>> winbind 'ad' on Unix domain members, relies on RFC2307 attributes and
>>>>>> if you can add them to AD, you shouldn't have a problem.
>>>>>>
>>>>>> I think your problem is more likely to be dns related. I note that
>>>>>> Louis pointed out that your kdc domain didn't seem to match your Samba
>>>>>> domain, so are all the machines in the same dns domain ?
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>> -- 
>>>>>> To unsubscribe from this list go to the following URL 
>> and read the
>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>
>>>>>>
>>
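An added example, not code from this thread or from the Samba project: a small Python checker that applies the configuration rules Louis spells out above to text copies of smb.conf, nsswitch.conf and /etc/hosts. The sample texts are constructed here from the values in the thread (workgroup FOO, ranges 3000-7999 and 10000-999999, host share.foo.lab on 10.0.0.3 and 10.1.0.3, uidNumber 10010 and gidNumber 13010); the function names are my own. It checks that the `*` and `FOO` idmap ranges do not overlap, that the `ad` backend has a schema_mode, that the RFC2307 ids from AD fall inside the FOO range (idmap_ad does not map ids outside its configured range, so such users never show up in getent), that passwd and group consult winbind, and that every /etc/hosts line for the member lists the FQDN before the short name.

```python
import re

# Constructed samples, reduced to the lines the checks below look at.
SMB_CONF = """\
[global]
workgroup = FOO
realm = FOO.LAB
netbios name = SHARE
security = ADS
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config FOO:backend = ad
idmap config FOO:schema_mode = rfc2307
idmap config FOO:range = 10000-999999
idmap config FOO:unix_nss_info = yes
"""

NSSWITCH = """\
passwd:         compat winbind systemd
group:          compat winbind systemd
shadow:         compat
hosts:          files dns
"""

HOSTS = """\
127.0.0.1   localhost
10.0.0.3    share.foo.lab share
10.1.0.3    share.foo.lab share
"""

# Matches 'idmap config DOMAIN : option = value' (spaces around ':' optional).
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(text):
    """Collect every idmap config line into {DOMAIN: {option: value}}."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(value):
    lo, hi = (int(x) for x in value.split("-", 1))
    return lo, hi


def check_idmap(text, workgroup):
    """Return a list of problems with the idmap layout (empty means it looks sane)."""
    problems = []
    cfg = parse_idmap(text)
    wg = workgroup.upper()
    default, dom = cfg.get("*", {}), cfg.get(wg, {})
    if "range" not in default:
        problems.append("missing 'idmap config * : range' (needed for BUILTIN ids)")
    if "range" not in dom:
        problems.append(f"missing 'idmap config {wg} : range'")
        return problems
    dlo, dhi = parse_range(dom["range"])
    if dlo >= dhi:
        problems.append(f"{wg} range {dom['range']} is not ascending")
    if "range" in default:
        slo, shi = parse_range(default["range"])
        if slo <= dhi and dlo <= shi:  # the two intervals intersect
            problems.append(f"'*' range {default['range']} overlaps {wg} range {dom['range']}")
    if dom.get("backend", "").lower() == "ad" and "schema_mode" not in dom:
        problems.append(f"{wg} uses the 'ad' backend but sets no schema_mode")
    return problems


def id_in_domain_range(text, workgroup, number):
    """True when a uidNumber/gidNumber stored in AD lies inside the domain's range."""
    dom = parse_idmap(text).get(workgroup.upper(), {})
    if "range" not in dom:
        return False
    lo, hi = parse_range(dom["range"])
    return lo <= number <= hi


def check_nsswitch(text):
    """passwd and group must list winbind, or getent never sees AD accounts."""
    problems = []
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", text, re.M)
        if m is None:
            problems.append(f"no '{db}:' line")
        elif "winbind" not in m.group(1).split():
            problems.append(f"'{db}:' does not list winbind")
    return problems


def check_hosts(text, fqdn, short):
    """Each non-loopback line naming this host must put the FQDN first."""
    problems = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("127."):
            continue
        names = fields[1:]
        if short in names and names[0] != fqdn:
            problems.append(f"{fields[0]}: '{names[0]}' listed first, expected '{fqdn}'")
    return problems


if __name__ == "__main__":
    print("idmap:", check_idmap(SMB_CONF, "FOO") or "ok")
    print("nsswitch:", check_nsswitch(NSSWITCH) or "ok")
    print("hosts:", check_hosts(HOSTS, "share.foo.lab", "share") or "ok")
    for n in (10010, 13010):
        print(f"id {n} inside FOO range:", id_in_domain_range(SMB_CONF, "FOO", n))
```

To run it against a real member server, read the three files into the three constants instead of the constructed strings; the checks are purely textual, so they can also be run on a copy of the files sent to the list.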


