[Samba] security = ads parameter not working in samba 4.9.5
L.P.H. van Belle
belle at bazuin.nl
Tue Nov 26 14:07:16 UTC 2019
Hai,
Please read : https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
And adjust your smb.conf: start with a minimal smb.conf, then join, and then add optional extra settings.
Your current config is incomplete.
I suggest you carefully read this chapter: Choose backend for id mapping in winbindd
> Host is not configured as a member server.
> Invalid configuration. Exiting....
^^^ as it is saying, invalid config.
A sample config for a domain member, with backend AD.
You might want RID as backend; read the links above, which tell more.
Config
[global]
   log level = 1 auth_audit:3

   # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
   # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
   # Obey the above rules from the links and avoid problems.
   workgroup = NTDOM
   security = ADS
   realm = YOUR.REALM.HERE_IN_CAPS
   netbios name = SERVER_HOSTNAME_IN_CAPS_MAX_15CHARS

   # Set master browser for the network.
   # preferred + domain master = guaranteed master browser (man smb.conf)
   #preferred master = yes
   #domain master = yes

   # Optional, set ip/interface names where to run samba.
   interfaces = 192.168.0.10 127.0.0.1
   bind interfaces only = yes

   # Resolve netbios names over DNS.
   # Your DNS/resolving setup MUST be correct to make it work.
   dns proxy = yes

   # Add and update TLS key.
   # If you have a domain member, a correct certificate setup is preferred.
   #tls enabled = yes
   #tls keyfile = /etc/ssl/private/host.key.pem
   #tls certfile = /etc/sslcerts/host.cert.pem
   #tls cafile = /etc/ssl/certs/ca.pem

   ## Map ids from outside the domain to tdb files.
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999

   ## Map ids from the domain; this range and the (*) range may not overlap!
   # Choose the back end that fits your setup.
   # https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
   idmap config NTDOM : backend = ad
   idmap config NTDOM : range = 10000-3999999
   # Backend AD often uses one or more of these 3 settings.
   idmap config NTDOM : schema_mode = rfc2307
   # optional
   #idmap config NTDOM : unix_nss_info = yes
   #idmap config NTDOM : unix_primary_group = yes

   # Most compatible setup.
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   # Renew the kerberos ticket during its lifetime.
   winbind refresh tickets = yes
   # Remove NTDOM\ from the username.
   winbind use default domain = yes
   # Default = no, only set yes while testing.
   winbind enum users = no
   winbind enum groups = no
   # Enable offline logins.
   winbind offline logon = yes

   # The user Administrator workaround, without it you are unable to set privileges.
   # Format in the file: !root = NTDOM\Administrator NTDOM\administrator
   username map = /etc/samba/samba_usermapping

   # Disable the option to create usershares; when set empty there are no error log messages.
   usershare path =

   # Disable printing completely.
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

   # For Windows ACL support on a member file server, enabled globally, OBLIGATED.
   # For a mixed setup of rights, put this per share!
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes

   # Share settings, globally.
   veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
   hide unreadable = yes

######## SHARE DEFINITIONS ################
..
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sac Isilia via samba
> Sent: Tuesday 26 November 2019 14:41
> To: samba at lists.samba.org
> Subject: [Samba] security = ads parameter not working in samba 4.9.5
>
> Hi Team,
>
> I need to join the server to the AD domain using winbind. Below are the
> package versions for reference. The server runs Debian 10 and the default
> install of samba is 4.9.5.
>
> ii  samba         2:4.9.5+dfsg-5+deb10u1  amd64  SMB/CIFS file, print, and login server for Unix
> ii  samba-common  2:4.9.5+dfsg-5+deb10u1  all    common files used by both the Samba server and client
> ii  winbind       2:4.9.5+dfsg-5+deb10u1  amd64  service to resolve user and group information from Windows NT servers
>
> I searched the internet and a few samba mailing lists and found that it was
> a bug and security = ads will produce an error if you start winbind. The
> moment I put "security = user" in smb.conf, winbind starts successfully,
> but the server is not joined to the domain; when I run the command
> net ads join -U xxx I get the below error.
>
> Host is not configured as a member server.
> Invalid configuration. Exiting....
> Failed to join domain: This operation is only allowed for the PDC of the domain.
>
> I just couldn't find any solution to the above if samba runs on 4.9.5.
> Please help me so that I can join the server to AD domain.
>
> Below is my smb.conf
> ------------------------------------
> [global]
>    passdb backend = tdbsam
>    security = user
>    password server = 10.34.54.46
>    idmap config EMEA-MEDIA : backend = ad
>    idmap config EMEA-MEDIA : range = 16777216-33554431
>    kerberos method = secrets and keytab
>    client use spnego = yes
>    client signing = yes
>    winbind enum users = yes
>    winbind enum groups = yes
>    template homedir = /home/%D/%U
>    template shell = /bin/bash
>    client use spnego = yes
>    client ntlmv2 auth = yes
>    encrypt passwords = yes
>    winbind use default domain = yes
>    restrict anonymous = 2
>    domain master = no
>    local master = no
>    preferred master = no
>    os level = 0
>    allow trusted domains = yes
>    winbind nested groups = yes
>
> ;   interfaces = 127.0.0.0/8 eth0
> ;   bind interfaces only = yes
>
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    logging = file
>    panic action = /usr/share/samba/panic-action %d
>
>    server role = standalone server
>    obey pam restrictions = yes
>    unix password sync = yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>    pam password change = yes
>    map to guest = bad user
>
> ;   logon path = \\%N\profiles\%U
> ;   logon drive = H:
> ;   logon script = logon.cmd
> ;   add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
> ;   add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
> ;   add group script = /usr/sbin/addgroup --force-badname %g
>
> ;   include = /home/samba/etc/smb.conf.%m
>
> ;   idmap config * : backend = tdb
> ;   idmap config * : range = 3000-7999
> ;   idmap config YOURDOMAINHERE : backend = tdb
> ;   idmap config YOURDOMAINHERE : range = 100000-999999
> ;   template shell = /bin/bash
>
>    usershare allow guests = yes
>
> [homes]
>    comment = Home Directories
>    browseable = no
>    read only = yes
>    create mask = 0700
>    directory mask = 0700
>    valid users = %S
>
> ;[netlogon]
> ;   comment = Network Logon Service
> ;   path = /home/samba/netlogon
> ;   guest ok = yes
> ;   read only = yes
>
> ;[profiles]
> ;   comment = Users profiles
> ;   path = /home/samba/profiles
> ;   guest ok = no
> ;   browseable = no
> ;   create mask = 0600
> ;   directory mask = 0700
>
> [printers]
>    comment = All Printers
>    browseable = no
>    path = /var/spool/samba
>    printable = yes
>    guest ok = no
>    read only = yes
>    create mask = 0700
>
> [print$]
>    comment = Printer Drivers
>    path = /var/lib/samba/printers
>    browseable = yes
>    read only = yes
>    guest ok = no
> ;   write list = root, @lpadmin
>
> Regards
> Sachin Kumar
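The reply above boils down to a handful of [global] prerequisites a `net ads join` needs: `security = ADS`, no conflicting `server role`, a `realm` and `workgroup`, a default `idmap config *` backend, and idmap ranges that do not overlap. The following checker is an added example written for this page, not Samba's own tooling and not code from either poster; the two embedded configs are constructed from the thread (the original poster's [global] reduced to the relevant keys, and the reply's minimal member config). The authoritative validation of an smb.conf is still `testparm`; this script only makes the reasoning in the reply mechanical.

```python
"""Check an smb.conf [global] section for the domain-member prerequisites
discussed in the thread (added example; use `testparm` for the real check)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the poster's [global], reduced to the keys that matter here.
BROKEN_CONF = """\
[global]
    passdb backend = tdbsam
    security = user
    password server = 10.34.54.46
    idmap config EMEA-MEDIA : backend = ad
    idmap config EMEA-MEDIA : range = 16777216-33554431
    server role = standalone server
    ; idmap config * : backend = tdb
    ; idmap config * : range = 3000-7999
"""

# Constructed sample: the reply's minimal member-server [global].
MEMBER_CONF = """\
[global]
    workgroup = NTDOM
    security = ADS
    realm = YOUR.REALM.HERE_IN_CAPS
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config NTDOM : backend = ad
    idmap config NTDOM : range = 10000-3999999
"""


def parse_global(text: str) -> Dict[str, str]:
    """Collect [global] parameters. Keys are lower-cased and the spacing
    around ':' removed, so 'idmap config * : range' and 'idmap config *:range'
    compare equal. Lines starting with ';' or '#' are comments, as in Samba."""
    section = None
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", key.strip().lower())
        params[re.sub(r"\s+", " ", key)] = value.strip()
    return params


def parse_range(value: str) -> Tuple[int, int]:
    """'10000-3999999' -> (10000, 3999999); raises ValueError if malformed."""
    lo, hi = value.split("-", 1)
    return int(lo), int(hi)


def check_member_config(text: str) -> List[str]:
    """Return the problems found; an empty list means the minimal
    prerequisites for `net ads join` look satisfied."""
    p = parse_global(text)
    problems: List[str] = []

    if p.get("security", "").lower() != "ads":
        problems.append("security must be ADS for a domain member")
    role = p.get("server role", "").lower()
    if role and role not in ("member server", "auto"):
        problems.append(f"server role = {role} conflicts with domain membership")
    for key in ("realm", "workgroup"):
        if key not in p:
            problems.append(f"{key} is not set")
    for key in ("idmap config *:backend", "idmap config *:range"):
        if key not in p:
            problems.append(f"{key} is missing (default idmap backend)")

    # Every idmap range, keyed by domain name ('*' is the default backend).
    ranges: Dict[str, Tuple[int, int]] = {}
    for key, value in p.items():
        m = re.match(r"^idmap config (.+):range$", key)
        if not m:
            continue
        try:
            ranges[m.group(1)] = parse_range(value)
        except ValueError:
            problems.append(f"idmap range for {m.group(1)!r} is malformed: {value}")

    workgroup = p.get("workgroup", "").lower()
    if workgroup and workgroup not in ranges:
        problems.append(f"no idmap range configured for workgroup {workgroup}")

    # Ranges may not overlap; compare each pair once.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append(f"idmap ranges for {a!r} and {b!r} overlap")
    return problems


if __name__ == "__main__":
    for name, conf in (("poster", BROKEN_CONF), ("member", MEMBER_CONF)):
        print(name, check_member_config(conf) or ["ok"])
```

Run against the poster's config the checker reports six problems (the `security = user` and `server role = standalone server` pair that produces "Host is not configured as a member server", the missing realm and workgroup, and the commented-out default idmap backend); against the reply's config it reports none. The overlap check covers the reply's warning that the `*` range and the domain range may not overlap.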