[Samba] security = ads parameter not working in samba 4.9.5

Sérgio Basto sergio at serjux.com
Tue Nov 26 14:26:31 UTC 2019


On Tue, 2019-11-26 at 15:07 +0100, L.P.H. van Belle via samba wrote:
> Hi, 
> 
> Please read : 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 
> And adjust your smb.conf: start with a minimal smb.conf, then join, and
> then add optional extra settings. 

BTW, unfortunately I haven't had time to write about it, but see man idmap_ad;
it has the right instructions ... 


> Your current config is incomplete. 
> I suggest you carefully read this chapter: Choose backend for id
> mapping in winbindd 
> 
> 
> > Host is not configured as a member server.
> > Invalid configuration.  Exiting....
> ^^^ as it is saying, invalid config. 
> 
> A sample config for a domain member, with backend AD. 
> You might want RID as backend; read the links above, which tell more.
> 
> 
> Config 
> [global]
> 
>     log level = 1 auth_audit:3
> 
>     # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
>     # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
>     # Obey the above rules from the links and avoid problems. 
>     workgroup = NTDOM
>     security = ADS
>     realm = YOUR.REALM.HERE_IN_CAPS
>     netbios name = SERVER_HOSTNAME_IN_CAPS_MAX_15CHARS
> 
>     # set master browser for the network.
>     # preferred + domain master = guarantee master browser ( man smb.conf )
>     #preferred master = yes
>     #domain master = yes
> 
>     # Optional, set ip/interface names where to run samba.
>     interfaces = 192.168.0.10 127.0.0.1
>     bind interfaces only = yes
> 
>     # Resolve netbios names over DNS. 
>     # Your DNS/Resolving setup MUST be correct to make it work.
>     dns proxy = yes
> 
>     # Add and Update TLS Key
>     # If you have a domain member, a correct certificate setup is preferred. 
>     #tls enabled = yes
>     #tls keyfile = /etc/ssl/private/host.key.pem
>     #tls certfile = /etc/sslcerts/host.cert.pem
>     #tls cafile = /etc/ssl/certs/ca.pem
> 
>     ## map ids outside the domain to tdb files.
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
> 
>     ## map ids from the domain; this range and the (*) range may not overlap!
>     # choose the back end that fits your setup. 
>     # https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends 
>     idmap config NTDOM : backend = ad
>     idmap config NTDOM : range = 10000-3999999
>     # Backend AD often uses one or more of these 3 settings
>     idmap config NTDOM : schema_mode = rfc2307
>     # optional
>     #idmap config NTDOM : unix_nss_info = yes
>     #idmap config NTDOM : unix_primary_group = yes
> 
>     # Most compatible setup.
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
> 
>     # Renew the kerberos ticket within its lifetime.
>     winbind refresh tickets = yes
> 
>     # remove NTDOM\ from the username
>     winbind use default domain = yes
> 
>     # Default = no, only set yes while testing.
>     winbind enum users  = no
>     winbind enum groups = no
> 
>     # Enable offline logins
>     winbind offline logon = yes
> 
>     # The user Administrator workaround; without it you are unable to set privileges.
>     # Format in the file: !root = NTDOM\Administrator NTDOM\administrator
>     username map = /etc/samba/samba_usermapping
> 
>     # Disable the option to allow usershares to be created; when set empty, no error log messages.
>     usershare path =
> 
>     # Disable printing completely
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
> 
>     # For Windows ACL support on a member file server, enabled globally, OBLIGATORY
>     # For a mixed setup of rights, put this per share!
>     vfs objects = acl_xattr
>     map acl inherit = yes
>     store dos attributes = yes
> 
>     # Share Setting Globally
>     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>     hide unreadable = yes
> 
> ######## SHARE DEFINITIONS ################
> .. 
> 
> 
> Greetz, 
> 
> Louis
> 
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sac 
> > Isilia via samba
> > Sent: Tuesday 26 November 2019 14:41
> > To: samba at lists.samba.org
> > Subject: [Samba] security = ads parameter not working in samba
> > 4.9.5
> > 
> > Hi Team,
> > 
> > I need to join the server to the AD domain using winbind. Below are the
> > package versions for reference. The server runs Debian 10 and the default
> > install of samba is 4.9.5.
> > 
> > ii  samba         2:4.9.5+dfsg-5+deb10u1  amd64  SMB/CIFS file, print, and login server for Unix
> > ii  samba-common  2:4.9.5+dfsg-5+deb10u1  all    common files used by both the Samba server and client
> > ii  winbind       2:4.9.5+dfsg-5+deb10u1  amd64  service to resolve user and group information from Windows NT servers
> > 
> > I searched the internet and a few samba mailing lists and found that it was
> > a bug and that security = ads will produce an error if you start winbind. The
> > moment I put "security = user" in smb.conf the winbind starts successfully,
> > but the server is not joined to the domain; when I run the command
> > net ads join -U xxx I get the below error.
> > 
> > Host is not configured as a member server.
> > Invalid configuration.  Exiting....
> > Failed to join domain: This operation is only allowed for the PDC of the domain.
> > 
> > I just couldn't find any solution to the above if samba runs on 4.9.5.
> > Please help me so that I can join the server to the AD domain.
> > 
> > Below is my smb.conf
> > ------------------------------------
> > [global]
> >         passdb backend = tdbsam
> >         security = user
> >         password server = 10.34.54.46
> >         idmap config EMEA-MEDIA : backend = ad
> >         idmap config EMEA-MEDIA : range = 16777216-33554431
> >         kerberos method = secrets and keytab
> >         client use spnego = yes
> >         client signing = yes
> >         winbind enum users = yes
> >         winbind enum groups = yes
> >         template homedir = /home/%D/%U
> >         template shell = /bin/bash
> >         client use spnego = yes
> >         client ntlmv2 auth = yes
> >         encrypt passwords = yes
> >         winbind use default domain = yes
> >         restrict anonymous = 2
> >         domain master = no
> >         local master = no
> >         preferred master = no
> >         os level = 0
> >         allow trusted domains = yes
> >         winbind nested groups = yes
> > 
> > ;   interfaces = 127.0.0.0/8 eth0
> > ;   bind interfaces only = yes
> > 
> >    log file = /var/log/samba/log.%m
> >    max log size = 1000
> >    logging = file
> >    panic action = /usr/share/samba/panic-action %d
> > 
> >    server role = standalone server
> >    obey pam restrictions = yes
> >    unix password sync = yes
> >    passwd program = /usr/bin/passwd %u
> >    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> >    pam password change = yes
> >    map to guest = bad user
> > 
> > ;   logon path = \\%N\profiles\%U
> > ;   logon drive = H:
> > ;   logon script = logon.cmd
> > ; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
> > ; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
> > ; add group script = /usr/sbin/addgroup --force-badname %g
> > 
> > ;   include = /home/samba/etc/smb.conf.%m
> > 
> > ;   idmap config * :              backend = tdb
> > ;   idmap config * :              range   = 3000-7999
> > ;   idmap config YOURDOMAINHERE : backend = tdb
> > ;   idmap config YOURDOMAINHERE : range   = 100000-999999
> > ;   template shell = /bin/bash
> > 
> >    usershare allow guests = yes
> > 
> > [homes]
> >    comment = Home Directories
> >    browseable = no
> >    read only = yes
> >    create mask = 0700
> >    directory mask = 0700
> >    valid users = %S
> > 
> > ;[netlogon]
> > ;   comment = Network Logon Service
> > ;   path = /home/samba/netlogon
> > ;   guest ok = yes
> > ;   read only = yes
> > 
> > ;[profiles]
> > ;   comment = Users profiles
> > ;   path = /home/samba/profiles
> > ;   guest ok = no
> > ;   browseable = no
> > ;   create mask = 0600
> > ;   directory mask = 0700
> > 
> > [printers]
> >    comment = All Printers
> >    browseable = no
> >    path = /var/spool/samba
> >    printable = yes
> >    guest ok = no
> >    read only = yes
> >    create mask = 0700
> > 
> > [print$]
> >    comment = Printer Drivers
> >    path = /var/lib/samba/printers
> >    browseable = yes
> >    read only = yes
> >    guest ok = no
> > ;   write list = root, @lpadmin
> > 
> > Regards
> > Sachin Kumar
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> > 
> 
> 
-- 
Sérgio M. B.
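Added example, not from this thread and not Samba's own code: the "Host is not configured as a member server" error above comes from the smb.conf, not from the join itself, so a small pre-join lint catches the settings the replies point at before `net ads join` is run. Run `testparm` first for syntax; this script then reads only the [global] section and checks that `security = ADS`, that `server role` does not contradict it (the posted config sets `standalone server`), that `realm` and `workgroup` are set, that both the `*` and the domain idmap backends exist, and that the two idmap ranges do not overlap. The two sample configs are constructed (the hostname MEMBER01 and the realm placeholder are assumptions); it needs only POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba code): a pre-join lint for an
# smb.conf that is meant to make this host an AD domain member. It only reads
# the file. Assumes POSIX sh plus awk; the sample configs below are constructed.

# Emit "key=value" lines from [global]. Keys are lowercased with all whitespace
# removed, so "idmap config DOM : backend" becomes "idmapconfigdom:backend".
smb_global_params() {
    awk '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ {
            sec = tolower($0)
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        sec == "global" && index($0, "=") > 0 {
            i = index($0, "=")
            key = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, i + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            print key "=" val
        }' "$1"
}

# smb_param FILE KEY: value of the last matching line (later lines win).
smb_param() {
    smb_global_params "$1" |
        awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); v = $0 } END { print v }'
}

# ranges_overlap LO-HI LO-HI: true when the two idmap ranges intersect.
ranges_overlap() {
    [ "${1%-*}" -le "${2#*-}" ] && [ "${2%-*}" -le "${1#*-}" ]
}

# lint_member_smbconf FILE: print one PROBLEM line per finding; true only if clean.
lint_member_smbconf() {
    f=$1; problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    sec=$(smb_param "$f" security | tr 'A-Z' 'a-z')
    [ "$sec" = ads ] || fail "security = '${sec:-unset}'; a domain member needs security = ADS"

    role=$(smb_param "$f" serverrole | tr 'A-Z' 'a-z')
    case "$role" in
        ""|auto|"member server") ;;
        *) fail "server role = '$role' contradicts security = ADS; drop it or use 'member server'" ;;
    esac

    realm=$(smb_param "$f" realm)
    [ -n "$realm" ] || fail "realm is unset; set it to the AD DNS domain in capitals"
    wg=$(smb_param "$f" workgroup)
    [ -n "$wg" ] || fail "workgroup is unset; set it to the NetBIOS domain name"

    [ -n "$(smb_param "$f" 'idmapconfig*:backend')" ] ||
        fail "no 'idmap config * : backend'; the default (*) domain needs one (e.g. tdb)"

    if [ -n "$wg" ]; then
        dom=$(printf '%s' "$wg" | tr 'A-Z' 'a-z')
        [ -n "$(smb_param "$f" "idmapconfig$dom:backend")" ] ||
            fail "no 'idmap config $wg : backend' (ad or rid)"
        def_range=$(smb_param "$f" 'idmapconfig*:range' | tr -d ' ')
        dom_range=$(smb_param "$f" "idmapconfig$dom:range" | tr -d ' ')
        if [ -n "$def_range" ] && [ -n "$dom_range" ] && ranges_overlap "$def_range" "$dom_range"; then
            fail "idmap ranges overlap: * = $def_range, $wg = $dom_range"
        fi
    fi

    if [ "$(smb_param "$f" winbindenumusers | tr 'A-Z' 'a-z')" = yes ]; then
        echo "NOTE: winbind enum users = yes is for testing only"
    fi
    [ "$problems" -eq 0 ]
}

# Constructed samples: the shape of the posted config, then a minimal member.
BAD_CONF=$(mktemp); GOOD_CONF=$(mktemp)
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT
cat >"$BAD_CONF" <<'EOF'
[global]
        security = user
        idmap config EMEA-MEDIA : backend = ad
        idmap config EMEA-MEDIA : range = 16777216-33554431
        winbind enum users = yes
   server role = standalone server
EOF
cat >"$GOOD_CONF" <<'EOF'
[global]
    workgroup = NTDOM
    security = ADS
    realm = YOUR.REALM.HERE_IN_CAPS
    netbios name = MEMBER01
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config NTDOM : backend = ad
    idmap config NTDOM : range = 10000-3999999
    idmap config NTDOM : schema_mode = rfc2307
EOF

for c in "$BAD_CONF" "$GOOD_CONF"; do
    echo "== $c"
    if lint_member_smbconf "$c"; then echo "OK: safe to try 'net ads join'"; fi
done
```

Point it at the real file with `lint_member_smbconf /etc/samba/smb.conf`; the first sample reports five problems (security, server role, realm, workgroup, missing `*` backend), the second passes. The range check matters because winbind allocates IDs for the default domain and trusted domains from the `*` range, and an overlap with the domain range silently hands out colliding UIDs and GIDs.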