[Samba] security = ads parameter not working in samba 4.9.5
Sérgio Basto
sergio at serjux.com
Tue Nov 26 14:26:31 UTC 2019
On Tue, 2019-11-26 at 15:07 +0100, L.P.H. van Belle via samba wrote:
> Hai,
>
> Please read :
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> And adjust your smb.conf, start with a minimal smb.conf then join and
> then add optional extra settings.
BTW, unfortunately I haven't had time to write about it, but see man idmap_ad;
it has the right instructions ...
> Your current config is incomplete.
> I suggest you carefully read this chapter: Choose backend for id
> mapping in winbindd
>
>
> > Host is not configured as a member server.
> > Invalid configuration. Exiting....
> ^^^ as it is saying, invalid config.
>
> A sample config for a domain member, with backend AD..
> You might want RID as backend; read the above links, which tell more.
>
>
> Config
> [global]
>
> log level = 1 auth_audit:3
>
> # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
> # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
>
> # Obey the above rules from the links and avoid problems.
> workgroup = NTDOM
> security = ADS
> realm = YOUR.REALM.HERE_IN_CAPS
> netbios name = SERVER_HOSTNAME_IN_CAPS_MAX_15CHARS
>
> # set master browser for the network.
> # preferred + domain master = guarantee master browser ( man smb.conf )
> #preferred master = yes
> #domain master = yes
>
> # Optional, set ip/interface names where to run samba.
> interfaces = 192.168.0.10 127.0.0.1
> bind interfaces only = yes
>
> # Resolve netbios names over DNS.
> # Your DNS/Resolving setup MUST be correct to make it work.
> dns proxy = yes
>
> # Add and Update TLS Key
> # If you have a domain member, a correct certificate setup is preferred.
> #tls enabled = yes
> #tls keyfile = /etc/ssl/private/host.key.pem
> #tls certfile = /etc/sslcerts/host.cert.pem
> #tls cafile = /etc/ssl/certs/ca.pem
>
> ## map ids outside the domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> ## map ids from the domain; this range and the (*) range may not overlap !
> # choose the back end that fits your setup.
> # https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
> idmap config NTDOM : backend = ad
> idmap config NTDOM : range = 10000-3999999
> # Backend AD uses often, one or more of these 3 settings
> idmap config NTDOM : schema_mode = rfc2307
> # optional
> #idmap config NTDOM : unix_nss_info = yes
> #idmap config NTDOM : unix_primary_group = yes
>
> # Most compatible setup.
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> # Renew the kerberos ticket its lifetime.
> winbind refresh tickets = yes
>
> # remove NTDOM\ from the username
> winbind use default domain = yes
>
> # Default = no, only set yes while testing.
> winbind enum users = no
> winbind enum groups = no
>
> # Enable offline logins
> winbind offline logon = yes
>
> # The user Administrator workaround, without it you are unable to set privileges
> # Format in the file: !root = NTDOM\Administrator NTDOM\administrator
> username map = /etc/samba/samba_usermapping
>
> # Disable option to allow usershares to be created, when set empty no error log messages.
> usershare path =
>
> # Disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> # For Windows ACL support on member file server, enabled globally, OBLIGATED
> # For a mixed setup of rights, put this per share!
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> # Share Setting Globally
> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> hide unreadable = yes
>
> ######## SHARE DEFINITIONS ################
> ..
>
>
> Greetz,
>
> Louis
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sac Isilia via samba
> > Sent: Tuesday 26 November 2019 14:41
> > To: samba at lists.samba.org
> > Subject: [Samba] security = ads parameter not working in samba 4.9.5
> >
> > Hi Team,
> >
> > I need to join the server to the AD domain using winbind. Below are the
> > package versions for reference. The server runs Debian 10 and the default
> > install of Samba is 4.9.5.
> >
> > ii samba        2:4.9.5+dfsg-5+deb10u1 amd64 SMB/CIFS file, print, and login server for Unix
> > ii samba-common 2:4.9.5+dfsg-5+deb10u1 all   common files used by both the Samba server and client
> > ii winbind      2:4.9.5+dfsg-5+deb10u1 amd64 service to resolve user and group information from Windows NT servers
> >
> > I searched the internet and a few Samba mailing lists and found that it was
> > a bug and that security = ads will produce an error if you start winbind.
> > The moment I put "security = user" in smb.conf, winbind starts
> > successfully, but the server is not joined to the domain; when I run the
> > command net ads join -U xxx I get the error below.
> >
> > Host is not configured as a member server.
> > Invalid configuration. Exiting....
> > Failed to join domain: This operation is only allowed for the PDC of the domain.
> >
> > I just couldn't find any solution to the above if Samba runs on 4.9.5.
> > Please help me so that I can join the server to the AD domain.
> >
> > Below is my smb.conf
> > ------------------------------------
> > [global]
> >
> > passdb backend = tdbsam
> > security = user
> > password server = 10.34.54.46
> > idmap config EMEA-MEDIA : backend = ad
> > idmap config EMEA-MEDIA : range = 16777216-33554431
> > kerberos method = secrets and keytab
> > client use spnego = yes
> > client signing = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> > template homedir = /home/%D/%U
> > template shell = /bin/bash
> > client use spnego = yes
> > client ntlmv2 auth = yes
> > encrypt passwords = yes
> > winbind use default domain = yes
> > restrict anonymous = 2
> > domain master = no
> > local master = no
> > preferred master = no
> > os level = 0
> > allow trusted domains = yes
> > winbind nested groups = yes
> >
> > ; interfaces = 127.0.0.0/8 eth0
> > ; bind interfaces only = yes
> >
> > log file = /var/log/samba/log.%m
> >
> > max log size = 1000
> >
> > logging = file
> >
> > panic action = /usr/share/samba/panic-action %d
> >
> > server role = standalone server
> >
> > obey pam restrictions = yes
> >
> > unix password sync = yes
> >
> > passwd program = /usr/bin/passwd %u
> > passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> >
> > pam password change = yes
> >
> > map to guest = bad user
> >
> > ; logon path = \\%N\profiles\%U
> >
> > ; logon drive = H:
> >
> > ; logon script = logon.cmd
> >
> > ; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
> >
> > ; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
> >
> > ; add group script = /usr/sbin/addgroup --force-badname %g
> >
> >
> > ; include = /home/samba/etc/smb.conf.%m
> >
> > ; idmap config * : backend = tdb
> > ; idmap config * : range = 3000-7999
> > ; idmap config YOURDOMAINHERE : backend = tdb
> > ; idmap config YOURDOMAINHERE : range = 100000-999999
> > ; template shell = /bin/bash
> >
> > usershare allow guests = yes
> >
> > [homes]
> > comment = Home Directories
> > browseable = no
> >
> > read only = yes
> >
> > create mask = 0700
> >
> > directory mask = 0700
> >
> > valid users = %S
> >
> > ;[netlogon]
> > ; comment = Network Logon Service
> > ; path = /home/samba/netlogon
> > ; guest ok = yes
> > ; read only = yes
> >
> > ;[profiles]
> > ; comment = Users profiles
> > ; path = /home/samba/profiles
> > ; guest ok = no
> > ; browseable = no
> > ; create mask = 0600
> > ; directory mask = 0700
> >
> > [printers]
> > comment = All Printers
> > browseable = no
> > path = /var/spool/samba
> > printable = yes
> > guest ok = no
> > read only = yes
> > create mask = 0700
> >
> > [print$]
> > comment = Printer Drivers
> > path = /var/lib/samba/printers
> > browseable = yes
> > read only = yes
> > guest ok = no
> > ; write list = root, @lpadmin
> >
> >
> > Regards
> > Sachin Kumar
--
Sérgio M. B.
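As an added check (not code from this thread or from the Samba project), a small Python script that flags in an smb.conf [global] section the points the replies above raise: `security` not ADS, `server role` not a member server, a missing `realm`, and idmap ranges that overlap each other or the default `*` range. The embedded sample is constructed from the original poster's config; the accepted `server role` spellings are an assumption.

```python
import re

# Constructed from the original poster's smb.conf (trimmed to the relevant keys).
OP_CONF = """[global]
   passdb backend = tdbsam
   security = user
   idmap config EMEA-MEDIA : backend = ad
   idmap config EMEA-MEDIA : range = 16777216-33554431
   server role = standalone server
"""

def parse_global(text):
    """[global] as lowercase key -> value; ';'/'#' are comments, 'DOM : key' -> 'dom:key'."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[re.sub(r"\s*:\s*", ":", key.strip().lower())] = value.strip()
    return params

def member_config_problems(text):
    """List what stops this [global] from describing an AD domain member."""
    p = parse_global(text)
    problems = []
    if p.get("security", "user").lower() != "ads":
        problems.append("security is not ADS")
    # 'server role' may be omitted; Samba then derives it from 'security'.
    role = p.get("server role", "").lower()
    if role and role not in ("member server", "member"):  # assumed synonyms
        problems.append("server role is not member server")
    if "realm" not in p:
        problems.append("realm is missing")
    # Domain ranges must not overlap each other or the default (*) range.
    ranges = []
    for key, value in p.items():
        m = re.fullmatch(r"idmap config (.+):range", key)
        if m:
            lo, hi = (int(x) for x in value.split("-"))
            ranges.append((m.group(1), lo, hi))
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"idmap ranges {d1} and {d2} overlap")
    return problems
```

Run against the poster's config it reports the three problems the thread discusses; against Louis's sample it reports none.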