[Samba] moved DM config to new server : gids different etc
Stefan G. Weichinger
lists at xunil.at
Tue Nov 26 17:57:31 UTC 2019
On 26.11.19 at 18:42, Rowland penny via samba wrote:
> On 26/11/2019 17:21, Stefan G. Weichinger via samba wrote:
>> On 26.11.19 at 17:37, Rowland penny via samba wrote:
>>
>>> How about 'getent group Domain\ Users' ?
>> no result = empty reply
> Then there is something wrong, something isn't set correctly, I take it
> you replaced 'Domain\ Users' with its German equivalent.
I "eye-grepped" for that string as well. Not there. No ADS-groups in
"getent"
>> The "admin" there is able to access stuff and reset his ACLs already.
> How ? if 'getent' isn't working.
>>
>> So ... things work so far. thanks.
>>
>> I will consider the config Louis suggested ... but not now
> No, 'rid' should work as before, all you really need to backup on a Unix
> domain member is the shares and the smb.conf, all the users & groups are
> stored on the DC.
>>
>> (my reply was rejected by some samba-ml-SMTP-server ... another problem)
>
> Strange, it didn't reach moderation.
>
> Can you download this:
>
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> Run it on the Unix domain member and paste the output into a post.
a little bit anonymized (I hope)
That DNS-domain is flaky, I see.
That "gigabit.net" came from the former admin and should be rm-ed, I see .... !
--
root at samba:~# cat samba-debug-info.txt
Collected config --- 2019-11-26-18:48 -----------
Hostname: samba
DNS Domain: gigabit.net
FQDN: samba.gigabit.net
ipaddress: 192.168.100.4
-----------
Kerberos SRV _kerberos._tcp.gigabit.net record verified ok, sample output:
Server: 192.168.100.1
Address: 192.168.100.1#53
Non-authoritative answer:
*** Can't find _kerberos._tcp.gigabit.net: No answer
Authoritative answers can be found from:
gigabit.net
origin = ns.123-reg.co.uk
mail addr = hostmaster.gigabit.net
serial = 2017030702
refresh = 14400
retry = 0
expire = 604800
minimum = 14400
Samba is running as a Unix domain member
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.2 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 90:b1:1c:a1:1a:a8 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.4/24 brd 192.168.100.255 scope global eno1
inet6 fe80::92b1:1cff:fea1:1aa8/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.100.4 samba.gigabit.net samba
-----------
Checking file: /etc/resolv.conf
domain mydom.de
search mydom.de
nameserver 192.168.100.1
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = mydom.INTRA
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# This file is managed remotely, all changes will be lost
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Samba config file
# from sgw 2018/jun/15
# with help from Rowland
[global]
unix charset = iso8859-15
security = ads
realm = mydom.INTRA
workgroup = mydom
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
netbios aliases = u1mydom
server string = U1mydom
winbind cache time = 10
winbind use default domain = yes
winbind refresh tickets = Yes
template homedir = /mnt/MSA2040/smb/Homes/%D/%U
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
invalid users = root bin daemon adm sync shutdown halt mail news \
uucp
obey pam restrictions = yes
interfaces = 192.168.100.4/24 127.0.0.1
bind interfaces only = Yes
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config mydom : range = 10000-20000
idmap config mydom : backend = rid
# For ACL support on domain member
vfs objects = acl_xattr full_audit
map acl inherit = Yes
store dos attributes = Yes
inherit acls = yes
unix extensions = no
follow symlinks= yes
wide links= yes
load printers = no
printcap name = /dev/null
acl allow execute always = True
# Audit settings
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = notice
log level = 2
[homes]
comment = Home Directories
#path = /mnt/MSA2040/smb/Homes/mydom/%U
#path = /mnt/MSA2040/smb/Homes/mydom/%S
valid users = %S
browseable = yes
read only = no
create mode = 0750
#directory mask = 0700
root preexec = /usr/local/sbin/mkhomedir.sh %U %H
[acltest]
path = /mnt/MSA2040/smb/acltest
read only = No
(rm-ed share defs)
-----------
Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
Warning, /etc/idmapd.conf does not exist
-----------
Installed packages:
ii acl 2.2.53-4 amd64
access control list - utilities
ii attr 1:2.4.48-4 amd64
utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all
Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3 all
internationalization support for MIT Kerberos
ii krb5-user 1.17-3 amd64
basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64
access control list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64
extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-3 amd64
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3 amd64
MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3 amd64
MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.10.10+dfsg-0.1~buster~1 amd64
Samba nameservice integration plugins
ii libpam-krb5:amd64 4.8-2 amd64
PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.10.10+dfsg-0.1~buster~1 amd64
Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.10.10+dfsg-0.1~buster~1 amd64
shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.10.10+dfsg-0.1~buster~1 amd64
Samba winbind client library
ii python3-samba 2:4.10.10+dfsg-0.1~buster~1 amd64
Python 3 bindings for Samba
ii samba 2:4.10.10+dfsg-0.1~buster~1 amd64
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.10.10+dfsg-0.1~buster~1 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.10.10+dfsg-0.1~buster~1 amd64
Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.10.10+dfsg-0.1~buster~1 amd64
Samba Directory Services Database
ii samba-libs:amd64 2:4.10.10+dfsg-0.1~buster~1 amd64
Samba core libraries
ii samba-vfs-modules:amd64 2:4.10.10+dfsg-0.1~buster~1 amd64
Samba Virtual FileSystem plugins
ii smbclient 2:4.10.10+dfsg-0.1~buster~1 amd64
command-line SMB/CIFS clients for Unix
ii winbind 2:4.10.10+dfsg-0.1~buster~1 amd64
service to resolve user and group information from Windows NT servers
-----------
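An added example (not from this thread and not Samba's own code) that applies the idmap_rid formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, to the idmap lines posted above, to show why Rowland expects 'rid' to work as before after the move: with the rid backend the id is computed from the SID's RID and the configured range, so Domain Users (RID 513) gets gid 10513 on any member carrying this smb.conf, while the tdb default backend allocates ids on first use and those do differ between servers. The smb.conf snippet is copied inline so it runs offline; the well-known RIDs are the standard AD constants.

```python
import re

# idmap lines exactly as posted in the thread's smb.conf (copied inline for offline use)
SMB_CONF = """
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config mydom : range = 10000-20000
idmap config mydom : backend = rid
"""

# Well-known RIDs of built-in AD groups
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Computers": 515}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high), ...}} from smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val
    return cfg


def rid_to_id(cfg, domain, rid):
    """idmap_rid's documented mapping: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the domain is not rid-backed (tdb ids are allocated, not
    computed) or when the result falls outside the range; in the second case
    winbind maps nothing and getent shows no such user or group."""
    entry = cfg.get(domain)
    if not entry or entry.get("backend") != "rid":
        return None
    low, high = entry["range"]
    xid = rid - int(entry.get("base_rid", 0)) + low
    return xid if low <= xid <= high else None


def ranges_overlap(cfg):
    """Overlapping idmap ranges are a misconfiguration; return the offending pairs."""
    rs = sorted((v["range"], d) for d, v in cfg.items() if "range" in v)
    return [(a[1], b[1]) for a, b in zip(rs, rs[1:]) if a[0][1] >= b[0][0]]
```

Comparing rid_to_id() for the well-known RIDs against `wbinfo --sid-to-gid` on the old and new member shows whether a gid difference comes from the range or from ids that were never deterministic (tdb).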