[Samba] security = ads parameter not working in samba 4.9.5

Sérgio Basto sergio at serjux.com
Wed Nov 27 11:03:28 UTC 2019


On Tue, 2019-11-26 at 14:26 +0000, Sérgio Basto wrote:
> On Tue, 2019-11-26 at 15:07 +0100, L.P.H. van Belle via samba wrote:
> > Hai, 
> > 
> > Please read : 
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 
> > And adjust your smb.conf, start with a minimal smb.conf then join
> > and
> > then add optional extra settings. 
> 
> BTW, unfortunately I hadn't time to write about it, but see man idmap.ad;
> it has the right instructions ...

Sorry, I meant man idmap_ad. But checking again, the man page is the same as
https://wiki.samba.org/index.php/Idmap_config_ad — see the EXAMPLES section
of the man page [1].
 
The examples don't mention netbios name ... I did [2], which uses the netbios
name in the idmap config instead of the workgroup. It is working, but I still
don't know why, or even whether it is correct.



[2]
# [2] - the [global] section of the smb.conf that currently works for me.
# Domain member (security = ADS) with the AD idmap backend. Note that the
# AD backend below is keyed on the host's netbios name (REPO), whereas the
# man idmap_ad example in [1] keys it on the workgroup (CORP).
[global]
    netbios name = REPO
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM

    # strips the SAMDOM\ prefix from usernames (see the quoted sample
    # config: "remove NTDOM\ from the username")
    winbind use default domain = yes

    # default backend for ids outside the configured domains; this range
    # (1000000-1999999) does not overlap the REPO range below
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
   
    # NOTE(review): REPO is the netbios name set above, not the workgroup
    # SAMDOM. The man page example [1] uses the workgroup here. Presumably
    # SAMDOM lookups therefore fall through to the '*' tdb backend rather
    # than AD - confirm which backend is actually answering before relying
    # on the uid/gid mapping being stable across hosts.
    idmap config REPO : backend = ad
    idmap config REPO : schema_mode = rfc2307
    idmap config REPO : range = 10000-999999
    # listed as optional for the ad backend in the quoted sample config
    idmap config REPO : unix_nss_info = yes
    # Windows ACL support on a member file server (set globally here)
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    # /bin/false: mapped domain users get no interactive shell on this host
    template shell = /bin/false
    # %U is replaced with the session username
    template homedir = /srv/samba/users/%U
    # see the quoted sample config for the expected line format
    # (maps the domain Administrator to root)
    username map = /var/lib/samba/user.map



[1]
EXAMPLES
       The following example shows how to retrieve idmappings from our
       principal and trusted AD domains. If trusted domains are present id
       conflicts must be resolved beforehand, there is no guarantee on
       the order conflicting mappings would be resolved at this point.
       This example also shows how to leave a small non conflicting
       range for local id allocation that may be used in internal backends
       like BUILTIN.

                [global]
                workgroup = CORP

                idmap config * : backend = tdb
                idmap config * : range = 1000000-1999999

                idmap config CORP : backend  = ad
                idmap config CORP : range = 1000-999999



> > You current config is incomplete. 
> > I suggest you carefully read this chapter.: Choose backend for id
> > mapping in winbindd 
> > 
> > 
> > > Host is not configured as a member server.
> > > Invalid configuration.  Exiting....
> > ^^^ as it is saying, invalid config. 
> > 
> > A sample config for a domain member, with backend AD.. 
> > You might want RID as backend, to read above links that tell more.
> > 
> > 
> > Config 
> > [global]
> > 
> >     log level = 1 auth_audit:3
> > 
> >     # 
> > https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
> >     # 
> > https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
> >  
> >     # Obey the above rules from the links and avoid problems. 
> >     workgroup = NTDOM
> >     security = ADS
> >     realm = YOUR.REALM.HERE_IN_CAPS
> >     netbios name = SERVER_HOSTNAME_IN_CAPS_MAX_15CHARS
> > 
> >     # set master browser for the network.
> >     # preffered + domain master = guarantee master browser ( man
> > smb.conf )
> >     #preferred master = yes
> >     #domain master = yes
> > 
> >     # Optional, set ip/interface names where to run samba.
> >     interfaces = 192.168.0.10 127.0.0.1
> >     bind interfaces only = yes
> > 
> >     # Resolve netbios names over DNS. 
> >     # Your DNS/Resolving setup MUST be correct to make it work.
> >     dns proxy = yes
> > 
> >     # Add and Update TLS Key
> >     # If your having domain member, a correct certificate setup is
> > preffered. 
> >     #tls enabled = yes
> >     #tls keyfile = /etc/ssl/private/host.key.pem
> >     #tls certfile = /etc/sslcerts/host.cert.pem
> >     #tls cafile = /etc/ssl/certs/ca.pem
> > 
> >     ## map id's outside to domain to tdb files.
> >     idmap config *:backend = tdb
> >     idmap config *:range = 2000-9999
> > 
> >     ## map ids from the domain and (*) the range may not overlap !
> >     # choose the back end that fits your setup. 
> >     # https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends 
> >     idmap config NTDOM : backend = ad
> >     idmap config NTDOM : range = 10000-3999999
> >     # Backend AD uses often, one or more of these 3 settings
> >     idmap config NTDOM : schema_mode = rfc2307
> >     # optional
> >     #idmap config NTDOM : unix_nss_info = yes
> >     #idmap config NTDOM : unix_primary_group = yes
> > 
> >     # Most compatible setup.
> >     dedicated keytab file = /etc/krb5.keytab
> >     kerberos method = secrets and keytab
> > 
> >     # Renew the kerberos ticket its lifetime.
> >     winbind refresh tickets = yes
> > 
> >     # remove NTDOM\ from the username
> >     winbind use default domain = yes
> > 
> >     # Default = no, only set yes while testing.
> >     winbind enum users  = no
> >     winbind enum groups = no
> > 
> >     # Enable offline logins
> >     winbind offline logon = yes
> > 
> >     # The user Administrator workaround, without it you are unable
> > to
> > set privileges
> >     # Format in the file: !root = NTDOM\Administrator
> > NTDOM\administrator
> >     username map = /etc/samba/samba_usermapping
> > 
> >     # Disable option to allow usershares to be created, when set
> > empty no error log messages.
> >     usershare path =
> > 
> >     # Disable printing completely
> >     load printers = no
> >     printing = bsd
> >     printcap name = /dev/null
> >     disable spoolss = yes
> > 
> >     # For Windows ACL support on member file server, enabled
> > globaly,
> > OBLIGATED
> >     # For a mixed setup of rights, put this per share!
> >     vfs objects = acl_xattr
> >     map acl inherit = yes
> >     store dos attributes = yes
> > 
> >     # Share Setting Globally
> >     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> >     hide unreadable = yes
> > 
> > ######## SHARE DEFINITIONS ################
> > .. 
> > 
> > 
> > Greetz, 
> > 
> > Louis
> > 
> > 
> > 
> > > -----Oorspronkelijk bericht-----
> > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Sac 
> > > Isilia via samba
> > > Verzonden: dinsdag 26 november 2019 14:41
> > > Aan: samba at lists.samba.org
> > > Onderwerp: [Samba] security = ads parameter not working in samba
> > > 4.9.5
> > > 
> > > Hi Team,
> > > 
> > > I need to join the server in AD domain using winbind . Below are
> > > the
> > > package version for reference. The server runs Debian 10 and 
> > > the default
> > > install of samba is 4.9.5.
> > > 
> > > ii  samba                                 2:4.9.5+dfsg-5+deb10u1
> > >     amd64        SMB/CIFS file, print, and login server for Unix
> > > ii  samba-common                          2:4.9.5+dfsg-5+deb10u1
> > >     all          common files used by both the Samba server and
> > > client
> > > 
> > > ii  winbind                               2:4.9.5+dfsg-5+deb10u1
> > >     amd64        service to resolve user and group 
> > > information from Windows
> > > NT servers
> > > 
> > >    I searched the internet and few samba mailing list and 
> > > found that it was
> > > a bug and security = ads will produce error if you start winbind
> > > .
> > > The
> > > moment i put in smb.conf  "security = user" the winbind starts
> > > successfully but the server is not joined to domain when i 
> > > run the command
> > > net ads join -U xxx I get the below error.
> > > 
> > > Host is not configured as a member server.
> > > Invalid configuration.  Exiting....
> > > Failed to join domain: This operation is only allowed for the 
> > > PDC of the
> > > domain.
> > > 
> > > I just couldn't find any solution to the above if samba runs on
> > > 4.9.5.
> > > Please help me so that I can join the server to AD domain.
> > > 
> > > Below is my smb.conf
> > > ------------------------------------
> > > [global]
> > > 
> > > 
> > > 
> > >         passdb backend = tdbsam
> > > security = user
> > >         password server = 10.34.54.46
> > >         idmap config EMEA-MEDIA : backend = ad
> > >         idmap config EMEA-MEDIA : range = 16777216-33554431
> > >         kerberos method = secrets and keytab
> > >         client use spnego = yes
> > >         client signing = yes
> > >         winbind enum users = yes
> > >         winbind enum groups = yes
> > >         template homedir = /home/%D/%U
> > >         template shell = /bin/bash
> > >         client use spnego = yes
> > >         client ntlmv2 auth = yes
> > >         encrypt passwords = yes
> > >         winbind use default domain = yes
> > >         restrict anonymous = 2
> > >         domain master = no
> > >         local master = no
> > >         preferred master = no
> > >         os level = 0
> > >         allow trusted domains = yes
> > >         winbind nested groups = yes
> > > 
> > > 
> > > ;   interfaces = 127.0.0.0/8 eth0
> > > 
> > > ;   bind interfaces only = yes
> > > 
> > > 
> > > 
> > > 
> > >    log file = /var/log/samba/log.%m
> > > 
> > >    max log size = 1000
> > > 
> > >    logging = file
> > > 
> > >    panic action = /usr/share/samba/panic-action %d
> > > 
> > > 
> > > 
> > >    server role = standalone server
> > > 
> > >    obey pam restrictions = yes
> > > 
> > >    unix password sync = yes
> > > 
> > >    passwd program = /usr/bin/passwd %u
> > >    passwd chat = *Enter\snew\s*\spassword:* %n\n
> > > *Retype\snew\s*\spassword:* %n\n
> > > *password\supdated\ssuccessfully*
> > > .
> > > 
> > >    pam password change = yes
> > > 
> > >    map to guest = bad user
> > > 
> > > 
> > > 
> > > ;   logon path = \\%N\profiles\%U
> > > 
> > > ;   logon drive = H:
> > > 
> > > ;   logon script = logon.cmd
> > > 
> > > ; add user script = /usr/sbin/adduser --quiet 
> > > --disabled-password --gecos
> > > "" %u
> > > 
> > > ; add machine script  = /usr/sbin/useradd -g machines -c "%u
> > > machine
> > > account" -d /var/lib/samba -s /bin/false %u
> > > 
> > > ; add group script = /usr/sbin/addgroup --force-badname %g
> > > 
> > > 
> > > ;   include = /home/samba/etc/smb.conf.%m
> > > 
> > > ;   idmap config * :              backend = tdb
> > > ;   idmap config * :              range   = 3000-7999
> > > ;   idmap config YOURDOMAINHERE : backend = tdb
> > > ;   idmap config YOURDOMAINHERE : range   = 100000-999999
> > > ;   template shell = /bin/bash
> > > 
> > > 
> > > 
> > >    usershare allow guests = yes
> > > 
> > > 
> > > [homes]
> > >    comment = Home Directories
> > >    browseable = no
> > > 
> > >    read only = yes
> > > 
> > >    create mask = 0700
> > > 
> > >    directory mask = 0700
> > > 
> > >    valid users = %S
> > > 
> > > ;[netlogon]
> > > ;   comment = Network Logon Service
> > > ;   path = /home/samba/netlogon
> > > ;   guest ok = yes
> > > ;   read only = yes
> > > 
> > > ;[profiles]
> > > ;   comment = Users profiles
> > > ;   path = /home/samba/profiles
> > > ;   guest ok = no
> > > ;   browseable = no
> > > ;   create mask = 0600
> > > ;   directory mask = 0700
> > > 
> > > [printers]
> > >    comment = All Printers
> > >    browseable = no
> > >    path = /var/spool/samba
> > >    printable = yes
> > >    guest ok = no
> > >    read only = yes
> > >    create mask = 0700
> > > 
> > > [print$]
> > >    comment = Printer Drivers
> > >    path = /var/lib/samba/printers
> > >    browseable = yes
> > >    read only = yes
> > >    guest ok = no
> > > ;   write list = root, @lpadmin
> > > 
> > > 
> > > Regards
> > > Sachin Kumar
> > > -- 
> > > 
> > > 
-- 
Sérgio M. B.



