[Samba] security = ads parameter not working in samba 4.9.5

Sérgio Basto sergio at serjux.com
Fri Nov 29 18:17:07 UTC 2019


On Fri, 2019-11-29 at 17:19 +0000, Rowland penny via samba wrote:
> Lets start by removing this: krb5-server-1.15.1-37.el7_7.2.x86_64

ATM I can't, it will remove all samba packages :) 

> And if it is installed on the DCs remove it from them as well.

OK, I will try to remove krb5-server; on Monday I will give you feedback.

> Not sure if I asked this, but where did you get the Samba packages
> from ?

My packages are made by me [1], but they are similar to Nico Kadel-Garcia's RPMs [2].

[1]
https://github.com/sergiomb2/sambaad
The first patch is for disabling MIT Kerberos integration and enabling
optional Heimdal Kerberos with Domain Controller functionality in the
Redhat/Fedora package, i.e. with MIT Kerberos we do not have a fully
functional PDC.

[2]
https://github.com/nkadel/samba4repo
https://lists.samba.org/archive/samba/2019-October/226703.html

> 
> Can I also point out, when I ask for the output of the script in a
> post 
> here, I mean here, not somewhere on the internet that can and will 
> disappear. If needed, I can then review the output easily, I cannot,
> if 
> it has disappeared, so, to make sure it doesn't disappear, here is
> your 
> latest output:

OK, /var/log/samba/winbindd.log has a lot of "Could not convert sid"
NT_STATUS_NONE_MAPPED messages, which is very strange.


> Collected config  --- 2019-11-29-16:51 -----------
> 
> Hostname: estagiov2
> DNS Domain: corp.local
> FQDN: estagiov2.corp.local
> ipaddress: 172.27.2.56
> 
> -----------
> 
> Kerberos SRV _kerberos._tcp.corp.local record verified ok, sample
> output:
> Server:		172.27.28.1
> Address:	172.27.28.1#53
> 
> _kerberos._tcp.corp.local	service = 0 100 88 aldc3.corp.local.
> _kerberos._tcp.corp.local	service = 0 100 88 ccdc1.corp.local.
> _kerberos._tcp.corp.local	service = 0 100 88 ccdc2.corp.local.
> Samba is running as a Unix domain member
> 
> -----------
>         Checking file: /etc/os-release
> 
> NAME="CentOS Linux"
> VERSION="7 (Core)"
> ID="centos"
> ID_LIKE="rhel fedora"
> VERSION_ID="7"
> PRETTY_NAME="CentOS Linux 7 (Core)"
> ANSI_COLOR="0;31"
> CPE_NAME="cpe:/o:centos:centos:7"
> HOME_URL="https://www.centos.org/"
> BUG_REPORT_URL="https://bugs.centos.org/"
> 
> CENTOS_MANTISBT_PROJECT="CentOS-7"
> CENTOS_MANTISBT_PROJECT_VERSION="7"
> REDHAT_SUPPORT_PRODUCT="centos"
> REDHAT_SUPPORT_PRODUCT_VERSION="7"
> 
> -----------
> 
> 
> This computer is running an unknown distribution x86_64
> 
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1000
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
>      inet6 ::1/128 scope host
> 2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state
> UP group default qlen 1000
>      link/ether 00:50:56:9c:25:86 brd ff:ff:ff:ff:ff:ff
>      inet 172.27.2.56/22 brd 172.27.3.255 scope global noprefixroute
> ens160
>      inet6 fe80::bbc2:13a4:154:7fb8/64 scope link noprefixroute
> 
> -----------
>         Checking file: /etc/hosts
> 
> 127.0.0.1   localhost localhost.localdomain localhost4
> localhost4.localdomain4
> ::1         localhost localhost.localdomain localhost6
> localhost6.localdomain6
> 172.27.2.56 estagiov2.corp.local estagiov2
> 
> -----------
> 
>         Checking file: /etc/resolv.conf
> 
> # Generated by NetworkManager
> search corp.local
> nameserver 172.27.28.1
> nameserver 172.27.2.5
> 
> -----------
> 
>         Checking file: /etc/krb5.conf
> 
> [libdefaults]
>      default_realm = CORP.LOCAL
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
> 
> -----------
> 
>         Checking file: /etc/nsswitch.conf
> 
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> #	nisplus			Use NIS+ (NIS version 3)
> #	nis			Use NIS (NIS version 2), also called
> YP
> #	dns			Use DNS (Domain Name Service)
> #	files			Use the local files
> #	db			Use the local database (.db) files
> #	compat			Use NIS on compat mode
> #	hesiod			Use Hesiod for user lookups
> #	[NOTFOUND=return]	Stop searching if not found so far
> #
> 
> # To use db, put the "db" in front of "files" for entries you want to
> be
> # looked up first in the databases
> #
> # Example:
> #passwd:    db files nisplus nis
> #shadow:    db files nisplus nis
> #group:     db files nisplus nis
> 
> #passwd:     files winbind sss
> #shadow:     files sss
> #group:      files winbind sss
> passwd:     files winbind
> shadow:     files
> group:      files winbind
> #initgroups: files sss
> 
> #hosts:     db files nisplus nis dns
> hosts:	files dns myhostname
> 
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
> 
> bootparams: nisplus [NOTFOUND=return] files
> 
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> 
> netgroup:   nisplus sss
> 
> publickey:  nisplus
> 
> automount:  files nisplus sss
> aliases:    files nisplus
> 
> -----------
> 
>         Checking file: /etc/samba/smb.conf
> 
> # See smb.conf.example for a more detailed config file or
> # read the smb.conf manpage.
> # Run 'testparm' to verify the config is correct after
> # you modified it.
> 
> [global]
> #netbios name = ESTAGIOV2
> workgroup = CORP
> realm = CORP.LOCAL
> security = ADS
> log file = /var/log/samba/%m.log
> log level = 9
> winbind refresh tickets = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind use default domain = yes
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
> 
> # - You must set a DOMAIN backend configuration
> # idmap config for the SAMDOM domain
> idmap config CORP:backend = ad
> idmap config CORP:schema_mode = rfc2307
> idmap config CORP:range = 10000-999999
> idmap config CORP:unix_nss_info = yes
> 
> # Template settings for login shell and home directory
> template shell = /bin/bash
> template homedir = /home/%U
> username map = /var/lib/samba/user.map
> 
> 
> #	printing = cups
> #	printcap name = cups
> #	load printers = yes
> #	cups options = raw
> 
> [homes]
> 	comment = Home Directories
> 	valid users = %S, %D%w%S
> 	browseable = No
> 	read only = No
> 	inherit acls = Yes
> 
> [printers]
> 	comment = All Printers
> 	path = /var/tmp
> 	printable = Yes
> 	create mask = 0600
> 	browseable = No
> 
> [print$]
> 	comment = Printer Drivers
> 	path = /var/lib/samba/drivers
> 	write list = @printadmin root
> 	force group = @printadmin
> 	create mask = 0664
> 	directory mask = 0775
> 
> []
>      path = /srv/samba//
>      read only = no
> 
> -----------
> 
> Running as Unix domain member and user.map detected.
> 
> Contents of /var/lib/samba/user.map
> 
> !root = CORP\Administrator CORP\administrator
> 
> Server Role is set to :  auto
> 
> -----------
> 
> Installed packages:
> samba-common-tools-4.10.10-2.el7.x86_64
> samba-dc-libs-4.10.10-2.el7.x86_64
> samba-dc-bind-dlz-4.10.10-2.el7.x86_64
> samba-python-test-4.10.10-2.el7.x86_64
> pyxattr-0.5.1-5.el7.x86_64
> krb5-workstation-1.15.1-37.el7_7.2.x86_64
> samba-python-4.10.10-2.el7.x86_64
> samba-client-4.10.10-2.el7.x86_64
> samba-4.10.10-2.el7.x86_64
> samba-dc-4.10.10-2.el7.x86_64
> samba-test-4.10.10-2.el7.x86_64
> samba-winbind-krb5-locator-4.10.10-2.el7.x86_64
> samba-winbind-clients-4.10.10-2.el7.x86_64
> samba-pidl-4.10.10-2.el7.noarch
> krb5-server-1.15.1-37.el7_7.2.x86_64
> samba-winbind-modules-4.10.10-2.el7.x86_64
> samba-common-libs-4.10.10-2.el7.x86_64
> samba-python-dc-4.10.10-2.el7.x86_64
> libsmbclient-4.10.10-2.el7.x86_64
> libacl-2.2.51-14.el7.x86_64
> samba-libs-4.10.10-2.el7.x86_64
> samba-test-libs-4.10.10-2.el7.x86_64
> samba-krb5-printing-4.10.10-2.el7.x86_64
> libattr-2.4.46-13.el7.x86_64
> krb5-libs-1.15.1-37.el7_7.2.x86_64
> acl-2.2.51-14.el7.x86_64
> samba-common-4.10.10-2.el7.noarch
> samba-client-libs-4.10.10-2.el7.x86_64
> samba-winbind-4.10.10-2.el7.x86_64
> 
> -----------
> 
> Rowland
>   
> 
> 
-- 
Sérgio M. B.
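The winbindd "Could not convert sid" / NT_STATUS_NONE_MAPPED errors above are what an idmap misconfiguration on a domain member typically surfaces as, so the constraints stated in the quoted smb.conf comments (a read-write backend for the default `*` domain, a backend block for the joined domain, and non-overlapping ranges) are worth checking mechanically. The following is an added example, not code from the thread or from Samba itself; the `RW_BACKENDS` set and the `idmap config` line pattern it parses are my assumptions, and the embedded smb.conf fragment is constructed from the config quoted in the thread.

```python
import re

# Constructed sample input: the idmap lines from the smb.conf quoted above
# (default '*' domain on tdb, the joined CORP domain on the ad backend).
SMB_CONF = """
workgroup = CORP
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config CORP:backend = ad
idmap config CORP:schema_mode = rfc2307
idmap config CORP:range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
RW_BACKENDS = {"tdb", "autorid"}  # assumption: backends able to allocate new ids

def parse_idmap(conf):
    """Group 'idmap config <dom>:<key> = <val>' lines by upper-cased domain."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom.upper(), {})[key.lower()] = val
    return domains

def parse_range(text):
    """'10000-999999' -> (10000, 999999)."""
    lo, hi = (int(x) for x in text.split("-", 1))
    return lo, hi

def check_idmap(conf, workgroup):
    """Return a list of idmap problems; an empty list means the checks passed."""
    domains = parse_idmap(conf)
    problems = []
    default = domains.get("*", {})
    if default.get("backend", "").lower() not in RW_BACKENDS:
        problems.append("default '*' domain needs a read-write backend such as tdb")
    if workgroup.upper() not in domains:
        problems.append(f"no 'idmap config {workgroup}' block for the joined domain")
    problems += [f"domain {d} has no range" for d, c in domains.items() if "range" not in c]
    ranges = {d: parse_range(c["range"]) for d, c in domains.items() if "range" in c}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"ranges of {a} and {b} overlap")
    return problems
```

Run against the thread's config the checks pass, which points the investigation at the AD side of the lookup (the rfc2307 uidNumber/gidNumber attributes the `ad` backend requires) rather than at the range layout.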