[Samba] security = ads parameter not working in samba 4.9.5
Sérgio Basto
sergio at serjux.com
Fri Nov 29 18:17:07 UTC 2019
On Fri, 2019-11-29 at 17:19 +0000, Rowland penny via samba wrote:
> Lets start by removing this: krb5-server-1.15.1-37.el7_7.2.x86_64
ATM I can't; it will remove all samba packages :)
> And if it is installed on the DCs remove it from them as well.
OK, I will try removing krb5-server; on Monday I will give you feedback.
> Not sure if I asked this, but where did you get the Samba packages
> from ?
My packages are made by me [1], but they are similar to Nico Kadel-Garcia's rpms [2].
[1]
https://github.com/sergiomb2/sambaad
The first patch is for disabling MIT Kerberos integration and enabling
optional Heimdal Kerberos with Domain Controller functionality in the
Redhat/Fedora package, i.e. with MIT Kerberos we do not have a fully
functional PDC.
[2]
https://github.com/nkadel/samba4repo
https://lists.samba.org/archive/samba/2019-October/226703.html
>
> Can I also point out, when I ask for the output of the script in a
> post
> here, I mean here, not somewhere on the internet that can and will
> disappear. If needed, I can then review the output easily, I cannot,
> if
> it has disappeared, so, to make sure it doesn't disappear, here is
> your
> latest output:
OK, /var/log/samba/winbindd.log has a lot of "Could not convert sid"
NT_STATUS_NONE_MAPPED messages, which is very strange.
> Collected config --- 2019-11-29-16:51 -----------
>
> Hostname: estagiov2
> DNS Domain: corp.local
> FQDN: estagiov2.corp.local
> ipaddress: 172.27.2.56
>
> -----------
>
> Kerberos SRV _kerberos._tcp.corp.local record verified ok, sample
> output:
> Server: 172.27.28.1
> Address: 172.27.28.1#53
>
> _kerberos._tcp.corp.local service = 0 100 88 aldc3.corp.local.
> _kerberos._tcp.corp.local service = 0 100 88 ccdc1.corp.local.
> _kerberos._tcp.corp.local service = 0 100 88 ccdc2.corp.local.
> Samba is running as a Unix domain member
>
> -----------
> Checking file: /etc/os-release
>
> NAME="CentOS Linux"
> VERSION="7 (Core)"
> ID="centos"
> ID_LIKE="rhel fedora"
> VERSION_ID="7"
> PRETTY_NAME="CentOS Linux 7 (Core)"
> ANSI_COLOR="0;31"
> CPE_NAME="cpe:/o:centos:centos:7"
> HOME_URL="https://www.centos.org/"
> BUG_REPORT_URL="https://bugs.centos.org/"
>
> CENTOS_MANTISBT_PROJECT="CentOS-7"
> CENTOS_MANTISBT_PROJECT_VERSION="7"
> REDHAT_SUPPORT_PRODUCT="centos"
> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>
> -----------
>
>
> This computer is running an unknown distribution x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> 2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state
> UP group default qlen 1000
> link/ether 00:50:56:9c:25:86 brd ff:ff:ff:ff:ff:ff
> inet 172.27.2.56/22 brd 172.27.3.255 scope global noprefixroute
> ens160
> inet6 fe80::bbc2:13a4:154:7fb8/64 scope link noprefixroute
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost localhost.localdomain localhost4
> localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6
> 172.27.2.56 estagiov2.corp.local estagiov2
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # Generated by NetworkManager
> search corp.local
> nameserver 172.27.28.1
> nameserver 172.27.2.5
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = CORP.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> # nisplus Use NIS+ (NIS version 3)
> # nis Use NIS (NIS version 2), also called
> YP
> # dns Use DNS (Domain Name Service)
> # files Use the local files
> # db Use the local database (.db) files
> # compat Use NIS on compat mode
> # hesiod Use Hesiod for user lookups
> # [NOTFOUND=return] Stop searching if not found so far
> #
>
> # To use db, put the "db" in front of "files" for entries you want to
> be
> # looked up first in the databases
> #
> # Example:
> #passwd: db files nisplus nis
> #shadow: db files nisplus nis
> #group: db files nisplus nis
>
> #passwd: files winbind sss
> #shadow: files sss
> #group: files winbind sss
> passwd: files winbind
> shadow: files
> group: files winbind
> #initgroups: files sss
>
> #hosts: db files nisplus nis dns
> hosts: files dns myhostname
>
> # Example - obey only what nisplus tells us...
> #services: nisplus [NOTFOUND=return] files
> #networks: nisplus [NOTFOUND=return] files
> #protocols: nisplus [NOTFOUND=return] files
> #rpc: nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks: nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
>
> netgroup: nisplus sss
>
> publickey: nisplus
>
> automount: files nisplus sss
> aliases: files nisplus
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> # See smb.conf.example for a more detailed config file or
> # read the smb.conf manpage.
> # Run 'testparm' to verify the config is correct after
> # you modified it.
>
> [global]
> #netbios name = ESTAGIOV2
> workgroup = CORP
> realm = CORP.LOCAL
> security = ADS
> log file = /var/log/samba/%m.log
> log level = 9
> winbind refresh tickets = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind use default domain = yes
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
>
> # - You must set a DOMAIN backend configuration
> # idmap config for the SAMDOM domain
> idmap config CORP:backend = ad
> idmap config CORP:schema_mode = rfc2307
> idmap config CORP:range = 10000-999999
> idmap config CORP:unix_nss_info = yes
>
> # Template settings for login shell and home directory
> template shell = /bin/bash
> template homedir = /home/%U
> username map = /var/lib/samba/user.map
>
>
> # printing = cups
> # printcap name = cups
> # load printers = yes
> # cups options = raw
>
> [homes]
> comment = Home Directories
> valid users = %S, %D%w%S
> browseable = No
> read only = No
> inherit acls = Yes
>
> [printers]
> comment = All Printers
> path = /var/tmp
> printable = Yes
> create mask = 0600
> browseable = No
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @printadmin root
> force group = @printadmin
> create mask = 0664
> directory mask = 0775
>
> []
> path = /srv/samba//
> read only = no
>
> -----------
>
> Running as Unix domain member and user.map detected.
>
> Contents of /var/lib/samba/user.map
>
> !root = CORP\Administrator CORP\administrator
>
> Server Role is set to : auto
>
> -----------
>
> Installed packages:
> samba-common-tools-4.10.10-2.el7.x86_64
> samba-dc-libs-4.10.10-2.el7.x86_64
> samba-dc-bind-dlz-4.10.10-2.el7.x86_64
> samba-python-test-4.10.10-2.el7.x86_64
> pyxattr-0.5.1-5.el7.x86_64
> krb5-workstation-1.15.1-37.el7_7.2.x86_64
> samba-python-4.10.10-2.el7.x86_64
> samba-client-4.10.10-2.el7.x86_64
> samba-4.10.10-2.el7.x86_64
> samba-dc-4.10.10-2.el7.x86_64
> samba-test-4.10.10-2.el7.x86_64
> samba-winbind-krb5-locator-4.10.10-2.el7.x86_64
> samba-winbind-clients-4.10.10-2.el7.x86_64
> samba-pidl-4.10.10-2.el7.noarch
> krb5-server-1.15.1-37.el7_7.2.x86_64
> samba-winbind-modules-4.10.10-2.el7.x86_64
> samba-common-libs-4.10.10-2.el7.x86_64
> samba-python-dc-4.10.10-2.el7.x86_64
> libsmbclient-4.10.10-2.el7.x86_64
> libacl-2.2.51-14.el7.x86_64
> samba-libs-4.10.10-2.el7.x86_64
> samba-test-libs-4.10.10-2.el7.x86_64
> samba-krb5-printing-4.10.10-2.el7.x86_64
> libattr-2.4.46-13.el7.x86_64
> krb5-libs-1.15.1-37.el7_7.2.x86_64
> acl-2.2.51-14.el7.x86_64
> samba-common-4.10.10-2.el7.noarch
> samba-client-libs-4.10.10-2.el7.x86_64
> samba-winbind-4.10.10-2.el7.x86_64
>
> -----------
>
> Rowland
--
Sérgio M. B.
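The two things worth checking from the collected output above are the idmap layout (the `*` default range must use a writable backend and must not overlap the CORP `ad` range, otherwise two different SIDs can end up with the same Unix ID) and which SIDs winbindd is failing to map. The script below is an added example for this thread, not Samba code and not something either poster ran. The idmap lines are copied from the smb.conf quoted above; the winbindd.log excerpt is constructed, and its exact line format and the SIDs in it are assumptions.

```python
"""Sanity-check Samba idmap config and list SIDs winbindd could not map.

Added example for this thread (not Samba's code). The winbindd log format
and the SIDs below are constructed for illustration.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# idmap lines as quoted in the thread's smb.conf
SMB_CONF = """
[global]
   workgroup = CORP
   realm = CORP.LOCAL
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999
   idmap config CORP:backend = ad
   idmap config CORP:schema_mode = rfc2307
   idmap config CORP:range = 10000-999999
   idmap config CORP:unix_nss_info = yes
"""

# Constructed winbindd.log excerpt (line format assumed, not a real capture).
WINBINDD_LOG = """\
[2019/11/29 16:51:02.123456,  5] ../../source3/winbindd/wb_sids2xids.c:200(wb_sids2xids_done)
  Could not convert sid S-1-5-21-1111111111-2222222222-3333333333-1105: NT_STATUS_NONE_MAPPED
[2019/11/29 16:51:02.123999,  5] ../../source3/winbindd/wb_sids2xids.c:200(wb_sids2xids_done)
  Could not convert sid S-1-5-21-1111111111-2222222222-3333333333-513: NT_STATUS_NONE_MAPPED
[2019/11/29 16:51:03.000001,  5] ../../source3/winbindd/wb_sids2xids.c:200(wb_sids2xids_done)
  Could not convert sid S-1-5-21-1111111111-2222222222-3333333333-1105: NT_STATUS_NONE_MAPPED
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
UNMAPPED_RE = re.compile(
    r"Could not convert sid (?P<sid>S-1-[0-9-]+)\s*:\s*(?P<status>NT_STATUS_\w+)"
)
# The '*' default domain must be allocating (read-write); 'ad'/'rid' are not.
WRITABLE_DEFAULT_BACKENDS = {"tdb", "autorid"}


def parse_idmap(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config DOM : key = value' lines, keyed by domain.

    Domain names are upper-cased (smb.conf matches them case-insensitively);
    the default domain keeps its literal '*' key.
    """
    cfg: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = "*" if m.group("dom") == "*" else m.group("dom").upper()
        cfg.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
    return cfg


def parse_range(value: str) -> Tuple[int, int]:
    """'lo-hi' -> (lo, hi); reject empty or inverted ranges."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo >= hi:
        raise ValueError(f"empty or inverted idmap range {value!r}")
    return lo, hi


def check_idmap(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the layout is sane."""
    problems: List[str] = []
    default = cfg.get("*")
    if default is None:
        problems.append("no 'idmap config *' default domain: BUILTIN SIDs cannot be mapped")
    elif default.get("backend", "").lower() not in WRITABLE_DEFAULT_BACKENDS:
        problems.append(f"default backend {default.get('backend')!r} is not writable (tdb/autorid)")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in cfg.items():
        if "range" not in opts:
            problems.append(f"domain {dom}: no range configured")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"domain {dom}: {exc}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):  # pairwise overlap check
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges for {a} and {b} overlap: two SIDs could share one UID/GID")
    return problems


def domain_for_id(cfg: Dict[str, Dict[str, str]], xid: int) -> Optional[str]:
    """Which configured domain's range a Unix ID falls into (None if none)."""
    for dom, opts in cfg.items():
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo <= xid <= hi:
                return dom
    return None


def unmapped_sids(log_text: str) -> Counter:
    """Count SIDs reported as NT_STATUS_NONE_MAPPED. With 'backend = ad' these
    are the AD objects to check for a missing uidNumber/gidNumber (or one
    outside the domain's range)."""
    counts: Counter = Counter()
    for m in UNMAPPED_RE.finditer(log_text):
        if m.group("status") == "NT_STATUS_NONE_MAPPED":
            counts[m.group("sid")] += 1
    return counts


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for p in check_idmap(cfg) or ["idmap layout OK"]:
        print(p)
    for sid, n in unmapped_sids(WINBINDD_LOG).most_common():
        print(f"{sid}: unmapped {n}x -> check uidNumber/gidNumber in AD")
```

Run it against the real files (`testparm -s` output and `/var/log/samba/winbindd.log`) instead of the embedded samples; a SID that is reported repeatedly under the `ad` backend almost always belongs to a user or group whose RFC2307 attributes are missing or fall outside the CORP range, which is what to look up in AD next.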