[Samba] Windows 2016 RSAT not connect with samba4 DC

Rowland penny rpenny at samba.org
Tue Dec 1 18:33:15 UTC 2020


On 01/12/2020 10:00, Rowland penny via samba wrote:
> On 30/11/2020 22:25, Rommel Rodriguez Toirac via samba wrote:
>> On 30 November 2020 16:27:10 GMT-05:00, Rowland penny via samba <samba at lists.samba.org> wrote:
>>> On 30/11/2020 20:55, Rommel Rodriguez Toirac wrote:
>>>> On 30 November 2020 15:43:24 GMT-05:00, Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>> On 30/11/2020 20:32, Rommel Rodriguez Toirac via samba wrote:
>>>>>> On 30 November 2020 14:19:19 GMT-05:00, Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>>>> On 30/11/2020 19:09, Rommel Rodriguez Toirac wrote:
>>>>>>>> On 30 November 2020 13:41:09 GMT-05:00, Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>>>>>> On 30/11/2020 18:21, Rommel Rodriguez Toirac wrote:
>>>>>>>>>> I do not have sssd installed. I use winbind.
>>>>>>>>>>
>>>>>>>>> in which case, edit /etc/nsswitch.conf and make the passwd, shadow and
>>>>>>>>> group lines look like this:
>>>>>>>>>
>>>>>>>>> passwd:      files winbind systemd
>>>>>>>>> shadow:      files
>>>>>>>>> group:       files winbind systemd
>>>>>>>>>
>>>>>>>>> remove every mention of 'sss'
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>> Done, now it looks like this:
>>>>>>>>
>>>>>>>>
>>>>>>>>      [root at gtmad1 sbin]# cat /etc/nsswitch.conf
>>>>>>>> #
>>>>>>>> # /etc/nsswitch.conf
>>>>>>>> #
>>>>>>>> # An example Name Service Switch config file. This file should be
>>>>>>>> # sorted with the most-used services at the beginning.
>>>>>>>> #
>>>>>>>> # The entry '[NOTFOUND=return]' means that the search for an
>>>>>>>> # entry should stop if the search in the previous entry turned
>>>>>>>> # up nothing. Note that if the search failed due to some other reason
>>>>>>>> # (like no NIS server responding) then the search continues with the
>>>>>>>> # next entry.
>>>>>>>> #
>>>>>>>> # Valid entries include:
>>>>>>>> #
>>>>>>>> #       nisplus                 Use NIS+ (NIS version 3)
>>>>>>>> #       nis                     Use NIS (NIS version 2), also called YP
>>>>>>>> #       dns                     Use DNS (Domain Name Service)
>>>>>>>> #       files                   Use the local files in /etc
>>>>>>>> #       db                      Use the pre-processed /var/db files
>>>>>>>> #       compat                  Use /etc files plus *_compat pseudo-databases
>>>>>>>> #       hesiod                  Use Hesiod (DNS) for user lookups
>>>>>>>> #       sss                     Use sssd (System Security Services Daemon)
>>>>>>>> #       [NOTFOUND=return]       Stop searching if not found so far
>>>>>>>> #
>>>>>>>> # 'sssd' performs its own 'files'-based caching, so it should
>>>>>>>> # generally come before 'files'.
>>>>>>>>
>>>>>>>> # To use 'db', install the nss_db package, and put the 'db' in front
>>>>>>>> # of 'files' for entries you want to be looked up first in the
>>>>>>>> # databases, like this:
>>>>>>>> #
>>>>>>>> # passwd:    db files
>>>>>>>> # shadow:    db files
>>>>>>>> # group:     db files
>>>>>>>>
>>>>>>>> passwd:     files winbind systemd
>>>>>>>> shadow:     files
>>>>>>>> group:      files winbind systemd
>>>>>>>>
>>>>>>>> hosts:      files dns myhostname
>>>>>>>>
>>>>>>>> bootparams: files
>>>>>>>>
>>>>>>>> ethers:     files
>>>>>>>> netmasks:   files
>>>>>>>> networks:   files
>>>>>>>> protocols:  files
>>>>>>>> rpc:        files
>>>>>>>> services:   files sss
>>>>>>>>
>>>>>>>> netgroup:   sss
>>>>>>>>
>>>>>>>> publickey:  files
>>>>>>>>
>>>>>>>> automount:  files sss
>>>>>>>> aliases:    files
>>>>>>>>
>>>>>>>>
>>>>>>> You still have 'sss' in the file, you do not need them if you don't have
>>>>>>> sssd installed, I would change 'netgroup: sss' to 'netgroup: nis' and
>>>>>>> remove the other 'sss'
>>>>>>>
>>>>>>> Rowland
>>>>>>
>>>>>> After sending the messages I changed the file and left it like this:
>>>>>>     [root at gtmad1 var]# cat /etc/nsswitch.conf
>>>>>> #
>>>>>> # /etc/nsswitch.conf
>>>>>> #
>>>>>> # An example Name Service Switch config file. This file should be
>>>>>> # sorted with the most-used services at the beginning.
>>>>>> #
>>>>>> # The entry '[NOTFOUND=return]' means that the search for an
>>>>>> # entry should stop if the search in the previous entry turned
>>>>>> # up nothing. Note that if the search failed due to some other reason
>>>>>> # (like no NIS server responding) then the search continues with the
>>>>>> # next entry.
>>>>>> #
>>>>>> # Valid entries include:
>>>>>> #
>>>>>> #       nisplus                 Use NIS+ (NIS version 3)
>>>>>> #       nis                     Use NIS (NIS version 2), also called YP
>>>>>> #       dns                     Use DNS (Domain Name Service)
>>>>>> #       files                   Use the local files in /etc
>>>>>> #       db                      Use the pre-processed /var/db files
>>>>>> #       compat                  Use /etc files plus *_compat pseudo-databases
>>>>>> #       hesiod                  Use Hesiod (DNS) for user lookups
>>>>>> #       sss                     Use sssd (System Security Services Daemon)
>>>>>> #       [NOTFOUND=return]       Stop searching if not found so far
>>>>>> #
>>>>>> # 'sssd' performs its own 'files'-based caching, so it should
>>>>>> # generally come before 'files'.
>>>>>>
>>>>>> # To use 'db', install the nss_db package, and put the 'db' in front
>>>>>> # of 'files' for entries you want to be looked up first in the
>>>>>> # databases, like this:
>>>>>> #
>>>>>> # passwd:    db files
>>>>>> # shadow:    db files
>>>>>> # group:     db files
>>>>>>
>>>>>> passwd:     files winbind
>>>>>> shadow:     files
>>>>>> group:      files winbind
>>>>>> initgroups: files
>>>>>>
>>>>>> hosts:      files dns myhostname
>>>>>>
>>>>>> bootparams: nisplus files
>>>>>>
>>>>>> ethers:     files
>>>>>> netmasks:   files
>>>>>> networks:   files
>>>>>> protocols:  files
>>>>>> rpc:        files
>>>>>> services:   files
>>>>>>
>>>>>> netgroup:   nis
>>>>>>
>>>>>> publickey:  nisplus
>>>>>>
>>>>>>
>>>>>> automount:  files nisplus
>>>>>> aliases:    files nisplus
>>>>>>
>>>>>> But it does not work when I run the getent command:
>>>>>>
>>>>>>
>>>>>> [root at gtmad1 var]# wbinfo -p
>>>>>> Ping to winbindd succeeded
>>>>>>
>>>>>>
>>>>>> [root at gtmad1 var]# getent passwd "ATGTM00\\rommel.rodriguez"
>>>>>>
>>>>>> [root at gtmad1 var]# getent group "ATGTM00\\Domain Users"
>>>>>>
>>>>>>
>>>>>> ... and it still does not connect from Windows (7) using RSAT, nor from the
>>>>>> Windows 2016 Server Admin Tools/Active Directory Users and Computers tool.
>>>>> Do you have these packages installed: samba samba-winbind
>>>>> samba-winbind-clients krb5-workstation
>>>>>
>>>>> Have you run this command: authselect select winbind with-mkhomedir
>>>>>
>>>>> Rowland
>>>> (Sorry for all the problems)
>>>>
>>>> Are these packages needed even if I compile from source (samba-4.13.2.tar.gz)?
>>>
>>> No, but you will need to create the links, see here:
>>> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>>>
>>> Rowland
>>
>>
>>
>> Thanks, now it is working. I made the links:
>>
>>
>>   ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/
>>
>>   ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
>>
>>
>> Testing the getent command:
>>
>>
>>   [root at gtmad1 ~]# getent passwd "ATGTM00\\rommel.rodriguez"
>> ATGTM00\rommel.rodriguez:*:3000127:100::/home/ATGTM00/rommel.rodriguez:/bin/false 
>>
>> [root at gtmad1 ~]# getent group "ATGTM00\\Domain Users"
>> ATGTM00\domain users:x:100:
> Well that's one thing fixed 😂
>>
>>
>> I still cannot connect using Windows 7 RSAT or the Windows 2016 Server
>> Admin Tools/Active Directory Users and Computers tool to do some
>> administration tasks on this Samba 4.13.2 Domain Controller.
>>
>> I can do it against Samba 4.11.2 (my ADDC).
>>
> Haven't got Windows 2016, but Win7 & Win10 ADUC work against 4.13.2 
> for me; the only differences are that I use Devuan with Louis's repo and 
> pam-krb5.
>
> Unlikely to be the OS (unless it is SELinux). The code in Louis's repo 
> will be the same code you used, so that leaves pam-krb5, and the lack 
> of that shouldn't cause your problem; it should fall back to NTLM.
>
> What error message are you getting when you try to use ADUC?
>
> Rowland
>
>
Just to wrap this up, the OP had his Samba DC running in an unprivileged 
container, changing this now allows him to use ADUC.

Rowland
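Added example, not code from the thread or from Samba: a POSIX sh script that automates the two checks the thread works through by hand, the passwd/group sources and stale 'sss' entries in nsswitch.conf, and the libnss_winbind links the OP had to create. The sample nsswitch.conf it writes is constructed for the demo, not a real system file.

```shell
#!/bin/sh
# Added example, not code from the thread: automate the checks Rowland
# asks for by hand. Each function prints findings and returns non-zero.
# check_nsswitch FILE: passwd and group must list winbind, and no live
# (uncommented) 'sss' source may remain on a box without sssd.
check_nsswitch() {
    file=$1 rc=0
    for db in passwd group; do
        # Sources of the last uncommented "db: ..." definition.
        srcs=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$file" | tail -n 1)
        case " $srcs " in
            *" winbind "*) ;;
            *) echo "$db: winbind not listed (got '$srcs')"; rc=1 ;;
        esac
    done
    # grep -n keeps line numbers; then drop hits whose content is a comment.
    hits=$(grep -n -w sss "$file" | grep -v '^[0-9]*:[[:space:]]*#')
    if [ -n "$hits" ]; then
        echo "$hits" | sed 's/^/live sss source at line /'
        rc=1
    fi
    return $rc
}

# check_winbind_link LIBDIR: both names the OP linked must resolve to a
# real file (test -e follows symlinks, so a dangling link is a finding).
check_winbind_link() {
    libdir=$1 rc=0
    for name in libnss_winbind.so.2 libnss_winbind.so; do
        [ -e "$libdir/$name" ] || { echo "$libdir/$name missing or dangling"; rc=1; }
    done
    return $rc
}

# Constructed fixture (not a real system file): the OP's final passwd/group
# lines, the distro's 'sss' comment, and the stale 'netgroup: sss' line.
make_sample_nsswitch() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
#       sss                     Use sssd (System Security Services Daemon)
# passwd:    db files
passwd:     files winbind systemd
shadow:     files
group:      files winbind systemd
netgroup:   sss
EOF
    echo "$f"
}

sample=$(make_sample_nsswitch); check_nsswitch "$sample"; rm -f "$sample"
```

Run it against /etc/nsswitch.conf and the directory holding libnss_winbind.so.2 (/lib64 in the OP's case); a zero exit status from both functions is the state the thread ends up in.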