[Samba] samba / debian 10 / security=ads

Gregory ROCHER Gregory.Rocher at ifremer.fr
Wed Nov 18 10:42:48 UTC 2020


Hi all

I'm looking for some help on winbind/idmap for a new host

The Debian version on this host is new: Debian 10 buster, so samba is
> root at homedir10:~# samba --version
> Version 4.9.5-Debian

We want to use security=ads, so we join this host to the domain.
No problem for Windows clients: they can mount shares that are 
accessible to their primary unix group and secondary unix group(s).

But we have a problem with Linux clients: smbclient refuses to access the 
shares.
> [grocher: ~ ] 130 $ smbclient //homedir10/ditiric -U IFR\\grocher
> WARNING: The "syslog" option is deprecated
> Enter IFR\grocher's password: 
> session setup failed: NT_STATUS_NO_LOGON_SERVERS

On this host the smb.conf was copied from the previous host (Debian 9 / samba 
4.5.16-Debian) and the winbind package was not installed.
On Debian 9 / samba 4.5.16 both clients work without winbind and idmap 
parameters in smb.conf.

So I began to study
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

On a dev host, I installed the missing packages 
https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Debian
in particular winbind, libnss-winbind, libpam-winbind

With this config none of the clients could access the shares.

Some diagnostics I could perform:

winbind seems to be working and samba can access the service
> root at vans-d10-cl:~# wbinfo -p
> Ping to winbindd succeeded

AD domain parameters seem correct and the host seems to have correctly 
joined the domain (our domain is IFR)
> root at vans-d10-cl:~# wbinfo --domain-info=IFR
> Name              : IFR
> Alt_Name          : ifremer.fr
> SID               : S-1-5-21-500109986-1412980772-1848903544
> Active Directory  : Yes
> Native            : Yes
> Primary           : Yes

We can ping Domain Controllers
> root at vans-d10-cl:~# wbinfo --getdcname=IFR
> VDC2016
> root at vans-d10-cl:~# wbinfo --ping-dc
> checking the NETLOGON for domain[IFR] dc connection to "vdc2016.ifremer.fr" succeeded

Users and groups of the domain are seen by samba
> root at vans-d10-cl:~# wbinfo --domain-users | head
> IFR\peronm
> IFR\pgermane
> IFR\galviset
> IFR\cbontemp
> IFR\ldecubbe
> IFR\mmeloni
> IFR\ssaunier
> IFR\gkorchag
> IFR\clemeu
> IFR\tlebreto
> root at vans-d10-cl:~# wbinfo --domain-groups | head
> IFR\administrateurs du schéma
> IFR\administrateurs de l'entreprise
> IFR\contrôleurs de domaine d’entreprise en lecture seule
> IFR\exchangelegacyinterop
> IFR\exchange windows permissions
> IFR\managed availability servers
> IFR\exchange trusted subsystem
> IFR\exchange servers
> IFR\compliance management
> IFR\hygiene management
> root at vans-d10-cl:~# wbinfo --domain-groups | tail
> IFR\sgc
> IFR\hdfstest
> IFR\ofseair
> IFR\rhldcm
> IFR\gcelimer
> IFR\gpacl
> IFR\metocean
> IFR\drhdajf
> IFR\grotor
> IFR\workflowums

In /etc/nsswitch.conf I have added winbind as source for passwd and group
> root at vans-d10-cl:~# grep winbind /etc/nsswitch.conf 
> passwd:         files winbind nis compat
> group:          files winbind nis compat

And the host seems to have correct information on both NIS and domain 
users and groups

> root at vans-d10-cl:~# getent passwd grocher
> grocher:$1$[password hash redacted]:21826:10022:Gregory ROCHER, Ifremer Brest PDG-IRSI-RIC, 02 29 00 85 79:/home1/homedir1/perso/grocher:/bin/csh
> root at vans-d10-cl:~# getent passwd IFR\\grocher
> IFR\grocher:*:11752:10513:Gregory ROCHER, Ifremer Brest PDG-IRSI-RIC, 02 2:/home/IFR/grocher:/bin/false
> root at vans-d10-cl:~# getent group ditiric
> ditiric:x:10022:ricdba,ricora,bmilo,tina,cotty,gmaudire,dcroizef,clebris,fguesnon
> root at vans-d10-cl:~# getent group IFR\\ditiric
> IFR\ditiric:x:11375:

For id mapping I have studied the three backends mentioned in
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Choose_backend_for_id_mapping_in_winbindd

I don't think we can use the ad backend because of the lack of uidNumber 
and gidNumber in our Active Directory. For example, on a domain 
controller when I look at entries of the AD I don't see these attributes

> PS C:\Users\rootifr> Get-ADUser grocher
> 
> DistinguishedName : CN=grocher,CN=Users,DC=ifremer,DC=fr
> Enabled           : True
> GivenName         : 
> Name              : grocher
> ObjectClass       : user
> ObjectGUID        : 7c29e837-e6b0-4228-b4a6-5f9d40f9fbe9
> SamAccountName    : grocher
> SID               : S-1-5-21-500109986-1412980772-1848903544-1752
> Surname           : 
> UserPrincipalName : 
> 
> PS C:\Users\rootifr> Get-ADGroup ditiric
> 
> DistinguishedName : CN=ditiric,CN=Users,DC=ifremer,DC=fr
> GroupCategory     : Security
> GroupScope        : Global
> Name              : ditiric
> ObjectClass       : group
> ObjectGUID        : a37a82ac-f190-463a-a251-c639f9d36a33
> SamAccountName    : ditiric
> SID               : S-1-5-21-500109986-1412980772-1848903544-1375


So in smb.conf I defined these parameters (uids for our NIS users go 
from 10000 to infinity)
> idmap config * : backend = tdb
> idmap config * : range = 0-999
> idmap config IFR : backend = rid
> idmap config IFR : range = 10000-5000000

I verified the SIDs calculated by this config and this seems coherent: 
both NIS users and domain users have the same SID, and it's also the same 
one that the AD Domain Controller shows
> root at vans-d10-cl:~# wbinfo --name-to-sid=grocher
> S-1-5-21-500109986-1412980772-1848903544-1752 SID_USER (1)
> root at vans-d10-cl:~# wbinfo --name-to-sid=IFR\\grocher
> S-1-5-21-500109986-1412980772-1848903544-1752 SID_USER (1)

If I verify the groups of a SID it seems coherent too
> root at vans-d10-cl:~# wbinfo --user-sids=S-1-5-21-500109986-1412980772-1848903544-1752
> S-1-5-21-500109986-1412980772-1848903544-1752
> S-1-5-21-500109986-1412980772-1848903544-513
> S-1-5-21-500109986-1412980772-1848903544-3215561
> S-1-5-21-500109986-1412980772-1848903544-1632
> S-1-5-21-500109986-1412980772-1848903544-3206726
> S-1-5-21-500109986-1412980772-1848903544-1375

The SID S-1-5-21-500109986-1412980772-1848903544-1375 is both seen among my 
SIDs and is the SID of the group
> root at vans-d10-cl:~# wbinfo --name-to-sid=ditiric
> S-1-5-21-500109986-1412980772-1848903544-1375 SID_DOM_GROUP (2)
> root at vans-d10-cl:~# wbinfo --name-to-sid=IFR\\ditiric
> S-1-5-21-500109986-1412980772-1848903544-1375 SID_DOM_GROUP (2)



Finally, Kerberos.
I had installed the packages and configured it
> root at vans-d10-cl:~# head /etc/krb5.conf 
> [libdefaults]
> 	default_realm = IFREMER.FR
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = true

Ticket list before auth
> root at vans-d10-cl:~# klist 
> klist: No credentials cache found (filename: /tmp/krb5cc_0)

Auth with a deliberately bad password: incorrect
> root at vans-d10-cl:~# kinit grocher
> Password for grocher at IFREMER.FR: 
> kinit: Password incorrect while getting initial credentials

Auth with a good password succeeded
> root at vans-d10-cl:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: grocher at IFREMER.FR
> 
> Valid starting       Expires              Service principal
> 18/11/2020 07:18:21  18/11/2020 17:18:21  krbtgt/IFREMER.FR at IFREMER.FR
> 	renew until 19/11/2020 07:18:15

Are my id mappings incorrect?
What can I test to debug this configuration?

Thanks in advance

Here is the complete smb.conf returned by testparm
> root at vans-d10-cl:~# testparm -s
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[homes]"
> Processing section "[testsamba]"
> Processing section "[fakedrhrrh]"
> Processing section "[q]"
> Processing section "[winnt]"
> Loaded services file OK.
> Invalid combination of parameters for service testsamba. Level II oplocks can only be set if oplocks are also set.
> 
> Invalid combination of parameters for service fakedrhrrh. Level II oplocks can only be set if oplocks are also set.
> 
> Invalid combination of parameters for service q. Level II oplocks can only be set if oplocks are also set.
> 
> Invalid combination of parameters for service winnt. Level II oplocks can only be set if oplocks are also set.
> 
> Server role: ROLE_DOMAIN_MEMBER
> 
> # Global parameters
> [global]
> 	deadtime = 15
> 	dedicated keytab file = /etc/krb5.keytab
> 	kerberos method = secrets and keytab
> 	preferred master = No
> 	realm = IFREMER.FR
> 	security = ADS
> 	server string = Linux
> 	unix extensions = No
> 	wins server = 134.246.155.180
> 	workgroup = IFR
> 	idmap config ifr : range = 10000-5000000
> 	idmap config ifr : backend = rid
> 	idmap config * : range = 0-999
> 	idmap config * : backend = tdb
> 	create mask = 0700
> 	directory mask = 0700
> 	follow symlinks = No
> 	hosts allow = 134.246.
> 	include = /usr/local/samba/etc/smb.conf.global.vans-d10-cl
> 	invalid users = root smtp bin sys mail daemon adm lp uucp nuucp listen noaccess
> 	map archive = No
> 	oplocks = No
> 	print command = lpr -s -r -P %p %s
> 	printing = bsd
> 
> 
> [homes]
> 	browseable = No
> 	create mask = 0750
> 	directory mask = 0750
> 	include = /usr/local/samba/etc/smb.conf.vans-d10-cl
> 	oplocks = Yes
> 	path = %H
> 	read only = No
> 
> 
> [testsamba]
> 	browseable = No
> 	create mask = 0770
> 	directory mask = 0770
> 	force group = ditiric
> 	path = /export/home/testsamba
> 	read only = No
> 	valid users = @ditiric
> 
> 
> [fakedrhrrh]
> 	browseable = No
> 	create mask = 0770
> 	directory mask = 0770
> 	force group = drhrrh
> 	path = /export/home/fakedrhrrh
> 	read only = No
> 	valid users = @drhrrh
> 
> 
> [q]
> 	comment = Disque personnel de %u
> 	create mask = 0750
> 	directory mask = 0750
> 	path = %H
> 	read only = No
> 
> 
> [winnt]
> 	browseable = No
> 	comment = Repertoire pour logon winnt
> 	create mask = 0555
> 	directory mask = 0555
> 	path = /home/spool/winnt
> 	preexec = /home/services/systeme/winnt/bin/winnt.pl %u %g %H %M %m

-- 
Grégory Rocher
02 29 00 85 79 (8579)
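Added worked check (not part of the post or of Samba): the idmap_rid arithmetic applied to the domain SID, the `range = 10000-5000000` setting and the NIS ID floor of 10000 stated above. The mapping formula is the one documented for Samba's rid backend (ID = RID - BASE_RID + LOW_RANGE_ID); the expected IDs 11752, 10513 and 11375 are the ones the post's `getent` output shows. `colliding_rid` is a hypothetical inverse helper, not a Samba function.

```python
"""Check of the 'idmap config IFR : backend = rid' arithmetic from the post."""
import re

# Values taken from the post: domain SID, rid range, and the NIS ID floor.
DOMAIN_SID = "S-1-5-21-500109986-1412980772-1848903544"
LOW_RANGE_ID, HIGH_RANGE_ID = 10000, 5000000   # idmap config IFR : range
BASE_RID = 0                                   # idmap_rid default
NIS_LOW = 10000                                # "uids for our NIS users go from 10000"

_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid); raise ValueError for a malformed SID."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    return m.group(1), int(m.group(2))


def rid_to_unix_id(sid):
    """Map a SID to a Unix ID as idmap_rid does: ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None for SIDs of another domain or IDs outside the configured
    range, the cases where winbind reports no mapping.
    """
    domain, rid = split_sid(sid)
    if domain != DOMAIN_SID:
        return None
    unix_id = rid - BASE_RID + LOW_RANGE_ID
    if not LOW_RANGE_ID <= unix_id <= HIGH_RANGE_ID:
        return None
    return unix_id


def colliding_rid(local_id):
    """Hypothetical inverse helper (not a Samba function): the domain RID that
    would map onto an existing local (NIS) ID, or None if it is outside the range."""
    if not LOW_RANGE_ID <= local_id <= HIGH_RANGE_ID:
        return None
    return local_id - LOW_RANGE_ID + BASE_RID


if __name__ == "__main__":
    for name, rid in [("grocher", 1752), ("Domain Users", 513), ("ditiric", 1375)]:
        print(name, "->", rid_to_unix_id("%s-%d" % (DOMAIN_SID, rid)))
    # The rid range starts where the NIS range starts, so every NIS ID >= 10000
    # shares its number with some domain RID, e.g. NIS gid 10022 (ditiric).
    print("NIS gid 10022 would collide with domain RID", colliding_rid(10022))
```

Because both ranges start at 10000, a domain RID and a NIS account can resolve to the same numeric ID; keeping the rid range disjoint from the local ID range avoids that ambiguity.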


