[Samba] samba / debian 10 / security=ads
Gregory ROCHER
Gregory.Rocher at ifremer.fr
Wed Nov 18 10:42:48 UTC 2020
Hi all
I'm looking for some help on winbind/idmap for a new host
The debian version is new on this host : debian 10 buster so samba is
> root at homedir10:~# samba --version
> Version 4.9.5-Debian
We want to use security=ads so we join this host to the domain
No problem for windows clients : they can mount shares that are
accessible to their primary unix group and secondary unix group(s)
But we have a problem with linux clients: smbclient refuses to access the
shares
> [grocher: ~ ] 130 $ smbclient //homedir10/ditiric -U IFR\\grocher
> WARNING: The "syslog" option is deprecated
> Enter IFR\grocher's password:
> session setup failed: NT_STATUS_NO_LOGON_SERVERS
On this host the smb.conf was copied from previous host debian 9 / samba
4.5.16-Debian and the winbind package was not installed.
On debian9 / samba 4.5.16 both clients work without winbind and idmap
parameters in smb.conf
So I begin to study
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
On a devhost, I installed missing packages
https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Debian
in particular winbind, libnss-winbind, libpam-winbind
with this config none of the clients could access the shares
Some diagnostics I could perform
winbind seems working and samba can access to the service
> root at vans-d10-cl:~# wbinfo -p
> Ping to winbindd succeeded
AD domain parameters seem correct and the host seems to have correctly
joined the domain (our domain is IFR)
> root at vans-d10-cl:~# wbinfo --domain-info=IFR
> Name : IFR
> Alt_Name : ifremer.fr
> SID : S-1-5-21-500109986-1412980772-1848903544
> Active Directory : Yes
> Native : Yes
> Primary : Yes
We can ping Domain Controllers
> root at vans-d10-cl:~# wbinfo --getdcname=IFR
> VDC2016
> root at vans-d10-cl:~# wbinfo --ping-dc
> checking the NETLOGON for domain[IFR] dc connection to "vdc2016.ifremer.fr" succeeded
Users and groups of the domain are seen by samba
> root at vans-d10-cl:~# wbinfo --domain-users | head
> IFR\peronm
> IFR\pgermane
> IFR\galviset
> IFR\cbontemp
> IFR\ldecubbe
> IFR\mmeloni
> IFR\ssaunier
> IFR\gkorchag
> IFR\clemeu
> IFR\tlebreto
> root at vans-d10-cl:~# wbinfo --domain-groups | head
> IFR\administrateurs du schéma
> IFR\administrateurs de l'entreprise
> IFR\contrôleurs de domaine d’entreprise en lecture seule
> IFR\exchangelegacyinterop
> IFR\exchange windows permissions
> IFR\managed availability servers
> IFR\exchange trusted subsystem
> IFR\exchange servers
> IFR\compliance management
> IFR\hygiene management
> root at vans-d10-cl:~# wbinfo --domain-groups | tail
> IFR\sgc
> IFR\hdfstest
> IFR\ofseair
> IFR\rhldcm
> IFR\gcelimer
> IFR\gpacl
> IFR\metocean
> IFR\drhdajf
> IFR\grotor
> IFR\workflowums
In /etc/nsswitch.conf I have added winbind as source for passwd and group
> root at vans-d10-cl:~# grep winbind /etc/nsswitch.conf
> passwd: files winbind nis compat
> group: files winbind nis compat
And the host seems to have correct information on both nis and domain
users and groups
> root at vans-d10-cl:~# getent passwd grocher
> grocher:$1$[password hash redacted]:21826:10022:Gregory ROCHER, Ifremer Brest PDG-IRSI-RIC, 02 29 00 85 79:/home1/homedir1/perso/grocher:/bin/csh
> root at vans-d10-cl:~# getent passwd IFR\\grocher
> IFR\grocher:*:11752:10513:Gregory ROCHER, Ifremer Brest PDG-IRSI-RIC, 02 2:/home/IFR/grocher:/bin/false
> root at vans-d10-cl:~# getent group ditiric
> ditiric:x:10022:ricdba,ricora,bmilo,tina,cotty,gmaudire,dcroizef,clebris,fguesnon
> root at vans-d10-cl:~# getent group IFR\\ditiric
> IFR\ditiric:x:11375:
For id mapping I have studied the three backends mentioned in
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Choose_backend_for_id_mapping_in_winbindd
I don't think we can use the ad backend because of the lack of uidNumber
and gidNumber in our Active Directory. For example on a domain
controller when I study entries of the AD I don't see these attributes
> PS C:\Users\rootifr> Get-ADUser grocher
>
> DistinguishedName : CN=grocher,CN=Users,DC=ifremer,DC=fr
> Enabled : True
> GivenName :
> Name : grocher
> ObjectClass : user
> ObjectGUID : 7c29e837-e6b0-4228-b4a6-5f9d40f9fbe9
> SamAccountName : grocher
> SID : S-1-5-21-500109986-1412980772-1848903544-1752
> Surname :
> UserPrincipalName :
>
> PS C:\Users\rootifr> Get-ADGroup ditiric
>
> DistinguishedName : CN=ditiric,CN=Users,DC=ifremer,DC=fr
> GroupCategory : Security
> GroupScope : Global
> Name : ditiric
> ObjectClass : group
> ObjectGUID : a37a82ac-f190-463a-a251-c639f9d36a33
> SamAccountName : ditiric
> SID : S-1-5-21-500109986-1412980772-1848903544-1375
So in smb.conf I defined these parameters (uids for our nis users go
from 10000 to infinity)
> idmap config * : backend = tdb
> idmap config * : range = 0-999
> idmap config IFR : backend = rid
> idmap config IFR : range = 10000-5000000
I verified SIDs calculated by this config and this seems coherent:
both nis users and domain users have the same SID and it's also the same
that the AD Domain Controller shows
> root at vans-d10-cl:~# wbinfo --name-to-sid=grocher
> S-1-5-21-500109986-1412980772-1848903544-1752 SID_USER (1)
> root at vans-d10-cl:~# wbinfo --name-to-sid=IFR\\grocher
> S-1-5-21-500109986-1412980772-1848903544-1752 SID_USER (1)
If I verify the groups of a SID it seems coherent too
> root at vans-d10-cl:~# wbinfo --user-sids=S-1-5-21-500109986-1412980772-1848903544-1752
> S-1-5-21-500109986-1412980772-1848903544-1752
> S-1-5-21-500109986-1412980772-1848903544-513
> S-1-5-21-500109986-1412980772-1848903544-3215561
> S-1-5-21-500109986-1412980772-1848903544-1632
> S-1-5-21-500109986-1412980772-1848903544-3206726
> S-1-5-21-500109986-1412980772-1848903544-1375
The S-1-5-21-500109986-1412980772-1848903544-1375 is seen both in my
user's SIDs and it's the SID of the group
> root at vans-d10-cl:~# wbinfo --name-to-sid=ditiric
> S-1-5-21-500109986-1412980772-1848903544-1375 SID_DOM_GROUP (2)
> root at vans-d10-cl:~# wbinfo --name-to-sid=IFR\\ditiric
> S-1-5-21-500109986-1412980772-1848903544-1375 SID_DOM_GROUP (2)
Finally kerberos
I had installed packages and configured
> root at vans-d10-cl:~# head /etc/krb5.conf
> [libdefaults]
> default_realm = IFREMER.FR
> dns_lookup_realm = false
> dns_lookup_kdc = true
Ticket list before auth
> root at vans-d10-cl:~# klist
> klist: No credentials cache found (filename: /tmp/krb5cc_0)
Auth with a voluntarily bad password: incorrect
> root at vans-d10-cl:~# kinit grocher
> Password for grocher at IFREMER.FR:
> kinit: Password incorrect while getting initial credentials
Auth with a good password succeeded
> root at vans-d10-cl:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: grocher at IFREMER.FR
>
> Valid starting Expires Service principal
> 18/11/2020 07:18:21 18/11/2020 17:18:21 krbtgt/IFREMER.FR at IFREMER.FR
> renew until 19/11/2020 07:18:15
Are my id mappings incorrect?
What can I test to debug this configuration?
Thanks in advance
Here is the complete smb.conf returned by testparm
> root at vans-d10-cl:~# testparm -s
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[homes]"
> Processing section "[testsamba]"
> Processing section "[fakedrhrrh]"
> Processing section "[q]"
> Processing section "[winnt]"
> Loaded services file OK.
> Invalid combination of parameters for service testsamba. Level II oplocks can only be set if oplocks are also set.
>
> Invalid combination of parameters for service fakedrhrrh. Level II oplocks can only be set if oplocks are also set.
>
> Invalid combination of parameters for service q. Level II oplocks can only be set if oplocks are also set.
>
> Invalid combination of parameters for service winnt. Level II oplocks can only be set if oplocks are also set.
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
> deadtime = 15
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> preferred master = No
> realm = IFREMER.FR
> security = ADS
> server string = Linux
> unix extensions = No
> wins server = 134.246.155.180
> workgroup = IFR
> idmap config ifr : range = 10000-5000000
> idmap config ifr : backend = rid
> idmap config * : range = 0-999
> idmap config * : backend = tdb
> create mask = 0700
> directory mask = 0700
> follow symlinks = No
> hosts allow = 134.246.
> include = /usr/local/samba/etc/smb.conf.global.vans-d10-cl
> invalid users = root smtp bin sys mail daemon adm lp uucp nuucp listen noaccess
> map archive = No
> oplocks = No
> print command = lpr -s -r -P %p %s
> printing = bsd
>
>
> [homes]
> browseable = No
> create mask = 0750
> directory mask = 0750
> include = /usr/local/samba/etc/smb.conf.vans-d10-cl
> oplocks = Yes
> path = %H
> read only = No
>
>
> [testsamba]
> browseable = No
> create mask = 0770
> directory mask = 0770
> force group = ditiric
> path = /export/home/testsamba
> read only = No
> valid users = @ditiric
>
>
> [fakedrhrrh]
> browseable = No
> create mask = 0770
> directory mask = 0770
> force group = drhrrh
> path = /export/home/fakedrhrrh
> read only = No
> valid users = @drhrrh
>
>
> [q]
> comment = Disque personnel de %u
> create mask = 0750
> directory mask = 0750
> path = %H
> read only = No
>
>
> [winnt]
> browseable = No
> comment = Repertoire pour logon winnt
> create mask = 0555
> directory mask = 0555
> path = /home/spool/winnt
> preexec = /home/services/systeme/winnt/bin/winnt.pl %u %g %H %M %m
--
Grégory Rocher
02 29 00 85 79 (8579)
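Added example (not from the post and not Samba code): a small script that reproduces the idmap_rid arithmetic Samba applies with the `idmap config IFR : backend = rid` lines quoted above and checks the configured ranges for collisions. With the post's own values, RID 1752 maps to uid 11752 and RID 1375 to gid 11375, which is exactly what `getent passwd IFR\\grocher` and `getent group IFR\\ditiric` printed, and the check reports that the IFR range 10000-5000000 overlaps the NIS uid space that the post says starts at 10000. The idmap lines, domain SID and RIDs are copied from the post; the upper bound of the NIS range is an assumed placeholder, since the post only says it is unbounded.

```python
"""Added example (not from the post or from Samba): reproduce the idmap_rid
arithmetic and check the configured idmap ranges for overlaps."""
import re
from itertools import combinations

# Samba's idmap_rid backend maps a SID to a unix ID without any AD attribute:
#     unix_id = RID - base_rid + range_low      (base_rid defaults to 0)
# and refuses any SID whose result falls outside [range_low, range_high].

# Constructed from the idmap lines in the testparm output quoted in the post.
SMB_CONF_GLOBAL = """
idmap config ifr : range = 10000-5000000
idmap config ifr : backend = rid
idmap config * : range = 0-999
idmap config * : backend = tdb
"""

# Domain SID as printed by wbinfo in the post.
DOMAIN_SID = "S-1-5-21-500109986-1412980772-1848903544"

# The post says NIS uids start at 10000 with no upper bound; the upper bound
# used here is an assumed placeholder standing in for "infinite".
NIS_ID_RANGE = (10000, 2**31 - 1)

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap_config(text):
    """Return {domain (lower-case): {"backend": ..., "range": (low, high), ...}}."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).lower(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        elif key == "base_rid":
            entry["base_rid"] = int(val)
        else:
            entry[key] = val.lower()
    return cfg


def rid_to_unix_id(sid, cfg, domain):
    """Apply the idmap_rid formula; None means winbind would refuse the SID."""
    entry = cfg[domain.lower()]
    if entry.get("backend") != "rid":
        raise ValueError(f"domain {domain} does not use the rid backend")
    low, high = entry["range"]
    rid = int(sid.rsplit("-", 1)[1])
    unix_id = rid - entry.get("base_rid", 0) + low
    return unix_id if low <= unix_id <= high else None


def ranges_overlap(a, b):
    """True when the inclusive ranges a=(lo, hi) and b=(lo, hi) share an ID."""
    return a[0] <= b[1] and b[0] <= a[1]


def find_idmap_overlaps(cfg):
    """Pairs of idmap domains whose ranges collide (Samba requires disjoint ranges)."""
    return [
        (x, y)
        for x, y in combinations(sorted(cfg), 2)
        if ranges_overlap(cfg[x]["range"], cfg[y]["range"])
    ]


def find_local_overlaps(cfg, local_range):
    """Idmap domains whose range collides with IDs already used locally (files/NIS)."""
    return [d for d in sorted(cfg) if ranges_overlap(cfg[d]["range"], local_range)]


if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF_GLOBAL)
    for name, rid in (("IFR\\grocher", 1752), ("IFR\\ditiric", 1375)):
        print(name, "->", rid_to_unix_id(f"{DOMAIN_SID}-{rid}", cfg, "IFR"))
    print("idmap ranges colliding with each other:", find_idmap_overlaps(cfg))
    print("idmap ranges colliding with NIS ids:", find_local_overlaps(cfg, NIS_ID_RANGE))
```

The two checks are worth running whenever a rid range is chosen next to an existing uid/gid space: winbind allocates IDs purely by arithmetic, so any local or NIS account whose uid falls inside the rid range will share that number with whatever domain SID happens to map there.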