[Samba] samba / debian 10 / security=ads
Rowland penny
rpenny at samba.org
Wed Nov 18 11:46:29 UTC 2020
On 18/11/2020 10:42, Gregory ROCHER via samba wrote:
> Hi all
>
> I'm looking for some help on winbind/idmap for a new host
>
>
> We want to use security=ads so we join this host to the domain
> No problem for Windows clients: they can mount shares that are
> accessible to their primary unix group and secondary unix group(s)
You are using AD now, so the primary group for all your users will be
Domain Users
>
> But we have a problem with Linux clients: smbclient refuses to access
> the shares
>> [grocher: ~ ] 130 $ smbclient //homedir10/ditiric -U IFR\\grocher
>> WARNING: The "syslog" option is deprecated
>> Enter IFR\grocher's password: session setup failed:
>> NT_STATUS_NO_LOGON_SERVERS
Are the Unix clients joined to the domain and do they use a DC as their
first nameserver?
>
> On this host the smb.conf was copied from previous host debian 9 /
> samba 4.5.16-Debian and the winbind package was not installed.
> On debian9 / samba 4.5.16 both clients work without winbind and idmap
> parameters in smb.conf
In which case it sounds like you were using something like sssd or
nslcd, have you removed whatever you were using?
>
> So I begin to study
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> On a devhost, I installed the missing packages
> https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Debian
> in particular winbind, libnss-winbind, libpam-winbind
Add libpam-krb5 if you haven't already installed it.
>
> with this config none of the clients could access the shares
Strange, the rid backend is the easiest to set up.
>
> In /etc/nsswitch.conf I have added winbind as source for passwd and group
>> root at vans-d10-cl:~# grep winbind /etc/nsswitch.conf
>> passwd: files winbind nis compat
>> group: files winbind nis compat
I would remove 'nis' and 'compat', you do not need them.
>
> And the host seems to have correct information on both nis and domain
> users and groups
>
>> root at vans-d10-cl:~# getent passwd grocher
>> grocher:$1$[password hash redacted]:21826:10022:Gregory ROCHER,
>> Ifremer Brest PDG-IRSI-RIC, 02 29 00 85
>> 79:/home1/homedir1/perso/grocher:/bin/csh
>> root at vans-d10-cl:~# getent passwd IFR\\grocher
>> IFR\grocher:*:11752:10513:Gregory ROCHER, Ifremer Brest PDG-IRSI-RIC,
>> 02 2:/home/IFR/grocher:/bin/false
Why do you have a schizophrenic user?
Do you by any chance have NIS setup ?
If you do have NIS set up, then remove it, you do not need it.
>> root at vans-d10-cl:~# getent group ditiric
>> ditiric:x:10022:ricdba,ricora,bmilo,tina,cotty,gmaudire,dcroizef,clebris,fguesnon
>>
>> root at vans-d10-cl:~# getent group IFR\\ditiric
>> IFR\ditiric:x:11375:
>
> For id mapping I have studied the three backends mentioned in
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Choose_backend_for_id_mapping_in_winbindd
>
>
> I don't think we can use the ad backend because of the lack of
> uidNumber and gidNumber in our Active Directory. For example on a
> domain controller when I study entries of the AD I don't see these
> attributes
Correct, if you do not have uidNumber & gidNumber attributes in AD, you
cannot use the 'ad' backend.
>
>
> So in smb.conf I defined these parameters (uid for our nis users goes
> from 10000 to the infinite)
>> idmap config * : backend = tdb
>> idmap config * : range = 0-999
You didn't read the wiki page correctly, '0-999' is reserved for the Unix
system users & groups, so change it to '3000-7999' as shown on the wiki page.
>> idmap config IFR : backend = rid
>> idmap config IFR : range = 10000-5000000
>
>
>
> Here are the complete smb.conf returned by testparm
>> root at vans-d10-cl:~# testparm -s
>>
>> Loaded services file OK.
>> Invalid combination of parameters for service testsamba. Level II
>> oplocks can only be set if oplocks are also set.
>>
>> Invalid combination of parameters for service fakedrhrrh. Level II
>> oplocks can only be set if oplocks are also set.
>>
>> Invalid combination of parameters for service q. Level II oplocks can
>> only be set if oplocks are also set.
>>
>> Invalid combination of parameters for service winnt. Level II oplocks
>> can only be set if oplocks are also set.
You have one error (multiple times)
>>
>> Server role: ROLE_DOMAIN_MEMBER
>>
>> # Global parameters
>> [global]
>> deadtime = 15
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> preferred master = No
>> realm = IFREMER.FR
>> security = ADS
>> server string = Linux
>> unix extensions = No
>> wins server = 134.246.155.180
Remove the 'wins server' line, it is not required in AD, you use DNS.
>> workgroup = IFR
>> idmap config ifr : range = 10000-5000000
>> idmap config ifr : backend = rid
>> idmap config * : range = 0-999
>> idmap config * : backend = tdb
>> create mask = 0700
>> directory mask = 0700
>> follow symlinks = No
>> hosts allow = 134.246.
>> include = /usr/local/samba/etc/smb.conf.global.vans-d10-cl
What is in the 'include' file ?
>>
>> invalid users = root smtp bin sys mail daemon adm lp uucp nuucp
>> listen noaccess
Better to set ACLs on the shares instead of using 'invalid users'.
>> map archive = No
>> oplocks = No
>> print command = lpr -s -r -P %p %s
>> printing = bsd
>>
>>
>> [homes]
>> browseable = No
>> create mask = 0750
>> directory mask = 0750
>> include = /usr/local/samba/etc/smb.conf.vans-d10-cl
Again, what is in the 'include' file ?
>> oplocks = Yes
>> path = %H
>> read only = No
>>
>>
>> [testsamba]
>> browseable = No
>> create mask = 0770
>> directory mask = 0770
>> force group = ditiric
>> path = /export/home/testsamba
>> read only = No
>> valid users = @ditiric
>>
>>
>> [fakedrhrrh]
>> browseable = No
>> create mask = 0770
>> directory mask = 0770
>> force group = drhrrh
>> path = /export/home/fakedrhrrh
Sharing an NFS share by CIFS isn't a good idea.
>> read only = No
>> valid users = @drhrrh
>>
>>
>> [q]
>> comment = Disque personnel de %u
>> create mask = 0750
>> directory mask = 0750
>> path = %H
>> read only = No
>>
>>
>> [winnt]
>> browseable = No
>> comment = Repertoire pour logon winnt
>> create mask = 0555
>> directory mask = 0555
>> path = /home/spool/winnt
>> preexec = /home/services/systeme/winnt/bin/winnt.pl %u %g %H %M %m
>
Is the 'winnt' share meant for netlogon scripts ?
Rowland
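As an added example (not from this thread or from Samba itself), a small checker for the two idmap mistakes Rowland points out: a default '*' range that lands in the 0-999 system range, and files/NIS accounts (such as the NIS user grocher, uid 21826) whose uids fall inside a winbind range and so produce the "schizophrenic user" seen in getent. It also flags overlapping domain ranges and a missing '*' domain; the sample smb.conf and passwd lines are constructed from the values quoted in the thread.

```python
import re

# Matches e.g. "idmap config IFR : range = 10000-5000000"; domain names compare case-insensitively.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)
SYSTEM_ID_MAX = 999  # 0-999 is reserved for local Unix system users and groups

def check_idmap(smb_conf, passwd):
    """Return a list of problems with the idmap layout; an empty list means it is sane."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    problems = []
    if "*" not in cfg:
        problems.append("no 'idmap config *' default domain (needed for BUILTIN and trusted domains)")
    ranges = {}
    for dom, keys in cfg.items():
        if "backend" not in keys or "range" not in keys:
            problems.append(f"{dom}: both 'backend' and 'range' must be set")
            continue
        lo, hi = (int(x) for x in keys["range"].split("-"))
        ranges[dom] = (lo, hi)
        if lo <= SYSTEM_ID_MAX:
            problems.append(f"{dom}: range {lo}-{hi} overlaps IDs 0-{SYSTEM_ID_MAX} reserved for system accounts")
    doms = sorted(ranges)
    for i, a in enumerate(doms):  # every pair of idmap domains must use disjoint ranges
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"{a} and {b}: ranges overlap")
    for entry in passwd.splitlines():  # a files/NIS account inside a winbind range collides with it
        f = entry.split(":")
        if len(f) >= 4 and f[2].isdigit():
            for dom, (lo, hi) in ranges.items():
                if lo <= int(f[2]) <= hi:
                    problems.append(f"local user {f[0]} (uid {f[2]}) lies inside {dom} range {lo}-{hi}")
    return problems

# Constructed sample: the thread's idmap lines and its NIS user grocher (uid 21826 from getent).
ORIGINAL_CONF = ("idmap config * : backend = tdb\nidmap config * : range = 0-999\n"
                 "idmap config IFR : backend = rid\nidmap config IFR : range = 10000-5000000\n")
FIXED_CONF = ORIGINAL_CONF.replace("range = 0-999", "range = 3000-7999")
NIS_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
              "grocher:x:21826:10022:Gregory ROCHER:/home1/homedir1/perso/grocher:/bin/csh\n")
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"

if __name__ == "__main__":
    for p in check_idmap(ORIGINAL_CONF, NIS_PASSWD):
        print("PROBLEM:", p)
    print("fixed config with NIS removed:", check_idmap(FIXED_CONF, LOCAL_PASSWD) or "OK")
```

On a real member server, feed it the output of `testparm -s` and `getent passwd` (with winbind temporarily removed from nsswitch.conf) to see the same collisions.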