[Samba] samba / debian 10 / security=ads

Rowland penny rpenny at samba.org
Wed Nov 18 11:46:29 UTC 2020


On 18/11/2020 10:42, Gregory ROCHER via samba wrote:
> Hi all
>
> I'm looking for some help on winbind/idmap for a new host
>
>
> We want to use security=ads so we join this host to the domain
> No problem for Windows clients: they can mount shares that are 
> accessible to their primary unix group and secondary unix group(s)
You are using AD now, so the primary group for all your users will be 
Domain Users
>
> But we have a problem with Linux clients: smbclient refuses to access 
> the shares
>> [grocher: ~ ] 130 $ smbclient //homedir10/ditiric -U IFR\\grocher
>> WARNING: The "syslog" option is deprecated
>> Enter IFR\grocher's password: session setup failed: 
>> NT_STATUS_NO_LOGON_SERVERS
Are the Unix clients joined to the domain and do they use a DC as their 
first nameserver?
>
> On this host the smb.conf was copied from the previous host (Debian 9 / 
> samba 4.5.16-Debian) and the winbind package was not installed.
> On Debian 9 / samba 4.5.16 both clients work without winbind and idmap 
> parameters in smb.conf
In which case it sounds like you were using something like sssd or 
nslcd; have you removed whatever you were using?
>
> So I begin to study
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> On a dev host, I installed the missing packages 
> https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Debian
> in particular winbind, libnss-winbind, libpam-winbind
Add libpam-krb5 if you haven't already installed it.
>
> With this config none of the clients could access the shares
Strange, the rid backend is the easiest to set up.
>
> In /etc/nsswitch.conf I have added winbind as a source for passwd and group
>> root at vans-d10-cl:~# grep winbind /etc/nsswitch.conf
>> passwd:         files winbind nis compat
>> group:          files winbind nis compat
I would remove 'nis' and 'compat', you do not need them.
>
> And the host seems to have correct information on both NIS and domain 
> users and groups
>
>> root at vans-d10-cl:~# getent passwd grocher
>> grocher:$1$[password hash redacted]:21826:10022:Gregory ROCHER, 
>> Ifremer Brest PDG-IRSI-RIC, 02 29 00 85 
>> 79:/home1/homedir1/perso/grocher:/bin/csh
>> root at vans-d10-cl:~# getent passwd IFR\\grocher
>> IFR\grocher:*:11752:10513:Gregory ROCHER, Ifremer Brest PDG-IRSI-RIC, 
>> 02 2:/home/IFR/grocher:/bin/false

Why do you have a schizophrenic user?

Do you by any chance have NIS set up?

If you do have NIS set up, then remove it, you do not need it.

>> root at vans-d10-cl:~# getent group ditiric
>> ditiric:x:10022:ricdba,ricora,bmilo,tina,cotty,gmaudire,dcroizef,clebris,fguesnon 
>>
>> root at vans-d10-cl:~# getent group IFR\\ditiric
>> IFR\ditiric:x:11375:
>
> For id mapping I have studied the three backends mentioned in
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Choose_backend_for_id_mapping_in_winbindd
>
>
> I don't think we can use the ad backend because of the lack of 
> uidNumber and gidNumber in our Active Directory. For example on a 
> domain controller when I study entries of the AD I don't see these 
> attributes
Correct, if you do not have uidNumber & gidNumber attributes in AD, you 
cannot use the 'ad' backend.
>
>
> So in smb.conf I defined these parameters (UIDs for our NIS users go 
> from 10000 to infinity)
>> idmap config * : backend = tdb
>> idmap config * : range = 0-999
You didn't read the wiki page correctly: '0-999' is reserved for the Unix 
system users & groups, so change it to '3000-7999' as shown on the wiki page.
>> idmap config IFR : backend = rid
>> idmap config IFR : range = 10000-5000000
>
>
>
> Here is the complete smb.conf returned by testparm
>> root at vans-d10-cl:~# testparm -s
>>
>> Loaded services file OK.
>> Invalid combination of parameters for service testsamba. Level II 
>> oplocks can only be set if oplocks are also set.
>>
>> Invalid combination of parameters for service fakedrhrrh. Level II 
>> oplocks can only be set if oplocks are also set.
>>
>> Invalid combination of parameters for service q. Level II oplocks can 
>> only be set if oplocks are also set.
>>
>> Invalid combination of parameters for service winnt. Level II oplocks 
>> can only be set if oplocks are also set.
You have one error (multiple times)
>>
>> Server role: ROLE_DOMAIN_MEMBER
>>
>> # Global parameters
>> [global]
>>     deadtime = 15
>>     dedicated keytab file = /etc/krb5.keytab
>>     kerberos method = secrets and keytab
>>     preferred master = No
>>     realm = IFREMER.FR
>>     security = ADS
>>     server string = Linux
>>     unix extensions = No
>>     wins server = 134.246.155.180
Remove the 'wins server' line; it is not required in AD, you use DNS.
>>     workgroup = IFR
>>     idmap config ifr : range = 10000-5000000
>>     idmap config ifr : backend = rid
>>     idmap config * : range = 0-999
>>     idmap config * : backend = tdb
>>     create mask = 0700
>>     directory mask = 0700
>>     follow symlinks = No
>>     hosts allow = 134.246.
>>     include = /usr/local/samba/etc/smb.conf.global.vans-d10-cl
What is in the 'include' file ?
>>
>>     invalid users = root smtp bin sys mail daemon adm lp uucp nuucp 
>> listen noaccess
Better to set ACLs on the shares instead of using 'invalid users'.
>>     map archive = No
>>     oplocks = No
>>     print command = lpr -s -r -P %p %s
>>     printing = bsd
>>
>>
>> [homes]
>>     browseable = No
>>     create mask = 0750
>>     directory mask = 0750
>>     include = /usr/local/samba/etc/smb.conf.vans-d10-cl
Again, what is in the 'include' file ?
>>     oplocks = Yes
>>     path = %H
>>     read only = No
>>
>>
>> [testsamba]
>>     browseable = No
>>     create mask = 0770
>>     directory mask = 0770
>>     force group = ditiric
>>     path = /export/home/testsamba
>>     read only = No
>>     valid users = @ditiric
>>
>>
>> [fakedrhrrh]
>>     browseable = No
>>     create mask = 0770
>>     directory mask = 0770
>>     force group = drhrrh
>>     path = /export/home/fakedrhrrh
Sharing an NFS share by CIFS isn't a good idea.
>>     read only = No
>>     valid users = @drhrrh
>>
>>
>> [q]
>>     comment = Disque personnel de %u
>>     create mask = 0750
>>     directory mask = 0750
>>     path = %H
>>     read only = No
>>
>>
>> [winnt]
>>     browseable = No
>>     comment = Repertoire pour logon winnt
>>     create mask = 0555
>>     directory mask = 0555
>>     path = /home/spool/winnt
>>     preexec = /home/services/systeme/winnt/bin/winnt.pl %u %g %H %M %m
>
Is the 'winnt' share meant for netlogon scripts ?

Rowland
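The thread's idmap points (the '*' default range must stay clear of the 0-999 system IDs, the rid range must not collide with other ID sources, and idmap_rid computes ID = RID + low end of the domain range) can be checked mechanically before winbind is started. The script below is an added example, not the poster's configuration nor Samba code: it parses the `idmap config` lines out of an smb.conf, flags the overlaps discussed above, and applies the documented idmap_rid formula. The sample smb.conf text is constructed from the values quoted in this message; the NIS upper bound is a hypothetical placeholder, since the poster only said NIS UIDs start at 10000.

```python
import re

# Range reserved for local Unix system users and groups; the reply above
# says the default ('*') idmap range must not sit inside it.
SYSTEM_RANGE = (0, 999)

# Matches 'idmap config DOMAIN : backend = ...' and 'idmap config DOMAIN : range = LOW-HIGH'.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\S+)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<value>\S.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(smb_conf):
    """Return {DOMAIN: {'backend': str, 'range': (low, high)}} from smb.conf text.

    Domain names are upper-cased: testparm prints 'idmap config ifr' while
    the admin wrote 'IFR'; both name the same domain.
    """
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        entry = cfg.setdefault(m.group("domain").upper(), {})
        key, value = m.group("key").lower(), m.group("value")
        if key == "range":
            low, high = (int(x) for x in value.split("-", 1))
            entry["range"] = (low, high)
        else:
            entry["backend"] = value.lower()
    return cfg


def _overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(cfg, reserved=()):
    """List problems: missing '*' range, reversed range, overlap with 0-999,
    overlap with any extra (name, (low, high)) pairs in 'reserved', and
    overlap between two domains' ranges. Empty list means no problem found."""
    problems = []
    if "range" not in cfg.get("*", {}):
        problems.append("no 'idmap config * : range' for the default domain")
    for dom, entry in cfg.items():
        rng = entry.get("range")
        if rng is None:
            problems.append(f"{dom}: backend set but no range")
            continue
        if rng[0] > rng[1]:
            problems.append(f"{dom}: range low > high")
        if _overlaps(rng, SYSTEM_RANGE):
            problems.append(f"{dom}: range {rng[0]}-{rng[1]} overlaps reserved system IDs 0-999")
        for name, res in reserved:
            if _overlaps(rng, res):
                problems.append(f"{dom}: range {rng[0]}-{rng[1]} overlaps {name} IDs {res[0]}-{res[1]}")
    doms = sorted(d for d in cfg if "range" in cfg[d])
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if _overlaps(cfg[a]["range"], cfg[b]["range"]):
                problems.append(f"{a} and {b}: ranges overlap")
    return problems


def rid_to_id(cfg, domain, rid):
    """idmap_rid formula: ID = RID + low end of the domain range; IDs past the high end are rejected."""
    entry = cfg[domain.upper()]
    if entry.get("backend") != "rid":
        raise ValueError(f"{domain}: not using the rid backend")
    low, high = entry["range"]
    uid = low + rid
    if uid > high:
        raise ValueError(f"{domain}: RID {rid} maps outside the range")
    return uid


# Constructed sample: the idmap lines as they appear in the posted testparm output.
POSTED = """\
[global]
    workgroup = IFR
    idmap config ifr : range = 10000-5000000
    idmap config ifr : backend = rid
    idmap config * : range = 0-999
    idmap config * : backend = tdb
"""

# Constructed sample: the same lines with the default range moved to 3000-7999 as suggested.
FIXED = """\
[global]
    workgroup = IFR
    idmap config ifr : range = 10000-5000000
    idmap config ifr : backend = rid
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
"""

# The poster said NIS UIDs start at 10000; the upper bound here is a hypothetical placeholder.
NIS_UIDS = ("NIS", (10000, 2**31 - 1))

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        print(label, check_idmap(parse_idmap(text)) or "ok")
    print("fixed vs NIS", check_idmap(parse_idmap(FIXED), reserved=[NIS_UIDS]))
    print("Domain Users (RID 513) ->", rid_to_id(parse_idmap(FIXED), "IFR", 513))
```

With the posted config the only finding is the '*' range inside 0-999; with the corrected default range the check is clean. Passing the NIS range as reserved shows the other collision visible in the getent output above: the rid range starting at 10000 and NIS UIDs starting at 10000 cannot both be authoritative, which is why the same person appears with two different UIDs. The rid formula also reproduces the quoted gid 10513 for Domain Users (RID 513) and uid 11752 for RID 1752.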