[Samba] samba / debian 10 / security=ads

Gregory ROCHER Gregory.Rocher at ifremer.fr
Wed Nov 18 13:12:58 UTC 2020


Many thanks, Rowland, for having read and responded to this very long mail.

On 18/11/2020 at 12:46, Rowland penny via samba wrote:
>>> NT_STATUS_NO_LOGON_SERVERS
> Are the Unix clients joined to the domain and do they use a DC as their 
> first nameserver ?

No, the linux clients aren't bound by any means to the AD.
Their name servers in /etc/resolv.conf are standard bind resolvers.


>> On debian9 / samba 4.5.16 both clients work without winbind and idmap 
>> parameters in smb.conf
> In which case it sounds like you were using something like sssd or 
> nslcd, have you removed whatever you were using ?

No, I've just verified on the debian 9 server. We don't use sssd nor nscd,
but yes, nis is used on the host.


> Add libpam-krb5 if you haven't already installed it.
The package is installed/configured and seems to work on the debian 10 
server. Not on the linux clients


>>> root@vans-d10-cl:~# getent passwd grocher
>>> grocher:$1$[password hash redacted]:21826:10022:Gregory ROCHER, 
>>> Ifremer Brest PDG-IRSI-RIC, 02 29 00 85 
>>> 79:/home1/homedir1/perso/grocher:/bin/csh
>>> root@vans-d10-cl:~# getent passwd IFR\\grocher
>>> IFR\grocher:*:11752:10513:Gregory ROCHER, Ifremer Brest PDG-IRSI-RIC, 
>>> 02 2:/home/IFR/grocher:/bin/false
> 
> Why do you have a schizophrenic user ?
> 
> Do you by any chance have NIS setup ?
> 
> If you do have NIS set up, then remove it, you do not need it.


We use nis to authenticate users by ssh, for example. That may be the root
cause of our problem.

grocher: is the "unix user" via nis, used in the unix world; we have a
mixed environment here.
IFR\grocher is the corresponding user in the IFR domain.

Do you mean that security=ads and nis are completely incompatible for the
samba use case?


>>>     include = /usr/local/samba/etc/smb.conf.global.vans-d10-cl
> What is in the 'include' file ?
>>>     include = /usr/local/samba/etc/smb.conf.vans-d10-cl
> Again, what is in the 'include' file ?

specific config files + shares definition on the host
> root@vans-d10-cl:~# cat /usr/local/samba/etc/smb.conf.global.vans-d10-cl /usr/local/samba/etc/smb.conf.vans-d10-cl
> preferred master= no
> print command   = lpr -s -r -P %p %s
> printing        = bsd
> server string   = Linux
> wins server     = 134.246.155.180
> 
> [homes]
> browseable      = no
> create mask     = 0750
> directory mask  = 0750
> oplocks         = yes
> path            = %H
> writable        = yes
> 
> [testsamba]
> browseable	= no	
> create mask	= 0770
> directory mask	= 0770
> force group	= ditiric
> path		= /export/home/testsamba
> valid users	= @ditiric
> writable	= yes
> 
> [fakedrhrrh]
> browseable	= no	
> create mask	= 0770
> directory mask	= 0770
> force group	= drhrrh
> path		= /export/home/fakedrhrrh
> valid users	= @drhrrh
> writable	= yes


>>>     preexec = /home/services/systeme/winnt/bin/winnt.pl %u %g %H %M %m
>>
> Is the 'winnt' share meant for netlogon scripts ?

It's a home-made perl script that produces a log file of logins by our
users and pre-mounts some of the shares at login in the domain. For
Windows users only.

-- 
Grégory Rocher
02 29 00 85 79 (8579)


