[Samba] I can't login into my Linux client with Samba DC users.
Rowland Penny
rpenny at samba.org
Mon Jul 19 09:18:36 UTC 2021
On Mon, 2021-07-19 at 09:08 +0000, Jason Long via samba wrote:
> Hello,
> Thank you so much.
> I removed all sss entries from the server and client, then I removed
> the line below from the "/etc/hosts" file:
> 10.0.3.15 mydc.mydomain.z
>
> After that, I disabled my second NIC (10.0.3.15) on both the server
> and client, then changed the "/etc/resolve.conf" file on the Linux client
> as below:
>
> search mydomain.z
> nameserver 192.168.56.7
>
> The date and time are the same on both the server and client, and the "Kinit
> Administrator" command worked on the server.
>
> On the Linux client, I executed the commands below:
>
> # hostname -I
> 192.168.56.9
> # hostname -A
> node3.mydomain.z
> # hostname -f
> node3.localhost.localdomain
>
> Why "node3.localhost.localdomain"? Should I rejoin my Linux client to
> my Samba domain?
>
Your DNS is not set up correctly; this has nothing to do with Samba and
all to do with your OS.
I know that Fedora will work as a Unix domain member, as I set up one
on Fedora 34 yesterday (see attached notes).
Any questions, please ask.
Rowland
-------------- next part --------------
Using Fedora 34 as a domain member
Environment used:
Domain Name : SAMDOM
Realm : SAMDOM.EXAMPLE.COM
Client Hostname : fed34server.samdom.example.com
Client ipaddress : 192.168.0.180 via dhcp
DC1 IP : 192.168.0.10
[root@fed34server ~]# dnf -y install samba samba-winbind samba-winbind-clients oddjob-mkhomedir
Last metadata expiration check: 0:00:30 ago on Sun 18 Jul 2021 17:14:19 BST.
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
oddjob-mkhomedir x86_64 0.34.7-2.fc34 fedora 27 k
samba x86_64 2:4.14.6-0.fc34 updates 792 k
samba-winbind x86_64 2:4.14.6-0.fc34 updates 490 k
samba-winbind-clients x86_64 2:4.14.6-0.fc34 updates 79 k
Installing dependencies:
liburing x86_64 0.7-4.fc34 fedora 26 k
oddjob x86_64 0.34.7-2.fc34 fedora 65 k
samba-common-tools x86_64 2:4.14.6-0.fc34 updates 432 k
samba-libs x86_64 2:4.14.6-0.fc34 updates 97 k
samba-winbind-modules x86_64 2:4.14.6-0.fc34 updates 55 k
Transaction Summary
================================================================================
Install 9 Packages
Total download size: 2.0 M
Installed size: 6.2 M
Downloading Packages:
(1/9): oddjob-mkhomedir-0.34.7-2.fc34.x86_64.rp 80 kB/s | 27 kB 00:00
(2/9): oddjob-0.34.7-2.fc34.x86_64.rpm 136 kB/s | 65 kB 00:00
(3/9): liburing-0.7-4.fc34.x86_64.rpm 43 kB/s | 26 kB 00:00
(4/9): samba-libs-4.14.6-0.fc34.x86_64.rpm 320 kB/s | 97 kB 00:00
(5/9): samba-4.14.6-0.fc34.x86_64.rpm 1.0 MB/s | 792 kB 00:00
(6/9): samba-common-tools-4.14.6-0.fc34.x86_64. 592 kB/s | 432 kB 00:00
(7/9): samba-winbind-modules-4.14.6-0.fc34.x86_ 260 kB/s | 55 kB 00:00
(8/9): samba-winbind-clients-4.14.6-0.fc34.x86_ 224 kB/s | 79 kB 00:00
(9/9): samba-winbind-4.14.6-0.fc34.x86_64.rpm 602 kB/s | 490 kB 00:00
--------------------------------------------------------------------------------
Total 714 kB/s | 2.0 MB 00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : samba-libs-2:4.14.6-0.fc34.x86_64 1/9
Installing : samba-common-tools-2:4.14.6-0.fc34.x86_64 2/9
Installing : samba-winbind-modules-2:4.14.6-0.fc34.x86_64 3/9
Running scriptlet: samba-winbind-2:4.14.6-0.fc34.x86_64 4/9
Installing : samba-winbind-2:4.14.6-0.fc34.x86_64 4/9
Running scriptlet: samba-winbind-2:4.14.6-0.fc34.x86_64 4/9
Installing : oddjob-0.34.7-2.fc34.x86_64 5/9
Running scriptlet: oddjob-0.34.7-2.fc34.x86_64 5/9
dbus-daemon: no process found
Installing : liburing-0.7-4.fc34.x86_64 6/9
Installing : samba-2:4.14.6-0.fc34.x86_64 7/9
Running scriptlet: samba-2:4.14.6-0.fc34.x86_64 7/9
Installing : oddjob-mkhomedir-0.34.7-2.fc34.x86_64 8/9
Running scriptlet: oddjob-mkhomedir-0.34.7-2.fc34.x86_64 8/9
dbus-daemon: no process found
Installing : samba-winbind-clients-2:4.14.6-0.fc34.x86_64 9/9
Running scriptlet: samba-winbind-clients-2:4.14.6-0.fc34.x86_64 9/9
Verifying : liburing-0.7-4.fc34.x86_64 1/9
Verifying : oddjob-0.34.7-2.fc34.x86_64 2/9
Verifying : oddjob-mkhomedir-0.34.7-2.fc34.x86_64 3/9
Verifying : samba-2:4.14.6-0.fc34.x86_64 4/9
Verifying : samba-common-tools-2:4.14.6-0.fc34.x86_64 5/9
Verifying : samba-libs-2:4.14.6-0.fc34.x86_64 6/9
Verifying : samba-winbind-2:4.14.6-0.fc34.x86_64 7/9
Verifying : samba-winbind-clients-2:4.14.6-0.fc34.x86_64 8/9
Verifying : samba-winbind-modules-2:4.14.6-0.fc34.x86_64 9/9
Installed:
liburing-0.7-4.fc34.x86_64
oddjob-0.34.7-2.fc34.x86_64
oddjob-mkhomedir-0.34.7-2.fc34.x86_64
samba-2:4.14.6-0.fc34.x86_64
samba-common-tools-2:4.14.6-0.fc34.x86_64
samba-libs-2:4.14.6-0.fc34.x86_64
samba-winbind-2:4.14.6-0.fc34.x86_64
samba-winbind-clients-2:4.14.6-0.fc34.x86_64
samba-winbind-modules-2:4.14.6-0.fc34.x86_64
Complete!
-------------------------------------------------------------------------------------
Setup krb5.conf:
[root@fed34server ~]# rm -f /etc/krb5.conf.d/crypto-policies
[root@fed34server ~]# cp /etc/krb5.conf /etc/krb5.conf.orig
[root@fed34server ~]# nano /etc/krb5.conf
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
-----------------------------------------------------------------------------------------
Create the smb.conf:
[root@fed34server ~]# cp /etc/samba/smb.conf /etc/samba/smb.conf.orig
[root@fed34server ~]# nano /etc/samba/smb.conf
[global]
workgroup = SAMDOM
security = ADS
realm = SAMDOM.EXAMPLE.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba Server Version %v
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
winbind offline logon = yes
idmap config *:backend = tdb
idmap config *:range = 3000-9999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
template shell = /bin/bash
template homedir = /home/%U
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
log file = /var/log/samba/log.%m
max log size = 50
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
[root@fed34server ~]# nano /etc/samba/user.map
!root = SAMDOM\Administrator
-------------------------------------------------------------------------------------
Now join the domain:
[root@fed34server ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- SAMDOM
Joined 'FED34SERVER' to dns domain 'samdom.example.com'
-------------------------------------------------------------------------------------
[root@fed34server ~]# systemctl start smb winbind
[root@fed34server ~]# systemctl mask nmb
Created symlink /etc/systemd/system/nmb.service → /dev/null.
[root@fed34server ~]# systemctl enable smb winbind
Created symlink /etc/systemd/system/multi-user.target.wants/smb.service → /usr/lib/systemd/system/smb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/winbind.service → /usr/lib/systemd/system/winbind.service.
------------------------------------------------------------------------------------
[root@fed34server ~]# pstree
systemd─┬─ModemManager───3*[{ModemManager}]
├─NetworkManager───2*[{NetworkManager}]
├─3*[abrt-dump-journ]
├─abrtd───2*[{abrtd}]
├─anacron
├─atd
├─auditd─┬─sedispatch
│ └─2*[{auditd}]
├─chronyd
├─crond
├─dbus-broker-lau───dbus-broker
├─firewalld───{firewalld}
├─gssproxy───5*[{gssproxy}]
├─login───bash
├─mcelog
├─polkitd───5*[{polkitd}]
├─rsyslogd───2*[{rsyslogd}]
├─smbd─┬─cleanupd
│ ├─lpqd
│ └─smbd-notifyd
├─sshd───sshd───sshd───bash───pstree
├─sssd─┬─sssd_be
│ └─sssd_nss
├─systemd───(sd-pam)
├─systemd-homed
├─systemd-journal
├─systemd-logind
├─systemd-oomd
├─systemd-resolve
├─systemd-udevd
├─systemd-userdbd───3*[systemd-userwor]
└─winbindd───3*[winbindd]
----------------------------------------------------------------------------------
[root@fed34server ~]# dnf remove sssd
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Removing:
sssd x86_64 2.5.1-2.fc34 @updates 34 k
Removing unused dependencies:
adcli x86_64 0.9.1-3.fc34 @fedora 317 k
cyrus-sasl-gssapi x86_64 2.1.27-8.fc34 @fedora 45 k
libipa_hbac x86_64 2.5.1-2.fc34 @updates 62 k
libsmbclient x86_64 2:4.14.6-0.fc34 @updates 173 k
sssd-ad x86_64 2.5.1-2.fc34 @updates 405 k
sssd-common-pac x86_64 2.5.1-2.fc34 @updates 230 k
sssd-ipa x86_64 2.5.1-2.fc34 @updates 691 k
sssd-krb5 x86_64 2.5.1-2.fc34 @updates 86 k
sssd-krb5-common x86_64 2.5.1-2.fc34 @updates 203 k
sssd-ldap x86_64 2.5.1-2.fc34 @updates 151 k
sssd-proxy x86_64 2.5.1-2.fc34 @updates 154 k
Transaction Summary
================================================================================
Remove 12 Packages
Freed space: 2.5 M
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Erasing : sssd-2.5.1-2.fc34.x86_64 1/12
Erasing : sssd-ipa-2.5.1-2.fc34.x86_64 2/12
Erasing : sssd-ad-2.5.1-2.fc34.x86_64 3/12
Erasing : adcli-0.9.1-3.fc34.x86_64 4/12
Erasing : sssd-krb5-2.5.1-2.fc34.x86_64 5/12
Erasing : sssd-ldap-2.5.1-2.fc34.x86_64 6/12
Erasing : sssd-krb5-common-2.5.1-2.fc34.x86_64 7/12
Erasing : cyrus-sasl-gssapi-2.1.27-8.fc34.x86_64 8/12
Erasing : libsmbclient-2:4.14.6-0.fc34.x86_64 9/12
Erasing : sssd-common-pac-2.5.1-2.fc34.x86_64 10/12
Erasing : libipa_hbac-2.5.1-2.fc34.x86_64 11/12
Erasing : sssd-proxy-2.5.1-2.fc34.x86_64 12/12
Running scriptlet: sssd-proxy-2.5.1-2.fc34.x86_64 12/12
Verifying : adcli-0.9.1-3.fc34.x86_64 1/12
Verifying : cyrus-sasl-gssapi-2.1.27-8.fc34.x86_64 2/12
Verifying : libipa_hbac-2.5.1-2.fc34.x86_64 3/12
Verifying : libsmbclient-2:4.14.6-0.fc34.x86_64 4/12
Verifying : sssd-2.5.1-2.fc34.x86_64 5/12
Verifying : sssd-ad-2.5.1-2.fc34.x86_64 6/12
Verifying : sssd-common-pac-2.5.1-2.fc34.x86_64 7/12
Verifying : sssd-ipa-2.5.1-2.fc34.x86_64 8/12
Verifying : sssd-krb5-2.5.1-2.fc34.x86_64 9/12
Verifying : sssd-krb5-common-2.5.1-2.fc34.x86_64 10/12
Verifying : sssd-ldap-2.5.1-2.fc34.x86_64 11/12
Verifying : sssd-proxy-2.5.1-2.fc34.x86_64 12/12
Removed:
adcli-0.9.1-3.fc34.x86_64 cyrus-sasl-gssapi-2.1.27-8.fc34.x86_64
libipa_hbac-2.5.1-2.fc34.x86_64 libsmbclient-2:4.14.6-0.fc34.x86_64
sssd-2.5.1-2.fc34.x86_64 sssd-ad-2.5.1-2.fc34.x86_64
sssd-common-pac-2.5.1-2.fc34.x86_64 sssd-ipa-2.5.1-2.fc34.x86_64
sssd-krb5-2.5.1-2.fc34.x86_64 sssd-krb5-common-2.5.1-2.fc34.x86_64
sssd-ldap-2.5.1-2.fc34.x86_64 sssd-proxy-2.5.1-2.fc34.x86_64
Complete!
----------------------------------------------------------------------------------
[root@fed34server ~]# nano /etc/nsswitch.conf
Remove any 'sss'
----------------------------------------------------------------------------------
# show AD users
[root@f26 ~]# wbinfo -u
administrator
rowland
dns-member1
dns-dc2
krbtgt
guest
....
...
..
.
---------------------------------------------------------------------------------
[root@fed34server ~]# authselect select winbind
Profile "winbind" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
Make sure that winbind service is configured and enabled. See winbind documentation for more information.
-----------------------------------------------------------------------------------
# Show an AD user's info, this also shows that the OS knows your users:
[root@fed34server ~]# getent passwd rowland
rowland:*:11107:10513::/home/rowland:/bin/bash
-----------------------------------------------------------------------------------
Set SELinux to allow home shares (so users can log in):
[root@f26 ~]# setsebool -P samba_enable_home_dirs on
If you add any shares, you will need to run this:
chcon -t samba_share_t /path/to/samba/share/
You should now be able to log in as an AD user.
----------------------------------------------------------------------------------
Show domain info:
[root@fed34server ~]# net ads info
LDAP server: 192.168.0.10
LDAP server name: rpidc1.samdom.example.com
Realm: SAMDOM.EXAMPLE.COM
Bind Path: dc=SAMDOM,dc=EXAMPLE,dc=COM
LDAP port: 389
Server time: Sun, 18 Jul 2021 18:47:12 BST
KDC server: 192.168.0.10
Server time offset: 0
Last machine account password change: Sun, 18 Jul 2021 17:24:25 BST
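----------------------------------------------------------------------------------
Added example (not part of the notes above and not a Samba tool): a shell check for the two client-side conditions this thread turns on, namely that "hostname -f" returns a name inside the realm's DNS domain and that the passwd and group lines of nsswitch.conf list winbind with no leftover sss. The function names are made up for this example, and MYDOMAIN.Z is assumed from the "search mydomain.z" line quoted earlier.

```shell
#!/bin/sh
# Added example: checks for a winbind domain member, run before "net ads join"
# and again after "authselect select winbind". Function names are hypothetical.

# fqdn_in_realm FQDN REALM: succeed only if FQDN is <host>.<realm in lower case>.
fqdn_in_realm() {
    fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    domain=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$fqdn" in
        ?*."$domain") return 0 ;;
    esac
    return 1
}

# nss_db_ok FILE DB: succeed only if the DB line lists winbind and no sss.
nss_db_ok() {
    # Clearing $1 makes awk rebuild the record with one space before each source.
    srcs=$(awk -v db="$2:" '$1 == db { $1 = ""; print; exit }' "$1")
    case "$srcs " in *" sss "*) return 1 ;; esac
    case "$srcs " in *" winbind "*) return 0 ;; esac
    return 1
}

# precheck FQDN REALM NSSWITCH_FILE: print each failure, return their count.
precheck() {
    bad=0
    fqdn_in_realm "$1" "$2" || { echo "FAIL: FQDN '$1' is not in realm $2"; bad=$((bad + 1)); }
    for db in passwd group; do
        nss_db_ok "$3" "$db" || { echo "FAIL: $db line in $3"; bad=$((bad + 1)); }
    done
    return "$bad"
}

# Constructed sample: the FQDN reported in the thread, plus an nsswitch.conf
# written here that still carries sss on its group line.
demo() {
    f=$(mktemp)
    printf 'passwd: files winbind systemd\ngroup:\tfiles sss systemd\n' > "$f"
    rc=0
    precheck node3.localhost.localdomain MYDOMAIN.Z "$f" || rc=$?
    rm -f "$f"
    return "$rc"
}

# Live use: precheck "$(hostname -f)" SAMDOM.EXAMPLE.COM /etc/nsswitch.conf
```

A non-zero return from precheck is the number of failed checks; fix the hostname or DNS setup first, since the join and Kerberos both depend on it.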