[Samba] Domain member?
L.P.H. van Belle
belle at bazuin.nl
Tue Oct 26 10:27:06 UTC 2021
This looks good to me, only a few small pointers.
On the resolv.conf question: reboot, are your changes still there?
-> yes, fine, keep as is.
-> no, configure it "conform" how Ubuntu wants.
>> no user.map detected.
In smb.conf add :
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
And add in the file:
!root = SAMBA\Administrator SAMBA\administrator
It looks like you copied the samba-ad-dc's smb.conf.
That's still missing some parts.
Read, and you must set one of these:
https://wiki.samba.org/index.php/Idmap_config_ad
https://wiki.samba.org/index.php/Idmap_config_rid
Basically you're here: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
At: Setting up a Basic smb.conf File
.. + what Rowland posted ;-)
Remember, in the smb.conf file, less is better in general.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Joachim Lindenberg via samba
> Sent: Tuesday 26 October 2021 11:59
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member?
>
> Hello Louis,
> sure. I know I configured /etc/resolv.conf during join,
> pointing to a DC manually. Is the local resolver the culprit?
> Thanks,
> Joachim
>
> root at le:/tmp# cat samba-debug-info.txt
> Collected config --- 2021-10-26-09:12 -----------
>
> Hostname: le
> DNS Domain: samba.lindenberg.one
> FQDN: le.samba.lindenberg.one
> ipaddress: 192.168.176.9
>
> -----------
>
> Kerberos SRV _kerberos._tcp.samba.lindenberg.one record verified ok, sample output:
> Server: 127.0.0.53
> Address: 127.0.0.53#53
>
> Non-authoritative answer:
> _kerberos._tcp.samba.lindenberg.one service = 0 100 88 boa.samba.lindenberg.one.
> _kerberos._tcp.samba.lindenberg.one service = 0 100 88 mamba.samba.lindenberg.one.
> _kerberos._tcp.samba.lindenberg.one service = 0 100 88 cobra.samba.lindenberg.one.
>
> Authoritative answers can be found from:
> Samba is running as a Unix domain member
> Checking file: /etc/os-release
>
> NAME="Ubuntu"
> VERSION="20.04.3 LTS (Focal Fossa)"
> ID=ubuntu
> ID_LIKE=debian
> PRETTY_NAME="Ubuntu 20.04.3 LTS"
> VERSION_ID="20.04"
> HOME_URL="https://www.ubuntu.com/"
> SUPPORT_URL="https://help.ubuntu.com/"
> BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
> VERSION_CODENAME=focal
> UBUNTU_CODENAME=focal
>
> -----------
>
>
> This computer is running Ubuntu 20.04.3 LTS x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1420 qdisc mq state UP group default qlen 1000
>     link/ether 00:15:5d:b1:0c:70 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.176.9/24 brd 192.168.176.255 scope global eth0
>     inet6 fe80::215:5dff:feb1:c70/64 scope link
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
>
> # The following lines are desirable for IPv6 capable hosts
> 192.168.176.9 le.samba.lindenberg.one le
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # This file is managed by man:systemd-resolved(8). Do not edit.
> #
> # This is a dynamic resolv.conf file for connecting local clients to the
> # internal DNS stub resolver of systemd-resolved. This file lists all
> # configured search domains.
> #
> # Run "resolvectl status" to see details about the uplink DNS servers
> # currently in use.
> #
> # Third party programs must not access this file directly, but only through the
> # symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
> # replace this symlink by a static file or a different symlink.
> #
> # See man:systemd-resolved.service(8) for details about the supported modes of
> # operation for /etc/resolv.conf.
>
> nameserver 127.0.0.53
> options edns0 trust-ad
> search samba.lindenberg.one
>
> -----------
>
> systemd stub resolver detected, running command :
> systemd-resolve --status
> -----------
> Global
> LLMNR setting: no
> MulticastDNS setting: no
> DNSOverTLS setting: no
> DNSSEC setting: no
> DNSSEC supported: no
> DNSSEC NTA: 10.in-addr.arpa
> 16.172.in-addr.arpa
> 168.192.in-addr.arpa
> 17.172.in-addr.arpa
> 18.172.in-addr.arpa
> 19.172.in-addr.arpa
> 20.172.in-addr.arpa
> 21.172.in-addr.arpa
> 22.172.in-addr.arpa
> 23.172.in-addr.arpa
> 24.172.in-addr.arpa
> 25.172.in-addr.arpa
> 26.172.in-addr.arpa
> 27.172.in-addr.arpa
> 28.172.in-addr.arpa
> 29.172.in-addr.arpa
> 30.172.in-addr.arpa
> 31.172.in-addr.arpa
> corp
> d.f.ip6.arpa
> home
> internal
> intranet
> lan
> local
> private
> test
>
> Link 2 (eth0)
> Current Scopes: DNS
> DefaultRoute setting: yes
> LLMNR setting: yes
> MulticastDNS setting: no
> DNSOverTLS setting: no
> DNSSEC setting: no
> DNSSEC supported: no
> Current DNS Server: 192.168.177.19
> DNS Servers: 192.168.177.18
> 192.168.177.19
> DNS Domain: samba.lindenberg.one
>
> -------resolv.conf end----
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = SAMBA.LINDENBERG.ONE
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files systemd winbind
> group: files systemd winbind
> shadow: files
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
> netbios name = LE
> realm = SAMBA.LINDENBERG.ONE
> workgroup = SAMBA
> security = ADS
> # dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
> # idmap_ldb:use rfc2307 = yes
> disable netbios = yes
> smb encrypt = mandatory
> kerberos method = secrets and keytab
> # winbind refresh tickets = yes
> template shell = /bin/bash
> template homedir = /home/%U
> winbind use default domain = yes
>
> -----------
>
> Running as Unix domain member and no user.map detected.
> This is possible with an auth-only setup, checking also for NFS parts
> -----------
> Warning, /etc/idmapd.conf does not exist
>
> -----------
>
>
> Installed packages:
> ii  acl                       2.2.53-6                 amd64  access control list - utilities
> ii  attr                      1:2.4.48-5               amd64  utilities for manipulating filesystem extended attributes
> ii  krb5-config               2.6ubuntu1               all    Configuration files for Kerberos Version 5
> ii  krb5-locales              1.17-6ubuntu4.1          all    internationalization support for MIT Kerberos
> ii  krb5-user                 1.17-6ubuntu4.1          amd64  basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64             2.2.53-6                 amd64  access control list - shared library
> ii  libattr1:amd64            1:2.4.48-5               amd64  extended attribute handling - shared library
> ii  libgssapi-krb5-2:amd64    1.17-6ubuntu4.1          amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal:amd64  7.7.0+dfsg-1ubuntu1      amd64  Heimdal Kerberos - libraries
> ii  libkrb5-3:amd64           1.17-6ubuntu4.1          amd64  MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64     1.17-6ubuntu4.1          amd64  MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64      2:4.14.8+dfsg-0.1focal1  amd64  Samba nameservice integration plugins
> ii  libpam-krb5:amd64         4.8-2ubuntu1             amd64  PAM module for MIT Kerberos
> ii  libpam-winbind:amd64      2:4.14.8+dfsg-0.1focal1  amd64  Windows domain authentication integration plugin
> ii  libwbclient0:amd64        2:4.14.8+dfsg-0.1focal1  amd64  Samba winbind client library
> ii  python3-attr              19.3.0-2                 all    Attributes without boilerplate (Python 3)
> ii  python3-nacl              1.3.0-5                  amd64  Python bindings to libsodium (Python 3)
> ii  python3-samba             2:4.14.8+dfsg-0.1focal1  amd64  Python 3 bindings for Samba
> ii  samba                     2:4.14.8+dfsg-0.1focal1  amd64  SMB/CIFS file, print, and login server for Unix
> ii  samba-common              2:4.14.8+dfsg-0.1focal1  all    common files used by both the Samba server and client
> ii  samba-common-bin          2:4.14.8+dfsg-0.1focal1  amd64  Samba common files used by both the server and the client
> ii  samba-dsdb-modules:amd64  2:4.14.8+dfsg-0.1focal1  amd64  Samba Directory Services Database
> ii  samba-libs:amd64          2:4.14.8+dfsg-0.1focal1  amd64  Samba core libraries
> ii  samba-vfs-modules:amd64   2:4.14.8+dfsg-0.1focal1  amd64  Samba Virtual FileSystem plugins
> ii  winbind                   2:4.14.8+dfsg-0.1focal1  amd64  service to resolve user and group information from Windows NT servers
>
> -----------
>
>
>
>
> -----Original message-----
> From: samba <samba-bounces at lists.samba.org> On behalf of
> L.P.H. van Belle via samba
> Sent: Tuesday, 26 October 2021 09:37
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member?
>
> This is something in your setup.
>
> Can you run this one and post the output.
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>
> If needed, anonymize where needed.
>
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Joachim
> > Lindenberg via samba
> > Sent: Tuesday 26 October 2021 8:45
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Domain member?
> >
> > Hello Rowland,
> > I read https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member,
> > and I specifically read "If your users will only use the Samba
> > AD DC for authentication and will not store data on it or log into it,
> > you can use the winbind 'rid' backend, this calculates the user
> > and group IDs from the Windows RID, if you use the same [global]
> > section of the smb.conf on every Unix domain member, you will get the
> > same IDs." - that's the reason I started with a smb.conf of a DC and
> > removed stuff that was apparently irrelevant. Is this section of
> > documentation also wrong?
> >
> > > sudo dpkg -l winbind
> > Desired=Unknown/Install/Remove/Purge/Hold
> > | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> > |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> > ||/ Name           Version                 Architecture Description
> > +++-==============-=======================-============-=============================================>
> > ii  winbind        2:4.14.8+dfsg-0.1focal1 amd64        service to resolve user and group information>
> >
> > in fact winbind is running after yet another system restart, i.e. it
> > looks like some initialization issue during or after installation.
> > However it reports:
> > Oct 26 06:25:46 le winbindd[832]: [2021/10/26 06:25:46.806438, 0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
> > Oct 26 06:25:46 le winbindd[832]: gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L>
> > Oct 26 06:25:52 le winbindd[832]: [2021/10/26 06:25:52.951201, 0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
> > Oct 26 06:25:52 le winbindd[832]: gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L>
> > Oct 26 06:26:32 le winbindd[832]: [2021/10/26 06:26:32.079056, 0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
> > Oct 26 06:26:32 le winbindd[832]: gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L>
> > Oct 26 06:26:38 le winbindd[832]: [2021/10/26 06:26:38.202614, 0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
> >
> > On the right: gse_get_client_auth_token: gss_init_sec_context failed
> > with [ Miscellaneous failure (see text): Client
> > (LE$@SAMBA.LINDENBERG.ONE) unknown]
> >
> > I searched for that error, but only M$ or ancient stuff..
> > Thanks, Joachim
> >
> >
> > -----Original message-----
> > From: samba <samba-bounces at lists.samba.org> On behalf of Rowland
> > Penny via samba
> > Sent: Monday, 25 October 2021 22:28
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Domain member?
> >
> > On Mon, 2021-10-25 at 22:06 +0200, Joachim Lindenberg via samba wrote:
> > > > How did you join the domain ?
> > > I joined using net ads join -U Joachim (which happens to be domain
> > > admin). No error (after fixing a hostname setup issue).
> >
> > OK.
> >
> > >
> > > > The line above is only used on a DC
> > > I excerpted this from an existing DC. Removed it. No change.
> > > Is there a consistency check I can run?
> >
> > Yes, but you probably don't need it (more on this later)
> >
> > >
> > > > Are you using sssd ?
> > > I don't (yet) know what sssd is about.
> >
> > As this is Ubuntu, you may have it installed.
> > You can check with:
> > sudo dpkg -l winbind
> >
> > The last line will look like this if it isn't installed:
> >
> > un sssd <none> <none> (no description available)
> >
> > >
> > > > Have you installed winbind ?
> > > I followed
> > > https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Ubuntu
> > > , and yes, winbind is installed.
> > >
> > > > You have only stopped Samba using nmbd, you need to stop it and then
> > > > disable it.
> > > I didn't enable it at all. Some magic? If smb.conf asks for no
> > > netbios, shouldn't the process exit?
> >
> > Debian based distros start packages when they are installed, so no
> > magic is involved.
> >
> > I suggest you go and read this:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> > and one of these:
> > https://wiki.samba.org/index.php/Idmap_config_ad
> > https://wiki.samba.org/index.php/Idmap_config_rid
> > https://wiki.samba.org/index.php/Idmap_config_autorid
> >
> > You need to add 'idmap config' lines to your smb.conf (if you don't
> > know what they are, you will once you have read the above wiki pages).
> > You also need to find out why 'systemctl start winbind' doesn't work.
> >
> > Rowland
> >
> >
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
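
Added example (not part of the original thread and not Samba project code): a small Python check for the two gaps pointed out in the reply at the top of this message, missing 'idmap config' lines and a missing 'username map', run against an abridged copy of the posted [global] section. The idmap ranges in FIXED are assumed values, and `parse_global` and `check_member` are hypothetical helper names.

```python
import re

# Constructed sample inputs: POSTED is an abridged copy of the [global] section
# quoted in this thread; FIXED adds rid-backend idmap lines (ranges are assumed
# values) and the user map. Function names are this example's own.
POSTED = """[global]
    netbios name = LE
    realm = SAMBA.LINDENBERG.ONE
    workgroup = SAMBA
    security = ADS
    winbind use default domain = yes
"""
FIXED = POSTED + """    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMBA : backend = rid
    idmap config SAMBA : range = 10000-999999
    username map = /etc/samba/samba_usermapping
"""

def parse_global(text):
    """Return the [global] parameters as a dict with normalised lower-case keys."""
    params, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_member(text):
    """List what a domain-member smb.conf is missing, per the advice in the thread."""
    g, idmap, findings = parse_global(text), {}, []
    for key, value in g.items():
        m = re.match(r"idmap config (.+?)\s*:\s*(backend|range)$", key)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2)] = value
    for dom in ("*", g.get("workgroup", "").lower()):
        if not {"backend", "range"} <= set(idmap.get(dom, {})):
            findings.append(f"no complete idmap config for {dom}")
    spans = sorted((*map(int, c["range"].split("-")), d)
                   for d, c in idmap.items() if "range" in c)
    for (_, high, d1), (low, _, d2) in zip(spans, spans[1:]):
        if low <= high:  # next range starts inside the previous one
            findings.append(f"idmap ranges of {d1} and {d2} overlap")
    if "username map" not in g:
        findings.append("no username map set")
    return findings
```

`check_member(POSTED)` reports the same three gaps the reply lists; on a live system `testparm -s` remains the authoritative syntax check.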