[Samba] Domain member?
Joachim Lindenberg
samba at lindenberg.one
Tue Oct 26 12:05:16 UTC 2021
Hello Rowland, Louis,
> You do not have any 'idmap config' lines (I think I mentioned this already)
You did, and I replied that the documentation suggests I don't need it. I am also not using idmap on my DCs either, where OpenSSH works with Kerberos. If there is a fine line in between the two setups, then I am missing that in the docs.
Will try later and get back with the results.
Thanks, Joachim
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Tuesday, 26 October 2021 12:21
To: samba at lists.samba.org
Subject: Re: [Samba] Domain member?
On Tue, 2021-10-26 at 11:59 +0200, Joachim Lindenberg via samba wrote:
> Hello Louis,
> sure. I know I configured /etc/resolv.conf during join, pointing to a
> DC manually. Is the local resolver the culprit?
> Thanks,
> Joachim
>
> root at le:/tmp# cat samba-debug-info.txt Collected config ---
> 2021-10-26-09:12 -----------
>
> Hostname: le
> DNS Domain: samba.lindenberg.one
> FQDN: le.samba.lindenberg.one
> ipaddress: 192.168.176.9
>
> -----------
>
> Kerberos SRV _kerberos._tcp.samba.lindenberg.one record verified ok,
> sample output:
> Server: 127.0.0.53
> Address: 127.0.0.53#53
>
> Non-authoritative answer:
> _kerberos._tcp.samba.lindenberg.one service = 0 100 88
> boa.samba.lindenberg.one.
> _kerberos._tcp.samba.lindenberg.one service = 0 100 88
> mamba.samba.lindenberg.one.
> _kerberos._tcp.samba.lindenberg.one service = 0 100 88
> cobra.samba.lindenberg.one.
>
> Authoritative answers can be found from:
> Samba is running as a Unix domain member
> Checking file: /etc/os-release
>
> NAME="Ubuntu"
> VERSION="20.04.3 LTS (Focal Fossa)"
> ID=ubuntu
> ID_LIKE=debian
> PRETTY_NAME="Ubuntu 20.04.3 LTS"
> VERSION_ID="20.04"
> HOME_URL="https://www.ubuntu.com/"
> SUPPORT_URL="https://help.ubuntu.com/"
> BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> PRIVACY_POLICY_URL="
> https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
> VERSION_CODENAME=focal
> UBUNTU_CODENAME=focal
>
> -----------
>
>
> This computer is running Ubuntu 20.04.3 LTS x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1420 qdisc mq state UP
> group default qlen 1000
> link/ether 00:15:5d:b1:0c:70 brd ff:ff:ff:ff:ff:ff
> inet 192.168.176.9/24 brd 192.168.176.255 scope global eth0
> inet6 fe80::215:5dff:feb1:c70/64 scope link
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
>
> # The following lines are desirable for IPv6 capable hosts
> 192.168.176.9 le.samba.lindenberg.one le
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # This file is managed by man:systemd-resolved(8). Do not edit.
> #
> # This is a dynamic resolv.conf file for connecting local clients to
> the # internal DNS stub resolver of systemd-resolved. This file lists
> all # configured search domains.
> #
> # Run "resolvectl status" to see details about the uplink DNS servers
> # currently in use.
> #
> # Third party programs must not access this file directly, but only
> through the # symlink at /etc/resolv.conf. To manage
> man:resolv.conf(5) in a different way, # replace this symlink by a
> static file or a different symlink.
> #
> # See man:systemd-resolved.service(8) for details about the supported
> modes of # operation for /etc/resolv.conf.
>
> nameserver 127.0.0.53
> options edns0 trust-ad
> search samba.lindenberg.one
>
> -----------
>
> systemd stub resolver detected, running command : systemd-resolve --
> status
> -----------
> Global
> LLMNR setting: no
> MulticastDNS setting: no
> DNSOverTLS setting: no
> DNSSEC setting: no
> DNSSEC supported: no
> DNSSEC NTA: 10.in-addr.arpa
> 16.172.in-addr.arpa
> 168.192.in-addr.arpa
> 17.172.in-addr.arpa
> 18.172.in-addr.arpa
> 19.172.in-addr.arpa
> 20.172.in-addr.arpa
> 21.172.in-addr.arpa
> 22.172.in-addr.arpa
> 23.172.in-addr.arpa
> 24.172.in-addr.arpa
> 25.172.in-addr.arpa
> 26.172.in-addr.arpa
> 27.172.in-addr.arpa
> 28.172.in-addr.arpa
> 29.172.in-addr.arpa
> 30.172.in-addr.arpa
> 31.172.in-addr.arpa
> corp
> d.f.ip6.arpa
> home
> internal
> intranet
> lan
> local
> private
> test
>
> Link 2 (eth0)
> Current Scopes: DNS
> DefaultRoute setting: yes
> LLMNR setting: yes
> MulticastDNS setting: no
> DNSOverTLS setting: no
> DNSSEC setting: no
> DNSSEC supported: no
> Current DNS Server: 192.168.177.19
> DNS Servers: 192.168.177.18
> 192.168.177.19
> DNS Domain: samba.lindenberg.one
>
> -------resolv.conf end----
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = SAMBA.LINDENBERG.ONE
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed,
> try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files systemd winbind
> group: files systemd winbind
> shadow: files
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
> netbios name = LE
> realm = SAMBA.LINDENBERG.ONE
> workgroup = SAMBA
> security = ADS
> # dns update command = /usr/sbin/samba_dnsupdate --use-samba-
> tool
> # idmap_ldb:use rfc2307 = yes
> disable netbios = yes
> smb encrypt = mandatory
> kerberos method = secrets and keytab
> # winbind refresh tickets = yes
> template shell = /bin/bash
> template homedir = /home/%U
> winbind use default domain = yes
>
You do not have any 'idmap config' lines (I think I mentioned this
already)
As a minimum I would expect something like this:
idmap config *:backend = tdb
idmap config *:range = 3000-9999
idmap config SAMBA : backend = rid
idmap config SAMBA : range = 10000-999999
Rowland
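
A check for the minimum the reply above asks for, written as an added example that is not part of the original thread or of Samba: for a member with `security = ADS` it reports missing `idmap config` backend/range entries for `*` and the workgroup, and also flags overlapping ranges, which goes one step beyond the reply. The sample text is constructed from the posted smb.conf, and the function names are hypothetical.

```python
import re

# Constructed samples: a trimmed copy of the posted [global] section, and the
# same section with the four idmap lines suggested in the reply appended.
POSTED = """\
[global]
    workgroup = SAMBA
    security = ADS
    # idmap_ldb:use rfc2307 = yes
    winbind use default domain = yes
"""
SUGGESTED = POSTED + """\
    idmap config *:backend = tdb
    idmap config *:range = 3000-9999
    idmap config SAMBA : backend = rid
    idmap config SAMBA : range = 10000-999999
"""

# Accepts both spellings used in the reply: "*:backend" and "SAMBA : backend".
IDMAP = re.compile(r"idmap\s+config\s+(\S+?)\s*:\s*(\w+)$", re.I)

def parse_global(text):
    """Return (plain [global] params, {domain: {option: value}} for idmap config)."""
    params, idmap, section = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = (s.strip() for s in line.split("=", 1))
            m = IDMAP.match(key)
            if m:
                idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
            else:
                params[" ".join(key.lower().split())] = value
    return params, idmap

def check_member_idmap(text):
    """List idmap problems for a domain member (security = ADS)."""
    params, idmap = parse_global(text)
    if params.get("security", "").lower() != "ads":
        return []  # not a domain member; this check does not apply
    wanted = ["*", params.get("workgroup", "").upper()]
    problems = [f"no idmap config for {d}: {o}" for d in wanted
                for o in ("backend", "range") if o not in idmap.get(d, {})]
    # Sort (low, high, domain) tuples and compare neighbours for overlap.
    spans = sorted(tuple(map(int, v["range"].split("-"))) + (d,)
                   for d, v in idmap.items() if "range" in v)
    problems += [f"ranges overlap: {a[2]} and {b[2]}"
                 for a, b in zip(spans, spans[1:]) if b[0] <= a[1]]
    return problems
```

Run against the posted section, `check_member_idmap(POSTED)` returns four findings (backend and range missing for both `*` and `SAMBA`); with the suggested lines appended it returns an empty list.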