[Samba] Problem with AD & idmap
Lars Schimmer
l.schimmer at cgv.tugraz.at
Fri Mar 4 10:48:48 UTC 2022
Am 03.03.2022 um 15:30 schrieb Rowland Penny via samba:
> On Thu, 2022-03-03 at 15:17 +0100, Lars Schimmer via samba wrote:
>>
>>
>>>>> The fact that the 'rid' idmap backend works, shows that Samba
>>>>> is
>>>>> working. When you change to the 'ad' backend and it doesn't
>>>>> work,
>>>>> usually means that there is something wrong with the uidNumber
>>>>> &
>>>>> gidNumber attributes in AD.
>>>>> Try running 'testparm -s', this may show errors.
>>>>
>>>>
>> Becuase it was described as absolute good practise for security to
>> protect against golden ticket attacks and others in the AD.
>> And it worked well on the (newer) Domain.
>
> Who described it as absolute good practise ?
At least our security department. Also I did run castleping on our
domains and it was described as good practise to change that key every year.
Over the end, thats just the Krb5TGTkey, it should not change the way
users are found, as krb5 should accept the new key, to.
Esp if the client was added to domain AFTER the keychange.
>>> In what respect ?
>>> You should have two domains configured in smb.conf (unless you are
>>> using the autorid idmap backend). The first is the default or '*'
>>> domain, this is used for the 'Well Known SIDs' and anything outside
>>> the
>>> main domain, this only needs to be small, 2000 IDs are more than
>>> enough. The second domain (which uses the workgroup name to
>>> identify
>>> it) is for the users stored in AD. You will have to add the RFC2307
>>> attributes if you use the 'ad' idmap backend. Whichever backend you
>>> use, you need to set a range for it in smb.conf. This range must
>>> cover
>>> all users in AD that you want to be mapped to Unix users, 'rid' and
>>> 'autorid' calculate the Unix ID from the RID, any Unix IDs that are
>>> outside the range set in smb.conf will be ignored. The same goes
>>> for
>>> the 'ad' backen, but in this case, any uidNumber or gidNumber
>>> attributes that are outside the range will be ignored, but Domain
>>> Users
>>> must have a gidNumber set and be inside the range, or all users
>>> will be
>>> ignored.
>>
>> Ok, thats what I guessed, but thats not how it works here now.
>
> Then something is seriously wrong, if this is on all Unix domain
> members ? if it is, then this points to a problem on the DC, if it is
> just one Unix domain member, then it is probably something wrong with
> that Unix domain member.
>
> I suggest you download this script:
>
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> Run it on the Unix domain member and post the output here.
Yeah, sth is wrong, as the result happens on all work stations.
Script shows no anomalies AFAIK, I needed to install krb5-user to run
it, never needed that krb5 tools to get the users before. But it does
not hurt (still some experience duie to OpenAFS config back in the old
days...).
Collected config --- 2022-03-04-11:40 -----------
Hostname: larsdeb
DNS Domain: cgv.tugraz.at
FQDN: larsdeb.cgv.tugraz.at
ipaddress: 129.27.218.32
-----------
Kerberos SRV _kerberos._tcp.cgv.tugraz.at record verified ok, sample
output:
Server: 129.27.218.24
Address: 129.27.218.24#53
_kerberos._tcp.cgv.tugraz.at service = 0 100 88 carme.cgv.tugraz.at.
_kerberos._tcp.cgv.tugraz.at service = 0 100 88 io.cgv.tugraz.at.
Samba is running as a Unix domain member
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 11.2 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
link/ether 00:50:56:84:83:e8 brd ff:ff:ff:ff:ff:ff
altname enp11s0
inet 129.27.218.32/24 brd 129.27.218.255 scope global ens192
inet6 fe80::250:56ff:fe84:83e8/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
129.27.218.27 larsdeb.cgv.tugraz.at larsdeb
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
search cgv.tugraz.at
nameserver 129.27.218.24
nameserver 129.27.218.37
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = CGV.TUGRAZ.AT
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
CGV.TUGRAZ.AT = {
kdc = carme.cgv.tugraz.at
kdc = deimos.cgv.tugraz.at
admin_server = carme.cgv.tugraz.at
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
CSAIL.MIT.EDU = {
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
ANDREW.CMU.EDU = {
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos-1.srv.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
kdc = kerberos-3.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.cgv.tugraz.at = CGV.TUGRAZ.AT
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files winbind
group: files winbind
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: files winbind
-----------
Checking file: /etc/samba/smb.conf
#======================= Global Settings =======================
[global]
security = ADS
workgroup = CGV
realm = CGV.TUGRAZ.AT
min protocol = SMB2
dns proxy = no
bind interfaces only = yes
interfaces = lo 129.27.218.0/24
# Default idmap config for local BUILTIN accounts and groups
# Mandatory, but hopefully not used, because the ids must not overlap
idmap config * : backend = tdb
idmap config * : range = 2000000-3000000
#idmap config for the CGV domain
idmap config CGV:backend = ad
idmap config CGV:schema_mode = template
#idmap config CGV:schema_mode = rfc2307
# We have the Users group with id 100 - so we neet to start at 100.
# Probably a really bad idea, but at the moment we have no other choice
idmap config CGV:range = 300-1999999
idmap config CGV:unix_primary_group = yes
idmap config CGV:unix_nss_info = yes
#winbind nss info = template
template shell = /bin/zsh
template homedir = /home/%U
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
map to guest = bad user
#syslog only = yes
panic action = /usr/share/samba/panic-action %d
log file = /var/log/samba/%m.log
log level = 10
-----------
Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
Warning, /etc/idmapd.conf does not exist
-----------
Installed packages:
ii attr 1:2.4.48-6 amd64
utilities for manipulating filesystem extended attributes
ii krb5-config 2.6+nmu1 all
Configuration files for Kerberos Version 5
ii krb5-locales 1.18.3-6+deb11u1 all
internationalization support for MIT Kerberos
ii krb5-user 1.18.3-6+deb11u1 amd64
basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-10 amd64
access control list - shared library
ii libattr1:amd64 1:2.4.48-6 amd64
extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.18.3-6+deb11u1 amd64
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.18.3-6+deb11u1 amd64
MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.18.3-6+deb11u1 amd64
MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.13.13+dfsg-1~deb11u3 amd64
Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.13.13+dfsg-1~deb11u3 amd64
Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.13.13+dfsg-1~deb11u3 amd64
Samba winbind client library
ii python3-samba 2:4.13.13+dfsg-1~deb11u3 amd64
Python 3 bindings for Samba
ii samba 2:4.13.13+dfsg-1~deb11u3 amd64
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.13.13+dfsg-1~deb11u3 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.13.13+dfsg-1~deb11u3 amd64
Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.13.13+dfsg-1~deb11u3 amd64
Samba Directory Services Database
ii samba-libs:amd64 2:4.13.13+dfsg-1~deb11u3 amd64
Samba core libraries
ii samba-vfs-modules:amd64 2:4.13.13+dfsg-1~deb11u3 amd64
Samba Virtual FileSystem plugins
ii winbind 2:4.13.13+dfsg-1~deb11u3 amd64
service to resolve user and group information from Windows NT
servers
-----------
> Rowland
>
>
>
MfG,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: l.schimmer at cgv.tugraz.at
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723
More information about the samba
mailing list