[Samba] [EXT] Re: Samba 4 without winbind
abartlet at samba.org
Sun Sep 18 20:42:54 UTC 2022
I'm sorry, I was tired when I wrote that, I meant nsswitch.conf, not
In terms of the idmap configuration, idmap_nss may be what you are
after, as long as the user/group names in NIS match what is seen in AD.
On Sun, 2022-09-18 at 15:08 +0000, Shannon Price wrote:
> Thank you very much for your response, Andrew.
> I removed the idmap and template settings from smb.conf (which I
> thought would achieve what you recommended - "don't configure it in
> smb.conf"). The FQDN mapping is working, but shares which are
> accessible only via NIS groups are broken again this way.
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> [2022/09/18 10:00:31.881426, 1] ../../source3/smbd/service.c:355(create_connection_session_info)
>   create_connection_session_info: user 'USERNAME' (from session setup) not permitted to access this share (GROUPSHARE)
> [2022/09/18 10:00:31.881496, 1]
> nsswitch.conf still looks like this:
> passwd: compat nis
> group:  compat nis
> I realize that this configuration is antiquated. I'll follow up with
> Rowland to get some ideas about modernizing.
> -----Original Message-----
> From: Andrew Bartlett <abartlet at samba.org>
> Sent: Sunday, September 18, 2022 4:16 AM
> To: Shannon Price <pricesw at auburn.edu>; samba at lists.samba.org
> Subject: [EXT] Re: [Samba] Samba 4 without winbind
> CAUTION: Email Originated Outside of Auburn.
> On Sat, 2022-09-17 at 15:17 +0000, Shannon Price via samba wrote:
> > We support our Windows clients via Samba since the 1990s. Our main
> > infrastructure is NIS/NFS to support our servers and Linux
> > clients. We have Samba using ADS for authentication for many years,
> > but our users and groups still come from NIS. Our last Samba server
> > is running on Ubuntu 18 (Samba 4.7.6) and is rock solid using
> > smbd/nmbd. Our newest Samba server is running on Ubuntu 20.04
> > (Samba 4.11.6 - we found severe problems with the current versions:
> > https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1954342 and have pinned
> > Samba at 4.11.6 for now). We're running it the same way we always
> > have - the machine is ADS joined (net join ads ....). I
> > experimented with winbind for quite a while, but we don't need AD
> > groups or user attributes, so it seems unnecessary and we couldn't
> > get our NIS groups to work when we did that even trying to monkey
> > with nsswitch.conf using nis for groups.
> > The problem now is only that I have full access to everything with
> > unqualified names (\\SERVER\homes works), but
> > FQDN (\\server.domain.edu\homes)
> > doesn't work and the debug logs show that Samba wants winbind
> > whenever I talk to the server with FQDN.
> > Logs with FQDN:
> > [2022/09/17 08:40:16.941558, 0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
> >   check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
> > [2022/09/17 08:40:16.943204, 2] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
> >   check_ntlm_password: Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
> > [2022/09/17 08:40:16.943300, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> > Logs without FQDN:
> >   184.108.40.206 (ipv4:220.127.116.11:28915) connect to service USERNAME initially as user USERNAME (uid=12345, gid=123) (pid 454545)
> > [2022/09/17 10:15:38.595009, 0] ../../source3/param/loadparm.c:3358(process_usershare_file)
> What you do is still possible, perhaps with some work (see the Nov
> 2021 security guidance as you have not applied those patches).
> Just run winbindd but don't configure it in the smb.conf.
> We recognise that for some the authentication is via AD but the
> authorization is via other methods specified in nsswitch.conf, and we
> now have tests specifically aimed at this.
> Andrew Bartlett
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
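As an added illustration of the setup Andrew describes above (winbindd running so that smbd can validate AD logons, but identities still taken from NIS through nsswitch.conf, with idmap_nss tying the two together by name), here is an smb.conf fragment. It is an example written for this page, not configuration from the thread or from the Samba project; the realm and workgroup names EXAMPLE.EDU / EXAMPLE are placeholders, and the id ranges are assumptions that have to be adjusted to the site's real NIS uid/gid space.

```ini
# smb.conf (added example; EXAMPLE / EXAMPLE.EDU are placeholders)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.EDU
    security = ads

    # winbindd must be running: a domain member's smbd hands the
    # NTLM/Kerberos logon to it, which is the
    # "winbindd not running - but required as domain member" failure
    # seen with the FQDN in the logs above. It is NOT added to
    # nsswitch.conf, so it never becomes a user/group source there.

    # Catch-all for SIDs that belong to no configured domain
    # (BUILTIN, the local machine, unknown SIDs): allocate a
    # persistent id from a range that cannot collide with NIS ids.
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999

    # The joined domain uses the nss backend: winbindd resolves the
    # SID to a name, then the bare account name is looked up with
    # getpwnam()/getgrnam(), i.e. through nsswitch.conf (NIS here).
    # An AD logon therefore runs with the uid and group memberships
    # of the NIS account of the same name. The range must cover
    # every NIS uid/gid that can appear, or those ids are treated
    # as unmapped and access is denied.
    idmap config EXAMPLE : backend = nss
    idmap config EXAMPLE : range = 1000-999999
```

nsswitch.conf stays as posted (passwd and group from compat/nis, no winbind entry). After restarting smbd and winbindd, `wbinfo -p` confirms winbindd answers and `wbinfo -t` that the machine account secret is valid; `wbinfo -n 'EXAMPLE\someuser'` followed by `wbinfo -S <that SID>` should return the uid that `getent passwd someuser` reports from NIS, and `getent group <nis-group>` should list the members who are allowed on a group-restricted share. The caveat that follows from this design is the one Andrew states: because the mapping is purely by name, any AD account whose sAMAccountName matches a NIS account is granted that account's uid and groups, so the two name spaces need to be kept in step and checked for accidental collisions before turning this on.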