[Samba] [EXT] Re: Samba 4 without winbind

Shannon Price pricesw at auburn.edu
Mon Sep 19 00:58:07 UTC 2022


Our users match, but the groups do not. Should we create matching group names in AD and NIS? Do the group members need to match as well?

Shannon






-------- Original message --------
From: Andrew Bartlett <abartlet at samba.org>
Date: 9/18/22 3:43 PM (GMT-06:00)
To: Shannon Price <pricesw at auburn.edu>, samba at lists.samba.org
Subject: Re: [EXT] Re: [Samba] Samba 4 without winbind

I'm sorry, I was tired when I wrote that, I meant nsswitch.conf, not smb.conf.

In terms of the idmap configuration, idmap_nss may be what you are after, as long as the user/group names in NIS match what is seen in AD.

Andrew Bartlett

On Sun, 2022-09-18 at 15:08 +0000, Shannon Price wrote:

Thank you very much for your response, Andrew.


I removed the idmap and template settings from smb.conf (which I thought would achieve what you recommended - "don't configure it in smb.conf").  The FQDN mapping is working, but shares which are accessible only via NIS groups are broken again this way.


[2022/09/18 10:00:31.881426,  1] ../../source3/smbd/service.c:355(create_connection_session_info)
  create_connection_session_info: user 'USERNAME' (from session setup) not permitted to access this share (GROUPSHARE)
[2022/09/18 10:00:31.881496,  1] ../../source3/smbd/service.c:530(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED



nsswitch.conf still looks like this:

passwd:         compat nis
group:          compat nis


I realize that this configuration is antiquated. I'll follow up with Rowland to get some ideas about modernizing.


--

Shannon


-----Original Message-----
From: Andrew Bartlett <abartlet at samba.org>
Sent: Sunday, September 18, 2022 4:16 AM
To: Shannon Price <pricesw at auburn.edu>; samba at lists.samba.org
Subject: [EXT] Re: [Samba] Samba 4 without winbind




On Sat, 2022-09-17 at 15:17 +0000, Shannon Price via samba wrote:

We have supported our Windows clients via Samba since the 1990s. Our main infrastructure is NIS/NFS to support our servers and Linux clients. We have had Samba using ADS for authentication for many years, but our users and groups still come from NIS. Our last Samba server is running on Ubuntu 18 (Samba 4.7.6) and is rock solid using smbd/nmbd. Our newest Samba server is running on Ubuntu 20.04 (Samba 4.11.6 - we found severe problems with the current versions: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1954342 and have pinned Samba at 4.11.6 for now). We're running it the same way we always have - the machine is ADS joined (net join ads ....). I experimented with winbind for quite a while, but we don't need AD groups or user attributes, so it seems unnecessary, and we couldn't get our NIS groups to work when we did that, even trying to monkey with nsswitch.conf using nis for groups.


The problem now is only that I have full access to everything with unqualified names (\\SERVER\homes works), but FQDN (\\server.domain.edu\homes) doesn't work, and the debug logs show that Samba wants winbind whenever I talk to the server with FQDN.


Logs with FQDN:

[2022/09/17 08:40:16.941558,  0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
  check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
[2022/09/17 08:40:16.943204,  2] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2022/09/17 08:40:16.943300,  2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)

Logs without FQDN:

  131.204.17.34 (ipv4:131.204.17.34:28915) connect to service USERNAME initially as user USERNAME (uid=12345, gid=123) (pid 454545)
[2022/09/17 10:15:38.595009,  0] ../../source3/param/loadparm.c:3358(process_usershare_file)


What you do is still possible, perhaps with some work (see the Nov 2021 security guidance as you have not applied those patches).


Just run winbindd but don't configure it in the smb.conf.


We recognise that for some the authentication is via AD but the authorization is via other methods specified in nsswitch.conf, and we now have tests specifically aimed at this.


Andrew Bartlett

--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
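As an added illustration that is not part of any message in this thread: the arrangement Andrew describes (authenticate against AD as a domain member, keep winbindd running, but take users and groups from NIS through nsswitch, optionally mapping the domain's SIDs with idmap_nss) sketched as a pair of config fragments. The workgroup EXAMPLE, the realm EXAMPLE.EDU, the ID ranges, the share name and the group name are all assumptions; substitute your own values and check the options against the smb.conf(5) and idmap_nss(8) man pages for the Samba version you actually run.

```ini
# /etc/samba/smb.conf  (added example; EXAMPLE/EXAMPLE.EDU, ranges and
# names below are assumptions, not values from the thread)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.EDU
    security = ads

    # Domain-member authentication (check_winbind_security in the FQDN
    # logs above) needs winbindd running; it does not need winbind in
    # nsswitch.conf, so users and groups can still come from NIS.

    # Default idmap for well-known SIDs and trusted/unknown domains.
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999

    # Optional, per Andrew's idmap_nss suggestion: resolve a SID of our
    # own domain to its account name via winbind, then look that name up
    # through nsswitch (here: NIS). Only works when the NIS user/group
    # names match the AD account names exactly.
    idmap config EXAMPLE : backend = nss
    idmap config EXAMPLE : range = 1000-999999

[homes]
    browseable = no
    read only = no

# Share restricted to a NIS group. "@name" is tried as a NIS netgroup
# first, then as a UNIX group resolved through nsswitch; use "+name"
# to force the UNIX-group lookup only.
[groupshare]
    path = /srv/groupshare
    valid users = @research
    read only = no

# /etc/nsswitch.conf  (winbind deliberately absent: identities come from NIS)
# passwd:   compat nis
# group:    compat nis
```

Before relying on this, confirm on the server that `getent passwd <user>` and `getent group research` return the NIS entries and that every account or group name you expect Samba to authorize has an NSS entry spelled exactly like its AD name: idmap_nss cannot map a SID whose resolved name has no NSS entry, and a share gated by `valid users` on such a group will fail with the same NT_STATUS_ACCESS_DENIED shown earlier in the thread.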

