[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
Gary Dale
gary at extremeground.com
Wed Apr 26 15:05:34 UTC 2023
On 2023-04-25 12:01, Rowland Penny via samba wrote:
>
>
> On 25/04/2023 16:34, Gary Dale via samba wrote:
>> On 2023-04-25 07:30, Rowland Penny via samba wrote:
>>>
>>>
>>> On 25/04/2023 04:56, Gary Dale via samba wrote:
>>>>
>>>> which is owned by root:Domain Admins. This shows up in Linux as:
>>>> root@TheLibrarian:~# ls -l /srv/
>>>> total 4
>>>> drwxr-xr-x 2 root 110512 4096 Apr 23 11:30 taxes
>>>
>>> Why is the group being shown as a number rather than by name (which
>>> ends in '512' so is probably Domain Admins, which shouldn't have a
>>> gidNumber, it breaks sysvol when using the 'ad' idmap backend)
>>> Is /etc/nsswitch.conf set up correctly? Are libpam-winbind and
>>> libnss-winbind installed?
>>>
>>> Rowland
>>>
>> Both are installed from backports (version 4.17.7).
>>
>> /etc/nsswitch.conf reads:
>> passwd: db files winbind systemd
>> group: db files winbind systemd
>
> I had to look up what 'db' was, never come across it before, I do not
> know who put it there, but I would remove every mention of it from
> nsswitch.conf
>
>> shadow: files
>>
>> hosts: files wins mdns4_minimal [NOTFOUND=return] dns mdns4
>
> How did 'wins' get there? AD does not use it, so I would remove it, in
> fact, I would remove the mdns4 stuff as well, leaving just this
>
> hosts: files dns
>
>> mymachines
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>>
>>
>> I can't see any mention of any configuration for libpam-winbind.
>
> You do not need to configure, just install it and ensure that
> 'winbind' is in the passwd and group lines.
>
>> When I look at
>> https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM,
>> there isn't much there. Under Configuring PAM, it just lists the
>> utilities but doesn't say what you are supposed to do with them. It
>> also shows an example for enabling SSH authentication on a Red Hat
>> system, but I never use password authentication for SSH. I use
>> certificates.
>
> That is the problem, PAM is set up differently depending on the
> distro, so you have to refer to the distro's documentation. However,
> Debian does most of the required modifications for you, run
> 'pam-auth-update' to see what is available and if it is already in use.
>
>>
>> The man page for pam-auth-update isn't helpful but looking at the
>> individual /etc/pam.d files, they seem to have mention of winbind
>> and kerberos.
>>
>> I note that:
>> root@TheLibrarian:~# net rpc group list -U Administrator ## same
>> results from my workstation.
>> Password for [HOME\Administrator]:
>> Could not connect to server 127.0.0.1
>
> It is trying to connect to a non-existing server on localhost, you
> will need to use '-S <DC_hostname>'
>
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>>
>> but the command(s) work on DC1. Both machines were joined to the
>> domain and both show in the list of domain computers.
>>
>
While adding the -S option works on net rpc, the similar -s option fails
for getent commands. e.g.
root@DC1:~# getent passwd HOME\\gary
HOME\gary:*:3000022:100::/home/HOME/gary:/bin/false
root@TheLibrarian:~# getent passwd HOME\\gary
root@TheLibrarian:~# getent passwd HOME\\gary -s DC1
root@TheLibrarian:~#
Similarly, when trying to login from a domain account I get:
root@DC1:~# login
DC1 login: gary
Password:
Linux DC1 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Apr 26 10:43:27 EDT 2023 on pts/0
No directory, logging in with HOME=/
However on a member server I get (after setting the winbind separator to
":" - it rejected other characters I tried. Moreover I get the same
results when I omit the winbind separator from smb.conf and use
HOME\\gary to login)
root@TheLibrarian:~# login
TheLibrarian login: HOME:gary
Password:
Login incorrect
and without the winbind separator and after restarting winbind
root@TheLibrarian:~# login
TheLibrarian login: HOME\\gary
Password:
Login incorrect
The bit about the winbind separator is from an outdated Samba 3 wiki at
https://www.samba.org/~ab/output/htmldocs/Samba3-HOWTO/winbind.html that
I thought I'd try since login wasn't working anyway.
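The nsswitch.conf points raised in the thread (winbind must be in the passwd and group lines; 'db', 'wins' and the mdns entries on a domain member are suspect, and the hosts line should be just "files dns") can be checked mechanically before touching getent or login. The following is an added example, not code from the thread, from Samba or from its wiki; the function names (nss_sources, has_source, clean_hosts_line, audit_nsswitch) are hypothetical, and the nsswitch.conf content it audits is a constructed sample modelled on the one quoted above, written to a temporary file so the script runs offline. Point audit_nsswitch at the real /etc/nsswitch.conf to audit a live member server.

```shell
#!/bin/sh
# Constructed sample resembling the nsswitch.conf quoted in the thread
# (not the poster's actual file). Comments are allowed, as in the real file.
SAMPLE_NSSWITCH='# sample /etc/nsswitch.conf (constructed)
passwd: db files winbind systemd
group: db files winbind systemd
shadow: files

hosts: files wins mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
netgroup: nis'

SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_NSSWITCH" > "$SAMPLE_FILE"
trap 'rm -f "$SAMPLE_FILE"' EXIT

# nss_sources DB FILE: print the source list configured for database DB
# (e.g. "passwd") in FILE, with the leading "DB:" token and comments removed.
nss_sources() {
    awk -v db="$1" '
        /^[[:space:]]*#/ { next }
        $1 == (db ":") { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$2"
}

# has_source DB SRC FILE: succeed (exit 0) if SRC is one of the sources of DB.
has_source() {
    nss_sources "$1" "$3" | tr ' ' '\n' | grep -qx "$2"
}

# clean_hosts_line FILE: print the hosts source list with wins, mdns* and the
# bracketed action that follows an mdns entry dropped, i.e. the "files dns"
# form recommended in the thread for an AD domain member.
clean_hosts_line() {
    nss_sources hosts "$1" | tr ' ' '\n' | awk '
        /^wins$/ { next }
        /^mdns/  { skip_action = 1; next }
        /^\[/    { if (skip_action) { skip_action = 0; next } }
                 { skip_action = 0; print }
    ' | tr '\n' ' ' | sed 's/ *$//'
}

# audit_nsswitch FILE: report each finding and end with a "warnings: N" line.
audit_nsswitch() {
    f=$1
    warnings=0
    for db in passwd group; do
        if has_source "$db" winbind "$f"; then
            echo "OK   $db: winbind present"
        else
            echo "WARN $db: winbind missing; domain users will not resolve via getent"
            warnings=$((warnings + 1))
        fi
        if has_source "$db" db "$f"; then
            echo "WARN $db: 'db' source listed (not needed for an AD member)"
            warnings=$((warnings + 1))
        fi
    done
    for src in wins mdns4 mdns4_minimal; do
        if has_source hosts "$src" "$f"; then
            echo "WARN hosts: '$src' listed; AD relies on DNS, suggested line: hosts: $(clean_hosts_line "$f")"
            warnings=$((warnings + 1))
        fi
    done
    echo "warnings: $warnings"
}

audit_nsswitch "$SAMPLE_FILE"
```

Run against the constructed sample the audit accepts the winbind entries in passwd and group and flags the 'db', 'wins', 'mdns4_minimal' and 'mdns4' entries, printing "hosts: files dns" as the replacement line. has_source exits non-zero when a source is absent, so it can also be used directly in a deployment check such as `has_source passwd winbind /etc/nsswitch.conf || echo "winbind not configured"`.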