[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
Gary Dale
gary at extremeground.com
Wed Apr 26 15:24:50 UTC 2023
On 2023-04-26 11:05, Gary Dale via samba wrote:
> On 2023-04-25 12:01, Rowland Penny via samba wrote:
>>
>>
>> On 25/04/2023 16:34, Gary Dale via samba wrote:
>>> On 2023-04-25 07:30, Rowland Penny via samba wrote:
>>>>
>>>>
>>>> On 25/04/2023 04:56, Gary Dale via samba wrote:
>>>>>
>>>>> which is owned by root:Domain Admins. This shows up in Linux as:
>>>>> root at TheLibrarian:~# ls -l /srv/
>>>>> total 4
>>>>> drwxr-xr-x 2 root 110512 4096 Apr 23 11:30 taxes
>>>>
>>>> Why is the group being shown as a number rather than by name (which
>>>> ends in '512' so is probably Domain Admins, which shouldn't have a
>>>> gidNumber, it breaks sysvol when using the 'ad' idmap backend)?
>>>> Is /etc/nsswitch.conf set up correctly? Are libpam-winbind and
>>>> libnss-winbind installed?
>>>>
>>>> Rowland
>>>>
>>> Both are installed from backports (version 4.17.7).
>>>
>>> /etc/nsswitch.conf reads:
>>> passwd: db files winbind systemd
>>> group: db files winbind systemd
>>
>> I had to look up what 'db' was, never come across it before, I do not
>> know who put it there, but I would remove every mention of it from
>> nsswitch.conf
>>
>>> shadow: files
>>>
>>> hosts: files wins mdns4_minimal [NOTFOUND=return] dns mdns4
>>
>> How did 'wins' get there? AD does not use it, so I would remove it;
>> in fact, I would remove the mdns4 stuff as well, leaving just this
>>
>> hosts: files dns
>>
>>> mymachines
>>> networks: files
>>>
>>> protocols: db files
>>> services: db files
>>> ethers: db files
>>> rpc: db files
>>>
>>> netgroup: nis
>>>
>>>
>>> I can't see any mention of any configuration for libpam-winbind.
>>
>> You do not need to configure, just install it and ensure that
>> 'winbind' is in the passwd and group lines.
>>
>>> When I look at
>>> https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM,
>>> there isn't much there. Under Configuring PAM, it just lists the
>>> utilities but doesn't say what you are supposed to do with them. It
>>> also shows an example for enabling SSH authentication on a Red Hat
>>> system, but I never use password authentication for SSH. I use
>>> certificates.
>>
>> That is the problem: PAM is set up differently depending on the
>> distro, so you have to refer to the distro's documentation. However,
>> Debian does most of the required modifications for you, run
>> 'pam-auth-update' to see what is available and if it is already in use.
>>
>>>
>>> The man page for pam-auth-update isn't helpful, but looking at the
>>> individual /etc/pam.d files, they seem to have mention of winbind
>>> and kerberos.
>>>
>>> I note that:
>>> root at TheLibrarian:~# net rpc group list -U Administrator ## same
>>> results from my workstation.
>>> Password for [HOME\Administrator]:
>>> Could not connect to server 127.0.0.1
>>
>> It is trying to connect to a non-existing server on localhost, you
>> will need to use '-S <DC_hostname>'
>>
>>> The username or password was not correct.
>>> Connection failed: NT_STATUS_LOGON_FAILURE
>>>
>>> but the command(s) work on DC1. Both machines were joined to the
>>> domain and both show in the list of domain computers.
>>>
>>
> While adding the -S option works on net rpc, the similar -s option
> fails for getent commands. e.g.
>
> root at DC1:~# getent passwd HOME\\gary
> HOME\gary:*:3000022:100::/home/HOME/gary:/bin/false
>
> root at TheLibrarian:~# getent passwd HOME\\gary
> root at TheLibrarian:~# getent passwd HOME\\gary -s DC1
> root at TheLibrarian:~#
>
> Similarly, when trying to login from a domain account I get:
>
> root at DC1:~# login
> DC1 login: gary
> Password:
> Linux DC1 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64
>
> The programs included with the Debian GNU/Linux system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
>
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> Last login: Wed Apr 26 10:43:27 EDT 2023 on pts/0
> No directory, logging in with HOME=/
>
> However on a member server I get (after setting the winbind separator
> to ":" - it rejected other characters I tried. Moreover I get the same
> results when I omit the winbind separator from smb.conf and use
> HOME\\gary to login)
>
> root at TheLibrarian:~# login
> TheLibrarian login: HOME:gary
> Password:
>
> Login incorrect
>
> and without the winbind separator and after restarting winbind
>
> root at TheLibrarian:~# login
> TheLibrarian login: HOME\\gary
> Password:
>
> Login incorrect
>
> The bit about the winbind separator is from an outdated Samba 3 wiki
> at https://www.samba.org/~ab/output/htmldocs/Samba3-HOWTO/winbind.html
> that I thought I'd try since login wasn't working anyway.
>
Further to the above, I tried the testing it suggested and got this:
root at transponder:~# wbinfo -g
domain controllers
domain computers
group policy creator owners
dnsadmins
denied rodc password replication group
protected users
schema admins
read-only domain controllers
enterprise admins
allowed rodc password replication group
domain admins
ras and ias servers
enterprise read-only domain controllers
dnsupdateproxy
cert publishers
domain guests
domain users
root at transponder:~# wbinfo -u
krbtgt
gary
guest
administrator
which clearly are from the domain - I don't have a local user named
"gary", for example. However the getent tests only show the local users,
which is also what I get when I use it to find domain users - it fails
to find them.
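As an added example, not part of this thread and not Samba's own tooling: a small POSIX shell check that applies the nsswitch.conf advice given above (keep 'winbind' in passwd and group, remove the 'db' source, reduce hosts to 'files dns') to a configuration text, and a second helper that lists the users winbind reports (wbinfo -u) which NSS still fails to resolve, which is the symptom described in the last paragraph. The nsswitch text, the wbinfo output and the getent result are constructed samples copied from the thread, not live output; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): check an nsswitch.conf against the
# advice given in the thread. Assumes: passwd/group must list 'winbind',
# the 'db' source should be removed, and hosts should be just 'files dns'.

# Constructed sample reproducing the nsswitch.conf quoted in the thread.
SAMPLE_NSSWITCH='passwd: db files winbind systemd
group: db files winbind systemd
shadow: files
hosts: files wins mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
netgroup: nis'

# Constructed sample with the suggested corrections applied.
FIXED_NSSWITCH='passwd: files winbind systemd
group: files winbind systemd
shadow: files
hosts: files dns'

# nss_has_source DATABASE SOURCE   (nsswitch text on stdin)
# Exit 0 if the DATABASE line lists SOURCE, 1 otherwise.
nss_has_source() {
    awk -v db="$1" -v src="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# check_nsswitch TEXT
# Print one finding per line for the problems discussed in the thread;
# prints nothing when the configuration is clean.
check_nsswitch() {
    text="$1"
    for database in passwd group; do
        printf '%s\n' "$text" | nss_has_source "$database" winbind ||
            echo "$database: 'winbind' missing, domain users will not resolve"
        printf '%s\n' "$text" | nss_has_source "$database" db &&
            echo "$database: remove the 'db' source"
    done
    for src in wins mdns4_minimal mdns4; do
        printf '%s\n' "$text" | nss_has_source hosts "$src" &&
            echo "hosts: drop '$src', AD uses DNS; use 'hosts: files dns'"
    done
    return 0
}

# unresolved_users WBINFO_OUTPUT RESOLVED_NAMES
# Print every user in WBINFO_OUTPUT (one per line, as from 'wbinfo -u') that
# does not appear in RESOLVED_NAMES (one per line, the names getent returned).
unresolved_users() {
    printf '%s\n' "$1" | while IFS= read -r user; do
        printf '%s\n' "$2" | grep -qxF -- "$user" || echo "$user"
    done
}

# Constructed 'wbinfo -u' output matching the thread; the constructed getent
# result assumes only 'gary' resolved.
WBINFO_USERS='krbtgt
gary
guest
administrator'

check_nsswitch "$SAMPLE_NSSWITCH"     # five findings for the quoted config
check_nsswitch "$FIXED_NSSWITCH"      # no output: clean
unresolved_users "$WBINFO_USERS" 'gary'
```

On a real member server the same checks run as `check_nsswitch "$(cat /etc/nsswitch.conf)"`, and the second helper takes the live lists, e.g. `wbinfo -u` for the first argument and the user field of `getent passwd` (with the domain prefix stripped if a winbind separator is in use) for the second. A non-empty result from the second helper while the first is clean points at the winbind/NSS link itself (libnss-winbind not loaded, or winbind not running) rather than at nsswitch.conf.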