[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend

Gary Dale gary at extremeground.com
Thu Apr 27 00:37:36 UTC 2023 

On 2023-04-26 15:21, Rowland Penny via samba wrote:
>
>
> On 26/04/2023 19:40, Gary Dale via samba wrote:
>>
>> On 2023-04-26 13:54, Rowland Penny via samba wrote:
>>>
>>>
>>> On 26/04/2023 18:27, Gary Dale via samba wrote:
>>>
>>>> No. I am running the tests suggested by the various Samba wiki 
>>>> pages. I can do a getent passwd <local account> on my workstation 
>>>> and on my file & print server but I can't do a getent passwd 
>>>> <domain account> except on my DC. I explicitly showed that in the 
>>>> message before the one you replied to. I also showed how I can't do 
>>>> a login to a domain account except on the DC.
>>>>
>>>> This failure to get domain account information seems likely to be 
>>>> at the heart of the problems I'm having.
>>>>
>>>>
>>>
>>> So you are running 'getent passwd gary' and getting no output, this 
>>> is usually caused by libpam-winbind and libnss-winbind not being 
>>> installed, or /etc/nsswitch.conf not being configured correctly, the 
>>> relevant lines from mine look like this:
>>>
>>> passwd:         files winbind
>>> group:          files winbind
>>
>> installed and configured correctly
>>
>>
>>>
>>> Or pam-auth-update is configured correctly, again these are the 
>>> lines from mine:
>>>
>>> [*] Unix authentication
>>> [*] Winbind NT/Active Directory authentication
>>> [*] Register user sessions in the systemd control group ...
>>> [*] Create home directory on login
>>>
>> Have an extra entry for systemd that is checked but have Create home 
>> directory on login unchecked. Shouldn't cause the problems I'm seeing.
>>
>>
>>> Or you are using the 'ad' idmap backend on a Unix domain member and 
>>> haven't added a uidNumber attribute to the users and added a 
>>> gidNumber attribute to the Domain Users group. The numbers you use 
>>> in these attributes have to be unique, though you can use the same 
>>> range for users and groups, that is 'gary' could have the ID 10000 
>>> and Domain Users could also the same ID 10000. Whatever numbers you 
>>> use, the Domain idmap config line in smb.conf must enclose those 
>>> numbers e.g.
>>> idmap config DOMAIN : range = 10000-999999
>>
>> Ah, so that explains it. I originally was using autorid because that 
>> seemed the best fit for my circumstances but you complained about me 
>> doing that. Re-reading the 
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba 
>> I see it mentions that I have to add a the uidNumber and gidNumber 
>> attributes without actually telling me how to do it.
>>
>> I found 
>> https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_using_samba-tool_and_ldb-tools#Adding_Unix_attributes_to_an_existing_user_account 
>> which gives insufficient instruction in the matter. I note, for 
>> example, the line:
>> samba-tool user addunixattrs sambauser uid --gid-number=gid 
>> --login-shell=/bin/bash --unix-home=/home/sambauser
>>
>> which I think may be better written as:
>>
>> samba-tool user addunixattrs <sambauser> <uid> --gid-number=<gid> 
>> --login-shell=/bin/bash --unix-home=/home/<sambauser>
>>
>> followed by an example showing reasonable values (or some discussion 
>> about what those values should be). My immediate reaction would be to 
>> use normal Linux user ids (i.e. starting at 1000 on Debian) and group 
>> ids (i.e. 100 is the normal group for users). However, you have 
>> reacted in horror to that idea, so this would probably be a good wiki 
>> to present an explanation as to why it is a bad idea,
>>
>
> Try reading this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Which will lead you to this:
>
> https://wiki.samba.org/index.php/Idmap_config_ad
>
> Rowland

Neither actually addresses the question I raised. Apart from the 
administrative policy of using AD for account maintenance, why not use, 
for example, 100 as the <gid> or 1000 as a <uid>? If I have to set the 
ids manually, I should be able to keep track of them more easily when 
they are smaller numbers....  Or do you need to use large enough numbers 
so that all the ideas you may ever create will be the same length?

Or why not use autorid?

Another issue that isn't addressed with instructions and an example is 
the adding of a GID to the standard domain groups. It seems to be 
necessary but the only example doesn't seem to deal with it. An example 
showing adding a GID to Domain Users, for example would be helpful.

More information about the samba mailing list