On Tue, 6 Dec 2016 14:52:20 -0500
lingpanda101 via samba <samba at lists.samba.org> wrote:

> On 12/6/2016 1:49 PM, Rowland Penny via samba wrote:
> > On Tue, 6 Dec 2016 19:38:49 +0100
> > Marc Muehlfeld via samba <samba at lists.samba.org> wrote:
> >
> >> Hello,
> >>
> >> On 06.12.2016 at 19:15, lingpanda101 via samba wrote:
> >>> Does the wiki contain documentation on how to join a Linux
> >>> workstation to Samba? I can't seem to find it. I do see this
> >>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> >>> but this appears to use SSH to login. I'm looking to login
> >>> locally.
> >> This is the documentation you're looking for.
> >>
> >> SSH is just an example in the documentation of how to use pam_winbind.
> >> Have a look at your PAM configuration files and the PAM
> >> documentation to see which file you have to add pam_winbind to for
> >> local logins.
> >>
> >> Regards,
> >> Marc
> >>
> > libpam-winbind, libpam-krb5 and libnss-winbind on Debian, presumably
> > the same on Ubuntu.
> >
> > Rowland
> >
> OK thanks. I'm a bit stuck at the part where I configure my smb.conf.
> I'm going with the winbind ad backend.
>
> [global]
> security = ADS
> workgroup = MYDOMAIN
> realm = MYDOMAIN.LOCAL (Yes I know about .local)
>
> log file = /var/log/samba/%m.log
> log level = 1
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999 (This is the range for local
> users on the workstation?)
> winbind nss info = rfc2307
> idmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN:schema_mode = rfc2307
> idmap config MYDOMAIN:range = 10000-999999 (This is the default
> range samba uses, correct?)
>
> If I # cat /etc/adduser.conf I see
>
> FIRST_UID=1000
> LAST_UID=29999
>
> Is this the range I should use for 'idmap config * : range
> 2000-9999'?

No, the '*' range is for the 'well known SIDs' (see here:
https://support.microsoft.com/en-us/kb/243330) and anything outside
your domain (aka workgroup).

The suggested ranges on the samba wiki are known to work (well, they
work for me). They allow for local Unix users & groups in the range
1000-1999, for the well known SIDs in the range 2000-9999 and domain
users & groups in the range 10000-999999.

The local Unix users & groups will get their IDs when they are added
and they will be created in /etc/passwd and /etc/group.
The well known SIDs will be allocated an ID, starting from 2000, i.e.
the start number for the range.
You will have to add unique uidNumber attributes to each user, starting
from 10000; you must also give 'Domain Users' a gidNumber attribute,
you can use 10000 for this (yes, you can have a user with uidNumber
10000 and a group with the same number).

If everything is installed and set up correctly and you run 'getent
passwd auser' you should get something like this:

rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Any further questions, just ask ;-)

Rowland
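Rowland's answer comes down to three ID ranges that must not touch: local accounts, the '*' range (well-known SIDs and anything outside the domain) and the domain range. On the workstation in the thread, /etc/adduser.conf allocates local users from 1000 to 29999, which overlaps both winbind ranges; an overlap means a locally created account and a mapped domain SID can end up holding the same UID, and the kernel then treats them as one identity for every permission check. The script below is an added example, not part of the thread or of the Samba project: it parses the idmap ranges out of an smb.conf, checks them against the local allocation range and against each other, and flags local accounts whose UID already sits inside a winbind range. The smb.conf and passwd contents it builds are constructed samples, and lowering LAST_UID to 1999 (matching the wiki's 1000-1999 local range) is an assumed remedy, not something the thread states.

```shell
#!/bin/sh
# idmap_check.sh (added example): verify that the winbind idmap ranges in an
# smb.conf neither overlap each other nor the workstation's local account
# range, and flag local accounts whose UID already lies in a winbind range.

# Print "NAME LOW HIGH" for every "idmap config NAME : range = LOW-HIGH"
# line in the smb.conf given as $1 (NAME is '*' for the default backend).
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2 \3/p' "$1"
}

# Check every idmap range against the others and against the local range
# $2-$3 (FIRST_UID/LAST_UID from /etc/adduser.conf). Prints OK, or one
# OVERLAP/BAD line per problem; exit status 1 if anything was reported.
check_ranges() {
    { printf 'LOCAL %s %s\n' "$2" "$3"; idmap_ranges "$1"; } | awk '
        {
            name[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0
            if (lo[NR] > hi[NR]) { printf "BAD %s %d-%d\n", $1, lo[NR], hi[NR]; bad = 1 }
        }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "OVERLAP %s %d-%d %s %d-%d\n",
                               name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                        bad = 1
                    }
            if (!bad) print "OK"
            exit bad
        }'
}

# Print "USER UID" for each account in passwd file $1 whose UID falls inside
# a winbind range from smb.conf $2: that UID would be shared with whatever
# SID winbind maps onto it.
local_collisions() {
    idmap_ranges "$2" | awk -F'[ :]' '
        NR == FNR { lo[NR] = $2 + 0; hi[NR] = $3 + 0; n = NR; next }
        { for (i = 1; i <= n; i++) if ($3 >= lo[i] && $3 <= hi[i]) print $1, $3 }
    ' - "$1"
}

# Constructed sample inputs (not taken from any real host): the smb.conf
# from the thread plus a passwd with a local service account created at 10001.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/smb.conf" <<'EOF'
[global]
    security = ADS
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    winbind nss info = rfc2307
    idmap config DOMAIN:backend = ad
    idmap config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range = 10000-999999
EOF
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
james:x:1000:1000:James:/home/james:/bin/bash
svcbackup:x:10001:10001:backup service:/var/backups:/usr/sbin/nologin
EOF
    printf '%s\n' "$d"
}

dir=$(make_samples)
echo "== with Ubuntu's default adduser.conf range 1000-29999:"
check_ranges "$dir/smb.conf" 1000 29999 || true
echo "== after lowering LAST_UID to 1999 (assumed fix):"
check_ranges "$dir/smb.conf" 1000 1999 || true
echo "== local accounts already inside a winbind range:"
local_collisions "$dir/passwd" "$dir/smb.conf"
```

On a real host, feed check_ranges the FIRST_UID/LAST_UID values from /etc/adduser.conf (or UID_MIN/UID_MAX from /etc/login.defs) and local_collisions the real /etc/passwd; the same pass should be repeated for groups, since gidNumber values share the domain range.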
On 12/6/2016 3:09 PM, Rowland Penny via samba wrote:
> [...]

OK, unable to get anything back from 'getent'. Using Ubuntu 16.04.1,
Samba 4.5.1 built from tar.

# /usr/local/samba/bin/net ads join -U administrator
Enter administrator's password:
Using short domain name -- DOMAIN
Joined 'DR210' to dns domain 'domain.local'
DNS update failed: NT_STATUS_UNSUCCESSFUL

(I manually added the DNS A RR.)

smb.conf file

[global]
security = ADS
workgroup = DOMAIN
realm = DOMAIN.LOCAL

log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 3000-7999
winbind nss info = rfc2307
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-999999

'libnss_winbind' links

lrwxrwxrwx 1 root root 41 Dec 7 07:51 libnss_winbind.so -> /lib/x86_64-linux-gnu/libnss_winbind.so.2
lrwxrwxrwx 1 root root 40 Dec 7 07:51 libnss_winbind.so.2 -> /usr/local/samba/lib/libnss_winbind.so.2

root at DR210:/# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

root at DR210:/# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 172.16.232.29
nameserver 172.16.232.39
search domain.local

root at DR210:/# cat /var/log/samba/winbindd.log
[2016/12/07 08:12:17.545371,  0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'winbindd' finished starting up and ready to serve connections
[2016/12/07 08:14:32.678686,  1] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
  tdb(/usr/local/samba/var/lock/mutex.tdb): tdb_lock failed on list 63 ltype=1 (Interrupted system call)
[2016/12/07 08:14:32.678743,  0] ../source3/lib/util_tdb.c:497(tdb_chainlock_with_timeout_internal)
  tdb_chainlock_with_timeout_internal: alarm (40) timed out for key PFDC1 in tdb /usr/local/samba/var/lock/mutex.tdb
[2016/12/07 08:14:32.678796,  1] ../source3/lib/server_mutex.c:97(grab_named_mutex)
  Could not get the lock for PFDC1
[2016/12/07 08:14:32.678860,  0] ../source3/winbindd/winbindd_cm.c:1039(cm_prepare_connection)
  cm_prepare_connection: mutex grab failed for PFDC1
[2016/12/07 08:18:13.433118,  1] ../source3/winbindd/winbindd_util.c:352(trustdom_list_done)
  trustdom_list_done: Could not receive trusts for domain DOMAIN

--
- James
On 12/6/2016 3:09 PM, Rowland Penny via samba wrote:
> [...]

I'll point out a typo in the wiki while I go through this exercise.

# smbd -B | grep LIBDIR

The switch is actually lowercase for me.

# smbd -b | grep LIBDIR

--
- James
On 12/6/2016 3:09 PM, Rowland Penny via samba wrote:
> [...]

I think I have an issue with ldconfig not finding winbind. I created
the symlinks and verified they exist. What am I missing? Thanks.

ldconfig -v | grep "libnss_"
/sbin/ldconfig.real: Path `/lib/x86_64-linux-gnu' given more than once
/sbin/ldconfig.real: Path `/usr/lib/x86_64-linux-gnu' given more than once
/sbin/ldconfig.real: /lib/x86_64-linux-gnu/ld-2.23.so is the dynamic linker, ignoring

        libnss_mdns4_minimal.so.2 -> libnss_mdns4_minimal.so.2
        libnss_files.so.2 -> libnss_files-2.23.so
        libnss_nis.so.2 -> libnss_nis-2.23.so
        libnss_mdns.so.2 -> libnss_mdns.so.2
        libnss_dns.so.2 -> libnss_dns-2.23.so
        libnss_nisplus.so.2 -> libnss_nisplus-2.23.so
        libnss_mdns6_minimal.so.2 -> libnss_mdns6_minimal.so.2
        libnss_compat.so.2 -> libnss_compat-2.23.so
        libnss_mdns_minimal.so.2 -> libnss_mdns_minimal.so.2
        libnss_hesiod.so.2 -> libnss_hesiod-2.23.so
        libnss_mdns6.so.2 -> libnss_mdns6.so.2
        libnss_mdns4.so.2 -> libnss_mdns4.so.2

--
- James
On Thu, 8 Dec 2016 12:27:20 -0500
lingpanda101 via samba <samba at lists.samba.org> wrote:

> [...]

What version of Samba are you using? I got the impression you were
using the distro's packages, in which case you do not create the
symlinks, you just install the packages I referred to earlier.

Rowland
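Two things in the thread decide whether getent can return domain users at all: James's nsswitch.conf has winbind on the passwd and group lines, and his self-built Samba relies on hand-made symlinks so that glibc can find libnss_winbind.so.2. glibc loads an NSS module by dlopen()ing libnss_<service>.so.2 by bare name, resolved through ld.so.cache and the default library directories, which is why the wiki has you run ldconfig after creating the links; if the module is missing from those directories, or the link dangles, getent simply returns nothing and nsswitch.conf itself will not tell you why. The script below is an added example, not from the thread or the Samba project, that checks both halves. It takes file and directory paths as arguments so it can be run against constructed copies; the directory list is a parameter because the real search path depends on the distribution. The nsswitch.conf contents and library directories it builds are constructed samples. It does not address the mutex and trust errors in the winbindd log, which are a separate problem.

```shell
#!/bin/sh
# nss_winbind_check.sh (added example): verify the two things getent needs
# before it can return domain users: winbind listed for passwd and group in
# nsswitch.conf, and a loadable libnss_winbind.so.2 in the linker's path.

# Print the service list configured for database $2 (passwd, group, ...)
# in the nsswitch.conf given as $1.
nss_services() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1"
}

# Exit 0 if 'winbind' is present for both passwd and group in $1; otherwise
# name the first database that lacks it and exit 1.
nss_has_winbind() {
    for db in passwd group; do
        case " $(nss_services "$1" "$db") " in
            *" winbind "*) ;;
            *) printf 'MISSING winbind in %s line\n' "$db"; return 1 ;;
        esac
    done
    printf 'OK nsswitch\n'
}

# Look for libnss_winbind.so.2 in the colon-separated directories $1, in the
# order ld.so would search them. A symlink whose target is gone (the
# self-built Samba was moved or its prefix changed) is reported as DANGLING;
# open() on it fails with ENOENT and the loader moves on to the next
# directory, so it only breaks lookups if no later directory has the module.
nss_module_state() {
    dirs=$1
    oldifs=$IFS; IFS=:; set -- $dirs; IFS=$oldifs
    for dir; do
        f="$dir/libnss_winbind.so.2"
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            printf 'DANGLING %s -> %s\n' "$f" "$(readlink "$f")"
        elif [ -e "$f" ]; then
            printf 'FOUND %s\n' "$(readlink -f "$f")"
            return 0
        fi
    done
    printf 'MISSING libnss_winbind.so.2 in %s\n' "$dirs"
    return 1
}

# Constructed samples (not from a real host): the nsswitch.conf from the
# thread, one with winbind missing from group, a library directory whose
# link resolves, and one whose link points at an uninstalled Samba prefix.
make_samples() {
    d=$(mktemp -d)
    printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n' > "$d/nsswitch.good"
    printf 'passwd: compat winbind\ngroup: compat\nshadow: compat\n' > "$d/nsswitch.bad"
    mkdir "$d/samba" "$d/lib-ok" "$d/lib-dangling"
    : > "$d/samba/libnss_winbind.so.2"
    ln -s "$d/samba/libnss_winbind.so.2" "$d/lib-ok/libnss_winbind.so.2"
    ln -s "$d/gone/libnss_winbind.so.2" "$d/lib-dangling/libnss_winbind.so.2"
    printf '%s\n' "$d"
}

dir=$(make_samples)
nss_has_winbind "$dir/nsswitch.good" || true
nss_has_winbind "$dir/nsswitch.bad" || true
nss_module_state "$dir/lib-dangling:$dir/lib-ok" || true
nss_module_state "$dir/lib-dangling" || true
# On a real Debian/Ubuntu host the last check would be run against the
# directories ld.so actually searches, for example
# "/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu", and /etc/nsswitch.conf.
```

If both checks pass and getent still returns nothing, the problem is on the winbindd side rather than in name-service wiring, and the winbindd log is the next place to look.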