Rich Webb
2018-Sep-14 03:41 UTC
[Samba] Having problem with RID backend - must be missing something
Greetings,

I currently am using Samba 4.8.5 as an AD DC on one server - working great! I am also using 4.8.5 on another server joined as a member server and I'm trying to configure the RID idmap backend. I believe I have the settings correct, but when I try to access a share on the server from a joined Windows machine I am getting prompted for credentials.

Here is my config on the DC:

#> cat /etc/samba/smb.conf
# Global parameters
[global]
        netbios name = SBS-DC1
        realm = CUSTOMER.LOCAL
        server role = active directory domain controller
        workgroup = CUSTOMER
        dns forwarder = 8.8.8.8

[netlogon]
        path = /var/locks/sysvol/customer.local/scripts
        read only = No

[sysvol]
        path = /var/locks/sysvol
        read only = No

Here is my config on the File Server:

#> cat /etc/samba/smb.conf
[global]
        netbios name = fs1
        workgroup = CUSTOMER
        security = ADS
        realm = CUSTOMER.LOCAL
        # dedicated keytab file = /etc/krb5.keytab
        # kerberos method = secrets and keytab
        idmap config *:backend = tdb
        idmap config *:range = 3000-7999
        idmap config CUSTOMER:backend = rid
        idmap config CUSTOMER:range = 10000-999999
        winbind nss info = template
        template shell = /bin/false
        template homedir = /home/%U
        # winbind trusted domains only = no
        # winbind use default domain = yes
        # winbind enum users = yes
        # winbind enum groups = yes
        # winbind refresh tickets = Yes
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

[Shared]
        writeable = yes
        path = /server/shared

[AdminOnly]
        writeable = yes
        path = /server/adminonly

The kerberos items I just commented out to test - same with the winbind lines. With them not commented the results are the same.

Another piece to the puzzle is that I had this configured and working with the AD backend, but I wanted to try to set it up a little simpler so that I don't have to select unix attributes every time I create a new user. So due to this some of my users already have the unix attributes assigned to them in the AD. The one that I am testing with (that is asking for credentials) does not. In fact the behavior that I am seeing is identical to that of having created a new user and forgetting to add the unix attributes. The result is no access to the file server shares.

Some background is that there is only ever going to be one file server in this setup and one or two domain controllers, but all running Samba 4. No network users are ever going to log into the Linux servers - they will all be Windows users accessing file shares. Samba was compiled from source - the only change on the file server compile was that I included --without-ad-dc.

I tried to follow the wiki on Setting up Samba as a domain member.

I hope I have included enough information for someone to go "Ah Ha!" and know exactly what is wrong with my setup here.

Thanks in advance,
Rich
Rowland Penny
2018-Sep-14 08:56 UTC
[Samba] Having problem with RID backend - must be missing something
On Thu, 13 Sep 2018 23:41:42 -0400 (EDT)
Rich Webb via samba <samba at lists.samba.org> wrote:

> Greetings,
>
> I currently am using Samba 4.8.5 as an AD DC on one server - working
> great! I am also using 4.8.5 on another server joined as a member
> server and I'm trying to configure the RID idmap backend and I
> believe I have the settings correct but when I try to access a share
> on the server from a joined Windows machine I am getting prompted for
> credentials.
>

What OS ? If it is Debian, do you have libpam_krb5 installed ?

Snip

> Another piece to the puzzle is that I had this configured and working
> with the AD backend but I wanted to try to set it up a little simpler
> so that I don't have to select unix attributes every time I create a
> new user. So due to this some of my users already have the unix
> attributes assigned to them in the AD. The one that I am testing
> with (that is asking for credentials) does not. In fact the behavior
> that I am seeing is identical to that of having created a new user
> and forgetting to add the unix attributes. The result is no access
> to the file server shares.

Having rfc2307 attributes in AD shouldn't affect the way the 'rid' backend works.

>
> Some background is that There is only ever going to be one file
> server in this setup and one or two domain controllers but all
> running samba 4. No network users are ever going to log into the
> linux servers - they will all be Windows users accessing file
> shares. Samba was compiled from source - only change on the file
> server compile was that I included --without-ad-dc.
>
> I tried to follow the wiki on Setting up Samba as a domain member.

Did you find it easy to understand ?

>
> I hope I have included enough information for someone to go "Ah Ha!"
> and know exactly what is wrong with my setup here.
>

Well, No ;-) there doesn't seem to be anything really wrong. I would use this smb.conf:

[global]
        workgroup = CUSTOMER
        security = ADS
        realm = CUSTOMER.LOCAL
        idmap config *:backend = tdb
        idmap config *:range = 3000-7999
        idmap config CUSTOMER:backend = rid
        idmap config CUSTOMER:range = 10000-999999
        winbind use default domain = yes
        winbind refresh tickets = Yes
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

[Shared]
        writeable = yes
        path = /server/shared

[AdminOnly]
        writeable = yes
        path = /server/adminonly

You only need the kerberos lines if you are going to connect to AD with something like squid.

What packages did you install to make Samba work ?

Rowland
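The idmap settings discussed in this thread, as an added example that is not code from the thread or from Samba: it parses the "idmap config" lines of a member server's smb.conf, flags a missing range or an overlap between the default "*" range and a domain range (a common cause of unstable or refused mappings), and computes the Unix ID that the rid backend derives from a SID's RID (ID = RID - base_rid + low range, base_rid defaulting to 0). The sample config text is constructed from the member server config above.

```python
import re

# Constructed sample: the idmap lines from the member server's smb.conf.
SMB_CONF = """
[global]
        workgroup = CUSTOMER
        security = ADS
        idmap config *:backend = tdb
        idmap config *:range = 3000-7999
        idmap config CUSTOMER:backend = rid
        idmap config CUSTOMER:range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val.lower()
    return cfg

def check_ranges(cfg):
    """List problems: a domain without a range, or two ranges that overlap."""
    problems = [f"{d}: no range configured" for d, e in cfg.items() if "range" not in e]
    items = [(d, e["range"]) for d, e in cfg.items() if "range" in e]
    for i, (d1, (l1, h1)) in enumerate(items):
        for d2, (l2, h2) in items[i + 1:]:
            if l1 <= h2 and l2 <= h1:          # closed intervals intersect
                problems.append(f"{d1} range overlaps {d2} range")
    return problems

def rid_from_sid(sid):
    """The RID is the last sub-authority of a SID such as S-1-5-21-...-1106."""
    return int(sid.rsplit("-", 1)[1])

def rid_to_unix_id(cfg, domain, rid, base_rid=0):
    """idmap_rid mapping: ID = RID - base_rid + low; None if outside the range."""
    entry = cfg[domain.upper()]
    if entry.get("backend") != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    low, high = entry["range"]
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None
```

Because the mapping is arithmetic on the RID, a user whose RID exceeds the range width gets no ID at all, so the range should be sized for the domain rather than copied from an example.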
Rich Webb
2018-Sep-14 14:52 UTC
[Samba] Having problem with RID backend - must be missing something
----- On Sep 14, 2018, at 4:56 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> What OS ?
> If it is debian, do you have libpam_krb5 installed ?

It is CentOS 7. I feel stupid because it was super simple. See below.

> Having rfc2307 attributes in AD shouldn't affect the way the 'rid'
> backend works.
>

I was thinking this as well.

>
> Did you find it easy to understand ?
>

I thought so, but it wasn't working so I didn't know what to think.

> there doesn't seem to be anything really wrong

And there wasn't!

> What packages did you install to make Samba work ?

I didn't use RPMs or any pre-built packages - I downloaded samba-latest.tar.gz and compiled from scratch. If you're referring to OS specific packages, I followed the wiki on package requirements for building Samba. My yum commands to install all the requirements were these:

yum -y groupinstall 'Development Tools'
yum -y install epel-release
yum -y install attr bind-utils docbook-style-xsl krb5-workstation \
    libsemanage-python libxslt perl-ExtUtils-MakeMaker \
    perl-Parse-Yapp policycoreutils-python perl-Test-Base \
    python2-crypto gnutls-devel libattr-devel keyutils-libs-devel \
    libacl-devel libaio-devel libblkid-devel libxml2-devel openldap-devel \
    pam-devel popt-devel python-devel readline-devel zlib-devel systemd-devel

So I compiled it with the options to create the systemd service files and it did, but I had to move them to the proper location to use them. The first time I tested I manually started the services and forgot about enabling them to run with system startup. I had made some changes to config files and for some reason unknown right now I rebooted the server. I had only started the smb and nmb daemons and not winbind. It doesn't work very well if winbind is not running if you want to use any backend for idmapping. After enabling all three services and making sure all three were running, the RID backend works great as configured.

I will take your advice on the kerberos lines though and take those out. Not using squid or anything like that. If you have any suggestions on optimizations I could make on either the file server or the DC that would be great.

My overall goal is I am creating a small business server type solution with vmware and multiple VMs encompassing a domain controller, file server, email server (using Zimbra), backup server, and vpn server (using SoftEther) using all free and open source software. My plan once I get all the components together is to put together a website detailing the setup so that others can benefit from this solution. I'm sure there are people looking for Microsoft alternatives that could benefit from having all the steps in one place.

Thanks for your help!
Rich