Hello,

I'm running a Samba DC on Debian 9 (version 4.5.12-Debian) in a lab environment, set up like this:
https://jonathonreinhart.com/posts/blog/2019/02/11/setting-up-a-samba-4-domain-controller-on-debian-9/

I would now like to configure this server to enable login via domain credentials. I'm aware that the Samba wiki recommends the following:

- https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
- https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM

However, I'm familiar with using Realmd (using its default SSSD) to join Linux servers to a MS AD domain, to enable SSH and sudo using domain credentials. So I'm trying to use Realmd on my Samba DC, using winbind instead of sssd (because Samba already uses winbind).

I first installed libpam-winbind, and then attempted the following:

    # realm join --client-software=winbind --automatic-id-mapping=no ad.example.com

After entering my domain Administrator password, I received this error message:

    realm: Couldn't join realm: Failed to enroll machine in realm. See diagnostics.

Upon a second attempt, I got this error message:

    realm: Couldn't join realm: Joining the domain ad.example.com failed

Looking in the realmd logs, I see the following:

    * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.3D2AXZ -U Administrator ads join ad.example.com
    gss_init_sec_context failed with [ Miscellaneous failure (see text): Server (ldap/samba-dc.ad.example.com at AD.EXAMPLE.COM) unknown]
    kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: for ldap/samba-dc.ad.example.com user[Administrator] realm[AD.EXAMPLE.COM]: An internal error occurred.

At this point, I'm stumped. This is on a very fresh install, so it should be very easy to reproduce.

Is what I'm attempting to do a valid operation? Or is it weird that realmd is trying to "join" the DC to the domain?

Thank you,

Jonathon Reinhart
On Fri, 1 Mar 2019 08:21:54 -0500
Jonathon Reinhart via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I'm running a Samba DC on Debian 9 (version 4.5.12-Debian) in a lab
> environment, set up like this:
> https://jonathonreinhart.com/posts/blog/2019/02/11/setting-up-a-samba-4-domain-controller-on-debian-9/

There are a few 'not quite right' things there and at least one 'Nooooo, don't do that' ;-)

The 'Nooooo, don't do that' is:
Don't change the UPN

> I would now like to configure this server to enable login via domain
> credentials. I'm aware that the Samba wiki recommends the following:
>
> - https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> - https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM
>
> However, I'm familiar with using Realmd (using its default SSSD) to
> join Linux servers to a MS AD domain, to enable SSH and sudo using
> domain credentials. So I'm trying to use Realmd on my Samba DC, using
> winbind instead of sssd (because Samba already uses winbind).
>
> I first installed libpam-winbind, and then attempted the following:
> # realm join --client-software=winbind --automatic-id-mapping=no
> ad.example.com

What about libnss-winbind ?

> After entering my domain Administrator password, I received this
> error message: realm: Couldn't join realm: Failed to enroll machine
> in realm. See diagnostics.

Well, you would.

> Upon a second attempt, I got this error message:
> realm: Couldn't join realm: Joining the domain ad.example.com failed

Again, you would.

> Looking in the realmd logs, I see the following:
>
> * LANG=C LOGNAME=root /usr/bin/net -s
> /var/cache/realmd/realmd-smb-conf.3D2AXZ -U Administrator ads join
> ad.example.com
> gss_init_sec_context failed with [ Miscellaneous failure (see
> text): Server (ldap/samba-dc.ad.example.com at AD.EXAMPLE.COM)
> unknown]
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: for
> ldap/samba-dc.ad.example.com user[Administrator]
> realm[AD.EXAMPLE.COM]: An internal error occurred.

Yes, you would get an error message.

> At this point, I'm stumped. This is on a very fresh install, so it
> should be very easy to reproduce.
>
> Is what I'm attempting to do a valid operation?

No

> Or is it weird that realmd is trying to "join" the DC to the domain?

Oh yes, very weird, trying to join something that is already joined to the domain by the provision command.

Oh and just in passing, you probably do not have a forwarder set in smb.conf

Rowland
Hai Jonathon,

in addition to Rowland's comment.. ..
He is always quicker in the response when I'm typing them..

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Jonathon Reinhart via samba
> Sent: Friday, 1 March 2019 14:22
> To: samba at lists.samba.org
> Subject: [Samba] (no subject)
>
> Hello,
>
> I'm running a Samba DC on Debian 9 (version 4.5.12-Debian) in a lab
> environment, set up like this:
> https://jonathonreinhart.com/posts/blog/2019/02/11/setting-up-a-samba-4-domain-controller-on-debian-9/

few minor points.

REALM="ad.onthefive.com"
Realm always in CAPS, this prevents problems with other programs. Most programs expect REALM in CAPS.
For example postfix expects REALM in CAPS.

I suggest you add a note here that the DNS-domain and REALM are 2 different things.
And the other sidenote on this is, often the dns-domain == REALM ( but in caps )

The krb5.conf. mv /etc/krb5.conf /etc/krb5.conf.old
The default from debian, if you enter the REALM in CAPS at install, is sufficient. Not really needed but not wrong.

I also suggest, add a check if the reverse zone exists.

> I would now like to configure this server to enable login via domain
> credentials. I'm aware that the Samba wiki recommends the following:

apt install ssh-krb5 libpam-krb5 libnss-winbind libpam-winbind

That configures 1-2 parameters in sshd_config and gives you directly the ability to login with kerberos.
Note, not accounting for the missing "template" parameters.

Default: template homedir = /home/%D/%U
Default: template shell = /bin/false
(man smb.conf)
And how are the homedirs created, through ADUC or mk_homedir

Needed on the DC's with logins and members that used RID setup, also set in /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind

> - https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> - https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM
>
> However, I'm familiar with using Realmd (using its default SSSD) to
> join Linux servers to a MS AD domain, to enable SSH and sudo using
> domain credentials. So I'm trying to use Realmd on my Samba DC, using
> winbind instead of sssd (because Samba already uses winbind).

If I may suggest. Go through these.
https://github.com/thctlo/samba4/tree/master/howtos
These are a bit older, I'm working on the update and nice layouts etc.
It's my git link, most things you're wanting/asking are in my scripts.

For example, what I don't see on the site is the check on /etc/hosts
If you installed with dhcp you need to change 127.0.1.1 to the real ip of the server in /etc/hosts

> I first installed libpam-winbind, and then attempted the following:
> # realm join --client-software=winbind
> --automatic-id-mapping=no ad.example.com
>
> After entering my domain Administrator password, I received
> this error message:
> realm: Couldn't join realm: Failed to enroll machine in
> realm. See diagnostics.
>
> Upon a second attempt, I got this error message:
> realm: Couldn't join realm: Joining the domain ad.example.com failed
>
> Looking in the realmd logs, I see the following:
>
> * LANG=C LOGNAME=root /usr/bin/net -s
> /var/cache/realmd/realmd-smb-conf.3D2AXZ -U Administrator ads join
> ad.example.com
> gss_init_sec_context failed with [ Miscellaneous failure (see
> text): Server (ldap/samba-dc.ad.example.com at AD.EXAMPLE.COM)
> unknown]
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: for
> ldap/samba-dc.ad.example.com user[Administrator]
> realm[AD.EXAMPLE.COM]: An internal error occurred.
>
> At this point, I'm stumped. This is on a very fresh install, so it
> should be very easy to reproduce.
>
> Is what I'm attempting to do a valid operation? Or is it weird that
> realmd is trying to "join" the DC to the domain?

No, not strange, but realmd is "joining" the AD-DC and it's trying that with member settings. That won't work on the DC itself of course.

Greetz,

Louis
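The three checks Louis lists above (the 127.0.1.1 entry in /etc/hosts, winbind in nsswitch.conf, and the template parameters in smb.conf) as an added, runnable pre-flight script. This is an example written for this thread, not code from Samba or from the posters' own howtos; the file paths and the sample hosts file in the demo are constructed.

```sh
#!/bin/sh
# Pre-flight checks for a Samba AD DC, written for this thread as an added
# example (not from Samba and not from the posters' own scripts). Each check
# takes a file path so it can run against the real file or a constructed sample.
# Assumed: winbind is the NSS backend, as recommended in the thread.

# Fail if the DC's FQDN is bound to 127.0.1.1 (what a DHCP-based Debian install
# writes); the host must appear under its real address instead.
check_hosts() {
    hosts_file=$1; fqdn=$2
    if grep -E '^[[:space:]]*127\.0\.1\.1[[:space:]]' "$hosts_file" | grep -qwF "$fqdn"; then
        echo "BAD: $fqdn is mapped to 127.0.1.1 in $hosts_file"; return 1
    fi
    if ! grep -Ev '^[[:space:]]*(#|127\.|::1)' "$hosts_file" | grep -qwF "$fqdn"; then
        echo "BAD: $fqdn has no non-loopback entry in $hosts_file"; return 1
    fi
    return 0
}

# Fail unless both the passwd and group databases in nsswitch.conf list winbind.
check_nsswitch() {
    nss_file=$1
    for db in passwd group; do
        grep -E "^[[:space:]]*$db:" "$nss_file" | grep -qw winbind || {
            echo "BAD: '$db:' line in $nss_file does not list winbind"; return 1; }
    done
    return 0
}

# Fail if smb.conf leaves 'template homedir' / 'template shell' at their defaults
# (/home/%D/%U and /bin/false), which is what the thread warns about.
check_templates() {
    smb_conf=$1
    for param in "template homedir" "template shell"; do
        grep -Eiq "^[[:space:]]*$param[[:space:]]*=" "$smb_conf" || {
            echo "BAD: '$param' not set in $smb_conf, default applies"; return 1; }
    done
    return 0
}

# Demo on a constructed /etc/hosts as produced by a DHCP-based Debian install
# (not a real file from the thread).
demo() {
    tmp=$(mktemp -d)
    printf '127.0.0.1\tlocalhost\n127.0.1.1\tsamba-dc.ad.example.com samba-dc\n' > "$tmp/hosts"
    check_hosts "$tmp/hosts" samba-dc.ad.example.com || echo "-> fix /etc/hosts before going further"
    rm -rf "$tmp"
}
demo
```

On the real machine run `check_hosts /etc/hosts "$(hostname -f)"`, `check_nsswitch /etc/nsswitch.conf` and `check_templates /etc/samba/smb.conf`.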
In one word:
DONT!

Tried it once and realmd moved the DC to the Computer OU in AD. There it no longer is a DC and nothing worked for us...

As it is already joined you don't need realmd at all. Just configure sssd.conf and start sssd.

However, I would not recommend that. We have since switched to winbind as this is already running and with the sernet packages can not be installed alongside sssd anyway.

Regards

Christian

On 01.03.19 at 14:21, Jonathon Reinhart via samba wrote:
> Hello,
>
> I'm running a Samba DC on Debian 9 (version 4.5.12-Debian) in a lab
> environment, set up like this:
> https://jonathonreinhart.com/posts/blog/2019/02/11/setting-up-a-samba-4-domain-controller-on-debian-9/
>
> I would now like to configure this server to enable login via domain
> credentials. I'm aware that the Samba wiki recommends the following:
>
> - https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> - https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM
>
> However, I'm familiar with using Realmd (using its default SSSD) to
> join Linux servers to a MS AD domain, to enable SSH and sudo using
> domain credentials. So I'm trying to use Realmd on my Samba DC, using
> winbind instead of sssd (because Samba already uses winbind).
>
> I first installed libpam-winbind, and then attempted the following:
> # realm join --client-software=winbind --automatic-id-mapping=no ad.example.com
>
> After entering my domain Administrator password, I received this error message:
> realm: Couldn't join realm: Failed to enroll machine in realm. See diagnostics.
>
> Upon a second attempt, I got this error message:
> realm: Couldn't join realm: Joining the domain ad.example.com failed
>
> Looking in the realmd logs, I see the following:
>
> * LANG=C LOGNAME=root /usr/bin/net -s
> /var/cache/realmd/realmd-smb-conf.3D2AXZ -U Administrator ads join
> ad.example.com
> gss_init_sec_context failed with [ Miscellaneous failure (see
> text): Server (ldap/samba-dc.ad.example.com at AD.EXAMPLE.COM)
> unknown]
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: for
> ldap/samba-dc.ad.example.com user[Administrator]
> realm[AD.EXAMPLE.COM]: An internal error occurred.
>
> At this point, I'm stumped. This is on a very fresh install, so it
> should be very easy to reproduce.
>
> Is what I'm attempting to do a valid operation? Or is it weird that
> realmd is trying to "join" the DC to the domain?
>
> Thank you,
>
> Jonathon Reinhart

--
Dr. Christian Naumer
Research Scientist
Platform Coordinator Bioprocess Engineering
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30 / fax +49-6251-9331-11
On Fri, 1 Mar 2019 15:03:37 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Jonathon,
>
> in addition to Rowland's comment.. ..
> He is always quicker in the response when I'm typing them..
>
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> > Jonathon Reinhart via samba
> > Sent: Friday, 1 March 2019 14:22
> > To: samba at lists.samba.org
> > Subject: [Samba] (no subject)
> >
> > Hello,
> >
> > I'm running a Samba DC on Debian 9 (version 4.5.12-Debian) in a lab
> > environment, set up like this:
> > https://jonathonreinhart.com/posts/blog/2019/02/11/setting-up-a-samba-4-domain-controller-on-debian-9/
>
> few minor points.
>
> REALM="ad.onthefive.com"
> Realm always in CAPS, this prevents problems with other programs. Most
> programs expect REALM in CAPS. For example postfix expects REALM in
> CAPS.
>
> I suggest you add a note here that the DNS-domain and REALM are 2
> different things. And the other sidenote on this is, often the
> dns-domain == REALM ( but in caps )
>
> The krb5.conf. mv /etc/krb5.conf /etc/krb5.conf.old
> The default from debian, if you enter the REALM in CAPS at install, is
> sufficient. Not really needed but not wrong.
>
> I also suggest, add a check if the reverse zone exists.
>
> > I would now like to configure this server to enable login via domain
> > credentials. I'm aware that the Samba wiki recommends the following:
>
> apt install ssh-krb5 libpam-krb5 libnss-winbind libpam-winbind
>
> That configures 1-2 parameters in sshd_config and gives you directly
> the ability to login with kerberos. Note, not accounting for the
> missing "template" parameters.
>
> Default: template homedir = /home/%D/%U
> Default: template shell = /bin/false
> (man smb.conf)
> And how are the homedirs created, through ADUC or mk_homedir
>
> Needed on the DC's with logins and members that used RID setup, also
> set in /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
>
> > - https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> > - https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM
> >
> > However, I'm familiar with using Realmd (using its default SSSD) to
> > join Linux servers to a MS AD domain, to enable SSH and sudo using
> > domain credentials. So I'm trying to use Realmd on my Samba DC,
> > using winbind instead of sssd (because Samba already uses winbind).
>
> If I may suggest. Go through these.
> https://github.com/thctlo/samba4/tree/master/howtos
> These are a bit older, I'm working on the update and nice layouts etc.
> It's my git link, most things you're wanting/asking are in my scripts.
>
> For example, what I don't see on the site is the check on /etc/hosts
> If you installed with dhcp you need to change 127.0.1.1 to the real
> ip of the server in /etc/hosts
>
> > I first installed libpam-winbind, and then attempted the following:
> > # realm join --client-software=winbind
> > --automatic-id-mapping=no ad.example.com
> >
> > After entering my domain Administrator password, I received
> > this error message:
> > realm: Couldn't join realm: Failed to enroll machine in
> > realm. See diagnostics.
> >
> > Upon a second attempt, I got this error message:
> > realm: Couldn't join realm: Joining the domain ad.example.com failed
> >
> > Looking in the realmd logs, I see the following:
> >
> > * LANG=C LOGNAME=root /usr/bin/net -s
> > /var/cache/realmd/realmd-smb-conf.3D2AXZ -U Administrator ads join
> > ad.example.com
> > gss_init_sec_context failed with [ Miscellaneous failure (see
> > text): Server (ldap/samba-dc.ad.example.com at AD.EXAMPLE.COM)
> > unknown]
> > kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed:
> > for ldap/samba-dc.ad.example.com user[Administrator]
> > realm[AD.EXAMPLE.COM]: An internal error occurred.
> >
> > At this point, I'm stumped. This is on a very fresh install, so it
> > should be very easy to reproduce.
> >
> > Is what I'm attempting to do a valid operation? Or is it weird that
> > realmd is trying to "join" the DC to the domain?
>
> No, not strange, but realmd is "joining" the AD-DC and it's trying
> that with member settings. That won't work on the DC itself of course.

Not strange ?
He is trying to join the DC to the domain and it is already joined.

Rowland
> > > At this point, I'm stumped. This is on a very fresh install, so it
> > > should be very easy to reproduce.
> > >
> > > Is what I'm attempting to do a valid operation? Or is it weird that
> > > realmd is trying to "join" the DC to the domain?
> >
> > No, not strange, but realmd is "joining" the AD-DC and it's trying
> > that with member settings. That won't work on the DC itself of course.
>
> Not strange ?
> He is trying to join the DC to the domain and it is already joined.

No, to me it's not strange that it errors out.
The realmd command is to join a domain yes, it generated a new config and it used that, that's ok, but he is running it ON the DC itself, or am I misreading things here.
So not strange it errors out, if I did read this correctly.

Greetz,

Louis
On Fri, 1 Mar 2019 15:05:39 +0100
Christian Naumer via samba <samba at lists.samba.org> wrote:

> In one word:
> DONT!
>
> Tried it once and realmd moved the DC to the Computer OU in AD. There
> it no longer is a DC and nothing worked for us...
>
> As it is already joined you don't need realmd at all. Just configure
> sssd.conf and start sssd.
>
> However, I would not recommend that. We have since switched to winbind
> as this is already running and with the sernet packages can not be
> installed alongside sssd anyway.

If you must use something other than winbindd, use nslcd, but the only time you might need something else, is if you are using the DC as a fileserver.

Rowland
Thanks for the input, Rowland! Replies inline:

On Fri, Mar 1, 2019 at 8:57 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

[snip]

> The 'Nooooo, don't do that' is:
> Don't change the UPN

Why not? It's a recommended best practice to choose a subdomain of your primary domain (e.g. "ad.example.com"), and then add an alternate UPN suffix which allows user logons to match their email addresses. In fact, this page on the Samba Wiki recommends just that:
https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#My_User_Logins_Does_Not_Match_My_Email

[snip]

> > I first installed libpam-winbind, and then attempted the following:
> > # realm join --client-software=winbind --automatic-id-mapping=no
> > ad.example.com
>
> What about libnss-winbind ?

My mistake: I actually installed both libpam-winbind and libnss-winbind.

[snip]

> > Or is it weird that realmd is trying to "join" the DC to the domain?
>
> Oh yes, very weird, trying to join something that is already joined to
> the domain by the provision command.

Fair enough. I attempted this out of convenience since I was familiar with Realmd. My biggest concern was the ability to control which groups can login, but it looks like I can still do this with winbind by instead using /etc/security/access.conf:
http://man7.org/linux/man-pages/man5/access.conf.5.html

I wrote a second blog post which goes on to configure libnss-winbind:
https://jonathonreinhart.com/posts/blog/2019/02/26/configuring-winbind-on-a-samba-ad-dc-on-debian-9

> Oh and just in passing, you probably do not have a forwarder set in
> smb.conf

This was somewhat intentional. My machines are given a different DNS server via DHCP (both on pfSense). I've delegated the AD zone to the Samba DC. So, the AD DNS server should only receive requests for which he is authoritative. Is this a valid assumption?
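The access.conf approach mentioned above, as an added illustration that is not part of the original post. It assumes winbind's default `\` separator, the ONTHEFIVE workgroup shown later in the thread, and a hypothetical domain group `linux-admins`; pam_access only takes effect once `account required pam_access.so` is present in the PAM stack used by sshd.

```text
# /etc/security/access.conf (added example, not from the thread).
# Assumed: winbind separator '\', workgroup ONTHEFIVE, hypothetical group linux-admins.
# Rules are evaluated top to bottom and the first match wins, so the local
# console escape hatch for root comes first and the catch-all deny last.
+ : root : LOCAL
+ : (ONTHEFIVE\linux-admins) : ALL
- : ALL : ALL
```

Test with a second SSH session before closing the one you are editing from, since the final rule denies every account not listed above it.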
Hey guys, sorry for the (no subject) message. I copy/pasted from a previous email and missed the subject.

I really appreciate the quick feedback! I'm hoping to produce a series of blog posts that are guaranteed to work (on Debian 9 at least) and produce the ultimate Samba-powered Active Directory environment.

On Fri, Mar 1, 2019 at 9:04 AM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

[snip]

> few minor points.
>
> REALM="ad.onthefive.com"
> Realm always in CAPS, this prevents problems with other programs. Most programs expect REALM in CAPS.
> For example postfix expects REALM in CAPS.

I agree with you, however:

1) The Samba Wiki [1] uses lowercase:

> Realm --realm Kerberos realm. This is also used as the AD DNS
> domain. For example: samdom.example.com.

2) samba-tool seems to do the "right thing" and capitalize this string where required. My generated smb.conf has:

    [global]
        netbios name = SAMBA-DC
        realm = AD.ONTHEFIVE.COM
        workgroup = ONTHEFIVE

While the generated krb5.conf has:

    [libdefaults]
        default_realm = AD.ONTHEFIVE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

Since "--realm" is kind of a dual-use parameter, I'm inclined to leave it lowercase.

> I suggest you add a note here that the DNS-domain and REALM are 2 different things.
> And the other sidenote on this is, often the dns-domain == REALM ( but in caps )

Yes, this is a great point. Does the term "REALM" apply to anything besides Kerberos?

> The krb5.conf. mv /etc/krb5.conf /etc/krb5.conf.old
> The default from debian, if you enter the REALM in CAPS at install, is sufficient.
> Not really needed but not wrong.

The krb5.conf file generated during "samba-tool provision" contains only what I've shown above. The Debian file has a lot of other stuff, including various *.MIT.EDU [realms]. I felt it was better to trust "samba-tool" than the Debian maintainers :-)

> I also suggest, add a check if the reverse zone exists.

Can you elaborate? Are you suggesting to check for a reverse DNS entry for the IP address of the DC?

[snip]

> apt install ssh-krb5 libpam-krb5 libnss-winbind libpam-winbind
>
> That configures 1-2 parameters in sshd_config and gives you directly the ability to login with kerberos.
> Note, not accounting for the missing "template" parameters.
>
> Default: template homedir = /home/%D/%U
> Default: template shell = /bin/false
> (man smb.conf)
> And how are the homedirs created, through ADUC or mk_homedir
>
> Needed on the DC's with logins and members that used RID setup, also set in /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind

I actually wrote a subsequent blog post, where I set up all of the winbind configuration:
https://jonathonreinhart.com/posts/blog/2019/02/26/configuring-winbind-on-a-samba-ad-dc-on-debian-9

I did not include kerberos login, however, so thank you for that!

Setting uidNumber, gidNumber, etc. from Microsoft tools is deprecated, so I plan to put together some solution to automatically assign them during/after user creation, e.g.

- https://serverfault.com/q/764185/55544
- https://serverfault.com/q/484908/55544

I used pam_mkhomedir to create the home directory on the DC.

Correct me if I'm wrong, but winbind (on a Samba DC) can **only** use "template homedir" and "template shell", and will not respect the RFC 2307 attributes in LDAP. Is that correct?

> If I may suggest. Go through these.
> https://github.com/thctlo/samba4/tree/master/howtos
> These are a bit older, I'm working on the update and nice layouts etc.
> It's my git link, most things you're wanting/asking are in my scripts.
>
> For example, what I don't see on the site is the check on /etc/hosts
> If you installed with dhcp you need to change 127.0.1.1 to the real ip of the server in /etc/hosts

Thanks for that reference; I will check them out.

In general, I prefer DHCP reservations over static IP addresses, and in fact, that's how my current DC is running. But if it's safer, I will change to use a static IP address, and update /etc/hosts, etc.

[snip]

> > Is what I'm attempting to do a valid operation? Or is it weird that
> > realmd is trying to "join" the DC to the domain?
>
> No, not strange, but realmd is "joining" the AD-DC and it's trying that with member settings.
> That won't work on the DC itself of course.

I abandoned the idea of using Realmd on the DC itself. I'm still hoping to use Realmd + SSSD on my other Linux servers, like I have with Microsoft Active Directory.

> Greetz,
>
> Louis

Thanks again for your input!

Jonathon

[1] https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Parameter_Explanation