Hi,

I have a CentOS 7 system, built Samba from source using samba-4.9.6.tar.gz, did the provision as an AD DC and all is working well (I have used Samba a lot in the past).

Then I have a problem with domain users/groups, the system does not read them.

vi /usr/local/samba/etc/smb.conf

[global]
        dns forwarder = 192.168.0.1
        netbios name = DC
        realm = TECNOGM.LAN
        server role = active directory domain controller
        workgroup = TECNOGM
        idmap_ldb:use rfc2307 = yes
        username map = /usr/local/samba/etc/user.map
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        template shell = /bin/bash
        template homedir = /data/%D/users/%U

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/tecnogm.lan/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[profiles]
        comment = Windows profiles
        path = /data/%D/profiles
        read only = No

[users]
        comment = Users home directories
        path = /data/%D/users
        read only = No

/usr/local/samba/etc/user.map

!root = TECNOGM\Administrator

net rpc rights grant "TECNOGM\Domain Admins" SeDiskOperatorPrivilege -U "TECNOGM\administrator"

vi /etc/pam.d/password-auth

added

auth        sufficient    pam_winbind.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
password    sufficient    pam_winbind.so use_authtok

vi /etc/nsswitch.conf

added winbind to group and passwd

THE PROBLEM:

the system does not read domain users and groups, in fact

getent passwd TECNOGM\\test

gives no result
On Fri, 12 Apr 2019 12:53:49 +0200
Marco Gemignani via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> I have a CentOS 7 system, built Samba from source using
> samba-4.9.6.tar.gz
> 
> did the provision as an AD DC and all is working well (I have used Samba a lot
> in the past)
> 
> Then I have a problem with domain users/groups, the system does not read them
> 
> vi /usr/local/samba/etc/smb.conf
> [global]
> dns forwarder = 192.168.0.1
> netbios name = DC
> realm = TECNOGM.LAN
> server role = active directory domain controller
> workgroup = TECNOGM
> idmap_ldb:use rfc2307 = yes

You are running as an AD DC

> username map = /usr/local/samba/etc/user.map
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes

So remove the four lines above, they have no place in an AD DC smb.conf

> THE PROBLEM:
> 
> the system does not read domain users and groups, in fact
> 
> getent passwd TECNOGM\\test
> 
> gives no result

It will not until you remove those 4 lines, you have wiped out the method to connect to the AD database.

Rowland
On Fri, 12 Apr 2019 13:20:54 +0200
Marco Gemignani <marko.gem at inwind.it> wrote:

> Thanks for your reply, wiped out the four lines, but still have the
> same problems :-(
> 

Did you read the Samba wiki, specifically this bit:

https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

Rowland
On Fri, 12 Apr 2019 14:49:24 +0200
Marco Gemignani <marko.gem at inwind.it> wrote:

> I decided to try with the latest version of Samba (4.10.2), but in compiling
> I have this error

Why, if you are having a problem, did you think using the very latest version would fix it?

> 
> 
> Testing pyext configuration : Could not build python extensions
> 
> 
> I have Python-3.8.0a2, the strange thing is that I have no problem
> with samba-4.9.6 (I have the winbind problem... aaaahhh)

4.10.0 is the first Samba version that defaults to python3, that is probably where your latest problem lies.

> 
> 
> On 12/04/2019 13:37, Rowland Penny via samba wrote:
> > On Fri, 12 Apr 2019 13:20:54 +0200
> > Marco Gemignani <marko.gem at inwind.it> wrote:
> > 
> >> Thanks for your reply, wiped out the four lines, but still have the
> >> same problems :-(
> >> 
> > Did you read the Samba wiki, specifically this bit:
> > 
> > https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> > 
> > Rowland
> > 

You said you compiled Samba yourself and altered /etc/nsswitch.conf, but did you create the libnss-winbind links? (this is what the above link is mainly about), if you didn't, then it will never work.

Rowland
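The three things the thread turns on (the four fileserver lines Rowland says to drop from an AD DC smb.conf, winbind on the passwd/group lines of nsswitch.conf, and the libnss_winbind link a source build does not create) as a check script. This is an added example, not code from the thread or from Samba; it assumes the paths of this source build (/usr/local/samba/etc/smb.conf, /etc/nsswitch.conf, /lib64) and runs against a constructed copy of the first mail's [global] when given no arguments.

```shell
# Added example, not from the thread: the three things Rowland points at on a
# source-built DC, each as a check that can be run against the live files.
# Assumed paths: /usr/local/samba/etc/smb.conf, /etc/nsswitch.conf, /lib64.

# 1. On an AD DC the four fileserver options Rowland names have no place in
#    [global]: print any that are present and return 1.
dc_conf_lint() {
    awk '
        /^[ \t]*\[/ { s = tolower($0); gsub(/[^a-z0-9_]/, "", s); next }
        s == "global" {
            l = tolower($0); sub(/^[ \t]+/, "", l)
            if (l ~ /^server role[ \t]*=.*active directory domain controller/) dc = 1
            if (l ~ /^(username map|vfs objects|map acl inherit|store dos attributes)[ \t]*=/)
                bad = bad $0 "\n"
        }
        END { if (dc && bad != "") { printf "%s", bad; exit 1 } }' "$1"
}

# 2. nsswitch.conf must list winbind on both the passwd and group lines.
nss_has_winbind() {
    awk '/^[ \t]*(passwd|group):/ && /winbind/ { n++ } END { exit (n == 2 ? 0 : 1) }' "$1"
}

# 3. glibc loads libnss_winbind.so.2 from the system library directory only;
#    a source build leaves it under the Samba prefix until it is linked in.
nss_winbind_linked() {
    [ -e "$1/libnss_winbind.so.2" ]
}

# Constructed copy of the [global] lines from the first mail, for a dry run.
sample_dc_conf() {
    cat > "$1" <<'EOF'
[global]
    server role = active directory domain controller
    username map = /usr/local/samba/etc/user.map
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
EOF
}

# Run as: sh check_dc.sh SMBCONF NSSWITCH LIBDIR; with no arguments, dry-run.
if [ $# -eq 3 ]; then conf=$1 nss=$2 libdir=$3
else tmp=$(mktemp -d); sample_dc_conf "$tmp/smb.conf"
     conf=$tmp/smb.conf nss=/etc/nsswitch.conf libdir=/lib64; fi
dc_conf_lint "$conf" && echo "smb.conf: ok" || echo "smb.conf: remove the lines above"
nss_has_winbind "$nss" && echo "nsswitch: ok" || echo "nsswitch: add winbind to passwd and group"
nss_winbind_linked "$libdir" && echo "libnss: ok" || echo "libnss: no libnss_winbind.so.2 in $libdir"
[ -n "${tmp:-}" ] && rm -rf "$tmp"
```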
On Fri, 12 Apr 2019 16:15:36 +0200
Marco Gemignani <marko.gem at inwind.it> wrote:

> As you told me, I re-did all the links for pam_winbind and libnss
> 
> 
> and now "getent passwd TECNOGM\\testUser" works

OK, one step forward ;-)

> I am still unable to login by ssh but I'm trying to solve it

Drat, I keep forgetting this.

install oddjob-mkhomedir

run 'authconfig --enablemkhomedir --update'

and you then should be able to login via ssh

> 
> and also I can set Linux permissions to Domain Admins, at first reply
> you told me to remove
> 
> username map = /usr/local/samba/etc/user.map
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> 
> this is for a small office and the Samba AD DC is also used as a
> fileserver, so I need to set Windows ACLs, so I need (user map); the
> others:
> 
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> 
> do I still keep them wiped out?

Yes, they are built in on a DC.

What error are you getting whilst trying to set the ACLs on Windows?

Rowland
On Fri, 12 Apr 2019 17:46:22 +0200
Marco Gemignani <marko.gem at inwind.it> wrote:

> On 12/04/2019 16:32, Rowland Penny via samba wrote:
> > On Fri, 12 Apr 2019 16:15:36 +0200
> > Marco Gemignani <marko.gem at inwind.it> wrote:
> > 
> >> As you told me, I re-did all the links for pam_winbind and libnss
> >> 
> >> 
> >> and now "getent passwd TECNOGM\\testUser" works
> > OK, one step forward ;-)
> > 
> >> I am still unable to login by ssh but I'm trying to solve it
> > Drat, I keep forgetting this.
> > 
> > install oddjob-mkhomedir
> > 
> > run 'authconfig --enablemkhomedir --update'
> > 
> > and you then should be able to login via ssh
> 
> Done but I am still unable to login via ssh.

It does work:

rowland at devstation:~$ ssh rowland at dc4
Password:
Linux dc4 4.9.0-8-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 8 16:36:45 2019 from 192.168.0.88
SAMDOM\rowland at dc4:~$

You must have something set wrong somewhere.

> 
> I also have this problem
> 
> getent passwd TECNOGM\\marco
> 
> TECNOGM\marco:*:3000021:100::/data/TECNOGM/users/marco:/bin/bash
> 
> the group is not mapped as Domain Admins, but as the Unix users group, this is
> not a big problem for me...

No, it is 'Domain Users' mapped to the Unix group 'users' in idmap.ldb

Using a DC as a fileserver comes with problems like this.

Rowland
On Fri, 12 Apr 2019 18:16:06 +0200
Marco Gemignani <marko.gem at inwind.it> wrote:

> ok Rowland, sorry if I stress you,

No, you are not stressing me ;-)

> 
> I need to do a storage, how can I do it?

I take it you mean a separate fileserver.

> 
> another Linux system that JOINs the Samba AD domain? And make shares?

You mean a Unix domain member.

> 
> on the wiki I have not found any common example to do it

Try reading this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Ask questions if required

Once you have decided if you want to use the 'ad' or 'rid' backend, read one of these:

For the 'ad' backend:
https://wiki.samba.org/index.php/Idmap_config_ad

For the 'rid' backend:
https://wiki.samba.org/index.php/Idmap_config_rid

Then for shares:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland