Sac Isilia
2019-Nov-26 13:41 UTC
[Samba] security = ads parameter not working in samba 4.9.5
Hi Team,

I need to join the server to an AD domain using winbind. Below are the package versions for reference. The server runs Debian 10 and the default install of samba is 4.9.5.

ii  samba         2:4.9.5+dfsg-5+deb10u1  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common  2:4.9.5+dfsg-5+deb10u1  all    common files used by both the Samba server and client
ii  winbind       2:4.9.5+dfsg-5+deb10u1  amd64  service to resolve user and group information from Windows NT servers

I searched the internet and a few samba mailing lists and found that it was a bug and that security = ads will produce an error if you start winbind. The moment I put "security = user" in smb.conf, winbind starts successfully, but the server is not joined to the domain; when I run the command net ads join -U xxx I get the below error.

Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.

I just couldn't find any solution to the above if samba runs on 4.9.5. Please help me so that I can join the server to the AD domain.

Below is my smb.conf
------------------------------------
[global]
   passdb backend = tdbsam
   security = user
   password server = 10.34.54.46
   idmap config EMEA-MEDIA : backend = ad
   idmap config EMEA-MEDIA : range = 16777216-33554431
   kerberos method = secrets and keytab
   client use spnego = yes
   client signing = yes
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = yes
   winbind use default domain = yes
   restrict anonymous = 2
   domain master = no
   local master = no
   preferred master = no
   os level = 0
   allow trusted domains = yes
   winbind nested groups = yes

;  interfaces = 127.0.0.0/8 eth0
;  bind interfaces only = yes

   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d

   server role = standalone server
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user

;  logon path = \\%N\profiles\%U
;  logon drive = H:
;  logon script = logon.cmd
;  add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
;  add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
;  add group script = /usr/sbin/addgroup --force-badname %g
;  include = /home/samba/etc/smb.conf.%m
;  idmap config * : backend = tdb
;  idmap config * : range = 3000-7999
;  idmap config YOURDOMAINHERE : backend = tdb
;  idmap config YOURDOMAINHERE : range = 100000-999999
;  template shell = /bin/bash

   usershare allow guests = yes

[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S

;[netlogon]
;  comment = Network Logon Service
;  path = /home/samba/netlogon
;  guest ok = yes
;  read only = yes

;[profiles]
;  comment = Users profiles
;  path = /home/samba/profiles
;  guest ok = no
;  browseable = no
;  create mask = 0600
;  directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
;  write list = root, @lpadmin

Regards
Sachin Kumar
Rowland penny
2019-Nov-26 14:04 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On 26/11/2019 13:41, Sac Isilia via samba wrote:
> Hi Team,
>
> I need to join the server in AD domain using winbind . Below are the
> package version for reference. The server runs Debian 10 and the default
> install of samba is 4.9.5.
>
> ii samba 2:4.9.5+dfsg-5+deb10u1 amd64 SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:4.9.5+dfsg-5+deb10u1 all common files used by both the Samba server and client
> ii winbind 2:4.9.5+dfsg-5+deb10u1 amd64 service to resolve user and group information from Windows NT servers
>
> I searched the internet and few samba mailing list and found that it was
> a bug and security = ads will produce error if you start winbind . The
> moment i put in smb.conf "security = user" the winbind starts
> successfully but the server is not joined to domain when i run the command
> net ads join -U xxx I get the below error.
>
> Host is not configured as a member server.
> Invalid configuration. Exiting....
> Failed to join domain: This operation is only allowed for the PDC of the
> domain.
>
> I just couldn't find any solution to the above if samba runs on 4.9.5.
> Please help me so that I can join the server to AD domain.

I take it that you haven't read the Samba wiki?

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File

I would go and read that and then return with any questions you might have ;-)

But in the meantime, 'security = ADS' clashes with 'server role = standalone server'.

The other question is, is sssd installed? If it is, then remove it; you cannot use sssd with winbind.

You are also probably going to need a few extra packages:

acl attr libpam-winbind libpam-krb5 libnss-winbind krb5-config krb5-user ntp

Rowland
L.P.H. van Belle
2019-Nov-26 14:07 UTC
[Samba] security = ads parameter not working in samba 4.9.5
Hai,

Please read: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

And adjust your smb.conf: start with a minimal smb.conf, then join, and then add optional extra settings.

Your current config is incomplete. I suggest you carefully read this chapter: "Choose backend for id mapping in winbindd".

> Host is not configured as a member server.
> Invalid configuration. Exiting....

^^^ as it is saying, invalid config.

A sample config for a domain member, with backend AD. You might want RID as backend; read the above links, which tell more.

Config

[global]
   log level = 1 auth_audit:3

   # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
   # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
   # Obey the above rules from the links and avoid problems.
   workgroup = NTDOM
   security = ADS
   realm = YOUR.REALM.HERE_IN_CAPS
   netbios name = SERVER_HOSTNAME_IN_CAPS_MAX_15CHARS

   # set master browser for the network.
   # preferred + domain master = guarantee master browser ( man smb.conf )
   #preferred master = yes
   #domain master = yes

   # Optional, set ip/interface names where to run samba.
   interfaces = 192.168.0.10 127.0.0.1
   bind interfaces only = yes

   # Resolve netbios names over DNS.
   # Your DNS/Resolving setup MUST be correct to make it work.
   dns proxy = yes

   # Add and Update TLS Key
   # If you're running a domain member, a correct certificate setup is preferred.
   #tls enabled = yes
   #tls keyfile = /etc/ssl/private/host.key.pem
   #tls certfile = /etc/sslcerts/host.cert.pem
   #tls cafile = /etc/ssl/certs/ca.pem

   ## map ids from outside the domain to tdb files.
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999

   ## map ids from the domain; the (*) range may not overlap!
   # choose the back end that fits your setup.
   # https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
   idmap config NTDOM : backend = ad
   idmap config NTDOM : range = 10000-3999999
   # Backend AD often uses one or more of these 3 settings
   idmap config NTDOM : schema_mode = rfc2307
   # optional
   #idmap config NTDOM : unix_nss_info = yes
   #idmap config NTDOM : unix_primary_group = yes

   # Most compatible setup.
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   # Renew the kerberos ticket within its lifetime.
   winbind refresh tickets = yes

   # remove NTDOM\ from the username
   winbind use default domain = yes

   # Default = no, only set yes while testing.
   winbind enum users = no
   winbind enum groups = no

   # Enable offline logins
   winbind offline logon = yes

   # The user Administrator workaround, without it you are unable to set privileges
   # Format in the file: !root = NTDOM\Administrator NTDOM\administrator
   username map = /etc/samba/samba_usermapping

   # Disable the option to allow usershares to be created; when set empty, no error log messages.
   usershare path

   # Disable printing completely
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

   # For Windows ACL support on a member file server, enabled globally, OBLIGATED
   # For a mixed setup of rights, put this per share!
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes

   # Share Setting Globally
   veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
   hide unreadable = yes

######## SHARE DEFINITIONS ################
..

Greetz,

Louis
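As an added example (not code from the thread or from the Samba project), a small Python linter for the [global] section that flags the mismatches raised in the two replies above: a non-member 'security' value (the cause of "Host is not configured as a member server"), the 'security = ads' versus 'server role = standalone server' clash, a missing default 'idmap config *' backend, and overlapping idmap ranges. The two embedded configs are constructed excerpts of the ones posted in this thread.

```python
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
RANGE_KEY_RE = re.compile(r"^idmapconfig(.+):range$")

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with whitespace
    removed because Samba ignores both, and ';' or '#' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:  # skips a bare "usershare path"
            key, _, value = line.partition("=")
            sections[current][re.sub(r"\s+", "", key).lower()] = " ".join(value.split())
    return sections

def lint_member_config(text):
    """Problems in [global] that stop 'net ads join' or break id mapping."""
    g = parse_smb_conf(text).get("global", {})
    problems = []
    security = g.get("security", "user").lower()  # Samba's default is "user"
    if security == "ads" and g.get("serverrole", "").lower() == "standalone server":
        problems.append("security = ads clashes with server role = standalone server")
    if security == "ads" and "realm" not in g:
        problems.append("security = ads needs a realm")
    if security != "ads":
        problems.append("security = %s: not a member server, net ads join will refuse" % security)
    ranges = {}
    for key, value in g.items():
        m = RANGE_KEY_RE.match(key)
        if m:
            lo, _, hi = value.partition("-")
            ranges[m.group(1)] = (int(lo), int(hi))
    if "*" not in ranges or "idmapconfig*:backend" not in g:
        problems.append("no 'idmap config *' backend/range for ids outside the domain")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append("idmap ranges overlap: %s and %s" % (a, b))
    return problems

# Constructed excerpts of the two configs posted in this thread.
STANDALONE_CONF = """[global]
   security = user
   idmap config EMEA-MEDIA : backend = ad
   idmap config EMEA-MEDIA : range = 16777216-33554431
   server role = standalone server
   ; idmap config * : backend = tdb
"""
MEMBER_CONF = """[global]
   security = ADS
   realm = YOUR.REALM.HERE_IN_CAPS
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config NTDOM : backend = ad
   idmap config NTDOM : range = 10000-3999999
   usershare path
"""
```

Running lint_member_config on the first excerpt reports the non-member security setting and the missing default idmap backend; on the second it reports nothing.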
Sérgio Basto
2019-Nov-26 14:26 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On Tue, 2019-11-26 at 15:07 +0100, L.P.H. van Belle via samba wrote:
> Hai,
>
> Please read :
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> And adjust your smb.conf, start with a minimal smb.conf then join and
> then add optional extra settings.

BTW, unfortunately I hadn't time to write about it, but see man idmap.ad; it has the right instructions ...

-- 
Sérgio M. B.