Rowland penny
2019-Nov-27 15:51 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On 27/11/2019 15:30, Sérgio Basto wrote:
> On Wed, 2019-11-27 at 12:29 +0000, Rowland penny via samba wrote:
>> On 27/11/2019 11:03, Sérgio Basto via samba wrote:
>>> Sorry I meant man idmap_ad. But checking again man is equal of
>>> https://wiki.samba.org/index.php/Idmap_config_ad in EXAMPLES of man
>>> page [1]
>>>
>>> Examples don't mention netbios name ... I did [2] which instead use
>>> workgroup I used netbios name and it is working but still don't know
>>> why or even if it is correct.
>> You do not need to set 'netbios name', it will be set for you from the
>> hostname
>>>
>>> [2]
>>> [global]
>>> netbios name = REPO
>>> security = ADS
>>> workgroup = SAMDOM
>>> realm = SAMDOM.EXAMPLE.COM
>>>
>>> winbind use default domain = yes
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 1000000-1999999
>>>
>>> idmap config REPO : backend = ad
>>> idmap config REPO : schema_mode = rfc2307
>>> idmap config REPO : range = 10000-999999
>>> idmap config REPO : unix_nss_info = yes
>> You need to use the workgroup name, not the netbios name. There will be
>> three domains on your Unix domain member:
>>
>> BUILTIN : Mostly used for the Well Known SIDs
>>
>> SAMDOM : Your AD domain
>>
>> REPO : a local domain and not really relevant
>
> Hi, many thanks for the reply and it started to work but I had to use
> realm
>
> security = ADS
> workgroup = SAMDOM
> realm = SAMDOM.LOCAL
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
>
> idmap config SAMDOM.LOCAL : backend = ad
> idmap config SAMDOM.LOCAL : schema_mode = rfc2307
> idmap config SAMDOM.LOCAL : range = 10000-999999
> idmap config SAMDOM.LOCAL : unix_nss_info = yes

You have something misconfigured somewhere, it MUST be workgroup, not realm.

Please download this:

https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh

Run it on the Unix domain member and paste the output into a post, do not attach it, this list strips attachments.

Rowland
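The rule Rowland states above (the idmap domain must be the workgroup, not the realm and not the netbios name) turned into a small smb.conf check, as an added example that is not code from this thread or from the Samba project; the two sample configs are constructed to mirror the thread's realm-keyed one and its corrected form.

```python
# Added example, not code from the thread or from Samba: lint the [global] idmap settings of an
# smb.conf as the thread advises (workgroup, not realm or netbios name; non-overlapping ranges).
import re
IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)$", re.I)

def parse_global(text):
    """Return ({param: value}, {DOMAIN: {key: value}}) from the [global] section."""
    params, idmap, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # skip blanks and whole-line comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "global":
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            idmap.setdefault(dom.upper(), {})[key.lower()] = val
        elif "=" in line:
            key, val = line.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return params, idmap

def check_idmap(text):
    """Return findings for the idmap layout; an empty list means it is consistent."""
    params, idmap = parse_global(text)
    wg, realm = params.get("workgroup", "").upper(), params.get("realm", "").upper()
    nbname = params.get("netbios name", "").upper()
    findings = []
    if wg and wg not in idmap:
        findings.append(f"no 'idmap config {wg}' block for the workgroup")
    for dom in idmap:
        if dom == realm:
            findings.append(f"'{dom}' is the realm; idmap config must use the workgroup '{wg}'")
        elif dom == nbname and dom != wg:
            findings.append(f"'{dom}' is the netbios name (local domain); use the workgroup '{wg}'")
    ranges = [(d, [int(x) for x in c["range"].split("-")]) for d, c in idmap.items() if "range" in c]
    for i, (d1, (lo1, hi1)) in enumerate(ranges):
        for d2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:  # closed intervals intersect
                findings.append(f"id ranges of '{d1}' and '{d2}' overlap")
    return findings

BROKEN = ("[global]\nsecurity = ADS\nworkgroup = SAMDOM\nrealm = SAMDOM.LOCAL\n"  # constructed sample:
          "idmap config * : backend = tdb\nidmap config * : range = 1000000-1999999\n"  # the thread's
          "idmap config SAMDOM.LOCAL : backend = ad\nidmap config SAMDOM.LOCAL : range = 10000-999999\n")
FIXED = BROKEN.replace("idmap config SAMDOM.LOCAL", "idmap config SAMDOM")  # corrected: keyed by workgroup
```

`check_idmap(FIXED)` returns no findings, while the realm-keyed config yields two: the realm used as an idmap domain and the missing `idmap config SAMDOM` block.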
Sérgio Basto
2019-Nov-27 23:57 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On Wed, 2019-11-27 at 15:51 +0000, Rowland penny via samba wrote:
> On 27/11/2019 15:30, Sérgio Basto wrote:
> > On Wed, 2019-11-27 at 12:29 +0000, Rowland penny via samba wrote:
> > > On 27/11/2019 11:03, Sérgio Basto via samba wrote:
> > > > Sorry I meant man idmap_ad. But checking again man is equal of
> > > > https://wiki.samba.org/index.php/Idmap_config_ad in EXAMPLES of man
> > > > page [1]
> > > >
> > > > Examples don't mention netbios name ... I did [2] which instead use
> > > > workgroup I used netbios name and it is working but still don't know
> > > > why or even if it correct .
> > > You do not need to set 'netbios name', it will be set for you from the
> > > hostname
> > > > [2]
> > > > [global]
> > > > netbios name = REPO
> > > > security = ADS
> > > > workgroup = SAMDOM
> > > > realm = SAMDOM.EXAMPLE.COM
> > > >
> > > > winbind use default domain = yes
> > > >
> > > > idmap config * : backend = tdb
> > > > idmap config * : range = 1000000-1999999
> > > >
> > > > idmap config REPO : backend = ad
> > > > idmap config REPO : schema_mode = rfc2307
> > > > idmap config REPO : range = 10000-999999
> > > > idmap config REPO : unix_nss_info = yes
> > > You need to use the workgroup name, not the netbios name. There will be
> > > three domains on your Unix domain member:
> > >
> > > BUILTIN : Mostly used for the Well Known SIDs
> > >
> > > SAMDOM : Your AD domain
> > >
> > > REPO : a local domain and not really relevant
> >
> > Hi, many thanks for the reply and it started to work but I had to use
> > realm
> >
> > security = ADS
> > workgroup = SAMDOM
> > realm = SAMDOM.LOCAL
> > idmap config * : backend = tdb
> > idmap config * : range = 1000000-1999999
> >
> > idmap config SAMDOM.LOCAL : backend = ad
> > idmap config SAMDOM.LOCAL : schema_mode = rfc2307
> > idmap config SAMDOM.LOCAL : range = 10000-999999
> > idmap config SAMDOM.LOCAL : unix_nss_info = yes
>
> You have something mis-configured somewhere, it MUST be workgroup, not realm.
>
> Please download this:
>
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> Run it on the Unix domain member and paste the output into a post, do not
> attach it, this list strips attachments.

Thank you for the warning :) [1], I'm fighting the same problem but I have a different configuration that I never told you before. I'm running my CentOS 7 packages (very similar to other fellows') [2] where DC1, DC2 and DC3 are running SambaAD, samba-4.8.8-2.el7.x86_64 with BIND9_DLZ (bind-9.11.4-9.P2.el7.x86_64). REPO server is Domain_Member [3] with Idmap_config_ad, of DOMAIN corp, and I'm testing with SambaAD-4.10.9 or 10.

What else?
getent passwd and getent group just work with the previous configuration and stop when I set the workgroup in idmap as you wrote "it MUST be workgroup not realm".

Notes on script:
CentOS 7 DNS configuration is in /etc/named.conf, not in /etc/bind/named.conf. I had to hack the script a little, and for dpkg -l I replaced it with rpm -qa.

[1]
https://paste.centos.org/view/8d205024
https://paste.centos.org/view/bba5f6c4

[2]
https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/

[3]
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

> Rowland
>

Best regards,
--
Sérgio M. B.
Rowland penny
2019-Nov-28 10:21 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On 27/11/2019 23:57, Sérgio Basto wrote:
> Thank you for the warning :) [1] , I'm fighting the same problem but I
> have a different configuration that I never told you before , I'm
> running my centos 7 packages (very similar to other fellows) [2] where
> DC1 , DC2 and DC3 are running SambaAD, samba-4.8.8-2.el7.x86_64 with
> BIND9_DLZ (bind-9.11.4-9.P2.el7.x86_64) .

First things first, remove sssd, it is not supported with Samba.

Next, stop network manager altering /etc/resolv.conf

Make /etc/hosts look like this:

127.0.0.1   localhost
::1         localhost
172.27.28.1 ccdc1.corp.local

Just change the DC's info to match the DC it is on.

/etc/resolv.conf should look like this:

search corp.local
nameserver 172.27.2.1

Again match the IP to the DC.

Remove these lines from smb.conf:

            vfs objects = acl_xattr
            map acl inherit = yes
            store dos attributes = yes

You are breaking Samba by having them.

Make /etc/named.conf look like this:

options {
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    notify no;
    empty-zones-enable no;
    allow-query { any; };
    allow-query-cache { any; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    allow-transfer { none; };
    dnssec-validation no;
    dnssec-enable no;
    dnssec-lookaside no;
    listen-on port 53 { 172.27.28.1; 127.0.0.1; };
    listen-on-v6 port 53 { ::1;};
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

logging {
    channel default_debug {
         file "data/named.run";
         severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/lib/samba/bind-dns/named.conf";

The howto you ultimately linked to tells you to open ports 1024:5000 in the firewall, this is now incorrect, you need to open ports 49152-65535

> REPO server is Domain_Member [3] with Idmap_config_ad, of DOMAIN corp
> and I'm testing with SambaAD-4.10.9 or 10 .
>
> What else ?
> getent passwd and getent group just works with previous configuration
> and stop when I set the workgroup in idmap when you wrote "it MUST be
> workgroup not realm"
>
>
> Notes on script :
> Centos 7 dns configuration is on /etc/named.conf not in
> /etc/bind/named.conf I had to hack a little the script and for dpkg -l,
> I replaced with rpm -qa
>
>
> [1]
> https://paste.centos.org/view/8d205024
> https://paste.centos.org/view/bba5f6c4
>
> [2]
> https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/
>
> [3]
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>

Fix your DCs and see how you go on ;-)

Rowland