Rowland penny
2019-Nov-29 17:19 UTC
[Samba] security = ads parameter not working in samba 4.9.5
Let's start by removing this: krb5-server-1.15.1-37.el7_7.2.x86_64
And if it is installed on the DCs, remove it from them as well.
Not sure if I asked this, but where did you get the Samba packages from?
Can I also point out, when I ask for the output of the script in a post
here, I mean here, not somewhere on the internet that can and will
disappear. If needed, I can then review the output easily; I cannot if
it has disappeared. So, to make sure it doesn't disappear, here is your
latest output:
Collected config --- 2019-11-29-16:51 -----------
Hostname: estagiov2
DNS Domain: corp.local
FQDN: estagiov2.corp.local
ipaddress: 172.27.2.56
-----------
Kerberos SRV _kerberos._tcp.corp.local record verified ok, sample output:
Server: 172.27.28.1
Address: 172.27.28.1#53
_kerberos._tcp.corp.local service = 0 100 88 aldc3.corp.local.
_kerberos._tcp.corp.local service = 0 100 88 ccdc1.corp.local.
_kerberos._tcp.corp.local service = 0 100 88 ccdc2.corp.local.
Samba is running as a Unix domain member
-----------
Checking file: /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
-----------
This computer is running an unknown distribution x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9c:25:86 brd ff:ff:ff:ff:ff:ff
inet 172.27.2.56/22 brd 172.27.3.255 scope global noprefixroute ens160
inet6 fe80::bbc2:13a4:154:7fb8/64 scope link noprefixroute
-----------
Checking file: /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.27.2.56 estagiov2.corp.local estagiov2
-----------
Checking file: /etc/resolv.conf
# Generated by NetworkManager
search corp.local
nameserver 172.27.28.1
nameserver 172.27.2.5
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = CORP.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
#passwd: files winbind sss
#shadow: files sss
#group: files winbind sss
passwd: files winbind
shadow: files
group: files winbind
#initgroups: files sss
#hosts: db files nisplus nis dns
hosts: files dns myhostname
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: nisplus sss
publickey: nisplus
automount: files nisplus sss
aliases: files nisplus
-----------
Checking file: /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
#netbios name = ESTAGIOV2
workgroup = CORP
realm = CORP.LOCAL
security = ADS
log file = /var/log/samba/%m.log
log level = 9
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config CORP:backend = ad
idmap config CORP:schema_mode = rfc2307
idmap config CORP:range = 10000-999999
idmap config CORP:unix_nss_info = yes
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
username map = /var/lib/samba/user.map
# printing = cups
# printcap name = cups
# load printers = yes
# cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
[]
path = /srv/samba//
read only = no
-----------
Running as Unix domain member and user.map detected.
Contents of /var/lib/samba/user.map
!root = CORP\Administrator CORP\administrator
Server Role is set to : auto
-----------
Installed packages:
samba-common-tools-4.10.10-2.el7.x86_64
samba-dc-libs-4.10.10-2.el7.x86_64
samba-dc-bind-dlz-4.10.10-2.el7.x86_64
samba-python-test-4.10.10-2.el7.x86_64
pyxattr-0.5.1-5.el7.x86_64
krb5-workstation-1.15.1-37.el7_7.2.x86_64
samba-python-4.10.10-2.el7.x86_64
samba-client-4.10.10-2.el7.x86_64
samba-4.10.10-2.el7.x86_64
samba-dc-4.10.10-2.el7.x86_64
samba-test-4.10.10-2.el7.x86_64
samba-winbind-krb5-locator-4.10.10-2.el7.x86_64
samba-winbind-clients-4.10.10-2.el7.x86_64
samba-pidl-4.10.10-2.el7.noarch
krb5-server-1.15.1-37.el7_7.2.x86_64
samba-winbind-modules-4.10.10-2.el7.x86_64
samba-common-libs-4.10.10-2.el7.x86_64
samba-python-dc-4.10.10-2.el7.x86_64
libsmbclient-4.10.10-2.el7.x86_64
libacl-2.2.51-14.el7.x86_64
samba-libs-4.10.10-2.el7.x86_64
samba-test-libs-4.10.10-2.el7.x86_64
samba-krb5-printing-4.10.10-2.el7.x86_64
libattr-2.4.46-13.el7.x86_64
krb5-libs-1.15.1-37.el7_7.2.x86_64
acl-2.2.51-14.el7.x86_64
samba-common-4.10.10-2.el7.noarch
samba-client-libs-4.10.10-2.el7.x86_64
samba-winbind-4.10.10-2.el7.x86_64
-----------
Rowland
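An added example, not code from the thread or from Samba: a small Python checker for the two idmap rules the smb.conf comments above spell out (every domain needs a backend and a range, and the default `*` range must not overlap any domain range). The sample config is constructed from the idmap lines in the posted smb.conf; `parse_idmap` and `check_idmap` are names chosen here.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines from the [global] section shown in the post above.
SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999
   idmap config CORP:backend = ad
   idmap config CORP:schema_mode = rfc2307
   idmap config CORP:range = 10000-999999
   idmap config CORP:unix_nss_info = yes
"""

# Matches both spellings seen above: "idmap config * : key" and "idmap config CORP:key".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

def parse_idmap(text):
    """Return {DOMAIN: {key: value}} for every uncommented 'idmap config' line."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return cfg

def check_idmap(text):
    """Return a list of rule violations; an empty list means the config passes."""
    cfg = parse_idmap(text)
    problems, ranges = [], {}
    if "*" not in cfg:
        problems.append("no 'idmap config *' default domain")
    for dom, keys in cfg.items():
        if "backend" not in keys:
            problems.append(f"{dom}: no backend configured")
        if "range" not in keys:
            problems.append(f"{dom}: no range configured")
            continue
        lo, hi = (int(x) for x in keys["range"].split("-"))
        ranges[dom] = (lo, hi)
    # The default (*) range must not overlap any domain range; check every pair.
    for (d1, (a1, b1)), (d2, (a2, b2)) in combinations(ranges.items(), 2):
        if a1 <= b2 and a2 <= b1:
            problems.append(f"{d1} range {a1}-{b1} overlaps {d2} range {a2}-{b2}")
    return problems
```

For the posted config the checker returns no problems; shifting the `*` range down into the CORP range makes it report the overlap.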
Sérgio Basto
2019-Nov-29 18:17 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On Fri, 2019-11-29 at 17:19 +0000, Rowland penny via samba wrote:
> Lets start by removing this: krb5-server-1.15.1-37.el7_7.2.x86_64

ATM I can't, it will remove all samba packages :)

> And if it is installed on the DCs remove it from them as well.

OK, I will try to remove krb5-server; Monday I will give you feedback.

> Not sure if I asked this, but where did you get the Samba packages
> from ?

My packages are made by me [1], but they are similar to Nico Kadel-Garcia's rpms [2].

[1] https://github.com/sergiomb2/sambaad
The first patch is for disabling MIT Kerberos integration and enabling optional Heimdal Kerberos with Domain Controller functionality in the Redhat/Fedora package, i.e. with MIT Kerberos we do not have a fully functional PDC.

[2] https://github.com/nkadel/samba4repo
https://lists.samba.org/archive/samba/2019-October/226703.html

> Can I also point out, when I ask for the output of the script in a
> post here, I mean here, not somewhere on the internet that can and will
> disappear. If needed, I can then review the output easily, I cannot,
> if it has disappeared, so, to make sure it doesn't disappear, here is
> your latest output:

OK, /var/log/samba/winbindd.log has a lot of messages "Could not convert sid" NT_STATUS_NONE_MAPPED, which is very strange.

-- 
Sérgio M. B.
Rowland penny
2019-Nov-29 18:33 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On 29/11/2019 18:17, Sérgio Basto via samba wrote:
> On Fri, 2019-11-29 at 17:19 +0000, Rowland penny via samba wrote:
>> Lets start by removing this: krb5-server-1.15.1-37.el7_7.2.x86_64
> ATM I can't, it will remove all samba packages :)

Then your packages are depending on the krb5-server package, which is MIT, which is experimental. This shouldn't be a problem on a Unix domain member, but there is absolutely no need for it. Are you absolutely wedded to Red Hat? It is so much easier with Debian based distros ;-)

Rowland