On 8/7/20 12:00 PM, Rowland penny via samba wrote:
> On 07/08/2020 19:46, Simon Matthews via samba wrote:
>> I have a network with a Samba server (Samba 4, but running as an old
>> NT-style domain), Windows and Linux clients.
> You really should consider upgrading to AD,
>> Is there any way to have the Windows client access map to just "user",
>> with its Linux UID? What should I expect with a machine that is joined
>> to a domain -- or is the problem that the Linux client is not actually
>> joined to the domain? If so, how do I fix this?
>
> Can we start by seeing your smb.conf files from your PDC and a linux
> client, also what OS is the client running.
>
> Rowland

The client is running CentOS 7:

# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)

After another attempt, I have successfully joined the Linux client to the domain:

# net rpc join MEMBER -S raidserver -U root%<password>
Using short domain name -- BLUE
Joined 'TURQUOISE' to domain 'BLUE'

Note that the hostname of the Linux client is actually "H2". Turquoise is a holdover from what it was earlier. "turquoise" resolves on the network:

$ ping turquoise
PING h2.sj.bps (192.168.254.105) 56(84) bytes of data.
64 bytes from h2.sj.bps (192.168.254.105): icmp_seq=1 ttl=64 time=0.264 ms

Client config:
========
grep -v ^# /etc/samba/smb.conf
[global]
    workgroup = BLUE
    password server = raidserver
    security = domain
    idmap config * : range = 16777216-33554431
    template shell = /bin/false
    kerberos method = secrets only
    winbind use default domain = false
    winbind offline logon = true
    username map = /etc/samba/usermap.txt    # This file is empty.
    server string = Samba Server Version %v
    netbios name = TURQUOISE
    # client ntlmv2 auth = yes
    # ntlm auth = no
    interfaces = lo eth1
    local master = no
    os level = 20
    preferred master = no
    wins support = no
    load printers = no
    cups options = raw

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

[build2]
    comment = build2 on Turquoise
    path = /export/build
    browseable = yes
    writeable = yes
    guest ok = yes

[install]
    comment = install on Turquoise
    path = /mnt/newbuild2/install
    browseable = yes
    writeable = yes
    guest ok = yes

[squish]
    comment = squish on Turquoise
    path = /mnt/newbuild2/TestArea
    browseable = yes
    writeable = yes
    guest ok = yes

[build4]
    comment = build4 on Turquoise
    path = /build4
    browseable = yes
    writeable = yes
    guest ok = yes

[build-H4]
    comment = build4 on Turquoise
    path = /build4
    browseable = yes
    writeable = yes
    guest ok = yes

Config on PDC (raidserver):
================
# grep -v ^# /etc/samba/smb.conf
[global]
    workgroup = BLUE
    netbios name = RAIDSERVER
    server string = Samba Server %v
    interfaces = 192.168.254.3, 127.0.0.1
    bind interfaces only = yes
    map to guest = Bad User
    smb passwd file = /etc/samba/private/smbpasswd
    log file = /var/log/samba3/log.%m
    log level = 1
    max log size = 500
    # socket options = IPTOS_LOWDELAY TCP_NODELAY
    socket_options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    # write cache size = 262144
    printcap name = cups
    os level = 64
    # WINS support must be present for domain logins
    wins support = yes
    dns proxy = No
    ldap ssl = no
    domain master = yes
    domain logons = yes
    enable privileges = yes
    security = user
    local master = yes
    preferred master = yes
    #logon path = \\%N\profiles\%U
    logon path
    logon home = \\raidserver\%U
    logon drive = h:
    logon script = logon.bat
    passdb backend = tdbsam
    #null passwords = yes
    time server = yes
    dos filetimes = yes
    max protocol = SMB3
    map untrusted to domain = yes

[netlogon]
    path = /local/samba/netlogon
    read only = yes
    browseable = no

[profiles]
    path = /local/samba/profiles
    read only = no
    create mask = 0666
    directory mask = 0700
    browseable = no

[homes]
    comment = Home Directories
    path = /home/%S
    invalid users = root
    read only = No
    browseable = No
    dos filetime resolution = yes

[home]
    comment = Home Directories
    path = /home/
    invalid users = root
    read only = No
    browseable = Yes
    dos filetime resolution = yes

[build2]
    comment = Home Directories
    path = /home/build2
    invalid users = root
    read only = No
    browseable = No
    dos filetime resolution = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    guest ok = Yes
    printable = Yes
    browseable = No
    # printer admin = root,simon

[print$]
    path = /var/lib/samba/printers
    write list = @adm, root
    guest ok = Yes
    read only = yes
    browseable = yes
    # printer admin = root,simon

[export]
    comment = Export dir
    path = /export
    invalid users = root
    admin users = simon
    read only = No
    dos filetime resolution = yes

Blue Pearl Software, Inc. will collect and process information about you that may be subject to data protection laws. For more information about how we use and disclose your personal information, how we protect your information, our legal basis to use your information, your rights and who you can contact, please refer to the relevant sections of our Privacy note at www.bluepearlsoftware.com/privacypolicy.
On 07/08/2020 20:12, Simon Matthews wrote:
>
> The client is running CentOS 7:
>
> # cat /etc/redhat-release
> CentOS Linux release 7.8.2003 (Core)
>
> After another attempt, I have successfully joined the Linux client to
> the domain:
>
> # net rpc join MEMBER -S raidserver -U root%<password>
> Using short domain name -- BLUE
> Joined 'TURQUOISE' to domain 'BLUE'
>
> Note that the hostname of the Linux client is actually "H2". Turquoise
> is a holdover from what it was earlier. "turquoise" resolves on the
> network:
>
> $ ping turquoise
> PING h2.sj.bps (192.168.254.105) 56(84) bytes of data.
> 64 bytes from h2.sj.bps (192.168.254.105): icmp_seq=1 ttl=64
> time=0.264 ms

I would suggest you stop it resolving if it has gone away.

> Client config:
> ========
>
> [global]
>
>     workgroup = BLUE
>     password server = raidserver
>     security = domain
>     idmap config * : range = 16777216-33554431

This is where your problems start; you do not have enough lines. I would expect something like this:

    idmap config * : backend = tdb
    idmap config * : range = 100000-9999999
    idmap config BLUE : backend = rid
    idmap config BLUE : range = 500-99999

>     template shell = /bin/false
>     kerberos method = secrets only

You do not use kerberos with a PDC.

>     winbind use default domain = false

If you want to remove the domain name 'BLUE\' from users and groups, change 'false' to 'yes'.

>     winbind offline logon = true
>     username map = /etc/samba/usermap.txt    # This file is empty.
>
>     server string = Samba Server Version %v
>
>     netbios name = TURQUOISE

If the client's name isn't 'turquoise', remove the above line and let Samba set it for you.

>     # client ntlmv2 auth = yes
>     # ntlm auth = no
>
>     interfaces = lo eth1
>
>     local master = no
>     os level = 20
>     preferred master = no
>
>     wins support = no

Might be an idea to replace the above line with 'wins server = <PDC IP>'.

Add this line:

    client max protocol = NT1

> Config on PDC (raidserver):
> ================

Not a lot wrong with the PDC smb.conf.

Again, can I stress that it would be a very good idea to upgrade to AD,

Rowland
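Rowland's point about the idmap lines, as an added example that is not part of the thread or of Samba's own tooling: a small Python checker that parses the `idmap config` lines from the `[global]` section of an smb.conf and applies the checks a domain-member admin wants before starting winbind (a default `*` range is set, the workgroup domain has its own block, every non-default domain names a backend, ranges are well-formed and do not overlap). It runs over the client's original one-line idmap config and Rowland's suggested four-line version, both copied from the thread into inline strings, plus a constructed overlapping variant (invented here, not from the thread) to exercise the collision check.

```python
import re

# Constructed from the thread: the client's original one-line idmap config.
ORIGINAL_CLIENT = """\
[global]
    workgroup = BLUE
    password server = raidserver
    security = domain
    idmap config * : range = 16777216-33554431
"""

# Constructed from the thread: the four lines Rowland suggested instead.
SUGGESTED_CLIENT = """\
[global]
    workgroup = BLUE
    password server = raidserver
    security = domain
    idmap config * : backend = tdb
    idmap config * : range = 100000-9999999
    idmap config BLUE : backend = rid
    idmap config BLUE : range = 500-99999
"""

# Constructed counter-example (not from the thread): the domain range collides
# with the default range, so two different SIDs can be mapped to one UID/GID.
OVERLAPPING_CLIENT = """\
[global]
    workgroup = BLUE
    security = domain
    idmap config * : backend = tdb
    idmap config * : range = 10000-99999
    idmap config BLUE : backend = rid
    idmap config BLUE : range = 500-99999
"""

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.*?)\s*$",
    re.IGNORECASE,
)
_WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(?P<wg>\S+)\s*$", re.IGNORECASE)


def parse_global(conf_text):
    """Return (workgroup, {DOMAIN: {key: value}}) from the [global] section.

    Only [global] is scanned, since Samba ignores idmap settings elsewhere.
    Lines starting with '#' or ';' are comments and are skipped.
    """
    workgroup, idmap, section = None, {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            continue
        if section != "global":
            continue
        m = _WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group("wg").upper()
            continue
        m = _IDMAP_RE.match(line)
        if m:
            dom = m.group("dom").upper()  # '*' is the default domain
            idmap.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
    return workgroup, idmap


def parse_range(text):
    """Parse 'low-high' into (low, high); None if malformed or low >= high."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", text)
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low < high else None


def check_idmap(conf_text):
    """Return a list of findings; an empty list means the idmap config is sane."""
    findings = []
    workgroup, idmap = parse_global(conf_text)

    if "*" not in idmap or "range" not in idmap["*"]:
        findings.append("no 'idmap config * : range': winbind has no default allocating range")

    # Without its own block, the workgroup's users fall through to the '*'
    # backend and get IDs allocated on first sight, different on every member.
    if workgroup and workgroup not in idmap:
        findings.append(f"no 'idmap config {workgroup} : ...' block: {workgroup} users get "
                        f"IDs allocated from the '*' range, which differ per machine")

    ranges = {}
    for dom, opts in idmap.items():
        # Samba defaults the '*' backend to tdb; every other domain must say which.
        if dom != "*" and "backend" not in opts:
            findings.append(f"idmap config {dom}: no backend set")
        if "range" not in opts:
            if dom != "*":  # the missing '*' range was reported above
                findings.append(f"idmap config {dom}: no range set")
            continue
        rng = parse_range(opts["range"])
        if rng is None:
            findings.append(f"idmap config {dom}: malformed range '{opts['range']}'")
            continue
        ranges[dom] = rng

    # Pairwise overlap check: overlapping ranges let two SIDs share one UID/GID.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges overlap: {a} {alo}-{ahi} and {b} {blo}-{bhi}")
    return findings


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CLIENT), ("suggested", SUGGESTED_CLIENT),
                       ("overlapping", OVERLAPPING_CLIENT)):
        result = check_idmap(conf)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run against the thread's configs, the original client config produces one finding (no block for BLUE), Rowland's suggested lines produce none, and the constructed variant is caught by the overlap check. On a real member server, run `testparm -s` as well: it validates the whole file, and recent versions also report overlapping idmap ranges.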
On 8/7/20 12:58 PM, Rowland penny via samba wrote:
> On 07/08/2020 20:12, Simon Matthews wrote:
>>
>> The client is running CentOS 7:
>>
>> # cat /etc/redhat-release
>> CentOS Linux release 7.8.2003 (Core)
>>
>> After another attempt, I have successfully joined the Linux client to
>> the domain:
>>
>> # net rpc join MEMBER -S raidserver -U root%<password>
>> Using short domain name -- BLUE
>> Joined 'TURQUOISE' to domain 'BLUE'
>>
>> Note that the hostname of the Linux client is actually "H2". Turquoise
>> is a holdover from what it was earlier. "turquoise" resolves on the
>> network:
>>
>> $ ping turquoise
>> PING h2.sj.bps (192.168.254.105) 56(84) bytes of data.
>> 64 bytes from h2.sj.bps (192.168.254.105): icmp_seq=1 ttl=64
>> time=0.264 ms
> I would suggest you stop it resolving if it has gone away.
>>
>> Client config:
>> ========
>>
>> [global]
>>
>>     workgroup = BLUE
>>     password server = raidserver
>>     security = domain
>>     idmap config * : range = 16777216-33554431
>
> This is where your problems start; you do not have enough lines. I
> would expect something like this:
>
>     idmap config * : backend = tdb
>     idmap config * : range = 100000-9999999
>     idmap config BLUE : backend = rid
>     idmap config BLUE : range = 500-99999
>
>>     template shell = /bin/false
>>     kerberos method = secrets only
> You do not use kerberos with a PDC.
>>     winbind use default domain = false
> If you want to remove the domain name 'BLUE\' from users and groups,
> change 'false' to 'yes'.
>>
>>     winbind offline logon = true
>>     username map = /etc/samba/usermap.txt    # This file is empty.
>>
>>     server string = Samba Server Version %v
>>
>>     netbios name = TURQUOISE
> If the client's name isn't 'turquoise', remove the above line and let
> Samba set it for you.
>>     # client ntlmv2 auth = yes
>>     # ntlm auth = no
>>
>>     interfaces = lo eth1
>>
>>     local master = no
>>     os level = 20
>>     preferred master = no
>>
>>     wins support = no
>
> Might be an idea to replace the above line with 'wins server = <PDC IP>'.
>
> Add this line:
>
>     client max protocol = NT1
>
>>
>> Config on PDC (raidserver):
>> ================
>
> Not a lot wrong with the PDC smb.conf.
>
> Again, can I stress that it would be a very good idea to upgrade to AD,

Yes, but I have limited resources for IT and the upgrade to AD is somewhat intrusive to the network (I am thinking of the impact to DNS).

The changes you suggested have worked. Thank you very much.

Simon

> Rowland