Hi,

I'm switching Samba shares to use Winbind rather than SSSD for authentication, with AD as the auth provider. nsswitch and pam have been updated to use winbind via authconfig. The domain is example.com, and 'ad.example.com' is an SRV record that points to the domain controllers. The samba server has been joined to the domain via 'net ads join', and when I run 'wbinfo -t' it reports the trust secret has succeeded, 'wbinfo -u' lists all the users (e.g., EXAMPLE\cam) on the domain, and 'wbinfo -g' lists the groups in the domain. But I cannot look up users via 'id' (either via 'id EXAMPLE\cam' or 'id cam'). OS version is RHEL 7.6, Samba version is 4.8.3-4.

smb.conf:

# Global parameters
[global]
        max log size = 0
        realm = AD.EXAMPLE.COM
        security = ADS
        template homedir = /u/%U
        template shell = /bin/bash
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = EXAMPLE
        idmap config * : range = 1000-20000000
        idmap config * : rangesize = 19900000
        idmap config * : backend = autorid


[user_data]
        comment = user_data
        path = /user_data
        read only = No

nsswitch.conf:

passwd:     files winbind
shadow:     files winbind
group:      files winbind
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus

pam.d/system-auth:

auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3 type
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_winbind.so cached_login

krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AD.EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 7d
 renew_lifetime = 14d
 allow_weak_crypto = true
 forwardable = true
 rdns=false

[realms]
 AD.EXAMPLE.COM = {
  kdc = ad.example.com
 }

[domain_realm]
 dneg.com = AD.EXAMPLE.COM
 .dneg.com = AD.EXAMPLE.COM

I've followed the official Red Hat guide, and have done various searches on the web, but every solution out there seems to offer different configurations, none of which have worked for me as yet. sssd used to work fine but I believe is no longer supported after Samba 4.8.0. Any ideas what I am doing wrong here?

Thanks for any help

Cam
You're missing the id mapping sections for the actual domain; * is the default (internally used) domain.

On 11/4/21 10:42, Campbell McLeay via samba wrote:
> Hi,
>
> I'm switching Samba shares to use Winbind rather than SSSD for
> authentication, with AD as the auth provider. nsswitch and pam have
> been updated to use winbind via authconfig. The domain is example.com,
> and 'ad.example.com' is an SRV record that points to the domain
> controllers. The samba server has been joined to the domain via 'net
> ads join' and when I run a 'wbinfo -t' it reports the trust secret has
> succeeded, and 'wbinfo -u' lists all the users (e.g., EXAMPLE\cam) on
> the domain, and a wbinfo -g lists the groups in the domain. But I
> cannot look up users via 'id' (either via 'id EXAMPLE\cam' or 'id
> cam'). OS version is RHEL 7.6, Samba version is 4.8.3-4.
>
> smb.conf:
>
> # Global parameters
> [global]
>         max log size = 0
>         realm = AD.EXAMPLE.COM
>         security = ADS
>         template homedir = /u/%U
>         template shell = /bin/bash
>         winbind offline logon = Yes
>         winbind refresh tickets = Yes
>         winbind use default domain = Yes
>         workgroup = EXAMPLE
>         idmap config * : range = 1000-20000000
>         idmap config * : rangesize = 19900000
>         idmap config * : backend = autorid
>
>
> [user_data]
>         comment = user_data
>         path = /user_data
>         read only = No
>
> nsswitch.conf:
>
> passwd:     files winbind
> shadow:     files winbind
> group:      files winbind
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> netgroup:   files
> publickey:  nisplus
> automount:  files
> aliases:    files nisplus
>
> pam.d/system-auth:
>
> auth        required      pam_env.so
> auth        required      pam_faildelay.so delay=2000000
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
> auth        sufficient    pam_winbind.so cached_login use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_access.so
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore]
> pam_winbind.so cached_login
> account     required      pam_permit.so
>
> password    requisite     pam_pwquality.so try_first_pass retry=3 type
> password    sufficient    pam_unix.so sha512 shadow nullok
> try_first_pass use_authtok
> password    sufficient    pam_winbind.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session    optional      pam_systemd.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_winbind.so cached_login
>
> krb5.conf:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = AD.EXAMPLE.COM
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  ticket_lifetime = 7d
>  renew_lifetime = 14d
>  allow_weak_crypto = true
>  forwardable = true
>  rdns=false
>
> [realms]
>  AD.EXAMPLE.COM = {
>   kdc = ad.example.com
>  }
>
> [domain_realm]
>  dneg.com = AD.EXAMPLE.COM
>  .dneg.com = AD.EXAMPLE.COM
>
> I've followed the official Red Hat guide, and have done various
> searches on the web, but every solution out there seems to offer
> different configurations, none of which have worked for me as yet.
> sssd used to work fine but I believe is no longer supported after
> Samba 4.8.0. Any ideas what I am doing wrong here?
>
> Thanks for any help
>
> Cam
>
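As an added check that is not part of the thread (example code, not Samba's own): a small parser for the 'idmap config' lines in smb.conf that reports whether the workgroup has its own idmap block (the point the reply above makes) and how many rangesize-sized slots the '*' autorid range actually holds. The smb.conf text is constructed from the values in Cam's post; the 100000 fallback for rangesize is autorid's documented default and everything else is an assumption of this example.

```python
import re

# Constructed input: the [global] idmap lines from the smb.conf posted above.
SMB_CONF = """
[global]
        workgroup = EXAMPLE
        idmap config * : range = 1000-20000000
        idmap config * : rangesize = 19900000
        idmap config * : backend = autorid
"""

# Matches 'idmap config <domain> : <option> = <value>' (case-insensitive).
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def autorid_slots(dom_cfg):
    """Whole rangesize-sized slots that fit inside the configured range."""
    low, high = (int(x) for x in dom_cfg["range"].split("-"))
    size = int(dom_cfg.get("rangesize", 100000))  # autorid's documented default
    return (high - low + 1) // size


def check_idmap(conf, workgroup):
    """List the idmap findings a practitioner would look for in this smb.conf."""
    cfg = parse_idmap(conf)
    findings = []
    if workgroup.upper() not in cfg:
        findings.append("no 'idmap config %s' block: the domain is mapped by the "
                        "'*' backend" % workgroup.upper())
    default = cfg.get("*", {})
    if default.get("backend", "").lower() == "autorid" and "range" in default:
        slots = autorid_slots(default)
        if slots < 2:
            # autorid hands out one slot per domain it maps (BUILTIN included)
            # and a further slot whenever a domain's RIDs exceed rangesize.
            findings.append("autorid range holds only %d slot(s)" % slots)
    return findings
```

With the posted values the range 1000-20000000 is 19999001 ids wide, so a rangesize of 19900000 leaves exactly one slot.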
On Thu, 2021-11-04 at 15:42 +0000, Campbell McLeay via samba wrote:
> Hi,
>
> I'm switching Samba shares to use Winbind rather than SSSD for
> authentication, with AD as the auth provider. nsswitch and pam have
> been updated to use winbind via authconfig. The domain is
> example.com,
> and 'ad.example.com' is an SRV record that points to the domain
> controllers.

What do you mean by that? Your dns domain must be the same as the AD dns domain.

> The samba server has been joined to the domain via 'net
> ads join' and when I run a 'wbinfo -t' it reports the trust secret
> has
> succeeded, and 'wbinfo -u' lists all the users (e.g., EXAMPLE\cam) on
> the domain, and a wbinfo -g lists the groups in the domain. But I
> cannot look up users via 'id' (either via 'id EXAMPLE\cam' or 'id
> cam'). OS version is RHEL 7.6, Samba version is 4.8.3-4.

Have you installed 'samba-winbind-clients' and run the correct 'authselect' incantation?

>
> smb.conf:
>
> # Global parameters
> [global]
>         max log size = 0
>         realm = AD.EXAMPLE.COM
>         security = ADS
>         template homedir = /u/%U
>         template shell = /bin/bash
>         winbind offline logon = Yes
>         winbind refresh tickets = Yes
>         winbind use default domain = Yes
>         workgroup = EXAMPLE
>         idmap config * : range = 1000-20000000
>         idmap config * : rangesize = 19900000
>         idmap config * : backend = autorid
>
>
> [user_data]
>         comment = user_data
>         path = /user_data
>         read only = No
>
> nsswitch.conf:
>
> passwd:     files winbind
> shadow:     files winbind

Remove winbind from the 'shadow' line, it shouldn't be there.

> group:      files winbind
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> netgroup:   files
> publickey:  nisplus
> automount:  files
> aliases:    files nisplus
>
> pam.d/system-auth:
>
> auth        required      pam_env.so
> auth        required      pam_faildelay.so delay=2000000
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
> auth        sufficient    pam_winbind.so cached_login use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_access.so
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore]
> pam_winbind.so cached_login
> account     required      pam_permit.so
>
> password    requisite     pam_pwquality.so try_first_pass retry=3
> type
> password    sufficient    pam_unix.so sha512 shadow nullok
> try_first_pass use_authtok
> password    sufficient    pam_winbind.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session    optional      pam_systemd.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_winbind.so cached_login
>
> krb5.conf:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = AD.EXAMPLE.COM
>  dns_lookup_realm = true

The above should be 'false' not 'true'

>  dns_lookup_kdc = true
>  ticket_lifetime = 7d
>  renew_lifetime = 14d
>  allow_weak_crypto = true
>  forwardable = true
>  rdns=false
>
> [realms]
>  AD.EXAMPLE.COM = {
>   kdc = ad.example.com
>  }
>
> [domain_realm]
>  dneg.com = AD.EXAMPLE.COM
>  .dneg.com = AD.EXAMPLE.COM
>
> I've followed the official Red Hat guide, and have done various
> searches on the web, but every solution out there seems to offer
> different configurations, none of which have worked for me as yet.
> sssd used to work fine but I believe is no longer supported after
> Samba 4.8.0. Any ideas what I am doing wrong here?

Using the wrong OS :-D

Rowland
On Thu, 2021-11-04 at 15:42 +0000, Campbell McLeay via samba wrote:
> Hi,
>
> I'm switching Samba shares to use Winbind rather than SSSD for
> authentication, with AD as the auth provider. nsswitch and pam have
> been updated to use winbind via authconfig. The domain is
> example.com,
> and 'ad.example.com' is an SRV record that points to the domain
> controllers. The samba server has been joined to the domain via 'net
> ads join' and when I run a 'wbinfo -t' it reports the trust secret
> has
> succeeded, and 'wbinfo -u' lists all the users (e.g., EXAMPLE\cam) on
> the domain, and a wbinfo -g lists the groups in the domain. But I
> cannot look up users via 'id' (either via 'id EXAMPLE\cam' or 'id
> cam'). OS version is RHEL 7.6, Samba version is 4.8.3-4.

OK, so I have installed CentOS 7 and fully updated it (it now has Samba 4.10.16) and I have 'id' working. I had to change a few things to get it to work and I will never trust authconfig again.

Rowland