We have supported our Windows clients via Samba since the 1990s. Our main infrastructure is NIS/NFS to support our servers and Linux clients. We have had Samba using ADS for authentication for many years, but our users and groups still come from NIS. Our last Samba server is running on Ubuntu 18 (Samba 4.7.6) and is rock solid using smbd/nmbd. Our newest Samba server is running on Ubuntu 20.04 (Samba 4.11.6 - we found severe problems with the current versions: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1954342 and have pinned Samba at 4.11.6 for now). We're running it the same way we always have - the machine is ADS joined (net join ads ....). I experimented with winbind for quite a while, but we don't need AD groups or user attributes, so it seems unnecessary, and we couldn't get our NIS groups to work when we did that, even trying to monkey with nsswitch.conf using nis for groups.

The problem now is only that I have full access to everything with unqualified names (\\SERVER\homes works), but FQDN (\\server.domain.edu\homes) doesn't work, and the debug logs show that Samba wants winbind whenever I talk to the server with FQDN.
Logs with FQDN:

[2022/09/17 08:40:16.941558, 0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
  check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
[2022/09/17 08:40:16.943204, 2] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2022/09/17 08:40:16.943300, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)

Logs without FQDN:

131.204.17.34 (ipv4:131.204.17.34:28915) connect to service USERNAME initially as user USERNAME (uid=12345, gid=123) (pid 454545)
[2022/09/17 10:15:38.595009, 0] ../../source3/param/loadparm.c:3358(process_usershare_file)

smb.conf:

[global]
# workgroup and naming
workgroup = DOMAIN
netbios name = SAMBASERVERNAME

# server settings
interfaces = MY IP ADDRESS
bind interfaces only = yes
deadtime = 15
strict locking = no

# disable server ntlmv1 support
# require ntlmv2.1 or higher (windows 7 and up)
server min protocol = SMB2_10
client max protocol = SMB3
client min protocol = SMB2_10

security = ads
password server = KERBEROS SERVER
passdb backend = tdbsam
realm = DOMAIN.EDU
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999

# browsing settings
domain master = no
local master = no
preferred master = no

--
Shannon Price
College of Engineering
Auburn University
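As an added illustration (not part of the thread and not Samba project code), the script below parses smbd debug records in the two-line format shown in the logs above (a bracketed header with timestamp, debug level and source location, followed by message lines indented with two spaces) and pulls out the three things worth correlating when diagnosing this failure: the check_winbind_security refusal, the authentication failure it causes, and the successful connection records with the uid/gid that the server resolved. The sample log is constructed from the lines quoted in the post; the regexes and the helper names are this example's own.

```python
import re
from dataclasses import dataclass

# Samba writes each debug record as a header line followed by one or more
# message lines indented with two spaces; lines smbd prints without a header
# (such as the "connect to service" banner) start at column 0.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), (?P<level>\d+)\] "
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
AUTH_FAIL_RE = re.compile(
    r"Authentication for user \[(?P<user>[^\]]*)\] -> \[(?P<mapped>[^\]]*)\] "
    r"FAILED with error (?P<status>NT_STATUS_\w+)(?:, authoritative=(?P<authoritative>\d))?"
)
CONNECT_RE = re.compile(
    r"^(?P<ip>\S+) \(ipv4:[^)]*\) connect to service (?P<service>\S+) "
    r"initially as user (?P<user>\S+) \(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\)"
)
WINBIND_MISSING = "winbindd not running - but required as domain member"

# Constructed sample, assembled from the lines quoted in the thread.
SAMPLE_LOG = """\
[2022/09/17 08:40:16.941558, 0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
  check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
[2022/09/17 08:40:16.943204, 2] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2022/09/17 08:40:16.943300, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
131.204.17.34 (ipv4:131.204.17.34:28915) connect to service USERNAME initially as user USERNAME (uid=12345, gid=123) (pid 454545)
[2022/09/17 10:15:38.595009, 0] ../../source3/param/loadparm.c:3358(process_usershare_file)
"""


@dataclass
class Entry:
    ts: str          # empty for headerless lines
    level: int       # -1 for headerless lines
    file: str
    line: int
    func: str
    message: str = ""


def parse_log(text):
    """Group header + indented message lines into Entry records."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = HEADER_RE.match(raw)
        if m:
            current = Entry(m["ts"], int(m["level"]), m["file"], int(m["line"]), m["func"])
            entries.append(current)
        elif raw.startswith(" ") and current is not None:
            # indented line: continuation of the message under the last header
            current.message = (current.message + " " + raw.strip()).strip()
        else:
            # unindented, headerless line: record it on its own
            current = None
            entries.append(Entry("", -1, "", 0, "", raw.strip()))
    return entries


def winbind_missing_events(entries):
    """Timestamps where auth_winbind refused because winbindd was not running."""
    return [e.ts for e in entries
            if e.func == "check_winbind_security" and WINBIND_MISSING in e.message]


def failed_auths(entries):
    """Authentication failures with user, mapped user and NT status."""
    out = []
    for e in entries:
        m = AUTH_FAIL_RE.search(e.message)
        if m:
            out.append({"ts": e.ts, "user": m["user"], "mapped": m["mapped"],
                        "status": m["status"], "authoritative": m["authoritative"] == "1"})
    return out


def connections(entries):
    """Accepted sessions, with the uid/gid smbd resolved for the user."""
    out = []
    for e in entries:
        m = CONNECT_RE.match(e.message)
        if m:
            out.append({"ip": m["ip"], "service": m["service"], "user": m["user"],
                        "uid": int(m["uid"]), "gid": int(m["gid"])})
    return out


def triage(text):
    """Summarise whether every auth failure is the NO_LOGON_SERVERS one tied to a missing winbindd."""
    entries = parse_log(text)
    missing = winbind_missing_events(entries)
    fails = failed_auths(entries)
    return {
        "winbind_missing": missing,
        "failed_auths": fails,
        "connections": connections(entries),
        "explained_by_missing_winbind":
            bool(missing) and all(f["status"] == "NT_STATUS_NO_LOGON_SERVERS" for f in fails),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real `log.smbd` (or a per-client log under `log file = /var/log/samba/log.%m`) at `log level = 2` or higher; the same header regex also works on winbindd's own log. The point of keeping the connection records alongside the failures is that, in this setup, a successful session shows the uid/gid that came from NIS via nsswitch, which is the authorization path the replies below talk about.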
On 17/09/2022 16:17, Shannon Price via samba wrote:

> We have supported our Windows clients via Samba since the 1990s. Our main infrastructure is NIS/NFS to support our servers and Linux clients. We have had Samba using ADS for authentication for many years, but our users and groups still come from NIS. Our last Samba server is running on Ubuntu 18 (Samba 4.7.6) and is rock solid using smbd/nmbd. Our newest Samba server is running on Ubuntu 20.04 (Samba 4.11.6 - we found severe problems with the current versions: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1954342 and have pinned Samba at 4.11.6 for now). We're running it the same way we always have - the machine is ADS joined (net join ads ....). I experimented with winbind for quite a while, but we don't need AD groups or user attributes, so it seems unnecessary, and we couldn't get our NIS groups to work when we did that, even trying to monkey with nsswitch.conf using nis for groups.

NIS is dead. The link you provided refers to an old way of doing things. NT4-style domains aren't dead yet, but they are staggering along on their last legs. From Samba 4.8.0, if security is set to 'domain' or 'ads' you must run winbind.

> The problem now is only that I have full access to everything with unqualified names (\\SERVER\homes works), but FQDN (\\server.domain.edu\homes) doesn't work, and the debug logs show that Samba wants winbind whenever I talk to the server with FQDN.
>
> Logs with FQDN:
> [2022/09/17 08:40:16.941558, 0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
>   check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
> [2022/09/17 08:40:16.943204, 2] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
> [2022/09/17 08:40:16.943300, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
>
> Logs without FQDN:
> 131.204.17.34 (ipv4:131.204.17.34:28915) connect to service USERNAME initially as user USERNAME (uid=12345, gid=123) (pid 454545)
> [2022/09/17 10:15:38.595009, 0] ../../source3/param/loadparm.c:3358(process_usershare_file)
>
> smb.conf:
>
> [global]
> # workgroup and naming
> workgroup = DOMAIN
> netbios name = SAMBASERVERNAME
>
> # server settings
> interfaces = MY IP ADDRESS
> bind interfaces only = yes
> deadtime = 15
> strict locking = no
>
> # disable server ntlmv1 support
> # require ntlmv2.1 or higher (windows 7 and up)
> server min protocol = SMB2_10
> client max protocol = SMB3
> client min protocol = SMB2_10

You do not need the 'protocol' lines; from 4.11.0 the 'min' ones have been set to SMB2, and the max ones were set to SMB3 quite some time ago.

> security = ads
> password server = KERBEROS SERVER

You shouldn't set that; allow Samba to find the best one.

> passdb backend = tdbsam
> realm = DOMAIN.EDU
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999

That is totally wrong, you do not '9999999' for the default domain, and there should be lines for the 'DOMAIN' domain.

> # browsing settings
> domain master = no
> local master = no
> preferred master = no

I suggest you upgrade to AD as soon as possible.

Rowland
On Sat, 2022-09-17 at 15:17 +0000, Shannon Price via samba wrote:

> We have supported our Windows clients via Samba since the 1990s. Our main infrastructure is NIS/NFS to support our servers and Linux clients. We have had Samba using ADS for authentication for many years, but our users and groups still come from NIS. Our last Samba server is running on Ubuntu 18 (Samba 4.7.6) and is rock solid using smbd/nmbd. Our newest Samba server is running on Ubuntu 20.04 (Samba 4.11.6 - we found severe problems with the current versions: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1954342 and have pinned Samba at 4.11.6 for now). We're running it the same way we always have - the machine is ADS joined (net join ads ....). I experimented with winbind for quite a while, but we don't need AD groups or user attributes, so it seems unnecessary, and we couldn't get our NIS groups to work when we did that, even trying to monkey with nsswitch.conf using nis for groups.
>
> The problem now is only that I have full access to everything with unqualified names (\\SERVER\homes works), but FQDN (\\server.domain.edu\homes) doesn't work, and the debug logs show that Samba wants winbind whenever I talk to the server with FQDN.
>
> Logs with FQDN:
> [2022/09/17 08:40:16.941558, 0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
>   check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
> [2022/09/17 08:40:16.943204, 2] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
> [2022/09/17 08:40:16.943300, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
>
> Logs without FQDN:
> 131.204.17.34 (ipv4:131.204.17.34:28915) connect to service USERNAME initially as user USERNAME (uid=12345, gid=123) (pid 454545)
> [2022/09/17 10:15:38.595009, 0] ../../source3/param/loadparm.c:3358(process_usershare_file)

What you do is still possible, perhaps with some work (see the Nov 2021 security guidance, as you have not applied those patches). Just run winbindd but don't configure it in the smb.conf. We recognise that for some the authentication is via AD but the authorization is via other methods specified in nsswitch.conf, and we now have tests specifically aimed at this.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions