On Sat, 2022-09-17 at 15:17 +0000, Shannon Price via samba wrote:
> We support our Windows clients via Samba since the 1990s. Our main
> infrastructure is NIS/NFS to support our servers and Linux clients.
> We have Samba using ADS for authentication for many years, but our
> users and groups still come from NIS. Our last Samba server is
> running on Ubuntu 18 (Samba 4.7.6) and is rock solid using
> smbd/nmbd. Our newest Samba server is running on Ubuntu 20.04 (Samba
> 4.11.6 - we found severe problems with the current versions:
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1954342
> and have pinned Samba at 4.11.6 for now). We're running it the same
> way we always have - the machine is ADS joined (net join ads ....). I
> experimented with winbind for quite a while, but we don't need AD
> groups or user attributes, so it seems unnecessary and we couldn't
> get our NIS groups to work when we did that even trying to monkey
> with nsswitch.conf using nis for groups.
>
> The problem now is only that I have full access to everything with
> unqualified names (\\SERVER\homes works), but FQDN
> (\\server.domain.edu\homes) doesn't work and the debug logs show
> that Samba wants winbind whenever I talk to the server with FQDN.
>
> Logs with FQDN:
> [2022/09/17 08:40:16.941558, 0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
>   check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
> [2022/09/17 08:40:16.943204, 2] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
> [2022/09/17 08:40:16.943300, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
>
> Logs without FQDN:
> 131.204.17.34 (ipv4:131.204.17.34:28915) connect to service USERNAME initially as user USERNAME (uid=12345, gid=123) (pid 454545)
> [2022/09/17 10:15:38.595009, 0] ../../source3/param/loadparm.c:3358(process_usershare_file)

What you do is still possible, perhaps with some work (see the Nov 2021
security guidance as you have not applied those patches).

Just run winbindd but don't configure it in the smb.conf.

We recognise that for some the authentication is via AD but the
authorization is via other methods specified in nsswitch.conf, and we
now have tests specifically aimed at this.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
On 18/09/2022 10:16, Andrew Bartlett via samba wrote:
> What you do is still possible, perhaps with some work (see the Nov 2021
> security guidance as you have not applied those patches).
>
> Just run winbindd but don't configure it in the smb.conf.
>
> We recognise that for some the authentication is via AD but the
> authorization is via other methods specified in nsswitch.conf, and we
> now have tests specifically aimed at this.
>
> Andrew Bartlett

It is all very well saying that Andrew, but the OP referred to Windows
clients; he also has Linux clients, along with NIS and NFS. This means
that he must maintain Linux users that are really Windows users, Linux
users that are authenticating from AD, NFS users that are authenticating
to AD, NIS users that are authenticating to AD; finally, I have no idea
how or where the NIS groups are stored.

Sooner or later, Samba is going to drop SMBv1 and anything that relies
on it will also disappear, not that this will really matter to the OP,
because he is using 'security = ADS'.

If he sets up the smb.conf correctly, his Windows clients will treat
Linux machines as if they are Windows machines, he can get his Linux
machines to behave as if they are Windows machines (so he will not need
NIS) and NFS can easily authenticate to AD.

To be honest, I expect better of Universities, they are supposed to be
places of learning; pity most of them do not seem to want to use new (if
you can call AD new) and better ways.

Rowland
Thank you very much for your response, Andrew. I removed the idmap and
template settings from smb.conf (which I thought would achieve what you
recommended - "don't configure it in smb.conf"). The FQDN mapping is
working, but shares which are accessible only via NIS groups are broken
again this way.

create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2022/09/18 10:00:31.881426, 1] ../../source3/smbd/service.c:355(create_connection_session_info)
  create_connection_session_info: user 'USERNAME' (from session setup) not permitted to access this share (GROUPSHARE)
[2022/09/18 10:00:31.881496, 1] ../../source3/smbd/service.c:530(make_connection_snum)

nsswitch.conf still looks like this:

passwd: compat nis
group: compat nis

I realize that this configuration is antiquated. I'll follow up with
Rowland to get some ideas about modernizing.

-- 
Shannon
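As an added triage example (not code from the thread or from Samba), the shell below checks a Samba log excerpt and an nsswitch.conf for the shape Andrew describes: smbd demanding winbindd for authentication while passwd/group lookups still come from NIS, not winbind. The log text and nsswitch.conf are constructed inline from the lines quoted in the thread; the /var/log/samba/log.* and /etc/nsswitch.conf paths named in the comments are assumed typical locations, not taken from the thread.

```shell
#!/bin/sh
# Triage helper for the "winbindd not running - but required as domain
# member" symptom from the thread. Added example, not Samba's code.
# Runs offline on constructed samples; on a real host feed it the
# contents of /var/log/samba/log.* and /etc/nsswitch.conf instead.

# Constructed log excerpt in the same format as the lines quoted above.
SAMPLE_LOG='[2022/09/17 08:40:16.941558, 0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
  check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
[2022/09/17 08:40:16.943204, 2] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1'

# Constructed nsswitch.conf in the shape the OP posted (NIS, no winbind).
SAMPLE_NSS='passwd: compat nis
group: compat nis
hosts: files dns'

# Print the distinct NT_STATUS codes in a log text, one per line.
nt_status_codes() {
    printf '%s\n' "$1" | grep -o 'NT_STATUS_[A-Z_]*' | sort -u
}

# Succeed when smbd logged that it refused because winbindd is absent.
log_wants_winbindd() {
    printf '%s\n' "$1" | grep -q 'winbindd not running - but required as domain member'
}

# Succeed when the passwd or group database lists the named NSS source.
nss_uses() {   # $1 = nsswitch text, $2 = source name (winbind, nis, ...)
    printf '%s\n' "$1" | grep -Eq "^(passwd|group):.*[[:space:]]$2([[:space:]]|$)"
}

# Combine the checks into one verdict line.
triage() {
    if ! log_wants_winbindd "$1"; then
        echo "no winbindd requirement seen in log"
    elif nss_uses "$2" winbind; then
        echo "winbind already in nsswitch; start winbindd"
    elif nss_uses "$2" nis; then
        echo "start winbindd for AD authentication; nsswitch keeps NIS for authorization"
    else
        echo "start winbindd; check where passwd/group come from"
    fi
}

triage "$SAMPLE_LOG" "$SAMPLE_NSS"
nt_status_codes "$SAMPLE_LOG"
```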
I assume this is the Nov 2021 security guidance that you mention? I'll
include the link for reference in the thread.

https://www.cisa.gov/uscert/ncas/current-activity/2021/11/09/samba-releases-security-updates

Could you tell that only from the version that I mentioned (4.11.6)?

-- 
Shannon