Rowland Penny
2023-Apr-25 16:01 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 25/04/2023 16:34, Gary Dale via samba wrote:
> On 2023-04-25 07:30, Rowland Penny via samba wrote:
>>
>>
>> On 25/04/2023 04:56, Gary Dale via samba wrote:
>>>
>>> which is owned by root:Domain Admins. This shows up in Linux as:
>>> root@TheLibrarian:~# ls -l /srv/
>>> total 4
>>> drwxr-xr-x 2 root 110512 4096 Apr 23 11:30 taxes
>>
>> Why is the group being shown as a number rather than by name (which
>> ends in '512' so is probably Domain Admins, which shouldn't have a
>> gidNumber, it breaks sysvol when using the 'ad' idmap backend)
>> Is /etc/nsswitch.conf set up correctly? Are libpam-winbind and
>> libnss-winbind installed?
>>
>> Rowland
>>
> Both are installed from backports (version 4.17.7).
>
> /etc/nsswitch.conf reads:
> passwd:         db files winbind systemd
> group:          db files winbind systemd

I had to look up what 'db' was, never come across it before. I do not know who put it there, but I would remove every mention of it from nsswitch.conf.

> shadow:         files
>
> hosts:          files wins mdns4_minimal [NOTFOUND=return] dns mdns4

How did 'wins' get there? AD does not use it, so I would remove it; in fact, I would remove the mdns4 stuff as well, leaving just this:

hosts:          files dns

> mymachines
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
>
> I can't see any mention of any configuration for libpam-winbind.

You do not need to configure it, just install it and ensure that 'winbind' is in the passwd and group lines.

> When I
> look at
> https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM,
> there isn't much there. Under Configuring PAM, it just lists the
> utilities but doesn't say what you are supposed to do with them. It also
> shows an example for enabling SSH authentication on a Red Hat system,
> but I never use password authentication for SSH. I use certificates.

That is the problem, PAM is set up differently depending on the distro, so you have to refer to the distro's documentation. However, Debian does most of the required modifications for you; run 'pam-auth-update' to see what is available and if it is already in use.

>
> The man page for pam-auth-update isn't helpful but looking at the
> individual /etc/pam.d/ files, they seem to have mention of winbind and
> kerberos.
>
> I note that:
> root@TheLibrarian:~# net rpc group list -U Administrator   ## same
> results from my workstation.
> Password for [HOME\Administrator]:
> Could not connect to server 127.0.0.1

It is trying to connect to a non-existing server on localhost, you will need to use '-S <DC_hostname>'.

> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> but the command(s) work on DC1. Both machines were joined to the domain
> and both show in the list of domain computers.
>

Rowland
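Added example, not code from the thread or from Samba: a POSIX sh function that audits an nsswitch.conf for the three things Rowland flags above (a 'db' source on any line, 'wins' or mdns4 entries in the hosts line, and 'winbind' absent from passwd/group). The sample it reads is a constructed copy of the file Gary posted, with the whitespace debris replaced by spaces.

```shell
#!/bin/sh
# Added example, not from the thread: audit an nsswitch.conf for the
# points Rowland raises for a Samba AD domain member.
set -f   # no pathname expansion, so a token like [NOTFOUND=return] stays literal

# Reads nsswitch.conf on stdin, prints one finding per line,
# returns 0 when clean and 1 when something needs attention.
audit_nsswitch() {
    rc=0
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
        name=${line%%:*}                            # database name, e.g. hosts
        srcs=$(printf '%s' "${line#*:}" | tr '\t' ' ')
        for s in $srcs; do
            case "$name:$s" in
                *:db) echo "$name: remove 'db' source"; rc=1 ;;
                hosts:wins|hosts:mdns4*) echo "hosts: remove '$s' (AD uses DNS)"; rc=1 ;;
            esac
        done
        case "$name" in
            passwd|group)
                case " $srcs " in
                    *" winbind "*) ;;
                    *) echo "$name: 'winbind' missing"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Constructed sample: the nsswitch.conf Gary posted.
audit_nsswitch <<'EOF' || echo "nsswitch.conf needs attention"
passwd:         db files winbind systemd
group:          db files winbind systemd
shadow:         files
hosts:          files wins mdns4_minimal [NOTFOUND=return] dns mdns4 mymachines
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
EOF
```

On a real member run it as `audit_nsswitch < /etc/nsswitch.conf`; a clean file (for example `hosts: files dns` with `winbind` on passwd and group) prints nothing and returns 0.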
Gary Dale
2023-Apr-25 18:37 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 2023-04-25 12:01, Rowland Penny via samba wrote:
>
>
> On 25/04/2023 16:34, Gary Dale via samba wrote:
>> On 2023-04-25 07:30, Rowland Penny via samba wrote:
>>>
>>>
>>> On 25/04/2023 04:56, Gary Dale via samba wrote:
>>>>
>>>> which is owned by root:Domain Admins. This shows up in Linux as:
>>>> root@TheLibrarian:~# ls -l /srv/
>>>> total 4
>>>> drwxr-xr-x 2 root 110512 4096 Apr 23 11:30 taxes
>>>
>>> Why is the group being shown as a number rather than by name (which
>>> ends in '512' so is probably Domain Admins, which shouldn't have a
>>> gidNumber, it breaks sysvol when using the 'ad' idmap backend)
>>> Is /etc/nsswitch.conf set up correctly? Are libpam-winbind and
>>> libnss-winbind installed?
>>>
>>> Rowland
>>>
>> Both are installed from backports (version 4.17.7).
>>
>> /etc/nsswitch.conf reads:
>> passwd:         db files winbind systemd
>> group:          db files winbind systemd
>
> I had to look up what 'db' was, never come across it before. I do not
> know who put it there, but I would remove every mention of it from
> nsswitch.conf.
>
>> shadow:         files
>>
>> hosts:          files wins mdns4_minimal [NOTFOUND=return] dns mdns4
>
> How did 'wins' get there? AD does not use it, so I would remove it; in
> fact, I would remove the mdns4 stuff as well, leaving just this:
>
> hosts:          files dns
>
>> mymachines
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>>
>>
>> I can't see any mention of any configuration for libpam-winbind.
>
> You do not need to configure it, just install it and ensure that
> 'winbind' is in the passwd and group lines.
>
>> When I
>> look at
>> https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM,
>> there isn't much there. Under Configuring PAM, it just lists the
>> utilities but doesn't say what you are supposed to do with them. It
>> also shows an example for enabling SSH authentication on a Red Hat
>> system, but I never use password authentication for SSH. I use
>> certificates.
>
> That is the problem, PAM is set up differently depending on the
> distro, so you have to refer to the distro's documentation. However,
> Debian does most of the required modifications for you; run
> 'pam-auth-update' to see what is available and if it is already in use.
>
>>
>> The man page for pam-auth-update isn't helpful but looking at the
>> individual /etc/pam.d/ files, they seem to have mention of winbind
>> and kerberos.
>>
>> I note that:
>> root@TheLibrarian:~# net rpc group list -U Administrator   ## same
>> results from my workstation.
>> Password for [HOME\Administrator]:
>> Could not connect to server 127.0.0.1
>
> It is trying to connect to a non-existing server on localhost, you
> will need to use '-S <DC_hostname>'.
>
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>>
>> but the command(s) work on DC1. Both machines were joined to the
>> domain and both show in the list of domain computers.
>>
>>
>
> Rowland
>

OK. Did all that. And yes, when I use the -S option, I can get the command to work. However, why is it even looking at localhost? The wbinfo --ping-dc shows that it knows the DC is DC1. Where is the net rpc command getting localhost from? I'd think the -S option is useful when you have multiple DCs and want to check the results from a particular one. If Samba on the file & print server isn't automatically going to the DC, I'd think that would cause a lot of problems - like the ones I'm seeing.

I might suspect that the issue had to do with the server's previous life as the AD DC, but I get the same thing happening on my workstation, which has only just had Samba installed on it and has never served files let alone domain accounts.
Gary Dale
2023-Apr-26 15:05 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 2023-04-25 12:01, Rowland Penny via samba wrote:
>
>
> On 25/04/2023 16:34, Gary Dale via samba wrote:
>> On 2023-04-25 07:30, Rowland Penny via samba wrote:
>>>
>>>
>>> On 25/04/2023 04:56, Gary Dale via samba wrote:
>>>>
>>>> which is owned by root:Domain Admins. This shows up in Linux as:
>>>> root@TheLibrarian:~# ls -l /srv/
>>>> total 4
>>>> drwxr-xr-x 2 root 110512 4096 Apr 23 11:30 taxes
>>>
>>> Why is the group being shown as a number rather than by name (which
>>> ends in '512' so is probably Domain Admins, which shouldn't have a
>>> gidNumber, it breaks sysvol when using the 'ad' idmap backend)
>>> Is /etc/nsswitch.conf set up correctly? Are libpam-winbind and
>>> libnss-winbind installed?
>>>
>>> Rowland
>>>
>> Both are installed from backports (version 4.17.7).
>>
>> /etc/nsswitch.conf reads:
>> passwd:         db files winbind systemd
>> group:          db files winbind systemd
>
> I had to look up what 'db' was, never come across it before. I do not
> know who put it there, but I would remove every mention of it from
> nsswitch.conf.
>
>> shadow:         files
>>
>> hosts:          files wins mdns4_minimal [NOTFOUND=return] dns mdns4
>
> How did 'wins' get there? AD does not use it, so I would remove it; in
> fact, I would remove the mdns4 stuff as well, leaving just this:
>
> hosts:          files dns
>
>> mymachines
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>>
>>
>> I can't see any mention of any configuration for libpam-winbind.
>
> You do not need to configure it, just install it and ensure that
> 'winbind' is in the passwd and group lines.
>
>> When I
>> look at
>> https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM,
>> there isn't much there. Under Configuring PAM, it just lists the
>> utilities but doesn't say what you are supposed to do with them. It
>> also shows an example for enabling SSH authentication on a Red Hat
>> system, but I never use password authentication for SSH. I use
>> certificates.
>
> That is the problem, PAM is set up differently depending on the
> distro, so you have to refer to the distro's documentation. However,
> Debian does most of the required modifications for you; run
> 'pam-auth-update' to see what is available and if it is already in use.
>
>>
>> The man page for pam-auth-update isn't helpful but looking at the
>> individual /etc/pam.d/ files, they seem to have mention of winbind
>> and kerberos.
>>
>> I note that:
>> root@TheLibrarian:~# net rpc group list -U Administrator   ## same
>> results from my workstation.
>> Password for [HOME\Administrator]:
>> Could not connect to server 127.0.0.1
>
> It is trying to connect to a non-existing server on localhost, you
> will need to use '-S <DC_hostname>'.
>
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>>
>> but the command(s) work on DC1. Both machines were joined to the
>> domain and both show in the list of domain computers.
>>
>

While adding the -S option works on net rpc, the similar -s option fails for getent commands. e.g.

root@DC1:~# getent passwd HOME\\gary
HOME\gary:*:3000022:100::/home/HOME/gary:/bin/false

root@TheLibrarian:~# getent passwd HOME\\gary
root@TheLibrarian:~# getent passwd HOME\\gary -s DC1
root@TheLibrarian:~#

Similarly, when trying to login from a domain account I get:

root@DC1:~# login
DC1 login: gary
Password:
Linux DC1 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Apr 26 10:43:27 EDT 2023 on pts/0
No directory, logging in with HOME=/

However on a member server I get (after setting the winbind separator to ":" - it rejected other characters I tried. Moreover I get the same results when I omit the winbind separator from smb.conf and use HOME\\gary to login):

root@TheLibrarian:~# login
TheLibrarian login: HOME:gary
Password:

Login incorrect

and without the winbind separator and after restarting winbind:

root@TheLibrarian:~# login
TheLibrarian login: HOME\\gary
Password:

Login incorrect

The bit about the winbind separator is from an outdated Samba 3 wiki at https://www.samba.org/~ab/output/htmldocs/Samba3-HOWTO/winbind.html that I thought I'd try since login wasn't working anyway.