Gary Dale
2023-Apr-26 18:40 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 2023-04-26 13:54, Rowland Penny via samba wrote:
>
> On 26/04/2023 18:27, Gary Dale via samba wrote:
>
>> No. I am running the tests suggested by the various Samba wiki pages.
>> I can do a getent passwd <local account> on my workstation and on my
>> file & print server but I can't do a getent passwd <domain account>
>> except on my DC. I explicitly showed that in the message before the
>> one you replied to. I also showed how I can't do a login to a domain
>> account except on the DC.
>>
>> This failure to get domain account information seems likely to be at
>> the heart of the problems I'm having.
>>
>
> So you are running 'getent passwd gary' and getting no output, this is
> usually caused by libpam-winbind and libnss-winbind not being
> installed, or /etc/nsswitch.conf not being configured correctly, the
> relevant lines from mine look like this:
>
> passwd:         files winbind
> group:          files winbind

installed and configured correctly

> Or pam-auth-update is configured correctly, again these are the lines
> from mine:
>
> [*] Unix authentication
> [*] Winbind NT/Active Directory authentication
> [*] Register user sessions in the systemd control group ...
> [*] Create home directory on login
>

Have an extra entry for systemd that is checked but have Create home
directory on login unchecked. Shouldn't cause the problems I'm seeing.

> Or you are using the 'ad' idmap backend on a Unix domain member and
> haven't added a uidNumber attribute to the users and added a gidNumber
> attribute to the Domain Users group. The numbers you use in these
> attributes have to be unique, though you can use the same range for
> users and groups, that is 'gary' could have the ID 10000 and Domain
> Users could also have the same ID 10000. Whatever numbers you use, the
> Domain idmap config line in smb.conf must enclose those numbers e.g.
> idmap config DOMAIN : range = 10000-999999

Ah, so that explains it.

I originally was using autorid because that seemed the best fit for my
circumstances but you complained about me doing that. Re-reading the
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba
I see it mentions that I have to add the uidNumber and gidNumber
attributes without actually telling me how to do it.

I found
https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_using_samba-tool_and_ldb-tools#Adding_Unix_attributes_to_an_existing_user_account
which gives insufficient instruction in the matter. I note, for example,
the line:

samba-tool user addunixattrs sambauser uid --gid-number=gid
--login-shell=/bin/bash --unix-home=/home/sambauser

which I think may be better written as:

samba-tool user addunixattrs <sambauser> <uid> --gid-number=<gid>
--login-shell=/bin/bash --unix-home=/home/<sambauser>

followed by an example showing reasonable values (or some discussion
about what those values should be). My immediate reaction would be to
use normal Linux user ids (i.e. starting at 1000 on Debian) and group
ids (i.e. 100 is the normal group for users). However, you have reacted
in horror to that idea, so this would probably be a good wiki to present
an explanation as to why it is a bad idea.

> You may have done all of these, if so I will have another think.
>
> Rowland
>
Rowland Penny
2023-Apr-26 19:21 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 26/04/2023 19:40, Gary Dale via samba wrote:
>
> On 2023-04-26 13:54, Rowland Penny via samba wrote:
>>
>> On 26/04/2023 18:27, Gary Dale via samba wrote:
>>
>>> No. I am running the tests suggested by the various Samba wiki pages.
>>> I can do a getent passwd <local account> on my workstation and on my
>>> file & print server but I can't do a getent passwd <domain account>
>>> except on my DC. I explicitly showed that in the message before the
>>> one you replied to. I also showed how I can't do a login to a domain
>>> account except on the DC.
>>>
>>> This failure to get domain account information seems likely to be at
>>> the heart of the problems I'm having.
>>>
>>
>> So you are running 'getent passwd gary' and getting no output, this is
>> usually caused by libpam-winbind and libnss-winbind not being
>> installed, or /etc/nsswitch.conf not being configured correctly, the
>> relevant lines from mine look like this:
>>
>> passwd:         files winbind
>> group:          files winbind
>
> installed and configured correctly
>
>> Or pam-auth-update is configured correctly, again these are the lines
>> from mine:
>>
>> [*] Unix authentication
>> [*] Winbind NT/Active Directory authentication
>> [*] Register user sessions in the systemd control group ...
>> [*] Create home directory on login
>>
> Have an extra entry for systemd that is checked but have Create home
> directory on login unchecked. Shouldn't cause the problems I'm seeing.
>
>> Or you are using the 'ad' idmap backend on a Unix domain member and
>> haven't added a uidNumber attribute to the users and added a gidNumber
>> attribute to the Domain Users group. The numbers you use in these
>> attributes have to be unique, though you can use the same range for
>> users and groups, that is 'gary' could have the ID 10000 and Domain
>> Users could also have the same ID 10000. Whatever numbers you use, the
>> Domain idmap config line in smb.conf must enclose those numbers e.g.
>> idmap config DOMAIN : range = 10000-999999
>
> Ah, so that explains it. I originally was using autorid because that
> seemed the best fit for my circumstances but you complained about me
> doing that. Re-reading the
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba
> I see it mentions that I have to add the uidNumber and gidNumber
> attributes without actually telling me how to do it.
>
> I found
> https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_using_samba-tool_and_ldb-tools#Adding_Unix_attributes_to_an_existing_user_account
> which gives insufficient instruction in the matter. I note, for example,
> the line:
>
> samba-tool user addunixattrs sambauser uid --gid-number=gid
> --login-shell=/bin/bash --unix-home=/home/sambauser
>
> which I think may be better written as:
>
> samba-tool user addunixattrs <sambauser> <uid> --gid-number=<gid>
> --login-shell=/bin/bash --unix-home=/home/<sambauser>
>
> followed by an example showing reasonable values (or some discussion
> about what those values should be). My immediate reaction would be to
> use normal Linux user ids (i.e. starting at 1000 on Debian) and group
> ids (i.e. 100 is the normal group for users). However, you have reacted
> in horror to that idea, so this would probably be a good wiki to present
> an explanation as to why it is a bad idea.
>

Try reading this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Which will lead you to this:

https://wiki.samba.org/index.php/Idmap_config_ad

Rowland
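The range rule Rowland states (uidNumber/gidNumber must sit inside 'idmap config DOMAIN : range') and the addunixattrs command Gary quotes, as an added pre-flight check that is not part of the thread or of Samba's own tooling. SAMDOM, the ranges and the local passwd entries are constructed values; the check reads a constructed smb.conf fragment rather than the live file.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): sanity-check the
# uidNumber/gidNumber you intend to give a user before running
# 'samba-tool user addunixattrs'. With the 'ad' idmap backend an ID outside
# 'idmap config DOMAIN : range' is ignored by winbind, which shows up as an
# empty 'getent passwd <domain user>' on the member.

# Constructed smb.conf fragment; SAMDOM and the ranges are made-up values.
SMB_CONF=$(mktemp)
cat > "$SMB_CONF" <<'EOF'
[global]
   workgroup = SAMDOM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-999999
EOF
# Constructed stand-in for the member's /etc/passwd (local account IDs).
LOCAL_PASSWD=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/sh\ngary:x:1000:100::/home/gary:/bin/sh\n' > "$LOCAL_PASSWD"

# idmap_range DOMAIN -> prints "LO HI" taken from that domain's range line.
idmap_range() {
    awk -v dom="$1" 'BEGIN { re = "^[ \t]*idmap config[ \t]*" tolower(dom) "[ \t]*:[ \t]*range[ \t]*=" }
        tolower($0) ~ re { sub(/.*=[ \t]*/, ""); split($0, r, "-"); print r[1]+0, r[2]+0; exit }' "$SMB_CONF"
}
# id_in_range DOMAIN ID -> true when ID lies inside the domain's idmap range.
id_in_range() {
    set -- "$1" "$2" $(idmap_range "$1")
    [ -n "$3" ] && [ "$2" -ge "$3" ] && [ "$2" -le "$4" ]
}
# local_uid_taken ID -> true when a local account already owns that uid.
local_uid_taken() {
    awk -F: -v id="$1" '$3 == id { found = 1 } END { exit !found }' "$LOCAL_PASSWD"
}
# check_unix_attrs DOMAIN USER UID GID -> prints the addunixattrs command to
# run when both IDs pass; otherwise says why and returns non-zero.
check_unix_attrs() {
    dom=$1 user=$2 uid=$3 gid=$4
    if ! id_in_range "$dom" "$uid" || ! id_in_range "$dom" "$gid"; then
        echo "refusing: $uid/$gid not inside 'idmap config $dom : range'" >&2; return 1
    fi
    if local_uid_taken "$uid"; then
        echo "refusing: uid $uid already belongs to a local account" >&2; return 2
    fi
    echo "samba-tool user addunixattrs $user $uid --gid-number=$gid --login-shell=/bin/bash --unix-home=/home/$user"
}

check_unix_attrs SAMDOM gary 10000 10000        # accepted: the IDs from Rowland's example
check_unix_attrs SAMDOM gary 1000 100 || true   # rejected: Debian-style local IDs sit outside the range
```

Point SMB_CONF and LOCAL_PASSWD at the real /etc/samba/smb.conf and /etc/passwd on the member to run the same check against a live configuration.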