Gary Dale
2023-Apr-27 00:37 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 2023-04-26 15:21, Rowland Penny via samba wrote:
> On 26/04/2023 19:40, Gary Dale via samba wrote:
>> On 2023-04-26 13:54, Rowland Penny via samba wrote:
>>> On 26/04/2023 18:27, Gary Dale via samba wrote:
>>>> No. I am running the tests suggested by the various Samba wiki pages. I can do a getent passwd <local account> on my workstation and on my file & print server but I can't do a getent passwd <domain account> except on my DC. I explicitly showed that in the message before the one you replied to. I also showed how I can't do a login to a domain account except on the DC.
>>>>
>>>> This failure to get domain account information seems likely to be at the heart of the problems I'm having.
>>>
>>> So you are running 'getent passwd gary' and getting no output, this is usually caused by libpam-winbind and libnss-winbind not being installed, or /etc/nsswitch.conf not being configured correctly, the relevant lines from mine look like this:
>>>
>>> passwd:         files winbind
>>> group:          files winbind
>>
>> installed and configured correctly
>>
>>> Or pam-auth-update is configured correctly, again these are the lines from mine:
>>>
>>> [*] Unix authentication
>>> [*] Winbind NT/Active Directory authentication
>>> [*] Register user sessions in the systemd control group ...
>>> [*] Create home directory on login
>>
>> Have an extra entry for systemd that is checked but have Create home directory on login unchecked. Shouldn't cause the problems I'm seeing.
>>
>>> Or you are using the 'ad' idmap backend on a Unix domain member and haven't added a uidNumber attribute to the users and added a gidNumber attribute to the Domain Users group. The numbers you use in these attributes have to be unique, though you can use the same range for users and groups, that is 'gary' could have the ID 10000 and Domain Users could also have the same ID 10000. Whatever numbers you use, the Domain idmap config line in smb.conf must enclose those numbers e.g.
>>>
>>> idmap config DOMAIN : range = 10000-999999
>>
>> Ah, so that explains it. I originally was using autorid because that seemed the best fit for my circumstances but you complained about me doing that. Re-reading the https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba I see it mentions that I have to add the uidNumber and gidNumber attributes without actually telling me how to do it.
>>
>> I found https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_using_samba-tool_and_ldb-tools#Adding_Unix_attributes_to_an_existing_user_account which gives insufficient instruction in the matter. I note, for example, the line:
>>
>> samba-tool user addunixattrs sambauser uid --gid-number=gid --login-shell=/bin/bash --unix-home=/home/sambauser
>>
>> which I think may be better written as:
>>
>> samba-tool user addunixattrs <sambauser> <uid> --gid-number=<gid> --login-shell=/bin/bash --unix-home=/home/<sambauser>
>>
>> followed by an example showing reasonable values (or some discussion about what those values should be). My immediate reaction would be to use normal Linux user ids (i.e. starting at 1000 on Debian) and group ids (i.e. 100 is the normal group for users). However, you have reacted in horror to that idea, so this would probably be a good wiki to present an explanation as to why it is a bad idea.
>
> Try reading this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Which will lead you to this:
>
> https://wiki.samba.org/index.php/Idmap_config_ad
>
> Rowland

Neither actually addresses the question I raised. Apart from the administrative policy of using AD for account maintenance, why not use, for example, 100 as the <gid> or 1000 as a <uid>? If I have to set the ids manually, I should be able to keep track of them more easily when they are smaller numbers....? Or do you need to use large enough numbers so that all the IDs you may ever create will be the same length? Or why not use autorid?

Another issue that isn't addressed with instructions and an example is the adding of a GID to the standard domain groups. It seems to be necessary but the only example doesn't seem to deal with it. An example showing adding a GID to Domain Users, for example, would be helpful.
Rowland Penny
2023-Apr-27 06:36 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 27/04/2023 01:37, Gary Dale via samba wrote:
> Neither actually addresses the question I raised. Apart from the administrative policy of using AD for account maintenance, why not use, for example, 100 as the <gid> or 1000 as a <uid>? If I have to set the ids manually, I should be able to keep track of them more easily when they are smaller numbers....? Or do you need to use large enough numbers so that all the IDs you may ever create will be the same length?

If you have read the first page I pointed you to, you would have found this:

As you can see from the above, if you are creating a new domain, you shouldn't set either the default domain '*' or the 'SAMDOM' ranges to start at 999 or less, as they would interfere with the local system users & groups.

It then goes on to say:

You also should leave a space for any local Unix users & groups, so starting the 'idmap config' ranges at 3000 seems to be a good compromise.

Local Linux users & groups are just that, LOCAL and shouldn't take part in AD.

> Or why not use autorid?

You can use autorid, but it is really meant for multiple domains, you cannot use 'winbind use default domain = yes' with it and you will get different Linux IDs on every Unix domain member you run it on. If you do not wish to add anything extra to AD, then I suggest you use the 'rid' backend, you can use 'winbind use default domain = yes' and, provided you use the same basic smb.conf on all Unix domain members, you will get the same IDs.

> Another issue that isn't addressed with instructions and an example is the adding of a GID to the standard domain groups. It seems to be necessary but the only example doesn't seem to deal with it. An example showing adding a GID to Domain Users, for example would be helpful.

samba-tool comes with help, try running 'samba-tool user create --help' or 'samba-tool user addunixattrs --help'

Rowland
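The two constraints the thread keeps circling back to (the uidNumber/gidNumber must not collide with local system IDs, and it must fall inside the domain's 'idmap config ... : range' line or winbind will ignore it) can be checked before running samba-tool. The following POSIX sh script is an added example, not code from the thread or from the Samba project; the smb.conf fragment, the domain name SAMDOM and the ranges are constructed sample values.

```shell
# Constructed smb.conf fragment for a Unix domain member using the 'ad' idmap
# backend; sample values only, not the configuration from the thread.
SMB_CONF_SAMPLE='[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999'

# idmap_range DOMAIN: read smb.conf text on stdin and print "LOW HIGH" from
# the "idmap config DOMAIN : range" line (domain match is case-insensitive).
idmap_range() {
    awk -v dom="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        index(tolower($0), "idmap config") {
            if (split($0, part, ":") < 2) next
            lhs = part[1]; gsub(/^[ \t]+|[ \t]+$/, "", lhs)
            split(lhs, words, /[ \t]+/)          # words[3] is the domain
            if (tolower(words[3]) != dom) next
            if (split(part[2], kv, "=") < 2) next
            key = kv[1]; gsub(/[ \t]/, "", key)
            if (key != "range") next
            val = kv[2]; gsub(/[ \t]/, "", val)
            split(val, r, "-"); print r[1], r[2]
        }'
}

# check_unix_id ID DOMAIN: return 0 when ID is usable as a uidNumber/gidNumber
# for DOMAIN, i.e. it is numeric, above the local system range (0-999) and
# inside the domain's idmap range; otherwise print the reason and return 1.
check_unix_id() {
    id="$1"; dom="$2"
    case "$id" in ''|*[!0-9]*) echo "$id: not a number"; return 1;; esac
    set -- $(printf '%s' "$SMB_CONF_SAMPLE" | idmap_range "$dom")
    [ $# -eq 2 ] || { echo "no idmap range for domain $dom"; return 1; }
    lo="$1"; hi="$2"
    if [ "$id" -le 999 ]; then
        echo "$id: collides with local system users/groups"; return 1
    elif [ "$id" -lt "$lo" ] || [ "$id" -gt "$hi" ]; then
        echo "$id: outside idmap range $lo-$hi for $dom (winbind ignores it)"; return 1
    fi
    return 0
}

# 10000 is usable for SAMDOM; 1000 (Debian's first local user) is rejected
# because it lies below the SAMDOM range.
check_unix_id 10000 SAMDOM && echo "10000 ok for SAMDOM"
check_unix_id 1000 SAMDOM || true
```

Point the script at a real smb.conf by replacing SMB_CONF_SAMPLE with the file's contents; the same check applies to the gidNumber you assign to Domain Users.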