Hello All,

I'm trying to set up linux ssh/shell authentication on a CentOS_6.2 server running smbd version 3.5.10-114 using winbind/smb/pam. We've done this successfully using the tdb backend but wanted users to get the same UID/GID on every machine. Switched to rid for the backend but users still got a foreign number for UID and their default group was always Domain Users.

So I'm trying to get a working setup for using our AD and the Windows Attributes for their UID and GID. After about a week of crawling the web and rooting through others' copies of smb.conf I've assembled the following config file. I think I understand what every line does and have pared it down to the minimum. UIDs are the same as employeeID and should always be 5000-70000. Anyone logging in NOT from the AD will be in /etc/passwd and /etc/grp so there shouldn't be any need for a local tdb backend. wbinfo -g or -u returns AD groups and users but getent fails for any AD user or group.

And it still doesn't work. In fact, it doesn't allow logins at all (every SSH attempt kicks up an "invalid user" line across syslog). Or, if I roll back far enough to the rid version, I can log in but get the wrong (rid-based) UID and GID.

Can anyone tell me what's wrong with the below file? Or at least provide a working example? Is there a complete howto anywhere for SMB3.5 and AD2008R2?

Hope to hear from you,

rrue
seattle

/etc/samba/smb.conf:
[global]
workgroup = FOO
password server = dcx.foo.org dcy.foo.org dcz.foo.org
realm = FOO.ORG
security = ads
winbind use default domain = true
winbind offline logon = false
log file = /var/log/samba/%m.log
max log size = 100
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap config FHCRC : default = yes
idmap config FHCRC : backend = ad
idmap config FHCRC : schema_mode = rfc2307
idmap config FHCRC : range = 5000 - 70000
allow trusted domains = No
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
Michael Wandel
2012-May-30 04:59 UTC
[Samba] idmap backend = ad and Active Directory 2008R2
Hey,

> /etc/samba/smb.conf:
> [global]
> workgroup = FOO
> password server = dcx.foo.org dcy.foo.org dcz.foo.org
> realm = FOO.ORG
> security = ads
> winbind use default domain = true
> winbind offline logon = false
> log file = /var/log/samba/%m.log
> max log size = 100
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = no
> idmap config FHCRC : default = yes
> idmap config FHCRC : backend = ad
> idmap config FHCRC : schema_mode = rfc2307
> idmap config FHCRC : range = 5000 - 70000

Is this option FHCRC correct? I think your DOMAIN is FOO, then it must be

idmap config FOO : backend = ad

I hope it will help

Michael
Michael Wandel
2012-May-30 05:31 UTC
[Samba] idmap backend = ad and Active Directory 2008R2
Hello,

have you enabled Unix Integration in your Windows Server? If yes, do you have a User with an uid/gid in the Unix Extension?

Michael
Jonathan Buzzard
2012-May-30 12:10 UTC
[Samba] idmap backend = ad and Active Directory 2008R2
On Tue, 2012-05-29 at 15:41 -0700, Randy Rue wrote:

> Can anyone tell me what's wrong with the below file? Or at least provide a
> working example? Is there a complete howto anywhere for SMB3.5 and AD2008R2?

Yes, for starters where is the default writable backend that is required as specified in "man idmap_ad"? You need some lines like the following

idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999

where those numbers don't overlap with the numbers for your FHCRC domain.

> Hope to hear from you,
>
> rrue
> seattle
>
> /etc/samba/smb.conf:
> [global]
> workgroup = FOO
> password server = dcx.foo.org dcy.foo.org dcz.foo.org
> realm = FOO.ORG
> security = ads
> winbind use default domain = true
> winbind offline logon = false
> log file = /var/log/samba/%m.log
> max log size = 100
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = no
> idmap config FHCRC : default = yes
> idmap config FHCRC : backend = ad
> idmap config FHCRC : schema_mode = rfc2307
> idmap config FHCRC : range = 5000 - 70000
> allow trusted domains = No
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nested groups = Yes

I also don't see a "winbind nss info = rfc2307" line either, so it is not clear how the UIDs and GIDs from the AD schema are getting through to Linux. Note, for reasons I don't follow, the primary GID of the user is calculated from the "primaryGroupID" attribute.

JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
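The three points raised in the replies above (the idmap config domain must match the workgroup, a default writable backend with a range that does not overlap the domain's range must exist, and winbind nss info = rfc2307 belongs alongside idmap_ad) can be checked mechanically before winbindd is restarted. This is an added example, not code from the thread or from Samba; the embedded smb.conf fragment is constructed from the original post, and check_idmap, parse_global and parse_range are names chosen here.

```python
import re

# Constructed input modelled on the original poster's smb.conf in this thread
# (idmap domain FHCRC while the workgroup is FOO, and no default backend).
BROKEN_CONF = """
[global]
workgroup = FOO
realm = FOO.ORG
security = ads
idmap config FHCRC : backend = ad
idmap config FHCRC : schema_mode = rfc2307
idmap config FHCRC : range = 5000 - 70000
"""

def parse_global(text):
    """Return {normalised lowercase key: value} for the [global] section."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            key = re.sub(r"\s*:\s*", " : ", " ".join(key.lower().split()))
            opts[key] = val.strip()
    return opts

def parse_range(val):
    """'5000 - 70000' -> (5000, 70000); None if absent or malformed."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", val or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def check_idmap(text):
    """Lint the idmap/winbind settings of [global]; returns a list of findings."""
    o, findings = parse_global(text), []
    wg = o.get("workgroup", "").lower()
    domains = {k.split(" : ")[0][13:] for k in o if k.startswith("idmap config ")}
    default_range = parse_range(o.get("idmap uid") or o.get("idmap config * : range"))
    if not (o.get("idmap backend") or o.get("idmap config * : backend")):
        findings.append("no default idmap backend (idmap backend = tdb plus idmap uid/gid)")
    for dom in sorted(domains - {"*"}):
        if dom != wg:
            findings.append(f"idmap config {dom.upper()} does not match workgroup {wg.upper()}")
        rng = parse_range(o.get(f"idmap config {dom} : range"))
        if rng and default_range and rng[0] <= default_range[1] and default_range[0] <= rng[1]:
            findings.append(f"range for {dom.upper()} overlaps the default idmap uid range")
        if o.get(f"idmap config {dom} : backend") == "ad" and \
                o.get("winbind nss info", "").lower() != "rfc2307":
            findings.append("idmap_ad used without winbind nss info = rfc2307")
    return findings
```

Running check_idmap over the poster's fragment reports all three problems; over the working configuration posted later in the thread it reports none.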
I've swapped in my domain name/etc and commented the lines that I believe
don't apply to my environment, if I disabled something necessary please let
me know. Here's the smb.conf I tried:
[global]
netbios name = HAPPYTOBEHERE
security = ads
workgroup = FOO
realm = FOO.ORG
password server = dcx.foo.org dcy.foo.org dcz.foo.org
<----I also tried it with a single DC entry
preferred master = no
encrypt passwords = yes
kerberos method = secrets only
# general options
# vfs objects = shadow_copy2 fileid gpfs
# unix extensions = no
# mangled names = no
# case sensitive = no
# map untrusted to domain = yes
deadtime = 0
log level = 1
log file = /var/log/samba/%I.log
max log size = 100
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_REUSEADDR SO_KEEPALIVE
# store DOS attributes in extended attributes (vfs_gpfs then stores them in the file system)
# ea support = yes
# store dos attributes = yes
# map readonly = no
# map archive = no
# map system = no
# the ctdb clustering and GPFS stuff
# clustering = yes
# ctdbd socket = /tmp/ctdb.socket
# fileid : algorithm = fsname
# gpfs : sharemodes = yes
# gpfs : winattr = yes
# force unknown acl user = yes
# nfs4 : mode = special
# nfs4 : chown = no
# nfs4 : acedup = merge
# enable shadow copies
# shadow : snapdir = /happytobehere/.snapshots
# shadow : basedir = /happytobehere
# shadow : fixinodes = yes
# silence warnings about CUPS
# printing = bsd
# printcap name = /etc/printcap
# load printers = yes
cups options = raw
# stuff necessary for guest logins to work where required
# guest account = nobody
# map to guest = bad user
# fake the dfree information to match the fileset quota if it exists
# dfree cache time = 15
# dfree command = /var/lib/samba/scripts/mmdfree
# deal with NSS and the whole UID/SID id mapping stuff
idmap backend = tdb
idmap uid = 2000000 - 2999999
idmap gid = 2000000 - 2999999
idmap config FOO : backend = ad
idmap config FOO : schema_mode = rfc2307
idmap config FOO : readonly = yes
idmap config FOO : range = 500 - 1999999
idmap cache time = 604800
idmap negative cache time = 20
winbind cache time = 600
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = false
Here's /etc/pam.d/password-auth-ac if that helps:
[root at happytobehere samba]# cat /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_succeed_if.so user ingroup adm_it_sops_lessadmins_mod
auth sufficient pam_succeed_if.so user ingroup "domain admins"
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_access.so
account sufficient pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
[BTW, when this does work I still see errors in syslog about accounts I know are Domain Admins still not being recognized as members of the group "domain," do I need to do something else to escape that space in the group name? Maybe a backslash?]
And here's what syslog sees for an attempt via SSH:
May 31 08:11:54 happytobehere sshd[12713]: Invalid user should_work from www.xxx.yyy.zzz
May 31 08:11:54 happytobehere sshd[12716]: input_userauth_request: invalid user should_work
May 31 08:12:01 happytobehere sshd[12713]: pam_succeed_if(sshd:auth): error retrieving information about user should_work
May 31 08:12:01 happytobehere sshd[12713]: pam_succeed_if(sshd:auth): error retrieving information about user should_work
May 31 08:12:01 happytobehere sshd[12713]: pam_unix(sshd:auth): check pass; user unknown
May 31 08:12:01 happytobehere sshd[12713]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=machineX.foo.org
May 31 08:12:01 happytobehere sshd[12713]: pam_succeed_if(sshd:auth): error retrieving information about user should_work
May 31 08:12:03 happytobehere sshd[12713]: Failed password for invalid user should_work from www.xxx.yyy.zzz port 51602 ssh2
May 31 08:12:06 happytobehere sshd[12716]: Received disconnect from www.xxx.yyy.zzz: 13: Unable to authenticate
Grateful for your help...
Randy Rue
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Jonathan Buzzard
Sent: Thursday, May 31, 2012 5:36 AM
To: samba at lists.samba.org
Subject: Re: [Samba] idmap backend = ad and Active Directory 2008R2
This is a working smb.conf CentOS 6.2 latest aka 3.5.10-116.el6_2.x86_6
configuration against a Windows 2008R2 domain. Note we are using GPFS as our
underlying file system and CTDB. All I have changed is the names
[global]
netbios name = NEMO
security = ads
workgroup = MYDOMAIN
realm = MYDOMAIN.MEGACORP.COM
password server = *
preferred master = no
encrypt passwords = yes
kerberos method = secrets only
# general options
vfs objects = shadow_copy2 fileid gpfs
unix extensions = no
mangled names = no
case sensitive = no
map untrusted to domain = yes
deadtime = 0
log level = 1
log file = /var/log/samba/%I.log
max log size = 100
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_REUSEADDR SO_KEEPALIVE
# store DOS attributes in extended attributes (vfs_gpfs then stores them in the file system)
ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no
# the ctdb clustering and GPFS stuff
clustering = yes
ctdbd socket = /tmp/ctdb.socket
fileid : algorithm = fsname
gpfs : sharemodes = yes
gpfs : winattr = yes
force unknown acl user = yes
nfs4 : mode = special
nfs4 : chown = no
nfs4 : acedup = merge
# enable shadow copies
shadow : snapdir = /nemo/.snapshots
shadow : basedir = /nemo
shadow : fixinodes = yes
# silence warnings about CUPS
printing = bsd
printcap name = /etc/printcap
load printers = yes
cups options = raw
# stuff necessary for guest logins to work where required
guest account = nobody
map to guest = bad user
# fake the dfree information to match the fileset quota if it exists
dfree cache time = 15
dfree command = /var/lib/samba/scripts/mmdfree
# deal with NSS and the whole UID/SID id mapping stuff
idmap backend = tdb
idmap uid = 2000000 - 2999999
idmap gid = 2000000 - 2999999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : readonly = yes
idmap config MYDOMAIN : range = 500 - 1999999
idmap cache time = 604800
idmap negative cache time = 20
winbind cache time = 600
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = false
--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.