Greeting-

It has been years since I last set up a Samba server. The last one I did was a 2.x version!

For the last two weeks I have been fighting with 2 issues with a samba 4 server I have set up for testing.

. Encrypted transport seems to not work for me

. Unix user smith and Samba user smith seem to have different UID numbers when files are created.

At the moment the second issue is the most vexing, but if I do not solve the first issue as well the project I am testing this for will need to be implemented using some other technology.

Here is my current smb4.conf file:

    # Global parameters
    [global]
        workgroup = EXAMPLE
        kerberos method = secrets and keytab
        local master = yes
        netbios name = HOSTNAME
        log level = 4

        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsa rpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, winreg, srvsvc

        realm = EXAMPLE.COM
        os level = 20
        username map = /var/db/samba4/private/users.map
        client max protocol = SMB3
        # server min protocol = SMB3
        hide dot files = no
        winbind trusted domains only = yes

        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, smb

        winbind use default domain = yes
        dns forwarder = 192.168.1.1
        domain logons = yes
        smb encrypt = yes
        security = user
        encrypt passwords = yes
        preferred master = yes
        #
        # I have tried with and without the line below
        #
        #idmap_ldb:use rfc2307 = yes
        wins support = true
        server role = active directory domain controller

    [netlogon]
        path = /var/db/samba4/sysvol/example.com/scripts
        read only = No

    [sysvol]
        path = /var/db/samba4/sysvol
        read only = No

    [archive]
        writeable = yes
        browseable = yes
        valid users = smith
        write list = smith, @wheel
        path = /archive
        comment = /archive
        revalidate = yes
        # vfs objects = zfsacl
        # nfs4:mode = special
        # nfs4:chown = yes
        # zfsacl:acesort = dontcare

The user was first created as a Unix user with a UID of 50 (historical reasons for the low uid). Then the user was added to samba using smbpasswd.
It should be noted that all the kerberos bits seem to be working, as doing a kinit then running smbclient -k //server/share yields a connection, but of course with the UID different from the UID of the same user at the unix shell level.

Also, unless I am using the kerberized smbclient it seems that all traffic is passed unencrypted according to my TCPDUMP tests. Tested clients at the moment are Mac OSX 10.6 and various *BSD GNU/Linux boxes with smbclient forced to V3. I probably will not move on to testing with a windows client if I can not solve the UID mismatch issue.

Any ideas? I have been searching the net for some time with no joy.

Thanks.

-Brett

-- 
wynkoop at wynn.com
http://prd4.wynn.com/wynkoop/pgp-keys.txt
917-642-6925
929-272-0000

A free people ought to be armed. - George Washington
On Thu, Dec 18, 2014 at 12:10:18PM -0500, Brett Wynkoop wrote:
> Greeting-
>
> It has been years since I last set up a Samba server. The last one I
> did was a 2.x version!
>
> For the last two weeks I have been fighting with 2 issues with a samba
> 4 server I have set up for testing.
>
> . Encrypted transport seems to not work for me
>
> . Unix user smith and Samba user smith seem to have different UID
> numbers when files are created.
>
>
> At the moment the second issue is the most vexing, but if I do not
> solve the first issue as well the project I am testing this for will
> need to be implemented using some other technology.
>
> Here is my current smb4.conf file:
>
> # Global parameters
> [global]
> workgroup = EXAMPLE
> kerberos method = secrets and keytab
> local master = yes
> netbios name = HOSTNAME
> log level = 4
>
> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> netlogon, lsa rpc, spoolss, drsuapi, dssetup, unixinfo, browser,
> eventlog6, backupkey, winreg, srvsvc
>
> realm = EXAMPLE.COM
> os level = 20
> username map = /var/db/samba4/private/users.map
> client max protocol = SMB3
> # server min protocol = SMB3
> hide dot files = no
> winbind trusted domains only = yes
>
> server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, smb

Remove 'smb' from this line. In fact, remove this line completely. Where did you find docs telling you to add this to the smb.conf ?
On 18/12/14 17:10, Brett Wynkoop wrote:
> Greeting-
>
> It has been years since I last set up a Samba server. The last one I
> did was a 2.x version!
>
> For the last two weeks I have been fighting with 2 issues with a samba
> 4 server I have set up for testing.
>
> . Encrypted transport seems to not work for me
>
> . Unix user smith and Samba user smith seem to have different UID
> numbers when files are created.
>
>
> At the moment the second issue is the most vexing, but if I do not
> solve the first issue as well the project I am testing this for will
> need to be implemented using some other technology.
>
> Here is my current smb4.conf file:
>
> # Global parameters
> [global]
> workgroup = EXAMPLE
> kerberos method = secrets and keytab
> local master = yes
> netbios name = HOSTNAME
> log level = 4
>
> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> netlogon, lsa rpc, spoolss, drsuapi, dssetup, unixinfo, browser,
> eventlog6, backupkey, winreg, srvsvc
>
> realm = EXAMPLE.COM
> os level = 20
> username map = /var/db/samba4/private/users.map
> client max protocol = SMB3
> # server min protocol = SMB3
> hide dot files = no
> winbind trusted domains only = yes
>
> server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, smb
>
> winbind use default domain = yes
> dns forwarder = 192.168.1.1
> domain logons = yes
> smb encrypt = yes
> security = user
> encrypt passwords = yes
> preferred master = yes
> #
> # I have tried with and without the line below
> #
> #idmap_ldb:use rfc2307 = yes
> wins support = true
> server role = active directory domain controller
>
>
>
> [netlogon]
> path = /var/db/samba4/sysvol/example.com/scripts
> read only = No
>
> [sysvol]
> path = /var/db/samba4/sysvol
> read only = No
>
> [archive]
> writeable = yes
> browseable = yes
> valid users = smith
> write list = smith, @wheel
> path = /archive
> comment = /archive
> revalidate = yes
> # vfs objects = zfsacl
> # nfs4:mode = special
> # nfs4:chown = yes
> # zfsacl:acesort = dontcare
>
> The user was first created as a Unix user with a UID of 50 (historical
> reasons for the low uid). Then the user was added to samba using
> smbpasswd.
>
> It should be noted that all the kerberos bits seem to be working as
> doing a kinit then running smbclient -k //server/share yields a
> connection, but of course with the UID different from the UID of the
> same user at the unix shell level.
>
> Also unless I am using the kerberized smbclient it seems that all
> traffic is passed unencrypted according to my TCPDUMP tests. Tested
> clients at the moment are Mac OSX 10.6 and various *BSD GNU/Linux boxes
> with smbclient forced to V3. I probably will not move on to testing
> with a windows client if I can not solve the UID mismatch issue.
>
> Any ideas? I have been searching the net for some time with no joy.
>
> Thanks.
>
> -Brett
>

Hi,

After sorting out your smb.conf, it would seem that you are running samba4 as an AD DC and then trying to add parts to it that are either the defaults or are not required. I would suggest that you reinstate the original smb.conf (you did keep a copy, didn't you ?), delete most of, if not all, the Unix users you have added, then add them again, but this time to your AD. Unlike samba 2, when running samba 4 in AD mode, you cannot have Unix users that are also AD users; you store everything in AD.

I would suggest that you have a read here:
https://wiki.samba.org/index.php/Main_Page

I know that you are testing here, but it would seem that samba 4.2 will support OSX clients better. This version seems to be delayed due to problems, but I am sure that the wait will be worth it.

Rowland
On Thu, 18 Dec 2014 09:49:28 -0800
Jeremy Allison <jra at samba.org> wrote:

> > winbind trusted domains only = yes
> >
> > server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> > winbind, ntp_signd, kcc, smb
>
> Remove 'smb' from this line. In fact, remove this line
> completely. Where did you find docs telling you to add
> this to the smb.conf ?

I am not sure where that came from. The install was from FreeBSD ports and, much to my surprise, it did not install a sample smb4.conf file, so I went casting about the internet and came up with what I posted here, but I do not remember where I found this.

Removing the line above produced a totally non-working samba install:

    ivory:~ wynkoop$ smbclient -L sambahost
    Error connecting to X.X.X.X (Connection refused)
    Connection to sambahost failed (Error NT_STATUS_CONNECTION_REFUSED)
    ivory:~ wynkoop$

-Brett

-- 
wynkoop at wynn.com
http://prd4.wynn.com/wynkoop/pgp-keys.txt
917-642-6925
929-272-0000

A free people ought to be armed. - George Washington
On Thu, 18 Dec 2014 17:57:55 +0000
Rowland Penny <rowlandpenny at googlemail.com> wrote:

> Hi, After sorting out your smb.conf, it would seem that you are
> running samba4 as an AD DC and then trying to add parts to it that
> are either the defaults or are not required. I would suggest that you
> reinstate the original smb.conf (you did keep a copy, didn't you ?),
> delete most of, if not all, the Unix users you have added, then add
> them again, but this time to your AD. Unlike samba 2, when running
> samba 4 in AD mode, you cannot have Unix users that are also AD
> users, you store everything in AD.
>

The FreeBSD Ports system, for reasons unknown to me, does not install ANY smb4.conf file and provides no example. The one I have came from someplace on the internet in the last couple of weeks. A pointer to a good minimal smb4.conf file would be appreciated.

I have existing Unix users with many GB of files that I need to keep the UID the same for because of interactions with other systems and mounts via NFS. Is there any way to force user smith to have uid=50 for example, or am I stuck with the auto-assigned UIDs that end up in AD?

> I would suggest that you have a read here:
> https://wiki.samba.org/index.php/Main_Page

I have poked about the wiki a bit, but could not sort this without resorting to the list, but I will again RTFM. Always good advice. Thanks.

>
> I know that you are testing here, but it would seem that samba 4.2
> will support OSX clients better, this version seems to be delayed due
> to problems, but I am sure that the wait will be worth it.
>
> Rowland

That sounds good, but I will probably be deploying with 4.1.13 unless 4.2 makes it out before my testing is over. I have an immediate need that just cropped up because all of a sudden I have to bring some MS-Windows boxes into the mix here. For years the site has been running using just NFS.

Thanks!

-Brett

-- 
wynkoop at wynn.com
http://prd4.wynn.com/wynkoop/pgp-keys.txt
917-642-6925
929-272-0000

A free people ought to be armed. - George Washington
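The thread raises three separable configuration points: Jeremy's advice to drop the hand-written "server services" line on an AD DC, Brett's need for the AD user to keep its historical Unix UID (which on a Samba AD DC is what the commented-out "idmap_ldb:use rfc2307 = yes" line is for: with it the DC uses the uidNumber/gidNumber attributes stored in AD instead of allocating its own IDs), and the observation that "smb encrypt = yes" still let unencrypted sessions through on the wire. The linter below is an added example written for this page, not code from the thread or from the Samba project. It parses the smb.conf format the way Samba reads parameter names (case- and whitespace-insensitive, "#" and ";" comments) and reports those three conditions plus one more that the posted config exhibits: "client max protocol" only affects Samba's own client tools, while what connecting clients may negotiate is governed by "server min protocol" / "server max protocol". It assumes the "required" value of "smb encrypt" as documented in the smb.conf man page; the embedded config is a constructed excerpt of Brett's smb4.conf.

```python
"""Lint an smb.conf for the configuration issues discussed in the thread.

Added example (not Samba's own code). Parses the smb.conf format and
reports:
  - an explicit 'server services' list on an AD DC (remove it)
  - 'idmap_ldb:use rfc2307' not enabled when fixed Unix UIDs are wanted
  - 'smb encrypt' not set to 'required', so cleartext sessions are accepted
  - 'client max protocol' set where a server-side protocol limit was meant
"""
import re

# Constructed excerpt of the [global] and [archive] sections from the
# smb4.conf posted in the thread (not the full file).
SAMPLE_CONF = """\
# Global parameters
[global]
    workgroup = EXAMPLE
    netbios name = HOSTNAME
    realm = EXAMPLE.COM
    client max protocol = SMB3
    # server min protocol = SMB3
    server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, smb
    smb encrypt = yes
    #idmap_ldb:use rfc2307 = yes
    server role = active directory domain controller

[archive]
    path = /archive
    valid users = smith
"""


def normalize(name):
    """Samba matches parameter names ignoring case and internal whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalized_param: value}}; later duplicates win."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()  # section header
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][normalize(key)] = value.strip()
    return sections


def is_ad_dc(global_section):
    role = global_section.get("serverrole", "").lower()
    return "active directory" in role and "domain controller" in role


def lint(conf, want_fixed_unix_ids=True):
    """Return a list of human-readable findings for the [global] section."""
    g = conf.get("global", {})
    findings = []
    dc = is_ad_dc(g)

    if dc and "serverservices" in g:
        findings.append("server services: explicit list on an AD DC; remove the "
                        "line and let the DC start its default service set")

    rfc2307 = g.get("idmap_ldb:userfc2307", "").lower()
    if dc and want_fixed_unix_ids and rfc2307 not in ("yes", "true", "1"):
        findings.append("idmap_ldb:use rfc2307: not enabled; the DC allocates its "
                        "own IDs instead of using uidNumber/gidNumber from AD")

    enc = g.get("smbencrypt", "default").lower()
    if enc not in ("required", "mandatory"):
        findings.append(f"smb encrypt = {enc}: encryption is offered but not "
                        "enforced; 'required' rejects clients that cannot encrypt "
                        "instead of letting them fall back to cleartext")

    if "clientmaxprotocol" in g and not ({"serverminprotocol", "servermaxprotocol"} & set(g)):
        findings.append("client max protocol: affects only Samba's own client tools; "
                        "use server min protocol / server max protocol to limit "
                        "what connecting clients may negotiate")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_smb_conf(SAMPLE_CONF)):
        print("-", finding)
```

Run against the excerpt it reports all four findings; pass want_fixed_unix_ids=False to drop the RFC2307 check on a DC where Unix IDs do not matter. A finding from the encryption check is a prompt to verify on the wire, as Brett did with tcpdump, because "required" turns the silent cleartext fallback into a visible connection refusal for clients that cannot encrypt.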