samba - Dec 2014 - Samba 4 problems

Greeting-

It has been years since I last set up a Samba server.  The last one I
did was a 2.x version!

For the last two weeks I have been fighting with 2 issues with a samba
4 server I have set up for testing.

. Encrypted transport seems to not work for me

. Unix user smith and Samba user smith seem to have different UID
  numbers when files are created.


At the moment the second issue is the most vexing, but if I do not
solve the first issue as well the project I am testing this for will
need to be implemented using some other technology.

Here is my current smb4.conf file:

# Global parameters
[global]
        workgroup = EXAMPLE
        kerberos method = secrets and keytab
        local master = yes
        netbios name = HOSTNAME
        log level = 4

        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsa rpc, spoolss, drsuapi, dssetup, unixinfo, browser,
eventlog6, backupkey,  winreg , srvsvc

        realm = EXAMPLE.COM
        os level = 20
        username map = /var/db/samba4/private/users.map
        client max protocol = SMB3
#        server min protocol = SMB3
        hide dot files = no
        winbind trusted domains only = yes

        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind,  nt p_signd, kcc, smb

        winbind use default domain = yes
        dns forwarder = 192.168.1.1
        domain logons = yes
        smb encrypt = yes
        security = user
        encrypt passwords = yes
        preferred master = yes
#
# I have tried with and without the line below
#
        #idmap_ldb:use rfc2307 = yes
        wins support = true
        server role = active directory domain controller



[netlogon]
        path = /var/db/samba4/sysvol/example.com/scripts
        read only = No

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No

[archive]
        writeable = yes
        browseable = yes
        valid users = smith
        write list = smith, at wheel
        path = /archive
        comment = /archive
        revalidate = yes
#       vfs objects = zfsacl
#       nfs4:mode = special
#       nfs4:chown = yes
#       zfsacl:acesort = dontcare

The user was first created as a Unix user with a UID of 50 (historical
reasons for the low uid).  Then the user was added to samba using
smbpasswd.

It should be noted that all the kerberos bits seem to be working as
doing a kinit then running smbclient -k //server/share yeilds a
connection, but of course with the UID different from the UID of the
same user at the unix shell level.

Also unless I am using the kerberized smbclient it seems that all
traffic is passed unencrypted according to my TCPDUMP tests.  Tested
clients at the moment are Mac OSX 10.6 and various *BSD GNU/Linux boxes
with smbclient forced to V3.  I probably will not move on to testing
with a windows client if I can not solve the UID mismatch issue.

Any ideas?  I have been searching the net for some time with no joy.

Thanks.

-Brett

-- 

wynkoop at wynn.com               http://prd4.wynn.com/wynkoop/pgp-keys.txt
917-642-6925
929-272-0000

A free people ought to be armed. - George Washington

On Thu, Dec 18, 2014 at 12:10:18PM -0500, Brett Wynkoop
wrote:
> Greeting-
> 
> It has been years since I last set up a Samba server.  The last one I
> did was a 2.x version!
> 
> For the last two weeks I have been fighting with 2 issues with a samba
> 4 server I have set up for testing.
> 
> . Encrypted transport seems to not work for me
> 
> . Unix user smith and Samba user smith seem to have different UID
>   numbers when files are created.
> 
> 
> At the moment the second issue is the most vexing, but if I do not
> solve the first issue as well the project I am testing this for will
> need to be implemented using some other technology.
> 
> Here is my current smb4.conf file:
> 
> # Global parameters
> [global]
>         workgroup = EXAMPLE
>         kerberos method = secrets and keytab
>         local master = yes
>         netbios name = HOSTNAME
>         log level = 4
> 
>         dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> netlogon, lsa rpc, spoolss, drsuapi, dssetup, unixinfo, browser,
> eventlog6, backupkey,  winreg , srvsvc
> 
>         realm = EXAMPLE.COM
>         os level = 20
>         username map = /var/db/samba4/private/users.map
>         client max protocol = SMB3
> #        server min protocol = SMB3
>         hide dot files = no
>         winbind trusted domains only = yes
> 
>         server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind,  nt p_signd, kcc, smb
Remove 'smb' from this line. In fact, remove this line
completely. Where did you find docs telling you to add
this to the smb.conf ?

On 18/12/14 17:10, Brett Wynkoop wrote:
> Greeting-
>
> It has been years since I last set up a Samba server.  The last one I
> did was a 2.x version!
>
> For the last two weeks I have been fighting with 2 issues with a samba
> 4 server I have set up for testing.
>
> . Encrypted transport seems to not work for me
>
> . Unix user smith and Samba user smith seem to have different UID
>    numbers when files are created.
>
>
> At the moment the second issue is the most vexing, but if I do not
> solve the first issue as well the project I am testing this for will
> need to be implemented using some other technology.
>
> Here is my current smb4.conf file:
>
> # Global parameters
> [global]
>          workgroup = EXAMPLE
>          kerberos method = secrets and keytab
>          local master = yes
>          netbios name = HOSTNAME
>          log level = 4
>
>          dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> netlogon, lsa rpc, spoolss, drsuapi, dssetup, unixinfo, browser,
> eventlog6, backupkey,  winreg , srvsvc
>
>          realm = EXAMPLE.COM
>          os level = 20
>          username map = /var/db/samba4/private/users.map
>          client max protocol = SMB3
> #        server min protocol = SMB3
>          hide dot files = no
>          winbind trusted domains only = yes
>
>          server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind,  nt p_signd, kcc, smb
>
>          winbind use default domain = yes
>          dns forwarder = 192.168.1.1
>          domain logons = yes
>          smb encrypt = yes
>          security = user
>          encrypt passwords = yes
>          preferred master = yes
> #
> # I have tried with and without the line below
> #
>          #idmap_ldb:use rfc2307 = yes
>          wins support = true
>          server role = active directory domain controller
>
>
>
> [netlogon]
>          path = /var/db/samba4/sysvol/example.com/scripts
>          read only = No
>
> [sysvol]
>          path = /var/db/samba4/sysvol
>          read only = No
>
> [archive]
>          writeable = yes
>          browseable = yes
>          valid users = smith
>          write list = smith, at wheel
>          path = /archive
>          comment = /archive
>          revalidate = yes
> #       vfs objects = zfsacl
> #       nfs4:mode = special
> #       nfs4:chown = yes
> #       zfsacl:acesort = dontcare
>
> The user was first created as a Unix user with a UID of 50 (historical
> reasons for the low uid).  Then the user was added to samba using
> smbpasswd.
>
> It should be noted that all the kerberos bits seem to be working as
> doing a kinit then running smbclient -k //server/share yeilds a
> connection, but of course with the UID different from the UID of the
> same user at the unix shell level.
>
> Also unless I am using the kerberized smbclient it seems that all
> traffic is passed unencrypted according to my TCPDUMP tests.  Tested
> clients at the moment are Mac OSX 10.6 and various *BSD GNU/Linux boxes
> with smbclient forced to V3.  I probably will not move on to testing
> with a windows client if I can not solve the UID mismatch issue.
>
> Any ideas?  I have been searching the net for some time with no joy.
>
> Thanks.
>
> -Brett
>
Hi, After sorting out your smb.conf, it would seem that you are running 
samba4 as an AD DC and then trying to add parts to it that are either 
the defaults or are not required. I would suggest that you reinstate the 
original smb.conf (you did keep a copy, didn't you ?), delete most of, 
if not all, the Unix users you have added, then add them again, but this 
time to your AD. Unlike samba 2, when running samba 4 in AD mode, you 
cannot have Unix users that are also AD users, you store everything in AD.

I would suggest that you have a read here: 
https://wiki.samba.org/index.php/Main_Page

I know that you are testing here, but it would seem that samba 4.2 will 
support OSX clients better, this version seems to be delayed due to 
problems, but I am sure that the wait will be worth it.

Rowland

On Thu, 18 Dec 2014 09:49:28 -0800
Jeremy Allison <jra at samba.org> wrote:

        winbind trusted domains only = yes
> > 
> >         server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> > winbind,  nt p_signd, kcc, smb
> 
> Remove 'smb' from this line. In fact, remove this line
> completely. Where did you find docs telling you to add
> this to the smb.conf ?
I am not sure where that came from.  The install was from FreeBSD ports
and much to my surprise it did not install a sample smb4.conf file, so
I went casting about the internet and came up with what I posted here,
but I do not remember where I found this.

Removing the line above produced a totally non-working samba install:

ivory:~ wynkoop$ smbclient -L sambahost
Error connecting to X.X.X.X (Connection refused)
Connection to sambahost failed (Error NT_STATUS_CONNECTION_REFUSED)
ivory:~ wynkoop$ 

-Brett


-- 

wynkoop at wynn.com               http://prd4.wynn.com/wynkoop/pgp-keys.txt
917-642-6925
929-272-0000

A free people ought to be armed. - George Washington

On Thu, 18 Dec 2014 17:57:55 +0000
Rowland Penny <rowlandpenny at googlemail.com> wrote:
> Hi, After sorting out your smb.conf, it would seem that you are
> running samba4 as an AD DC and then trying to add parts to it that
> are either the defaults or are not required. I would suggest that you
> reinstate the original smb.conf (you did keep a copy, didn't you ?),
> delete most of, if not all, the Unix users you have added, then add
> them again, but this time to your AD. Unlike samba 2, when running
> samba 4 in AD mode, you cannot have Unix users that are also AD
> users, you store everything in AD.
> 
The FreeBSD Ports system for reasons unknown to me does not install ANY
smb4.conf file and provides no example.  The one I have came from
someplace on the internet in the last couple of weeks.  A pointer to a
good minimal smb4.conf file would be appreciated.

I have existing Unix users with many GB of files that I need to keep
the UID the same for because of interactions with other systems and
mounts via NFS.  Is there any way to force user smith to have uid=50
for example, or am I stuck with the auto-assigned UIDs that end up in
AD?
> I would suggest that you have a read here: 
> https://wiki.samba.org/index.php/Main_Page
I have poked about the wiki a bit, but could not sort this without
resorting to the list, but I will again RTFM.  Always good advice.
Thanks.
> 
> I know that you are testing here, but it would seem that samba 4.2
> will support OSX clients better, this version seems to be delayed due
> to problems, but I am sure that the wait will be worth it.
> 
> Rowland

That sounds good, but I will probably be deploying with 4.1.13 unless
4.2 makes it out before my testing is over.  I have an immediate need
that just cropped up because all of the sudden I have to bring some
MS-Windows boxes into the mix here.  For years the site has been
running using just NFS.

Thanks!

-Brett



-- 

wynkoop at wynn.com               http://prd4.wynn.com/wynkoop/pgp-keys.txt
917-642-6925
929-272-0000

A free people ought to be armed. - George Washington