I think I see some heavy weather ahead of me:

http://technet.microsoft.com/en-ca/library/dn303411.aspx

specifically w.r.t. Server 2012 r2 (with which I will have to soon(ish) wrestle):

> Features Removed or Deprecated in Windows Server 2012 R2
> ...
> RSAT: Identity management for Unix/NIS
>
> The Server for Network Information Service (NIS) Tools option of
> Remote Server Administration Tools (RSAT) is deprecated. Use native
> LDAP, Samba Client, Kerberos, or non-Microsoft options.

I have recently fixed a problem with using a samba4 member server in a domain controlled by a windows 2008r2 AD-DC by installing the role service described in the technet article/quote. I fully expect to run into this issue again with server 2012 R2 DCs deployed elsewhere in my client base.

Surely someone has run into this situation already.

I have no idea how to configure "native LDAP, Samba Client, Kerberos, or non-Microsoft options" to provide the necessary information for the member server (essentially NIS group, GID and UID). Nor really any idea of where to begin looking. I'd be surprised if the technet author had the first clue.

Can anybody provide links to relevant documentation that might be usable by a Microsoft-phobic SA who will likely have to deal with the issue in the future?

Any other thoughts?

Thanks in advance!
d.
This useful reply came via email - thank you Matt.

-------- Original Message --------
Subject: Re: [Samba] RSAT - cloud on the horizon
Date: Mon, 19 Jan 2015 19:24:16 +0000
From: Mattias Zhabinskiy <m at ...>
To: Derek Shaw <d3r3kshaw at gmail.com>

Hello Derek,

I'm running 2012 R2 AD DCs with native AD rfc2307 schema (never used Identity Management for UNIX) and using powershell scripts to create user and group accounts and populate the following attributes:

    gecos
    gidNumber
    loginShell
    primaryGroupID
    uidNumber
    unixHomeDirectory

to support Samba 4.1.x domain member servers. Also, all of the above attributes can be set manually using ADUC's Attribute Editor by enabling Advanced Features option under View menu item.

Below are relevant entries from smb.conf:

    workgroup = DOMAINNAME
    security = ADS
    realm = DOMAINNAME.COM
    encrypt passwords = yes
    local master = no
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config DOMAINNAME:backend = ad
    idmap config DOMAINNAME:schema_mode = rfc2307
    idmap config DOMAINNAME:range = 80001-3100000
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind expand groups = 3

nsswitch.conf:

    passwd: files winbind
    group: files winbind

password-auth-ac:

    auth sufficient pam_winbind.so use_first_pass
    account [default=bad success=ok user_unknown=ignore] pam_winbind.so
    password sufficient pam_winbind.so use_authtok
    session required pam_winbind.so use_first_pass

and appropriate symbolic links:

    libnss_winbind.so -> /usr/local/samba/lib/libnss_winbind.so
    libnss_winbind.so.2 -> /usr/local/samba/lib/libnss_winbind.so.2
    pam_smbpass.so -> /usr/local/samba/lib/security/pam_smbpass.so
    pam_winbind.so -> /usr/local/samba/lib/security/pam_winbind.so

Regards,
Matt
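A pre-flight check for the idmap settings in the smb.conf excerpt above, as an added example that is not part of the original messages: with the `ad` backend, winbind only maps objects whose uidNumber or gidNumber is set and lies inside that domain's configured range, and the ranges of different idmap domains must not overlap. The sample AD objects and the function names are constructed for illustration.

```python
import re

# idmap lines copied from the smb.conf excerpt in the message above.
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config DOMAINNAME:backend = ad
idmap config DOMAINNAME:schema_mode = rfc2307
idmap config DOMAINNAME:range = 80001-3100000
"""

# Constructed sample data: (object name, rfc2307 attribute, value stored in AD).
AD_OBJECTS = [
    ("alice", "uidNumber", 80010),
    ("bob", "uidNumber", 1001),            # below the DOMAINNAME range
    ("Domain Users", "gidNumber", None),   # attribute never populated
]

_IDMAP = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {option: value}}; 'range' becomes a (low, high) tuple."""
    domains = {}
    for line in conf.splitlines():
        m = _IDMAP.match(line)
        if not m:
            continue
        dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
        if opt == "range":
            low, high = val.split("-")
            val = (int(low), int(high))
        domains.setdefault(dom, {})[opt] = val
    return domains


def overlapping(domains):
    """Adjacent (by lower bound) idmap domains whose ranges overlap; should be []."""
    spans = sorted((o["range"], d) for d, o in domains.items() if "range" in o)
    return [(a[1], b[1]) for a, b in zip(spans, spans[1:]) if b[0][0] <= a[0][1]]


def unmapped(objects, id_range):
    """Objects the ad backend would skip: attribute unset or outside id_range."""
    low, high = id_range
    return [(name, attr, "not set" if value is None else "out of range")
            for name, attr, value in objects
            if value is None or not low <= value <= high]
```

Running `unmapped()` over an export of uidNumber/gidNumber values before joining a member server shows which accounts would fail to resolve through winbind.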
Tim also sent this, but I can't find his posting on the list.

-------- Original Message --------
Subject: Re: [Samba] RSAT - cloud on the horizon
Date: Mon, 19 Jan 2015 08:49:03 +0100
From: Tim <lists at ...>
To: Derek Shaw <d3r3kshaw at gmail.com>, samba at lists.samba.org

I have written a script that dynamically can add Unix attributes via cronjob. So you could use RSAT as usual without having to care about Unix attributes. I posted it on the list.

IMHO the best way would be that samba would set this information automatically when a domain is provisioned with rfc2307 - possibly with an additional provisioning parameter.

Regards
Tim
L.P.H. van Belle
2015-Jan-23 08:49 UTC
[Samba] Debian wheezy with sernet samba AD script, new and very improved..
Hai all..

For everyone who wants to try..

I make a new and very improved script to install sernet samba as ADDC on debian wheezy.
Go check it out here : https://secure.bazuin.nl/scripts/

Now it's very (very very very) ;-) easy for everybody to setup.

Have a look and if you have suggestions to even improve it more... mail me, or the mailing list.

Thanks for everybody on the mailing list for suggestions and improvement.

Greetings....

Louis
Rowland Penny
2015-Jan-23 10:41 UTC
[Samba] Debian wheezy with sernet samba AD script, new and very improved..
On 23/01/15 08:49, L.P.H. van Belle wrote:
> Hai all..
>
> For everyone who wants to try..
>
> I make a new and very improved script to install sernet samba as ADDC on debian wheezy.
> Go check it out here : https://secure.bazuin.nl/scripts/
>
> Now it's very (very very very) ;-) easy for everybody to setup.
>
> Have a look and if you have suggestions to even improve it more... mail me, or the mailing list.
>
> Thanks for everybody on the mailing list for suggestions and improvement.
>
> Greetings....
>
> Louis

Hi Louis, I think I may have pointed this out to you before, but you seem to not believe me, but this:

    if [ $FSTAB_CHECK = "1" ]; then
        if [ -z "`cat /etc/fstab | grep xattr`" ]; then
            echo " "
            echo "==========FSTAB==============================="
            echo "YOUR ON ... You need to change something "
            echo "you have 15 seconds to read this"
            echo " "
            echo "please enable acl and user_xattr in /etc/fstab before provisioning"
            echo "add : ,acl,user_xattr"
            echo "after defaults and the script will remount "
            echo "starting editor, and press: CTRL+K , Y ,Enter to save it"
            echo " "
            read -p "Do you want to edit fstab now (y/n) : " FSTAB_CHECK_ANSWER
            FSTAB_CHECK_ANSWER="x"
            while [ $FSTAB_CHECK_ANSWER = "x" ]; do
                echo "If you want to edit fstab now, it wil open mcedit for you"
                read -p "Do you want to edit fstab now (y/n) : " FSTAB_CHECK_ANSWER
                if [ $FSTAB_CHECK_ANSWER = "y" ]; then
                    mcedit /etc/fstab
                    mount -o remount -a
                else
                    echo "ok, we continue, it up to you"
                fi
            done
        fi
    fi

is not needed, what you are suggesting putting into /etc/fstab is this: 'defaults,acl,user_xattr'
This will get expanded to this: 'acl,user_xattr,acl,user_xattr'

Don't believe me ? open '/etc/mke2fs.conf' and look for the line that starts 'default_mntopts'

Rowland
Rowland Penny
2015-Jan-23 11:26 UTC
[Samba] Debian wheezy with sernet samba AD script, new and very improved..
On 23/01/15 08:49, L.P.H. van Belle wrote:
> Hai all..
>
> For everyone who wants to try..
>
> I make a new and very improved script to install sernet samba as ADDC on debian wheezy.
> Go check it out here : https://secure.bazuin.nl/scripts/
>
> Now it's very (very very very) ;-) easy for everybody to setup.
>
> Have a look and if you have suggestions to even improve it more... mail me, or the mailing list.
>
> Thanks for everybody on the mailing list for suggestions and improvement.
>
> Greetings....
>
> Louis

Louis, bug, line 180, 4-sernet-samba-addc-debian-wheezy.sh, only one "

Rowland
L.P.H. van Belle
2015-Jan-23 11:59 UTC
[Samba] Debian wheezy with sernet samba AD script, new and very improved..
ah yes, you're correct, i'll adjust that.
That was a copy paste of the previous script.. :-/
thanks for this :

>Don't believe me ? open '/etc/mke2fs.conf' and look for the line that
>starts 'default_mntopts'

i couldn't find that on the debian wiki: https://wiki.debian.org/fstab
so is not 100% complete then..
what you pointed out should be there also..

I have removed the fstab check. Thanks for reporting that (again) ;-)

>Louis, bug, line 180, 4-sernet-samba-addc-debian-wheezy.sh, only one "

and also fixed. and thank you for checking it ;-)

what do you think about the new script? better isn't it..
i also took your suggestion for the administrator password..

I hope lots of people will enjoy it..

Greetz,

Louis
Sébastien Le Ray
2015-Jan-23 13:07 UTC
[Samba] Debian wheezy with sernet samba AD script, new and very improved..
Hi,

Can you quickly explain why should someone use the script rather than perform standard install following the wiki ? Are there any sernet specific caveats ?

Regards,
L.P.H. van Belle
2015-Jan-23 13:29 UTC
[Samba] Debian wheezy with sernet samba AD script, new and very improved..
Hai,

Well, using the script it's more easy to reproduce your install.
I install in a VM, i've created a "clean" debian server with dhcp ip.
and if i need/want an extra server, i just import the clean server and run my script(s).
All depending on the type of server it want.
It's time saving and i like to work with standards.

All what's in the script is based on things in the wiki and questions of people in the samba list.

In my environment, it's forbidden to compile things on the production servers, so i prefer packages.
I use sernet packages for my AD DC server, why, more up2date than the debian ( or debian backported ) packages.
And if there are problems, sernet gives good support and imo it's more easy to trace bugs because of the always the same installation.

Also, it sets a nice base to start from.
It's really just what you prefer.

I hope it explains enough for you..

Greetz,

Louis