jd at ionica.lv
2015-Apr-06 09:09 UTC
[Samba] Samba as AD member can not validate domain user
Quoting Rowland Penny <rowlandpenny at googlemail.com>:

>> getent passwd shows list of local users, freezes for a while and exits;
>
> This is possibly because you may have (somehow) the same username in
> AD and /etc/passwd

even with the "problematic" user removed behaviour is the same (with net ads leave, remove krb5 keytab and join +restart)

>> id user shows user info if it exists locally.
>
> On an AD joined machine id should show user info if the user exists
> in AD and has the required rfc2307 attributes.

I re-checked what I have on AD DC:
1. getent passwd shows local + AD users (AD users having uids in the range of 30000XX)
2. getent group shows local + AD groups, AD groups having gids in the range of 30000XX, just Domain Users having gid 100
3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)' objectSID gidNumber
gives only objectSID without gidNumber;

CFG files from fileserver:
===========
krb5.conf
[libdefaults]
default = INTERNAL.DOMAIN.LV
dns_lookup_realm = false
dns_lookup_kdc = true

==========
nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat files

hosts: files dns
networks: files

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
bootparams: files

automount: files
aliases: files nisplus
publickey: nisplus
============
SMB.conf on fileserver
[global]
security = ADS
workgroup = INTERNAL
acl group control = yes
inherit acls = Yes
map acl inherit = Yes
realm = INTERNAL.DOMAIN.LV
kerberos method = secrets and keytab
idmap config internal:backend = ad
idmap config internal:range = 10000-3001000
idmap config internal:schema_mode = rfc2307
idmap config *:range = 2000-9999
idmap config *:backend = tdb
dedicated keytab file = /etc/krb5.keytab
winbind enum users = Yes
winbind enum groups = Yes
winbind separator = \
winbind refresh tickets = Yes
winbind nss info = rfc2307
winbind use default domain = yes
winbind trusted domains only = yes
utmp = yes
wins server = sambadc.DOMAIN.lv
wins support = yes
dns proxy = no
wins proxy = no
wtmp directory = /var/log/wtmp
preferred master = no
log level = 4
bind interfaces only = Yes
interfaces = lo, eth1
netbios name = FS2
os level = 33
=====================
smb.conf on AD DC
[global]
wins support = yes
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
winbind trusted domains only = yes
os level = 65
workgroup = INTERNAL
realm = INTERNAL.DOMAIN.LV
name resolve order = bcast wins host
log level = 4
idmap_ldb:use rfc2307 = yes
preferred master = Yes
map to guest = Bad Password
security = user
server role = active directory domain controller
domain logons = Yes
kerberos method = secrets and keytab
server string = Samba AD DC Server %v
domain master = Yes
winbind use default domain = yes
utmp = yes
max log size = 5000
netbios name = SAMBADC
local master = Yes
wtmp directory = /var/log/wtmp

I feel lost and I do not understand what else to read or how to detect what is wrong with cfg.

Janis
Rowland Penny
2015-Apr-06 09:38 UTC
[Samba] Samba as AD member can not validate domain user
On 06/04/15 10:09, jd at ionica.lv wrote:
>
> Quoting Rowland Penny <rowlandpenny at googlemail.com>:
>
>>> getent passwd shows list of local users, freezes for a while and exits;
>>
>> This is possibly because you may have (somehow) the same username in
>> AD and /etc/passwd
>
> even with the "problematic" user removed behaviour is the same (with
> net ads leave, remove krb5 keytab and join +restart)
>>
>>> id user shows user info if it exists locally.
>>
>> On an AD joined machine id should show user info if the user exists
>> in AD and has the required rfc2307 attributes.
>
> I re-checked what I have on AD DC:
> 1. getent passwd shows local + AD users (AD users having uids in the
> range of 30000XX)
> 2. getent group shows local + AD groups, AD groups having gids in the
> range of 30000XX, just Domain Users having gid 100
> 3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)' objectSID
> gidNumber
> gives only objectSID without gidNumber;
>
> CFG files from fileserver:
> ===========
> krb5.conf
> [libdefaults]
> default = INTERNAL.DOMAIN.LV
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> ==========
> nsswitch.conf
> passwd: compat winbind
> group: compat winbind
> shadow: compat files
>
> hosts: files dns
> networks: files
>
> services: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
> netgroup: files
> bootparams: files
>
> automount: files
> aliases: files nisplus
> publickey: nisplus
> ============
> SMB.conf on fileserver
> [global]
> security = ADS
> workgroup = INTERNAL
> acl group control = yes
> inherit acls = Yes
> map acl inherit = Yes
> realm = INTERNAL.DOMAIN.LV
> kerberos method = secrets and keytab
> idmap config internal:backend = ad
> idmap config internal:range = 10000-3001000
> idmap config internal:schema_mode = rfc2307
> idmap config *:range = 2000-9999
> idmap config *:backend = tdb
> dedicated keytab file = /etc/krb5.keytab
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind separator = \
> winbind refresh tickets = Yes
> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind trusted domains only = yes
> utmp = yes
> wins server = sambadc.DOMAIN.lv
> wins support = yes
> dns proxy = no
> wins proxy = no
> wtmp directory = /var/log/wtmp
> preferred master = no
> log level = 4
> bind interfaces only = Yes
> interfaces = lo, eth1
> netbios name = FS2
> os level = 33
> =====================
> smb.conf on AD DC
> [global]
> wins support = yes
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbind, ntp_signd, kcc, dnsupdate
> winbind trusted domains only = yes
> os level = 65
> workgroup = INTERNAL
> realm = INTERNAL.DOMAIN.LV
> name resolve order = bcast wins host
> log level = 4
> idmap_ldb:use rfc2307 = yes
> preferred master = Yes
> map to guest = Bad Password
> security = user
> server role = active directory domain controller
> domain logons = Yes
> kerberos method = secrets and keytab
> server string = Samba AD DC Server %v
> domain master = Yes
> winbind use default domain = yes
> utmp = yes
> max log size = 5000
> netbios name = SAMBADC
> local master = Yes
> wtmp directory = /var/log/wtmp
>
> I feel lost and I do not understand what else to read or how to detect
> what is wrong with cfg.
>
> Janis
>

Firstly, please put the smb.conf on the AD DC back to what it was just after the provision. You do not need the extra lines you have added.

You have posted what is probably your problem:

3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)' objectSID gidNumber
gives only objectSID without gidNumber;

You are using the winbind 'ad' backend on the member server; for this to work, your users need a 'uidNumber' attribute and 'Domain Users' (at least) *NEEDS* a 'gidNumber'.

If you use the 'ad' backend, then giving your users a 'uidNumber' is not enough, you must give their primary group (Domain Users) a 'gidNumber' attribute.

Rowland
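As an added illustration of the check Rowland describes (this is not code from the thread or from Samba), the script below parses ldbsearch LDIF output and flags every user whose uidNumber is missing or outside the member server's 'idmap config internal:range', or whose primary group (matched by the RID in its objectSid) carries no gidNumber. The LDIF is a constructed sample with a made-up domain SID; the range 10000-3001000 is taken from the fileserver smb.conf posted above.

```python
# Constructed sample in ldbsearch/LDIF form (not from the thread's domain): 'Domain Users'
# (RID 513) has an objectSid but no gidNumber, which is the state the thread diagnoses.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=lan
objectSid: S-1-5-21-1-2-3-513

dn: CN=alice,CN=Users,DC=example,DC=lan
sAMAccountName: alice
primaryGroupID: 513
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=lan
sAMAccountName: bob
primaryGroupID: 513
"""

def parse_ldif(text):
    """Split LDIF into {attribute: [values]} entries; folded lines are joined."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:           # continuation of previous value
            cur[last][-1] += raw[1:]
        elif not raw.strip():                      # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        else:
            attr, _, val = raw.partition(":")
            cur.setdefault(attr, []).append(val.strip())
            last = attr
    return entries

def check_idmap(entries, lo, hi):
    """Reasons winbind's 'ad' backend cannot map each user within the idmap range lo-hi."""
    gid_by_rid = {int(s.rsplit("-", 1)[1]): e.get("gidNumber", [None])[0]
                  for e in entries for s in e.get("objectSid", [])}
    findings = []
    for e in entries:
        if "primaryGroupID" not in e:              # only user objects carry primaryGroupID
            continue
        name = e["sAMAccountName"][0]
        uid = e.get("uidNumber", [None])[0]
        if uid is None:
            findings.append(f"{name}: no uidNumber")
        elif not lo <= int(uid) <= hi:
            findings.append(f"{name}: uidNumber {uid} outside idmap range {lo}-{hi}")
        gid = gid_by_rid.get(int(e["primaryGroupID"][0]))
        if gid is None:
            findings.append(f"{name}: primary group RID {e['primaryGroupID'][0]} has no gidNumber")
    return findings
```

Run it against real output of ldbsearch (or samba-tool user/group queries) by reading the LDIF from a file; an empty findings list means every user satisfies the conditions Rowland lists.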
jd at ionica.lv
2015-Apr-06 18:49 UTC
[Samba] Samba as AD member can not validate domain user
Quoting Rowland Penny <rowlandpenny at googlemail.com>:

>> CFG files from fileserver:
>> ===========
>> krb5.conf
>> [libdefaults]
>> default = INTERNAL.DOMAIN.LV
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> ==========
>> nsswitch.conf
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat files
>>
>> hosts: files dns
>> networks: files
>>
>> services: files
>> protocols: files
>> rpc: files
>> ethers: files
>> netmasks: files
>> netgroup: files
>> bootparams: files
>>
>> automount: files
>> aliases: files nisplus
>> publickey: nisplus
>> ============
>> SMB.conf on fileserver
>> [global]
>> security = ADS
>> workgroup = INTERNAL
>> acl group control = yes
>> inherit acls = Yes
>> map acl inherit = Yes
>> realm = INTERNAL.DOMAIN.LV
>> kerberos method = secrets and keytab
>> idmap config internal:backend = ad
>> idmap config internal:range = 10000-3001000
>> idmap config internal:schema_mode = rfc2307
>> idmap config *:range = 2000-9999
>> idmap config *:backend = tdb
>> dedicated keytab file = /etc/krb5.keytab
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind separator = \
>> winbind refresh tickets = Yes
>> winbind nss info = rfc2307
>> winbind use default domain = yes
>> winbind trusted domains only = yes
>> utmp = yes
>> wins server = sambadc.DOMAIN.lv
>> wins support = yes
>> dns proxy = no
>> wins proxy = no
>> wtmp directory = /var/log/wtmp
>> preferred master = no
>> log level = 4
>> bind interfaces only = Yes
>> interfaces = lo, eth1
>> netbios name = FS2
>> os level = 33
>> =====================
> Firstly, please put the smb.conf on the AD DC back to what it was
> just after the provision. You do not need the extra lines you have
> added.

now smb.conf is rather short:
[global]
workgroup = INTERNAL
realm = INTERNAL.DOMAIN.LV
netbios name = SAMBADC
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
log level = 4
[netlogon]
path = /var/lib/samba/sysvol/internal.domain.lv/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No

> You have posted what is probably your problem:
>
> 3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)' objectSID
> gidNumber
> gives only objectSID without gidNumber;
>
> You are using the winbind 'ad' backend on the member server, for
> this to work, your users need a 'uidNumber' attribute and 'Domain
> Users' (at least) *NEEDS* a 'gidNumber'

after assigning UNIX attributes to users and domain groups all of them have uidNumbers and gidNumbers starting from 10000, ldbsearch gives:
dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
objectSid: S-1-5-21-216404829-505555237-127066545-513
gidNumber: 10000

> If you use the 'ad' backend, then giving your users a 'uidNumber' is
> not enough, you must give their primarygroup (Domain Users) a
> 'gidNumber' attribute.

all of the AD users are members of the Domain Users group now.

Now on DC getent passwd gives just list of local users; getent passwd INTERNAL\\username gives domain user info with uid/gid 100xx:10000

still no changes on fileserver, getent passwd INTERNAL\\username finishes without any msg; in log.winbindd there is notion:
2015/04/06 21:42:37.714639, 3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
getpwnam INTERNAL\username

joining to the AD DC ends with joined server and such messages:
DNS Update for mail.domain.lv failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed: NT_STATUS_UNSUCCESSFUL
(mail.domain.lv being the hostname of the server where samba fileserver with netbios name FS2 resides)

I do not see anything in capital letters in the logs

Janis