jd at ionica.lv
2015-Apr-06 18:49 UTC
[Samba] Samba as AD member can not validate domain user
Quoting Rowland Penny <rowlandpenny at googlemail.com>:

>> CFG files from fileserver:
>> ===========
>> krb5.conf
>> [libdefaults]
>> default = INTERNAL.DOMAIN.LV
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> ==========
>> nsswitch.conf
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat files
>>
>> hosts: files dns
>> networks: files
>>
>> services: files
>> protocols: files
>> rpc: files
>> ethers: files
>> netmasks: files
>> netgroup: files
>> bootparams: files
>>
>> automount: files
>> aliases: files nisplus
>> publickey: nisplus
>> ============
>> SMB.conf on fileserver
>> [global]
>> security = ADS
>> workgroup = INTERNAL
>> acl group control = yes
>> inherit acls = Yes
>> map acl inherit = Yes
>> realm = INTERNAL.DOMAIN.LV
>> kerberos method = secrets and keytab
>> idmap config internal:backend = ad
>> idmap config internal:range = 10000-3001000
>> idmap config internal:schema_mode = rfc2307
>> idmap config *:range = 2000-9999
>> idmap config *:backend = tdb
>> dedicated keytab file = /etc/krb5.keytab
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind separator = \
>> winbind refresh tickets = Yes
>> winbind nss info = rfc2307
>> winbind use default domain = yes
>> winbind trusted domains only = yes
>> utmp = yes
>> wins server = sambadc.DOMAIN.lv
>> wins support = yes
>> dns proxy = no
>> wins proxy = no
>> wtmp directory = /var/log/wtmp
>> preferred master = no
>> log level = 4
>> bind interfaces only = Yes
>> interfaces = lo, eth1
>> netbios name = FS2
>> os level = 33
>> =====================
> Firstly, please put the smb.conf on the AD DC back to what it was
> just after the provision. You do not need the extra lines you have
> added.

now smb.conf is rather short:

[global]
workgroup = INTERNAL
realm = INTERNAL.DOMAIN.LV
netbios name = SAMBADC
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
log level = 4

[netlogon]
path = /var/lib/samba/sysvol/internal.domain.lv/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

> You have posted what is probably your problem:
>
> 3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)' objectSID
> gidNumber
> gives only objectSID without gidNumber;
>
> You are using the winbind 'ad' backend on the member server, for
> this to work, your users need a 'uidNumber' attribute and 'Domain
> Users' (at least) *NEEDS* a 'gidNumber'

after assigning UNIX attributes to users and domain groups all of them have
uidNumbers and gidNumbers starting from 10000,
ldbsearch gives:

dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
objectSid: S-1-5-21-216404829-505555237-127066545-513
gidNumber: 10000

> If you use the 'ad' backend, then giving your users a 'uidNumber' is
> not enough, you must give their primarygroup (Domain Users) a
> 'gidNumber' attribute.

all of the AD users are members of the Domain Users group now.

Now on DC getent passwd gives just a list of local users;
getent passwd INTERNAL\\username gives domain user info with uid/gid 100xx:10000

still no changes on fileserver, getent passwd INTERNAL\\username finishes without any msg;
in log.winbindd there is this entry:

[2015/04/06 21:42:37.714639, 3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam INTERNAL\username

joining to the AD DC ends with a joined server and such messages:

DNS Update for mail.domain.lv failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed: NT_STATUS_UNSUCCESSFUL

(mail.domain.lv being the hostname of the server where the samba fileserver with netbios name FS2 resides)

I do not see anything in capital letters in the logs

Janis
jd at ionica.lv
2015-Apr-06 19:17 UTC
[Samba] Samba as AD member can not validate domain user
Quoting jd at ionica.lv:

> Quoting Rowland Penny <rowlandpenny at googlemail.com>:
>
>>> CFG files from fileserver:
>>> ===========
>>> krb5.conf
>>> [libdefaults]
>>> default = INTERNAL.DOMAIN.LV
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> ==========
>>> nsswitch.conf
>>> passwd: compat winbind
>>> group: compat winbind
>>> shadow: compat files
>>>
>>> hosts: files dns
>>> networks: files
>>>
>>> services: files
>>> protocols: files
>>> rpc: files
>>> ethers: files
>>> netmasks: files
>>> netgroup: files
>>> bootparams: files
>>>
>>> automount: files
>>> aliases: files nisplus
>>> publickey: nisplus
>>> ============
>>> SMB.conf on fileserver
>>> [global]
>>> security = ADS
>>> workgroup = INTERNAL
>>> acl group control = yes
>>> inherit acls = Yes
>>> map acl inherit = Yes
>>> realm = INTERNAL.DOMAIN.LV
>>> kerberos method = secrets and keytab
>>> idmap config internal:backend = ad
>>> idmap config internal:range = 10000-3001000
>>> idmap config internal:schema_mode = rfc2307
>>> idmap config *:range = 2000-9999
>>> idmap config *:backend = tdb
>>> dedicated keytab file = /etc/krb5.keytab
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind separator = \
>>> winbind refresh tickets = Yes
>>> winbind nss info = rfc2307
>>> winbind use default domain = yes
>>> winbind trusted domains only = yes
>>> utmp = yes
>>> wins server = sambadc.DOMAIN.lv
>>> wins support = yes
>>> dns proxy = no
>>> wins proxy = no
>>> wtmp directory = /var/log/wtmp
>>> preferred master = no
>>> log level = 4
>>> bind interfaces only = Yes
>>> interfaces = lo, eth1
>>> netbios name = FS2
>>> os level = 33
>>> =====================
>> Firstly, please put the smb.conf on the AD DC back to what it was
>> just after the provision. You do not need the extra lines you have
>> added.
>
> now smb.conf is rather short:
> [global]
> workgroup = INTERNAL
> realm = INTERNAL.DOMAIN.LV
> netbios name = SAMBADC
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> log level = 4
>
> [netlogon]
> path = /var/lib/samba/sysvol/internal.domain.lv/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>> You have posted what is probably your problem:
>>
>> 3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)'
>> objectSID gidNumber
>> gives only objectSID without gidNumber;
>>
>> You are using the winbind 'ad' backend on the member server, for
>> this to work, your users need a 'uidNumber' attribute and 'Domain
>> Users' (at least) *NEEDS* a 'gidNumber'
>
> after assigning UNIX attributes to users and domain groups all of them have
> uidNumbers and gidNumbers starting from 10000,
> ldbsearch gives:
> dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
> objectSid: S-1-5-21-216404829-505555237-127066545-513
> gidNumber: 10000
>
>> If you use the 'ad' backend, then giving your users a 'uidNumber'
>> is not enough, you must give their primarygroup (Domain Users) a
>> 'gidNumber' attribute.
>
> all of the AD users are members of the Domain Users group now.
>
> Now on DC getent passwd gives just a list of local users;
> getent passwd INTERNAL\\username gives domain user info with uid/gid
> 100xx:10000
>
> still no changes on fileserver, getent passwd INTERNAL\\username
> finishes without any msg;
> in log.winbindd there is this entry:
> [2015/04/06 21:42:37.714639, 3]
> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> getpwnam INTERNAL\username
>
>
> joining to the AD DC ends with a joined server and such messages:
> DNS Update for mail.domain.lv failed: ERROR_DNS_INVALID_MESSAGE
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> (mail.domain.lv being the hostname of the server where the samba
> fileserver with netbios name FS2 resides)
>
> I do not see anything in capital letters in the logs

just wanted to add:

log.smbd on the fileserver gets these messages after an unsuccessful attempt to browse shares:

[2015/04/06 22:12:41.553353, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: username []
[2015/04/06 22:12:41.553372, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [username at INTERNAL.DOMAIN.LV]
[2015/04/06 22:12:41.554105, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username INTERNALwusername is invalid on this system

Janis
jd at ionica.lv
2015-Apr-06 19:31 UTC
[Samba] Samba as AD member can not validate domain user
correction (see below)

Quoting jd at ionica.lv:

> Quoting jd at ionica.lv:
>
>> Quoting Rowland Penny <rowlandpenny at googlemail.com>:
>>
>>>> CFG files from fileserver:
>>>> ===========
>>>> krb5.conf
>>>> [libdefaults]
>>>> default = INTERNAL.DOMAIN.LV
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>>
>>>> ==========
>>>> nsswitch.conf
>>>> passwd: compat winbind
>>>> group: compat winbind
>>>> shadow: compat files
>>>>
>>>> hosts: files dns
>>>> networks: files
>>>>
>>>> services: files
>>>> protocols: files
>>>> rpc: files
>>>> ethers: files
>>>> netmasks: files
>>>> netgroup: files
>>>> bootparams: files
>>>>
>>>> automount: files
>>>> aliases: files nisplus
>>>> publickey: nisplus
>>>> ============
>>>> SMB.conf on fileserver
>>>> [global]
>>>> security = ADS
>>>> workgroup = INTERNAL
>>>> acl group control = yes
>>>> inherit acls = Yes
>>>> map acl inherit = Yes
>>>> realm = INTERNAL.DOMAIN.LV
>>>> kerberos method = secrets and keytab
>>>> idmap config internal:backend = ad
>>>> idmap config internal:range = 10000-3001000
>>>> idmap config internal:schema_mode = rfc2307
>>>> idmap config *:range = 2000-9999
>>>> idmap config *:backend = tdb
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> winbind enum users = Yes
>>>> winbind enum groups = Yes
>>>> winbind separator = \
>>>> winbind refresh tickets = Yes
>>>> winbind nss info = rfc2307
>>>> winbind use default domain = yes
>>>> winbind trusted domains only = yes
>>>> utmp = yes
>>>> wins server = sambadc.DOMAIN.lv
>>>> wins support = yes
>>>> dns proxy = no
>>>> wins proxy = no
>>>> wtmp directory = /var/log/wtmp
>>>> preferred master = no
>>>> log level = 4
>>>> bind interfaces only = Yes
>>>> interfaces = lo, eth1
>>>> netbios name = FS2
>>>> os level = 33
>>>> =====================
>>> Firstly, please put the smb.conf on the AD DC back to what it was
>>> just after the provision. You do not need the extra lines you have
>>> added.
>>
>> now smb.conf is rather short:
>> [global]
>> workgroup = INTERNAL
>> realm = INTERNAL.DOMAIN.LV
>> netbios name = SAMBADC
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>> idmap_ldb:use rfc2307 = yes
>> log level = 4
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/internal.domain.lv/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>>> You have posted what is probably your problem:
>>>
>>> 3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)'
>>> objectSID gidNumber
>>> gives only objectSID without gidNumber;
>>>
>>> You are using the winbind 'ad' backend on the member server, for
>>> this to work, your users need a 'uidNumber' attribute and 'Domain
>>> Users' (at least) *NEEDS* a 'gidNumber'
>>
>> after assigning UNIX attributes to users and domain groups all of them have
>> uidNumbers and gidNumbers starting from 10000,
>> ldbsearch gives:
>> dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
>> objectSid: S-1-5-21-216404829-505555237-127066545-513
>> gidNumber: 10000
>>
>>> If you use the 'ad' backend, then giving your users a 'uidNumber'
>>> is not enough, you must give their primarygroup (Domain Users) a
>>> 'gidNumber' attribute.
>>
>> all of the AD users are members of the Domain Users group now.
>>
>> Now on DC getent passwd gives just a list of local users;
>> getent passwd INTERNAL\\username gives domain user info with
>> uid/gid 100xx:10000
>>
>> still no changes on fileserver, getent passwd INTERNAL\\username
>> finishes without any msg;
>> in log.winbindd there is this entry:
>> [2015/04/06 21:42:37.714639, 3]
>> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>> getpwnam INTERNAL\username
>>
>>
>> joining to the AD DC ends with a joined server and such messages:
>> DNS Update for mail.domain.lv failed: ERROR_DNS_INVALID_MESSAGE
>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>
>> (mail.domain.lv being the hostname of the server where the samba
>> fileserver with netbios name FS2 resides)
>>
>> I do not see anything in capital letters in the logs
>
> just wanted to add:
>
> log.smbd on the fileserver gets these messages after an unsuccessful attempt to
> browse shares:
>
> [2015/04/06 22:12:41.553353, 3]
> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
> Found account name from PAC: username []
> [2015/04/06 22:12:41.553372, 3]
> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> Kerberos ticket principal name is [username at INTERNAL.DOMAIN.LV]
> [2015/04/06 22:12:41.554105, 1]
> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> Username INTERNALwusername is invalid on this system

[2015/04/06 22:26:05.829369, 1] ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)

(??? there couldn't be such a local user, as I understood)
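An added note and example, not part of the original thread. The stray letter in INTERNALwusername in the log above is consistent with the fileserver's smb.conf as posted: smb.conf(5) treats a line that ends in a backslash as continued on the next line, so the posted `winbind separator = \` swallows the following `winbind refresh tickets = Yes` line, and winbindd then uses the first character of the merged value, 'w', as the separator. The suggested smb.conf in Rowland's reply later in the thread simply omits the line (the default separator is already a backslash). The Python below is a small model of that continuation rule written for this page, not Samba's own parser; the two configs it parses are constructed from the posted one and cut down to the relevant lines. (While editing those files it is also worth noting that the posted krb5.conf uses `default =` where the [libdefaults] key is `default_realm =`.)

```python
"""Added example (not Samba code): model smb.conf's backslash line continuation
and show what it does to a literal 'winbind separator = \\' line.  Both configs
below are constructed from the one posted in the thread, trimmed to what matters."""
import re


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.  A line whose last character is a
    backslash is joined with the next line, as smb.conf(5) specifies; the first
    '=' on the joined line then splits parameter from value."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]          # continuation: keep reading the next line
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf:
        logical.append(buf.strip())

    sections, current = {}, None
    for line in logical:
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        param, _, value = line.partition("=")
        sections.setdefault(current, {})[param.strip().lower()] = value.strip()
    return sections


def effective_winbind_separator(conf):
    """winbindd uses only the first character of the parameter; default is '\\'."""
    value = conf.get("global", {}).get("winbind separator", "\\")
    return value[0] if value else "\\"


def domain_qualified_name(conf, domain, user):
    """The DOMAIN<separator>user form winbind builds, e.g. INTERNAL\\username."""
    return f"{domain}{effective_winbind_separator(conf)}{user}"


def swallowed_parameters(text, conf):
    """Parameters present in the file text that never reached the parsed config:
    the tell-tale sign of a continuation line eating its successor."""
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;[" and "=" in line:
            seen.add(line.partition("=")[0].strip().lower())
    parsed = {p for params in conf.values() for p in params}
    return sorted(seen - parsed)


# Constructed: the member server's smb.conf as posted, reduced to the relevant lines.
POSTED = """[global]
security = ADS
workgroup = INTERNAL
realm = INTERNAL.DOMAIN.LV
winbind separator = \\
winbind refresh tickets = Yes
winbind use default domain = yes
"""

# Constructed: the same file with the separator line removed (the default is already '\\').
FIXED = """[global]
security = ADS
workgroup = INTERNAL
realm = INTERNAL.DOMAIN.LV
winbind refresh tickets = Yes
winbind use default domain = yes
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        conf = parse_smb_conf(text)
        print(label, "separator", repr(effective_winbind_separator(conf)),
              domain_qualified_name(conf, "INTERNAL", "username"),
              "swallowed:", swallowed_parameters(text, conf))
```

On a real system `testparm -s | grep -i 'winbind'` shows the value Samba actually loaded, which is the quickest way to confirm the same thing without this script.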
Rowland Penny
2015-Apr-06 19:49 UTC
[Samba] Samba as AD member can not validate domain user
On 06/04/15 19:49, jd at ionica.lv wrote:
>
> Quoting Rowland Penny <rowlandpenny at googlemail.com>:
>
>>> CFG files from fileserver:
>>> ===========
>>> krb5.conf
>>> [libdefaults]
>>> default = INTERNAL.DOMAIN.LV
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> ==========
>>> nsswitch.conf
>>> passwd: compat winbind
>>> group: compat winbind
>>> shadow: compat files
>>>
>>> hosts: files dns
>>> networks: files
>>>
>>> services: files
>>> protocols: files
>>> rpc: files
>>> ethers: files
>>> netmasks: files
>>> netgroup: files
>>> bootparams: files
>>>
>>> automount: files
>>> aliases: files nisplus
>>> publickey: nisplus
>>> ============
>>> SMB.conf on fileserver
>>> [global]
>>> security = ADS
>>> workgroup = INTERNAL
>>> acl group control = yes
>>> inherit acls = Yes
>>> map acl inherit = Yes
>>> realm = INTERNAL.DOMAIN.LV
>>> kerberos method = secrets and keytab
>>> idmap config internal:backend = ad
>>> idmap config internal:range = 10000-3001000
>>> idmap config internal:schema_mode = rfc2307
>>> idmap config *:range = 2000-9999
>>> idmap config *:backend = tdb
>>> dedicated keytab file = /etc/krb5.keytab
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind separator = \
>>> winbind refresh tickets = Yes
>>> winbind nss info = rfc2307
>>> winbind use default domain = yes
>>> winbind trusted domains only = yes
>>> utmp = yes
>>> wins server = sambadc.DOMAIN.lv
>>> wins support = yes
>>> dns proxy = no
>>> wins proxy = no
>>> wtmp directory = /var/log/wtmp
>>> preferred master = no
>>> log level = 4
>>> bind interfaces only = Yes
>>> interfaces = lo, eth1
>>> netbios name = FS2
>>> os level = 33
>>> =====================
>> Firstly, please put the smb.conf on the AD DC back to what it was
>> just after the provision. You do not need the extra lines you have
>> added.
>
> now smb.conf is rather short:
> [global]
> workgroup = INTERNAL
> realm = INTERNAL.DOMAIN.LV
> netbios name = SAMBADC
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> log level = 4
>
> [netlogon]
> path = /var/lib/samba/sysvol/internal.domain.lv/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>> You have posted what is probably your problem:
>>
>> 3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)' objectSID
>> gidNumber
>> gives only objectSID without gidNumber;
>>
>> You are using the winbind 'ad' backend on the member server, for this
>> to work, your users need a 'uidNumber' attribute and 'Domain Users'
>> (at least) *NEEDS* a 'gidNumber'
>
> after assigning UNIX attributes to users and domain groups all of them
> have
> uidNumbers and gidNumbers starting from 10000,
> ldbsearch gives:
> dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
> objectSid: S-1-5-21-216404829-505555237-127066545-513
> gidNumber: 10000
>
>> If you use the 'ad' backend, then giving your users a 'uidNumber' is
>> not enough, you must give their primarygroup (Domain Users) a
>> 'gidNumber' attribute.
>
> all of the AD users are members of the Domain Users group now.

what do you mean 'all of the AD users are members of the Domain Users group now.' ??

I hope you haven't changed the users' primaryGroupID attribute.

> Now on DC getent passwd gives just a list of local users;
> getent passwd INTERNAL\\username gives domain user info with uid/gid
> 100xx:10000

This is what I get when I run getent on one of my DCs:

root at dc01:~# getent passwd rowland
EXAMPLE\rowland:*:10000:10000:Rowland Penny:/home/EXAMPLE/rowland:/bin/bash

NOTE: I also have this line in smb.conf:

template shell = /bin/bash

> still no changes on fileserver, getent passwd INTERNAL\\username
> finishes without any msg;

Hmm, if I run (on a member server):

getent passwd EXAMPLE\\rowland

I get:

rowland:*:10000:10000::/home/rowland:/bin/bash

> in log.winbindd there is this entry:
> [2015/04/06 21:42:37.714639, 3]
> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> getpwnam INTERNAL\username
>
>
> joining to the AD DC ends with a joined server and such messages:
> DNS Update for mail.domain.lv failed: ERROR_DNS_INVALID_MESSAGE
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> (mail.domain.lv being the hostname of the server where the samba
> fileserver with netbios name FS2 resides)
>
> I do not see anything in capital letters in the logs
>
> Janis
>

Try changing smb.conf on the fileserver to this:

[global]
workgroup = INTERNAL
security = ADS
realm = INTERNAL.DOMAIN.LV
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config INTERNAL:backend = ad
idmap config INTERNAL:range = 10000-3001000
idmap config INTERNAL:schema_mode = rfc2307
dns proxy = no
preferred master = no
log level = 4
bind interfaces only = Yes
interfaces = lo, eth1
os level = 33
domain master = no
local master = no
map to guest = bad user
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

Rowland
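An added example, not code from the thread or from Samba. Rowland's point, made in his earlier reply and repeated here, is that with `idmap config INTERNAL:backend = ad` every domain user needs a uidNumber, and the group each user's primaryGroupID points at (Domain Users, RID 513, unless primaryGroupID was changed) needs a gidNumber, with both values inside the member server's idmap range (10000-3001000 in the posted smb.conf). The Python below reads an LDIF dump of the kind ldbsearch prints and lists every account that would fail that test. The entries embedded in it are constructed sample data: the DN and objectSid of Domain Users are the ones posted in the thread, the user and computer accounts are invented. To check a real domain, feed it the output of something like `ldbsearch -s sub -H /var/lib/samba/private/sam.ldb '(|(objectClass=user)(objectClass=group))' sAMAccountName objectClass objectSid primaryGroupID uidNumber gidNumber` run on the DC.

```python
"""Added example (not from the thread, not Samba code): verify the RFC2307
attributes the winbind 'ad' idmap backend depends on, from an LDIF dump.
The LDIF below is constructed sample data modelled on the thread's domain."""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    multi-valued attributes collected in order, '#' comments skipped, and
    folded continuation lines (leading space) joined.  No base64 support."""
    entries, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last is not None:
            current[last][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        last = attr.strip()
        current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def rid(sid):
    """Relative identifier: the last component of an S-1-5-21-... SID string."""
    return int(sid.rsplit("-", 1)[1])


def check_idmap_ad(entries, low, high):
    """Return human-readable problems.  A user is mappable only if it carries a
    uidNumber in [low, high] and its primary group carries a gidNumber in the
    same range; computer accounts are skipped, as winbind does not need them."""
    problems = []
    groups_by_rid = {rid(e["objectSid"][0]): e
                     for e in entries if "group" in e.get("objectClass", [])}
    for e in entries:
        oc = e.get("objectClass", [])
        if "user" not in oc or "computer" in oc:
            continue
        name = e["sAMAccountName"][0]
        uid = e.get("uidNumber")
        if uid is None:
            problems.append(f"{name}: no uidNumber")
        elif not low <= int(uid[0]) <= high:
            problems.append(f"{name}: uidNumber {uid[0]} outside idmap range {low}-{high}")
        pg = int(e.get("primaryGroupID", ["513"])[0])   # AD default is Domain Users
        group = groups_by_rid.get(pg)
        if group is None:
            problems.append(f"{name}: primaryGroupID {pg} matches no group in the dump")
            continue
        gname = group["sAMAccountName"][0]
        gid = group.get("gidNumber")
        if gid is None:
            problems.append(f"{name}: primary group {gname} (RID {pg}) has no gidNumber")
        elif not low <= int(gid[0]) <= high:
            problems.append(f"{name}: primary group {gname} gidNumber {gid[0]} outside idmap range {low}-{high}")
    return problems


# Constructed: the state Rowland diagnosed, users have uidNumber but Domain Users has no gidNumber.
BEFORE = """dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: top
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-216404829-505555237-127066545-513

dn: CN=username,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: username
primaryGroupID: 513
uidNumber: 10000

dn: CN=janis,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: janis
primaryGroupID: 513
"""

# Constructed: after UNIX attributes were assigned; a computer account is included to show it is ignored.
AFTER = """dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: top
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-216404829-505555237-127066545-513
gidNumber: 10000

dn: CN=username,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: username
primaryGroupID: 513
uidNumber: 10000

dn: CN=FS2,CN=Computers,DC=internal,DC=domain,DC=lv
objectClass: top
objectClass: user
objectClass: computer
sAMAccountName: FS2$
primaryGroupID: 515
"""

if __name__ == "__main__":
    for label, dump in (("before", BEFORE), ("after", AFTER)):
        print(label, check_idmap_ad(parse_ldif(dump), 10000, 3001000) or "OK")
```

The range arguments must match `idmap config INTERNAL:range` on the member server, not anything on the DC: the DC's own idmap.ldb mapping is separate, which is why `getent passwd` can work on the DC while the member server returns nothing.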
jd at ionica.lv
2015-Apr-07 06:14 UTC
[Samba] Samba as AD member can not validate domain user
Quoting Rowland Penny <rowlandpenny at googlemail.com>:

>> after assigning UNIX attributes to users and domain groups all of them have
>> uidNumbers and gidNumbers starting from 10000,
>> ldbsearch gives:
>> dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
>> objectSid: S-1-5-21-216404829-505555237-127066545-513
>> gidNumber: 10000
>>
>>> If you use the 'ad' backend, then giving your users a 'uidNumber'
>>> is not enough, you must give their primarygroup (Domain Users) a
>>> 'gidNumber' attribute.
>
>> all of the AD users are members of the Domain Users group now.
>
> what do you mean 'all of the AD users are members of the Domain
> Users group now.' ??
>
> I hope you haven't changed the users' primaryGroupID attribute.

I assigned a primary group to each domain user through UNIX attributes(?) in the Windows (8.1) domain management tool, choosing INTERNAL as the NIS realm.

> This is what I get when I run getent on one of my DCs:
>
> root at dc01:~# getent passwd rowland
> EXAMPLE\rowland:*:10000:10000:Rowland Penny:/home/EXAMPLE/rowland:/bin/bash

yes, I am getting similar:

username:*:10000:10000::/home/INTERNAL/username:/bin/false

Some questions related to this:

- can I have the domain user's home directory be something like \\FS\home\username? As far as I understand, the home directory /home/INTERNAL/username is not created automatically. I tried to create it by hand (and chown it to 10000.10000) in order to see what changes, but it remained empty.
- does the shell parameter play any role if all domain users are pure Windows users?
- if the shell is set to /bin/bash, for example, is the domain user able to log in to the shell of any Linux server which is a domain member?

> Hmm, if I run (on a member server):
>
> getent passwd EXAMPLE\\rowland
>
> I get:
>
> rowland:*:10000:10000::/home/rowland:/bin/bash

Yes, finally, I am getting similar now. I'll check later what effect it has overall.

Janis