> On 29 Oct 2015, at 20:52, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>
>> On 29/10/15 19:27, Viktor Trojanovic wrote:
>>
>>> On 29.10.2015 18:49, Rowland Penny wrote:
>>>> On 29/10/15 17:27, Viktor Trojanovic wrote:
>>>>
>>>>> On 29.10.2015 17:54, Rowland Penny wrote:
>>>>>> On 29/10/15 16:21, Viktor Trojanovic wrote:
>>>>>>
>>>>>>> On 27.10.2015 16:16, Rowland Penny wrote:
>>>>>>>> On 27/10/15 14:58, Viktor Trojanovic wrote:
>>>>>>>>
>>>>>>>>> On 27.10.2015 13:54, Rowland Penny wrote:
>>>>>>>>> [...]
>>>>>>>>>> Yes, I meant the administrator. I did your suggested change on my member server and restarted it. 'getent passwd administrator' is still not returning anything, though. Or is that the wrong way to check if it worked?
>>>>>>>>>
>>>>>>>>> If you ran the same command on the DC, it will return something, but on a member server it won't, because the range you set in smb.conf is (if you followed the wiki, 10000-99999) above '0' and anything that is outside the range is ignored. This is not a problem, remember that Administrator is mapped to root on the member server, so if you want to log into the member server, you would do so as root. From Windows, Administrator becomes root and carries out any changes etc. as root.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>
>>>>>>>> Ok, all understood, thank you. But how can I check if it worked with the users? I manually changed the Nisdomain and uidNumber for two users using ADUC (to 10001 and 10002, respectively), I restarted Samba (was this even necessary?), and getent passwd <username> will still not return anything.
>>>>>>>>
>>>>>>>> In other words, what is the quickest way to check if my member server setup worked out alright?
>>>>>>>
>>>>>>> OK, if you compiled samba yourself and you want to test getent on the member server, see this that I posted earlier:
>>>>>>>
>>>>>>> https://lists.samba.org/archive/samba/2015-October/195319.html
>>>>>>>
>>>>>>> If you are using distro packages, the wiki pages should give you a good idea of what you need.
>>>>>>>
>>>>>>> Rowland
>>>>>> So, I spent quite some time researching it all a bit more in depth but I get stuck at the same point, although I at least seem to have a better understanding of how things should be now.
>>>>>>
>>>>>> So, my smb.conf on the member server looks exactly like the one in the wiki, except that I also added ACL support as suggested on the wiki page "Shares with Windows ACLs". My filesystem is XFS and has ACL built-in.
>>>>>>
>>>>>> I do get proper results for wbinfo -u and wbinfo -g, but the id and getent commands just won't work. I'm trying it on users and groups that have a uidNumber or gidNumber defined, respectively.
>>>>>>
>>>>>> This is how my nsswitch.conf looks:
>>>>>>
>>>>>> passwd: compat winbind
>>>>>> group: compat winbind
>>>>>> hosts:compat dns
>>>>>> networks: compat dns
>>>>>>
>>>>>> My Samba came from a package but I verified that libnss_winbind.so.2 is properly linked.
>>>>>>
>>>>>> smbd, nmbd and winbindd are properly started with no errors in the logs, I'm joined to the AD, I can browse the member server from my Windows machine being logged in as Administrator. But I still can't seem to change ACLs on any objects in the share from within Windows, I'm getting error messages "Error when applying security" (I'm translating freely from German).
>>>>>>
>>>>>> Do you have any idea what's going wrong here?
>>>>>>
>>>>>> Viktor
>>>>>
>>>>> OK, if I remember correctly, we are talking about a domain member here, not a DC. If you are using the default smb.conf from here:
>>>>>
>>>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>>> No. I'm using the smb.conf from https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>>
>>>>> with the 'ad' setup from here:
>>>>>
>>>>> https://wiki.samba.org/index.php/Idmap_config_ad
>>>> Those lines are already implemented in the smb.conf retrieved from https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>
>>> OK, what is the difference between a 'domain member' and a 'member server'? Well, to be honest, not much. You can think of a 'domain member' as being the same as a normal Windows workstation that a user logs into and it doesn't share anything. You can turn a 'domain member' into a 'member server' very easily, just make it share something :-) If you share printers from it, it becomes a 'Print Server', add data shares and it becomes a 'File Server', I think you get the idea here :-)
>>>
>>> Your smb.conf from the 'member server' page is equivalent to the one you can create from the three pages I posted.
>>>
>>>>> with the acl support lines from here:
>>>>>
>>>>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#ACL_support_on_domain_members
>>>> Those exact 3 lines, yes.
>>>>> then getent should work, but there are a few caveats: the users must have a uidNumber inside the range 10000-99999 and Domain Users (at least) must have a gidNumber inside the same range. Any users or groups outside this range will be ignored and *all* users will be ignored if Domain Users either doesn't have a gidNumber or it is outside the range.
>>>> The user I'm trying to return has a uidNumber of 10002, and Domain Users is set to gidNumber 10000. I have not set those attributes for other groups and did not expect them to show up with getent.
>>>>
>>>>> Time must be synchronised between the machines, within 5 mins if I remember correctly.
>>>> Time is synced and well within 5 mins. Kerberos would fail otherwise and I am able to request k-tickets for any user without issues.
>>>>> The domain member must be joined to the domain (obviously)
>>>> Of course.
>>>>> The domain member must be using the DC as its DNS server
>>>>>
>>>>> /etc/resolv.conf
>>>>> search samdom.example.com
>>>>> nameserver 192.168.0.3 <-- this is the ip of the DC
>>>> My DC has a fixed IP and that's exactly how my resolv.conf looks, no other lines.
>>>
>>> Yes, but does your 'member server' have a fixed ip?
>>>
>>>>> You only need this in /etc/krb5.conf
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = SAMDOM.EXAMPLE.COM
>>>>> dns_lookup_realm = false
>>>>> dns_lookup_kdc = true
>>>> That's exactly what I have. As mentioned, Kerberos seems to work properly.
>>>>
>>>>> Ideally your domain member should have a fixed ip, but if you are using dhcp, check that the ipaddress isn't 127.0.0.1 or even worse 127.0.1.1. If you are using Ubuntu with Network Manager, stop it using dnsmasq.
>>>> See above.
>>>>> Check that pam is set up correctly, on debian you can do this by running 'pam-auth-update'
>>>> I don't have pam set up since I don't need the users to log in to Linux. It is nowhere mentioned, neither on the wiki nor in the book, that this is a prerequisite for getent to work.
>>>
>>> Applying hand brake, screeching to a halt :-D
>>>
>>> If pam is not set up you will not get 'getent' to work. Can you please refresh my memory and tell me what OS you are using. Pam is not required on a DC unless you require your users to actually log into it, but it is definitely needed on a 'domain member' (or as you call it, a 'member server')
>>>
>>> There is a mention of setting up PAM on the page you referred to:
>>>
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Setting_up_PAM_authentication
>>>
>>> Though it is a bit unclear that it is required to make 'getent' work, I will not update this page because there is a very good chance it will get a massive overhaul soon, but I will look into whether any other Pam info specifies that it is needed on a domain member.
>>>
>>> Rowland
>>
>> Well, I'll be... I really didn't figure out that that was any kind of necessity. Since the getent checks on the wiki (and in my book) are performed before the comments about PAM, I thought that's just for special situations (such as needing users to log in on Linux). So you're saying I can't set my ACLs with domain users because of that?
>
> getent shows what the OS knows about a user, if it shows nothing, that user is unknown to the OS and as such cannot own anything. On the DC, this is not really a problem because the users are automatically given an xidNumber and this is used instead and most people only use the DC for authentication. You only need the libnss_winbind links and pam (or something in its place) if you want your users to connect to the member server.

Let me just reconfirm something. Is PAM still needed if I used RID as a mapping backend instead of AD? I'm asking because I came across other tutorials on how to set up a samba member server and it didn't involve pam. The main difference in the config was the backend, which is RID in their case.

In the Arch Wiki (which could be outdated) it is explicitly stated that all that is needed for getent to work is a proper nsswitch.conf. https://wiki.archlinux.org/index.php/Active_Directory_Integration

Here is a tutorial on how to do it on FreeBSD 9. The info is based on Samba 3.6 joining a Windows DC, though. See http://samba.ninja/2012/05/freebsd-9-samba-ad-member-server/
On 29/10/15 22:58, Viktor Trojanovic wrote:
> [...]
> Let me just reconfirm something. Is PAM still needed if I used RID as a mapping backend instead of AD?

Yes, pam is still required. I am no expert, but this is how I think nsswitch works:

When you run 'getent passwd user' it checks in /etc/nsswitch.conf for what the 'passwd' line contains. It then checks each of the databases one by one; normally it would check the local files first (though this can be called 'compat'); if it finds a local user it stops and returns the info for the user. If it doesn't find anything it moves on to the next database, in our case 'winbind'; this checks for the user and if the user is found, the user's info is returned. This is where PAM comes in, you can think of it as a 'bridge' between getent and AD, without this bridge winbind cannot get to the info.

> I'm asking because I came across other tutorials on how to set up a samba member server and it didn't involve pam. The main difference in the config was the backend, which is RID in their case.
>
> In the Arch Wiki (which could be outdated) it is explicitly stated that all that is needed for getent to work is a proper nsswitch.conf. https://wiki.archlinux.org/index.php/Active_Directory_Integration

Yes, but it also tells you to install pam-krb5

> Here is a tutorial on how to do it on FreeBSD 9. The info is based on Samba 3.6 joining a Windows DC, though. See http://samba.ninja/2012/05/freebsd-9-samba-ad-member-server/

The only thing it doesn't mention is PAM, but does freebsd use PAM?

All I can say is that I use Debian Wheezy and I have to install PAM packages to make getent work.

Rowland
On 30.10.2015 09:22, Rowland Penny wrote:
> [...]
> All I can say is that I use Debian Wheezy and I have to install PAM packages to make getent work.
>
> Rowland

Finally! It works! Fireworks!

So I tried it with Arch Linux this time. I did exactly what I did before, meaning:

- fixed IP, added the DC to /etc/hosts, configured /etc/resolv.conf to contain the DC nameserver and search domain
- added new host (A) entry on the DC
- set up ntp to get times from the DC
- joined the AD (error messages about DNS remain as before but the join is OK)
- set up /etc/smb.conf as per the wiki, added parts for "load printers=no", the 3 lines for ACL file sharing, and the usermapping file containing the root=admin mapping
- added "winbind" to the lines for passwd, group, and shadow in /etc/nsswitch.conf
- started the 3 services smbd, nmbd, winbindd

And voilà, it all works. getent passwd/group is returning the expected values, I can define ACLs through Windows and read them in Linux.

While the PAM packages are installed on the base system by default, I did not have to change or adapt the configuration. I did not even install the pam-krb5 package. You indeed only need to do all this if you want to log in to the machine with AD user accounts.

Next step is now to change to the RID backend.. I think that makes more sense in my setup.

That was quite an exhausting learning experience.. :) Thanks once more for all your support. Without it, I probably would have given up stuck as I was.

Viktor
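The two checks the whole thread turns on, Rowland's idmap range caveat (IDs outside the domain range are silently ignored, which is why Administrator never showed up) and the winbind entries on the passwd and group lines of nsswitch.conf, as a small POSIX sh checker. This is an added example, not code from the thread or from the Samba project; the file contents, the SAMDOM domain name and the temp paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: checks the two
# prerequisites for 'getent' on an AD member server that the thread turns on.
# Every file below is constructed for the demo; the SAMDOM domain name and
# the temp paths are assumptions.

# 1. Does nsswitch.conf route a database (passwd, group, ...) through winbind?
#    Usage: nss_has_winbind <nsswitch.conf> <database>; exit status 0 = yes.
#    Handles both "passwd: compat winbind" and "hosts:compat dns" spellings.
nss_has_winbind() {
    awk -v db="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        index($0, db ":") == 1 {                 # line starts with "db:"
            n = split(substr($0, length(db) + 2), f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == "winbind") found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# 2. Read "idmap config DOMAIN : range = low-high" from smb.conf and print
#    "low high". Whitespace around ':', '=' and '-' is ignored.
#    Usage: idmap_range <smb.conf> <DOMAIN>
idmap_range() {
    awk -v dom="$2" '
        /^[ \t]*[#;]/ { next }
        {
            line = tolower($0); gsub(/[ \t]/, "", line)
            key = "idmapconfig" tolower(dom) ":range="
            if (index(line, key) == 1) {
                split(substr(line, length(key) + 1), r, "-")
                print r[1], r[2]
            }
        }' "$1"
}

# 3. Winbind ignores IDs outside the domain range, which is exactly what
#    Viktor saw for Administrator (no uidNumber inside 10000-99999).
#    Usage: id_in_range <n> <smb.conf> <DOMAIN>; prints "ok" or "ignored".
id_in_range() {
    set -- "$1" $(idmap_range "$2" "$3")         # $1=n $2=low $3=high
    if [ -n "$3" ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; then
        echo ok
    else
        echo ignored
    fi
}

# 4. Verdict for one user: passwd and group must go through winbind, and the
#    user's uidNumber and Domain Users' gidNumber must both be in range.
#    Usage: getent_should_work <nsswitch.conf> <smb.conf> <DOMAIN> <uidNumber> <domain_users_gidNumber>
getent_should_work() {
    nss_has_winbind "$1" passwd || { echo "no: passwd line lacks winbind"; return 1; }
    nss_has_winbind "$1" group  || { echo "no: group line lacks winbind"; return 1; }
    [ "$(id_in_range "$4" "$2" "$3")" = ok ] ||
        { echo "no: uidNumber $4 outside idmap range"; return 1; }
    [ "$(id_in_range "$5" "$2" "$3")" = ok ] ||
        { echo "no: Domain Users gidNumber $5 outside idmap range"; return 1; }
    echo yes
}

# Constructed sample files modelled on the thread: Viktor's nsswitch.conf and
# a wiki-style idmap block with the 10000-99999 domain range.
DEMO_DIR=$(mktemp -d); trap 'rm -rf "$DEMO_DIR"' EXIT
NSS_FILE="$DEMO_DIR/nsswitch.conf"; SMB_CONF="$DEMO_DIR/smb.conf"
cat > "$NSS_FILE" <<'EOF'
passwd: compat winbind
group: compat winbind
hosts:compat dns
networks: compat dns
EOF
cat > "$SMB_CONF" <<'EOF'
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-99999
EOF

# Viktor's user (uidNumber 10002, Domain Users gidNumber 10000) -> yes
getent_should_work "$NSS_FILE" "$SMB_CONF" SAMDOM 10002 10000
# Administrator with no uidNumber in range -> no: uidNumber 0 outside idmap range
getent_should_work "$NSS_FILE" "$SMB_CONF" SAMDOM 0 10000 || true
```

To run it against a real member server, point NSS_FILE and SMB_CONF at /etc/nsswitch.conf and the live smb.conf instead of the constructed copies.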