Max Baker
2016-Feb-19 16:48 UTC
[Samba] AD Controller + File Server + Unix Logins one 1 machine
Hi Sambassadors,

I would like to set up one machine that acts as AD Controller, File Server, DNS, and DHCP server. I have read the warning against having AD Controller + File Server on the same machine and those are understood. This is for a very small environment, so I'm OK with the single point of failure.

That said, I have the AD Controller set up and tested (Very cool!) I've joined a Windows machine to the domain and have the home directories set up to autocreate and mount. This is using Ubuntu 14 LTS. I have compiled and installed into the /usr prefix using the ./configure settings found in the Debian packaging files, and so far it seems to be happy.

Well, almost...

1. I am seeing an "Unwilling to Perform" error from ADUC when assigning a GUID to the group "Domain Users". I'm not sure if this is a real problem or not (similar threads:
https://lists.samba.org/archive/samba/2014-September/184967.html
https://lists.samba.org/archive/samba/2015-October/195281.html)

2. The last component for me is to allow domain users to be able to log into and use the ADC (Ubuntu) machine. Can someone point me to a way of doing this on the ADC? I've started with https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto but am not having a lot of luck so far in getting PAM to talk to winbind to talk to the ADC. All documentation I've found so far is not doing it on the ADC itself.

Thanks so much,
-m
Rowland penny
2016-Feb-19 17:32 UTC
[Samba] AD Controller + File Server + Unix Logins one 1 machine
On 19/02/16 16:48, Max Baker wrote:
> Hi Sambassadors,
>
> I would like to set up one machine that acts as AD Controller, File
> Server, DNS, and DHCP server. I have read the warning against
> having AD Controller + File Server on the same machine and those are
> understood. This is for a very small environment, so I'm OK with the
> single point of failure.
>
> That said, I have the AD Controller set up and tested (Very cool!)
> I've joined a Windows machine to the domain and have the home
> directories set up to autocreate and mount. This is using Ubuntu
> 14 LTS. I have compiled and installed into the /usr prefix using the
> ./configure settings found in the Debian packaging files, and so far
> it seems to be happy.
>
> Well, almost...
>
> 1. I am seeing an "Unwilling to Perform" error from ADUC when assigning
> a GUID to the group "Domain Users". I'm not sure if this is a real
> problem or not
> (similar threads:
> https://lists.samba.org/archive/samba/2014-September/184967.html
> https://lists.samba.org/archive/samba/2015-October/195281.html)

What are your feelings on using the command line?

You could always open a terminal on the Samba 4 DC, enter:

ldbedit -e nano -H /usr/local/samba/private/sam.ldb

press enter
press Ctrl+w
type 'dn: cn=domain users'
then add 'gidNumber: <whatever number you want to use>'
I suggest 10000
Press Ctrl+x
Press 'y'
Press 'enter'

That's it, Domain Users now has a gidNumber.

> 2. The last component for me is to allow domain users to be able to
> log into and use the ADC (Ubuntu) machine. Can someone point me to
> a way of doing this on the ADC? I've started with
> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto but am
> not having a lot of luck so far in getting PAM to talk to winbind to
> talk to the ADC. All documentation I've found so far is not doing it
> on the ADC itself.

Ah, but setting up libnss_winbind is the same as on a domain member, go here and read the info:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind

remember to follow the links.

You may need another file, if getent doesn't work after setting up the links, just say and I will post the possibly missing file.

Rowland

> Thanks so much,
> -m
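The ldbedit steps above done non-interactively, as an added example (it is not Rowland's or Samba's code). It builds the LDIF for the gidNumber change, applies it with ldbmodify, and verifies through getent so the result is checked on the same path the Unix logins will use. Assumptions: ldbsearch and ldbmodify from the Samba build are on PATH, the script runs as root on the DC, sam.ldb lives under the Debian/Ubuntu prefix /var/lib/samba/private (Rowland's path is the /usr/local/samba default; override with SAM_LDB), and the gid is kept inside the 10000-99999 range suggested in the thread. The final getent only resolves once libnss_winbind is set up as Rowland describes.

```shell
#!/bin/sh
# Added example, not Rowland's or Samba's code: give a group a gidNumber
# with the ldb tools instead of an interactive ldbedit session.
# Assumed sam.ldb location (Debian/Ubuntu prefix); override via SAM_LDB.
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"

# Emit the LDIF that adds or replaces gidNumber on one entry.
# $1 = DN, $2 = gid, $3 = "add" or "replace"
make_gid_ldif() {
    printf 'dn: %s\nchangetype: modify\n%s: gidNumber\ngidNumber: %s\n' "$1" "$3" "$2"
}

# Accept only an integer in 10000-99999, the range used in this thread
# (domain members' idmap ranges must include whatever is chosen here).
gid_in_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 10000 ] && [ "$1" -le 99999 ]
}

# Dump one group entry (DN plus current gidNumber, if any) from sam.ldb.
group_entry() {
    ldbsearch -H "$SAM_LDB" "(&(objectClass=group)(cn=$1))" gidNumber
}

# Set the gidNumber of a group and show what the Unix side now sees.
set_group_gid() {
    group="$1"; gid="$2"
    gid_in_range "$gid" || { echo "gid '$gid' is not in 10000-99999" >&2; return 1; }
    entry=$(group_entry "$group") || return 1
    dn=$(printf '%s\n' "$entry" | sed -n 's/^dn: //p')
    cur=$(printf '%s\n' "$entry" | sed -n 's/^gidNumber: //p')
    [ -n "$dn" ] || { echo "group '$group' not found in $SAM_LDB" >&2; return 1; }
    # ldbmodify rejects adding an attribute that already has a value, so
    # switch to "replace" when a gidNumber is present.
    if [ -n "$cur" ]; then op=replace; else op=add; fi
    make_gid_ldif "$dn" "$gid" "$op" | ldbmodify -H "$SAM_LDB" || return 1
    # Verify via NSS, i.e. through libnss_winbind, not just via ldb.
    getent group "$group"
}

# Usage: set-gid.sh "Domain Users" [gid]   (gid defaults to Rowland's 10000)
if [ -n "${1:-}" ]; then
    set_group_gid "$1" "${2:-10000}"
fi
```

The add/replace switch is the part worth keeping: the GUI tool in the thread fails when the value already exists, and a blind `add: gidNumber` fails the same way, so the script reads the entry first and picks the right changetype.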
Max Baker
2016-Feb-23 16:14 UTC
[Samba] AD Controller + File Server + Unix Logins one 1 machine
Hi Rowland,

Thanks for the quick response. My response is inline below...

On 02/19/2016 06:32 PM, Rowland penny wrote:
> What are your feelings on using the command line?
> You could always open a terminal on the Samba 4 DC, enter:
>
> ldbedit -e nano -H /usr/local/samba/private/sam.ldb
>
> press enter
>
> press Ctrl+w
> type 'dn: cn=domain users'
> then add 'gidNumber: <whatever number you want to use>'
> I suggest 10000
> Press Ctrl+x
> Press 'y'
> Press 'enter'
>
> That's it, Domain Users now has a gidNumber.

I like the command line, thanks for the option. For this particular install I used 'ldbedit -e vim -H /var/lib/samba/private/sam.ldb'. As it turns out, the GID was in place just fine, but for some reason the Windows tool is throwing that error.

> Ah, but setting up libnss_winbind is the same as on a domain member,
> go here and read the info:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind
>
> remember to follow the links.
>
> You may need another file, if getent doesn't work after setting up the
> links, just say and I will post the possibly missing file.

Excellent, I think I'm in business now.

nsswitch.conf:
----
passwd: compat winbind
group: compat winbind
...
----

smb.conf additions to make the ADC also an AD client:
----
# security = ads   # Mutually exclusive with server role = a.d.d.c!
idmap config MY_DOMAIN : backend = ad
idmap config MY_DOMAIN : range = 10000 - 99999
template shell = /bin/bash
template homedir = /home/%U
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nss info = rfc2307
----

Look good? Any suggestions?

Unrelated: A couple of un-intuitive things in order to get a logon script to work with an ADC:

1. Use ADUC to add the logon script name like normal. This however has to be a relative path (logon.cmd not \\DC\netlogon\logon.cmd)
2. Set the +x bit in Unix on the script

Thanks again for your help and of course for Samba.

-m
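A check for the smb.conf in the post above, as an added example (not Max's configuration or Samba's code). It lints the [global] section of a DC smb.conf for the domain-member settings that appear in the thread: `security = ads`, which is mutually exclusive with `server role = active directory domain controller`, and the `idmap config` lines, which are domain-member settings (a DC's winbind maps IDs through idmap_ldb). It also checks for `idmap_ldb:use rfc2307 = yes`, the setting that makes a DC's winbind use the uidNumber/gidNumber attributes stored in AD (`samba-tool domain provision --use-rfc2307` writes it). The config path, the two constructed sample configs and the user name passed to `id` are assumptions; `testparm -s` remains the authoritative parser check.

```shell
#!/bin/sh
# Added example, not Max's configuration or Samba's code: lint a DC smb.conf
# for domain-member settings and then run the live checks when the Samba
# tools are installed. Assumed config path: /etc/samba/smb.conf.

# Print normalised "key = value" lines from [global]: comment lines dropped,
# keys lowercased with single spaces, values trimmed.
global_params() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sect = tolower($0); sub(/^[ \t]*\[/, "", sect); sub(/\].*/, "", sect); next }
        sect == "global" && index($0, "=") {
            key = $0; sub(/=.*/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print tolower(key) " = " val
        }' "$1"
}

# Return 0 when [global] contains exactly this normalised "key = value".
has_param() { global_params "$1" | grep -qx -- "$2"; }

# Lint a DC smb.conf. Exit status: 0 clean, 1 problems found, 2 not a DC config.
check_dc_config() {
    conf="$1"; rc=0
    has_param "$conf" 'server role = active directory domain controller' || {
        echo "SKIP: $conf does not set server role = active directory domain controller"
        return 2
    }
    if has_param "$conf" 'security = ads'; then
        echo "ERROR: security = ads is mutually exclusive with the DC server role"; rc=1
    fi
    if global_params "$conf" | grep -q '^idmap config '; then
        echo "WARN: idmap config lines are domain-member settings; a DC maps IDs through idmap_ldb"; rc=1
    fi
    if ! has_param "$conf" 'idmap_ldb:use rfc2307 = yes'; then
        echo "WARN: idmap_ldb:use rfc2307 = yes is missing; uidNumber/gidNumber from AD will not be used"; rc=1
    fi
    return $rc
}

# Live checks on the DC itself (root, samba running); skipped without the tools.
# $1 = an AD user to resolve (assumed name; any domain user works).
verify_live() {
    command -v testparm >/dev/null 2>&1 || { echo "SKIP: Samba tools not installed"; return 0; }
    testparm -s >/dev/null || return 1
    getent group 'Domain Users' || { echo "ERROR: libnss_winbind is not resolving groups"; return 1; }
    wbinfo --ping-dc >/dev/null && id "${1:-administrator}"
}

# Constructed samples: the member-style fragment from the thread placed under a
# DC role, and a DC form with the rfc2307 switch instead of idmap config lines.
sample_config() {
    case "$1" in
    member-style) cat <<'EOF'
[global]
    server role = active directory domain controller
    security = ads
    idmap config MY_DOMAIN : backend = ad
    idmap config MY_DOMAIN : range = 10000 - 99999
    winbind use default domain = yes
EOF
    ;;
    dc) cat <<'EOF'
[global]
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
    template homedir = /home/%U
    winbind use default domain = yes
EOF
    ;;
    esac
}

# Usage: check-dc-conf.sh /etc/samba/smb.conf [user]
if [ -n "${1:-}" ]; then
    check_dc_config "$1" && verify_live "${2:-}"
fi
```

Run it against the real file after `testparm -s` is clean; the WARN lines are about settings a DC silently ignores, which is why they never show up as parse errors.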