Hi,

I have a Samba 4.2.10 server with NT4 configuration, with ldap backend on Debian Jessie, and I want to upgrade it to AD. I test it now in a virtual environment. The classicupgrade was successful.

getent passwd username
and
chown "username:Domain Users" test.txt
didn't work with this nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap
, so I changed ldap to winbind. Now the two above commands work, but the local login delays some seconds. Which nss setup is better: ldap, or winbind? Ldap doesn't work perfectly, because I cannot use ldapsearch:

ldapsearch -xLL -H ldap://localhost:389 -D "cn=Administrator,dc=Users,dc=our,dc=site" -b "dc=our,dc=site"
ldap_bind: Strong(er) authentication required(8)
        additional info: BindSimple: transport encryption required.

smb.conf:
[global]
workgroup = OUR
realm = our.site
interfaces = lo eth0
bind interfaces only = yes
server role = active directory domain controller
passdb backend = samba_dsdb
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
dns forwarder = 208.67.222.222
rpc_server:tcpip = no
rpc_daemon:spoolssd = enabled
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap config our : range = 10000-100000
idmap config our : backend = ad
idmap config * : range = 1000000-1999999
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = no
map readonly = no
store dos attributes = yes
vfs objects = dfs_samba4 acl_xattr

[netlogon]
path = /var/lib/samba/sysvol/perczelmor.site/scripts
read only = no

[sysvol]
path = /var/lib/samba/sysvol
read only = no

/etc/ldap/ldap.conf:
host 127.0.0.1
base dc=our,dc=site
logdir /var/lib/ldap/log
TLS_REQCERT hard
TLS_CACERT /etc/ssl/certs/cacert.pem

I tried to integrate winbind login into pam according to this: https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto but it didn't work.

Regards,

Tamas.
Your search, that's because of:

ldap server require strong auth (G)   (man smb.conf)

Search over ssl, that helps, or change the above setting. More about that here: https://www.samba.org/samba/latest_news.html#4.4.2

ldapsearch -H ldaps://fqdn.internal.domain.tld:636 -b "dc=our,dc=site" -Y EXTERNAL

What's best, ldap or winbind, I really don't know; I only use winbindd.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Pisch Tamás via samba
> Sent: Thursday 11 August 2016 10:37
> To: samba at lists.samba.org
> Subject: [Samba] after classicupgrade
On Thu, 11 Aug 2016 10:36:57 +0200
Pisch Tamás via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I have Samba 4.2.10 server with NT4 configuration, with ldap backend
> on Debian Jessie, and I want to upgrade it to AD. I test it now in
> virtual environment. The classicupgrade was successful.
> getent passwd username
> and
> chown "username:Domain Users" test.txt
> didn't work with this nsswitch.conf:
> passwd: files ldap
> group: files ldap
> shadow: files ldap
> , so I changed ldap to winbind. Now the two above commands work, but
> the local login delays some seconds. Which nss setup is better: ldap,
> or winbind?

It isn't a case of which is better, it is a case of which will work ;-)
You need to use 'winbind' with AD. You also need to remove 'winbind' from the shadow line.

> Ldap doesn't work perfectly, because I cannot use
> ldapsearch: ldapsearch -xLL -H ldap://localhost:389 -D
> "cn=Administrator,dc=Users,dc=our,dc=site" -b "dc=our,dc=site"
> ldap_bind: Strong(er) authentication required(8)
> additional info: BindSimple: transport encryption required.

This has nothing to do with ldap, there was a rather major update to do with stopping man-in-the-middle attacks, see here: https://www.samba.org/samba/history/samba-4.2.11.html
Yes, I know that's for 4.2.11, but that is what you actually have.
Temporarily, you can set 'ldap server require strong auth = no' in smb.conf whilst reading up on using ssl with your ldap searches.

> smb.conf:
> [global]
> workgroup = OUR
> realm = our.site
> interfaces = lo eth0
> bind interfaces only = yes
> server role = active directory domain controller
> passdb backend = samba_dsdb
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> dns forwarder = 208.67.222.222
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = enabled
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> idmap config our : range = 10000-100000
> idmap config our : backend = ad
> idmap config * : range = 1000000-1999999
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> map archive = no
> map readonly = no
> store dos attributes = yes
> vfs objects = dfs_samba4 acl_xattr
>
> [netlogon]
> path = /var/lib/samba/sysvol/perczelmor.site/scripts
> read only = no
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = no

Can I suggest you remove the lines you added to smb.conf? They will not do anything, or are defaults, or will make things worse. Then add the line I suggested above.

> /etc/ldap/ldap.conf:
> host 127.0.0.1
> base dc=our,dc=site
> logdir /var/lib/ldap/log
> TLS_REQCERT hard
> TLS_CACERT /etc/ssl/certs/cacert.pem
>
> I tried to integrate winbind login into pam according to this:
> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto but it
> didn't work.

If you have these packages installed: libpam-krb5 libpam-winbind libnss-winbind
You shouldn't have to do anything else.

Rowland
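As an added illustration (not code from the thread or from the Samba project), a small Python checker for the two configuration points in Rowland's reply: it parses a constructed smb.conf and nsswitch.conf and flags 'ldap server require strong auth = no' (the temporary workaround, which re-admits unencrypted simple binds) and winbind on the shadow line, plus passwd/group lines that still lack winbind. The sample file contents are made up; the parsers only cover the simple key = value / database: sources syntax seen on this page.

```python
import re
# Constructed sample files (not the poster's real ones): the workaround applied in smb.conf, winbind on every nsswitch line.
SMB_CONF = """\
[global]
    realm = our.site
    server role = active directory domain controller
    ldap server require strong auth = no
"""
NSSWITCH = """\
passwd: files winbind
group:  files winbind
shadow: files winbind
"""

def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lower-cased and whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = re.match(r'\[(.+)\]$', line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif '=' in line and current is not None:
            key, val = line.split('=', 1)
            sections[current][' '.join(key.lower().split())] = val.strip()
    return sections

def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf, ignoring comments."""
    lines = (l.split('#', 1)[0] for l in text.splitlines())
    return {n.strip(): s.split() for n, s in (l.split(':', 1) for l in lines if ':' in l)}

def audit(smb_conf_text, nsswitch_text):
    """Return a list of findings; an empty list means both files pass."""
    findings = []
    g = parse_smb_conf(smb_conf_text).get('global', {})
    nss = parse_nsswitch(nsswitch_text)
    # Samba 4.2.11+ defaults this to yes; 'no' re-admits plaintext simple binds.
    if g.get('ldap server require strong auth', 'yes').lower() in ('no', 'false', '0'):
        findings.append('smb.conf: ldap server require strong auth = no (use ldaps:// or a SASL bind instead)')
    for name in ('passwd', 'group'):
        if 'winbind' not in nss.get(name, []):
            findings.append(f'nsswitch.conf: {name} line lacks winbind')
    if 'winbind' in nss.get('shadow', []):
        findings.append('nsswitch.conf: remove winbind from the shadow line')
    return findings
```

Running audit() on the real files (read from /etc/samba/smb.conf and /etc/nsswitch.conf) after the upgrade, and again after reverting the workaround, shows the list shrinking to empty.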
> If you have these packages installed: libpam-krb5 libpam-winbind
> libnss-winbind
> You shouldn't have to do anything else.
>
> Rowland

Yes, one thing you need to do after the package install.
Run: pam-auth-update
;-)

Greetz,
On Thu, 11 Aug 2016 11:36:46 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> > If you have these packages installed: libpam-krb5 libpam-winbind
> > libnss-winbind
> > You shouldn't have to do anything else.
> >
> > Rowland
>
> Yes, one thing you need to do after the package install.
> Run: pam-auth-update
> ;-)
>
> Greetz,

Why? I never do and everything just works ;-)

Rowland
You're a lucky man. I always do it, because I noticed it sometimes didn't do it automatically, and running it does not hurt.
That sometimes happens when you install/remove/install again.

Gr.

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Thursday 11 August 2016 11:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] after classicupgrade