Kyle Manel
2016-Aug-25 15:29 UTC
[Samba] Configuring Samba as a file server to use AD authentication
Thanks for the information,

I am unclear how to implement the winbind 'rid' backend. I've identified that winbindd is not operating on my demo server (fresh installation of Ubuntu 16), and am looking for some assistance if possible.

1] 'apt-get install winbind' informs me that the package is already installed (v4.3.9), yet it is not operating;

2] Lsof -Pnl +M -i4 provides:

root@smb-srv:/home/inbay# lsof -Pnl +M -i4
COMMAND    PID USER  FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient  2976    0  6u IPv4  20143      0t0  UDP *:68
lwsmd     3217    0 17u IPv4  59606      0t0  TCP 10.10.40.164:35156->10.10.20.93:445 (ESTABLISHED)
lwsmd     3231    0 24u IPv4  64193      0t0  TCP 10.10.40.164:40020->10.10.20.92:3268 (ESTABLISHED)
lwsmd     3231    0 26u IPv4  64244      0t0  TCP 10.10.40.164:46136->10.10.20.93:389 (ESTABLISHED)
lwsmd     3231    0 32u IPv4  64190      0t0  TCP 10.10.40.164:46130->10.10.20.93:389 (ESTABLISHED)
sshd      9140    0  3u IPv4  37379      0t0  TCP *:22 (LISTEN)
nmbd     28134    0 16u IPv4  62715      0t0  UDP *:137
nmbd     28134    0 17u IPv4  62716      0t0  UDP *:138
nmbd     28134    0 18u IPv4  62718      0t0  UDP 10.10.40.164:137
nmbd     28134    0 19u IPv4  62719      0t0  UDP 10.10.40.255:137
nmbd     28134    0 20u IPv4  62720      0t0  UDP 10.10.40.164:138
nmbd     28134    0 21u IPv4  62721      0t0  UDP 10.10.40.255:138
smbd     28247    0 37u IPv4  63448      0t0  TCP *:445 (LISTEN)
smbd     28247    0 38u IPv4  63449      0t0  TCP *:139 (LISTEN)
sshd     28317    0  3u IPv4  63824      0t0  TCP 10.10.40.164:22->10.10.40.178:65205 (ESTABLISHED)
sshd     28397 1000  3u IPv4  63824      0t0  TCP 10.10.40.164:22->10.10.40.178:65205 (ESTABLISHED)

3] To start winbindd I visited this site https://ubuntuforums.org/showthread.php?t=1865647 which informed to run 'net ads join -U administrator' with my own id, which returns:

'Joined 'SMB-SRV-001' to dns domain 'domain'
No DNS domain configured for SMB-SRV. Unable to perform DNS update.
DNS update failed: NT_STATUS_INVALID_PARAMETER'

Upon review of the [3] winbindd is still not implemented, and I would like to know how to get it running, as from my understanding it is part of the samba package, and I will require it.

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Wednesday, August 24, 2016 2:54 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Configuring Samba as a file server to use AD authentication

On Tue, 23 Aug 2016 21:58:43 +0000 Kyle Manel via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I am attempting to install Samba as a file server within an Active
> Directory domain to use the AD server for group authentication. I have
> worked through various guides, but all leave me unable to authenticate
> into the samba shares using my organization's existing user groups in
> Active Directory. I need the following configuration:
>
> Share - users : description
> Admin - Admin : This share is exclusive to its user group
> Media - media users : This share is exclusive to its user group and the Admin group
> Junk - all users : This share is accessible to everyone
>
> There are 3 different user groups that will be using this server,
> Admin, Media and Everyone.
>
> I have a Microsoft Active Directory Server (2012R2) operating as my AD
> server, and an Ubuntu server operating for Samba.
>
> I would like:
> users to be authenticated each access to the share, the process of
> adding/removing users to be done by the AD server.

Because you are using 2012R2 it will be a little harder, but it should be do-able. See here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Because of 2012R2 (no IDMU), you will need to use the winbind 'rid' backend.

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2016-Aug-25 16:05 UTC
[Samba] Configuring Samba as a file server to use AD authentication
On Thu, 25 Aug 2016 15:29:46 +0000 Kyle Manel via samba <samba at lists.samba.org> wrote:

> Thanks for the information,
>
> I am unclear how to implement the winbind 'rid' backend. I've
> identified that winbindd is not operating on my demo server (fresh
> installation of Ubuntu 16), and am looking for some assistance if
> possible.
>
> 1] 'apt-get install winbind' informs me that the package is already
> installed (v4.3.9), yet it is not operating;
>
> 2] Lsof -Pnl +M -i4 provides:
>
> root@smb-srv:/home/inbay# lsof -Pnl +M -i4
> COMMAND    PID USER  FD TYPE DEVICE SIZE/OFF NODE NAME
> dhclient  2976    0  6u IPv4  20143      0t0  UDP *:68
> lwsmd     3217    0 17u IPv4  59606      0t0  TCP 10.10.40.164:35156->10.10.20.93:445 (ESTABLISHED)
> lwsmd     3231    0 24u IPv4  64193      0t0  TCP 10.10.40.164:40020->10.10.20.92:3268 (ESTABLISHED)
> lwsmd     3231    0 26u IPv4  64244      0t0  TCP 10.10.40.164:46136->10.10.20.93:389 (ESTABLISHED)
> lwsmd     3231    0 32u IPv4  64190      0t0  TCP 10.10.40.164:46130->10.10.20.93:389 (ESTABLISHED)
> sshd      9140    0  3u IPv4  37379      0t0  TCP *:22 (LISTEN)
> nmbd     28134    0 16u IPv4  62715      0t0  UDP *:137
> nmbd     28134    0 17u IPv4  62716      0t0  UDP *:138
> nmbd     28134    0 18u IPv4  62718      0t0  UDP 10.10.40.164:137
> nmbd     28134    0 19u IPv4  62719      0t0  UDP 10.10.40.255:137
> nmbd     28134    0 20u IPv4  62720      0t0  UDP 10.10.40.164:138
> nmbd     28134    0 21u IPv4  62721      0t0  UDP 10.10.40.255:138
> smbd     28247    0 37u IPv4  63448      0t0  TCP *:445 (LISTEN)
> smbd     28247    0 38u IPv4  63449      0t0  TCP *:139 (LISTEN)
> sshd     28317    0  3u IPv4  63824      0t0  TCP 10.10.40.164:22->10.10.40.178:65205 (ESTABLISHED)
> sshd     28397 1000  3u IPv4  63824      0t0  TCP 10.10.40.164:22->10.10.40.178:65205 (ESTABLISHED)
>
> 3] To start winbindd I visited this site
> https://ubuntuforums.org/showthread.php?t=1865647 which informed to
> run 'net ads join -U administrator' with my own id, which returns:
>
> 'Joined 'SMB-SRV-001' to dns domain 'domain'
> No DNS domain configured for SMB-SRV. Unable to perform DNS update.
> DNS update failed: NT_STATUS_INVALID_PARAMETER'
>
> Upon review of the [3] winbindd is still not implemented, and I would
> like to know how to get it running, as from my understanding it is
> part of the samba package, and I will require it.

Firstly, can I make a recommendation, forget Ubuntu forums, read the Samba wiki or ask here instead ;-)

Just joining a machine to the domain will not start winbind, this is just like any of the Samba binaries, it needs to be started by whatever your OS uses to start programs.

I think the problem is that Debian uses a script called 'samba', this starts two other scripts 'smbd' and 'nmbd', it does not start winbind. I think if you look, you will find there is another script called 'winbind', guess what this does? ;-)

Do whatever you do to start samba, but replace 'samba' with 'winbind', it should then start. I haven't a clue how you start packages on Ubuntu now, I don't use it. You could always reboot the server, just like the person in your link did, this is what started winbind, not the join.

Rowland
Michael A Weber
2016-Aug-25 16:15 UTC
[Samba] Configuring Samba as a file server to use AD authentication
> On Aug 25, 2016, at 10:29 AM, Kyle Manel via samba <samba at lists.samba.org> wrote:
>
> No DNS domain configured for

Kyle—

For rid, check out this:

https://wiki.samba.org/index.php/Idmap_config_rid

There is an example section of the additional lines to smb.conf you’ll need, but keep in mind that you’ll need to change them to meet your needs i.e. the ranges will need to be specified for your needs. Also, in the config for domain SAMDOM, you need to change the SAMDOM domain to your actual domain. The template settings for login shell and home directory are for your unix machines so that AD users may log into unix workstations, if needed.

For your DNS issue, make sure your file server’s hosts file at /etc/hosts includes your file server’s IP address and hostname, like this:

192.168.0.10 FILESERV01 FILESERV01.my.domain.tld

of course replacing the IP address with your server’s IP address, and the host names with the correct host name and domain. I’m not certain it’s required, but much of what goes on in AD seems to use an all-capital letters host name, like I’ve shown above, so I recommend doing that as well.

Finally, you have to change the hostname specified in the file /etc/hostname on your fileserver, and then I would net ads leave the domain, and rejoin, and you should be good.

Be sure as well that your file server is set to use the DNS as provided by the AD server you have. That is, in a terminal, enter nslookup and type server followed by <enter> and see what server IP address it returns to you. It should be your AD DC. To get out of nslookup, type exit followed by <enter> and you’re back out.

Good luck!

Mike
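
The smb.conf settings the replies above point to, written out as an added example (not taken from any poster's message): a domain member using the winbind 'rid' backend, with the three shares from the original request. SAMDOM, the realm, the ID ranges, the share paths and the use of 'Domain Users' for "all users" are assumptions to replace with your own values.

```ini
# Added example; SAMDOM, SAMDOM.EXAMPLE.COM, the ranges and /srv/samba/*
# are placeholders. smb.conf has no trailing comments: a '#' after a value
# becomes part of the value, so every comment sits on its own line.
[global]
    security = ads
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM

    # Default mapping for BUILTIN and anything outside SAMDOM.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # 'rid' derives the Unix ID from the RID (low end of range + RID), so
    # no RFC2307/IDMU attributes are needed in AD. The range must not
    # overlap the default range above, and changing it after files exist
    # changes who owns them.
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

    # Only used when AD users log in to this Unix host itself.
    template shell = /bin/bash
    template homedir = /home/%U

# 'valid users' controls who may connect to the share; the directory's
# filesystem permissions must allow the same groups.
[Admin]
    path = /srv/samba/admin
    read only = no
    valid users = @"SAMDOM\Admin"

[Media]
    path = /srv/samba/media
    read only = no
    valid users = @"SAMDOM\Media", @"SAMDOM\Admin"

[Junk]
    path = /srv/samba/junk
    read only = no
    valid users = @"SAMDOM\Domain Users"
```

Run `testparm` to check the file for syntax errors; once winbindd is running, `wbinfo -g` should list the domain groups named in the shares.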
Kyle Manel
2016-Aug-25 18:03 UTC
[Samba] Configuring Samba as a file server to use AD authentication
Fair point on Ubuntu. Though, there is no value added by mentioning that as I am already seeking help here. :-) What I was searching for was 'how to start winbindd' which doesn't provide any valuable excerpts beyond that. Upon rebooting the machine winbindd is not operating all the same however, so I am puzzled why this is an issue for me.