Kyle Manel
2016-Aug-26 15:11 UTC
[Samba] Configuration of smb.conf for Active Directory authentication
I've completed the configuration specified, and the command 'wbinfo
-g' provides a list of the groups available and 'wbinfo -u' provides
a list of all the users on the system, but I cannot access the shares. When I
navigate a file explorer to \\ip.ad.dre.ss I am presented with a login screen,
which I cannot log into with my ID: 'The user name or password is
incorrect'.
I suspect an issue with my idmap configuration:
[global]
netbios name = FILESERVER-001
security = ADS
workgroup = SUBDOMAIN
realm = SUBDOMAIN.DOMAIN.COM
log file = /var/log/samba/%m.log
log level = 1
idmap config CORP: backend = ad
idmap config CORP: schema_mode = rfc2307
idmap config CORP: range = 1000-9999999999
idmap uid = 50-9999999999
idmap gid = 50-9999999999
winbind nss info = rfc2307
allow dns updates = nonsecure
[public]
path = /srv/samba/share
available = yes
read only = no
browsable = yes
public = yes
guest ok = yes
writable = yes
Regards,
Kyle
-----Original Message-----
From: Michael A Weber [mailto:mweber.subscriptions01 at gmail.com]
Sent: Wednesday, August 24, 2016 5:21 PM
To: Kyle Manel <Kyle.Manel at inbaytech.com>
Cc: samba at lists.samba.org
Subject: Re: [Samba] Configuration of smb.conf for Active Directory
authentication
Kyle—
Keep it simple and follow the guide you linked, and Rowland’s rid
recommendation, and you’ll be set.
Mike
> On Aug 24, 2016, at 3:04 PM, Kyle Manel via samba <samba at
lists.samba.org> wrote:
>
> I've been working through a guide documenting how to do this at
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member and am
presently deciphering what needs I have in my winbind configuration.
> In doing so, I've come across the 'passdb backend = ldapsam'
option and am curious if I can use this, and if it is wise, identifying that key
exchange is complex and a vulnerability at times, but it does provide no local
storage of pw either, which may be a greater vulnerability.
>
> Any insight into this, or if this passdb option even works as I
> believe it to would be valuable to me, Kyle
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2016-Aug-26 15:51 UTC
[Samba] Configuration of smb.conf for Active Directory authentication
See inline comments.
On Fri, 26 Aug 2016 15:11:25 +0000
Kyle Manel via samba <samba at lists.samba.org> wrote:
> I've completed the configuration specified,
No you haven't
> and the command 'wbinfo
> -g' provides a list of the groups available and 'wbinfo -u' provides
> a list of all the users on the system, but I cannot access the
> shares; When I navigate a file explorer to \\ip.ad.dre.ss I am
> presented with a login screen, which I cannot log into with my ID;
> 'The user name or password is incorrect'
>
> I suspect an issue with my idmap configuration:
>
> [global]
> netbios name = FILESERVER-001
> security = ADS
> workgroup = SUBDOMAIN
> realm = SUBDOMAIN.DOMAIN.COM
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config CORP: backend = ad
> idmap config CORP: schema_mode = rfc2307
> idmap config CORP: range = 1000-9999999999
I thought you were advised to use the 'rid' backend
> idmap uid = 50-9999999999
> idmap gid = 50-9999999999
Why have you also added the deprecated 'idmap uid' & 'idmap gid' lines,
they are not on the domain member wiki page.
> winbind nss info = rfc2307
You don't use the above line with the 'rid' backend
>
> allow dns updates = nonsecure
>
> [public]
> path = /srv/samba/share
> available = yes
> read only = no
> browsable = yes
> public = yes
> guest ok = yes
> writable = yes
The available line is the default
'read only = no' and 'writable = yes' are the same way of saying the
same thing, you do not need both.
'browsable = yes' is the default.
'public = yes' and 'guest ok = yes' are the same way of saying the
same thing, you do not need both.
Rowland
>
> Regards,
> Kyle
Michael A Weber
2016-Aug-26 16:34 UTC
[Samba] Configuration of smb.conf for Active Directory authentication
> On Aug 26, 2016, at 10:51 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> See inline comments.
>
> On Fri, 26 Aug 2016 15:11:25 +0000
> Kyle Manel via samba <samba at lists.samba.org> wrote:
>
>> I've completed the configuration specified,
>
> No you haven't
>
>> and the command 'wbinfo
>> -g' provides a list of the groups available and 'wbinfo -u' provides
>> a list of all the users on the system, but I cannot access the
>> shares; When I navigate a file explorer to \\ip.ad.dre.ss I am
>> presented with a login screen, which I cannot log into with my ID;
>> 'The user name or password is incorrect'
>>
>> I suspect an issue with my idmap configuration:
>>
>> [global]
>> netbios name = FILESERVER-001
>> security = ADS
>> workgroup = SUBDOMAIN
>> realm = SUBDOMAIN.DOMAIN.COM
>>
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> idmap config CORP: backend = ad
>> idmap config CORP: schema_mode = rfc2307
>> idmap config CORP: range = 1000-9999999999
>
> I thought you were advised to use the 'rid' backend
>
>> idmap uid = 50-9999999999
>> idmap gid = 50-9999999999
>
> Why have you also added the deprecated 'idmap uid' & 'idmap gid' lines,
> they are not on the domain member wiki page.
>
>> winbind nss info = rfc2307
>
> You don't use the above line with the 'rid' backend
>
>>
>> allow dns updates = nonsecure
>>
>> [public]
>> path = /srv/samba/share
>> available = yes
>> read only = no
>> browsable = yes
>> public = yes
>> guest ok = yes
>> writable = yes
>
> the available line is the default
> 'read only = no' and 'writable = yes' are the same way of saying the
> same thing, you do not need both.
> 'browsable = yes' is the default.
> 'public = yes' and 'guest ok = yes' are the same way of saying the
> same thing, you do not need both.
>
> Rowland
>
>>
>> Regards,
>> Kyle
Rowland—
I’m curious… if Kyle didn’t set the permissions on the share, and the ID he’s using to attempt to access them did not have permission to access, would the login prompt tell him “access denied,” or would it just present itself saying ‘incorrect id/password’? I seem to recall trying to access a share on a Mac from a Windows machine and it just telling me my username/pw were wrong rather than telling me I don’t have access.
Kyle—
Are you able to use the Computer Management tool to access your new samba file server and its shares, and set permissions on them? Also, if you joined it to the domain, you should be able to see it in your AD DNS as well as access it by host name rather than IP address.
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#Setup_share_permissions_.28optional.29
Mike
Kyle Manel
2016-Aug-26 19:42 UTC
[Samba] Configuration of smb.conf for Active Directory authentication
Thanks for the feedback.
With the modifications you specified I have this smb.conf; however, it cannot be
accessed:
"
[global]
netbios name = FILESERVER-001
security = ADS
workgroup = CORP
realm = CORP.INBAYTECH.COM
log file = /var/log/samba/%m.log
log level = 1
idmap config *: backend = tdb
idmap config *: range = 2000-9999
idmap config CORP: backend = rid
idmap config CORP: schema_mode = rfc2307
idmap config CORP: range = 1000-9999999999
template shell = /sbin/bash
template homedir = /home/%U
[public]
path = /srv/samba/share
public = yes
guest ok = yes
writable = yes
"
As for your question:
"Why have you also added the deprecated 'idmap uid' &
'idmap gid' lines, they are not on the domain member wiki page."
-NOTE: line 108 of
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
stipulates:
'# Just adding the following three lines is not enough!!'
-I apologize; without further instruction I chose to access the wiki and
documentation:
https://wiki.samba.org/index.php/Idmap_config_rid and
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2606596
-The latter specifies IDMAP_RID with WinBind and specifies the idmap uid and
gid as global parameters alongside this construct; You have now identified them
as deprecated.
-If there was some expectation of using RID exclusively, I did not read it as
such, my apologies.
{Now: -removed (as above)-}
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
via samba
Sent: Friday, August 26, 2016 11:51 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Configuration of smb.conf for Active Directory
authentication
See inline comments.
On Fri, 26 Aug 2016 15:11:25 +0000
Kyle Manel via samba <samba at lists.samba.org> wrote:
> I've completed the configuration specified,
No you haven't
> and the command 'wbinfo
> -g' provides a list of the groups available and 'wbinfo -u'
> provides a
> list of all the users on the system, but I cannot access the shares;
> When I navigate a file explorer to \\ip.ad.dre.ss I am presented with
> a login screen, which I cannot log into with my ID; 'The user name or
> password is incorrect'
>
> I suspect an issue with my idmap configuration:
>
> [global]
> netbios name = FILESERVER-001
> security = ADS
> workgroup = SUBDOMAIN
> realm = SUBDOMAIN.DOMAIN.COM
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config CORP: backend = ad
> idmap config CORP: schema_mode = rfc2307
> idmap config CORP: range = 1000-9999999999
I thought you were advised to use the 'rid' backend
> idmap uid = 50-9999999999
> idmap gid = 50-9999999999
Why have you also added the deprecated 'idmap uid' & 'idmap
gid' lines, they are not on the domain member wiki page.
> winbind nss info = rfc2307
You don't use the above line with the 'rid' backend
>
> allow dns updates = nonsecure
>
> [public]
> path = /srv/samba/share
> available = yes
> read only = no
> browsable = yes
> public = yes
> guest ok = yes
> writable = yes
the available line is the default
'read only = no' and 'writable = yes' are the same way of saying
the same thing, you do not need both.
'browsable = yes' is the default.
'public = yes' and 'guest ok = yes' are the same way of saying
the same thing, you do not need both.
Rowland
>
> Regards,
> Kyle
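As an added example (not code from this thread and not part of Samba; Samba's own checker is testparm), the script below is a small offline linter that applies the points Rowland raised to an smb.conf: the deprecated 'idmap uid'/'idmap gid' lines, 'winbind nss info = rfc2307' and schema_mode combined with the rid backend, and the redundant share synonyms and defaults. It also checks that the 'idmap config *' range does not overlap the domain range, a further problem visible in Kyle's revised config (2000-9999 inside 1000-9999999999), and that the workgroup has its own idmap block. The two embedded configs are Kyle's from this thread, trimmed to the lines discussed; the parser, the wording of the findings and the overlap and guest-access checks are my own assumptions.

```python
"""Offline lint for the smb.conf mistakes discussed in this thread.
Added example, not Samba code: parses [global]/[share] sections and
reports the findings a reviewer would raise on a domain-member config."""
import re
from typing import Dict, List, Optional, Tuple

Section = Dict[str, str]


def parse_smb_conf(text: str) -> Dict[str, Section]:
    """Minimal smb.conf parser: '[section]' headers and 'key = value' lines.
    Keys are lower-cased with whitespace collapsed, mirroring Samba's own
    case- and space-insensitive parameter matching."""
    sections: Dict[str, Section] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            current = head.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections


def parse_range(value: str) -> Optional[Tuple[int, int]]:
    """'LOW-HIGH' -> (LOW, HIGH); None when malformed or inverted."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m or int(m.group(1)) > int(m.group(2)):
        return None
    return int(m.group(1)), int(m.group(2))


def lint_smb_conf(text: str) -> List[str]:
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    out: List[str] = []
    # Deprecated global parameters, replaced by 'idmap config DOMAIN : range'.
    for key in ("idmap uid", "idmap gid"):
        if key in g:
            out.append(f"global: '{key}' is deprecated; use 'idmap config DOMAIN : range'")
    # Gather 'idmap config DOMAIN : option' lines into a per-domain table.
    idmap: Dict[str, Section] = {}
    for key, value in g.items():
        m = re.match(r"^idmap config (.+?)\s*:\s*(.+)$", key)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2)] = value
    if "backend" not in idmap.get("*", {}):
        out.append("global: missing 'idmap config * : backend' default mapping")
    wg = g.get("workgroup", "").lower()
    if wg and wg not in idmap:  # the idmap domain must be the workgroup (NetBIOS) name
        out.append(f"global: workgroup '{wg}' has no 'idmap config {wg} : ...' block")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in idmap.items():
        backend = opts.get("backend", "").lower()
        rng = parse_range(opts["range"]) if "range" in opts else None
        if rng is None:
            out.append(f"global: idmap config {dom}: range missing or not LOW-HIGH")
        else:
            ranges[dom] = rng
        if backend == "rid":
            if "schema_mode" in opts:  # schema_mode is an idmap_ad option; idmap_rid ignores it
                out.append(f"global: idmap config {dom}: schema_mode only applies to the ad backend")
            if g.get("winbind nss info", "").lower() == "rfc2307":
                out.append("global: 'winbind nss info = rfc2307' is not used with the rid backend")
    # Ranges of different idmap domains must not overlap, or IDs would clash.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                out.append(f"global: idmap ranges for '{a}' ({alo}-{ahi}) and '{b}' ({blo}-{bhi}) overlap")
    # Share-level redundancy (Rowland's points) and a guest-access note.
    for name, share in conf.items():
        if name == "global":
            continue
        for key in ("available", "browsable", "browseable"):
            if share.get(key, "").lower() == "yes":
                out.append(f"[{name}]: '{key} = yes' is the default")
        if "public" in share and "guest ok" in share:
            out.append(f"[{name}]: 'public' and 'guest ok' are the same parameter; keep one")
        if "read only" in share and ("writable" in share or "writeable" in share):
            out.append(f"[{name}]: 'read only' and 'writable' say the same thing; keep one")
        if any(share.get(k, "").lower() == "yes" for k in ("guest ok", "public")):
            out.append(f"[{name}]: guest access enabled; the share does not require AD credentials")
    return out


# Kyle's two configs from this thread, trimmed to the lines under discussion.
ORIGINAL_CONF = """
[global]
netbios name = FILESERVER-001
security = ADS
workgroup = SUBDOMAIN
realm = SUBDOMAIN.DOMAIN.COM
idmap config CORP: backend = ad
idmap config CORP: schema_mode = rfc2307
idmap config CORP: range = 1000-9999999999
idmap uid = 50-9999999999
idmap gid = 50-9999999999
winbind nss info = rfc2307
[public]
path = /srv/samba/share
available = yes
read only = no
browsable = yes
public = yes
guest ok = yes
writable = yes
"""
REVISED_CONF = """
[global]
netbios name = FILESERVER-001
security = ADS
workgroup = CORP
realm = CORP.INBAYTECH.COM
idmap config *: backend = tdb
idmap config *: range = 2000-9999
idmap config CORP: backend = rid
idmap config CORP: schema_mode = rfc2307
idmap config CORP: range = 1000-9999999999
[public]
path = /srv/samba/share
public = yes
guest ok = yes
writable = yes
"""

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("revised", REVISED_CONF)):
        print(f"== {label} ==")
        for finding in lint_smb_conf(conf):
            print(" -", finding)
```

Running it lists nine findings for the original config and four for the revised one; the overlap finding is the one to act on first, since winbind allocates the default ('*') and CORP ranges independently and they must be disjoint. The script only reads the file, so it can be run against a copy of smb.conf before testparm and before restarting winbind.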