Hi

Thanks for the feedback.

I currently have 3 production domains.
- MYDOMAIN.COM is a production Windows 2008 domain used to support MS Exchange (but not file sharing.)
- TECH - Samba3 "classic" domain with unix domain controllers that supports most users for authentication and file sharing. The DC machines are both Samba domains (for Windows clients) and KRB/LDAP servers for Linux clients.
- SALES - Small Win 2008 AD domain for a separate group.

I want to eventually build a TECH.MYDOMAIN.COM domain as a child domain of MYDOMAIN.COM and migrate computers from the "classic" TECH domain to the new TECH.MYDOMAIN.COM. I will want to preserve user ID numbers as much as possible. Some of the user accounts go back 15 years in the production TECH domain, when local service accounts didn't go over uidNumber 100. For the moment I am just testing machines in the parent domain rather than add too many variables upfront.

"winbind nss info = templater" was a typo, I did try "winbind nss info = templates"

I fixed nsswitch.conf

I think I had krb.conf set up properly with realm before joining the domain.

# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = MYDOMAIN.COM

[realms]
 MYDOMAIN.COM = {
  kdc = pdc.mydomain.com
  admin_server = pdc.mydomain.com
 }

[domain_realm]
 mydomain.com = MYDOMAIN.COM
 .mydomain.com = MYDOMAIN.COM
#

But to be safe I did rejoin the domain

# net ads join -U administrator -S pdc.mydomain.com
Enter administrator's password:
Using short domain name -- MYDOMAIN
Joined 'LINUX1' to dns domain 'mydomain.com'
#

# net ads testjoin
Join is OK
#

Set a uidNumber of 1000 for one of the user accounts and updated the idmap range for MYDOMAIN to be from 100-1999.

Still no luck.
Kinit indicates the machine account does exist

# kinit linux1
Password for linux1 at MYDOMAIN.COM: ^C

Since mapping for the child domain is working it indicates that the idmap_tdb backend is OK and that the problem may be with idmap_ad ?

# smbd -b
....
--with Options:
   WITH_ADS
   WITH_AUTOMOUNT
   WITH_DNS_UPDATES
   WITH_PAM
   WITH_PAM_MODULES
   WITH_PROFILE
   WITH_PTHREADPOOL
   WITH_QUOTAS
   WITH_SENDFILE
   WITH_SYSLOG
   WITH_WINBIND
...
Builtin modules:
   vfs_posixacl auth_sam auth_winbind auth_domain auth_builtin vfs_default nss_info_template idmap_tdb idmap_passdb idmap_nss idmap_ldap
#

Build Options:
...
   auth_netlogond_init
   auth_samba4_init
   auth_script_init
   auth_server_init
   auth_unix_init
   auth_wbc_init
   idmap_ad_init
   idmap_adex_init
   idmap_autorid_init
   idmap_hash_init
   idmap_rfc2307_init
   idmap_rid_init
   idmap_script_init
   idmap_tdb2_init
....

I could presumably use idmap_ldap to maintain a consistent mapping across machines. Since file servers serve users from both Windows and Unix systems, it is important to make sure that the uidNumbers and gidNumbers are consistent across machines and between Unix and Samba.

I am a little hesitant to try recompiling samba because then I am not sure if nsswitch is calling the correct winbind files.

Thanks

On 09/20/16 04:49, Rowland Penny via samba wrote:
> See inline comments:
>
> On Mon, 19 Sep 2016 17:36:05 -0400
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> I am trying to configure idmap_ad on a linux member server (fedora core 23, samba 4.3.11) with a Windows 2008 domain controller. The domain is "MYDOMAIN.COM" with a child domain of "CHILD1.MYDOMAIN.COM." By default those domains trust each other.
>>
>> The MYDOMAIN PDC has the unix identity mapping feature installed, so I can use "active directory users and computers" to set unix uidNumbers and gidNumbers (which start at 100.) I have set uidNumbers for some users but not others. I have not set up unix identity mapping on the child domain.
> This may be your problem, why are you using 100-900 ? standard Unix users start at 1000, BUILTIN and anything outside the domain is using 2000-9999, so why not use IDs starting at 10000 ???
>
> Have you also given Domain Users a gidNumber ??
>
>> The partial smb.conf is
>>
>> security = ads
>> workgroup = MYDOMAIN
>> netbios name = LINUX1
>> realm = MYDOMAIN.COM
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> idmap config MYDOMAIN:backend = ad
>> idmap config MYDOMAIN:schema_mode = rfc2307
>> idmap config MYDOMAIN:range = 100-900
>>
>> winbind nss info = rfc2307
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>> I did need to fix a symlink since samba was looking for some libraries in the wrong place
>>
>> # ln -s /usr/lib64/ldb /usr/lib64/samba/ldb
>>
>> I was able to join the domain
>>
>> # net ads join -U administrator -S pdc.mydomain.com
>>
>> I set /etc/krb5.conf to point to the domain controllers as the kerberos server (although I don't think this is necessary at this stage.)
> You needed this set up before you joined the domain and it should point to the realm.
>
>> the "wbinfo -u" and "wbinfo -g" show users from the domain.
>>
>> I updated /etc/nsswitch.conf to include winbind
>>
>> passwd: files sss winbind
>> shadow: files sss winbind
> I would suggest removing 'sss' if you are not using it, also remove 'winbind' from the shadow line and putting it on the group line.
>
>> (sssd daemon is not enabled.)
>>
>> The "getent passwd" command does NOT show users from MYDOMAIN. The weird thing is that it does show users from the child domain.
> Well, it would, they are getting mapped because they are not in your domain.
>
>> CHILD1\administrator:*:2000:2004:Administrator:/home/CHILD1/administrator:/bin/false
>> CHILD1\guest:*:2001:2005:Guest:/home/CHILD1/guest:/bin/false
>> CHILD1\krbtgt:*:2002:2004:krbtgt:/home/CHILD1/krbtgt:/bin/false
>> CHILD1\bobsmith:*:2003:2004:Bob Smith:/home/CHILD1/bobsmith:/bin/false
>> CHILD1\mydomain$:*:2004:2004:MYDOMAIN$:/home/CHILD1/ssci_:/bin/false
>>
>> I tried the following settings with no luck
>>
>> winbind nss info = templater
> I take it that is a typo and should have been 'template' and all that does (if using the 'ad' backend) is just use uidNumber & gidNumber attributes.
>
>> idmap config MYDOMAIN:schema_mode = sfu
> If using 'ad' backend, just stick to 'schema_mode = rfc2307'
>
>> winbind use default domain = yes
> This just removes the domain name from user & groupnames.
>
>> The "testparm -v | grep domain" gives the following
>>
>> allow trusted domains = Yes
>> map untrusted to domain = No
>> domain logons = No
>> domain master = Auto
>> winbind use default domain = No
>> winbind trusted domains only = No
>> winbind max domain connections = 1
>>
>> FYI I do have another linux machine, not running samba, that is configured to use LDAP/Kerberos authentication against the same domain controller so I am pretty sure the unix attributes are set up correctly.
>>
>> Appreciate any help.
> It might well do, but winbind works differently, see here for more info:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Rowland
>
On Tue, 20 Sep 2016 09:00:23 -0400
Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
> Hi
>
> Thanks for the feedback.
>
> I currently have 3 production domains.
> - MYDOMAIN.COM is a production Windows 2008 domain used to support MS Exchange (but not file sharing.)
> - TECH - Samba3 "classic" domain with unix domain controllers that supports most users for authentication and file sharing. The DC machines are both Samba domains (for Windows clients) and KRB/LDAP servers for Linux clients.

You could probably use the 'classicupgrade' tool to upgrade your NT4-style domain, apart from the fact that you want to change the domain name.

> - SALES - Small Win 2008 AD domain for a separate group.
>
> I want to eventually build a TECH.MYDOMAIN.COM domain as a child domain of MYDOMAIN.COM and migrate computers from the "classic" TECH domain to the new TECH.MYDOMAIN.COM.

Child domains do not work (yet), unless I missed something ;-)
This shouldn't really be a problem, just set up a new Samba AD domain and then import your users.

> I will want to preserve user ID numbers as much as possible. Some of the user accounts go back 15 years in the production TECH domain, when local service accounts didn't go over uidNumber 100.

That explains the low numbers, but perhaps it might be better to bite the bullet and start afresh.

> For the moment I am just testing machines in the parent domain rather than add too many variables upfront.
>
> "winbind nss info = templater" was a typo, I did try "winbind nss info = templates"
>

The smb.conf on the wiki page I pointed you at does work, so if you are still having problems, can I suggest you post your test smb.conf.

> I fixed nsswitch.conf
>
> I think I had krb.conf set up properly with realm before joining the domain.
>
> # cat /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  dns_lookup_realm = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>  rdns = false
>  default_realm = MYDOMAIN.COM
>
> [realms]
>  MYDOMAIN.COM = {
>   kdc = pdc.mydomain.com
>   admin_server = pdc.mydomain.com
>  }
>
> [domain_realm]
>  mydomain.com = MYDOMAIN.COM
>  .mydomain.com = MYDOMAIN.COM
> #
>

This is mine, from the machine I am typing this on:

[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

> But to be safe I did rejoin the domain
>
> # net ads join -U administrator -S pdc.mydomain.com
> Enter administrator's password:
> Using short domain name -- MYDOMAIN
> Joined 'LINUX1' to dns domain 'mydomain.com'
> #
>
> # net ads testjoin
> Join is OK
> #
>
> Set a uidNumber of 1000 for one of the user accounts and updated the idmap range for MYDOMAIN to be from 100-1999.
>
> Still no luck.
>

How have you installed samba ? It is possible you now have a PAM problem

> Kinit indicates the machine account does exist
>
> # kinit linux1
> Password for linux1 at MYDOMAIN.COM: ^C
>
> Since mapping for the child domain is working it indicates that the idmap_tdb backend is OK and that the problem may be with idmap_ad ?
>
> # smbd -b
> ....
> --with Options:
>    WITH_ADS
>    WITH_AUTOMOUNT
>    WITH_DNS_UPDATES
>    WITH_PAM
>    WITH_PAM_MODULES
>    WITH_PROFILE
>    WITH_PTHREADPOOL
>    WITH_QUOTAS
>    WITH_SENDFILE
>    WITH_SYSLOG
>    WITH_WINBIND
> ...
> Builtin modules:
>    vfs_posixacl auth_sam auth_winbind auth_domain auth_builtin vfs_default nss_info_template idmap_tdb idmap_passdb idmap_nss idmap_ldap
> #
>
> Build Options:
> ...
>    auth_netlogond_init
>    auth_samba4_init
>    auth_script_init
>    auth_server_init
>    auth_unix_init
>    auth_wbc_init
>    idmap_ad_init
>    idmap_adex_init
>    idmap_autorid_init
>    idmap_hash_init
>    idmap_rfc2307_init
>    idmap_rid_init
>    idmap_script_init
>    idmap_tdb2_init
> ....
>
> I could presumably use idmap_ldap to maintain a consistent mapping across machines. Since file servers serve users from both Windows and Unix systems, it is important to make sure that the uidNumbers and gidNumbers are consistent across machines and between Unix and Samba.

Winbind can do this, it just needs setting up correctly ;-)

> I am a little hesitant to try recompiling samba because then I am not sure if nsswitch is calling the correct winbind files.

It probably wouldn't, but again these would need setting up, read the Samba wiki, all the required info is there.

Rowland
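The thread turns on two idmap details: the "ad" backend only maps an account whose uidNumber (and whose primary group's gidNumber, hence the question about Domain Users) lies inside the "idmap config DOMAIN : range" of that domain, and no two idmap ranges, including the "*" default used for BUILTIN and trusted domains, may overlap. The following script is an added example, not Samba's own tooling and not code from anyone in this thread. It parses only the "idmap config" lines of an smb.conf string and takes the AD attribute values as plain arguments, so it runs offline; the smb.conf texts below are constructed from the one posted in the thread plus a widened range that Rowland's advice (IDs from 10000 upwards) would produce.

```python
"""Offline sanity check of Samba idmap configuration on an AD member server.

Added example, not part of Samba or of this mailing-list thread. Assumptions:
  - only 'idmap config DOM : key = value' lines are parsed from smb.conf
  - uidNumber / gidNumber values are supplied by the caller (e.g. copied from
    the Unix Attributes tab in ADUC); nothing here queries AD or winbind
"""
import re

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

# smb.conf fragment as posted in the thread: MYDOMAIN range 100-900
SMB_CONF_THREAD = """
security = ads
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 100-900
winbind nss info = rfc2307
"""

# constructed variant: a MYDOMAIN range that collides with the '*' default
SMB_CONF_OVERLAP = SMB_CONF_THREAD.replace("100-900", "100-9999")

# constructed variant following the advice to start domain IDs at 10000
SMB_CONF_RECOMMENDED = SMB_CONF_THREAD.replace("100-900", "10000-999999")


def parse_idmap(smb_conf: str) -> dict:
    """Return {domain: {key: value}} for every idmap config line."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = "*" if m["dom"] == "*" else m["dom"].upper()
        cfg.setdefault(dom, {})[m["key"].lower()] = m["val"]
    return cfg


def parse_range(text: str) -> tuple:
    """'100-900' -> (100, 900); reject inverted ranges."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo > hi:
        raise ValueError(f"inverted idmap range {text}")
    return lo, hi


def check_ranges(cfg: dict) -> list:
    """Report a missing '*' default, domains without a range, and overlaps."""
    problems = []
    ranges = {}
    if "*" not in cfg:
        problems.append("no 'idmap config * : range' default mapping")
    for dom, opts in cfg.items():
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        ranges[dom] = parse_range(opts["range"])
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:  # closed intervals intersect
                problems.append(
                    f"ranges of {a} ({a_lo}-{a_hi}) and {b} ({b_lo}-{b_hi}) overlap")
    return problems


def check_user(cfg: dict, domain: str, uid_number, gid_number) -> list:
    """Explain why the 'ad' backend would refuse to map one account.

    uid_number / gid_number are the AD attribute values, or None when unset
    (gid_number is the gidNumber of the user's primary group, e.g. Domain Users).
    """
    dom = domain.upper()
    opts = cfg.get(dom)
    if opts is None or opts.get("backend", "").lower() != "ad":
        return [f"{dom}: no 'backend = ad' stanza, AD uidNumber/gidNumber are ignored"]
    if "range" not in opts:
        return [f"{dom}: backend = ad but no range configured"]
    lo, hi = parse_range(opts["range"])
    problems = []
    for attr, value in (("uidNumber", uid_number), ("gidNumber", gid_number)):
        if value is None:
            problems.append(f"{attr} not set in AD")
        elif not lo <= value <= hi:
            problems.append(f"{attr} {value} outside {dom} range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    for name, text in (("thread", SMB_CONF_THREAD), ("overlap", SMB_CONF_OVERLAP),
                       ("recommended", SMB_CONF_RECOMMENDED)):
        cfg = parse_idmap(text)
        print(name, "ranges:", check_ranges(cfg) or "ok")
        # the account from the thread: uidNumber 1000, primary group without gidNumber
        print(name, "user:", check_user(cfg, "MYDOMAIN", 1000, None) or "ok")
```

With the thread's smb.conf the account given uidNumber 1000 is reported as outside 100-900, and a primary group without a gidNumber is flagged as well; widening the range to 100-9999 is caught as an overlap with the "*" default, while the 10000-999999 variant passes both checks.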
I don't think classic upgrade would work, unless I can make my classic TECH domain become TECH.MYDOMAIN.COM. If I could that would almost be ideal at least to preserve machine accounts if not user accounts.

Actually, I need to preserve the users in the parent domain - I will just move them into the child domains (otherwise all the exchange mailbox stuff will be broken.)

I am envisioning moving user and computer accounts from old domain to new in batches off hours, not all at once, which will require trusts between the domains during the transition.

On 09/20/16 09:30, Rowland Penny via samba wrote:
> On Tue, 20 Sep 2016 09:00:23 -0400
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> Hi
>>
>> Thanks for the feedback.
>>
>> I currently have 3 production domains.
>> - MYDOMAIN.COM is a production Windows 2008 domain used to support MS Exchange (but not file sharing.)
>> - TECH - Samba3 "classic" domain with unix domain controllers that supports most users for authentication and file sharing. The DC machines are both Samba domains (for Windows clients) and KRB/LDAP servers for Linux clients.
> You could probably use the 'classicupgrade' tool to upgrade your NT4-style domain, apart from the fact that you want to change the domain name.
>
>> - SALES - Small Win 2008 AD domain for a separate group.
>>
>> I want to eventually build a TECH.MYDOMAIN.COM domain as a child domain of MYDOMAIN.COM and migrate computers from the "classic" TECH domain to the new TECH.MYDOMAIN.COM.
> Child domains do not work (yet), unless I missed something ;-)
> This shouldn't really be a problem, just set up a new Samba AD domain and then import your users.
>
>> I will want to preserve user ID numbers as much as possible. Some of the user accounts go back 15 years in the production TECH domain, when local service accounts didn't go over uidNumber 100.
> That explains the low numbers, but perhaps it might be better to bite the bullet and start afresh.
>
>> For the moment I am just testing machines in the parent domain rather than add too many variables upfront.
>>
>> "winbind nss info = templater" was a typo, I did try "winbind nss info = templates"
>>
> The smb.conf on the wiki page I pointed you at does work, so if you are still having problems, can I suggest you post your test smb.conf.
>
>> I fixed nsswitch.conf
>>
>> I think I had krb.conf set up properly with realm before joining the domain.
>>
>> # cat /etc/krb5.conf
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>  dns_lookup_realm = false
>>  ticket_lifetime = 24h
>>  renew_lifetime = 7d
>>  forwardable = true
>>  rdns = false
>>  default_realm = MYDOMAIN.COM
>>
>> [realms]
>>  MYDOMAIN.COM = {
>>   kdc = pdc.mydomain.com
>>   admin_server = pdc.mydomain.com
>>  }
>>
>> [domain_realm]
>>  mydomain.com = MYDOMAIN.COM
>>  .mydomain.com = MYDOMAIN.COM
>> #
>>
> This is mine, from the machine I am typing this on:
>
> [libdefaults]
>     default_realm = SAMDOM.EXAMPLE.COM
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
>> But to be safe I did rejoin the domain
>>
>> # net ads join -U administrator -S pdc.mydomain.com
>> Enter administrator's password:
>> Using short domain name -- MYDOMAIN
>> Joined 'LINUX1' to dns domain 'mydomain.com'
>> #
>>
>> # net ads testjoin
>> Join is OK
>> #
>>
>> Set a uidNumber of 1000 for one of the user accounts and updated the idmap range for MYDOMAIN to be from 100-1999.
>>
>> Still no luck.
>>
> How have you installed samba ?
> It is possible you now have a PAM problem
>
>> Kinit indicates the machine account does exist
>>
>> # kinit linux1
>> Password for linux1 at MYDOMAIN.COM: ^C
>>
>> Since mapping for the child domain is working it indicates that the idmap_tdb backend is OK and that the problem may be with idmap_ad ?
>>
>> # smbd -b
>> ....
>> --with Options:
>>    WITH_ADS
>>    WITH_AUTOMOUNT
>>    WITH_DNS_UPDATES
>>    WITH_PAM
>>    WITH_PAM_MODULES
>>    WITH_PROFILE
>>    WITH_PTHREADPOOL
>>    WITH_QUOTAS
>>    WITH_SENDFILE
>>    WITH_SYSLOG
>>    WITH_WINBIND
>> ...
>> Builtin modules:
>>    vfs_posixacl auth_sam auth_winbind auth_domain auth_builtin vfs_default nss_info_template idmap_tdb idmap_passdb idmap_nss idmap_ldap
>> #
>>
>> Build Options:
>> ...
>>    auth_netlogond_init
>>    auth_samba4_init
>>    auth_script_init
>>    auth_server_init
>>    auth_unix_init
>>    auth_wbc_init
>>    idmap_ad_init
>>    idmap_adex_init
>>    idmap_autorid_init
>>    idmap_hash_init
>>    idmap_rfc2307_init
>>    idmap_rid_init
>>    idmap_script_init
>>    idmap_tdb2_init
>> ....
>>
>> I could presumably use idmap_ldap to maintain a consistent mapping across machines. Since file servers serve users from both Windows and Unix systems, it is important to make sure that the uidNumbers and gidNumbers are consistent across machines and between Unix and Samba.
> Winbind can do this, it just needs setting up correctly ;-)
>
>> I am a little hesitant to try recompiling samba because then I am not sure if nsswitch is calling the correct winbind files.
> It probably wouldn't, but again these would need setting up, read the Samba wiki, all the required info is there.
>
> Rowland
>