Hello Rowland,

On 14.10.2016 at 18:18, Rowland Penny via samba wrote:
> On Fri, 14 Oct 2016 17:52:33 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>
>> However it is not very specific as to what permissions should
>> actually be configured: "Go to the "Security" tab, click the "Edit"
>> button and configure the desired Windows ACLs".
>>
> What it means is, you need to add/change the users and groups and set
> permissions to meet your requirements.
>
>>> Also, when you changed the ranges in smb.conf, have you changed the
>>> uidNumber & gidNumber attributes in AD ?
>> Not necessary in my opinion as I only modified the "overkill" range
>> of the * domain (100000 - 2^32-1).
>>
>> BTW: There is no range checking in the code. I started with 2^32 =
>> 4294967296 as the upper limit and the mapping didn't work at all.
>> Discovered later in the logs the range was parsed into "range
>> 100000-0".
>>
>> Two questions:
>>
>> 1) Do you agree with the directions given by L.P.H. van Belle: Create
>> new user "Admin" and remove all the already filled in accounts (much
>> like in the screenshot on the
>> <https://wiki.samba.org/index.php/Shares_with_Windows_ACLs> page)?
> This is up to you; doing what Louis is suggesting is security
> through obscurity. It means that anybody trying to get into your system
> has to know (or obtain by whatever means) not only the password, they
> also have to know the username to go with it.
> As for removing the accounts, you need to decide just who has access
> and how much access they have, this may mean removing, altering or
> adding accounts.
>
>> 2) Can you elaborate on this?
>>
> I think I just did ;-)
>
>> I have removed the rfc2307-IDs now. I guess going to the "Unix
>> Attributes" tab in ADUC and setting "NIS Domain" to "none" is
>> sufficient?
>>
>> --> No, it should show your domain name.
>>
>> Hmm, the "NIS Domain" setting is a drop-down menu. When I choose
>> mydomain (in lower case this time) a UID Number is automatically
>> assigned, when I choose <none> the fields are greyed out. So "no
>> uidNumber" and "should show your domain name" don't work at the same
>> time. Or should I choose mydomain and delete the remaining field
>> entries?
> If the windows machine that ADUC is running on is joined to the domain,
> it normally allows you to set the domain on the 'Unix Attributes' tab
> and setting this, fills in all the other boxes (uidNumber etc)

Sorry for asking this twice, I just wanted to see if I understood everything correctly.

So, to summarize the discussion:

System accounts should not have rfc2307 IDs, only (unprivileged) users should. The Administrator account is the exception. It can be mapped to root through the "username map" directive.

Today, I followed the wiki page <https://wiki.samba.org/index.php/User_home_drives> with all the prerequisites. Unfortunately, the automatic home folder creation still does not work. So I checked all my logs and I guess I have another problem with DDNS and DHCP:

Oct 17 16:15:41 addc01 named[6074]: samba_dlz: starting transaction on zone 6.168.192.in-addr.arpa
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: spnego update failed
Oct 17 16:15:41 addc01 named[6074]: client 127.0.0.1#59487/key rndc-key: updating zone '6.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
Oct 17 16:15:41 addc01 named[6074]: samba_dlz: cancelling transaction on zone 6.168.192.in-addr.arpa
Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPREQUEST for 192.168.6.56 from 00:0c:29:3c:4c:bc (Admin-PC) via ens32
Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPACK on 192.168.6.56 to 00:0c:29:3c:4c:bc (Admin-PC) via ens32
Oct 17 16:15:41 addc01 dhcpd[6062]: Unable to add reverse map from 56.6.168.192.in-addr.arpa. to Admin-PC.mydomain.lan: REFUSED

This translates into missing PTR records of my two virtual PCs in the DNS (configured to get their IPs over DHCP). Can this be related to my first problem or does this have other side effects?

When I run the command samba_dnsupdate --verbose --all-names everything looks fine.

Is this a known issue/mistake in the configuration?

Best regards
Udo

>
> Rowland
>
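The "range 100000-0" the poster above saw after setting an upper bound of 2^32 is the kind of thing a quick static check of smb.conf catches before winbind ever runs. The following is an added example written for this page, not code from the thread or from Samba: it pulls every "idmap config X : range" line out of an smb.conf, flags bounds that do not fit a 32-bit ID, a low bound above the high bound, a range that reaches down into the local Unix account space, and ranges of different idmap domains that overlap (overlap silently breaks the mapping because winbind cannot decide which backend owns an ID). The sample smb.conf text is constructed; the cutoff of 1000 for local system accounts is the usual Linux convention and an assumption here, not a Samba rule.

```python
"""Static sanity check for the idmap ranges in an smb.conf (added example)."""
import re

UID_MAX = 2**32 - 1        # largest value a 32-bit uid_t/gid_t can hold
LOCAL_ID_CEILING = 1000    # assumption: local system accounts live below this

# Matches lines such as:  idmap config MYDOMAIN : range = 10000-99999
IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)

# Constructed sample: the "*" range with the 2^32 upper bound from the thread.
SAMPLE_SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 100000-4294967296
   idmap config MYDOMAIN : backend = ad
   idmap config MYDOMAIN : schema_mode = rfc2307
   idmap config MYDOMAIN : range = 10000-99999
"""


def parse_idmap_ranges(smb_conf_text):
    """Return {idmap_domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in smb_conf_text.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group("dom")] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def check_idmap_ranges(ranges):
    """Return a list of problem descriptions; an empty list means the ranges look sane."""
    problems = []
    for dom, (lo, hi) in ranges.items():
        if hi > UID_MAX or lo > UID_MAX:
            # Samba stores IDs in 32-bit fields; anything larger wraps or is dropped.
            problems.append(f"{dom}: bound exceeds the 32-bit ID space ({lo}-{hi})")
        if lo > hi:
            problems.append(f"{dom}: low bound above high bound ({lo}-{hi})")
        if lo < LOCAL_ID_CEILING:
            problems.append(f"{dom}: range reaches into local system account IDs ({lo}-{hi})")
    # Every idmap domain must own a disjoint slice of the ID space.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append(f"{a} ({a_lo}-{a_hi}) overlaps {b} ({b_lo}-{b_hi})")
    return problems


if __name__ == "__main__":
    for p in check_idmap_ranges(parse_idmap_ranges(SAMPLE_SMB_CONF)) or ["no problems found"]:
        print(p)
```

Run it against the real file with `check_idmap_ranges(parse_idmap_ranges(open("/etc/samba/smb.conf").read()))`; the member-server ranges posted later in this thread (2000-9999 for "*" and 10000-99999 for MYDOMAIN) pass cleanly, while the 2^32 bound is reported.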
See inline comments:

On Mon, 17 Oct 2016 17:14:43 +0200
Udo Willke via samba <samba at lists.samba.org> wrote:

> So, to summarize the discussion:
>
> System accounts should not have rfc2307 IDs, only (unprivileged)
> users should. The Administrator account is the exception. It can be
> mapped to root through the "username map" directive

Basically yes, you can also give Domain Admins a gidNumber and then
make any users you want to be admins, members of this group.

> Today, I followed the wiki page
> <https://wiki.samba.org/index.php/User_home_drives> with all the
> prerequisites. Unfortunately, the automatic home folder creation
> still does not work.

Just followed it myself and it does work against a Samba fileserver.

Where do you expect the home directory to be created ?
Is it on a Samba machine and if so what have you got in smb.conf ?

> So I checked all my logs and I guess I have
> another problem with DDNS and DHCP:
>
> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: starting transaction
> on zone 6.168.192.in-addr.arpa
> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: spnego update failed
> Oct 17 16:15:41 addc01 named[6074]: client 127.0.0.1#59487/key
> rndc-key: updating zone '6.168.192.in-addr.arpa/NONE': update failed:
> rejected by secure update (REFUSED)
> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: cancelling transaction
> on zone 6.168.192.in-addr.arpa
> Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPREQUEST for 192.168.6.56 from
> 00:0c:29:3c:4c:bc (Admin-PC) via ens32
> Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPACK on 192.168.6.56 to
> 00:0c:29:3c:4c:bc (Admin-PC) via ens32
> Oct 17 16:15:41 addc01 dhcpd[6062]: Unable to add reverse map from
> 56.6.168.192.in-addr.arpa. to Admin-PC.mydomain.lan: REFUSED
>

Are you running the dhcp server on the DC along with Bind9 ?
If so, please post your dhcpd.conf

> This translates into missing PTR records of my two virtual PCs in the
> DNS (configured to get their IPs over DHCP). Can this be related to
> my first problem or has this other side effects?
>

Not having reverse records isn't going to help, but I don't think this is
your problem.

Rowland
Hello Rowland,

On 17.10.2016 at 18:06, Rowland Penny via samba wrote:
> See inline comments:
>
> On Mon, 17 Oct 2016 17:14:43 +0200
> Udo Willke via samba <samba at lists.samba.org> wrote:
>
>> So, to summarize the discussion:
>>
>> System accounts should not have rfc2307 IDs, only (unprivileged)
>> users should. The Administrator account is the exception. It can be
>> mapped to root through the "username map" directive
> Basically yes, you can also give Domain Admins a gidNumber and then
> make any users you want to be admins, members of this group.
>
>> Today, I followed the wiki page
>> <https://wiki.samba.org/index.php/User_home_drives> with all the
>> prerequisites. Unfortunately, the automatic home folder creation
>> still does not work.
> Just followed it myself and it does work against a Samba fileserver.

Hmm, then I must be doing it wrong somehow ... :-[

>
> Where do you expect the home directory to be created ?

On the Samba member server as defined in the [home] share definition (and also as defined in the user profile (home drive/home share)).

> Is it on a Samba machine and if so what have you got in smb.conf ?

Here comes my smb.conf of the member server == file server:

[global]
netbios name = FILESERVER2
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.LAN
server string = Virtual Server
log level = 5
log file = /var/log/samba/%m.log
password server = 192.168.6.8
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
username map = /etc/samba/user.map

;; Use settings from AD for login shell and home directory
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind cache time = 60

;; Default idmap config used for BUILTIN and local accounts/groups
idmap config * : backend = tdb
idmap config * : range = 2000-9999

;; idmap config for domain MYDOMAIN
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
template homedir = /var/share/samba/homes/%U

[home]
path = /var/share/samba/homes
guest ok = no
read only = no
browseable = yes

[profiles]
path = /var/share/samba/profiles
read only = no
store dos attributes = yes
create mask = 0600
directory mask = 0700
guest ok = no
profile acls = yes
csc policy = disable

>
>> So I checked all my logs and I guess I have
>> another problem with DDNS and DHCP:
>>
>> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: starting transaction
>> on zone 6.168.192.in-addr.arpa
>> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: spnego update failed
>> Oct 17 16:15:41 addc01 named[6074]: client 127.0.0.1#59487/key
>> rndc-key: updating zone '6.168.192.in-addr.arpa/NONE': update failed:
>> rejected by secure update (REFUSED)
>> Oct 17 16:15:41 addc01 named[6074]: samba_dlz: cancelling transaction
>> on zone 6.168.192.in-addr.arpa
>> Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPREQUEST for 192.168.6.56 from
>> 00:0c:29:3c:4c:bc (Admin-PC) via ens32
>> Oct 17 16:15:41 addc01 dhcpd[6062]: DHCPACK on 192.168.6.56 to
>> 00:0c:29:3c:4c:bc (Admin-PC) via ens32
>> Oct 17 16:15:41 addc01 dhcpd[6062]: Unable to add reverse map from
>> 56.6.168.192.in-addr.arpa. to Admin-PC.mydomain.lan: REFUSED
>>
> Are you running the dhcp server on the DC along with Bind9 ?

Yes, I do.

> If so, please post your dhcpd.conf

This is my dhcpd.conf:

include "/etc/dhcp/ddns-keys/rndc.key";
update-static-leases on;
allow unknown-clients;
use-host-decl-names on;
default-lease-time 3600;

zone mydomain.lan. {
    primary 127.0.0.1;   # This server is the primary DNS server for the zone
    key rndc-key;        # Use the key we defined earlier for dynamic updates
}

zone 6.168.192.in-addr.arpa. {
    primary 127.0.0.1;   # This server is the primary reverse DNS server for the zone
    key rndc-key;        # Use the key we defined earlier for dynamic updates
}

subnet 192.168.6.0 netmask 255.255.255.0 {
    range 192.168.6.16 192.168.6.63;
    authoritative;
    option subnet-mask 255.255.255.0;
    option routers 192.168.6.1;
    option domain-name-servers 192.168.6.8;
    option domain-name "mydomain.lan";
    ddns-domainname "mydomain.lan.";
    # ddns-rev-domainname "6.168.192.in-addr.arpa.";
    ddns-rev-domainname "in-addr.arpa.";
}

ddns-update-style interim;
max-lease-time 7200;
authoritative;
log-facility local7;

My intention was to have static addresses for the DC(s) and the file server(s) from 192.168.6.1 - 192.168.6.15 and use DHCP for the Windows 7 Workstations (easier to roll out).

Best regards
Udo

>
>> This translates into missing PTR records of my two virtual PCs in the
>> DNS (configured to get their IPs over DHCP). Can this be related to
>> my first problem or has this other side effects?
>>
> Not having reverse records isn't going to help, but I don't think this is
> your problem.
>
> Rowland
>
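The dhcpd.conf above signs its dynamic updates with rndc-key, a plain TSIG secret. On a Samba AD DC with the BIND9_DLZ backend that cannot work: the DLZ module checks who signed the update against the zone's AD security descriptor, and a bare TSIG key carries no AD identity, which is exactly the "samba_dlz: spnego update failed" followed by "rejected by secure update (REFUSED)" in the logs. The usual way around it is to drop the zone/key stanzas from dhcpd.conf, turn dhcpd's own DDNS off, and have an `on commit` hook sign the update with Kerberos instead: `kinit` from a keytab as an AD account that may write the zones, then feed `nsupdate -g` (GSS-TSIG). The following is an added example written for this page, not code from the thread, from Samba or from ISC dhcpd; it builds the nsupdate input for a lease and the two commands the hook would run. The account dhcpduser@MYDOMAIN.LAN, the keytab path and the hook script path are assumptions; the DC address, hostname and IP come from the logs above.

```python
"""Build the Kerberos-signed DNS update a DHCP lease hook would send (added example)."""
import ipaddress

REALM = "MYDOMAIN.LAN"
DNS_SERVER = "192.168.6.8"            # the DC from the thread
KEYTAB = "/etc/dhcpduser.keytab"      # assumption: keytab exported for the update account
PRINCIPAL = f"dhcpduser@{REALM}"      # assumption: AD account allowed to write both zones
HOOK_PATH = "/usr/local/sbin/dhcp-dyndns.sh"   # assumption: what dhcpd's execute() would call


def ptr_name(ip):
    """Reverse-map owner name for an IPv4 address: 192.168.6.56 -> 56.6.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def build_nsupdate_script(action, ip, hostname, domain, ttl=3600, server=DNS_SERVER):
    """Return the text fed to 'nsupdate -g' that adds or deletes the A and PTR records.

    The forward and reverse records go out as separate updates ("send" twice) so a
    failure in one zone does not roll back the other.
    """
    if action not in ("add", "delete"):
        raise ValueError("action must be 'add' or 'delete'")
    fqdn = f"{hostname}.{domain}."
    rev = ptr_name(ip)
    lines = [f"server {server}"]
    # Forward zone: clear any stale A record for the name, then add the current lease.
    lines.append(f"update delete {fqdn} A")
    if action == "add":
        lines.append(f"update add {fqdn} {ttl} A {ip}")
    lines.append("send")
    # Reverse zone: same pattern for the PTR record.
    lines.append(f"update delete {rev} PTR")
    if action == "add":
        lines.append(f"update add {rev} {ttl} PTR {fqdn}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def hook_commands(action, ip, hostname, domain):
    """(argv, stdin) pairs a dhcpd 'on commit' hook runs: obtain a ticket, then push the update.

    kinit -k -t reads the key from the keytab (no password on the command line);
    nsupdate -g signs the update with that ticket using GSS-TSIG, which is what the
    DLZ backend requires instead of the rndc-key TSIG secret.
    """
    script = build_nsupdate_script(action, ip, hostname, domain)
    return [
        (["kinit", "-k", "-t", KEYTAB, PRINCIPAL], None),
        (["nsupdate", "-g"], script),
    ]


if __name__ == "__main__":
    # Constructed lease event matching the DHCPACK line in the thread.
    for argv, stdin in hook_commands("add", "192.168.6.56", "Admin-PC", "mydomain.lan"):
        print(" ".join(argv))
        if stdin:
            print(stdin)
```

On the dhcpd side this pairs with `ddns-updates off;` and an `on commit { execute("/usr/local/sbin/dhcp-dyndns.sh", "add", binary-to-ascii(10, 8, ".", leased-address), option host-name); }` block in place of the `zone` stanzas, with a matching `on release`/`on expiry` calling the delete path; the update account only needs write access to the two zone objects in AD, not Domain Admins membership.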