samba - Dec 2016 - How to join join Ubuntu desktop to AD

On Thu, 8 Dec 2016 13:03:49 -0500
lingpanda101 via samba <samba at lists.samba.org> wrote:
> On 12/8/2016 12:52 PM, Rowland Penny via samba wrote:
> > On Thu, 8 Dec 2016 12:27:20 -0500
> > lingpanda101 via samba <samba at lists.samba.org> wrote:
> >
> >> I think I have a issue with ldconfig not finding winbind. I create
> >> the sym links and verified they exist. What am I missing? Thanks.
> >>
> >> ldconfig -v | grep "libnss_"
> >> /sbin/ldconfig.real: Path `/lib/x86_64-linux-gnu' given more
than
> >> once /sbin/ldconfig.real: Path `/usr/lib/x86_64-linux-gnu'
given
> >> more than
> >> once /sbin/ldconfig.real: /lib/x86_64-linux-gnu/ld-2.23.so is the
> >> dynamic linker, ignoring
> >>
> >>       libnss_mdns4_minimal.so.2 -> libnss_mdns4_minimal.so.2
> >>       libnss_files.so.2 -> libnss_files-2.23.so
> >>       libnss_nis.so.2 -> libnss_nis-2.23.so
> >>       libnss_mdns.so.2 -> libnss_mdns.so.2
> >>       libnss_dns.so.2 -> libnss_dns-2.23.so
> >>       libnss_nisplus.so.2 -> libnss_nisplus-2.23.so
> >>       libnss_mdns6_minimal.so.2 -> libnss_mdns6_minimal.so.2
> >>       libnss_compat.so.2 -> libnss_compat-2.23.so
> >>       libnss_mdns_minimal.so.2 -> libnss_mdns_minimal.so.2
> >>       libnss_hesiod.so.2 -> libnss_hesiod-2.23.so
> >>       libnss_mdns6.so.2 -> libnss_mdns6.so.2
> >>       libnss_mdns4.so.2 -> libnss_mdns4.so.2
> >>
> > What version of Samba are you using ? I got the impression you were
> > using the distro's packages, in which case you do not create the
> > symlinks, you just install the packages I referred to earlier.
> >
> > Rowland
> >
> 
> I compiled using 4.5.1.
> 
OK, you need to have these symlinks:

ln -s /usr/local/samba/lib/libnss_wins.so.2
/lib/x86_64-linux-gnu/libnss_wins.so.2
ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so

ln -s /usr/local/samba/lib/libnss_winbind.so.2
/lib/x86_64-linux-gnu/libnss_winbind.so.2
ln -s /usr/local/samba/lib/libnss_winbind.so.2
/lib/x86_64-linux-gnu/libnss_winbind.so

ln -s /usr/local/samba/lib/security/pam_winbind.so
/lib/x86_64-linux-gnu/security/pam_winbind.so

Then run 'ldconfig'

You will also have to create a file: /usr/share/pam-configs/winbind

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE
cached_login try_first_pass
Auth-Initial:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE
cached_login
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so
Password-Type: Primary
Password:
	[success=end default=ignore]	pam_winbind.so use_authtok try_first_pass
Password-Initial:
	[success=end default=ignore]	pam_winbind.so
Session-Type: Additional
Session:
	optional			pam_winbind.so

Rowland

On 12/8/2016 1:14 PM, Rowland Penny via samba wrote:
> On Thu, 8 Dec 2016 13:03:49 -0500
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>
>> On 12/8/2016 12:52 PM, Rowland Penny via samba wrote:
>>> On Thu, 8 Dec 2016 12:27:20 -0500
>>> lingpanda101 via samba <samba at lists.samba.org> wrote:
>>>
>>>> I think I have a issue with ldconfig not finding winbind. I
create
>>>> the sym links and verified they exist. What am I missing?
Thanks.
>>>>
>>>> ldconfig -v | grep "libnss_"
>>>> /sbin/ldconfig.real: Path `/lib/x86_64-linux-gnu' given
more than
>>>> once /sbin/ldconfig.real: Path `/usr/lib/x86_64-linux-gnu'
given
>>>> more than
>>>> once /sbin/ldconfig.real: /lib/x86_64-linux-gnu/ld-2.23.so is
the
>>>> dynamic linker, ignoring
>>>>
>>>>        libnss_mdns4_minimal.so.2 ->
libnss_mdns4_minimal.so.2
>>>>        libnss_files.so.2 -> libnss_files-2.23.so
>>>>        libnss_nis.so.2 -> libnss_nis-2.23.so
>>>>        libnss_mdns.so.2 -> libnss_mdns.so.2
>>>>        libnss_dns.so.2 -> libnss_dns-2.23.so
>>>>        libnss_nisplus.so.2 -> libnss_nisplus-2.23.so
>>>>        libnss_mdns6_minimal.so.2 ->
libnss_mdns6_minimal.so.2
>>>>        libnss_compat.so.2 -> libnss_compat-2.23.so
>>>>        libnss_mdns_minimal.so.2 -> libnss_mdns_minimal.so.2
>>>>        libnss_hesiod.so.2 -> libnss_hesiod-2.23.so
>>>>        libnss_mdns6.so.2 -> libnss_mdns6.so.2
>>>>        libnss_mdns4.so.2 -> libnss_mdns4.so.2
>>>>
>>> What version of Samba are you using ? I got the impression you were
>>> using the distro's packages, in which case you do not create
the
>>> symlinks, you just install the packages I referred to earlier.
>>>
>>> Rowland
>>>
>> I compiled using 4.5.1.
>>
> OK, you need to have these symlinks:
>
> ln -s /usr/local/samba/lib/libnss_wins.so.2
/lib/x86_64-linux-gnu/libnss_wins.so.2
> ln -s /usr/local/samba/lib/libnss_wins.so.2
/lib/x86_64-linux-gnu/libnss_wins.so
>
> ln -s /usr/local/samba/lib/libnss_winbind.so.2
/lib/x86_64-linux-gnu/libnss_winbind.so.2
> ln -s /usr/local/samba/lib/libnss_winbind.so.2
/lib/x86_64-linux-gnu/libnss_winbind.so
>
> ln -s /usr/local/samba/lib/security/pam_winbind.so
/lib/x86_64-linux-gnu/security/pam_winbind.so
>
> Then run 'ldconfig'
>
> You will also have to create a file: /usr/share/pam-configs/winbind
>
> Name: Winbind NT/Active Directory authentication
> Default: yes
> Priority: 192
> Auth-Type: Primary
> Auth:
> 	[success=end default=ignore]	pam_winbind.so krb5_auth
krb5_ccache_type=FILE cached_login try_first_pass
> Auth-Initial:
> 	[success=end default=ignore]	pam_winbind.so krb5_auth
krb5_ccache_type=FILE cached_login
> Account-Type: Primary
> Account:
> 	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so
> Password-Type: Primary
> Password:
> 	[success=end default=ignore]	pam_winbind.so use_authtok try_first_pass
> Password-Initial:
> 	[success=end default=ignore]	pam_winbind.so
> Session-Type: Additional
> Session:
> 	optional			pam_winbind.so
>
> Rowland
>
I will perform the additional steps. I should point out I do not see 
anything related to configuring Kerberos in the wiki. I have kept the 
default configuration. Thanks.

-- 
- James

On Thu, 8 Dec 2016 13:54:17 -0500
lingpanda101 via samba <samba at lists.samba.org> wrote:
> On 12/8/2016 1:14 PM, Rowland Penny via samba wrote:
> > On Thu, 8 Dec 2016 13:03:49 -0500
> > lingpanda101 via samba <samba at lists.samba.org> wrote:
> >
> >> On 12/8/2016 12:52 PM, Rowland Penny via samba wrote:
> >>> On Thu, 8 Dec 2016 12:27:20 -0500
> >>> lingpanda101 via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> I think I have a issue with ldconfig not finding winbind.
I
> >>>> create the sym links and verified they exist. What am I
missing?
> >>>> Thanks.
> >>>>
> >>>> ldconfig -v | grep "libnss_"
> >>>> /sbin/ldconfig.real: Path `/lib/x86_64-linux-gnu'
given more than
> >>>> once /sbin/ldconfig.real: Path
`/usr/lib/x86_64-linux-gnu' given
> >>>> more than
> >>>> once /sbin/ldconfig.real: /lib/x86_64-linux-gnu/ld-2.23.so
is the
> >>>> dynamic linker, ignoring
> >>>>
> >>>>        libnss_mdns4_minimal.so.2 ->
libnss_mdns4_minimal.so.2
> >>>>        libnss_files.so.2 -> libnss_files-2.23.so
> >>>>        libnss_nis.so.2 -> libnss_nis-2.23.so
> >>>>        libnss_mdns.so.2 -> libnss_mdns.so.2
> >>>>        libnss_dns.so.2 -> libnss_dns-2.23.so
> >>>>        libnss_nisplus.so.2 -> libnss_nisplus-2.23.so
> >>>>        libnss_mdns6_minimal.so.2 ->
libnss_mdns6_minimal.so.2
> >>>>        libnss_compat.so.2 -> libnss_compat-2.23.so
> >>>>        libnss_mdns_minimal.so.2 ->
libnss_mdns_minimal.so.2
> >>>>        libnss_hesiod.so.2 -> libnss_hesiod-2.23.so
> >>>>        libnss_mdns6.so.2 -> libnss_mdns6.so.2
> >>>>        libnss_mdns4.so.2 -> libnss_mdns4.so.2
> >>>>
> >>> What version of Samba are you using ? I got the impression you
> >>> were using the distro's packages, in which case you do not
create
> >>> the symlinks, you just install the packages I referred to
earlier.
> >>>
> >>> Rowland
> >>>
> >> I compiled using 4.5.1.
> >>
> > OK, you need to have these symlinks:
> >
> > ln
> > -s /usr/local/samba/lib/libnss_wins.so.2
/lib/x86_64-linux-gnu/libnss_wins.so.2
> > ln
> > -s /usr/local/samba/lib/libnss_wins.so.2
/lib/x86_64-linux-gnu/libnss_wins.so
> >
> > ln
> > -s /usr/local/samba/lib/libnss_winbind.so.2
/lib/x86_64-linux-gnu/libnss_winbind.so.2
> > ln
> > -s /usr/local/samba/lib/libnss_winbind.so.2
/lib/x86_64-linux-gnu/libnss_winbind.so
> >
> > ln
> > -s /usr/local/samba/lib/security/pam_winbind.so
/lib/x86_64-linux-gnu/security/pam_winbind.so
> >
> > Then run 'ldconfig'
> >
> > You will also have to create a file: /usr/share/pam-configs/winbind
> >
> > Name: Winbind NT/Active Directory authentication
> > Default: yes
> > Priority: 192
> > Auth-Type: Primary
> > Auth:
> > 	[success=end default=ignore]	pam_winbind.so
> > krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> > Auth-Initial: [success=end default=ignore]	pam_winbind.so
> > krb5_auth krb5_ccache_type=FILE cached_login Account-Type: Primary
> > Account:
> > 	[success=end new_authtok_reqd=done default=ignore]
> > pam_winbind.so Password-Type: Primary
> > Password:
> > 	[success=end default=ignore]	pam_winbind.so
> > use_authtok try_first_pass Password-Initial:
> > 	[success=end default=ignore]	pam_winbind.so
> > Session-Type: Additional
> > Session:
> > 	optional			pam_winbind.so
> >
> > Rowland
> >
> 
> I will perform the additional steps. I should point out I do not see 
> anything related to configuring Kerberos in the wiki. I have kept the 
> default configuration. Thanks.
> 
Now I look at the domain member page, nor do I, but you only need the
same krb5.conf as on the DC:

[libdefaults]
	default_realm = SAMDOM.EXAMPLE.COM
	dns_lookup_realm = false
	dns_lookup_kdc = true

Rowland

On 08/12/2016 18:14, Rowland Penny wrote:
> OK, you need to have these symlinks:
>
> ln -s /usr/local/samba/lib/libnss_wins.so.2
/lib/x86_64-linux-gnu/libnss_wins.so.2
> ln -s /usr/local/samba/lib/libnss_wins.so.2
/lib/x86_64-linux-gnu/libnss_wins.so
>
> ln -s /usr/local/samba/lib/libnss_winbind.so.2
/lib/x86_64-linux-gnu/libnss_winbind.so.2
> ln -s /usr/local/samba/lib/libnss_winbind.so.2
/lib/x86_64-linux-gnu/libnss_winbind.so
Aside: the way I normally handle this is to configure the loader path. 
For example, to make the loader able to find all libraries in 
/usr/local/samba/lib I would do:

echo "/usr/local/samba/lib" >/etc/ld.so.conf.d/samba.conf
ldconfig

which is easier than symlinking individual libraries.

But I've not needed this with Samba. If the binaries were built in-situ, 
they know about the locations of the libraries they are linked against. e.g.

root at wrn-dc1:~# ldd /usr/local/samba/sbin/winbindd | head
     linux-vdso.so.1 =>  (0x00007ffceb92a000)
     libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 
(0x00007f93429b2000)
     libtevent-util.so.0 => /usr/local/samba/lib/libtevent-util.so.0 
(0x00007f93427af000)
     libMESSAGING-samba4.so => 
/usr/local/samba/lib/private/libMESSAGING-samba4.so (0x00007f93425a6000)
     libcliauth-samba4.so => 
/usr/local/samba/lib/private/libcliauth-samba4.so (0x00007f934238f000)
     libads-samba4.so => /usr/local/samba/lib/private/libads-samba4.so 
(0x00007f9342160000)
     libidmap-samba4.so => 
/usr/local/samba/lib/private/libidmap-samba4.so (0x00007f9341f4c000)
     libndr-samba4.so => /usr/local/samba/lib/private/libndr-samba4.so 
(0x00007f9341b7c000)
     libnss-info-samba4.so => 
/usr/local/samba/lib/private/libnss-info-samba4.so (0x00007f9341978000)
     libsamba-passdb.so.0 => /usr/local/samba/lib/libsamba-passdb.so.0 
(0x00007f93416f0000)

Regards,

Brian.

On Fri, 9 Dec 2016 18:06:53 +0000
Brian Candler via samba <samba at lists.samba.org> wrote:
> On 08/12/2016 18:14, Rowland Penny wrote:
> > OK, you need to have these symlinks:
> >
> > ln
> > -s /usr/local/samba/lib/libnss_wins.so.2
/lib/x86_64-linux-gnu/libnss_wins.so.2
> > ln
> > -s /usr/local/samba/lib/libnss_wins.so.2
/lib/x86_64-linux-gnu/libnss_wins.so
> >
> > ln
> > -s /usr/local/samba/lib/libnss_winbind.so.2
/lib/x86_64-linux-gnu/libnss_winbind.so.2
> > ln
> > -s /usr/local/samba/lib/libnss_winbind.so.2
/lib/x86_64-linux-gnu/libnss_winbind.so
> 
> Aside: the way I normally handle this is to configure the loader
> path. For example, to make the loader able to find all libraries in 
> /usr/local/samba/lib I would do:
> 
> echo "/usr/local/samba/lib" >/etc/ld.so.conf.d/samba.conf
> ldconfig
> 
> which is easier than symlinking individual libraries.
> 
> But I've not needed this with Samba. If the binaries were built
> in-situ, they know about the locations of the libraries they are
> linked against. e.g.
> 
> root at wrn-dc1:~# ldd /usr/local/samba/sbin/winbindd | head
>      linux-vdso.so.1 =>  (0x00007ffceb92a000)
>      libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 
> (0x00007f93429b2000)
>      libtevent-util.so.0 => /usr/local/samba/lib/libtevent-util.so.0 
> (0x00007f93427af000)
>      libMESSAGING-samba4.so => 
> /usr/local/samba/lib/private/libMESSAGING-samba4.so
> (0x00007f93425a6000) libcliauth-samba4.so => 
> /usr/local/samba/lib/private/libcliauth-samba4.so (0x00007f934238f000)
>      libads-samba4.so
> => /usr/local/samba/lib/private/libads-samba4.so (0x00007f9342160000)
>      libidmap-samba4.so => 
> /usr/local/samba/lib/private/libidmap-samba4.so (0x00007f9341f4c000)
>      libndr-samba4.so
> => /usr/local/samba/lib/private/libndr-samba4.so (0x00007f9341b7c000)
>      libnss-info-samba4.so => 
> /usr/local/samba/lib/private/libnss-info-samba4.so
> (0x00007f9341978000) libsamba-passdb.so.0
> => /usr/local/samba/lib/libsamba-passdb.so.0 (0x00007f93416f0000)
> 
> Regards,
> 
> Brian.
> 
Yes, Samba knows where they are, but nsswitch doesn't ;-)

Rowland