On Tue, 13 Dec 2016 14:57:59 -0500
lingpanda101 via samba <samba at lists.samba.org> wrote:

> On 12/12/2016 3:27 PM, lingpanda101 wrote:
> > On 12/11/2016 8:59 AM, Brian Candler via samba wrote:
> >> On 10/12/2016 16:25, Brian Candler wrote:
> >>> I think there's plenty of emphasis now, but I think there is a
> >>> part which is misleading:
> >>>
> >>> > To enable Samba to retrieve user and group information from
> >>> > Active Directory (AD):
> >>> >
> >>> > * Users must have at least the uidNumber and groups the
> >>> > gidNumber attribute set.
> >>
> >> I'm so sorry: I misread this as "Users must have at least the
> >> uidNumber and gidNumber attribute set", which is of course *not*
> >> what it says. Hence the text is accurate (if you read it
> >> correctly); it's my brain which is at fault.
> >>
> >> I do still think that the alternative text I gave is clearer - for
> >> my brain anyway :-)
> >>
> >> Regards,
> >>
> >> Brian.
> >>
> >
> > OK finally solved. Added to my smb.conf
> >
> > 'winbind use default domain = yes'
> >
> > Disabling Avahi and using the above was the issue. Next to attempt
> > actually signing in from the login screen and not via. SSH.
> >
>
> Following the wiki and I'm stuck at 'Authenticating Domain Users
> Using PAM'. I see the section
>
> If you have compiled Samba, you need to add a symbolic links.
> See pam_winbind Link
> <https://wiki.samba.org/index.php/Pam_winbind_Link> for OS specific
> information, where to place it.
>
> If I follow the link it appears to take me to a page similar to
> 'libnss_winbind' linking. I don't see any difference. I ran

Give that man a prize, the only difference between the 'Libnss winbind
Links' page and the 'Pam winbind Link' page is the title, they both
refer to setting up the libnss_winbind lib

I will fix it, not sure how because the links should probably all be on
one page.

> 'pam-auth-update' and made sure to enable Winbind NT/Active Directory
> authentication. I did not manually edit pam config files. If I
> attempt to login with a domain account I get
>
> user1@DR210:/$ su domainuser
>
> Password:
>
> su: Authentication failure
>
> Any ideas? Thanks.
>

You need three extra links:

ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so
ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so.2
ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so

You also need a file /usr/share/pam-configs/winbind

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
        [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
        [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
        [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
Password-Type: Primary
Password:
        [success=end default=ignore] pam_winbind.so use_authtok try_first_pass
Password-Initial:
        [success=end default=ignore] pam_winbind.so
Session-Type: Additional
Session:
        optional pam_winbind.so

You will also need to install libpam-krb5

Finally check that the 'passwd' and 'group' lines in /etc/nsswitch.conf
have 'winbind' in them.

Rowland

On 12/13/2016 3:38 PM, Rowland Penny via samba wrote:

> On Tue, 13 Dec 2016 14:57:59 -0500
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>
>> On 12/12/2016 3:27 PM, lingpanda101 wrote:
>>> On 12/11/2016 8:59 AM, Brian Candler via samba wrote:
>>>> On 10/12/2016 16:25, Brian Candler wrote:
>>>>> I think there's plenty of emphasis now, but I think there is a
>>>>> part which is misleading:
>>>>>
>>>>>> To enable Samba to retrieve user and group information from
>>>>>> Active Directory (AD):
>>>>>>
>>>>>> * Users must have at least the uidNumber and groups the
>>>>>> gidNumber attribute set.
>>>>
>>>> I'm so sorry: I misread this as "Users must have at least the
>>>> uidNumber and gidNumber attribute set", which is of course *not*
>>>> what it says. Hence the text is accurate (if you read it
>>>> correctly); it's my brain which is at fault.
>>>>
>>>> I do still think that the alternative text I gave is clearer - for
>>>> my brain anyway :-)
>>>>
>>>> Regards,
>>>>
>>>> Brian.
>>>>
>>>
>>> OK finally solved. Added to my smb.conf
>>>
>>> 'winbind use default domain = yes'
>>>
>>> Disabling Avahi and using the above was the issue. Next to attempt
>>> actually signing in from the login screen and not via. SSH.
>>>
>>
>> Following the wiki and I'm stuck at 'Authenticating Domain Users
>> Using PAM'. I see the section
>>
>> If you have compiled Samba, you need to add a symbolic links.
>> See pam_winbind Link
>> <https://wiki.samba.org/index.php/Pam_winbind_Link> for OS specific
>> information, where to place it.
>>
>> If I follow the link it appears to take me to a page similar to
>> 'libnss_winbind' linking. I don't see any difference. I ran
>
> Give that man a prize, the only difference between the 'Libnss winbind
> Links' page and the 'Pam winbind Link' page is the title, they both
> refer to setting up the libnss_winbind lib
>
> I will fix it, not sure how because the links should probably all be on
> one page.
>
>> 'pam-auth-update' and made sure to enable Winbind NT/Active Directory
>> authentication. I did not manually edit pam config files. If I
>> attempt to login with a domain account I get
>>
>> user1@DR210:/$ su domainuser
>>
>> Password:
>>
>> su: Authentication failure
>>
>> Any ideas? Thanks.
>>
>
> You need three extra links:
>
> ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so
> ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so.2
> ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so
>
> You also need a file /usr/share/pam-configs/winbind
>
> Name: Winbind NT/Active Directory authentication
> Default: yes
> Priority: 192
> Auth-Type: Primary
> Auth:
>         [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> Auth-Initial:
>         [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
> Account-Type: Primary
> Account:
>         [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
> Password-Type: Primary
> Password:
>         [success=end default=ignore] pam_winbind.so use_authtok try_first_pass
> Password-Initial:
>         [success=end default=ignore] pam_winbind.so
> Session-Type: Additional
> Session:
>         optional pam_winbind.so
>
> You will also need to install libpam-krb5
>
> Finally check that the 'passwd' and 'group' lines in /etc/nsswitch.conf
> have 'winbind' in them.
>
> Rowland
>

Rowland,

Success!

I'll post a few observations during this adventure.

Incorrect case on this page
https://wiki.samba.org/index.php/Libnss_winbind_Links for smbd -B.
Should be lowercase b.

smbd -b | grep LIBDIR
LIBDIR: /usr/local/samba/lib/

I could not retrieve users or groups unless I added

'winbind use default domain = yes'

in my smb.conf file. It's not listed in the wiki on this page
https://wiki.samba.org/index.php/Idmap_config_ad as being optional or
required. Did I do something wrong or should this be added to the
wiki? Without it I would need to explicitly define it when using

id user1@DOMAIN.LOCAL

I was unable to ping my DC when using its FQDN. The fix was to
disable Avahi in my nsswitch.conf file. This was due to using .local
for my domain.

#hosts: files mdns4_minimal [NOTFOUND=return] dns

hosts: files dns

Should this be added to the troubleshooting section of the wiki?

These three links also needed to be created. Not in the wiki that I
have seen.

ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so
ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so.2
ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so

I installed libpam-winbind that created this file

'/usr/share/pam-configs/winbind'

I didn't need to manually create as suggested. However doing so
created the following file

'/lib/x86_64-linux-gnu/security/pam_winbind.so'

I had to rename and create the link you suggested.

ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so

Hopefully this helps others who attempt to join to Ubuntu. Now I will
attempt to login from the GUI.

--
- James

On Wed, 14 Dec 2016 11:37:10 -0500
lingpanda101 via samba <samba at lists.samba.org> wrote:

> Success!
>
> I'll post a few observations during this adventure.
>
> Incorrect case on this page
> https://wiki.samba.org/index.php/Libnss_winbind_Links for smbd -B.
> Should be lowercase b.
>
> smbd -b | grep LIBDIR
> LIBDIR: /usr/local/samba/lib/

Changed.

> I could not retrieve users or groups unless I added
>
> 'winbind use default domain = yes'
>
> in my smb.conf file. It's not listed in the wiki on this page
> https://wiki.samba.org/index.php/Idmap_config_ad as being optional or
> required. Did I do something wrong or should this be added to the
> wiki? Without it I would need to explicitly define it when using
>
> id user1@DOMAIN.LOCAL

What 'winbind use default domain' does is to make it so you do not need
the domain name in any call to getent etc. Without it, you would need to
run something like 'getent passwd SAMDOM\\rowland'.

I will check the wiki and if needs adding, I will do so.

> I was unable to ping my DC when using its FQDN. The fix was to
> disable Avahi in my nsswitch.conf file. This was due to using .local
> for my domain.
>
> #hosts: files mdns4_minimal [NOTFOUND=return] dns
>
> hosts: files dns
>
> Should this be added to the troubleshooting section of the wiki?

The wiki does tell you not to use .local, perhaps it needs to be said more
forcefully?

> These three links also needed to be created. Not in the wiki that I
> have seen.
>
> ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so
> ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so.2
> ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so
>

It did have them at one time, unfortunately an error crept in, but I
think it will be fixed very shortly.

> I installed libpam-winbind that created this file
>
> '/usr/share/pam-configs/winbind'
>
> I didn't need to manually create as suggested. However doing so
> created the following file
>
> '/lib/x86_64-linux-gnu/security/pam_winbind.so'
>
> I had to rename and create the link you suggested.
>
> ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so
>

The contents of libpam-winbind boil down to two files, the file I
posted and the .so file. The only problem with the way you did it, if
'libpam-winbind' gets updated, your .so link will get replaced and this
will probably lead to problems. I would suggest you remove the package.

> Hopefully this helps others who attempt to join to Ubuntu. Now I will
> attempt to login from the GUI.

This should work, well it works for me ;-)

Rowland
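
Added example, not part of any message in this thread: a shell audit of the items the posters list for a self-compiled Samba (winbind on the 'passwd' and 'group' lines, mdns ahead of dns on 'hosts', and the three links into /usr/local/samba/lib). The function names and the constructed sample tree are assumptions made for illustration; the paths are the ones quoted in the thread.

```shell
# Added example. ROOT ($1 of audit_winbind) lets the checks run on a constructed tree.
nss_sources() {  # $1=file $2=database: print its source list, comments ignored
    sed 's/#.*//' "$1" | awk -v db="$2:" '$1 == db { $1 = ""; print; exit }'
}
nss_has_winbind() {  # succeed if database $2 lists winbind
    nss_sources "$1" "$2" | tr ' ' '\n' | grep -qx winbind
}
# Succeed if an mdns source comes before dns on the hosts line, the ordering
# that broke FQDN lookups for the .local domain in the thread.
hosts_mdns_before_dns() {
    nss_sources "$1" hosts | awk '{ for (i = 1; i <= NF; i++) {
        if ($i ~ /^mdns/) { found = 1; exit }
        if ($i == "dns") exit } } END { exit !found }'
}
# Succeed if $1 is a symlink to exactly $2; a regular file there means a
# package copy (libpam-winbind in the thread) is what PAM would load.
link_points_to() { [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]; }

audit_winbind() {  # print each problem under root $1, return how many
    conf=$1/etc/nsswitch.conf lib=$1/lib/x86_64-linux-gnu src=/usr/local/samba/lib n=0
    for db in passwd group; do
        nss_has_winbind "$conf" "$db" ||
            { echo "nsswitch.conf: '$db' lacks winbind"; n=$((n + 1)); }
    done
    if hosts_mdns_before_dns "$conf"; then
        echo "nsswitch.conf: mdns precedes dns on hosts"; n=$((n + 1))
    fi
    for pair in libnss_wins.so:libnss_wins.so.2 libnss_wins.so.2:libnss_wins.so.2 \
                security/pam_winbind.so:security/pam_winbind.so; do
        link_points_to "$lib/${pair%%:*}" "$src/${pair#*:}" ||
            { echo "${pair%%:*}: not a symlink to $src/${pair#*:}"; n=$((n + 1)); }
    done
    return "$n"
}
make_sample() {  # constructed tree under $1 with three deliberate problems
    mkdir -p "$1/etc" "$1/lib/x86_64-linux-gnu/security"
    printf '%s\n' 'passwd: compat winbind' 'group: compat' \
        'hosts: files mdns4_minimal [NOTFOUND=return] dns' > "$1/etc/nsswitch.conf"
    ln -s /usr/local/samba/lib/libnss_wins.so.2 "$1/lib/x86_64-linux-gnu/libnss_wins.so"
    ln -s /usr/local/samba/lib/libnss_wins.so.2 "$1/lib/x86_64-linux-gnu/libnss_wins.so.2"
    : > "$1/lib/x86_64-linux-gnu/security/pam_winbind.so"  # regular file, not a link
}
tmp=$(mktemp -d); make_sample "$tmp"; audit_winbind "$tmp" || true; rm -rf "$tmp"
```

Running `audit_winbind ""` checks the live system; re-running it after package upgrades shows whether the pam_winbind.so link has been replaced by a packaged file.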