L.P.H. van Belle
2017-Feb-15 07:42 UTC
[Samba] Samba AD domain member with SSSD: ACL not work
Have you seen:

( centos/redhat ) https://outsideit.net/realmd-sssd-ad-authentication/
( debian/ubuntu ) http://www.alandmoore.com/blog/2015/05/06/joining-debian-8-to-active-directory/

But I must say, I haven't tested/tried these, I don't use sssd.
But I think these are useful for you to read at least.

If you use the debian variant, you may need to install also:
One or more of these: libnss-sss libpam-sss libsss-idmap0 libsss-sudo

But same as Rowland is saying, you get better support at the sssd list.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dario Lesca via samba
> Sent: Tuesday 14 February 2017 18:08
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD domain member with SSSD: ACL not work
>
> On Tue, 14/02/2017 at 16.13 +0000, Rowland Penny via samba wrote:
> > Have you modified /etc/nsswitch.conf ?
>
> No:
> > passwd: files sss
> > shadow: files sss
> > group: files sss
>
> By default nsswitch.conf is configured to use sssd
>
> > If you haven't, then you are not using winbind, you are using sssd.
>
> Yes. I use sssd, if this is not a problem for samba.
>
> > In which case you should remove the 'idmap config' lines from
> > smb.conf.
>
> Ok, now I have removed these 4 lines, restarted smb and tested: ACLs still
> do not work.
>
> > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]: *****
> > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:
> > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]: Samba name server SAMBA-DATI is now a local master browser for workgroup SRL on subnet 192.168.1.5
> > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:
> > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]: *****
> > feb 14 17:45:44 samba-dati.srl.local smbd[3369]: [2017/02/14 17:45:44.973268, 0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
> > feb 14 17:45:44 samba-dati.srl.local smbd[3369]: create_canon_ace_lists: unable to map SID S-1-5-21-347198863-3916504048-2821235790-1213 to uid or gid.
>
> The error still exists
>
> > You should also try asking on the sssd users mailing list for help,
> > because if you are not using winbind for authentication, this is
> > probably where your problem lies.
>
> Ok, but my question now is: is it possible to use samba in conjunction
> with sssd?
>
> Or is this kind of configuration not allowed or not fully tested or
> supported by the samba team?
>
> > If you want to use winbind instead of sssd, you will need to turn sssd
> > off.
>
> Ok, this way it's another possible solution, if I am not able to
> configure samba + sssd
>
> Many Thanks
>
> --
> Dario Lesca
> (sent from my Linux Fedora 25 Workstation)
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Wed, 15/02/2017 at 08.42 +0100, L.P.H. van Belle via samba wrote:
> Have you seen:
>
> ( centos/redhat )
> https://outsideit.net/realmd-sssd-ad-authentication/
>
> ( debian/ubuntu )
> http://www.alandmoore.com/blog/2015/05/06/joining-debian-8-to-active-directory/

Thanks Louis, thanks Rowland.

Yes, I have read this howto, and many others.

None show how to set up ACLs correctly with SSSD. Nobody talks about ACLs + SSSD.

Then I came to the conclusion that samba + sssd + acls are not working yet.

> But I must say, I haven't tested/tried these, I don't use sssd.
> But I think these are useful for you to read at least.
>
> If you use the debian variant, you may need to install also:
> One or more of these: libnss-sss libpam-sss libsss-idmap0 libsss-sudo
>
> But same as Rowland is saying, you get better support at the sssd
> list.
>

.... or use winbind, as I have always done with samba3

Then yesterday in 5 minutes I installed, configured and activated winbind and now all works fine.

IMHO: probably it would be useful to write in some howto that "samba AD Member based on sssd has some problems with ACLs (not working yet)", so that other users like me do not waste time (2 days) attempting to make them work.

Many thanks to all

Dario

--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
Rowland Penny
2017-Feb-15 09:04 UTC
[Samba] Samba AD domain member with SSSD: ACL not work
On Wed, 15 Feb 2017 09:45:59 +0100
Dario Lesca via samba <samba at lists.samba.org> wrote:

>
> Then yesterday in 5 minutes I installed, configured and activated
> winbind and now all works fine.
>
> IMHO: probably it would be useful to write in some howto that "samba AD
> Member based on sssd has some problems with ACLs (not working yet)", so
> that other users like me do not waste time (2 days) attempting to make
> them work.
>

In a way we do, by not mentioning sssd on the Samba wiki ;-)

What is shown on the wiki is known to work.

At least your problems have shown that winbind works.

Rowland
On Wed, 15/02/2017 at 09.45 +0100, Dario Lesca via samba wrote:
> Then yesterday in 5 minutes I installed, configured and activated
> winbind and now all works fine.

Ok, ACLs now work, but now another problem has appeared.

I can only access my samba+winbind server from the Windows Server AD DC and from itself (smbclient -Uadministrator -L server-dati).

If I try to access it from a Windows PC in the domain (\\server-dati) it does not give access and asks for a user and password.

If I try to access it via smbclient from samba on another Linux PC (e.g. my notebook) not in the domain, I can access it only if I specify domain+user like this:

> smbclient -Usrl\\administrator%pwd //server-dati/dati

If I do not specify the domain but only the user, I do not get access and it shows this error:

> smbclient -Uadministrator%pwd //server-dati/dati -d3
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> added interface lo ip=::1 bcast
> netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
> added interface enp10s0 ip=192.168.1.195 bcast=192.168.1.255 netmask=255.255.255.0
> Client started (version 4.5.5).
> resolve_lmhosts: Attempting lmhosts lookup for name server-dati<0x20>
> resolve_wins: WINS server resolution selected and no WINS servers listed.
> resolve_hosts: Attempting host lookup for name server-dati<0x20>
> Connecting to 192.168.1.5 at port 445
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178 at please_ignore
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
> SPNEGO login failed: Logon failure
> session setup failed: NT_STATUS_LOGON_FAILURE

This is my smb.conf [global] section:

> # Global parameters
> [global]
> realm = SRL.LOCAL
> workgroup = SRL
> domain master = No
> local master = No
> preferred master = No
> log file = /var/log/samba/log.%m
> max log size = 50
> load printers = No
> printcap name = /dev/null
> client signing = if_required
> password server = tx150s8.srl.local
> security = ADS
> template homedir = /u/samba/home/%U
> template shell = /sbin/nologin
> winbind use default domain = Yes
> idmap config srl:schema_mode = rfc2307
> idmap config srl:range = 100000-199999
> idmap config srl:backend = tdb
> idmap config * : range = 10000-99999
> idmap config * : backend = tdb
> store dos attributes = Yes
> cups options = raw
> acl allow execute always = Yes
> map acl inherit = Yes
> hosts allow = 127. 192.168.1.
> vfs objects = acl_xattr
>

This is my krb5.conf:

> # Configuration snippets may be placed in this directory as well
> #includedir /etc/krb5.conf.d/
>
> #includedir /var/lib/sss/pubconf/krb5.include.d/
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_ccache_name = KEYRING:persistent:%{uid}
>
> default_realm = SRL.LOCAL
> # dns_lookup_kdc = false
> [realms]
> SRL.LOCAL = {
> # kdc = tx150s8.srl.local
> # admin_server = tx150s8.srl.local
> }
>
> [domain_realm]
> srl.local = SRL.LOCAL
> .srl.local = SRL.LOCAL
>

Any suggestion is appreciated

Many thanks

--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
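An added example, written for this archive page and not by anyone in the thread: a small Python check that pulls the unmappable SID out of the smbd "create_canon_ace_lists" log line quoted earlier and runs static sanity checks over the "idmap config" lines of the smb.conf above (default "*" domain present, ranges well-formed and non-overlapping, schema_mode only meaningful for the "ad" backend). The log line and config excerpt are constructed test input re-typed from the thread; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed test input, re-typed from the thread: the smbd log line with the
# unmappable SID, and the idmap lines of the smb.conf posted above.
SMBD_LOG = ("feb 14 17:45:44 samba-dati.srl.local smbd[3369]: create_canon_ace_lists: "
            "unable to map SID S-1-5-21-347198863-3916504048-2821235790-1213 to uid or gid.\n")
SMB_CONF = """[global]
idmap config srl:schema_mode = rfc2307
idmap config srl:range = 100000-199999
idmap config srl:backend = tdb
idmap config * : range = 10000-99999
idmap config * : backend = tdb
"""

SID_RE = re.compile(r"unable to map SID (S-1-5-21(?:-\d+){4}) to uid or gid")
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)

def unmapped_sids(log_text):
    """Unique SIDs that smbd reported as unmappable, in order of first appearance."""
    return list(dict.fromkeys(SID_RE.findall(log_text)))

def check_idmap(conf_text):
    """Static checks on 'idmap config' lines; returns a list of human-readable findings."""
    domains = defaultdict(dict)
    for dom, key, val in IDMAP_RE.findall(conf_text):
        domains[dom.upper()][key.lower()] = val
    findings, ranges = [], {}
    if "*" not in domains:
        findings.append("no 'idmap config *' default domain: unknown SIDs cannot be mapped")
    for dom, opts in domains.items():
        backend = opts.get("backend", "")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m:
            findings.append(f"{dom}: missing or malformed range")
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo >= hi:
            findings.append(f"{dom}: range {lo}-{hi} is empty or reversed")
        ranges[dom] = (lo, hi)
        # schema_mode selects the AD attribute schema for the 'ad' backend; other backends ignore it
        if "schema_mode" in opts and backend != "ad":
            findings.append(f"{dom}: schema_mode is an 'ad' backend option, ignored by '{backend}'")
    doms = sorted(ranges)
    for i, a in enumerate(doms):  # pairwise overlap check between all configured ranges
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges of {a} and {b} overlap")
    return findings
```

Running `check_idmap(SMB_CONF)` on the posted config reports only the schema_mode/tdb mismatch; the SID that smbd could not map is what `unmapped_sids(SMBD_LOG)` returns, and it is the value to resolve with winbind (wbinfo -s) on the member server once the idmap setup is in place.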