Hi all, my goal is to have samba (ubuntu 16.04 samba 4.3.11) validating internal users (just the users present in /etc/passwd) on an existing AD 2008R2. I am making a fresh install and I did it using winbind, but this component puzzles me with id mapping, so I am trying to avoid the use of winbind. Unfortunately, when I stop winbind I always get NT_STATUS_NO_LOGON_SERVERS; it seems like samba is not able to reach the PDC; digging with tcpdump shows the usage of only port 445 by samba, while winbind also uses 135 and 88 ... Any clue? thank you.

Daniele Bernazzi
On Wed, 24 May 2017 08:25:57 +0200 (CEST)
Daniele Bernazzi via samba <samba at lists.samba.org> wrote:
> Hi all, my goal is to have samba (ubuntu 16.04 samba 4.3.11)
> validating internal users (just the users present in /etc/passwd) on
> an existing AD 2008R2. I am making a fresh install and I did it using
> winbind, but this component puzzles me with id mapping, so I am trying
> to avoid the use of winbind. Unfortunately, when I stop winbind I
> always get NT_STATUS_NO_LOGON_SERVERS; it seems like samba is not able to
> reach the PDC; digging with tcpdump shows the usage of only port 445
> by samba, while winbind also uses 135 and 88 ... Any clue? thank you.
>
> Daniele Bernazzi

Not sure I understand what you are saying, but you seem to be saying you have a Windows 2008R2 server running as an AD DC, is this correct?

If this is correct, your plan to validate users that are in /etc/passwd isn't going to work. You cannot have users in /etc/passwd and AD: if they are in /etc/passwd they are local users and have nothing to do with AD, and if they are in AD, they are AD users but can also be local users.

If your computer is joined to the domain, you need to use winbind, so just what problems did you have?

Rowland
On Wed, 24 May 2017 12:08:09 +0200 (CEST)
Daniele Bernazzi <daniele at ao-siena.toscana.it> wrote:
> Hi Rowland, I did a reply to the list (just to the list, not to all)
> some hours ago, but I can't see it on the thread, so I am resending it
> just to you:
>
> Thank you Rowland for your prompt reply. From what I read it is possible
> to use samba without winbind:
> See:
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
>
> There is this note in that doc:
> If winbindd is not running, smbd (which calls winbindd) will fall
> back to using purely local information from /etc/passwd
> and /etc/group and no dynamic mapping will be used. On an operating
> system that has been enabled with the NSS, the resolution of user and
> group information will be accomplished via NSS.
>
> I wish to restrict access just to users present in /etc/passwd.
> With winbind I have to adopt some workarounds to match the unix uid
> with the windows sid and I am trying to avoid it
>
> Daniele

It sounds like you are trying to set up a standalone server, so see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server

On this type of Samba server you need the users in /etc/passwd, but they still need to be Samba users. So you will need to create any users that you want to connect and ensure they have the same password as the windows user, e.g. windows user 'fred' with the password 'password' will need to be created as the Unix user 'fred' with the password 'password' on the standalone server; you will then need to make the Unix user 'fred' a Samba user with the password 'password'.

If the windows user changes their password, then the Unix & Samba passwords will need to be changed.

Whereas a Unix domain member only has the username and password stored in one place, AD.

Rowland
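The standalone-server setup Rowland describes, written out as an added smb.conf example (not taken from the thread or the Samba wiki); the workgroup name, share path and the user 'fred' are assumed:

```ini
# Added example: minimal smb.conf for the standalone server Rowland describes.
# Not from the thread; workgroup, share path and the user name are assumed.
[global]
   workgroup = WORKGROUP
   server role = standalone server
   # Authenticate against Samba's own password database, not the AD DC,
   # so winbind is not involved and no SID-to-uid mapping is needed.
   security = user
   passdb backend = tdbsam
   # Refuse unknown users outright instead of mapping them to guest.
   map to guest = Never

[data]
   path = /srv/samba/data
   # Only the listed users (which must exist as Unix AND Samba users) may connect.
   valid users = fred
   read only = no

# Each user has to exist twice, with the Samba password equal to the
# password the Windows user types (assumed commands, run as root):
#   useradd -M fred        # Unix account, supplies the uid for file ownership
#   smbpasswd -a fred      # Samba password, stored in passdb.tdb; this is what
#                          # smbd checks SMB logins against
# When the Windows password changes, run 'smbpasswd fred' again: a standalone
# server never learns about the change from AD.
```

Run `testparm` on the file before restarting smbd to catch typos in the option names.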
On 05/24/2017 09:04 AM, Rowland Penny via samba wrote:
> On Wed, 24 May 2017 08:25:57 +0200 (CEST)
> Daniele Bernazzi via samba <samba at lists.samba.org> wrote:
>
>> Hi all, my goal is to have samba (ubuntu 16.04 samba 4.3.11)
>> validating internal users (just the users present in /etc/passwd) on
>> an existing AD 2008R2. I am making a fresh install and I did it using
>> winbind, but this component puzzles me with id mapping, so I am trying
>> to avoid the use of winbind. Unfortunately, when I stop winbind I
>> always get NT_STATUS_NO_LOGON_SERVERS; it seems like samba is not able to
>> reach the PDC; digging with tcpdump shows the usage of only port 445
>> by samba, while winbind also uses 135 and 88 ... Any clue? thank you.
>>
>> Daniele Bernazzi
>>
>
> Not sure I understand what you are saying, but you seem to be saying
> you have a Windows 2008R2 server running as an AD DC, is this correct?
>
> If this is correct, your plan to validate users that are in /etc/passwd
> isn't going to work. You cannot have users in /etc/passwd and AD: if
> they are in /etc/passwd they are local users and have nothing to do
> with AD, and if they are in AD, they are AD users but can also be local
> users.
>
> If your computer is joined to the domain, you need to use winbind, so
> just what problems did you have?
>
> Rowland
>

Thank you Rowland for your prompt reply. From what I read it is possible to use samba without winbind:
See:
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

There is this note in that doc:
If winbindd is not running, smbd (which calls winbindd) will fall back to using purely local information from /etc/passwd and /etc/group and no dynamic mapping will be used. On an operating system that has been enabled with the NSS, the resolution of user and group information will be accomplished via NSS.

I wish to restrict access just to users present in /etc/passwd.
With winbind I have to adopt some workarounds to match the unix uid with the windows sid and I am trying to avoid it

Daniele
> From: "Rowland Penny" <rpenny at samba.org>
> To: samba at lists.samba.org
> Cc: "Daniele Bernazzi" <daniele at ao-siena.toscana.it>
> Sent: Wednesday, 24 May 2017 12:45:56
> Subject: Re: [Samba] samba 4 in AD 2008R2 without winbind
>
> On Wed, 24 May 2017 12:08:09 +0200 (CEST)
> Daniele Bernazzi <daniele at ao-siena.toscana.it> wrote:
>
> > Hi Rowland, I did a reply to the list (just to the list, not to all)
> > some hours ago, but I can't see it on the thread, so I am resending it
> > just to you:
> >
> > Thank you Rowland for your prompt reply. From what I read it is possible
> > to use samba without winbind:
> > See:
> > https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
> >
> > There is this note in that doc:
> > If winbindd is not running, smbd (which calls winbindd) will fall
> > back to using purely local information from /etc/passwd
> > and /etc/group and no dynamic mapping will be used. On an operating
> > system that has been enabled with the NSS, the resolution of user and
> > group information will be accomplished via NSS.
> >
> > I wish to restrict access just to users present in /etc/passwd.
> > With winbind I have to adopt some workarounds to match the unix uid
> > with the windows sid and I am trying to avoid it
> >
> > Daniele
>
> It sounds like you are trying to set up a standalone server, so see
> here:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
>
> On this type of Samba server you need the users in /etc/passwd, but
> they still need to be Samba users. So you will need to create any users
> that you want to connect and ensure they have the same password as the
> windows user
>
> e.g. windows user 'fred' with the password 'password' will need to be
> created as the Unix user 'fred' with the password 'password' on the
> standalone server; you will then need to make the Unix user 'fred' a
> Samba user with the password 'password'
>
> If the windows user changes their password, then the Unix & Samba
> passwords will need to be changed.
>
> Whereas a Unix domain member only has the username and password
> stored in one place, AD.
>
> Rowland
>
>

So far for the standalone server, Rowland, but is it not possible to authenticate (just authenticate) against Active Directory? This configuration is now working on another server with samba 3 ... access is allowed to users declared in /etc/passwd (these users do not have a unix password) and the client transparently uses the password they supplied at login time. I am not able to replicate this configuration in samba 4.

thank you