On Tue, 11 Jul 2017 12:05:28 +0200 "Stefan G. Weichinger" <lists at xunil.at> wrote:

> On 2017-07-11 at 11:57 Rowland Penny wrote:
>
> > Remove this local Unix group, you cannot have a group (or a user)
> > in AD and /etc/group
>
> ok, done
>
> > Probably because '11029' isn't a 'RID', it will be a uidNumber.
> >
> > Try running this on your DC:
> >
> > ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub
> > "(&(objectclass=group)(gidnumber=11029))"
>
> # Referral
> ref: ldap://secret.at/CN=Configuration,DC=secret,DC=at
>
> # Referral
> ref: ldap://secret.at/DC=DomainDnsZones,DC=secret,DC=at
>
> # Referral
> ref: ldap://secret.at/DC=ForestDnsZones,DC=secret,DC=at
>
> # returned 3 records
> # 0 entries
> # 3 referrals
>
> so not there ....

Try running this:

ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub "(&(objectclass=user)(uidnumber=11029))"

This will check if it is a user.

Can you post the smb.conf from the DM (and the DC)

Rowland
Stefan G. Weichinger
2017-Jul-11 10:22 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
On 2017-07-11 at 12:16 Rowland Penny wrote:

> Try running this:
>
> ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub
> "(&(objectclass=user)(uidnumber=11029))"
>
> This will check if it is a user.

Did so, no entry returned.

--

plus: please note that yesterday all users could work normally ....

> Can you post the smb.conf from the DM (and the DC)

DC:

root at pre01svdeb02:~# cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = BUERO
realm = secret.AT
netbios name = DC
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
load printers = No
printcap name = /dev/null
log level = 2
dns forwarder = 192.168.16.111

# lph
template shell = /bin/bash
sdb:schema update allowed = no
time server = yes
usershare path

[netlogon]
path = /var/lib/samba/sysvol/secret.at/scripts
read only = No
acl_xattr:ignore system acls = Yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No
acl_xattr:ignore system acls = Yes

----

DM:

root at pre01svdeb01:~# cat /etc/samba/smb.conf
# This file is managed remotely, all changes will be lost

[global]
workgroup = BUERO
realm = secret.AT
netbios name = SERVER

security = ADS
map to guest = Bad User
username map = /etc/samba/smbusers

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes

winbind trusted domains only = no
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes

winbind nss info = template
template shell = /usr/sbin/nologin

map untrusted to domain = Yes

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain BUERO
idmap config BUERO:backend = rid
idmap config BUERO:range = 10000-99999
idmap config BUERO:schema_mode = rfc2307

load printers = no
printing = bsd
printcap name = /dev/null

# turn off roaming profiles
logon path = ""
logon home = ""

#hosts allow = localhost 192.168.16. 172.32.99.

log level = 3

....

skipped shares, OK ?

thanks a lot ...
On Tue, 11 Jul 2017 12:22:36 +0200 "Stefan G. Weichinger" <lists at xunil.at> wrote:

> On 2017-07-11 at 12:16 Rowland Penny wrote:
>
> > Try running this:
> >
> > ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub
> > "(&(objectclass=user)(uidnumber=11029))"
> >
> > This will check if it is a user.
>
> Did so, no entry returned.
>
> --
>
> plus: please note that yesterday all users could work normally ....
>
> > Can you post the smb.conf from the DM (and the DC)
>
> DC:
>
> root at pre01svdeb02:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> workgroup = BUERO
> realm = secret.AT
> netbios name = DC
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> load printers = No
> printcap name = /dev/null
> log level = 2
> dns forwarder = 192.168.16.111
>
> # lph
> template shell = /bin/bash
> sdb:schema update allowed = no
> time server = yes
> usershare path
>
> [netlogon]
> path = /var/lib/samba/sysvol/secret.at/scripts
> read only = No
> acl_xattr:ignore system acls = Yes
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> acl_xattr:ignore system acls = Yes
>
> ----
>
> DM:
>
> root at pre01svdeb01:~# cat /etc/samba/smb.conf
> # This file is managed remotely, all changes will be lost
>
> [global]
> workgroup = BUERO
> realm = secret.AT
> netbios name = SERVER
>
> security = ADS
> map to guest = Bad User
> username map = /etc/samba/smbusers
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> winbind trusted domains only = no
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
>
> winbind nss info = template
> template shell = /usr/sbin/nologin
>
> map untrusted to domain = Yes
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain BUERO
> idmap config BUERO:backend = rid
> idmap config BUERO:range = 10000-99999
> idmap config BUERO:schema_mode = rfc2307

Well, that explains where '11029' is coming from, you are using the 'rid' backend.

The user's (or group's) ID will be calculated using this formula:

ID = RID - BASE_RID + LOW_RANGE_ID

BASE_RID is by default '0', so it becomes:

ID = RID + LOW_RANGE_ID

So, in your case it becomes 11029 = 1029 + 10000

Of course, using the 'rid' backend means that you do not need to add anything to AD and you do not need this line in smb.conf:

idmap config BUERO:schema_mode = rfc2307

Or you could just change 'idmap config BUERO:backend = rid' to 'idmap config BUERO:backend = ad' and use the rfc2307 attributes in AD.

Rowland
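The 'rid' backend arithmetic Rowland describes, worked through as an added example (this is illustration code, not Samba's own implementation and not from the thread). It parses the 'idmap config' lines from an smb.conf fragment modelled on the member-server config posted above, maps a RID or a full SID to a Unix ID and back with the formula ID = RID - BASE_RID + LOW_RANGE_ID, reports which configured range an existing Unix ID falls into, and flags the 'schema_mode' line that has no effect with the 'rid' backend. The smb.conf fragment and the domain SID are constructed sample values, not the real BUERO domain.

```python
"""Samba idmap 'rid' backend arithmetic, as an added worked example."""
import re

# Constructed sample: only the idmap lines that matter, modelled on the
# member server's [global] section from the thread.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = BUERO
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config BUERO:backend = rid
   idmap config BUERO:range = 10000-99999
   idmap config BUERO:schema_mode = rfc2307
"""

# Constructed placeholder domain SID (not a real domain's SID).
SAMPLE_DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"

# 'idmap config DOMAIN : option = value' (domain and option may not contain
# whitespace, ':' or '=').
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^\s:]+)\s*:\s*([^\s=]+)\s*=\s*(.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_config(conf_text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            cfg.setdefault(domain.upper(), {})[option.lower()] = value
    return cfg


def parse_range(value):
    """'10000-99999' -> (10000, 99999); rejects an inverted range."""
    low, high = (int(x) for x in value.split("-", 1))
    if low > high:
        raise ValueError("idmap range low > high: %s" % value)
    return low, high


def rid_to_id(rid, cfg, domain):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when the result leaves the range."""
    dom = cfg[domain.upper()]
    if dom.get("backend", "").lower() != "rid":
        raise ValueError("domain %s does not use the rid backend" % domain)
    low, high = parse_range(dom["range"])
    base_rid = int(dom.get("base_rid", 0))  # Samba's default base_rid is 0
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None  # winbind will not hand out an ID outside the range
    return unix_id


def id_to_rid(unix_id, cfg, domain):
    """Inverse: RID = ID - LOW_RANGE_ID + BASE_RID; None if ID is not in range."""
    dom = cfg[domain.upper()]
    low, high = parse_range(dom["range"])
    if unix_id < low or unix_id > high:
        return None
    return unix_id - low + int(dom.get("base_rid", 0))


def sid_to_id(sid, cfg, domain, domain_sid):
    """Split the RID off a full SID, check it belongs to domain_sid, map it."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid or not rid.isdigit():
        return None  # foreign domain (or malformed SID): no mapping here
    return rid_to_id(int(rid), cfg, domain)


def classify_id(unix_id, cfg):
    """Name the idmap domain whose range holds unix_id ('*' is the default)."""
    for domain, opts in cfg.items():
        if "range" in opts:
            low, high = parse_range(opts["range"])
            if low <= unix_id <= high:
                return domain
    return None


def check_config(cfg):
    """Warnings a reviewer would raise; currently the point made in the thread."""
    warnings = []
    for domain, opts in cfg.items():
        if opts.get("backend", "").lower() == "rid" and "schema_mode" in opts:
            warnings.append(
                "%s: schema_mode has no effect with the rid backend" % domain)
    return warnings


if __name__ == "__main__":
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    print("RID 1029 ->", rid_to_id(1029, cfg, "BUERO"))
    print("uid 11029 is in range of", classify_id(11029, cfg))
    for w in check_config(cfg):
        print("warning:", w)
```

Running the block on the sample config reproduces the thread's arithmetic (RID 1029 maps to 11029 in BUERO's 10000-99999 range) and shows the reverse question a practitioner actually asks when a strange uid appears in a log: which configured range it belongs to, and therefore which backend produced it.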