A. James Lewis
2017-Aug-23 13:27 UTC
[Samba] Windows pre-requisites for login with winbind?
I have to confess here, that on trying again, to get the error... I restarted everything to ensure there were no errant messages, and now installing libpam-krb5 does not cause a problem... the users are assigned a kerberos ticket when logging in which is nice too...

I must thank you and Rowland both, since I have learned a lot about how Kerberos works in this process, and debugged some issues that would probably have bitten me in future.

However, my original problem remains!...

That problem is more clearly defined now, "Some users do not show up with 'getent passwd username', while most do."

Those users can authenticate with Kerberos, and they are listed by wbinfo... but cannot log in, since they don't have a "password file entry".

What I need to find out is how it is that some users can authenticate, and are listed by wbinfo... BUT do not get mapped into what would be the password map.

Could it be that one side or the other is not supporting 32 bit UIDs... how would I tell?... can I query what the output of IDMAP would be with something like wbinfo, rather than getent passwd... so that I can see if there is an issue here?

How to go about debugging the IDMAP!?

James

August 23, 2017 7:39 AM, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> Wel at least you did find something.
> This gets my attention.
>
>> I have tried installing libpam-krb5, and it adds the
>> following line to common-auth, passwd, account and session:
>>
>> auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
>>
>> However, with that configuration, no users can log in (could
>> this be because the AD server had no RFC2307 unix
>> extensions)... so I have removed the package, and now I'm
>> back to the situation where only the 3 most recent users
>> cannot log in.
>>
>> Note that the users who can't log in, can authenticate with kinit!
>
> This is strange, if you install the libpam-krb5, you should still be able to login.
> What you can try here is run pam-auth-update
> Only enable unix winbind ( and if installed kerberos ) and if really needed mkhomedir.
>
> Now add Rowland comment :
>> Well, yes you probably have, that comes from the libpam-winbind package,
>> you just need the 'glue' that comes from the libpam-krb5 package.
>
> pam-auth-update does this.
>
> And what kind of messages are you seeing in auth.log when you tried the krb5 option and users where
> not able to login.
> Any messages there?
> And windows event id's ?
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: A. James Lewis [mailto:james at fsck.co.uk]
>> Sent: Tuesday 22 August 2017 16:59
>> To: L.P.H. van Belle; samba at lists.samba.org
>> Subject: Re: [Samba] Windows pre-requisites for login with winbind?
>>
>> August 22, 2017 2:32 PM, "L.P.H. van Belle via samba"
>> <samba at lists.samba.org> wrote:
>>
>>> You did not look right it should be there.
>>>
>>> # aptitude search libpam-krb5
>>> p libpam-krb5 - PAM module for MIT Kerberos
>>> p libpam-krb5:i386 - PAM module for MIT Kerberos
>>>
>>> Not installed.
>>>
>>> https://packages.ubuntu.com/zesty/libpam-krb5
>>> https://packages.ubuntu.com/artful/libpam-krb5
>>>
>>> Check this folder to see if "winbind unix krb5" is there.
>>> ls /usr/share/pam-configs
>>>
>>> # ls /usr/share/pam-configs
>>> capability gnome-keyring mkhomedir systemd unix winbind
>>>
>>> And run pam-auth-update --force to update the files.
>>> ! Note, krb5 has by default set : minimum_uid=1000
>>
>> I have tried installing libpam-krb5, and it adds the
>> following line to common-auth, passwd, account and session:
>>
>> auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
>>
>> However, with that configuration, no users can log in (could
>> this be because the AD server had no RFC2307 unix
>> extensions)... so I have removed the package, and now I'm
>> back to the situation where only the 3 most recent users
>> cannot log in.
>>
>> Note that the users who can't log in, can authenticate with kinit!
>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of A. James Lewis via samba
>>>> Sent: Tuesday 22 August 2017 15:02
>>>> To: Rowland Penny; samba at lists.samba.org
>>>> Subject: Re: [Samba] Windows pre-requisites for login with winbind?
>>>>
>>>> I have krb5-config krb5-user, but not libpam-krb5... I'm
>>>> slightly fuzzy about how this works, but I thought the
>>>> interaction with kerberos was implemented via winbind, so I
>>>> wasn't expecting this package to be installed... certainly
>>>> there is no dependency that has pulled it in.
>>>>
>>>> James
>>>>
>>>> August 22, 2017 1:15 PM, "Rowland Penny via samba"
>>>> <samba at lists.samba.org> wrote:
>>>>
>>>>> On Tue, 22 Aug 2017 12:01:20 +0000
>>>>> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Indeed!... you are correct... this does appear to be the kerberos
>>>>>> issue uncovered by Rowland's pointing out that I should not need to be
>>>>>> manually defining "kdc =", in my krb5.conf.... so with that resolved,
>>>>>> I'm hoping we can also find the cause of my original problem.
>>>>>>
>>>>>> Incidentally, this was my solution to upgrading Samba on my 17.04
>>>>>> test server, I think moving to 17.10 will ultimately have to be the
>>>>>> solution, but this let me carry on debugging this problem quickly.
>>>>>>
>>>>>> apt-get remove libnss-winbind libpam-winbind samba winbind
>>>>>> apt-get autoremove
>>>>>> cd /etc/apt/
>>>>>> sed -i "s,zesty,artful,g" sources.list
>>>>>> apt-get update    # refresh the package lists so the artful versions are seen
>>>>>> apt-get install samba libnss-winbind libpam-winbind winbind
>>>>>> sed -i "s,artful,zesty,g" sources.list
>>>>>> apt-get update
>>>>>> apt-get dist-upgrade
>>>>>>
>>>>>> James
>>>>>
>>>>> Do you also have the following packages installed:
>>>>>
>>>>> libpam-krb5 krb5-config krb5-user
>>>>>
>>>>> Rowland
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>> --
>>>> A. James Lewis (james at fsck.co.uk)
>>>> "Engineering does not require science. Science helps a lot but people
>>>> built perfectly good brick walls long before they knew why cement works."

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
Rowland Penny
2017-Aug-23 14:21 UTC
[Samba] Windows pre-requisites for login with winbind?
On Wed, 23 Aug 2017 13:27:01 +0000
"A. James Lewis via samba" <samba at lists.samba.org> wrote:

> I have to confess here, that on trying again, to get the error... I
> restarted everything to ensure there were no errant messages, and now
> installing libpam-krb5 does not cause a problem... the users are
> assigned a kerberos ticket when logging in which is nice too...
>
> I must thank you and Rowland both, since I have learned a lot about
> how Kerberos works in this process, and debugged some issues that
> would probably have bitten me in future.
>
> However, my original problem remains!...
>
> That problem is more clearly defined now, "Some users do not show up
> with 'getent passwd username', while most do."

This is very strange, you are now using the 'rid' backend, so all your users (and groups) in AD should be shown by 'getent passwd username'. As long as they are in AD with a RID, idmap_rid should map the RID to a Unix ID and as long as the ID is inside the range set in smb.conf for the domain, they should be returned. Thinking about it, I wonder if this is the problem? Try sticking another 0 onto the end of the 'DOMAIN' high range.

If that doesn't work, run this command:

wbinfo -n rowland | awk -F '-' '{print $8}' | awk '{print $1}'

Replace 'rowland' with your missing username, the output will be the user's RID, this plus '5000' should be inside '5000-10000'.

> Those users can authenticate with Kerberos, and they are listed by
> wbinfo... but cannot log in, since they don't have a "password file
> entry".

The users shouldn't have a "password file entry", everything should come from AD via winbind.

> What I need to find out is how it is that some users can
> authenticate, and are listed by wbinfo... BUT do not get mapped into
> what would be the password map.
>
> Could it be that one side or the other is not supporting 32 bit
> UIDs... how would I tell?... can I query what the output of IDMAP
> would be with something like wbinfo, rather than getent passwd... so
> that I can see if there is an issue here?
>
> How to go about debugging the IDMAP!?

Is there anything in either the Unix logs or the Windows event logs? Is there anything strange about the missing usernames, any accents, start with a number, that sort of thing.

Rowland
A. James Lewis
2017-Aug-23 14:39 UTC
[Samba] Windows pre-requisites for login with winbind?
OK, that is the answer, but can you explain what an "RID" is from a Windows perspective?... I had thought that the mapping was not a 1-1, and it appears it is, once the idmap range is taken into account.

idmap config DOMAIN:range = 5000-300000

My UIDs appear to be offset by 5000 from the RID... but I'd love to know exactly what a RID is.

Many thanks tho, I probably should have tried increasing this cap earlier!

James

August 23, 2017 3:26 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Wed, 23 Aug 2017 13:27:01 +0000
> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
>
>> I have to confess here, that on trying again, to get the error... I
>> restarted everything to ensure there were no errant messages, and now
>> installing libpam-krb5 does not cause a problem... the users are
>> assigned a kerberos ticket when logging in which is nice too...
>>
>> I must thank you and Rowland both, since I have learned a lot about
>> how Kerberos works in this process, and debugged some issues that
>> would probably have bitten me in future.
>>
>> However, my original problem remains!...
>>
>> That problem is more clearly defined now, "Some users do not show up
>> with 'getent passwd username', while most do."
>
> This is very strange, you are now using the 'rid' backend, so all your
> users (and groups) in AD should be shown by 'getent passwd username'.
> As long as they are in AD with a RID, idmap_rid should map the RID to a
> Unix ID and as long as the ID is inside the range set in smb.conf for
> the domain, they should be returned. Thinking about it, I wonder if
> this is the problem? Try sticking another 0 onto the end of the
> 'DOMAIN' high range.
>
> If that doesn't work, run this command:
>
> wbinfo -n rowland | awk -F '-' '{print $8}' | awk '{print $1}'
>
> Replace 'rowland' with your missing username, the output will be the
> user's RID, this plus '5000' should be inside '5000-10000'.
>
>> Those users can authenticate with Kerberos, and they are listed by
>> wbinfo... but cannot log in, since they don't have a "password file
>> entry".
>
> The users shouldn't have a "password file entry", everything should
> come from AD via winbind.
>
>> What I need to find out is how it is that some users can
>> authenticate, and are listed by wbinfo... BUT do not get mapped into
>> what would be the password map.
>>
>> Could it be that one side or the other is not supporting 32 bit
>> UIDs... how would I tell?... can I query what the output of IDMAP
>> would be with something like wbinfo, rather than getent passwd... so
>> that I can see if there is an issue here?
>>
>> How to go about debugging the IDMAP!?
>
> Is there anything in either the Unix logs or the Windows event logs?
> Is there anything strange about the missing usernames, any accents,
> start with a number, that sort of thing.
>
> Rowland

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
Rowland Penny
2017-Aug-23 15:06 UTC
[Samba] Windows pre-requisites for login with winbind?
On Wed, 23 Aug 2017 14:39:19 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:

> OK, that is the answer, but can you explain what an "RID" is from a
> Windows perspective?... I had thought that the mapping was not a 1-1,
> and it appears it is, once the idmap range is taken into account.
>
> idmap config DOMAIN:range = 5000-300000
>
> My UIDs appear to be offset by 5000 from the RID... but I'd love to
> know exactly what a RID is.
>
> Many thanks tho, I probably should have tried increasing this cap
> earlier!
>
> James

Not a problem, as you may or may not know, Unix uses numeric IDs to identify users & groups and names to identify domains. For instance 'SAMDOM\rowland' is a member of the SAMDOM domain with the id '10000'.

Windows does something similar, it uses 'SID-RID' to identify users and groups, in fact anything.

The SID identifies the domain and the RID identifies the object (which can be a user, group, etc).

A typical SID-RID will look like this:

S-1-5-21-1768301897-3342589593-1064908849-1107

The SID is the 'S-1-5-21-1768301897-3342589593-1064908849' part
The RID is the last part '1107'

The SID is used extensively in the AD database and is always the same (in each AD).

The RID is unique to the object and is never reused.

I hope this helps you understand things a bit better.

Rowland
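The two Rowland messages above together explain the whole mechanism: winbind's idmap_rid backend does not look anything up, it takes the RID (the last field of the account's SID) and adds the low end of the 'idmap config DOMAIN:range' to it, and an account whose result lands above the high end simply never reaches NSS, so 'wbinfo -n' resolves it while 'getent passwd' does not. The script below is an added example, not code from the thread or from Samba; it splits a SID the way Rowland describes and applies that arithmetic so you can check a missing user offline. It assumes idmap_rid's default 'base_rid = 0' and the 'S-1-5-21-A-B-C-RID SID_USER (1)' line that 'wbinfo -n USER' prints; the two SIDs it runs on are constructed sample data patterned on the one in Rowland's message.

```shell
#!/bin/sh
# Added example; not code from the thread. It redoes by hand what the
# idmap_rid backend does with 'idmap config DOMAIN:backend = rid', so you
# can see why a user that 'wbinfo -n USER' resolves can still be absent from
# 'getent passwd USER': LOW + RID must land inside LOW-HIGH.
# Assumptions: idmap_rid's default 'base_rid = 0', and 'wbinfo -n' output of
# the form 'S-1-5-21-A-B-C-RID SID_USER (1)'. All SIDs below are constructed
# sample data, patterned on the one in Rowland's message.

# sid_rid S-1-5-21-A-B-C-RID -> RID, the last dash-separated field
sid_rid() {
    printf '%s\n' "$1" | awk -F '-' '{print $NF}'
}

# sid_domain S-1-5-21-A-B-C-RID -> the domain SID, everything before the RID
sid_domain() {
    printf '%s\n' "$1" | sed 's/-[0-9][0-9]*$//'
}

# rid_uid RID LOW -> Unix ID that idmap_rid assigns: LOW + (RID - base_rid)
rid_uid() {
    printf '%s\n' $(( $1 + $2 ))
}

# idmap_check 'WBINFO_LINE' LOW HIGH
# Prints '<sid> rid=<rid> uid=<uid> in-range' or '... OUT-OF-RANGE' and
# returns 0 only when the mapped ID lies inside LOW-HIGH, the case in which
# winbind hands the account to NSS and 'getent passwd' can show it.
idmap_check() {
    sid=$(printf '%s\n' "$1" | awk '{print $1}')
    low=$2
    high=$3
    r=$(sid_rid "$sid")
    unix_id=$(rid_uid "$r" "$low")
    if [ "$unix_id" -ge "$low" ] && [ "$unix_id" -le "$high" ]; then
        printf '%s rid=%s uid=%s in-range\n' "$sid" "$r" "$unix_id"
        return 0
    fi
    printf '%s rid=%s uid=%s OUT-OF-RANGE (high end must be at least %s)\n' \
        "$sid" "$r" "$unix_id" "$unix_id"
    return 1
}

# Constructed sample: two accounts from one domain. With the range Rowland
# guessed (5000-10000) the second RID falls off the end; with the range
# James ended up with (5000-300000) both map.
for line in 'S-1-5-21-1768301897-3342589593-1064908849-1107 SID_USER (1)' \
            'S-1-5-21-1768301897-3342589593-1064908849-5321 SID_USER (1)'; do
    echo "domain $(sid_domain "${line%% *}")"
    idmap_check "$line" 5000 10000 || :
    idmap_check "$line" 5000 300000 || :
done
```

On a real member server replace the constructed lines with `wbinfo -n "$user"` and the two numbers with the domain's configured range; a user whose line comes back OUT-OF-RANGE is exactly one that wbinfo lists but getent cannot return, and the remedy is the one Rowland gave, raising the high end of the range (the mapping is arithmetic, so existing IDs do not change when you widen it upwards).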
A. James Lewis
2017-Aug-24 10:55 UTC
[Samba] Windows pre-requisites for login with winbind?
Yes indeed.... I know a lot about the Linux side, but Windows is a bit of a mystery to me... and I have to confess to not knowing exactly how nss links various directory services into the system.... hence my comment earlier with "Password file entry" in quotes... I know it's not in the password file, and is amalgamated into the password "map", via nss, but I'm not sure what the correct terminology is for that.... "map" makes me think NIS, but I guess it could be extended to other directory services now.

One thing I would ask, especially given your earlier assistance with my configs... could you advise what would be required to allow logging in to multiple domains. Existing configs included at the end:-

As far as I can see, so long as it can look up the _kerberos._tcp.DOMAIN2 record, I should not need to add anything to krb5.conf...

For smb.conf, clearly I need to add:-

idmap config DOMAIN2:backend = rid
idmap config DOMAIN2:range = 500000-800000

But do I need to add anything else to make that happen?

Thanks again.

James

------------------------------------------------

$ cat krb5.conf | ./anon.sh
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

$ cat smb.conf | ./anon.sh
[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.LOCAL
idmap config *:backend = tdb
idmap config *:range = 4000-4999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 5000-300000
winbind trusted domains only = no
winbind use default domain = yes
winbind refresh tickets = yes
template shell = /bin/bash
template homedir = /home/%D/%U

August 23, 2017 4:09 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Wed, 23 Aug 2017 14:39:19 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>
>> OK, that is the answer, but can you explain what an "RID" is from a
>> Windows perspective?... I had thought that the mapping was not a 1-1,
>> and it appears it is, once the idmap range is taken into account.
>>
>> idmap config DOMAIN:range = 5000-300000
>>
>> My UIDs appear to be offset by 5000 from the RID... but I'd love to
>> know exactly what a RID is.
>>
>> Many thanks tho, I probably should have tried increasing this cap
>> earlier!
>>
>> James
>
> Not a problem, as you may or may not know, Unix uses numeric IDs to
> identify users & groups and names to identify domains. For instance
> 'SAMDOM\rowland' is a member of the SAMDOM domain with the id '10000'.
>
> Windows does something similar, it uses 'SID-RID' to identify users and
> groups, in fact anything.
>
> The SID identifies the domain and the RID identifies the object (which
> can be a user, group, etc).
>
> A typical SID-RID will look like this:
>
> S-1-5-21-1768301897-3342589593-1064908849-1107
>
> The SID is the 'S-1-5-21-1768301897-3342589593-1064908849' part
> The RID is the last part '1107'
>
> The SID is used extensively in the AD database and is always the same
> (in each AD).
>
> The RID is unique to the object and is never reused.
>
> I hope this helps you understand things a bit better.
>
> Rowland

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."