A. James Lewis
2017-Aug-24 10:55 UTC
[Samba] Windows pre-requisites for login with winbind?
Yes indeed.... I know a lot about the Linux side, but Windows is a bit of a mystery to me... and I have to confess to not knowing exactly how nss links various directory services into the system.... hence my comment earlier with "Password file entry" in quotes... I know it's not in the password file, and is amalgamated into the password "map", via nss, but I'm not sure what the correct terminology is for that.... "map" makes me think NIS, but I guess it could be extended to other directory services now.

One thing I would ask, especially given your earlier assistance with my configs... could you advise what would be required to allow logging in to multiple domains.

Existing configs included at the end:-

As far as I can see, so long as it can look up the _kerberos._tcp.DOMAIN2 record, I should not need to add anything to krb5.conf...

For smb.conf, clearly I need to add:-

idmap config DOMAIN2:backend = rid
idmap config DOMAIN2:range = 500000-800000

But do I need to add anything else to make that happen?

Thanks again.

James

------------------------------------------------
$ cat krb5.conf | ./anon.sh
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

$ cat smb.conf | ./anon.sh
[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.LOCAL

idmap config *:backend = tdb
idmap config *:range = 4000-4999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 5000-300000

winbind trusted domains only = no
winbind use default domain = yes
winbind refresh tickets = yes

template shell = /bin/bash
template homedir = /home/%D/%U

August 23, 2017 4:09 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Wed, 23 Aug 2017 14:39:19 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>
>> OK, that is the answer, but can you explain what an "RID" is from a
>> Windows perspective?... I had thought that the mapping was not a 1-1,
>> and it appears it is, once the idmap range is taken into account.
>>
>> idmap config DOMAIN:range = 5000-300000
>>
>> My UIDs appear to be offset by 5000 from the RID... but I'd love to
>> know exactly what RID is.
>>
>> Many thanks though, I probably should have tried increasing this cap
>> earlier!
>>
>> James
>
> Not a problem, as you may or may not know, Unix uses numeric IDs to
> identify users & groups and names to identify domains. For instance
> 'SAMDOM\rowland' is a member of the SAMDOM domain with the id '10000'.
>
> Windows does something similar, it uses 'SID-RID' to identify users and
> groups, in fact anything.
>
> The SID identifies the domain and the RID identifies the object (which
> can be a user, group, etc.)
>
> A typical SID-RID will look like this:
>
> S-1-5-21-1768301897-3342589593-1064908849-1107
>
> The SID is the 'S-1-5-21-1768301897-3342589593-1064908849' part
> The RID is the last part '1107'
>
> The SID is used extensively in the AD database and is always the same
> (in each AD)
>
> The RID is unique to the object and is never reused.
>
> I hope this helps you understand things a bit better.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
Rowland Penny
2017-Aug-24 11:12 UTC
[Samba] Windows pre-requisites for login with winbind?
On Thu, 24 Aug 2017 10:55:26 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:

> Yes indeed.... I know a lot about the Linux side, but Windows is a
> bit of a mystery to me... and I have to confess to not knowing
> exactly how nss links various directory services into the system....
> hence my comment earlier with "Password file entry" in quotes... I
> know it's not in the password file, and is amalgamated into the
> password "map", via nss, but I'm not sure what the correct
> terminology is for that.... "map" makes me think NIS, but I guess it
> could be extended to other directory services now.
>
> One thing I would ask, especially given your earlier assistance with
> my configs... could you advise what would be required to allow
> logging in to multiple domains.
>
> Existing configs included at the end:-
>
> As far as I can see, so long as it can look up the
> _kerberos._tcp.DOMAIN2 record, I should not need to add anything to
> krb5.conf...
>
> For smb.conf, clearly I need to add:-
>
> idmap config DOMAIN2:backend = rid
> idmap config DOMAIN2:range = 500000-800000
>
> But do I need to add anything else to make that happen?
>
> Thanks again.
>
> James
>
> ------------------------------------------------
> $ cat krb5.conf | ./anon.sh
> [libdefaults]
> default_realm = DOMAIN.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
>
> $ cat smb.conf | ./anon.sh
> [global]
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.LOCAL
>
> idmap config *:backend = tdb
> idmap config *:range = 4000-4999
> idmap config DOMAIN:backend = rid
> idmap config DOMAIN:range = 5000-300000
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind refresh tickets = yes
>
> template shell = /bin/bash
> template homedir = /home/%D/%U
>

In theory (wonderful thing, theory) you just need to set up a two-way trust between the two domains and then add the lines you propose, restart Samba and it should work.

It used to work with Samba3, but I haven't tried it lately ;-)

Rowland
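Rowland's SID-RID explanation above (the SID names the domain, the RID names the object) and the per-domain `idmap config ... :range` lines that James proposes for DOMAIN2 both come down to the same arithmetic, which is what produced the "offset by 5000" observation and the cap James hit. The script below is an added example, not code from the thread or from Samba: it parses the idmap lines of an smb.conf, applies the idmap_rid rule documented in idmap_rid(8) (ID = RID - base_rid + low end of the range, with base_rid defaulting to 0), reports an ID as unmappable when it would land outside the domain's range, and checks that no two domains' ranges overlap. The smb.conf fragment is constructed from the thread's config plus the proposed DOMAIN2 block; the DOMAIN SID is the domain part of Rowland's example SID-RID, and the DOMAIN2 SID is made up. The domain-SID-to-name table stands in for what `wbinfo --domain-info` would return and is an assumption of the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment: the thread's [global] idmap lines plus the
# DOMAIN2 block James proposes. Whitespace is as a real smb.conf would have it.
SMB_CONF = """
[global]
   workgroup = DOMAIN
   security = ADS
   realm = DOMAIN.LOCAL

   idmap config *:backend = tdb
   idmap config *:range = 4000-4999
   idmap config DOMAIN:backend = rid
   idmap config DOMAIN:range = 5000-300000
   idmap config DOMAIN2:backend = rid
   idmap config DOMAIN2:range = 500000-800000
"""

# Assumed domain SID -> NetBIOS name table (what 'wbinfo --domain-info' reports).
# DOMAIN's SID is the domain part of Rowland's example; DOMAIN2's SID is constructed.
DOMAIN_SIDS = {
    "S-1-5-21-1768301897-3342589593-1064908849": "DOMAIN",
    "S-1-5-21-1111111111-2222222222-3333333333": "DOMAIN2",
}

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^:\s]+)\s*:\s*(backend|range|base_rid)\s*=\s*(.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, dict]:
    """Collect backend, (low, high) range and base_rid for every idmap config domain."""
    cfg: Dict[str, dict] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        d = cfg.setdefault(dom, {"backend": None, "range": None, "base_rid": 0})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-"))
            d["range"] = (lo, hi)
        elif key == "base_rid":
            d["base_rid"] = int(val)
        else:
            d["backend"] = val.lower()
    return cfg


def split_sid(sid_rid: str) -> Tuple[str, int]:
    """'S-1-5-21-a-b-c-1107' -> ('S-1-5-21-a-b-c', 1107): domain SID and RID."""
    dom_sid, _, rid = sid_rid.rpartition("-")
    return dom_sid, int(rid)


def rid_to_id(sid_rid: str, cfg: Dict[str, dict], domain_sids: Dict[str, str]) -> Optional[int]:
    """idmap_rid rule: ID = RID - base_rid + range_low. None when winbind would not map it.

    The same number space is used for users and groups, so this is a uid or a gid.
    """
    dom_sid, rid = split_sid(sid_rid)
    dom = domain_sids.get(dom_sid)
    if dom is None or dom not in cfg:
        return None  # unknown domain: handled by the '*' tdb backend, which allocates, not computes
    d = cfg[dom]
    if d["backend"] != "rid" or d["range"] is None:
        return None
    lo, hi = d["range"]
    unix_id = rid - d["base_rid"] + lo
    if unix_id < lo or unix_id > hi:
        return None  # RID too large for the range: the "cap" James had to raise
    return unix_id


def overlapping_ranges(cfg: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Pairs of domains whose ranges overlap; every idmap range must be disjoint."""
    items = [(dom, d["range"]) for dom, d in cfg.items() if d["range"]]
    bad = []
    for i in range(len(items)):
        for j in range(i + 1, len(items)):
            (a, (alo, ahi)), (b, (blo, bhi)) = items[i], items[j]
            if alo <= bhi and blo <= ahi:
                bad.append((a, b))
    return bad


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for sid in ("S-1-5-21-1768301897-3342589593-1064908849-1107",   # RID 1107 in DOMAIN
                "S-1-5-21-1768301897-3342589593-1064908849-295001", # just past DOMAIN's range
                "S-1-5-21-1111111111-2222222222-3333333333-1107"):  # RID 1107 in DOMAIN2
        print(sid, "->", rid_to_id(sid, cfg, DOMAIN_SIDS))
    print("overlapping ranges:", overlapping_ranges(cfg))
```

With the thread's DOMAIN range of 5000-300000, RID 1107 maps to 6107, which is the 5000 offset James noticed, and any RID above 295000 is refused rather than mapped; adding DOMAIN2 only works cleanly if its range is disjoint from both DOMAIN's and the `*` tdb range, which the overlap check verifies before a restart of winbind reveals it the hard way.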
A. James Lewis
2017-Aug-24 12:26 UTC
[Samba] Windows pre-requisites for login with winbind?
Well, network connectivity to the other DC would probably also be required... and I don't have that currently... so there's the first hurdle... but thanks for confirming that there's no other configuration required.

I'm slightly surprised that the smb.conf does not require the full realm name like "DOMAIN2.LOCAL" somewhere in there.

James

August 24, 2017 12:14 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Thu, 24 Aug 2017 10:55:26 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>
>> Yes indeed.... I know a lot about the Linux side, but Windows is a
>> bit of a mystery to me... and I have to confess to not knowing
>> exactly how nss links various directory services into the system....
>> hence my comment earlier with "Password file entry" in quotes... I
>> know it's not in the password file, and is amalgamated into the
>> password "map", via nss, but I'm not sure what the correct
>> terminology is for that.... "map" makes me think NIS, but I guess it
>> could be extended to other directory services now.
>>
>> One thing I would ask, especially given your earlier assistance with
>> my configs... could you advise what would be required to allow
>> logging in to multiple domains.
>>
>> Existing configs included at the end:-
>>
>> As far as I can see, so long as it can look up the
>> _kerberos._tcp.DOMAIN2 record, I should not need to add anything to
>> krb5.conf...
>>
>> For smb.conf, clearly I need to add:-
>>
>> idmap config DOMAIN2:backend = rid
>> idmap config DOMAIN2:range = 500000-800000
>>
>> But do I need to add anything else to make that happen?
>>
>> Thanks again.
>>
>> James
>>
>> ------------------------------------------------
>> $ cat krb5.conf | ./anon.sh
>> [libdefaults]
>> default_realm = DOMAIN.LOCAL
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> $ cat smb.conf | ./anon.sh
>> [global]
>> workgroup = DOMAIN
>> security = ADS
>> realm = DOMAIN.LOCAL
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 4000-4999
>> idmap config DOMAIN:backend = rid
>> idmap config DOMAIN:range = 5000-300000
>>
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind refresh tickets = yes
>>
>> template shell = /bin/bash
>> template homedir = /home/%D/%U
>
> In theory (wonderful thing, theory) you just need to set up a two-way
> trust between the two domains and then add the lines you propose,
> restart Samba and it should work. It used to work with Samba3, but I
> haven't tried it lately ;-)
>
> Rowland

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
Rowland Penny
2017-Aug-24 12:48 UTC
[Samba] Windows pre-requisites for login with winbind?
On Thu, 24 Aug 2017 12:26:11 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:

> Well, network connectivity to the other DC would probably also be
> required... and I don't have that currently... so there's the first
> hurdle... but thanks for confirming that there's no other
> configuration required.
>
> I'm slightly surprised that the smb.conf does not require the full
> realm name like "DOMAIN2.LOCAL" somewhere in there.
>

No, you only need it for the realm the Unix domain member is joined to.

Rowland