Chris Alavoine
2017-Nov-07 15:47 UTC
[Samba] Attempting a trust between Samba and Windows AD DC
Hi Rowland, Thanks for the swift response. I'm not married to SSSD and am happy to use the best tool for the job, but was just looking for some general advice on my situation. I'll post on the sssd-users mailing as well. Thanks, Chris. On 7 November 2017 at 15:38, Rowland Penny <rpenny at samba.org> wrote:> On Tue, 7 Nov 2017 15:06:55 +0000 > Chris Alavoine via samba <samba at lists.samba.org> wrote: > > > Hi all, > > > > We are about to integrate a large number of users into our > > organisation and I've been tasked with attempting to allow said users > > access to our internal systems which are controlled from 10 x Samba > > 4.6.3 DC's across several sites. > > > > All Samba DC's are running either Ubuntu 14.04 or 16.04. > > > > Replication works nicely between these DC's and this system has been > > relatively stable for some time now. We use BIND_DLZ as our DNS > > backend. > > > > The new users will be being created on a Windows Server 2016 AD DC > > and I've created a trust between the 2 domains (which has validated > > at both ends). wbinfo returns useful information for each domain and > > I've got SSSD working from a member server. I can assign rights to a > > share on a member server from the trusted domain and all looks good. > > However, I am unable to access the shares on our member servers > > (fileservers) as one of the new external users. It feels like I'm > > quite close but I am either missing something very obvious or going > > about it in the wrong way. > > > > All member servers are running Ubuntu and at least Samba 4.6.3 (some > > of them newer). I've created a test member server for me to test > > things out on. I am currently testing with SSSD as it allows multiple > > domains to be declared. My smb.conf currently looks like this: > > > > [global] > > netbios name = FS-006 > > security = ADS > > realm = EXAMPLE.COM > > workgroup = EXAMPLE > > > > allow trusted domains = yes > > > > log file = /var/log/samba/%m.log > > > > kerberos method = secrets and keytab > > > > idmap config *:backend = tdb > > idmap config *:range = 500-2000 > > idmap config EXAMPLE:backend = ad > > idmap config EXAMPLE:schema_mode = rfc2307 > > idmap config EXAMPLE:range = 10000-9999999 > > idmap config EXTERNAL:backend = ad > > idmap config EXTERNAL:schema_mode = rfc2307 > > idmap config EXTERNAL:range = 10000000-99999999999 > > If you are running sssd and using it for authentication, then the above > 'idmap config' is useless. > If you want to continue using sssd, then can I suggest asking on the > sssd-users mailing list, sssd has nothing to do with Samba. > > Rowland >-- ACS (Alavoine Computer Services Ltd) Chris Alavoine mob +44 (0)7724 710 730 www.alavoinecs.co.uk http://twitter.com/#!/alavoinecs http://www.linkedin.com/pub/chris-alavoine/39/606/192
Rowland Penny
2017-Nov-07 16:14 UTC
[Samba] Attempting a trust between Samba and Windows AD DC
On Tue, 7 Nov 2017 15:47:16 +0000 Chris Alavoine <chrisa at acs-info.co.uk> wrote:> Hi Rowland, > > Thanks for the swift response. > > I'm not married to SSSD and am happy to use the best tool for the > job, but was just looking for some general advice on my situation. >I cannot help you with sssd, I haven't used it for quite a few years now. I am willing to try to help you with your problem, but you are going to have to remove sssd first ;-) If you do remove sssd, check what packages are removed and then reinstall any that have 'winbind' in their names, but don't also contain 'sss' Rowland
Chris Alavoine
2017-Nov-15 17:27 UTC
[Samba] Attempting a trust between Samba and Windows AD DC
Hi all,
I didn't have much luck getting SSSD to work so I'm currently testing
out
the following:
Built a new member server from source on Ubuntu 16.04. I used the following
./configure statement:
./configure --enable-fhs --prefix=/usr --sysconfdir=/etc
--localstatedir=/var --libdir=/usr/lib/x86_64-linux-gnu
This seems to install nicely onto Ubuntu and puts everything in the right
place. Winbind works well which is what I've always had problems with in
the past.
My current smb.conf on the Domain member looks like this:
[global]
netbios name = FS-007
security = ADS
workgroup = EXAMPLE
realm = ADS.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 7
idmap config * : backend = tdb
idmap config * : range = 200-499
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 500-400000
idmap config EXAMPLE:unix_nss_info = yes
idmap config EXAMPLE:unix_primary_group = yes
idmap config EXTERNAL : backend = rid
idmap config EXTERNAL : range = 400001-99999999
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U
# allow trusted domains = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
# kerberos method = secrets and keytab
client signing = yes
client use spnego = yes
vfs objects = acl_xattr,full_audit
server signing = mandatory
# VFS settings
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = notice
map acl inherit = yes
store dos attributes = yes
##SHARES
[test]
path = /data/test/
read only = no
This gives me good connectivity on the EXAMPLE domain, wbinfo and getent
work nicely and are returning correct values.
Not much luck getting EXTERNAL domain to work though. A trust exists
between the two forests and Kerberos and DNS are all working ok.
"wbinfo -u --domain EXTERNAL" returns users as does "wbinfo -g
--domain
EXTERNAL" return groups. However, I cannot get getent to give me anything.
The EXAMPLE domain is a group of Samba 4.6.3 DC's (about 10 of them, all
replicating ok).
The EXTERNAL domain is a new Windows AD DC running Windows Server 2008 R2,
I've also added a new Samba 4.7.2 to this domain which is replicating
nicely.
I've tried both rid and ad on the EXTERNAL domain with no luck.
I've installed Server for NIS on the Windows Server 2008 R2 AD DC and added
NIS info there (this was for testing using ad on idmap), but no joy.
Any pointers most appreciated.
Thanks,
Chris.
On 7 November 2017 at 15:47, Chris Alavoine <chrisa at acs-info.co.uk>
wrote:
> Hi Rowland,
>
> Thanks for the swift response.
>
> I'm not married to SSSD and am happy to use the best tool for the job,
but
> was just looking for some general advice on my situation.
>
> I'll post on the sssd-users mailing as well.
>
> Thanks,
> Chris.
>
> On 7 November 2017 at 15:38, Rowland Penny <rpenny at samba.org>
wrote:
>
>> On Tue, 7 Nov 2017 15:06:55 +0000
>> Chris Alavoine via samba <samba at lists.samba.org> wrote:
>>
>> > Hi all,
>> >
>> > We are about to integrate a large number of users into our
>> > organisation and I've been tasked with attempting to allow
said users
>> > access to our internal systems which are controlled from 10 x
Samba
>> > 4.6.3 DC's across several sites.
>> >
>> > All Samba DC's are running either Ubuntu 14.04 or 16.04.
>> >
>> > Replication works nicely between these DC's and this system
has been
>> > relatively stable for some time now. We use BIND_DLZ as our DNS
>> > backend.
>> >
>> > The new users will be being created on a Windows Server 2016 AD DC
>> > and I've created a trust between the 2 domains (which has
validated
>> > at both ends). wbinfo returns useful information for each domain
and
>> > I've got SSSD working from a member server. I can assign
rights to a
>> > share on a member server from the trusted domain and all looks
good.
>> > However, I am unable to access the shares on our member servers
>> > (fileservers) as one of the new external users. It feels like
I'm
>> > quite close but I am either missing something very obvious or
going
>> > about it in the wrong way.
>> >
>> > All member servers are running Ubuntu and at least Samba 4.6.3
(some
>> > of them newer). I've created a test member server for me to
test
>> > things out on. I am currently testing with SSSD as it allows
multiple
>> > domains to be declared. My smb.conf currently looks like this:
>> >
>> > [global]
>> > netbios name = FS-006
>> > security = ADS
>> > realm = EXAMPLE.COM
>> > workgroup = EXAMPLE
>> >
>> > allow trusted domains = yes
>> >
>> > log file = /var/log/samba/%m.log
>> >
>> > kerberos method = secrets and keytab
>> >
>> > idmap config *:backend = tdb
>> > idmap config *:range = 500-2000
>> > idmap config EXAMPLE:backend = ad
>> > idmap config EXAMPLE:schema_mode = rfc2307
>> > idmap config EXAMPLE:range = 10000-9999999
>> > idmap config EXTERNAL:backend = ad
>> > idmap config EXTERNAL:schema_mode = rfc2307
>> > idmap config EXTERNAL:range = 10000000-99999999999
>>
>> If you are running sssd and using it for authentication, then the above
>> 'idmap config' is useless.
>> If you want to continue using sssd, then can I suggest asking on the
>> sssd-users mailing list, sssd has nothing to do with Samba.
>>
>> Rowland
>>
>
>
>
> --
> ACS (Alavoine Computer Services Ltd)
> Chris Alavoine
> mob +44 (0)7724 710 730 <07724%20710730>
> www.alavoinecs.co.uk
> http://twitter.com/#!/alavoinecs
> http://www.linkedin.com/pub/chris-alavoine/39/606/192
>
--
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192
Chris Alavoine
2017-Nov-17 09:52 UTC
[Samba] Attempting a trust between Samba and Windows AD DC
Hey all,
Just updating on my progress.
I've managed to get this working using winbind and a two-way forest trust,
BUT I needed to join the domain member to the Windows AD side to get all
things working (this may be peculiar to my setup as my Samba4 side was
classic-upgraded from Samba3 and has been running for over 9 years...)
My final Domain Member smb.conf looked like this:
[global]
netbios name = FS-007
security = ADS
workgroup = ADS
realm = ADS.EXTERNAL.COM
log file = /var/log/samba/%m.log
log level = 3
idmap config * : backend = tdb
idmap config * : range = 200-499
idmap config SAMBA4:backend = ad
idmap config SAMBA4:schema_mode = rfc2307
idmap config SAMBA4:range = 500-999999
idmap config SAMBA4:unix_nss_info = yes
idmap config SAMBA4:unix_primary_group = yes
idmap config ADS:backend = ad
idmap config ADS:schema_mode = rfc2307
idmap config ADS:range = 1000000-9999999
idmap config ADS:unix_nss_info = yes
idmap config ADS:unix_primary_group = yes
client signing = yes
client use spnego = yes
vfs objects = acl_xattr,full_audit
server signing = mandatory
# VFS settings
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = notice
map acl inherit = yes
store dos attributes = yes
[test]
path = /data/test
read only = no
I used kinit and net ads join to join the EXTERNAL domain. I also added NIS
domain and IP details to Computer object in ADUC on UNIX attribs tab (not
sure if this is important or not).
My krb5.conf looked like this:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SAMBA4.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
[realms]
SAMBA4.EXAMPLE.COM = {
kdc = 192.168.32.2
kdc = 192.168.32.3
}
ADS.EXTERNAL.COM = {
kdc = 192.168.32.101
}
Obviously, the ranges were important and I had to enable UNIX stuff on the
Windows AD and make sure that my UNIX attribs matched my chosen range for
the EXTERNAL domain but very pleased that this is working.
This has been running for 24 hours so I'll continue to monitor as I have
heard of trust problems appearing over time.
Am also going to try and build using Windows Server 2016 as the Windows AD
DC as this would be nicer to manage than 2008 (and more secure).
Cheers,
c:)
On 15 November 2017 at 17:27, Chris Alavoine <chrisa at acs-info.co.uk>
wrote:
> Hi all,
>
> I didn't have much luck getting SSSD to work so I'm currently
testing out
> the following:
>
> Built a new member server from source on Ubuntu 16.04. I used the
> following ./configure statement:
>
> ./configure --enable-fhs --prefix=/usr --sysconfdir=/etc
> --localstatedir=/var --libdir=/usr/lib/x86_64-linux-gnu
>
> This seems to install nicely onto Ubuntu and puts everything in the right
> place. Winbind works well which is what I've always had problems with
in
> the past.
>
> My current smb.conf on the Domain member looks like this:
>
> [global]
> netbios name = FS-007
> security = ADS
> workgroup = EXAMPLE
> realm = ADS.EXAMPLE.COM
>
> log file = /var/log/samba/%m.log
> log level = 7
>
> idmap config * : backend = tdb
> idmap config * : range = 200-499
>
> idmap config EXAMPLE:backend = ad
> idmap config EXAMPLE:schema_mode = rfc2307
> idmap config EXAMPLE:range = 500-400000
> idmap config EXAMPLE:unix_nss_info = yes
> idmap config EXAMPLE:unix_primary_group = yes
>
> idmap config EXTERNAL : backend = rid
> idmap config EXTERNAL : range = 400001-99999999
>
> winbind nss info = template
> template shell = /bin/bash
> template homedir = /home/%U
>
> # allow trusted domains = yes
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> # kerberos method = secrets and keytab
>
> client signing = yes
> client use spnego = yes
>
>
> vfs objects = acl_xattr,full_audit
> server signing = mandatory
>
> # VFS settings
> full_audit:prefix = %u|%I|%m|%S
> full_audit:success = mkdir rename unlink rmdir pwrite
> full_audit:failure = none
> full_audit:facility = local7
> full_audit:priority = notice
>
> map acl inherit = yes
> store dos attributes = yes
>
>
> ##SHARES
>
> [test]
> path = /data/test/
> read only = no
>
>
> This gives me good connectivity on the EXAMPLE domain, wbinfo and getent
> work nicely and are returning correct values.
>
> Not much luck getting EXTERNAL domain to work though. A trust exists
> between the two forests and Kerberos and DNS are all working ok.
>
> "wbinfo -u --domain EXTERNAL" returns users as does "wbinfo
-g --domain
> EXTERNAL" return groups. However, I cannot get getent to give me
anything.
>
> The EXAMPLE domain is a group of Samba 4.6.3 DC's (about 10 of them,
all
> replicating ok).
>
> The EXTERNAL domain is a new Windows AD DC running Windows Server 2008 R2,
> I've also added a new Samba 4.7.2 to this domain which is replicating
> nicely.
>
> I've tried both rid and ad on the EXTERNAL domain with no luck.
>
> I've installed Server for NIS on the Windows Server 2008 R2 AD DC and
> added NIS info there (this was for testing using ad on idmap), but no joy.
>
> Any pointers most appreciated.
>
> Thanks,
> Chris.
>
>
>
> On 7 November 2017 at 15:47, Chris Alavoine <chrisa at
acs-info.co.uk> wrote:
>
>> Hi Rowland,
>>
>> Thanks for the swift response.
>>
>> I'm not married to SSSD and am happy to use the best tool for the
job,
>> but was just looking for some general advice on my situation.
>>
>> I'll post on the sssd-users mailing as well.
>>
>> Thanks,
>> Chris.
>>
>> On 7 November 2017 at 15:38, Rowland Penny <rpenny at samba.org>
wrote:
>>
>>> On Tue, 7 Nov 2017 15:06:55 +0000
>>> Chris Alavoine via samba <samba at lists.samba.org> wrote:
>>>
>>> > Hi all,
>>> >
>>> > We are about to integrate a large number of users into our
>>> > organisation and I've been tasked with attempting to allow
said users
>>> > access to our internal systems which are controlled from 10 x
Samba
>>> > 4.6.3 DC's across several sites.
>>> >
>>> > All Samba DC's are running either Ubuntu 14.04 or 16.04.
>>> >
>>> > Replication works nicely between these DC's and this
system has been
>>> > relatively stable for some time now. We use BIND_DLZ as our
DNS
>>> > backend.
>>> >
>>> > The new users will be being created on a Windows Server 2016
AD DC
>>> > and I've created a trust between the 2 domains (which has
validated
>>> > at both ends). wbinfo returns useful information for each
domain and
>>> > I've got SSSD working from a member server. I can assign
rights to a
>>> > share on a member server from the trusted domain and all looks
good.
>>> > However, I am unable to access the shares on our member
servers
>>> > (fileservers) as one of the new external users. It feels like
I'm
>>> > quite close but I am either missing something very obvious or
going
>>> > about it in the wrong way.
>>> >
>>> > All member servers are running Ubuntu and at least Samba 4.6.3
(some
>>> > of them newer). I've created a test member server for me
to test
>>> > things out on. I am currently testing with SSSD as it allows
multiple
>>> > domains to be declared. My smb.conf currently looks like this:
>>> >
>>> > [global]
>>> > netbios name = FS-006
>>> > security = ADS
>>> > realm = EXAMPLE.COM
>>> > workgroup = EXAMPLE
>>> >
>>> > allow trusted domains = yes
>>> >
>>> > log file = /var/log/samba/%m.log
>>> >
>>> > kerberos method = secrets and keytab
>>> >
>>> > idmap config *:backend = tdb
>>> > idmap config *:range = 500-2000
>>> > idmap config EXAMPLE:backend = ad
>>> > idmap config EXAMPLE:schema_mode = rfc2307
>>> > idmap config EXAMPLE:range = 10000-9999999
>>> > idmap config EXTERNAL:backend = ad
>>> > idmap config EXTERNAL:schema_mode = rfc2307
>>> > idmap config EXTERNAL:range = 10000000-99999999999
>>>
>>> If you are running sssd and using it for authentication, then the
above
>>> 'idmap config' is useless.
>>> If you want to continue using sssd, then can I suggest asking on
the
>>> sssd-users mailing list, sssd has nothing to do with Samba.
>>>
>>> Rowland
>>>
>>
>>
>>
>> --
>> ACS (Alavoine Computer Services Ltd)
>> Chris Alavoine
>> mob +44 (0)7724 710 730 <07724%20710730>
>> www.alavoinecs.co.uk
>> http://twitter.com/#!/alavoinecs
>> http://www.linkedin.com/pub/chris-alavoine/39/606/192
>>
>
>
>
> --
> ACS (Alavoine Computer Services Ltd)
> Chris Alavoine
> mob +44 (0)7724 710 730 <07724%20710730>
> www.alavoinecs.co.uk
> http://twitter.com/#!/alavoinecs
> http://www.linkedin.com/pub/chris-alavoine/39/606/192
>
--
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192