On 16.01.2018 at 17:26, Rowland Penny via samba wrote:
> On Tue, 16 Jan 2018 16:54:17 +0100
> Andreas Hauffe via samba <samba at lists.samba.org> wrote:
>
>> Ok, you are completely right. Here are the real numbers with changed
>> user names:
>>
>> drwx------ 43 DOM\user1   DOM\domain-user 4096 Jan 10 08:00 user1
>> drwx------  5 DOM\user2   DOM\domain-user 4096 Jan 11 08:13 user2
>> drwx------ 92 DOM\user3   DOM\domain-user 4096 Jan 16 08:39 user3
>> drwx------  3 133265      DOM\domain-user 4096 Sep  7  2015 user4
>> drwx------  7 470055      DOM\domain-user 4096 Apr 30  2013 user5
>> drwx------ 12 DOM\user6   DOM\domain-user 4096 Jan  4 12:46 user6
>> drwx------ 51 DOM\user7   DOM\domain-user 4096 Jan 15 23:01 user7
>> drwx------  2 95092       DOM\domain-user 4096 Jul  1  2015 user8
>> drwx------  3 DOM\user9   DOM\domain-user 4096 Jun  8  2015 user9
>> ....
>> drwx------  7 DOM\user200 DOM\domain-user 4096 Nov  6  2012 user200
>>
>> > wbinfo --uid-info=133265
>> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for uid 133265
>>
>> > wbinfo -i DOM\\user4
>> DOM\user4:*:133265:10513::/home/user4:/bin/bash
>>
>> After the last command (wbinfo -i DOM\\user4), "wbinfo --uid-info=133265"
>> also shows the correct result, and the "ls -l" listing also shows the
>> user name instead of the uid.
>>
> One thing I have spotted:
>
> /etc/krb5.conf should be:
>
> [libdefaults]
>     default_realm = DOM2.DOM.TU-DRESDEN.DE
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> What is 'DOM2' ?
> Is it a trusted domain ?
>
> As I said, you are using the 'rid' backend and adding users to AD
> shouldn't affect how winbind works. Your user 'user4' must have the RID
> '123265' and so should be available as a Unix user.
>
> I take it that the Unix domain member is using the DC as its DNS
> nameserver.
>
> Rowland

Actually, it should be and is "DOM2.DOM.EXAMPLE.DE". And this domain (DOM2) is a subdomain of DOM.EXAMPLE.DE (bidirectional transitive trust).

At our university we have a parent domain "DOM.EXAMPLE.DE" where all the user accounts are held/administered. Every department has a subdomain for its services, in our example case "DOM2.DOM.EXAMPLE.DE". The client, and so the member server, is a member of "DOM2.DOM.EXAMPLE.DE". But most of the users are from "DOM.EXAMPLE.DE".

And I checked, the RID of user4 is 123265.

Yes, the DC (actually both DCs) is the DNS server of the Unix member server.

-- 
Best regards
Andreas Hauffe
Head of the research area "Auslegungsmethoden für Luftfahrzeuge" (Design Methods for Aircraft)

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax : +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de
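The numbers above fit the 'rid' idmap backend exactly: idmap_rid maps a RID to a Unix id as ID = RID - BASE_RID + LOW_RANGE_ID, so RID 123265 becoming uid 133265 implies a range starting at 10000, and the primary gid 10513 is then RID 513 (Domain Users) under the same range. The following is an added worked example, not code from the thread or from Samba; the idmap ranges in it are assumed (the smb.conf is not quoted in the thread) and chosen to reproduce the observed ids. It shows the check worth running when "wbinfo --uid-info" returns WBC_ERR_DOMAIN_NOT_FOUND: if a bare uid from "ls -l" falls inside a configured rid range, it belongs to that domain and the failure is a lookup problem, not a missing account.

```python
"""Winbind idmap_rid arithmetic applied to the uids seen in the thread.

Added example; the idmap ranges below are ASSUMED (smb.conf not shown).
idmap_rid rule (from the idmap_rid man page):
    unix_id = RID - base_rid + range_low
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IdmapRange:
    domain: str        # short (NetBIOS) name used in "idmap config DOM : ..."
    low: int           # "range = low-high"
    high: int
    base_rid: int = 0  # idmap_rid default

    def rid_to_id(self, rid: int) -> int:
        """Forward mapping: ID = RID - BASE_RID + LOW_RANGE_ID."""
        unix_id = rid - self.base_rid + self.low
        if not (self.low <= unix_id <= self.high):
            raise ValueError(f"RID {rid} maps to {unix_id}, outside {self.low}-{self.high}")
        return unix_id

    def id_to_rid(self, unix_id: int) -> Optional[int]:
        """Reverse mapping; None if the id is not in this domain's range."""
        if not (self.low <= unix_id <= self.high):
            return None
        return unix_id - self.low + self.base_rid


# ASSUMED configuration, equivalent to:
#   idmap config DOM  : backend = rid
#   idmap config DOM  : range   = 10000-999999
#   idmap config DOM2 : backend = rid
#   idmap config DOM2 : range   = 1000000-1999999
IDMAP = [
    IdmapRange("DOM", 10000, 999999),
    IdmapRange("DOM2", 1000000, 1999999),
]


def attribute_uid(unix_id: int, idmap=IDMAP) -> Optional[tuple[str, int]]:
    """Return (domain, RID) for a bare uid seen in 'ls -l', or None.

    With the rid backend the mapping is deterministic, so an id inside a
    configured range always belongs to that domain even when winbind cannot
    currently resolve it (WBC_ERR_DOMAIN_NOT_FOUND).
    """
    for r in idmap:
        rid = r.id_to_rid(unix_id)
        if rid is not None:
            return (r.domain, rid)
    return None


def parse_wbinfo_i(line: str) -> dict:
    """Parse one 'wbinfo -i' passwd-style line, e.g.
    DOM\\user4:*:133265:10513::/home/user4:/bin/bash
    """
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 passwd fields, got {len(fields)}: {line!r}")
    name, _pw, uid, gid, _gecos, home, shell = fields
    domain, sep, user = name.partition("\\")
    if not sep:
        raise ValueError(f"name {name!r} has no DOMAIN\\ prefix")
    return {"domain": domain, "user": user, "uid": int(uid), "gid": int(gid),
            "home": home, "shell": shell}


def check_consistency(wbinfo_line: str, rid: int, idmap=IDMAP) -> bool:
    """True if the uid winbind reports equals what idmap_rid predicts for RID."""
    info = parse_wbinfo_i(wbinfo_line)
    rng = next(r for r in idmap if r.domain == info["domain"])
    return rng.rid_to_id(rid) == info["uid"]


if __name__ == "__main__":
    # Values quoted in the thread; the RID of user4 was confirmed as 123265.
    line = "DOM\\user4:*:133265:10513::/home/user4:/bin/bash"
    print(attribute_uid(133265))            # ('DOM', 123265)
    print(attribute_uid(10513))             # ('DOM', 513)  -> Domain Users
    print(check_consistency(line, 123265))  # True
```

Under the assumed range the two other bare uids in the listing, 470055 and 95092, are RIDs 460055 and 85092 in DOM; that is a consequence of the assumption, not something the thread confirms.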
On Tue, 16 Jan 2018 17:49:55 +0100
Andreas Hauffe via samba <samba at lists.samba.org> wrote:

> On 16.01.2018 at 17:26, Rowland Penny via samba wrote:
> > [...]
>
> Actually, it should be and is "DOM2.DOM.EXAMPLE.DE". And this domain
> (DOM2) is a subdomain of DOM.EXAMPLE.DE (bidirectional transitive
> trust). At our university we have a parent domain "DOM.EXAMPLE.DE"
> where all the user accounts are held/administered. Every department
> has a subdomain for its services, in our example case
> "DOM2.DOM.EXAMPLE.DE". The client, and so the member server, is a
> member of "DOM2.DOM.EXAMPLE.DE". But most of the users are from
> "DOM.EXAMPLE.DE".
>
> And I checked, the RID of user4 is 123265.
>
> Yes, the DC (actually both DCs) is the DNS server of the Unix member server.

Everything seems to be okay, the only thing that jumps to mind is time, are all the machines set to the same time plus or minus a few minutes ?

Rowland
Hi Andreas,

I'm sorry to jump on your thread as I can't really help you here.
But as I have to set up an AD subdomain of a parent domain with the same requirements as yours apparently (aka parent domain managed by Windows server holds users/groups accounts at a distant location but the compute resources and the GPO will be managed locally under a subdomain), I'm just wondering if you found any good documentation to help you set up your AD subdomain and if there's any gotcha to be aware of please :-) ?

I'm new to this and it seems that the official wiki doesn't have a lot of information on the current state of the "trust relationship" support on Samba 4 or on how to set up a subdomain of a parent domain

Thanks a lot
Regards,

On Tue, Jan 16, 2018 at 5:49 PM, Andreas Hauffe via samba <samba at lists.samba.org> wrote:
> [...]
Hi,

yes, there are some things. But I have not found a nice complete documentation.

One main point is the domain name as prefix of the username of the parent domain, e.g. "DOM\user1", which you have to use. I was not able to get rid of it, as the client is a member of the subdomain, which is the default. So you can't use the "default domain" option in smb.conf. The backslash in the user name is a problem for some software, but other characters can also be a problem for other software.

In krb5.conf you need a [realms] section, with rewrite (auth_to_local) rules for the principal names to local user names. All is quite simple, if you know the fact. Only with that do you get kerberized services running.

On a Debian 9 file server (member server of the domain) I was not able to get NFS4 with Kerberos working until I changed from the default rpc.svcgssd to gssproxy for the NFS service. The first was working for subdomain users, but in the case of parent domain users the rpc.svcgssd process went to 100% CPU load and a soft lockup of the kernel. With gssproxy and no other changes all is fine.

These few things took me a lot of time.

Andreas

On 19.01.2018 at 11:50, insrc via samba wrote:
> Hi Andreas,
>
> I'm sorry to jump on your thread as I can't really help you here.
> But as I have to set up an AD subdomain of a parent domain with the same
> requirements as yours apparently (aka parent domain managed by Windows
> server holds users/groups accounts at a distant location but the compute
> resources and the GPO will be managed locally under a subdomain), I'm just
> wondering if you found any good documentation to help you set up your AD
> subdomain and if there's any gotcha to be aware of please :-) ?
>
> I'm new to this and it seems that the official wiki doesn't have a lot of
> information on the current state of the "trust relationship" support on
> Samba 4 or on how to set up a subdomain of a parent domain
>
> Thanks a lot
> Regards,
>
> On Tue, Jan 16, 2018 at 5:49 PM, Andreas Hauffe via samba <samba at lists.samba.org> wrote:
>> [...]

-- 
Best regards
Andreas Hauffe
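The naming policy described in the message above, as an added example that is not part of the thread or of Samba/MIT Kerberos code: a member of the child realm DOM2.DOM.EXAMPLE.DE sees users as "SHORT\name", and the smb.conf option "winbind use default domain" can drop the prefix only for the member's own domain, never for the parent domain DOM.EXAMPLE.DE. In krb5.conf this mapping is what the auth_to_local rules in the [realms] section have to produce for kerberized services; the code below implements the same policy in Python so it can be checked offline, including the cases a rule set must reject (service principals, an unknown realm, a realm that differs only in case). The realm-to-short-name table and the Kerberos quoting handling are assumptions about this environment.

```python
"""Principal -> local account name for a member of a child AD domain.

Added example.  Policy taken from the thread: users of the parent realm are
addressed as "DOM\\user"; "winbind use default domain" only affects the
member's own realm.  REALM_TO_SHORT is an ASSUMPTION (the thread only shows
the short name "DOM" for the parent realm).
"""
from __future__ import annotations
from typing import Optional

MEMBER_REALM = "DOM2.DOM.EXAMPLE.DE"

# Realm -> NetBIOS short name as used by winbind.  Assumed values.
REALM_TO_SHORT = {
    "DOM2.DOM.EXAMPLE.DE": "DOM2",
    "DOM.EXAMPLE.DE": "DOM",
}


def parse_principal(principal: str) -> tuple[list[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm).

    Only the last unescaped '@' separates the realm; a quoted '\\@' inside a
    component is not the separator.
    """
    i = len(principal)
    while True:
        i = principal.rfind("@", 0, i)
        if i <= 0:
            raise ValueError(f"no realm in principal {principal!r}")
        if principal[i - 1] != "\\":
            break
    components = principal[:i].split("/")
    realm = principal[i + 1:]
    if not realm or any(c == "" for c in components):
        raise ValueError(f"malformed principal {principal!r}")
    return components, realm


def map_principal(principal: str, member_realm: str = MEMBER_REALM,
                  use_default_domain: bool = False,
                  realm_to_short=REALM_TO_SHORT) -> Optional[str]:
    """Return the local account name for a user principal, or None to reject.

    - single-component principals only: host/fqdn@REALM and other service
      principals are not accounts and never map to a login name;
    - realm comparison is exact (Kerberos realms are case-sensitive), so a
      ticket from 'dom.example.de' is not one from the parent realm;
    - unknown realm -> None; a permissive fallback here would let any realm
      that can obtain a cross-realm ticket log in as a local user;
    - use_default_domain mirrors smb.conf "winbind use default domain": the
      prefix is dropped for the member's own realm only, as the thread notes.
    """
    components, realm = parse_principal(principal)
    if len(components) != 1:
        return None
    name = components[0].replace("\\@", "@")  # undo Kerberos quoting
    short = realm_to_short.get(realm)
    if short is None:
        return None
    if use_default_domain and realm == member_realm:
        return name
    return f"{short}\\{name}"


if __name__ == "__main__":
    for p in ("user4@DOM.EXAMPLE.DE", "admin@DOM2.DOM.EXAMPLE.DE",
              "host/fs1.dom2.dom.example.de@DOM2.DOM.EXAMPLE.DE",
              "user4@dom.example.de", "evil@ATTACKER.EXAMPLE"):
        print(f"{p:52} -> {map_principal(p)!r}"
              f"  (default domain: {map_principal(p, use_default_domain=True)!r})")
```

The point the thread makes shows up directly: with use_default_domain=True only "admin@DOM2.DOM.EXAMPLE.DE" loses its prefix, while "user4@DOM.EXAMPLE.DE" stays "DOM\user4", so software that cannot cope with the backslash has to be fixed on its side or fed the principal-to-name mapping some other way.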