On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 13 Mar 2018 12:13:32 -0600
> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>
>> My smb.conf file looks like so
>>
>> [global]
>> security = ads
>> realm = MIND.UNM.EDU
>> workgroup = MIND
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-7999
>> idmap config MIND:backend = ad
>> idmap config MIND:schema_mode = rfc2307
>> idmap config MIND:range = 8000-9999999
>> # added because 4.6+ no longer understands
>> # winbind nss info = rfc2307
>> idmap config MIND:unix_nss_info = yes
>> # left because 4.5- don’t understand
>> # idmap config MIND:unix_nss_info = yes
>> winbind nss info = rfc2307
>
> OK, what version of Samba are you using on the Unix domain member ?
> If you are using 4.6 (or later), remove the 'winbind nss info' line.
> If you are still using 4.5, then remove the 'idmap config
> MIND:unix_info' line.
>
I use both. This config file is used across ubuntu 16.04 which has 4.3.11 and I am using Fedora 27 which has 4.7.5.
I thought I could leave them both uncommented for both as they should throw out what they don't understand. Is that not correct?

>> winbind use default domain = yes
>> # so that the users show up in getent
>> winbind enum users = yes
>> # so that the groups show up in getent
>> winbind enum groups = yes
>
> You do not need the two 'winbind enum' lines to get 'getent' to
> work, 'getent passwd username' & 'getent group groupname' will work
> without them.
>
I commented out both enums. Seems to work on my Fedora. I'll try on ubuntu later. I could have sworn this was why I added them.

>> restrict anonymous = 2
>> #added the following 2 for the Badlock updates that change the defaults
>> #to no longer work with my domain controllers
>> ldap server require strong auth = no
>> client ldap sasl wrapping = plain
>> kerberos method = secrets and keytab
>
> If you had to add the above lines after the Badlock updates, don't you
> think it is about time you fixed your DCs, it will be more secure. I
> also cannot see the reason for adding them, the first line only
> makes sense on a DC, the second turns off 'sign & seal' and the third
> only makes Kerberos look in /etc/krb5.keytab.
>
I'm not sure how to fix my DCs. It may have been fixed with updates. Also if I do fix it I don't know if it will break my Network storage and how to roll back if it does.

I commented out "ldap server require strong auth = no", "client ldap sasl wrapping = plain" and "kerberos method = secrets and keytab" and restarted the winbind service in Fedora and it still works. I can still ssh as a domain user and type a password. I will try in ubuntu later.

Does that mean my domain is fixed?

I still am not getting the correct group for my dstephenson user. With "id dstephenson" or "getent passwd dstephenson"

With all those changes nothing seems to have changed.

> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Tue, 13 Mar 2018 15:57:35 -0600 Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > On Tue, 13 Mar 2018 12:13:32 -0600
> > Jeff Sadowski via samba <samba at lists.samba.org> wrote:
> >
> >> My smb.conf file looks like so
> >>
> >> [global]
> >> security = ads
> >> realm = MIND.UNM.EDU
> >> workgroup = MIND
> >> idmap config * : backend = tdb
> >> idmap config * : range = 2000-7999
> >> idmap config MIND:backend = ad
> >> idmap config MIND:schema_mode = rfc2307
> >> idmap config MIND:range = 8000-9999999
> >> # added because 4.6+ no longer understands
> >> # winbind nss info = rfc2307
> >> idmap config MIND:unix_nss_info = yes
> >> # left because 4.5- don’t understand
> >> # idmap config MIND:unix_nss_info = yes
> >> winbind nss info = rfc2307
> >
> > OK, what version of Samba are you using on the Unix domain member ?
> > If you are using 4.6 (or later), remove the 'winbind nss info' line.
> > If you are still using 4.5, then remove the 'idmap config
> > MIND:unix_info' line.
> >
> I use both. This config file is used across ubuntu 16.04 which has
> 4.3.11 and I am using Fedora 27 which has 4.7.5.
> I thought I could leave them both uncommented for both as they should
> throw out what they don't understand. Is that not correct?

No, you should use one or the other (depending on the Samba version), you cannot use both.

> >> restrict anonymous = 2
> >> #added the following 2 for the Badlock updates that change the defaults
> >> #to no longer work with my domain controllers
> >> ldap server require strong auth = no
> >> client ldap sasl wrapping = plain
> >> kerberos method = secrets and keytab
> >
> > If you had to add the above lines after the Badlock updates, don't
> > you think it is about time you fixed your DCs, it will be more
> > secure. I also cannot see the reason for adding them, the first
> > line only makes sense on a DC, the second turns off 'sign & seal'
> > and the third only makes Kerberos look in /etc/krb5.keytab.
> >
> I'm not sure how to fix my DCs. It may have been fixed with updates.
> Also if I do fix it I don't know if it will break my Network storage
> and how to roll back if it does.
>
> I commented out "ldap server require strong auth = no", "client ldap
> sasl wrapping = plain" and "kerberos method = secrets and keytab"
> and restarted the winbind service in Fedora and it still works. I can
> still ssh as a domain user and type a password. I will try in ubuntu
> later.
>
> Does that mean my domain is fixed?

Probably

>
> I still am not getting the correct group for my dstephenson user.
> With "id dstephenson" or "getent passwd dstephenson"
>
> With all those changes nothing seems to have changed.

Have you run 'net cache flush' ?

Rowland
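A small audit script for the two points raised in the exchange above (the Badlock-era lines that turn off LDAP sign & seal or only make sense on a DC, and the rule that a member should carry either 'winbind nss info' or 'idmap config DOM:unix_nss_info', depending on its Samba version). This is an added example, not code from the thread or from the Samba project; it assumes the advice exactly as stated in the thread and runs over a constructed config modelled on the one Jeff posted.

```python
import re

# Constructed sample modelled on the smb.conf posted in the thread (not a live config).
SAMPLE_CONF = """\
[global]
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 2000-7999
   idmap config MIND:backend = ad
   idmap config MIND:unix_nss_info = yes
   winbind nss info = rfc2307
   ldap server require strong auth = no
   client ldap sasl wrapping = plain
"""

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}. Samba matches parameter names
    case-insensitively, so keys are lower-cased, whitespace collapsed and spaces
    around ':' (idmap config DOM:key) dropped; lines starting '#' or ';' are comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            sections[current][key] = value.strip().lower()
    return sections

def audit_member_config(text, samba_version):
    """Flag the issues raised in the thread for a domain member's [global] section.
    Assumption: this mirrors the thread's advice only, not a full Samba hardening check."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if g.get("client ldap sasl wrapping") == "plain":
        findings.append("client ldap sasl wrapping = plain: LDAP sign & seal is turned off")
    if g.get("ldap server require strong auth") == "no":
        findings.append("ldap server require strong auth = no: DC-only option, drop it on a member")
    new_style = [k for k in g if k.startswith("idmap config ") and k.endswith(":unix_nss_info")]
    if "winbind nss info" in g and new_style:  # both styles set: keep only the one this version uses
        if samba_version >= (4, 6):
            findings.append("remove 'winbind nss info'; 4.6+ uses idmap config DOM:unix_nss_info")
        else:
            findings.append("remove " + ", ".join(f"'{k}'" for k in new_style) + "; pre-4.6 uses 'winbind nss info'")
    return findings
```

Run audit_member_config(SAMPLE_CONF, (4, 7)) for the Fedora 27 host and audit_member_config(SAMPLE_CONF, (4, 3)) for the Ubuntu 16.04 host; the same file gets a different third finding on each.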
On Tue, Mar 13, 2018 at 4:03 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 13 Mar 2018 15:57:35 -0600
> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
>> On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>> > On Tue, 13 Mar 2018 12:13:32 -0600
>> > Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>> >
>> >> My smb.conf file looks like so
>> >>
>> >> [global]
>> >> security = ads
>> >> realm = MIND.UNM.EDU
>> >> workgroup = MIND
>> >> idmap config * : backend = tdb
>> >> idmap config * : range = 2000-7999
>> >> idmap config MIND:backend = ad
>> >> idmap config MIND:schema_mode = rfc2307
>> >> idmap config MIND:range = 8000-9999999
>> >> # added because 4.6+ no longer understands
>> >> # winbind nss info = rfc2307
>> >> idmap config MIND:unix_nss_info = yes
>> >> # left because 4.5- don’t understand
>> >> # idmap config MIND:unix_nss_info = yes
>> >> winbind nss info = rfc2307
>> >
>> > OK, what version of Samba are you using on the Unix domain member ?
>> > If you are using 4.6 (or later), remove the 'winbind nss info' line.
>> > If you are still using 4.5, then remove the 'idmap config
>> > MIND:unix_info' line.
>> >
>> I use both. This config file is used across ubuntu 16.04 which has
>> 4.3.11 and I am using Fedora 27 which has 4.7.5.
>> I thought I could leave them both uncommented for both as they should
>> throw out what they don't understand. Is that not correct?
>
> No, you should use one or the other (depending on the Samba version),
> you cannot use both.
>
>> >> restrict anonymous = 2
>> >> #added the following 2 for the Badlock updates that change the defaults
>> >> #to no longer work with my domain controllers
>> >> ldap server require strong auth = no
>> >> client ldap sasl wrapping = plain
>> >> kerberos method = secrets and keytab
>> >
>> > If you had to add the above lines after the Badlock updates, don't
>> > you think it is about time you fixed your DCs, it will be more
>> > secure. I also cannot see the reason for adding them, the first
>> > line only makes sense on a DC, the second turns off 'sign & seal'
>> > and the third only makes Kerberos look in /etc/krb5.keytab.
>> >
>> I'm not sure how to fix my DCs. It may have been fixed with updates.
>> Also if I do fix it I don't know if it will break my Network storage
>> and how to roll back if it does.
>>
>> I commented out "ldap server require strong auth = no", "client ldap
>> sasl wrapping = plain" and "kerberos method = secrets and keytab"
>> and restarted the winbind service in Fedora and it still works. I can
>> still ssh as a domain user and type a password. I will try in ubuntu
>> later.
>>
>> Does that mean my domain is fixed?
>
> Probably
>
>>
>> I still am not getting the correct group for my dstephenson user.
>> With "id dstephenson" or "getent passwd dstephenson"
>>
>> With all those changes nothing seems to have changed.
>
> Have you run 'net cache flush' ?
>
Yeah, that was in my script above.

> Rowland