On Tue, Mar 13, 2018 at 4:03 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 13 Mar 2018 15:57:35 -0600
> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
>> On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>> > On Tue, 13 Mar 2018 12:13:32 -0600
>> > Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>> >
>> >> My smb.conf file looks like so
>> >>
>> >> [global]
>> >> security = ads
>> >> realm = MIND.UNM.EDU
>> >> workgroup = MIND
>> >> idmap config * : backend = tdb
>> >> idmap config * : range = 2000-7999
>> >> idmap config MIND:backend = ad
>> >> idmap config MIND:schema_mode = rfc2307
>> >> idmap config MIND:range = 8000-9999999
>> >> # added because 4.6+ no longer understands
>> >> # winbind nss info = rfc2307
>> >> idmap config MIND:unix_nss_info = yes
>> >> # left because 4.5- don't understand
>> >> # idmap config MIND:unix_nss_info = yes
>> >> winbind nss info = rfc2307
>> >
>> > OK, what version of Samba are you using on the Unix domain member?
>> > If you are using 4.6 (or later), remove the 'winbind nss info' line.
>> > If you are still using 4.5, then remove the 'idmap config
>> > MIND:unix_info' line.
>> >
>> I use both. This config file is used across Ubuntu 16.04, which has
>> 4.3.11, and I am using Fedora 27, which has 4.7.5.
>> I thought I could leave them both uncommented for both, as they should
>> throw out what they don't understand. Is that not correct?
>
> No, you should use one or the other (depending on the Samba version),
> you cannot use both.
>
>> >> restrict anonymous = 2
>> >> #added the following 2 for the Badlock updates that change the
>> >> #defaults to no longer work with my domain controllers
>> >> ldap server require strong auth = no
>> >> client ldap sasl wrapping = plain
>> >> kerberos method = secrets and keytab
>> >
>> > If you had to add the above lines after the Badlock updates, don't
>> > you think it is about time you fixed your DCs? It will be more
>> > secure. I also cannot see the reason for adding them: the first
>> > line only makes sense on a DC, the second turns off 'sign & seal'
>> > and the third only makes Kerberos look in /etc/krb5.keytab.
>> >
>> I'm not sure how to fix my DCs. It may have been fixed with updates.
>> Also, if I do fix it, I don't know if it will break my network storage
>> and how to roll back if it does.
>>
>> I commented out "ldap server require strong auth = no", "client ldap
>> sasl wrapping = plain" and "kerberos method = secrets and keytab"
>> and restarted the winbind service in Fedora and it still works. I can
>> still ssh as a domain user and type a password. I will try in Ubuntu
>> later.
>>
>> Does that mean my domain is fixed?
>
> Probably
>
>>
>> I still am not getting the correct group for my dstephenson user.
>> With "id dstephenson" or "getent passwd dstephenson"
>>
>> With all those changes nothing seems to have changed.
>
> Have you run 'net cache flush' ?
>
Yeah, that was in my script above.
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Tue, 13 Mar 2018 16:05:53 -0600
Jeff Sadowski <jeff.sadowski at gmail.com> wrote:

> On Tue, Mar 13, 2018 at 4:03 PM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > On Tue, 13 Mar 2018 15:57:35 -0600
> > Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> >
> >> On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba
> >> <samba at lists.samba.org> wrote:
> >> > On Tue, 13 Mar 2018 12:13:32 -0600
> >> > Jeff Sadowski via samba <samba at lists.samba.org> wrote:
> >> >
> >> >> My smb.conf file looks like so
> >> >>
> >> >> [global]
> >> >> security = ads
> >> >> realm = MIND.UNM.EDU
> >> >> workgroup = MIND
> >> >> idmap config * : backend = tdb
> >> >> idmap config * : range = 2000-7999
> >> >> idmap config MIND:backend = ad
> >> >> idmap config MIND:schema_mode = rfc2307
> >> >> idmap config MIND:range = 8000-9999999
> >> >> # added because 4.6+ no longer understands
> >> >> # winbind nss info = rfc2307
> >> >> idmap config MIND:unix_nss_info = yes
> >> >> # left because 4.5- don't understand
> >> >> # idmap config MIND:unix_nss_info = yes
> >> >> winbind nss info = rfc2307
> >> >
> >> > OK, what version of Samba are you using on the Unix domain member?
> >> > If you are using 4.6 (or later), remove the 'winbind nss info'
> >> > line. If you are still using 4.5, then remove the 'idmap config
> >> > MIND:unix_info' line.
> >> >
> >> I use both. This config file is used across Ubuntu 16.04, which has
> >> 4.3.11, and I am using Fedora 27, which has 4.7.5.
> >> I thought I could leave them both uncommented for both, as they
> >> should throw out what they don't understand. Is that not correct?
> >
> > No, you should use one or the other (depending on the Samba
> > version), you cannot use both.
> >
> >> >> restrict anonymous = 2
> >> >> #added the following 2 for the Badlock updates that change
> >> >> #the defaults to no longer work with my domain controllers
> >> >> ldap server require strong auth = no
> >> >> client ldap sasl wrapping = plain
> >> >> kerberos method = secrets and keytab
> >> >
> >> > If you had to add the above lines after the Badlock updates,
> >> > don't you think it is about time you fixed your DCs? It will be
> >> > more secure. I also cannot see the reason for adding them: the
> >> > first line only makes sense on a DC, the second turns off 'sign
> >> > & seal' and the third only makes Kerberos look
> >> > in /etc/krb5.keytab.
> >> >
> >> I'm not sure how to fix my DCs. It may have been fixed with updates.
> >> Also, if I do fix it, I don't know if it will break my network
> >> storage and how to roll back if it does.
> >>
> >> I commented out "ldap server require strong auth = no", "client
> >> ldap sasl wrapping = plain" and "kerberos method = secrets and
> >> keytab" and restarted the winbind service in Fedora and it still
> >> works. I can still ssh as a domain user and type a password. I
> >> will try in Ubuntu later.
> >>
> >> Does that mean my domain is fixed?
> >
> > Probably
> >
> >>
> >> I still am not getting the correct group for my dstephenson user.
> >> With "id dstephenson" or "getent passwd dstephenson"
> >>
> >> With all those changes nothing seems to have changed.
> >
> > Have you run 'net cache flush' ?
> >
> Yeah, that was in my script above.

Has your user logged in? There were winbind changes in 4.6.0 that
meant that you get 'Domain Users' as the primary group if the user
hasn't logged in, more info here:

https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#winbind_changes

Rowland
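Added example, not from the thread or the Samba project: a small POSIX shell audit for the two smb.conf problems Rowland points out above. It flags a member config that carries both the pre-4.6 'winbind nss info' line and the 4.6+ 'idmap config DOMAIN:unix_nss_info' line, prints the one your Samba version understands (the 4.6 threshold is taken from Rowland's reply), and flags the two Badlock-era weakenings 'ldap server require strong auth = no' (a DC-side parameter) and 'client ldap sasl wrapping = plain' (turns off sign & seal). The function names, the constructed sample config (modelled on the one posted in the thread) and the reporting format are mine; the parameter names are the real smb.conf parameters, and 'smbd -V' is only used to read the installed version.

```shell
#!/bin/sh
# Audit a Samba domain-member smb.conf for the two mistakes discussed in the
# thread. Added example; function names and the sample config are invented.

# Uncommented lines that undo the post-Badlock defaults.
WEAK_RE='^[[:space:]]*(ldap server require strong auth[[:space:]]*=[[:space:]]*no|client ldap sasl wrapping[[:space:]]*=[[:space:]]*plain)[[:space:]]*$'

# Uncommented rfc2307 NSS-info lines, either variant.
NSS_RE='^[[:space:]]*(winbind nss info[[:space:]]*=|idmap config [^:]*:[[:space:]]*unix_nss_info[[:space:]]*=)'

# Which NSS-info parameter a given Samba version understands.
# Threshold 4.6 per Rowland's reply.  Usage: nss_option_for_version 4.7.5 MIND
nss_option_for_version() {
    nv=$1; ndom=$2
    major=${nv%%.*}
    rest=${nv#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 6 ]; }; then
        echo "idmap config $ndom:unix_nss_info = yes"
    else
        echo "winbind nss info = rfc2307"
    fi
}

# Number of weakened settings present (0 is what you want on a member).
count_weak_settings() {
    grep -Eic "$WEAK_RE" "$1" || true
}

# Number of NSS-info lines present; 2 means both variants, which is not allowed.
count_nss_lines() {
    grep -Eic "$NSS_RE" "$1" || true
}

# Constructed sample, modelled on the smb.conf posted in the thread
# (not the poster's exact file).  Prints the path of a temporary file.
write_sample_conf() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
[global]
   security = ads
   realm = MIND.UNM.EDU
   workgroup = MIND
   idmap config * : backend = tdb
   idmap config * : range = 2000-7999
   idmap config MIND:backend = ad
   idmap config MIND:schema_mode = rfc2307
   idmap config MIND:range = 8000-9999999
   idmap config MIND:unix_nss_info = yes
   winbind nss info = rfc2307
   restrict anonymous = 2
   ldap server require strong auth = no
   client ldap sasl wrapping = plain
   kerberos method = secrets and keytab
EOF
    echo "$f"
}

# Human-readable report.  Usage: audit_smbconf /etc/samba/smb.conf 4.7.5 MIND
audit_smbconf() {
    conf=$1; aver=$2; adom=$3
    echo "== $conf (Samba $aver) =="
    if [ "$(count_nss_lines "$conf")" -gt 1 ]; then
        echo "CONFLICT: both NSS-info variants are set; keep only this one:"
        echo "    $(nss_option_for_version "$aver" "$adom")"
    fi
    if [ "$(count_weak_settings "$conf")" -gt 0 ]; then
        echo "WEAK: remove these lines (fix the DCs instead) so the post-Badlock defaults apply:"
        grep -Ein "$WEAK_RE" "$conf"
    fi
}

# Demo: audit the constructed sample using the installed Samba version
# ('smbd -V' prints "Version x.y.z"); fall back to the Fedora version from
# the thread when smbd is not on this box.
installed=$(smbd -V 2>/dev/null | sed -n 's/^Version //p')
sample=$(write_sample_conf)
audit_smbconf "$sample" "${installed:-4.7.5}" MIND
rm -f "$sample"
```

Run it against a real file with `audit_smbconf /etc/samba/smb.conf "$(smbd -V | sed -n 's/^Version //p')" MIND`; a clean member config reports nothing under either heading. Dropping the two weak lines is the safe direction: the member then falls back to the signed LDAP default and any failure shows up as an authentication error against the DC, which is the DC problem Rowland says should be fixed rather than worked around.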
On Tue, Mar 13, 2018 at 4:12 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 13 Mar 2018 16:05:53 -0600
> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
>> On Tue, Mar 13, 2018 at 4:03 PM, Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>> > On Tue, 13 Mar 2018 15:57:35 -0600
>> > Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>> >
>> >> On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba
>> >> <samba at lists.samba.org> wrote:
>> >> > On Tue, 13 Mar 2018 12:13:32 -0600
>> >> > Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>> >> >
>> >> >> My smb.conf file looks like so
>> >> >>
>> >> >> [global]
>> >> >> security = ads
>> >> >> realm = MIND.UNM.EDU
>> >> >> workgroup = MIND
>> >> >> idmap config * : backend = tdb
>> >> >> idmap config * : range = 2000-7999
>> >> >> idmap config MIND:backend = ad
>> >> >> idmap config MIND:schema_mode = rfc2307
>> >> >> idmap config MIND:range = 8000-9999999
>> >> >> # added because 4.6+ no longer understands
>> >> >> # winbind nss info = rfc2307
>> >> >> idmap config MIND:unix_nss_info = yes
>> >> >> # left because 4.5- don't understand
>> >> >> # idmap config MIND:unix_nss_info = yes
>> >> >> winbind nss info = rfc2307
>> >> >
>> >> > OK, what version of Samba are you using on the Unix domain member?
>> >> > If you are using 4.6 (or later), remove the 'winbind nss info'
>> >> > line. If you are still using 4.5, then remove the 'idmap config
>> >> > MIND:unix_info' line.
>> >> >
>> >> I use both. This config file is used across Ubuntu 16.04, which has
>> >> 4.3.11, and I am using Fedora 27, which has 4.7.5.
>> >> I thought I could leave them both uncommented for both, as they
>> >> should throw out what they don't understand. Is that not correct?
>> >
>> > No, you should use one or the other (depending on the Samba
>> > version), you cannot use both.
>> >
>> >> >> restrict anonymous = 2
>> >> >> #added the following 2 for the Badlock updates that change
>> >> >> #the defaults to no longer work with my domain controllers
>> >> >> ldap server require strong auth = no
>> >> >> client ldap sasl wrapping = plain
>> >> >> kerberos method = secrets and keytab
>> >> >
>> >> > If you had to add the above lines after the Badlock updates,
>> >> > don't you think it is about time you fixed your DCs? It will be
>> >> > more secure. I also cannot see the reason for adding them: the
>> >> > first line only makes sense on a DC, the second turns off 'sign
>> >> > & seal' and the third only makes Kerberos look
>> >> > in /etc/krb5.keytab.
>> >> >
>> >> I'm not sure how to fix my DCs. It may have been fixed with updates.
>> >> Also, if I do fix it, I don't know if it will break my network
>> >> storage and how to roll back if it does.
>> >>
>> >> I commented out "ldap server require strong auth = no", "client
>> >> ldap sasl wrapping = plain" and "kerberos method = secrets and
>> >> keytab" and restarted the winbind service in Fedora and it still
>> >> works. I can still ssh as a domain user and type a password. I
>> >> will try in Ubuntu later.
>> >>
>> >> Does that mean my domain is fixed?
>> >
>> > Probably
>> >
>> >>
>> >> I still am not getting the correct group for my dstephenson user.
>> >> With "id dstephenson" or "getent passwd dstephenson"
>> >>
>> >> With all those changes nothing seems to have changed.
>> >
>> > Have you run 'net cache flush' ?
>> >
>> Yeah, that was in my script above.
>
> Has your user logged in? There were winbind changes in 4.6.0 that
> meant that you get 'Domain Users' as the primary group if the user
> hasn't logged in, more info here:
>
> https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#winbind_changes
>
> Rowland
>
No, and likely will not on that system.
I will try with a test user that is also not reporting correctly.