On Tue, Mar 13, 2018 at 4:12 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 13 Mar 2018 16:05:53 -0600
> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
>> On Tue, Mar 13, 2018 at 4:03 PM, Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>>> On Tue, 13 Mar 2018 15:57:35 -0600
>>> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>>
>>>> On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba
>>>> <samba at lists.samba.org> wrote:
>>>>> On Tue, 13 Mar 2018 12:13:32 -0600
>>>>> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> My smb.conf file looks like so
>>>>>>
>>>>>> [global]
>>>>>> security = ads
>>>>>> realm = MIND.UNM.EDU
>>>>>> workgroup = MIND
>>>>>> idmap config * : backend = tdb
>>>>>> idmap config * : range = 2000-7999
>>>>>> idmap config MIND:backend = ad
>>>>>> idmap config MIND:schema_mode = rfc2307
>>>>>> idmap config MIND:range = 8000-9999999
>>>>>> # added because 4.6+ no longer understands
>>>>>> # winbind nss info = rfc2307
>>>>>> idmap config MIND:unix_nss_info = yes
>>>>>> # left because 4.5- don’t understand
>>>>>> # idmap config MIND:unix_nss_info = yes
>>>>>> winbind nss info = rfc2307
>>>>>
>>>>> OK, what version of Samba are you using on the Unix domain member?
>>>>> If you are using 4.6 (or later), remove the 'winbind nss info'
>>>>> line. If you are still using 4.5, then remove the 'idmap config
>>>>> MIND:unix_info' line.
>>>>>
>>>> I use both. This config file is used across ubuntu 16.04, which has
>>>> 4.3.11, and I am using Fedora 27, which has 4.7.5.
>>>> I thought I could leave them both uncommented for both as they
>>>> should throw out what they don't understand. Is that not correct?
>>>
>>> No, you should use one or the other (depending on the Samba
>>> version), you cannot use both.
>>>
>>>>>> restrict anonymous = 2
>>>>>> #added the following 2 for the Badlock updates that change the defaults
>>>>>> #to no longer work with my domain controllers
>>>>>> ldap server require strong auth = no
>>>>>> client ldap sasl wrapping = plain
>>>>>> kerberos method = secrets and keytab
>>>>>
>>>>> If you had to add the above lines after the Badlock updates,
>>>>> don't you think it is about time you fixed your DCs? It will be
>>>>> more secure. I also cannot see the reason for adding them: the
>>>>> first line only makes sense on a DC, the second turns off 'sign
>>>>> & seal' and the third only makes Kerberos look
>>>>> in /etc/krb5.keytab.
>>>>>
>>>> I'm not sure how to fix my DCs. It may have been fixed with updates.
>>>> Also if I do fix it I don't know if it will break my network
>>>> storage and how to roll back if it does.
>>>>
>>>> I commented out "ldap server require strong auth = no", "client
>>>> ldap sasl wrapping = plain" and "kerberos method = secrets and
>>>> keytab" and restarted the winbind service in Fedora and it still
>>>> works. I can still ssh as a domain user and type a password. I
>>>> will try in ubuntu later.
>>>>
>>>> Does that mean my domain is fixed?
>>>
>>> Probably
>>>
>>>> I still am not getting the correct group for my dstephenson user
>>>> with "id dstephenson" or "getent passwd dstephenson".
>>>>
>>>> With all those changes nothing seems to have changed.
>>>
>>> Have you run 'net cache flush'?
>>>
>> Yeah, that was in my script above.
>
> Has your user logged in? There were winbind changes in 4.6.0 that
> meant that you get 'Domain Users' as the primary group if the user
> hasn't logged in, more info here:
>
> https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#winbind_changes
>
> Rowland
>
No, and likely will not on that system.
I will try with a test user that is also not reporting correctly.

> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
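The two points Rowland makes in the exchange above (a member's smb.conf must carry exactly one of 'winbind nss info = rfc2307' for pre-4.6 Samba or 'idmap config DOMAIN:unix_nss_info = yes' for 4.6 and later, and the two Badlock-era lines are a downgrade that a member should not need) can be turned into a small generator plus lint. This is an added example, not code from the thread or from the Samba project: the function names and the `sh` layout are assumptions, the realm, workgroup and idmap ranges are copied from the posted smb.conf, and the idea of feeding it the output of `smbd --version` is a suggestion rather than something the thread does.

```shell
#!/bin/sh
# Added example (not from the thread): emit a domain-member [global] section
# whose NSS-info option matches the installed Samba version, so that
# "winbind nss info = rfc2307" (pre-4.6) and
# "idmap config <DOMAIN>:unix_nss_info = yes" (4.6 and later) never appear
# together, and flag the two pre-Badlock settings the poster ended up removing.
# Helper names are assumptions; the version cut-over at 4.6 is from the thread.

# True when a Samba version string such as "4.7.5" is 4.6 or newer.
samba_at_least_4_6() {
    major="${1%%.*}"
    rest="${1#*.}"
    minor="${rest%%.*}"
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 6 ]; }
}

# Print the single NSS-info line that this Samba version understands.
# $1 = Samba version, $2 = workgroup (short domain name).
nss_info_line() {
    if samba_at_least_4_6 "$1"; then
        printf 'idmap config %s:unix_nss_info = yes\n' "$2"
    else
        printf 'winbind nss info = rfc2307\n'
    fi
}

# Print a complete [global] section for a Unix domain member.
# $1 = Samba version, $2 = workgroup, $3 = realm. Values mirror the thread's smb.conf.
smb_global() {
    cat <<EOF
[global]
security = ads
realm = $3
workgroup = $2
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config $2:backend = ad
idmap config $2:schema_mode = rfc2307
idmap config $2:range = 8000-9999999
EOF
    nss_info_line "$1" "$2"
}

# Read smb.conf text on stdin and print each line that re-enables a pre-Badlock
# weak default: "ldap server require strong auth = no" drops the strong-auth
# requirement (a DC-side option), "client ldap sasl wrapping = plain" turns off
# LDAP sign & seal on the client. Returns 1 if any such line was found.
weak_badlock_lines() {
    found=0
    while IFS= read -r line; do
        stripped=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//')
        case "$stripped" in
            \#*|'') continue ;;          # skip comments and blank lines
        esac
        key=$(printf '%s\n' "$stripped" | sed 's/[[:space:]]*=.*$//' | tr 'A-Z' 'a-z')
        val=$(printf '%s\n' "$stripped" | sed -n 's/^[^=]*=[[:space:]]*//p' \
              | sed 's/[[:space:]]*$//' | tr 'A-Z' 'a-z')
        case "$key=$val" in
            'ldap server require strong auth=no'|'client ldap sasl wrapping=plain')
                printf 'weak: %s\n' "$stripped"
                found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Usage: sh gen-smb-global.sh 4.7.5 MIND MIND.UNM.EDU > smb-global.conf
# (version can come from: smbd --version | awk '{print $2}'  -- an assumption)
if [ "$#" -eq 3 ]; then
    smb_global "$1" "$2" "$3"
fi
```

Running the lint over an existing file is `weak_badlock_lines < /etc/samba/smb.conf`; a non-zero exit means the member is still carrying one of the two downgrade lines. The generator deliberately emits only one NSS-info line because, as the thread notes, a Samba version does not silently ignore the option it does not understand.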
On Tue, Mar 13, 2018 at 5:31 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> On Tue, Mar 13, 2018 at 4:12 PM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>> On Tue, 13 Mar 2018 16:05:53 -0600
>> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>
>>> On Tue, Mar 13, 2018 at 4:03 PM, Rowland Penny via samba
>>> <samba at lists.samba.org> wrote:
>>>> On Tue, 13 Mar 2018 15:57:35 -0600
>>>> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>>>
>>>>> On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba
>>>>> <samba at lists.samba.org> wrote:
>>>>>> On Tue, 13 Mar 2018 12:13:32 -0600
>>>>>> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>>>>>>
>>>>>>> My smb.conf file looks like so
>>>>>>>
>>>>>>> [global]
>>>>>>> security = ads
>>>>>>> realm = MIND.UNM.EDU
>>>>>>> workgroup = MIND
>>>>>>> idmap config * : backend = tdb
>>>>>>> idmap config * : range = 2000-7999
>>>>>>> idmap config MIND:backend = ad
>>>>>>> idmap config MIND:schema_mode = rfc2307
>>>>>>> idmap config MIND:range = 8000-9999999
>>>>>>> # added because 4.6+ no longer understands
>>>>>>> # winbind nss info = rfc2307
>>>>>>> idmap config MIND:unix_nss_info = yes
>>>>>>> # left because 4.5- don’t understand
>>>>>>> # idmap config MIND:unix_nss_info = yes
>>>>>>> winbind nss info = rfc2307
>>>>>>
>>>>>> OK, what version of Samba are you using on the Unix domain member?
>>>>>> If you are using 4.6 (or later), remove the 'winbind nss info'
>>>>>> line. If you are still using 4.5, then remove the 'idmap config
>>>>>> MIND:unix_info' line.
>>>>>>
>>>>> I use both. This config file is used across ubuntu 16.04, which has
>>>>> 4.3.11, and I am using Fedora 27, which has 4.7.5.
>>>>> I thought I could leave them both uncommented for both as they
>>>>> should throw out what they don't understand. Is that not correct?
>>>>
>>>> No, you should use one or the other (depending on the Samba
>>>> version), you cannot use both.
>>>>
>>>>>>> restrict anonymous = 2
>>>>>>> #added the following 2 for the Badlock updates that change the defaults
>>>>>>> #to no longer work with my domain controllers
>>>>>>> ldap server require strong auth = no
>>>>>>> client ldap sasl wrapping = plain
>>>>>>> kerberos method = secrets and keytab
>>>>>>
>>>>>> If you had to add the above lines after the Badlock updates,
>>>>>> don't you think it is about time you fixed your DCs? It will be
>>>>>> more secure. I also cannot see the reason for adding them: the
>>>>>> first line only makes sense on a DC, the second turns off 'sign
>>>>>> & seal' and the third only makes Kerberos look
>>>>>> in /etc/krb5.keytab.
>>>>>>
>>>>> I'm not sure how to fix my DCs. It may have been fixed with updates.
>>>>> Also if I do fix it I don't know if it will break my network
>>>>> storage and how to roll back if it does.
>>>>>
>>>>> I commented out "ldap server require strong auth = no", "client
>>>>> ldap sasl wrapping = plain" and "kerberos method = secrets and
>>>>> keytab" and restarted the winbind service in Fedora and it still
>>>>> works. I can still ssh as a domain user and type a password. I
>>>>> will try in ubuntu later.
>>>>>
>>>>> Does that mean my domain is fixed?
>>>>
>>>> Probably
>>>>
>>>>> I still am not getting the correct group for my dstephenson user
>>>>> with "id dstephenson" or "getent passwd dstephenson".
>>>>>
>>>>> With all those changes nothing seems to have changed.
>>>>
>>>> Have you run 'net cache flush'?
>>>>
>>> Yeah, that was in my script above.
>>
>> Has your user logged in? There were winbind changes in 4.6.0 that
>> meant that you get 'Domain Users' as the primary group if the user
>> hasn't logged in, more info here:
>>
>> https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#winbind_changes
>>
>> Rowland
>>
> No, and likely will not on that system. I will try with a test user
> that is also not reporting correctly.
>

Still not working right.

ldapu is a function I wrote to use ldapsearch:

ldapu jefftest|grep -ie uidnumber -e gidnumber
uidNumber: 11507
gidNumber: 31025

Even logging in as jefftest I get as follows:

jefftest::daddles { ~ }-> id jefftest
uid=11507(jefftest) gid=8513(domain users) groups=8513(domain users),31025(jeffs_general_group),8918648(vpn_users),8000(staff),8004(research),31036(insightiq)

P.S. The ubuntu 16.04 machines are showing correctly. (Still need to
mod the smb.conf's for them; I want to try on non-important machines
first.)
On Tue, Mar 13, 2018 at 7:30 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> On Tue, Mar 13, 2018 at 5:31 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>> On Tue, Mar 13, 2018 at 4:12 PM, Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>>> On Tue, 13 Mar 2018 16:05:53 -0600
>>> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>>
>>>> On Tue, Mar 13, 2018 at 4:03 PM, Rowland Penny via samba
>>>> <samba at lists.samba.org> wrote:
>>>>> On Tue, 13 Mar 2018 15:57:35 -0600
>>>>> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>>>>
>>>>>> On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba
>>>>>> <samba at lists.samba.org> wrote:
>>>>>>> On Tue, 13 Mar 2018 12:13:32 -0600
>>>>>>> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>>>>>>>
>>>>>>>> My smb.conf file looks like so
>>>>>>>>
>>>>>>>> [global]
>>>>>>>> security = ads
>>>>>>>> realm = MIND.UNM.EDU
>>>>>>>> workgroup = MIND
>>>>>>>> idmap config * : backend = tdb
>>>>>>>> idmap config * : range = 2000-7999
>>>>>>>> idmap config MIND:backend = ad
>>>>>>>> idmap config MIND:schema_mode = rfc2307
>>>>>>>> idmap config MIND:range = 8000-9999999
>>>>>>>> # added because 4.6+ no longer understands
>>>>>>>> # winbind nss info = rfc2307
>>>>>>>> idmap config MIND:unix_nss_info = yes
>>>>>>>> # left because 4.5- don’t understand
>>>>>>>> # idmap config MIND:unix_nss_info = yes
>>>>>>>> winbind nss info = rfc2307
>>>>>>>
>>>>>>> OK, what version of Samba are you using on the Unix domain member?
>>>>>>> If you are using 4.6 (or later), remove the 'winbind nss info'
>>>>>>> line. If you are still using 4.5, then remove the 'idmap config
>>>>>>> MIND:unix_info' line.
>>>>>>>
>>>>>> I use both. This config file is used across ubuntu 16.04, which has
>>>>>> 4.3.11, and I am using Fedora 27, which has 4.7.5.
>>>>>> I thought I could leave them both uncommented for both as they
>>>>>> should throw out what they don't understand. Is that not correct?
>>>>>
>>>>> No, you should use one or the other (depending on the Samba
>>>>> version), you cannot use both.
>>>>>
>>>>>>>> restrict anonymous = 2
>>>>>>>> #added the following 2 for the Badlock updates that change the defaults
>>>>>>>> #to no longer work with my domain controllers
>>>>>>>> ldap server require strong auth = no
>>>>>>>> client ldap sasl wrapping = plain
>>>>>>>> kerberos method = secrets and keytab
>>>>>>>
>>>>>>> If you had to add the above lines after the Badlock updates,
>>>>>>> don't you think it is about time you fixed your DCs? It will be
>>>>>>> more secure. I also cannot see the reason for adding them: the
>>>>>>> first line only makes sense on a DC, the second turns off 'sign
>>>>>>> & seal' and the third only makes Kerberos look
>>>>>>> in /etc/krb5.keytab.
>>>>>>>
>>>>>> I'm not sure how to fix my DCs. It may have been fixed with updates.
>>>>>> Also if I do fix it I don't know if it will break my network
>>>>>> storage and how to roll back if it does.
>>>>>>
>>>>>> I commented out "ldap server require strong auth = no", "client
>>>>>> ldap sasl wrapping = plain" and "kerberos method = secrets and
>>>>>> keytab" and restarted the winbind service in Fedora and it still
>>>>>> works. I can still ssh as a domain user and type a password. I
>>>>>> will try in ubuntu later.
>>>>>>
>>>>>> Does that mean my domain is fixed?
>>>>>
>>>>> Probably
>>>>>
>>>>>> I still am not getting the correct group for my dstephenson user
>>>>>> with "id dstephenson" or "getent passwd dstephenson".
>>>>>>
>>>>>> With all those changes nothing seems to have changed.
>>>>>
>>>>> Have you run 'net cache flush'?
>>>>>
>>>> Yeah, that was in my script above.
>>>
>>> Has your user logged in? There were winbind changes in 4.6.0 that
>>> meant that you get 'Domain Users' as the primary group if the user
>>> hasn't logged in, more info here:
>>>
>>> https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#winbind_changes
>>>
>>> Rowland
>>>
>> No, and likely will not on that system. I will try with a test user
>> that is also not reporting correctly.
>>
>
> Still not working right.
>
> ldapu is a function I wrote to use ldapsearch:
>
> ldapu jefftest|grep -ie uidnumber -e gidnumber
> uidNumber: 11507
> gidNumber: 31025
>
> Even logging in as jefftest I get as follows:
>
> jefftest::daddles { ~ }-> id jefftest
> uid=11507(jefftest) gid=8513(domain users) groups=8513(domain users),31025(jeffs_general_group),8918648(vpn_users),8000(staff),8004(research),31036(insightiq)
>

Interesting, maybe I was running "net cache flush" the wrong way. I was
doing it after stopping winbind, then I would start winbind back up.
Today I tried it without stopping winbind and logged in as jefftest.
The jefftest account now correctly shows with id.

jefftest::daddles { ~ }-> id jefftest
uid=11507(jefftest) gid=31025(jeffs_general_group) groups=31025(jeffs_general_group),31036(insightiq),8004(research),8513(domain users),8000(staff),8918648(vpn_users)

> P.S. The ubuntu 16.04 machines are showing correctly. (Still need to
> mod the smb.conf's for them; I want to try on non-important machines
> first.)
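The check the thread does by hand (compare the gidNumber AD holds for the user with the primary gid that `id` reports after `net cache flush`) is worth scripting, because the "before" and "after" outputs differ only in the gid= field and are easy to misread. The block below is an added example, not code from the thread or from Samba: the helper names are assumptions, the ldapsearch-style and `id`-style sample strings are constructed from the values posted above (uid 11507, gidNumber 31025, Domain Users 8513), and `live_check` follows the order the poster found to work (flush with winbind still running, then read the user back) but is only run when a user name is passed on the command line.

```shell
#!/bin/sh
# Added example (not from the thread): compare the gidNumber that AD holds for
# a user with the primary gid that NSS/winbind reports, the same comparison the
# poster made with "ldapu <user>" and "id <user>". Helper names are assumptions.

# gidNumber from an ldapsearch-style dump (attribute names are case-insensitive).
ldap_gid() {
    printf '%s\n' "$1" | awk 'tolower($1) == "gidnumber:" { print $2; exit }'
}

# Primary gid from "id" output: the number inside the "gid=NNN(name)" field.
# The leading whitespace anchor keeps "groups=" from matching.
id_gid() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]gid=\([0-9]*\)(.*/\1/p'
}

# $1 = ldapsearch output, $2 = id output.
# Returns 0 (and prints "ok: ...") when AD's gidNumber is the NSS primary gid,
# 1 (and prints "MISMATCH: ...") otherwise, which is the 4.6+ symptom from the
# thread: the user shows up with Domain Users until winbind has seen a logon.
primary_group_matches() {
    expected=$(ldap_gid "$1")
    actual=$(id_gid "$2")
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        printf 'ok: primary gid %s matches AD gidNumber\n' "$actual"
        return 0
    fi
    printf 'MISMATCH: AD gidNumber=%s but id reports gid=%s\n' \
        "${expected:-none}" "${actual:-none}"
    return 1
}

# Live check (assumed procedure, in the order the poster found to work):
# flush the winbind cache while winbind is still running, then re-read the
# user. The LDAP dump for the user is read from stdin, e.g.
#   ldapu jefftest | sh check-primary-group.sh jefftest
live_check() {
    user="$1"
    ldap_out=$(cat)
    net cache flush >/dev/null
    primary_group_matches "$ldap_out" "$(id "$user")"
}

# Constructed samples built from the values in the thread.
LDAP_SAMPLE='uidNumber: 11507
gidNumber: 31025'
# Before the cache was flushed with winbind running: primary group is Domain Users.
ID_BEFORE='uid=11507(jefftest) gid=8513(domain users) groups=8513(domain users),31025(jeffs_general_group),8918648(vpn_users),8000(staff),8004(research),31036(insightiq)'
# After: primary group is the AD gidNumber.
ID_AFTER='uid=11507(jefftest) gid=31025(jeffs_general_group) groups=31025(jeffs_general_group),31036(insightiq),8004(research),8513(domain users),8000(staff),8918648(vpn_users)'

if [ "$#" -eq 1 ]; then
    live_check "$1"
else
    primary_group_matches "$LDAP_SAMPLE" "$ID_BEFORE" || true   # prints MISMATCH
    primary_group_matches "$LDAP_SAMPLE" "$ID_AFTER"            # prints ok
fi
```

With no arguments the script runs against the two constructed samples and shows one MISMATCH and one ok line; with a user name it performs the live flush-and-compare. Because `primary_group_matches` returns non-zero on a mismatch, the same function can be looped over a list of users to find the ones that still report Domain Users.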