Hi,

We ran the classic upgrade and migrated the domain. We were then able to add a Windows Server 2008R2 and dcpromo it. Here are some of the issues we are seeing post migration:

- Pre the migration, the password backend was LDAP. We had some groups that we had migrated into LDAP from TDB. These groups don't seem to have come up in AD.

- Any groups that were created in LDAP did show up in AD.

- We have a member server which we joined to the AD using the following:

net ads join -U administrator
Enter administrator's password:
Using short domain name -- TESTDOM
Joined 'fs01' to dns domain 'testdom.group'
net_update_dns_internal: Failed to connect to our DC!
DNS update failed!

Ran samba_dnsupdate -verbose -all-names on the Samba 4 AD DC box and got the following:

TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 27 entries

- Using a Windows 7 machine, we tried to access the shares in the member server and it fails with the following in the logs:

user 'TESTDOM\pghimire' (from session setup) not permitted to access this share (downloads)

The user is a member of a group who has permissions for the folder (in smb.conf). This was one of the groups that didn't migrate to AD, so we set up the group in AD and added the user as a member.

Using smbclient the user account is able to enumerate all the shares in the Samba 4 DC and the member server.

- getent passwd does find the user:

getent passwd "testdom\pghimire"
pghimire:*:3001:3002::/home/TESTDOM/pghimire:/bin/false

- Even if we add the permissions for the user in smb.conf the above still fails.

The following is the nsswitch.conf:

#passwd: compat
#group: compat
shadow: compat
passwd: files winbind
group: files winbind

The following is the member server's smb.conf:

netbios name = FS01
security = ADS
workgroup = TESTDOM
realm = TESTDOM.GROUP
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# wins server = 192.168.1.18
log level = 2 auth:5
syslog = 0
log file = /var/log/samba-ad-dc/log.%m
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

Regards,
Praveen Ghimire
On Thu, 12 Apr 2018 06:47:45 +0000 Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi,
>
> We ran the classic upgrade and migrated the domain. We were then
> able to add a Windows Server 2008R2 and dcpromo it.
>
> Here are some of the issues we are seeing post migration
>
> - Pre the migration, the password backend was LDAP. We had
> some groups that we had migrated into LDAP from TDB. These groups
> don't seem to have come up in AD.
>
> - Any groups that were created in LDAP did show up in AD.
>
> - We have a member server which we joined to the AD using
> the following
>
> net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- TESTDOM
> Joined 'fs01' to dns domain 'testdom.group'
> net_update_dns_internal: Failed to connect to our DC!
> DNS update failed!
>
> Ran the samba_dnsupdate -verbose -all-names on the Samba 4 AD DC box
> and got the following;
>
> TSIG error with server: tsig verify failure
> Failed nsupdate: 2
> Failed update of 27 entries
>
> - Using a Windows 7 machine, we tried to access the shares
> in the member server and it fails with the following in the logs
>
> user 'TESTDOM\pghimire' (from session setup) not permitted to access
> this share (downloads)
>
> The user is a member of a group who has permissions for the folder
> (in smb.conf). This was one of the groups that didn't migrate to AD,
> so we set up the group in AD and added the user as a member.
>
> Using smbclient the user account is able to enumerate all the shares
> in the Samba 4 DC and the member server
>
> - getent passwd does find the user
>
> getent passwd "testdom\pghimire"
>
> pghimire:*:3001:3002::/home/TESTDOM/pghimire:/bin/false
>
> - Even if we add the permissions for the user in smb.conf
> the above still fails.
>
> The following is the nsswitch.conf
> #passwd: compat
> #group: compat
> shadow: compat
> passwd: files winbind
> group: files winbind
>
> The following is the member server's smb.conf
>
> netbios name = FS01
> security = ADS
> workgroup = TESTDOM
> realm = TESTDOM.GROUP
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # wins server = 192.168.1.18
> log level = 2 auth:5
> syslog = 0
> log file = /var/log/samba-ad-dc/log.%m
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes

Your smb.conf isn't set up correctly, I would expect to see 'idmap config' lines for 'TESTDOM'. See here for more info:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
On Thu, 12 Apr 2018 10:48:04 +0000 Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> I added the following, reloaded the samba configs, joined the member
> server to the AD domain again
>
> [global]
> netbios name = FS01
> security = ADS
> workgroup = TESTDOM
> realm = TESTDOM.GROUP
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> idmap config TESTDOM:backend = ad
> idmap config TESTDOM:schema_mode = rfc2307
> idmap config TESTDOM:range = 10000-999999
>
> I get the following
>
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> [2018/04/12 20:20:34.389732, 0]
> passdb/lookup_sid.c:1684(get_primary_group_sid)
> Failed to find a Unix account for peter
> user 'TESTDOM\pghimire' (from session setup) not
> permitted to access this share (data)
>
> Just to confirm getent is working
> getent group gives me all the groups in AD DC
>
> allowed rodc password replication group:x:3012:
> enterprise read-only domain controllers:x:3013:
> denied rodc password replication group:x:3008:krbtgt
> read-only domain controllers:x:3014:
> group policy creator owners:x:3007:administrator
> ras and ias servers:x:3015:
> domain controllers:x:3016:
> enterprise admins:x:3009:administrator

Hmm, where is 'Domain Users' and the groups are (rightly) being mapped to the '*' domain.

Does 'Domain Users' have a 'gidNumber' attribute containing a number inside the '10000-999999' range ?

Do your users have a 'uidNumber' attribute containing a unique number inside the same range ?

What version of Samba are you using ? If it is less than 4.6.0 then you also need this line:

winbind nss info = rfc2307

From 4.6.0 it is replaced by:

idmap config TESTDOM : unix_nss_info = yes

Rowland
Hi Rowland,

The issue seems to be due to the groups who decided not to show up in AD. Strangely, even when we added the group with the same name in the AD, it didn't resolve the issue. Even though smb.conf dictates that the user has to be a member of a group with that name. Using getent group, we can see the group.

Does Samba hold on to the SID of the group somehow? Is there a way to get those lost groups into AD? ;)

Regards,
Praveen Ghimire

-------- Original message --------
From: Rowland Penny via samba <samba at lists.samba.org>
Date: 12/04/2018 9:21 PM (GMT+10:00)
To: samba at lists.samba.org
Subject: Re: [Samba] Issues post AD migration

On Thu, 12 Apr 2018 10:48:04 +0000 Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> I added the following, reloaded the samba configs, joined the member
> server to the AD domain again
>
> [global]
> netbios name = FS01
> security = ADS
> workgroup = TESTDOM
> realm = TESTDOM.GROUP
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> idmap config TESTDOM:backend = ad
> idmap config TESTDOM:schema_mode = rfc2307
> idmap config TESTDOM:range = 10000-999999
>
> I get the following
>
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> [2018/04/12 20:20:34.389732, 0]
> passdb/lookup_sid.c:1684(get_primary_group_sid)
> Failed to find a Unix account for peter
> user 'TESTDOM\pghimire' (from session setup) not
> permitted to access this share (data)
>
> Just to confirm getent is working
> getent group gives me all the groups in AD DC
>
> allowed rodc password replication group:x:3012:
> enterprise read-only domain controllers:x:3013:
> denied rodc password replication group:x:3008:krbtgt
> read-only domain controllers:x:3014:
> group policy creator owners:x:3007:administrator
> ras and ias servers:x:3015:
> domain controllers:x:3016:
> enterprise admins:x:3009:administrator

Hmm, where is 'Domain Users' and the groups are (rightly) being mapped to the '*' domain.

Does 'Domain Users' have a 'gidNumber' attribute containing a number inside the '10000-999999' range ?

Do your users have a 'uidNumber' attribute containing a unique number inside the same range ?

What version of Samba are you using ? If it is less than 4.6.0 then you also need this line:

winbind nss info = rfc2307

From 4.6.0 it is replaced by:

idmap config TESTDOM : unix_nss_info = yes

Rowland
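As an added example, not from the thread and not Samba's own code: a small offline Python lint for the two things Rowland asks about. The first half parses a member server's smb.conf and flags a missing per-domain 'idmap config' block (the first post's problem), a domain range that overlaps the '*' range, and the 'ad' backend options that differ before and after Samba 4.6.0. The second half reads an LDIF dump of users and of 'Domain Users' and reports accounts without a uidNumber, or a 'Domain Users' group without a gidNumber, inside the domain's range. The smb.conf fragments are copied from the posts; the LDIF sample is constructed (attribute lines only, in the shape ldbsearch prints, dn lines omitted), and the 'peter' account in it is assumed to lack a uidNumber so that the failing case shows up.

```python
import re

# Added example (not Samba project code): smb.conf lines are copied from the thread, the LDIF is constructed.
IDMAP_RE = re.compile(r"^idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.*?)\s*$", re.I)
PARAM_RE = re.compile(r"^(?P<key>[\w ]+?)\s*=\s*(?P<val>.*?)\s*$")

def parse_smb_conf(text):
    """Return (params, idmap): global parameters keyed by lowercased name and
    'idmap config' settings keyed by upper-cased domain name."""
    params, idmap = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        if m := IDMAP_RE.match(line):
            idmap.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
        elif m := PARAM_RE.match(line):
            params[m["key"].lower()] = m["val"]
    return params, idmap

def lint_idmap(text, samba_version=(4, 6, 0)):
    """Problems with a domain member's idmap setup, as a list of strings."""
    params, idmap = parse_smb_conf(text)
    dom = params.get("workgroup", "").upper()
    problems, ranges = [], {}
    for name in ("*", dom):  # the default domain and the joined domain each need a backend and a range
        cfg = idmap.get(name)
        if cfg is None:
            problems.append(f"no 'idmap config {name} : ...' lines")
            continue
        problems += [f"'idmap config {name} : {k}' not set" for k in ("backend", "range") if k not in cfg]
        if "range" in cfg:
            ranges[name] = tuple(int(x) for x in cfg["range"].split("-"))
    if len(ranges) == 2:  # the two ranges must not overlap
        (a, b), (c, d) = ranges["*"], ranges[dom]
        if a <= d and c <= b:
            problems.append(f"'*' range {a}-{b} overlaps {dom} range {c}-{d}")
    cfg = idmap.get(dom, {})
    if cfg.get("backend", "").lower() == "ad":  # 'ad' reads uidNumber/gidNumber straight from AD
        if cfg.get("schema_mode", "").lower() != "rfc2307":
            problems.append(f"'idmap config {dom} : schema_mode = rfc2307' not set")
        if samba_version < (4, 6, 0):
            if params.get("winbind nss info", "").lower() != "rfc2307":
                problems.append("'winbind nss info = rfc2307' needed before Samba 4.6.0")
        elif cfg.get("unix_nss_info", "").lower() != "yes":
            problems.append(f"'idmap config {dom} : unix_nss_info = yes' not set")
    return problems

def parse_ldif(text):
    """Yield each blank-line-separated LDIF entry as {attribute: [values]}."""
    entry = {}
    for line in text.splitlines() + [""]:
        if line.strip():
            key, _, val = line.partition(":")
            entry.setdefault(key.strip(), []).append(val.strip())
        elif entry:
            yield entry
            entry = {}

def check_rfc2307(ldif_text, lo, hi):
    """Users with no uidNumber in lo..hi, and 'Domain Users' with no gidNumber there."""
    problems = []
    for e in parse_ldif(ldif_text):
        name = e.get("sAMAccountName", ["?"])[0]
        classes = [c.lower() for c in e.get("objectClass", [])]
        if "group" in classes and name.lower() == "domain users":
            gid = e.get("gidNumber", [None])[0]  # winbind needs this to resolve a user's primary group
            if gid is None or not lo <= int(gid) <= hi:
                problems.append(f"'Domain Users' has no gidNumber in {lo}-{hi}")
        elif "user" in classes and "computer" not in classes:
            uid = e.get("uidNumber", [None])[0]
            if uid is None or not lo <= int(uid) <= hi:
                problems.append(f"user {name} has no uidNumber in {lo}-{hi}")
    return problems

SMB_CONF_BEFORE = """[global]
workgroup = TESTDOM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
"""
SMB_CONF_AFTER = SMB_CONF_BEFORE + """idmap config TESTDOM:backend = ad
idmap config TESTDOM:schema_mode = rfc2307
idmap config TESTDOM:range = 10000-999999
idmap config TESTDOM : unix_nss_info = yes
"""
LDIF = """objectClass: user
sAMAccountName: pghimire
uidNumber: 10001

objectClass: user
sAMAccountName: peter

objectClass: group
sAMAccountName: Domain Users
"""

if __name__ == "__main__":
    for label, conf in (("before", SMB_CONF_BEFORE), ("after", SMB_CONF_AFTER)):
        print(label, lint_idmap(conf) or "ok")
    print("AD attributes:", check_rfc2307(LDIF, 10000, 999999) or "ok")
```

Feed check_rfc2307 the output of an ldbsearch for users and groups against the DC's sam.ldb (with the domain range from smb.conf) to see which accounts winbind's 'ad' backend cannot map. The "Failed to find a Unix account for ..." line in the thread is what smbd logs when the NSS lookup for a user fails, which with idmap backend 'ad' is what happens to a user whose uidNumber is missing or outside the configured range; the getent output in the thread, with all gids in the 3000-7999 '*' range, is the corresponding symptom on the group side.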