On Tue, 19 Jun 2018 13:07:56 +0200 Bernd Markgraf <bernd.markgraf at med.ovgu.de> wrote:

> On Tue, 2018-06-19 at 11:04 +0100, Rowland Penny via samba-technical wrote:
> > On Tue, 19 Jun 2018 11:12:11 +0200
> > Bernd Markgraf via samba-technical <samba-technical at lists.samba.org> wrote:
> >
> > > Hi,
> > >
> > > I just finished building Samba 4.3.13 on a Solaris 10 box and
> > > successfully joined it to a domain. DC is Samba 4.3.13 on FreeBSD.
> > > The OS itself uses LDAP+Kerberos to authenticate users on the Unix
> > > level and that works just fine.
> >
> > Why are you using LDAP for authentication on a Unix domain member?
>
> Because it just works and is straightforward to set up and things like
> ldaplist&co work. Until I resolved the open issue I'll just leave
> things as they are.

Yes, but it's not working, is it, not at first anyway. Samba expects to use winbind and it is only half set up.

> One thing I forgot to mention in the previous mail - once logged into
> a share files are indeed created with the correct owner/uidnumber as
> stored in the user's LDAP record.

What LDAP record? You said the DC was a Samba AD DC, so I take it you are referring to the user's AD object. The only place I would use something like nslcd (I take it this is what you are using) is on a DC, and only then to obtain the user's homedir and shell from AD. You have to run winbind, so why not use it fully?

Rowland
On Tue, 2018-06-19 at 12:44 +0100, Rowland Penny via samba wrote:

> > > Why are you using LDAP for authentication on a Unix domain member?
> >
> > Because it just works and is straightforward to set up and things
> > like ldaplist&co work. Until I resolved the open issue I'll just
> > leave things as they are.
>
> Yes, but it's not working, is it, not at first anyway. Samba expects
> to use winbind and it is only half set up.

On the OS level everything works flawlessly (without using winbind). Login upon first try, Kerberos ticket properly issued, uid/gid set to the numbers provided from the LDAP (Samba DC) backend. I would simply expect smbd to use the uid/gid provided by whatever backend if present in the user's data. The only thing not working as expected is when I try to connect to a share provided by smbd running on that machine. That takes two login attempts.

> > One thing I forgot to mention in the previous mail - once logged into
> > a share files are indeed created with the correct owner/uidnumber as
> > stored in the user's LDAP record.
>
> What LDAP record? You said the DC was a Samba AD DC, so I take it
> you are referring to the user's AD object.

Well, yes - assuming AD is just a fancy way to bundle LDAP+Kerberos ;-) You can just use about any LDAP tools to retrieve information from a Samba AD DC and see all attributes set.

> The only place I would use something like nslcd (I take it this is
> what you are using) is on a DC, and only then to obtain the user's
> homedir and shell from AD.

No, I'm not using nslcd. Solaris provides its own set of tools and clients for various name service backends. Usually the different backends are accessed through nscd, which deals with the clients for the different types of name services.

> You have to run winbind, so why not use it fully?

I already have

   idmap config MD-DZNE:backend = ad
   idmap config MD-DZNE:schema_mode = rfc2307
   idmap config MD-DZNE:range = 10000-999999

   winbind nss info = rfc2307
   winbind use default domain = yes
   winbind enum users = Yes
   winbind enum groups = Yes

in my smb.conf and winbindd is running. I just don't see why I should use third-party stuff to do user authentication on the OS side when the system's own mechanisms work just fine. And as long as I haven't figured out why wbinfo doesn't return the IDs I assigned to the users, I'd rather not try to use winbind for Unix logins on that machine.

   markgrafb.niihau ~ > wbinfo -i markgrafb
   markgrafb:*:4294967295:4294967295::/home/markgrafb:/usr/bin/tcsh
   markgrafb.niihau ~ > getent passwd markgrafb
   markgrafb:x:10058:10001:Bernd Markgraf:/home/markgrafb:/usr/bin/tcsh

I would expect to see the same output from both commands.

Bernd
On Tue, 19 Jun 2018 21:08:46 +0200 Bernd Markgraf <bernd.markgraf at med.ovgu.de> wrote:

> On Tue, 2018-06-19 at 12:44 +0100, Rowland Penny via samba wrote:
> > > > Why are you using LDAP for authentication on a Unix domain
> > > > member?
> > >
> > > Because it just works and is straightforward to set up and things
> > > like ldaplist&co work. Until I resolved the open issue I'll just
> > > leave things as they are.
> >
> > Yes, but it's not working, is it, not at first anyway. Samba expects
> > to use winbind and it is only half set up.
>
> On the OS level everything works flawlessly (without using winbind).
> Login upon first try, Kerberos ticket properly issued, uid/gid set to
> the numbers provided from the LDAP (Samba DC) backend.

Well, yes, it would work to allow login to the computer; it is bypassing Samba and going direct to the info stored in AD.

> I would simply expect smbd to use the uid/gid provided by whatever
> backend if present in the user's data.

Er, no. smbd asks winbind for the info, and if this doesn't know who the user is it fails, but after the user logs in, then it does.

> The only thing not working as expected is when I try to connect to a
> share provided by smbd running on that machine. That takes two login
> attempts.

Yes, one fail and then success. I use winbind and get just the success, no fails.

> > > One thing I forgot to mention in the previous mail - once logged
> > > into a share files are indeed created with the correct owner/uidnumber
> > > as stored in the user's LDAP record.
> >
> > What LDAP record? You said the DC was a Samba AD DC, so I take it
> > you are referring to the user's AD object.
>
> Well, yes - assuming AD is just a fancy way to bundle
> LDAP+Kerberos ;-) You can just use about any LDAP tools to retrieve
> information from a Samba AD DC and see all attributes set.

Yes, and any Unix domain client running winbind can do the same. The only place it doesn't fully work is on a Samba AD DC.

> > The only place I would use something like nslcd (I take it this is
> > what you are using) is on a DC, and only then to obtain the user's
> > homedir and shell from AD.
>
> No, I'm not using nslcd. Solaris provides its own set of tools and
> clients for various name service backends. Usually the different
> backends are accessed through nscd, which deals with the clients for
> the different types of name services.

You cannot use nscd with winbind, their caches clash.

> > You have to run winbind, so why not use it fully?
>
> I already have
>
>    idmap config MD-DZNE:backend = ad
>    idmap config MD-DZNE:schema_mode = rfc2307
>    idmap config MD-DZNE:range = 10000-999999
>
>    winbind nss info = rfc2307
>    winbind use default domain = yes
>    winbind enum users = Yes
>    winbind enum groups = Yes

No you haven't, there are no lines for the '*' domain.

> in my smb.conf and winbindd is running.
> I just don't see why I should use third-party stuff to do user
> authentication on the OS side when the system's own mechanisms work
> just fine. And as long as I haven't figured out why wbinfo doesn't
> return the IDs I assigned to the users, I'd rather not try to use
> winbind for Unix logins on that machine.
>
>    markgrafb.niihau ~ > wbinfo -i markgrafb
>    markgrafb:*:4294967295:4294967295::/home/markgrafb:/usr/bin/tcsh
>    markgrafb.niihau ~ > getent passwd markgrafb
>    markgrafb:x:10058:10001:Bernd Markgraf:/home/markgrafb:/usr/bin/tcsh
>
> I would expect to see the same output from both commands.

You should:

   rowland at devstation:~$ wbinfo -i rowland
   rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
   rowland at devstation:~$ getent passwd rowland
   rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

The only difference between your setup (apart from the OS) and mine: I use winbind and have a correctly set up smb.conf.

Rowland
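As an added example (not from this thread and not Samba's own code), the following Python script parses the `idmap config DOMAIN : option = value` lines of an smb.conf and reports what Rowland points out: no default `*` domain, a domain without backend or range, and ranges that overlap. The sample configurations are constructed from the idmap lines posted above; the added `*` domain (tdb backend, range 3000-7999) is an assumed value chosen for the example, not a recommendation from the thread. The 4294967295 in the posted `wbinfo -i` output is 2^32-1, i.e. -1 as an unsigned 32-bit id, which is what wbinfo shows when winbind has no Unix id for the user; the script exposes that as a named sentinel so a check can recognise it.

```python
"""Sanity checks for the idmap part of an smb.conf on a Samba Unix domain member.

Added example: parses 'idmap config DOMAIN : option = value' lines and reports
the omissions a winbind setup commonly fails on.
"""
import re
from typing import Dict, List, Tuple

# 4294967295 == 2**32 - 1 == (uint32_t)-1: what wbinfo -i shows when winbind
# has no Unix id for the user.
UNMAPPED_ID = 2**32 - 1

# Constructed sample: the idmap lines from the thread, with no '*' domain.
SMB_CONF_INCOMPLETE = """
[global]
   idmap config MD-DZNE:backend = ad
   idmap config MD-DZNE:schema_mode = rfc2307
   idmap config MD-DZNE:range = 10000-999999

   winbind nss info = rfc2307
   winbind use default domain = yes
"""

# Constructed fix: a default '*' domain on the tdb backend whose range does not
# overlap the AD range (3000-7999 is an assumed value for this example).
SMB_CONF_FIXED = SMB_CONF_INCOMPLETE + """
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
"""

_IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>[^:\s]+)\s*:\s*(?P<option>\S+)\s*=\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}}; domain names upper-cased, '*' kept as-is."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank line or comment
        m = _IDMAP_RE.match(line)
        if m:
            domain = m.group("domain").upper()
            domains.setdefault(domain, {})[m.group("option").lower()] = m.group("value")
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'low-high' (spaces around the dash tolerated); reject inverted ranges."""
    low, high = (int(x) for x in re.split(r"\s*-\s*", value.strip(), maxsplit=1))
    if low > high:
        raise ValueError(f"inverted range {value!r}")
    return low, high


def check_idmap(conf: str) -> List[str]:
    """Return a list of findings; an empty list means the idmap config passes."""
    findings: List[str] = []
    domains = parse_idmap(conf)
    if "*" not in domains:
        findings.append("no 'idmap config * : ...' lines: BUILTIN and every domain "
                        "not listed explicitly have no backend and no range")
    ranges: Dict[str, Tuple[int, int]] = {}
    for domain, opts in domains.items():
        if "backend" not in opts:
            findings.append(f"{domain}: no backend configured")
        if "range" not in opts:
            findings.append(f"{domain}: no range configured")
            continue
        try:
            ranges[domain] = parse_range(opts["range"])
        except ValueError as exc:
            findings.append(f"{domain}: {exc}")
    names = sorted(ranges)
    for i, a in enumerate(names):  # every pair of ranges must be disjoint
        for b in names[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                findings.append(f"ranges of {a} ({a_lo}-{a_hi}) and {b} ({b_lo}-{b_hi}) overlap")
    return findings


def id_in_domain_range(conf: str, domain: str, unix_id: int) -> bool:
    """With the 'ad' backend winbind only hands out uidNumber/gidNumber values inside the range."""
    opts = parse_idmap(conf).get(domain.upper(), {})
    if "range" not in opts:
        return False
    low, high = parse_range(opts["range"])
    return low <= unix_id <= high


def is_unmapped(unix_id: int) -> bool:
    """True for the sentinel wbinfo prints when no mapping was found."""
    return unix_id == UNMAPPED_ID


if __name__ == "__main__":
    for label, conf in (("as posted", SMB_CONF_INCOMPLETE), ("with '*' domain", SMB_CONF_FIXED)):
        findings = check_idmap(conf)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
    # uid 10058 / gid 10001 from the getent output sit inside MD-DZNE's range
    print("10058 in MD-DZNE range:", id_in_domain_range(SMB_CONF_FIXED, "MD-DZNE", 10058))
```

Run it as a script to see the finding for the posted configuration and a clean result once the `*` domain is present; after editing the real smb.conf, `testparm` followed by `wbinfo -i <user>` and `getent passwd <user>` is the check that the two outputs now agree.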