On Wed, 20 Jun 2018 15:01:12 +0200 Bernd Markgraf <bernd.markgraf at med.ovgu.de> wrote:

> > > On the OS level everything works flawlessly (without using winbind).
> > > Login upon first try, kerberos ticket properly issued, uid/gid set to the numbers provided from the LDAP (Samba DC) backend.
> > Well, yes it would work to allow login to the computer, it is bypassing Samba and going direct to the info stored in AD.
> That part works just as intended.
>
> > > I would simply expect smbd to use the uid/gid provided by whatever backend if present in the user's data.
> > Er no, smbd asks winbind for the info and if this doesn't know who the user is it fails, but after the user logs in, then it does.
> In general I wouldn't care what mechanism is used to identify the user... But as I see in the logfile that the user is identified/authenticated via winbind:
>
> [2018/06/20 14:28:15.299349, 5] ../source3/lib/username.c:159(Get_Pwnam_internals)
> Get_Pwnam_internals did find user [markgrafb]!
> [2018/06/20 14:28:15.299447, 3] ../source3/auth/auth.c:249(auth_check_ntlm_password)
> check_ntlm_password: winbind authentication for user [markgrafb] succeeded
>
> I don't quite understand why it fails to find the user a few steps later.
>
> > > The only thing not working as expected is when I try to connect to a share provided by smbd running on that machine. That takes two login attempts.
> > yes one fail and then success, I use winbind and just the success, no fails.
> I would like to see that behaviour on my machine too ;-)

Then just do what I do, use only winbind.

> > > > What LDAP record ? You said the DC was a Samba AD DC, so I take it you are referring to the users AD object.
> > > Well, yes - assuming AD is just a fancy way to bundle LDAP+Kerberos ;-) You can just use about any LDAP tools to retrieve information from a Samba AD DC and see all attributes set.
> > Yes and any Unix domain client running winbind can do the same. The only place it doesn't fully work is on a Samba AD DC.
> How would you retrieve any random attribute from the user object using Samba cli tools?

What 'random' attribute are we talking about here ? If you use winbind, it will obtain the username, home directory, shell etc. If you are talking about something like an email server, for instance, these usually can be set to use kerberos instead.

> > > > The only place I would use something like nslcd (I take it this is what you are using) is on a DC and only then to obtain the users homedir and shell from AD.
> > > No, I'm not using nslcd. Solaris provides its own set of tools and clients for various name service backends. Usually the different backends are accessed through nscd which deals with the clients for the different types of name services.
> > You cannot use nscd with winbind, their caches clash.
> I don't. But how do you go about it when you would have the need to use different name services on the same machine?

Do you store your users & groups in several places ? If not, why would you need to use different name services ?

> > > > You have to run winbind, so why not use it fully ?
> > > I already have
> > >
> > > idmap config MD-DZNE:backend = ad
> > > idmap config MD-DZNE:schema_mode = rfc2307
> > > idmap config MD-DZNE:range = 10000-999999
> > >
> > > winbind nss info = rfc2307
> > > winbind use default domain = yes
> > > winbind enum users = Yes
> > > winbind enum groups = Yes
> > >
> > No you haven't, there are no lines for the '*' domain.
> As suggested I added
>
> idmap config *:backend = tdb
> idmap config *:range = 3000-7999
>
> > > in my smb.conf and winbindd is running.
> > > I just don't see why I should use third party stuff to do user authentication on the OS side when the system's own mechanisms work just fine. And as long as I haven't figured out why wbinfo doesn't return the ids I assigned to the users I'd rather not try to use winbind for unix logins on that machine.
> > >
> > > markgrafb.niihau ~ > wbinfo -i markgrafb
> > > markgrafb:*:4294967295:4294967295::/home/markgrafb:/usr/bin/tcsh
> > > markgrafb.niihau ~ > getent passwd markgrafb
> > > markgrafb:x:10058:10001:Bernd Markgraf:/home/markgrafb:/usr/bin/tcsh
> > >
> > > I would expect to see the same output from both commands.
> >
> > You should:
> >
> > rowland at devstation:~$ wbinfo -i rowland
> > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> > rowland at devstation:~$ getent passwd rowland
> > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> That's what I would expect to see. But even after adding the lines for the * domain and reloading the config I still see no difference. Still the same output as before...
>
> > The only difference between your set up (apart from the OS) and mine, I use winbind and have a correctly set up smb.conf.
> I should have a correctly set up smb.conf now too. I just don't use winbindd to provide users on the OS level...

Why not ? Using it means you have only one place to set up and maintain.

> Where do I dig next?

You could try reading this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
On Wed, 2018-06-20 at 14:20 +0100, Rowland Penny via samba wrote:
> On Wed, 20 Jun 2018 15:01:12 +0200
> Bernd Markgraf <bernd.markgraf at med.ovgu.de> wrote:
> > I would like to see that behaviour on my machine too ;-)
>
> Then just do what I do, use only winbind.

That's what I have now.

Pre-winbind (ldap in nsswitch.conf):

root.niihau ~ # wbinfo --uid-info=10058
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 10058
root.niihau ~ # wbinfo -i markgrafb
markgrafb:*:4294967295:4294967295::/home/markgrafb:/usr/bin/tcsh
root.niihau ~ # getent passwd markgrafb
markgrafb:x:10058:10001:Bernd Markgraf:/home/markgrafb:/usr/bin/tcsh
root.niihau ~ # getent group pakan
pakan::10066:

I copied nss_winbind.so.1 and the pam module into the appropriate places and set nsswitch.conf to

passwd: files winbind
group: files winbind

Now I get:

root.niihau ~ # getent group pakan
pakan:x:-1:
root.niihau ~ # getent passwd markgrafb
markgrafb:*:-1:-1::/home/markgrafb:/usr/bin/tcsh
root.niihau ~ # wbinfo -i markgrafb
markgrafb:*:4294967295:4294967295::/home/markgrafb:/usr/bin/tcsh
root.niihau ~ # wbinfo --uid-info 10058
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 10058

So for now back to using LDAP so at least OS logins work and Samba shares can be used at the second connection attempt.

> > How would you retrieve any random attribute from the user object using Samba cli tools?
>
> What 'random' attribute are we talking about here ? If you use winbind, it will obtain the username, home directory, shell etc.

That's more an academic question. The schema has enough room to store information and if that's not enough one can easily extend it and retrieve that information using ldapsearch or ldaplist...

> If you are talking about something like an email server, for instance, these usually can be set to use kerberos instead.

There are various places where we used LDAP attributes in scripts to run jobs; though not needed on this box at the moment, the need may arise.

> > I don't. But how do you go about it when you would have the need to use different name services on the same machine?
>
> Do you store your users & groups in several places ? If not, why would you need to use different name services ?

Again more of a theoretical/academic question. But I already had the need to use different services at once in the past, mostly in the transition times NIS->NIS+->LDAP. Again, I wouldn't say it never happens and rule out the possibility to do so one day.

> > I should have a correctly set up smb.conf now too. I just don't use winbindd to provide users on the OS level...
>
> Why not ? Using it means you have only one place to set up and maintain.

LDAP+Kerberos on the OS level is a lot easier to maintain. Regular OS patches and things are sorted. Updating Samba to anything halfway recent involves building things from source unfortunately.

> > Where do I dig next?
> You could try reading this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>

Apart from skipping the * lines in smb.conf that's what I used.

Bernd
On Fri, 22 Jun 2018 13:38:14 +0200 Bernd Markgraf <bernd.markgraf at med.ovgu.de> wrote:

> On Wed, 2018-06-20 at 14:20 +0100, Rowland Penny via samba wrote:
> > On Wed, 20 Jun 2018 15:01:12 +0200
> > Bernd Markgraf <bernd.markgraf at med.ovgu.de> wrote:
> > > I would like to see that behaviour on my machine too ;-)
> >
> > Then just do what I do, use only winbind.
> That's what I have now.
>
> Pre-winbind (ldap in nsswitch.conf):
>
> root.niihau ~ # wbinfo --uid-info=10058
> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for uid 10058
> root.niihau ~ # wbinfo -i markgrafb
> markgrafb:*:4294967295:4294967295::/home/markgrafb:/usr/bin/tcsh
> root.niihau ~ # getent passwd markgrafb
> markgrafb:x:10058:10001:Bernd Markgraf:/home/markgrafb:/usr/bin/tcsh
> root.niihau ~ # getent group pakan
> pakan::10066:
>
> I copied nss_winbind.so.1 and the pam module into the appropriate places and set nsswitch.conf to
>
> passwd: files winbind
> group: files winbind
>
> Now I get:
>
> root.niihau ~ # getent group pakan
> pakan:x:-1:
> root.niihau ~ # getent passwd markgrafb
> markgrafb:*:-1:-1::/home/markgrafb:/usr/bin/tcsh
> root.niihau ~ # wbinfo -i markgrafb
> markgrafb:*:4294967295:4294967295::/home/markgrafb:/usr/bin/tcsh
> root.niihau ~ # wbinfo --uid-info 10058
> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for uid 10058
>
> So for now back to using LDAP so at least OS logins work and Samba shares can be used at the second connection attempt.

You would need to run (as root) 'net cache flush' after changing to winbind.

> > Do you store your users & groups in several places ? If not, why would you need to use different name services ?
> Again more of a theoretical/academic question. But I already had the need to use different services at once in the past, mostly in the transition times NIS->NIS+->LDAP. Again, I wouldn't say it never happens and rule out the possibility to do so one day.

Er, you raised the possibility of using different name services, not I.

> > > I should have a correctly set up smb.conf now too. I just don't use winbindd to provide users on the OS level...
> >
> > Why not ? Using it means you have only one place to set up and maintain.
> LDAP+Kerberos on the OS level is a lot easier to maintain. Regular OS patches and things are sorted. Updating Samba to anything halfway recent involves building things from source unfortunately.

This is indeed a problem, Samba is a rapidly moving target, but the fileserver components are really fairly stable.

> > > Where do I dig next?
> > You could try reading this:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> Apart from skipping the * lines in smb.conf that's what I used.

And you need those lines, without them there is nowhere to store and allocate IDs for the 'Well known SIDs'.

All I can tell you is, with a correctly set up smb.conf on a Unix domain member, you do not need ldap for authentication; yes there may be times when you need to carry out an ldapsearch, but most of the time you can use kerberos instead.

Rowland
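The two checks the thread keeps coming back to, the missing '*' idmap lines in smb.conf and wbinfo reporting 4294967295 (or -1) where getent shows a real uid, written up as a small POSIX shell script; this is an added example, not code from either poster or from Samba, and the smb.conf fragments it parses are constructed samples modelled on the ones quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. check_idmap verifies that
# an smb.conf has idmap lines for the '*' default domain and that no idmap ranges
# overlap; unmapped_id spots the 4294967295 / -1 IDs that wbinfo and getent return
# when winbind has no Unix ID for a SID.

# Constructed smb.conf fragment (not the poster's real file), with the '*' lines.
SAMPLE_SMB_CONF='[global]
   idmap config MD-DZNE:backend = ad
   idmap config MD-DZNE:schema_mode = rfc2307
   idmap config MD-DZNE:range = 10000-999999
   idmap config *:backend = tdb
   idmap config *:range = 3000-7999'

# The same fragment without the default-domain lines, as in the original config.
NO_STAR_SMB_CONF='[global]
   idmap config MD-DZNE:backend = ad
   idmap config MD-DZNE:range = 10000-999999'

# Print "domain lo hi" for every "idmap config <domain>:range = lo-hi" line on stdin.
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config \([^:]*\):range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Return 0 if the config on stdin has a '*' range and no two ranges overlap.
check_idmap() {
    ranges=$(idmap_ranges)
    printf '%s\n' "$ranges" | grep -q '^\* ' || {
        echo "missing 'idmap config *:range': nowhere to allocate IDs for well-known SIDs" >&2
        return 1
    }
    # Sort by low end; a range starting at or below the previous high end overlaps it.
    printf '%s\n' "$ranges" | sort -k2,2n | awk '
        NR > 1 && $2 <= prev_hi { printf "overlap: %s and %s\n", prev, $1 > "/dev/stderr"; bad = 1 }
        { prev = $1; prev_hi = $3 }
        END { exit bad }'
}

# Return 0 if a passwd- or group-style line (wbinfo -i, getent passwd/group) carries
# an unmapped ID: winbind reports 4294967295 (unsigned -1) or -1 in fields 3 and 4.
unmapped_id() {
    for id in $(printf '%s' "$1" | cut -d: -f3,4 | tr ':' ' '); do
        case "$id" in 4294967295|-1) return 0 ;; esac
    done
    return 1
}

printf '%s\n' "$SAMPLE_SMB_CONF" | check_idmap && echo "idmap config: OK"
```

Run against a live system with `testparm -s 2>/dev/null | check_idmap` and `unmapped_id "$(wbinfo -i "$USER")"`; the second check is what turns the 4294967295 in the quoted wbinfo output into a pass/fail signal.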