samba - Jul 2018 - Samba 4.3.13 logon oddity on Solaris 10

On Fri, 22 Jun 2018 13:38:14 +0200
Bernd Markgraf <bernd.markgraf at med.ovgu.de> wrote:
> On Wed, 2018-06-20 at 14:20 +0100, Rowland Penny via samba wrote:
> > On Wed, 20 Jun 2018 15:01:12 +0200
> > Bernd Markgraf <bernd.markgraf at med.ovgu.de> wrote:
> > > I would like to see that behaviour on my machine too ;-)
> > 
> > Then just do what I do, use only winbind.
> That's what I have now.
> pre-winbind (ldap in nsswitch.conf)
> 
> root.niihau ~ # wbinfo --uid-info=10058
> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for uid 10058
> root.niihau ~ # wbinfo -i markgrafb
> markgrafb:*:4294967295:4294967295::/home/markgrafb:/usr/bin/tcsh
> root.niihau ~ # getent passwd markgrafb
> markgrafb:x:10058:10001:Bernd Markgraf:/home/markgrafb:/usr/bin/tcsh
> root.niihau ~ # getent group pakan
> pakan::10066:
> 
> I copied nss_winbind.so.1 and the pam module into the appropriate
> places and set nsswitch.conf to
> 
> passwd:     files winbind
> group:      files winbind
> 
> Now I get:
> root.niihau ~ # getent group pakan
> pakan:x:-1:
> root.niihau ~ # getent passwd markgrafb
> markgrafb:*:-1:-1::/home/markgrafb:/usr/bin/tcsh
> root.niihau ~ # wbinfo -i markgrafb
> markgrafb:*:4294967295:4294967295::/home/markgrafb:/usr/bin/tcsh
> root.niihau ~ # wbinfo --uid-info 10058
> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for uid 10058
> 
> So for now back to using LDAP so at least OS logins work and Samba
> shares can be used at the second connection attempt.
You would need to run (as root) 'net cache flush' after changing to
winbind.
> > Do you store your users & groups in several places ? if not, why
> > would you need to use different name services ?
> Again more of the theoretical/academic question. But I already had the
> need to use different services at once in the past. Mostly in the
> transition times NIS->NIS+->LDAP. Again I wouldn't say it never
> happens and rule out the possibility to do so one day.
Er, you raised the possibility of using different name services, not I.
> 
> > > I should have a correctly setup smb.conf now too. I just
don't use
> > > winbindd to provide users on the OS level... 
> > 
> > Why not ? using it means you have only place to set up and maintain.
> LDAP+Kerberos on the OS level is a lot easier to maintain. Regular OS
> patches and things are sorted. Updating Samba to anything halfway
> recent involves building things from source unfortunately.
This is indeed a problem, Samba is a rapidly moving target, but the
fileserver components are really fairly stable.
> 
> > > Where do I dig next?
> > You could try reading this:
> > 
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > 
> Apart from skipping the * lines in smb.conf that's what I used. 
And you need those lines, without them, there is nowhere to store and
allocate IDs for the 'Well known SIDs'

All I can tell you is, With a correctly set up smb.conf on a Unix
domain member, you do not need ldap for authentication, yes there may
be times when you need to carry out an ldapsearch, but most of the time
you can use kerberos instead.

Rowland

Do you agree that this is a valid smb.conf that should work:
[global]
       security = ADS
       encrypt passwords = yes
       workgroup = MD-DZNE
       realm = MAGDEBURG.DZNE.DS

       log file = /opt/samba4/var/log/%m.log
       log level = 1 

       idmap config *:backend = tdb
       idmap config *:range = 3000-7999
       idmap config MD-DZNE:backend = ad
       idmap config MD-DZNE:schema_mode = rfc2307
       idmap config MD-DZNE:range = 10000-999999

       winbind nss info = rfc2307
       winbind use default domain = yes
       winbind enum users = Yes
       winbind enum groups = Yes
       kerberos method = system keytab

> You would need to run (as root) 'net cache flush' after changing to
> winbind.
I've done that and I still see the same symptoms. All UID/GID are 
still -1.
> > > > Where do I dig next?
> > > 
> > > You could try reading this:
> > > 
> > > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Mem
> > > ber
> > Apart from skipping the * lines in smb.conf that's what I used. 
> And you need those lines, without them, there is nowhere to store and
> allocate IDs for the 'Well known SIDs'
I already had those before my last mail. So if the above config should
work, where do I poke next to find out why it fails the authenticate 
users on the first connection attempt and why winbindd/wbinfo return
all UID/GID as -1
> All I can tell you is, With a correctly set up smb.conf on a Unix
> domain member, you do not need ldap for authentication, yes there may
> be times when you need to carry out an ldapsearch, but most of the
> time you can use kerberos instead.
Regardless of using LDAP directly or winbindd it fails to return the ID
numbers which are present in the user objects when I use Samba's tools.
If above config is valid and should work, it is a bug a would like to
see fixed and I am willing to help as much as I can with that.

  Bernd

On Mon, 02 Jul 2018 12:04:10 +0200
Bernd Markgraf <bernd.markgraf at med.ovgu.de> wrote:
> Do you agree that this is a valid smb.conf that should work:
> [global]
>        security = ADS
>        encrypt passwords = yes
>        workgroup = MD-DZNE
>        realm = MAGDEBURG.DZNE.DS
> 
>        log file = /opt/samba4/var/log/%m.log
>        log level = 1 
> 
>        idmap config *:backend = tdb
>        idmap config *:range = 3000-7999
>        idmap config MD-DZNE:backend = ad
>        idmap config MD-DZNE:schema_mode = rfc2307
>        idmap config MD-DZNE:range = 10000-999999
> 
>        winbind nss info = rfc2307
>        winbind use default domain = yes
>        winbind enum users = Yes
>        winbind enum groups = Yes
>        kerberos method = system keytab
> 
Provided that your users have a uidNumber attribute containing a unique
number inside the '10000-999999' range AND Domain Users has a gidNumber
attribute containing a number inside the same range, then, yes it is a
valid smb.conf. These attributes are not added automatically, you must
add them manually.

There are lines I would remove though:

encrypt passwords = yes # This a default setting

winbind enum users = Yes
winbind enum groups = Yes # These are not required and can slow things
down.
 
kerberos method = system keytab # you shouldn't really have this.

Rowland