samba - Sep 2018 - Fwd: Having problem with RID backend - must be missing something

----- On Sep 14, 2018, at 4:56 AM, Rowland Penny via samba samba at
lists.samba.org wrote:
> What OS ?
> If it is debian, do you have libpam_krb5 installed ?
It is CentOS 7.  I feel stupid because it was super simple. See Below.
> Having rfc2307 attributes in AD shouldn't affect the way the
'rid'
> backend works.
> 
I was thinking this as well.
> 
> Did you find it easy to understand ?
> 
I thought so but it wasn't working so I didn't know what to think.  
> there doesn't seem to be anything really wrong
And there wasn't!  
> What packages did you install to make Samba work ?
I didn't use RPMs or any pre-built packages - I downloaded
samba-latest.tar.gz and compiled from scratch.  If you're referring to OS
specific packages I followed the wiki on package requirements for building
samba.  My yum commands to install all the requirements were these:

yum -y groupinstall 'Development Tools'

yum -y install epel-release

yum -y install attr bind-utils docbook-style-xsl krb5-workstation \
       libsemanage-python libxslt perl-ExtUtils-MakeMaker \
       perl-Parse-Yapp policycoreutils-python perl-Test-Base \
       python2-crypto gnutls-devel libattr-devel keyutils-libs-devel \
       libacl-devel libaio-devel libblkid-devel libxml2-devel openldap-devel \
       pam-devel popt-devel python-devel readline-devel zlib-devel systemd-devel

So I compiled it with the options to create the systemd service files and it did
but I had to move them to the proper location to use them.  First time I tested
I manually started the services and forgot about enabling them to run with
system startup.  I had made some changes to config files and for some reason
unknown right now I rebooted the server.  I had only started the smb and nmb
daemons and not winbind.  It doesn't work very well if winbind is not
running if you want to use any backend for idmapping.  After enabling all three
services and making sure all three were running the RID backend works great as
configured.

I will take your advice on the kerberos lines though and take those out.  Not
using squid or anything like that.

If you have any suggestions on optimizations I could make on either the file
server of the DC that would be great.  My overall goal is I am creating a small
business server type solution with vmware and multiple VMs encompassing a domain
controller, file server, email server (using Zimbra), backup server, and vpn
server (using SoftEther) using all free and open source software.  My plan once
I get all the components together is to put together a website detailing the
setup so that others can benefit from this solution.  I'm sure there are
people looking for Microsoft alternatives that could benefit from having all the
steps in one place.

Thanks for your help!
Rich

On Fri, 14 Sep 2018 10:52:36 -0400 (EDT)
Rich Webb via samba <samba at lists.samba.org> wrote:
> ----- On Sep 14, 2018, at 4:56 AM, Rowland Penny via samba
> samba at lists.samba.org wrote:
> > What OS ?
> > If it is debian, do you have libpam_krb5 installed ?
> 
> It is CentOS 7.  I feel stupid because it was super simple. See Below.
> 
> > Having rfc2307 attributes in AD shouldn't affect the way the
'rid'
> > backend works.
> > 
> 
> I was thinking this as well.
> 
> > 
> > Did you find it easy to understand ?
> > 
> 
> I thought so but it wasn't working so I didn't know what to think.
Perhaps I need to add a note about sssd.
  
> 
> > there doesn't seem to be anything really wrong
> 
> And there wasn't!  
> 
> > What packages did you install to make Samba work ?
> 
> I didn't use RPMs or any pre-built packages - I downloaded
> samba-latest.tar.gz and compiled from scratch.  If you're referring
> to OS specific packages I followed the wiki on package requirements
> for building samba.  My yum commands to install all the requirements
> were these:
> 
> yum -y groupinstall 'Development Tools'
> 
> yum -y install epel-release
> 
> yum -y install attr bind-utils docbook-style-xsl krb5-workstation \
>        libsemanage-python libxslt perl-ExtUtils-MakeMaker \
>        perl-Parse-Yapp policycoreutils-python perl-Test-Base \
>        python2-crypto gnutls-devel libattr-devel keyutils-libs-devel \
>        libacl-devel libaio-devel libblkid-devel libxml2-devel
> openldap-devel \ pam-devel popt-devel python-devel readline-devel
> zlib-devel systemd-devel
> 
Okay, can only speak for debian, but you need the glue that connects
Samba to nsswitch (a link to how to set this up was on the domain
member page, but it wasn't obvious, hopefully it is now), see here:

https://wiki.samba.org/index.php/Libnss_winbind_Links
> So I compiled it with the options to create the systemd service files
> and it did but I had to move them to the proper location to use
> them.  First time I tested I manually started the services and forgot
> about enabling them to run with system startup.  I had made some
> changes to config files and for some reason unknown right now I
> rebooted the server.  I had only started the smb and nmb daemons and
> not winbind.  It doesn't work very well if winbind is not running if
> you want to use any backend for idmapping.  After enabling all three
> services and making sure all three were running the RID backend works
> great as configured. 
Do you have sssd installed, if so, make a decision, do you want too use
winbind or sssd ?

If sssd, stop using winbind and ignore the link above.
If winbind (which I suggest), stop using sssd
> 
> I will take your advice on the kerberos lines though and take those
> out.  Not using squid or anything like that.  
> 
> If you have any suggestions on optimizations I could make on either
> the file server of the DC that would be great.  My overall goal is I
> am creating a small business server type solution with vmware and
> multiple VMs encompassing a domain controller, file server, email
> server (using Zimbra), backup server, and vpn server (using
> SoftEther) using all free and open source software.  My plan once I
> get all the components together is to put together a website
> detailing the setup so that others can benefit from this solution.
> I'm sure there are people looking for Microsoft alternatives that
> could benefit from having all the steps in one place.  
There is a problem with using Centos as the base OS, you must compile
Samba, the default OS Samba packages cannot be used to create a DC

Rowland

----- On Sep 14, 2018, at 11:29 AM, Rowland Penny via samba samba at
lists.samba.org wrote:
> Perhaps I need to add a note about sssd.
Not sure what sssd is - I will research.
 
> Okay, can only speak for debian, but you need the glue that connects
> Samba to nsswitch (a link to how to set this up was on the domain
> member page, but it wasn't obvious, hopefully it is now), see here:
> 
> https://wiki.samba.org/index.php/Libnss_winbind_Links
> 
Yes, I didn't mention it but I did do this step
> 
> Do you have sssd installed, if so, make a decision, do you want too use
> winbind or sssd ?
> 
> If sssd, stop using winbind and ignore the link above.
> If winbind (which I suggest), stop using sssd
> 
I do not know the difference - I believe I'm using winbind now with the Rid
backend.
> There is a problem with using Centos as the base OS, you must compile
> Samba, the default OS Samba packages cannot be used to create a DC
Yes, that is how I did it - I compiled from source.  

Thanks,
Rich

On Fri, 14 Sep 2018 18:50:02 -0400 (EDT)
Rich Webb via samba <samba at lists.samba.org> wrote:
> ----- On Sep 14, 2018, at 11:29 AM, Rowland Penny via samba
> samba at lists.samba.org wrote:
> 
> > Perhaps I need to add a note about sssd.
> 
> Not sure what sssd is - I will research.
sssd is red-hats take on winbind (it actually uses some of the winbind
code), but it does more (not that it needs to)
>  
> > Okay, can only speak for debian, but you need the glue that connects
> > Samba to nsswitch (a link to how to set this up was on the domain
> > member page, but it wasn't obvious, hopefully it is now), see
here:
> > 
> > https://wiki.samba.org/index.php/Libnss_winbind_Links
> > 
> 
> Yes, I didn't mention it but I did do this step
Including modifying /etc/nsswitch.conf ?
> 
> > 
> > Do you have sssd installed, if so, make a decision, do you want too
> > use winbind or sssd ?
> > 
> > If sssd, stop using winbind and ignore the link above.
> > If winbind (which I suggest), stop using sssd
> > 
> 
> I do not know the difference - I believe I'm using winbind now with
> the Rid backend.
You would know, if you are sssd in the same way as the winbind 'rid'
backend, you will get very large ID's
> 
> > There is a problem with using Centos as the base OS, you must
> > compile Samba, the default OS Samba packages cannot be used to
> > create a DC
> 
> Yes, that is how I did it - I compiled from source.  
Exactly as per the Samba wiki using Heimdal instead of MIT ?

Rowland