Barry D. Adkins
2018-Nov-16 02:08 UTC
[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?
The problem is that getenv does not return any AD domain users or groups. From much research this seems to be because nsswitch is not setup for Samba.

I would really appreciate some assistance as I think this is my last hurdle for actually being able to use this test file server.

Ubuntu server 18.04 - Samba installed and configured (almost)
Kerberos functioning.
wbinfo --ping-dc successfully contacts domain server
Browse server from windows client sees printer share

The Libnss winbind Links Wiki says to do this:

# smbd -b | grep LIBDIR      >>> smdb... doesn't work but samba -b does work
LIBDIR: /usr/local/samba/lib/
# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/
# ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
# ldconfig

Although as seen below there doesn't seem to be a LIBDIR entry, it seemed as if it might be /usr/lib/x86_64-linux-gnu/samba so I ran the above ln commands with this in mind. It didn't work. I also appended "files windbind" to the 2 entries in nsswitch.conf.

~$ samba -b
Samba version: 4.7.6-Ubuntu
Build environment:
Paths:
   BINDIR: /usr/bin
   SBINDIR: /usr/sbin
   CONFIGFILE: /etc/samba/smb.conf
   NCALRPCDIR: /var/run/samba/ncalrpc
   LOGFILEBASE: /var/log/samba
   LMHOSTSFILE: /etc/samba/lmhosts
   DATADIR: /usr/share
   MODULESDIR: /usr/lib/x86_64-linux-gnu/samba
   LOCKDIR: /var/run/samba
   STATEDIR: /var/lib/samba
   CACHEDIR: /var/cache/samba
   PIDDIR: /var/run/samba
   PRIVATE_DIR: /var/lib/samba/private
   CODEPAGEDIR: /usr/share/samba/codepages
   SETUPDIR: /usr/share/samba/setup
   WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
   NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd

It doesn't seem there is a LIBDIR. Not sure what to do about that. The folder /usr/local/samba/lib does not exist.

~$ locate libnss_winbind
/lib/x86_64-linux-gnu/libnss_winbind.so.2

Samba config:

[global]
	dns forwarder = my.DNS.ip.address
	dns proxy = No
	log file = /var/log/samba/log.%m
	logging = syslog at 1 /var/log/samba/log.%m
	map to guest = Bad User
	max log size = 1000
	panic action = /usr/share/samba/panic-action %d
	realm = DOMAIN.COM
	security = ADS
	server role = member server
	server string = %h server (Samba, Ubuntu)
	template shell = /bin/bash
	usershare allow guests = Yes
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind nss info = rfc2307
	winbind use default domain = Yes
	workgroup = DOMAIN
	idmap config DOMAIN : range = 50000-1000000
	idmap config DOMAIN : backend = ad
	idmap config * : range = 3000-7999
	idmap config * : backend = tbd
	map acl inherit = Yes
	store dos attributes = Yes
	vfs objects = acl_xattr

[printers]
	browseable = No
	comment = All Printers
	create mask = 0700
	path = /var/spool/samba
	printable = Yes

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers

-Barry
Rowland Penny
2018-Nov-16 09:23 UTC
[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?
On Fri, 16 Nov 2018 02:08:45 +0000
"Barry D. Adkins via samba" <samba at lists.samba.org> wrote:

> The problem is that getenv does not return any AD domain users or
> groups. From much research this seems to be because nsswitch is not
> setup for Samba.

I take it you mean 'getent'

> I would really appreciate some assistance as I think this is my last
> hurdle for actually being able to use this test file server.
>
> Ubuntu server 18.04 - Samba installed and configured (almost)
> Kerberos functioning. wbinfo --ping-dc successfully contacts domain
> server Browse server from windows client sees printer share
>
> The Libnss winbind Links Wiki says to do this:
>
> # smbd -b | grep LIBDIR >>> smdb... doesn't work

On Ubuntu it wouldn't, but this should:

sudo smbd -b | grep LIBDIR
   LIBDIR: /usr/lib/x86_64-linux-gnu

> but samba -b does work
> LIBDIR: /usr/local/samba/lib/
> # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/
> # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
> # ldconfig
>
> Although as seen below there doesn't seem to be a LIBDIR entry, it
> seemed as if it might be /usr/lib/x86_64-linux-gnu/samba so I ran the
> above ln commands with this in mind. It didn't work. I also appended
> "files windbind" to the 2 entries in nsswitch.conf.
>
> ~$ samba -b
> Samba version: 4.7.6-Ubuntu
> Build environment:
> Paths:
>    BINDIR: /usr/bin
>    SBINDIR: /usr/sbin
>    CONFIGFILE: /etc/samba/smb.conf
>    NCALRPCDIR: /var/run/samba/ncalrpc
>    LOGFILEBASE: /var/log/samba
>    LMHOSTSFILE: /etc/samba/lmhosts
>    DATADIR: /usr/share
>    MODULESDIR: /usr/lib/x86_64-linux-gnu/samba
>    LOCKDIR: /var/run/samba
>    STATEDIR: /var/lib/samba
>    CACHEDIR: /var/cache/samba
>    PIDDIR: /var/run/samba
>    PRIVATE_DIR: /var/lib/samba/private
>    CODEPAGEDIR: /usr/share/samba/codepages
>    SETUPDIR: /usr/share/samba/setup
>    WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
>    NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
>
> It doesn't seem there is a LIBDIR. Not sure what to do about that.
> The folder /usr/local/samba/lib does not exist.

Now this is interesting, in your 'samba -b | grep LIBDIR' above, the
location is /usr/local/samba, yet it then changes to /var/lib/samba.
The Samba wiki is written from the point of view of a self compiled
Samba, where the default location for everything is /usr/local/samba,
the default location for most of Samba using the Ubuntu packages is
/var/lib/samba, so what are you using, a self compiled Samba, or the
Ubuntu packages ?

> ~$ locate libnss_winbind
> /lib/x86_64-linux-gnu/libnss_winbind.so.2

Hmm, looks like Ubuntu packages. Check if these three packages are
installed:

libpam-winbind libpam-krb5 libnss-winbind

> Samba config:
>
> [global]
> 	dns forwarder = my.DNS.ip.address

Why have you got a line that should only be in a DC smb.conf ?

> 	dns proxy = No
> 	log file = /var/log/samba/log.%m
> 	logging = syslog at 1 /var/log/samba/log.%m
> 	map to guest = Bad User
> 	max log size = 1000
> 	panic action = /usr/share/samba/panic-action %d
> 	realm = DOMAIN.COM
> 	security = ADS
> 	server role = member server
> 	server string = %h server (Samba, Ubuntu)
> 	template shell = /bin/bash
> 	usershare allow guests = Yes
> 	winbind enum groups = Yes
> 	winbind enum users = Yes

You should only have the 'winbind enum' lines for testing purposes.

> 	winbind nss info = rfc2307

Replace the above line with:

idmap config DOMAIN : unix_nss_info = yes

> 	winbind use default domain = Yes
> 	workgroup = DOMAIN
> 	idmap config DOMAIN : range = 50000-1000000

Does the 'Domain Users' group have a gidNumber attribute containing a
number inside the range above ?
Do your users have a uidNumber attribute containing a unique number
inside the same range ?

Rowland
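Two things Rowland's reply asks the poster to verify can be checked mechanically: that both the passwd and group lines of nsswitch.conf really name the winbind source (the "windbind" spelling quoted above is silently skipped by glibc, it does not error), and that an AD uidNumber/gidNumber falls inside the 'idmap config DOMAIN : range' the 'ad' backend is told to honour. The Python below is an added example, not code from the thread or from Samba; the two config samples are constructed from what the thread quotes.

```python
import re

# Constructed sample of /etc/nsswitch.conf; the group line carries the
# "windbind" spelling from the thread so the check has something to flag.
NSSWITCH_SAMPLE = """\
passwd:         compat systemd winbind
group:          compat systemd windbind
shadow:         compat
"""

# Constructed excerpt of the thread's smb.conf idmap settings.
SMB_CONF_SAMPLE = """\
[global]
   idmap config DOMAIN : range = 50000-1000000
   idmap config DOMAIN : backend = ad
   idmap config * : range = 3000-7999
"""

# NSS sources glibc can load on a typical Ubuntu member server; any other
# token is skipped silently, so a misspelt "winbind" produces no error.
KNOWN_NSS_SOURCES = {"files", "compat", "dns", "systemd", "winbind", "sss",
                     "ldap", "nis", "db", "myhostname", "mdns4_minimal", "resolve"}

IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def nss_sources(conf_text):
    """Map each nsswitch database (passwd, group, ...) to its ordered source list."""
    sources = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, rest = line.split(":", 1)
            sources[db.strip()] = rest.split()
    return sources


def check_winbind_nss(conf_text):
    """Problems that stop 'getent passwd' / 'getent group' from listing AD objects."""
    problems = []
    sources = nss_sources(conf_text)
    for db in ("passwd", "group"):
        srcs = sources.get(db, [])
        if "winbind" not in srcs:
            problems.append(f"{db}: no winbind source (have: {' '.join(srcs) or 'none'})")
        for src in srcs:
            if src not in KNOWN_NSS_SOURCES:
                problems.append(f"{db}: unknown NSS source '{src}' is silently ignored")
    return problems


def idmap_ranges(smb_conf_text):
    """Return {domain: (low, high)} from 'idmap config DOMAIN : range = low-high' lines."""
    ranges = {}
    for line in smb_conf_text.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def ad_id_is_mapped(ranges, domain, number):
    """With 'backend = ad', a uidNumber/gidNumber is used only if inside the domain's range."""
    low, high = ranges[domain]
    return low <= number <= high
```

Run against the real files, a result of two problems for 'group' and none for 'passwd' is exactly the symptom of "getent group" showing no AD groups while a second typo-free line would have worked.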
Barry D. Adkins
2018-Nov-18 01:27 UTC
[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?
> The problem is that getenv does not return any AD domain users or
> groups. From much research this seems to be because nsswitch is not
> setup for Samba.

>>I take it you mean 'getent'

YES

> The Libnss winbind Links Wiki says to do this:
>
> # smbd -b | grep LIBDIR >>> smdb... doesn't work

>>On Ubuntu it wouldn't, but this should:
>>
>>sudo smbd -b | grep LIBDIR
>>   LIBDIR: /usr/lib/x86_64-linux-gnu

Glad I'm not a betting man, because I thought I did that and it didn't work. Anyway it does now, probably me, working through all the setup, things don't go exactly like the wiki's and other internet helpful articles.

This is what reports LIBDIR: /usr/lib/x86_64-linux-gnu

> # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/
> # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
> # ldconfig

I AM THINKING THESE ln COMMANDS ARE NOT NEEDED GIVEN THE LIBDIR IS /usr/lib/x86_64linux-gnu ???

> Although as seen below there doesn't seem to be a LIBDIR entry, it
> seemed as if it might be /usr/lib/x86_64-linux-gnu/samba so I ran the
> above ln commands with this in mind. It didn't work. I also appended
> "files windbind" to the 2 entries in nsswitch.conf.
>
> ~$ samba -b
> Samba version: 4.7.6-Ubuntu
> Build environment:
> Paths:
>    BINDIR: /usr/bin
>    SBINDIR: /usr/sbin
>    CONFIGFILE: /etc/samba/smb.conf
>    NCALRPCDIR: /var/run/samba/ncalrpc
>    LOGFILEBASE: /var/log/samba
>    LMHOSTSFILE: /etc/samba/lmhosts
>    DATADIR: /usr/share
>    MODULESDIR: /usr/lib/x86_64-linux-gnu/samba
>    LOCKDIR: /var/run/samba
>    STATEDIR: /var/lib/samba
>    CACHEDIR: /var/cache/samba
>    PIDDIR: /var/run/samba
>    PRIVATE_DIR: /var/lib/samba/private
>    CODEPAGEDIR: /usr/share/samba/codepages
>    SETUPDIR: /usr/share/samba/setup
>    WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
>    NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd

>>Now this is interesting, in your 'samba -b | grep LIBDIR' above, the
>>location is /usr/local/samba, yet it then changes to /var/lib/samba.

The "above" you were looking at in my post was just me quoting what the wiki mentioned.

>>The Samba wiki is written from the point of view of a self compiled
>>Samba, where the default location for everything is /usr/local/samba,
>>the default location for most of Samba using the Ubuntu packages
>>is /var/lib/samba, so what are you using, a self compiled Samba, or
>>the Ubuntu packages ?

I installed Ubuntu packages indeed.

>>Check if these three packages are installed: libpam-winbind libpam-krb5
>>libnss-winbind

Yes they are installed

> Samba config:
>
> [global]
> 	dns forwarder = my.DNS.ip.address

>>Why have you got a line that should only be in a DC smb.conf ?

I was following instructions from some web article. I removed it based on your comment.

> 	dns proxy = No
> 	log file = /var/log/samba/log.%m
> 	logging = syslog at 1 /var/log/samba/log.%m
> 	map to guest = Bad User
> 	max log size = 1000
> 	panic action = /usr/share/samba/panic-action %d
> 	realm = DOMAIN.COM
> 	security = ADS
> 	server role = member server
> 	server string = %h server (Samba, Ubuntu)
> 	template shell = /bin/bash
> 	usershare allow guests = Yes
> 	winbind enum groups = Yes
> 	winbind enum users = Yes

>>You should only have the 'winbind enum' lines for testing purposes.

Noted

> 	winbind nss info = rfc2307

>>Replace the above line with:
>>idmap config DOMAIN : unix_nss_info = yes

Done

> 	winbind use default domain = Yes
> 	workgroup = DOMAIN
> 	idmap config DOMAIN : range = 50000-1000000

>>Does the 'Domain Users' group have a gidNumber attribute containing a
>>number inside the range above ?
>>Do your users have a uidNumber attribute containing a unique number
>>inside the same range ?

Well, I'm not certain. I used Windows System tools to examine SIDs on the Domain Controller, but I have not found how or for sure if a SID can be converted to a UID. To be clear, getent passwd reports many entries, but NONE from Active Directory, same for groups.

This whole "exercise" was begun because of the failure of this command:

chown root:"Domain Admins" /srv/samba/filestore/
chown: invalid group: 'root:Domain Admins'

I created /srv/samba/filestore/ to share, and in fact it is shared, but I have not been able to set permissions per this WIKI:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

It's still not working, but I will continue to research the SID/UID/GID world.

Barry
Barry D. Adkins
2018-Nov-18 01:31 UTC
[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?
> 	idmap config DOMAIN : range = 50000-1000000

>>Does the 'Domain Users' group have a gidNumber attribute containing a
>>number inside the range above ?
>>Do your users have a uidNumber attribute containing a unique number
>>inside the same range ?

Well, I'm not certain. I used Windows System tools to examine SIDs on the Domain Controller, but I have not found how or for sure if a SID can be converted to a UID. To be clear, getent passwd reports many entries, but NONE from Active Directory, same for groups.

This whole "exercise" was begun because of the failure of this command:

chown root:"Domain Admins" /srv/samba/filestore/
chown: invalid group: 'root:Domain Admins'

I created /srv/samba/filestore/ to share, and in fact it is shared, but I have not been able to set permissions per this WIKI:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Manpage for wbinfo

-S|--sid-to-uid sid
    Convert a SID to a UNIX user id. If the SID does not correspond to a UNIX user mapped by winbindd(8) then the operation will fail.

I used the wbinfo command with a SID from a domain user. It fails which seems to confirm that there is some missing link with winbindd as mentioned on the man page.

result:
failed to call wbcStringToSid: WBC_ERR_INVALID_SID
could not convert sid S-1-5-21-346857055-4299993622516-4263914971-1113 to uid

Barry
Barry D. Adkins
2018-Nov-18 03:39 UTC
[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?
> 	idmap config DOMAIN : range = 50000-1000000

SID was pasted wrong on previous posts.

wbinfo results:

:~$ wbinfo -K DomainUser1
Enter DomainUser1's password:
plaintext kerberos password authentication for [DomainUser1] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_1000

:~$ wbinfo -K DomainUser2
Enter DomainUser2's password:
plaintext kerberos password authentication for [DomainUser2] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_1000

:~$ wbinfo -i DomainUser1
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user DomainUser1

:~$ wbinfo -i DOMAIN\\DomainUser1
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user DOMAIN\DomainUser1

:~$ wbinfo -n DomainUser1
S-1-5-21-346857055-4293622516-4263914971-1113 SID_USER (1)

:~$ wbinfo -S S-1-5-21-346857055-4293622516-4263914971-1113
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-346857055-4293622516-4263914971-1113 to uid

Barry
Barry D. Adkins
2018-Nov-18 04:19 UTC
[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?
I can confirm that I can connect with Windows clients to the FILESTORE share and use it normally, but only as "Administrator" which works because I have a user map file setup that means I'm connecting with root permissions.

I can set the share and folder permissions with Windows tools, and those permissions stick in the mind of "Windows" but I suspect because Ubuntu/Samba do not have a connection to the AD Users/Groups and thus the settings made with Windows tools are failing to stick on the Linux box.

It does seem that if I can figure out the issues with the winbind setup or whatever, then I'd be complete with the configuration.

Barry
Rowland Penny
2018-Nov-18 09:48 UTC
[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?
On Sat, 17 Nov 2018 22:54:43 +0000
"Barry D. Adkins" <Barry at daram.com> wrote:

> > The problem is that getenv does not return any AD domain users or
> > groups. From much research this seems to be because nsswitch is not
> > setup for Samba.
>
> >>I take it you mean 'getent'
>
> YES
>
> > The Libnss winbind Links Wiki says to do this:
> >
> > # smbd -b | grep LIBDIR >>> smdb... doesn't work
>
> >>On Ubuntu it wouldn't, but this should:
> >>
> >>sudo smbd -b | grep LIBDIR
> >>   LIBDIR: /usr/lib/x86_64-linux-gnu
>
> Glad I'm not a betting man, because I thought I did that and it
> didn't work. Anyway it does now, probably me, working through all the
> setup, things don't go exactly like the wiki's and other internet
> helpful articles.

What is wrong with the Samba wiki, what didn't go exactly like the
wiki ?

> This is what reports LIBDIR: /usr/lib/x86_64-linux-gnu
>
> > # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/
> > # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
> > # ldconfig
>
> I AM THINKING THESE ln COMMANDS ARE NOT NEEDED GIVEN THE LIBDIR
> IS /usr/lib/x86_64linux-gnu ???

Yes, you only need to carry out those commands if you compile Samba
yourself, there are usually distro packages to do it for you.

> > Samba config:
> >
> > [global]
> > 	dns forwarder = my.DNS.ip.address
>
> >>Why have you got a line that should only be in a DC smb.conf ?
>
> I was following instructions from some web article. I removed it
> based on your comment.

I can only recommend following the Samba wiki, there are usually
errors on most web articles.

> > 	winbind use default domain = Yes
> > 	workgroup = DOMAIN
> > 	idmap config DOMAIN : range = 50000-1000000
>
> >>Does the 'Domain Users' group have a gidNumber attribute containing
> >>a number inside the range above ?
> >>Do your users have a uidNumber attribute containing a unique number
> >>inside the same range ?
>
> Well, I'm not certain. I used Windows System tools to examine SIDs
> on the Domain Controller, but I have not found how or for sure if a
> SID can be converted to a UID. To be clear, getent passwd reports
> many entries, but NONE from Active Directory, same for groups.

If you are not certain if you have uidNumber & gidNumber attributes, I
am fairly sure you haven't, YOU have to add them.

> This whole "exercise" was begun because of the failure of this
> command:
>
> chown root:"Domain Admins" /srv/samba/filestore/
> chown: invalid group: 'root:Domain Admins'
>
> I created /srv/samba/filestore/ to share, and in fact it is shared,
> but I have not been able to set permissions per this WIKI:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> It's still not working, but I will continue to research the
> SID/UID/GID world.

Two different worlds, well sort of, the SID defines the Domain, but at
the end of the SID is the RID, this is a unique number that identifies
the AD object, it is meaningless to a Unix domain member.

To get a Unix UID or GID, there are two main methods, using the 'ad'
or 'rid' winbind backends. The 'ad' backend relies on you adding
'uidNumber & gidNumber attributes to user & group objects in AD. The
'rid' backend calculates the ID's from the 'RID', this way you do not
need to add anything to AD, but note this will not work on a Samba AD
DC, it only works on Unix domain members.

Rowland
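Rowland's two-backend explanation, worked through on the SID the thread's 'wbinfo -n' returned, as an added example (not code from the thread or from Samba). The 'rid' arithmetic follows the formula given in the idmap_rid man page (ID = RID - BASE_RID + LOW_RANGE_ID); the 'ad' path shows why an object with no uidNumber, or one outside 'idmap config DOMAIN : range', never appears in getent; and the mistyped SID from the earlier post is included because its fifth sub-authority does not fit in 32 bits, which is what WBC_ERR_INVALID_SID complained about.

```python
import re

# Thread's SID for DomainUser1 (from the 'wbinfo -n' output) and the
# smb.conf range for DOMAIN; the mistyped SID from the earlier post is
# included to show why wbcStringToSid rejects it.
USER_SID = "S-1-5-21-346857055-4293622516-4263914971-1113"
MISTYPED_SID = "S-1-5-21-346857055-4299993622516-4263914971-1113"
DOMAIN_RANGE = (50000, 1000000)

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

def parse_sid(sid):
    """Return (identifier_authority, [sub_authorities]); the last sub-authority is the RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid}")
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    # Each sub-authority is a 32-bit value; 4299993622516 does not fit, which is
    # why the thread's first attempt failed with WBC_ERR_INVALID_SID.
    if any(s > 0xFFFFFFFF for s in subs) or len(subs) > 15:
        raise ValueError(f"sub-authority out of range: {sid}")
    return int(m.group(1)), subs

def split_domain_rid(sid):
    """Split an object SID into its domain SID and RID."""
    auth, subs = parse_sid(sid)
    domain = "S-1-%d-%s" % (auth, "-".join(str(s) for s in subs[:-1]))
    return domain, subs[-1]

def rid_backend_id(sid, domain_sid, id_range, base_rid=0):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID, or None when unmappable.
    Same arithmetic for users and groups; no AD attributes needed."""
    domain, rid = split_domain_rid(sid)
    if domain != domain_sid or rid < base_rid:
        return None
    low, high = id_range
    unix_id = rid - base_rid + low
    return unix_id if unix_id <= high else None

def ad_backend_id(attr_value, id_range):
    """idmap_ad: the uidNumber/gidNumber stored in AD is used as-is, but only
    if present and inside the configured range; otherwise the object is
    invisible to getent."""
    if attr_value is None:
        return None
    low, high = id_range
    return attr_value if low <= attr_value <= high else None

if __name__ == "__main__":
    domain_sid, rid = split_domain_rid(USER_SID)
    print("domain SID:", domain_sid, "RID:", rid)
    print("rid backend uid for DomainUser1:", rid_backend_id(USER_SID, domain_sid, DOMAIN_RANGE))
    # Well-known RIDs 512 (Domain Admins) and 513 (Domain Users) map the same way.
    print("rid backend gid for Domain Admins:",
          rid_backend_id(domain_sid + "-512", domain_sid, DOMAIN_RANGE))
    # ADUC's default first UID (10000, per the wiki text quoted later in the
    # thread) is outside 50000-1000000, so the 'ad' backend would not map it.
    print("ad backend with uidNumber 10000:", ad_backend_id(10000, DOMAIN_RANGE))
    try:
        parse_sid(MISTYPED_SID)
    except ValueError as exc:
        print("rejected:", exc)
```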
Barry D. Adkins
2018-Nov-19 03:23 UTC
[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?
>What is wrong with the Samba wiki, what didn't go exactly like the wiki ?

https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC

Well take this wiki that I'm trying to follow to add the AD uid/gid to the objects. It's helpful and confusing, but maybe because I'm just not informed enough.

I got the property pages to show in AD Users & Computers, but there is no NIS Domain offered to select. No guidance on that, unless I've done something out of sequence that would have populated that.

It then gives this guidance to perform before you use AD U & C... after it has just led you down the path of using AD U & C.

# Defining the next UID/GID number to use
#
# Every time a UID/GID number is assigned using Active Directory Users and Computers (ADUC), the next UID/GID number is stored inside the Active Directory. By default, ADUC starts assigning UID and
# GID numbers at 10000.
#
# If you setup a new Samba AD and want to use a different start value, you will need to add the counting attributes before using ADUC for the first time:
#
# ldbedit -H /usr/local/samba/private/sam.ldb -b \
#   CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
#
# msSFU30MaxUidNumber: 10000
# msSFU30MaxGidNumber: 10000
#
# With the same command you can change the values. E. g. if you require to start UID numbers at 20000 and GIDs at 50000, adapt the values to your requirements:
#
# msSFU30MaxUidNumber: 20000
# msSFU30MaxGidNumber: 50000

I don't seem to find an "ldb" file anywhere and since we are using an AD Domain, perhaps there shouldn't be one. I wouldn't have gone looking for an "ldb" file except for this wiki.

I'll continue to rummage around trying to figure out how to get an entry to choose for the NIS Domain, although I'm not sure what it should be. I would guess it would be the same name as the AD Domain Name.

Looking over the above ldbedit command it seems like it will create an entry of samdom.example.com or in my case would be samdom.domain.com but is that what we really want/need to do?

Barry