Hello,

I am trying to configure samba on a Centos 7.5 linux server ( Samba 4.8.3 ) to share files stored on that server to a set of windows PCs running win7 and win10.

Some facts:

- the linux server is NOT the domain controller but it successfully joined the domain ( realm join ...).
- we have a few linux servers on which we will want to configure samba in a similar way to share files.
- the actual active directory service runs on a windows server. Users can get authenticated both on windows and linux from it.

I tried various settings in smb.conf on the linux server without success (i.e. it is not possible to mount the share on windows). I am not an expert and I am seeking a good smb.conf file in which I could fill the blanks to get the job done (i.e. sharing files from a server using ADs authentication).

Is it possible to find a good smb.conf sample to fulfill our needs ?

Thank you !

Gilbert
On Thu, 13 Dec 2018 03:39:49 +0000
Gilbert Soucy via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I am trying to configure samba on a Centos 7.5 linux server ( Samba
> 4.8.3 ) to share files stored on that server to a set of windows PCs
> running win7 and win10.
>
> Some facts:
>
> - the linux server is NOT the domain controller but it successfully
> joined the domain ( realm join ...).
> - we have a few linux servers on which we will want to configure
> samba in a similar way to share files.
> - the actual active directory service runs on a windows server. Users
> can get authenticated both on windows and linux from it.
>
> I tried various settings in smb.conf on the linux server without
> success (i.e. it is not possible to mount the share on windows). I am
> not an expert and I am seeking a good smb.conf file in which I could
> fill the blanks to get the job done (i.e. sharing files from a
> server using ADs authentication).
>
> Is it possible to find a good smb.conf sample to fulfill our needs ?
>
> Thank you !
>
> Gilbert

Have you tried reading the Samba wiki ?

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
On Thu, 13 Dec 2018 19:10:38 -0500
Gilbert Soucy <gsoucy at 36pix.com> wrote:

> Hello,
>
> I was able to follow most of the steps in the wiki but I seem to
> have an issue with winbind :
>
> wbinfo --ping-dc
>
> is failing with:
>
> [root at tungsten-2 samba]# wbinfo --ping-dc
> checking the NETLOGON for domain[-not available-] dc connection to ""
> failed
> failed to call wbcPingDc: WBC_ERR_NOT_IMPLEMENTED
>
>
>
> Why is that all wrong since I was able to join the domain ?
> How to fix that ?
>
> Also, just to confirm, do I need to touch sssd at all ? Should it be
> running, with any specific config ?

Well, in my opinion, 'yum remove sssd' would be a very good idea ;-)

You do not need sssd, it isn't a Samba product and, as such, it isn't
supported here.

>
> See my config and details below.
>
> Thanks
>
> Gilbert
>
> ==============================================
>
> I have been able to join the domain:
>
> [root at server samba]# net ads join -U admin
> Enter admin's password:
> Using short domain name -- DOMAIN
> Joined 'SERVER' to dns domain 'DOMAIN'

Is your short domain name (aka workgroup) really the same as your dns
domain ?

>
>
> I can list the domain users on the windows AD server:
>
> [root at tungsten-2 samba]# net ads user
>
> Administrator
> user1
> user2
> ...
>
>
> Here is my smb.conf file
>
> [global]
> security = ADS
> workgroup = DOMAIN
> realm = DOMAIN.COM
>
> log file = /var/log/samba/log.%m
> log level = 2
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 0-499

Why are you using '0-499' for the '*' domain ?
The '*' domain is for the 'Well Known SIDs' and anything outside the
'DOMAIN' domain, you are using the same numbers as the Unix system
users & groups.

Can I suggest you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

> # - You must set a DOMAIN backend configuration
> # idmap config for the SAMDOM domain
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 500-20000
> idmap config DOMAIN:unix_nss_info = yes
>

Again, why '500-20000' ?
You have removed the possibility of having any local Unix users.
Have you added any uidNumber & gidNumber attributes to AD ?

> [Share]
> comment = Share
> path = /share
> hide dot files = no
> dos filemode = yes
> inherit acls = yes
> inherit permissions = yes
> create mode = 0664
> directory mode = 0775
> directory mask = 0775
> force create mode = 0664
> force directory mode = 0775
> force group = lab
> vfs objects = recycle
> recycle: keeptree = yes
> recycle: versions = yes
> recycle:directory_mode = 770
> recycle:touch_mtime = yes
> guest ok = Yes

You really would be better off using Windows ACL's and setting these
from a Windows computer.

>
>
> In my /etc/nsswitch.conf file (and I restarted all services after
> the edit)
>
> passwd: files sss winbind
> shadow: files sss
> group: files sss winbind

Remove all the 'sss'

>
>
>
> The output of realm list:

Pointless here, 'realmd' isn't a Samba product, so we wouldn't know a
good one from a bad one and you do not need it anyway.
On Fri, 14 Dec 2018 07:59:20 -0500
Gilbert Soucy <gsoucy at 36pix.com> wrote:

> Thanks for the reply.
>
> I removed sssd and updated nsswitch.conf:
>
> passwd: files winbind
> shadow: files
> group: files winbind
>
> I redid the steps in the wiki and I am still having a problem with
> wbinfo
>
> [root at server samba]# net ads testjoin
> Join is OK
>
>
>
> [root at server samba]# wbinfo --ping-dc
> checking the NETLOGON for domain[-not available-] dc connection to ""
> failed
> failed to call wbcPingDc: WBC_ERR_NOT_IMPLEMENTED
>
>
> Why is it that wbinfo cannot find the domain name ?
>

I do not know, I may be able to comment further if you answer my
questions:

Is your short domain name (aka workgroup) really the same as your dns
domain ?

Why are you using '0-499' for the '*' domain ?
The '*' domain is for the 'Well Known SIDs' and anything outside the
'DOMAIN' domain, you are using the same numbers as the Unix system
users & groups.

Again, why '500-20000' for the 'DOMAIN' domain ?
You have removed the possibility of having any local Unix users.
Have you added any uidNumber & gidNumber attributes to AD ?

Rowland
On Fri, 14 Dec 2018 08:15:04 -0500
Gilbert Soucy <gsoucy at 36pix.com> wrote:

> >> Is your short domain name (aka workgroup) really the same as your
> >> dns domain ?
>
> No, I replace some strings before replying for confidentiality and I
> made a typo there.
> Here is the output:
>
> [root at server samba]# net ads join -U user
> Enter use's password:
> Using short domain name -- DOMAIN
> Joined 'SERVER' to dns domain 'domain.com'
>
> > Why are you using '0-499' for the '*' domain ?
> > The '*' domain is for the 'Well Known SIDs' and anything outside the
> > 'DOMAIN' domain, you are using the same numbers as the Unix system
> > users & groups.
> >
> > Again, why '500-20000' for the 'DOMAIN' domain ?
>
> I am trying to update an existing system that was running on ldap and
> has existing users and files.
> The users were defined in that range. It seems not obvious to change
> the id of all files and folders.
> Is it an issue ? I can try to change the id in smb.conf for a test
> but my back compatibility issue will still be there.
>

Yes it is an issue.

As I said, 0-500 is reserved for Unix system users and groups (it's
actually 0-999) so you cannot use these numbers for AD

Was the old ldap machine also a Samba PDC ?
If so, then use classicupgrade.

Better still, set up a new AD domain and transfer your users, groups
and data to this.

Rowland
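The two objections Rowland raises above (the '*' range and the 'DOMAIN' range both sit on top of the local Unix ID space, and the ranges must not overlap each other) are easy to check mechanically before winbind is ever started. The following script is an added example written for this page, not code from the thread or from the Samba project: it pulls the 'idmap config' lines out of an smb.conf, compares each range with the local system ID space (assumed here to be 0-999, as stated in the reply) and with every other configured range, and reports collisions. The sample configs are constructed from the settings quoted in this thread; the 3000-7999 / 10000-999999 variant is the one suggested later in the thread for testing.

```python
import re

# Constructed sample modelled on the smb.conf quoted earlier in this thread (not a real config).
PROBLEM_CONF = """
[global]
   security = ADS
   workgroup = DOMAIN
   realm = DOMAIN.COM
   idmap config * : backend = tdb
   idmap config * : range = 0-499
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 500-20000
"""

# Constructed sample using the test ranges suggested later in the thread.
FIXED_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN:backend = rid
   idmap config DOMAIN:range = 10000-999999
"""

# Assumption: local accounts and groups on the member server live below 1000 (the thread's '0-999').
SYSTEM_ID_RANGE = (0, 999)

# Matches 'idmap config <domain> : <key> = <value>'; whitespace around ':' is optional in smb.conf.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap(conf_text):
    """Collect the idmap settings per domain: {domain: {'backend': ..., 'range': (low, high), ...}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if key == "range":
            low, high = (int(part) for part in value.split("-", 1))
            entry["range"] = (low, high)
        else:
            entry[key] = value
    return domains


def overlaps(a, b):
    """True if the inclusive integer ranges a and b share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(domains, system_range=SYSTEM_ID_RANGE):
    """Return a list of findings; an empty list means the ranges look sane."""
    findings = []
    if "range" not in domains.get("*", {}):
        findings.append("no 'idmap config * : range' set (needed for well-known SIDs)")
    for name, entry in domains.items():
        rng = entry.get("range")
        if rng is None:
            findings.append(f"domain {name!r} has a backend but no range")
            continue
        if rng[0] > rng[1]:
            findings.append(f"domain {name!r} range {rng} has low above high")
        # An AD user mapped into this band gets the same numeric ID as a local system account.
        if overlaps(rng, system_range):
            findings.append(f"domain {name!r} range {rng} collides with local system IDs {system_range}")
    # Ranges of different idmap domains must be disjoint, otherwise two SIDs can share one ID.
    names = sorted(domains)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ra, rb = domains[a].get("range"), domains[b].get("range")
            if ra and rb and overlaps(ra, rb):
                findings.append(f"ranges of {a!r} {ra} and {b!r} {rb} overlap")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", PROBLEM_CONF), ("suggested test ranges", FIXED_CONF)):
        print(f"{label}: {check_idmap(parse_idmap(conf)) or ['OK']}")
```

Run against the posted config it reports both the '*' range and the 'DOMAIN' range as colliding with local system IDs; against the suggested ranges it reports nothing. To check a live server, read `/etc/samba/smb.conf` into `parse_idmap` instead of the constructed strings.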
On Fri, 14 Dec 2018 10:47:42 -0500
Gilbert Soucy <gsoucy at 36pix.com> wrote:

> Thanks for the help.
>
> > Yes it is an issue.
> >
> > As I said, 0-500 is reserved for Unix system users and groups (it's
> > actually 0-999) so you cannot use these numbers for AD
>
> I changed smb.conf to follow the range rules. I don't expect to see my
> users below 3000 but wbinfo --ping-dc should work, isn't it ?
> It is still failing the same way.
>
> Is there any log that would give more info ?

It should work, let's start again with a few questions ;-)

what is in /etc/hostname
what is in /etc/hosts
what is in /etc/krb5.conf

> > Was the old ldap machine also a Samba PDC ?
> > If so, then use classicupgrade.
>
> I see that it is not reversible so I am a bit scared to try it.

Yes, if your clients see the AD DC, there is no going back, but most
people do the classicupgrade in a test network first.

> > Better still, set up a new AD domain and transfer your users, groups
> > and data to this.
>
> In some sense, we are doing that now. We created a brand new domain
> and AD server ( windows ). Previously the domain controller was
> samba-ldap on Linux.
> We wish to transfer the users by preserving their uids and guids (we
> will enter them by hand in the windows AD server).

And there is your problem, if you want to use the 'ad' backend on the
Unix domain members, you need to create the users & groups first, along
with the required uidNumber & gidNumber attributes.

> We have first successfully connected a smb service on a VM running
> centos 7.4. What we are trying now is a clone of a production machine
> to see whether we can really
> switch a production machine. And it is not as smooth.

It wouldn't be without users & groups.

> We have many servers and shares on other servers that also need to
> have the same user ids.
> Creating new ids would be more painful.

I would take the pain and create users & groups with uidNumber &
gidNumber attributes containing numbers from '10000'

> However, is it really what prevents
> wbinfo --ping-dc from working now ? I set up smb.conf as per the
> spec and it cannot connect. Is it because of the user range ? Can we
> know the low level reason
> why it is not connecting ?

Is there a firewall in the way ?

Rowland
On Fri, 14 Dec 2018 12:50:28 -0500
Gilbert Soucy <gsoucy at 36pix.com> wrote:

> Hello,
>
> We made some progress. I checked all the packages installed and there
> was still an sssd tool installed.
>
> After removing that package, the ping is now working:
>
> [root at server samba]# wbinfo --ping-dc
> checking the NETLOGON for domain[DOMAIN] dc connection to
> "DC1.domain.com" succeeded

That would probably do it, sssd has its own version of a Samba winbind
lib.

>
>
> However, we still cannot list the users:
>
> [root at server samba]# getent passwd DOMAIN\\t3500
> [root at server samba]#
>

Try adding 'winbind use default domain = yes'
Restart Samba and then try it like this:

getent passwd t3500

If that doesn't work, change your 'idmap config' lines to these:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 10000-999999

This is just for a test, if 'getent' now works, the problem lies in AD,
if it doesn't work, it is an OS problem.

> Can we get more info now as to why it is not working ? I cannot see
> anything interesting in the logs.
>
> You will find the answers to your questions below.
>
> ==============
>
> > what is in /etc/hostname
>
> [root at server samba]# cat /etc/hostname
> server
>
> ===========
>
> > what is in /etc/hosts
>
> [root at server samba]# cat /etc/hosts
> 127.0.0.1 localhost localhost.localdomain localhost4
> localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6
> 192.168.1.21 adserver.domain.com adserver
> 192.168.1.68 server.domain.com server
>

You do not need the 'adserver' line

Rowland
On Fri, 14 Dec 2018 15:27:27 -0500
Gilbert Soucy <gsoucy at 36pix.com> wrote:

> Wow, we made some good progress. We can see the users and actually
> mount a share on windows. Only issue: the uids and guids are wrong.
> This is because of the backend : rid, I suppose.
>
> > Try adding 'winbind use default domain = yes'
> > Restart Samba and then try it like this:
> >
> > getent passwd t3500
>
> That did not help.
>
> > If that doesn't work, change your 'idmap config' lines to these:
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config DOMAIN:backend = rid
> > idmap config DOMAIN:range = 10000-999999
>
> The rid helped:
>
> [root at server samba]# id DOMAIN\\user
> uid=1611(DOMAIN\user) gid=1013(DOMAIN\domain users)
> groups=1013(DOMAIN\domain
> users),1611(DOMAIN\gsoucy),1610(DOMAIN\sudoers),3104(DOMAIN\@dmin),1607(DOMAIN\test),1620(DOMAIN\labtest),1621(DOMAIN),1622(DOMAIN\lab)
>
> but the ids are not what we wrote as uids and guids in the AD
> interface (windows).
>
> Nevertheless encouraging. Any idea on why the ad back end does not
> work ?

As I said, it was only a test, it shows that there is connectivity to
your AD DC, but the ID's are not what I expected.

The 'rid' backend works by calculating the ID from the user or group
RID

It uses this formula:

ID = RID - BASE_RID + LOW_RANGE_ID

The 'BASE_RID' defaults to '0', so it becomes:

ID = RID + LOW_RANGE_ID

The 'LOW_RANGE' is what is set in smb.conf:

ID = RID - BASE_RID + 10000

So all the users and groups should be '10000' or above.

Did you restart Samba and also run 'net cache flush'

For the 'ad' winbind backend to work, your users MUST have a uidNumber
attribute containing a unique number inside the range you have set for
the 'DOMAIN' in smb.conf (10000-999999). The users primary group MUST
also have a gidNumber containing a number inside the same range.
This means that unless you have 'idmap config DOMAIN:unix_primary_group
= yes' set in smb.conf (only from Samba 4.6.0), you MUST give Domain
Users a gidNumber.

If you do have the line and are using Samba >= 4.6.0, you must give
the user a gidNumber attribute containing the gidNumber of the group
that you require to be the users Unix primary group, if you do not add
the users gidNumber attribute, it falls back to Domain Users, so again,
this must have a gidNumber.

Rowland
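The reply above gives the 'rid' formula and the attribute requirements of the 'ad' backend in prose; the script below is an added example written for this page (not code from the thread or from Samba) that works both through on a constructed sample directory. `DOMAIN_SID`, the user and group entries, and their RIDs and attribute values are all made up for the example; the range 10000-999999 and `BASE_RID = 0` are the values from the thread. `rid_backend_id` applies `ID = RID - BASE_RID + LOW_RANGE_ID` and refuses results outside the range, so RID 1611 yields 11611 rather than the 1611 shown in the `id` output above; `ad_backend_ids` resolves a user the way the 'ad' backend needs the attributes present, including the Domain Users fallback and the `unix_primary_group` behaviour, and raises `LookupError` with the reason a user would stay unresolved by `getent`.

```python
# Constructed sample directory: SIDs, RIDs and attribute values are made up for this example.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

GROUPS = {
    "domain users": {"sid": f"{DOMAIN_SID}-513", "gidNumber": 10000},
    "lab": {"sid": f"{DOMAIN_SID}-1622", "gidNumber": 10002},
    "sudoers": {"sid": f"{DOMAIN_SID}-1610", "gidNumber": None},   # no gidNumber set in AD
}

USERS = {
    # complete rfc2307 attributes
    "alice": {"sid": f"{DOMAIN_SID}-1611", "uidNumber": 10005, "gidNumber": 10002, "primary_group": "domain users"},
    # uidNumber never added in AD: the 'ad' backend cannot map this user at all
    "bob": {"sid": f"{DOMAIN_SID}-1612", "uidNumber": None, "gidNumber": None, "primary_group": "domain users"},
    # uidNumber present but below the configured range (the old LDAP-era number)
    "carol": {"sid": f"{DOMAIN_SID}-1613", "uidNumber": 1611, "gidNumber": None, "primary_group": "domain users"},
}

# 'idmap config DOMAIN:range = 10000-999999' from the thread; BASE_RID keeps its default of 0.
RANGE_LOW, RANGE_HIGH = 10000, 999999
BASE_RID = 0


def rid_of(sid):
    """The RID is the last sub-authority of the SID."""
    return int(sid.rsplit("-", 1)[1])


def rid_backend_id(sid, low=RANGE_LOW, high=RANGE_HIGH, base_rid=BASE_RID):
    """ID = RID - BASE_RID + LOW_RANGE_ID, the idmap_rid formula quoted in the thread.
    Returns None when the result lands outside the configured range, i.e. when
    winbind would not hand out an ID for that SID."""
    unix_id = rid_of(sid) - base_rid + low
    return unix_id if low <= unix_id <= high else None


def ad_backend_ids(name, users=USERS, groups=GROUPS, low=RANGE_LOW, high=RANGE_HIGH,
                   unix_primary_group=False):
    """Resolve (uid, gid) under the 'ad' backend's attribute rules.
    Raises LookupError naming the missing or out-of-range attribute."""
    user = users[name]
    uid = user["uidNumber"]
    if uid is None or not low <= uid <= high:
        raise LookupError(f"{name}: uidNumber {uid} missing or outside {low}-{high}")
    gid = None
    if unix_primary_group:
        # Only honoured with 'idmap config DOMAIN:unix_primary_group = yes' (Samba >= 4.6.0).
        gid = user["gidNumber"]
    if gid is None:
        # Fallback: the AD primary group, normally Domain Users, which therefore needs a gidNumber.
        gid = groups[user["primary_group"]]["gidNumber"]
    if gid is None or not low <= gid <= high:
        raise LookupError(f"{name}: primary group {user['primary_group']!r} has no usable gidNumber")
    return uid, gid


def resolve_all(unix_primary_group=False):
    """Map every sample user under both backends; None marks 'not resolvable'."""
    report = {}
    for name, user in USERS.items():
        try:
            ad = ad_backend_ids(name, unix_primary_group=unix_primary_group)
        except LookupError:
            ad = None
        report[name] = {"rid": rid_backend_id(user["sid"]), "ad": ad}
    return report


if __name__ == "__main__":
    for name, ids in resolve_all(unix_primary_group=True).items():
        print(name, ids)
    for grp, entry in GROUPS.items():
        print(grp, "rid ->", rid_backend_id(entry["sid"]), "ad ->", entry["gidNumber"])
```

The 'rid' column is filled for every user because it never consults AD attributes, which is why it served as a connectivity test; the 'ad' column is empty for bob (no uidNumber) and carol (uidNumber below the range), which is the outcome `getent passwd` showed earlier in the thread for an account without the attributes.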