venkat ramu
2019-Jan-07 21:53 UTC
[Samba] I have issue in configuring file servers with AD integration.
Hi,

I am configuring file servers with AD integration, referring to the link below. I am able to get AD user names and groups by running wbinfo -u and wbinfo -g, but when I run getent passwd and getent group I am unable to see them in the list. Please help me to understand where I am going wrong.

https://www.teknophiles.com/2016/11/14/linux-file-servers-in-a-windows-domain/

Environment Details are:
OS : Ubuntu 18.04
SAMBA : Version 4.7.6-Ubuntu

Thanks,
Venkat
Rowland Penny
2019-Jan-07 22:31 UTC
[Samba] I have issue in configuring file servers with AD integration.
On Tue, 8 Jan 2019 03:23:24 +0530 venkat ramu via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I am configuring file servers with AD integration with referring below
> link. I am able to get AD user name and group by running this command
> wbinfo -u and wbinfo -g but when I run getent passwd and getent group
> I am unable to see in the list. Please help me to understand where I
> am doing wrong.
>
> https://www.teknophiles.com/2016/11/14/linux-file-servers-in-a-windows-domain/

Well, the first thing you did wrong was to follow that webpage, it was borked when it was written and it is even more borked now ;-)

It doesn't even tell you to install the 'attr' package, it doesn't tell you how to configure smb.conf correctly or show you an example.

> Environment Details are:
> OS : Ubuntu 18.04
> SAMBA : Version 4.7.6-Ubuntu

You can obtain Samba 4.9.4 packages here: http://apt.van-belle.nl/

In the mean time, can you post the contents of the following files:

/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf
/etc/samba/smb.conf (with all the commented lines removed)
/etc/nsswitch.conf

What packages did you actually install?

Webmin is okay, but the 'samba' part is a bit old.

Rowland
Rowland Penny
2019-Jan-08 09:42 UTC
[Samba] I have issue in configuring file servers with AD integration.
On Tue, 8 Jan 2019 09:38:54 +0530 venkat ramu <ramut123 at gmail.com> wrote:

> Hi Rowland,
>
> Please find the attached requested details. also Could you please
> share right document for the SAMBA configuration with AD
> authentication for file server. Thank you the help.
>
> Thanks,
> Venkat

OK, you have a choice here, you can either do what I do, which is make the network settings work for me (this involves removing netplan) or try and work with the OS, for the latter, see here (at the bottom):

https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt

I am sure that Louis will correct any differences between a DC setup and a Unix domain member ;-)

If you follow how I do it, remove netplan and then make /etc/hosts look like this:

127.0.0.1 localhost
<UBUNTU-BASE IP> ubuntu-base.testlab.com ubuntu-base

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

make /etc/resolv.conf look like this:

search testlab.com
nameserver 192.168.0.81

/etc/krb5.conf only needs to contain this:

[libdefaults]
    default_realm = TESTLAB.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

I would suggest you make your smb.conf look like this:

[global]
    workgroup = TESTLAB
    security = ADS
    realm = TESTLAB.COM
    server string = %h server (Samba, Ubuntu)

    winbind use default domain = yes
    winbind expand groups = 2

    ## map ids outside of domain to tdb files.
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    ## map ids from the domain the ranges may not overlap !
    idmap config TESTLAB : backend = rid
    idmap config TESTLAB : range = 10000-20000

    template shell = /bin/bash
    domain master = no
    local master = no
    preferred master = no
    os level = 20

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    max log size = 1000
    log file = /var/log/samba/log.%m
    syslog = 0
    log level = 3 passdb:5 auth:5
    panic action = /usr/share/samba/panic-action %d

[printers]
    comment = All Printers
    browseable = no
    path = /var/spool/samba
    printable = yes
    create mask = 0700

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

It assumes you haven't added anything to AD and will use the winbind 'rid' backend.

You will also have to create /etc/samba/user.map with this content:

!root = TESTLAB\Administrator

Rowland
venkat ramu
2019-Jan-08 10:31 UTC
[Samba] I have issue in configuring file servers with AD integration.
Thanks Rowland,

I will try with your option and will let you know.

Thanks,
Venkat