samba - Jan 2019 - Troubleshooting help?

I probably should have lead with this, but I did not create or deploy this
particular setup, I was charged with keeping it going after the main person
left.  I have zero experience with Samba or Centrify, or I should say *had* no
experience until this.

So, I frankly have very little idea of what most of these options are for or why
they're set the way they are.  I can certainly edit per your suggestions and
see if it helps at all.  I have noticed that as people are getting window
pop-ups asking them to enter their credentials (which they shouldn't get of
course), I'm seeing a corresponding error in the log.smbd file that says
"lookup_name_smbconf for <domain>\<user> failed", so
I'm trying to see if I can find anything more specific about what might be
causing that issue.

Also, I do have samba-winbind-4.8.3 installed and winbind appears to be running
(ps -ef |grep winbind returns two lines of "/usr/sbin/winbindd -s
/etc/centrifydc/smb2.conf"). As to why this is using Centrify vice any
other product, I cannot speak to that.
Thanks much!
Scott

________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny
via samba <samba at lists.samba.org>
Sent: Monday, January 28, 2019 8:35 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Troubleshooting help?

On Mon, 28 Jan 2019 17:19:03 +0000
Scott Z. <sudz28 at hotmail.com> wrote:
> Thank you Rowland!  I guess that's part of my confusion, I'm not
sure
> how to best debug where Centrify ends and Samba begins.  But if these
> log.smbd errors indicate Centrify vice Samba, I'm good with that.  My
> global smb.conf is (didn't bother with the commented out stuff):
I have added some comments to your smb.conf:

[global]
security = ADS
realm = <our domain name>
workgroup = <our workgroup name>
netbios name = <the server name> <-- don't really need this
machine password timeout = 0 <-- Why is this turned off ?
passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb <-- you don need
anything after 'tdbsam', but you do not need the whole line, it is the
default setting
kerberos method = secrets and keytab
server signing = auto <-- bad idea to set this
client ntlmv2 auth = yes <-- Default setting
ntlm auth = yes <-- do you really want to use
client use spnego = yes <-- Default setting
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = No <-- Default setting
winbind enum groups = No <-- Default setting
winbind nested groups = Yes <-- Default setting
idmap cache time = 0 <-- this turns winbind's cache off
idmap config * : backend = tdb
idmap config * : range = 1000 - 200000000 <-- bad range, you cannot have any
local Unix users
idmap config * : base_tdb = 0 <-- what is this ??
enable core files = false <-- if Samba crashes, you will not get any core
dumps
log level = 2

Or to put it another way, it only needs to be this:

[global]
security = ADS
realm = <our domain name>
workgroup = <our workgroup name>
kerberos method = secrets and keytab
template shell = /bin/bash
winbind use default domain = Yes
idmap config * : backend = tdb
idmap config * : range = 1000 - 200000000
log level = 2

If this was a normal Samba Unix domain member
it would also have (at least) these two lines:

idmap config <our workgroup name> : backend = rid
idmap config <our workgroup name> : range = 2000000001 - 300000000

You are using Samba 4.8.3, so you need to have winbind running, so now
we come to the big question:

Why do you feel you need Centrify instead of winbind ?

What does it give you that Samba + winbind doesn't ?

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Mon, 28 Jan 2019 19:53:29 +0000
Scott Z. <sudz28 at hotmail.com> wrote:
> I probably should have lead with this, but I did not create or deploy
> this particular setup, I was charged with keeping it going after the
> main person left.  I have zero experience with Samba or Centrify, or
> I should say *had* no experience until this.
> 
> So, I frankly have very little idea of what most of these options are
> for or why they're set the way they are.  I can certainly edit per
> your suggestions and see if it helps at all.  I have noticed that as
> people are getting window pop-ups asking them to enter their
> credentials (which they shouldn't get of course), I'm seeing a
> corresponding error in the log.smbd file that says
> "lookup_name_smbconf for <domain>\<user> failed", so
I'm trying to
> see if I can find anything more specific about what might be causing
> that issue.
> 
> Also, I do have samba-winbind-4.8.3 installed and winbind appears to
> be running (ps -ef |grep winbind returns two lines of
> "/usr/sbin/winbindd -s /etc/centrifydc/smb2.conf"). As to why
this is
> using Centrify vice any other product, I cannot speak to that. Thanks
> much! Scott
> 
What is your AD DC ?
What is in /etc/centrifydc/smb2.conf ?

I wouldn't mess with the smb.conf, you might make things worse.

Is your version of Centrify a paid for version, if so, it might be
worth asking Centrify for help.

Because you are using Centrify, I have no idea what ID range you are
using or how it is calculated/set, if I did, I may have been able to
tell you how to set smb.conf up for winbind.

Just how much data and how many users are we talking about ?

What do you use the Unix domain member (that is what it appears to
be) for ?

Rowland

On Mon, 28 Jan 2019 23:00:21 +0000
Scott Z. <sudz28 at hotmail.com> wrote:
> What is your AD DC ? - Users log in to the domain but I don't really
> have an insight into that piece.  For my VM, my understanding is that
> so long as it can verify the user requesting access to the share has
> a valid login and are in the correct Active Roles group, they should
> be able to access the share.
> 
> What is in /etc/centrifydc/smb2.conf ?  Looks like:
> [global]
>     winbindd socket directory = /run/samba/winbindd2
>     include = /etc/smb.conf
> 
> I am indeed engaging with some Centrify support folks.  The only rub
> is, we're running Centos 7.6 on our server and they don't
officially
> support Centos (only Red Hat Linux) so they keep telling us we need
> to switch over to Red Hat if we want full support.  That's not going
> to happen, but they're at least trying to be helpful.
> 
If they support RHEL, then they must be able to support Centos. Centos
is RHEL recompiled with the names changed.

Centrify seems to be running Samba in a way that we cannot support.

I could tell you how to 'rip' Centrify out of your setup, but there
are problems with doing this, the main one is that your users will
undoubtedly end up with different numeric ID's.

I personally do not see why anybody would pay to use Centrify, when
winbind will do the same thing for free.

Rowland