Hey guys, sorry for the (no subject) message. I copy/pasted from a previous email and missed the subject.

I really appreciate the quick feedback! I'm hoping to produce a series of blog posts that are guaranteed to work (on Debian 9 at least) and produce the ultimate Samba-powered Active Directory environment.

On Fri, Mar 1, 2019 at 9:04 AM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
[snip]
> few minor points.
>
> REALM="ad.onthefive.com"
> Realm always in CAPS, this prevents problems with other programs. Most programs expect REALM in CAPS.
> For example postfix expects REALM in CAPS.

I agree with you, however:

1) The Samba Wiki [1] uses lowercase:

> Realm --realm Kerberos realm. This is also used as the AD DNS
> domain. For example: samdom.example.com.

2) samba-tool seems to do the "right thing" and capitalize this string where required. My generated smb.conf has:

    [global]
            netbios name = SAMBA-DC
            realm = AD.ONTHEFIVE.COM
            workgroup = ONTHEFIVE

While the generated krb5.conf has:

    [libdefaults]
            default_realm = AD.ONTHEFIVE.COM
            dns_lookup_realm = false
            dns_lookup_kdc = true

Since "--realm" is kind of a dual-use parameter, I'm inclined to leave it lowercase.

> I suggest you add a note here that the DNS-domain and REALM are 2 different things.
> And the other sidenote on this is, often the dns-domain == REALM ( but in caps )

Yes, this is a great point. Does the term "REALM" apply to anything besides Kerberos?

> > The krb5.conf. mv /etc/krb5.conf /etc/krb5.conf.old
> The default from debian, if you enter the REALM in CAPS at install, is sufficient.
> Not really needed but not wrong.

The krb5.conf file generated during "samba-tool provision" contains only what I've shown above. The Debian file has a lot of other stuff, including various *.MIT.EDU [realms]. I felt it was better to trust "samba-tool" than the Debian maintainers :-)

> I also suggest, add a check if the reverse zone exists.

Can you elaborate? Are you suggesting to check for a reverse DNS entry for the IP address of the DC?

[snip]
> apt install ssh-krb5 libpam-krb5 libnss-winbind libpam-winbind
>
> That configures 1-2 parameters in sshd_config and gives you directly the ability to login with kerberos.
> Note, not accounting for the missing "templates" parameters.
>
> Default: template homedir = /home/%D/%U
> Default: template shell = /bin/false
> (man smb.conf)
> And how are the homedirs created, through ADUC or mk_homedir
>
> Needed on the DC's with logins and members that used RID setup, also set in /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind

I actually wrote a subsequent blog post, where I set up all of the winbind configuration:
https://jonathonreinhart.com/posts/blog/2019/02/26/configuring-winbind-on-a-samba-ad-dc-on-debian-9

I did not include kerberos login, however, so thank you for that!

Setting uidNumber, gidNumber, etc. from Microsoft tools is deprecated, so I plan to put together some solution to automatically assign them during/after user creation, e.g.

- https://serverfault.com/q/764185/55544
- https://serverfault.com/q/484908/55544

I used pam_mkhomedir to create the home directory on the DC.

Correct me if I'm wrong, but winbind (on a Samba DC) can **only** use "template homedir" and "template shell", and will not respect the RFC 2307 attributes in LDAP. Is that correct?

> If I may suggest. Go through these.
> https://github.com/thctlo/samba4/tree/master/howtos
> These are a bit older, I'm working on the update and nice layouts etc.
> It's my git link, most things you're wanting/asking are in my scripts.
>
> For example, what I don't see on the site is the check on /etc/hosts
> If you installed with dhcp you need to change 127.0.1.1 to the real ip of the server in /etc/hosts

Thanks for that reference; I will check them out. In general, I prefer DHCP reservations over static IP addresses, and in fact, that's how my current DC is running. But if it's safer, I will change to use a static IP address, and update /etc/hosts, etc.

[snip]
> > Is what I'm attempting to do a valid operation? Or is it weird that
> > realmd is trying to "join" the DC to the domain?
>
> No, not strange, but realmd is "joining" the AD-DC and it's trying that with member settings.
> That won't work on the DC itself of course.

I abandoned the idea of using Realmd on the DC itself. I'm still hoping to use Realmd + SSSD on my other Linux servers, like I have with Microsoft Active Directory.

> Greetz,
>
> Louis

Thanks again for your input!

Jonathon

[1] https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Parameter_Explanation
On Sat, 2 Mar 2019 17:57:41 -0500
Jonathon Reinhart via samba <samba at lists.samba.org> wrote:

> On Fri, Mar 1, 2019 at 9:04 AM L.P.H. van Belle via samba
> <samba at lists.samba.org> wrote:
> [snip]
> > few minor points.
> >
> > REALM="ad.onthefive.com"
> > Realm always in CAPS, this prevents problems with other programs.
> > Most programs expect REALM in CAPS. For example postfix expects
> > REALM in CAPS.
>
> I agree with you, however:
>
> 1) The Samba Wiki [1] uses lowercase:

It doesn't any more.

> > I suggest you add a note here that the DNS-domain and REALM are 2
> > different things. And the other sidenote on this is, often the
> > dns-domain == REALM ( but in caps )

Whilst a REALM and a DNS domain are different things, one relies on the other, and to look at, the only difference is the case.

> Yes, this is a great point. Does the term "REALM" apply to anything
> besides Kerberos?

Not to my knowledge.

> > I also suggest, add a check if the reverse zone exists.
>
> Can you elaborate? Are you suggesting to check for a reverse DNS entry
> for the IP address of the DC?

Yes, I think he does.

> [snip]
> > apt install ssh-krb5 libpam-krb5 libnss-winbind libpam-winbind
> >
> > That configures 1-2 parameters in sshd_config and gives you directly
> > the ability to login with kerberos. Note, not accounting for the
> > missing "templates" parameters.
> >
> > Default: template homedir = /home/%D/%U
> > Default: template shell = /bin/false
> > (man smb.conf)
> > And how are the homedirs created, through ADUC or mk_homedir
> >
> > Needed on the DC's with logins and members that used RID setup, also
> > set in /etc/nsswitch.conf
> > passwd: compat winbind
> > group: compat winbind
>
> I actually wrote a subsequent blog post, where I set up all of the
> winbind configuration:
> https://jonathonreinhart.com/posts/blog/2019/02/26/configuring-winbind-on-a-samba-ad-dc-on-debian-9

I will go and read it.

> I did not include kerberos login, however, so thank you for that!
>
> Setting uidNumber, gidNumber, etc. from Microsoft tools is
> deprecated, so I plan to put together some solution to automatically
> assign them during/after user creation, e.g.
>
> - https://serverfault.com/q/764185/55544
> - https://serverfault.com/q/484908/55544

Adding RFC2307 to a user was never automatic on ADUC; you had to use the 'Unix Attributes' tab, and it is this that has been removed.

> I used pam_mkhomedir to create the home directory on the DC.
>
> Correct me if I'm wrong, but winbind (on a Samba DC) can **only** use
> "template homedir" and "template shell", and will not respect the RFC
> 2307 attributes in LDAP. Is that correct?

Yes and no ;-)

If you use the 'rid' backend, you must use the template lines. If you use the 'ad' backend, then the RFC2307 attributes in AD will be used.

> In general, I prefer DHCP reservations over static IP addresses, and
> in fact, that's how my current DC is running. But if it's safer, I
> will change to use a static IP address, and update /etc/hosts, etc.

Provided your DCs always have the same IP address, it doesn't matter how they are set; static settings just ensure this.

> [snip]
> > > Is what I'm attempting to do a valid operation? Or is it weird
> > > that realmd is trying to "join" the DC to the domain?
> >
> > No, not strange, but realmd is "joining" the AD-DC and it's trying
> > that with member settings. That won't work on the DC itself of course.
>
> I abandoned the idea of using Realmd on the DC itself. I'm still
> hoping to use Realmd + SSSD on my other Linux servers, like I have
> with Microsoft Active Directory.

This is your decision, but be aware that Samba does not provide them, so cannot support them.

Rowland
On Sun, Mar 3, 2019 at 5:14 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
[snip]
> > Correct me if I'm wrong, but winbind (on a Samba DC) can **only** use
> > "template homedir" and "template shell", and will not respect the RFC
> > 2307 attributes in LDAP. Is that correct?
>
> Yes and no ;-)
>
> If you use the 'rid' backend, you must use the template lines. If you
> use the 'ad' backend, then the RFC2307 attributes in AD will be used.

I'm asking about Winbindd on the DC itself, where, as I understand it, there is no choice of idmap backend. The Samba Wiki [1] says:

> ... setting up an ID mapping back end, such as ad (RFC2307) or rid, in
> the smb.conf file is not supported an [sic] can cause the samba
> service to fail.
> On a Samba Active Directory DC, Winbindd always reads the user IDs
> (UID) and group IDs (GID) from the values set in the uidNumber and
> gidNumber attributes set in the AD objects.

That page goes on to say:

> On a Samba DC, only the winbind template mode is supported.

This doesn't seem to agree with what you've said; it strongly implies that Winbindd, on a Samba DC, will never use the homeDirectory and loginShell attributes. This mailing list post from 2015 [2] seems to agree.

While we're on the topic, I've noticed that passing --use-rfc2307 to `samba-tool domain provision` causes smb.conf to include this option:

    idmap_ldb:use rfc2307 = yes

That option is not documented in smb.conf [3]. Furthermore, this Samba Wiki page [4] says about that option:

> It is recommended not to use those mappings on the DCs. The default
> idmap ldb mechanism is fine for domain controllers and less error
> prone.

Which seems completely incorrect, given that the option was added during AD provisioning.

I appreciate your help in clearing up some of this contradictory information!

Jonathon

[1] https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC#Identity_Mapping_on_a_Samba_Domain_Controller
[2] https://lists.samba.org/archive/samba/2015-June/192072.html
[3] https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
[4] https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#RFC2307_on_AD_Domain_Controllers
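As an added example that is not part of this thread and not code from Samba or from either blog: a POSIX shell script that turns the checks raised across these messages into functions. It covers Louis's points (REALM in capitals in smb.conf, no 127.0.1.1 mapping for the DC's name in /etc/hosts, winbind on the passwd and group lines of nsswitch.conf), the reverse-zone check that Rowland confirmed, and the wiki text quoted above that an ad or rid idmap backend on a DC is unsupported. The file paths, the sample address 192.168.1.10, the name dc1.ad.example.com and the /24 reverse-zone assumption are mine; `samba-tool dns zonelist` is the real command that lists a DC's zones, and the script only expects its output to contain the zone name somewhere. The checks take file paths so they can be run over the constructed samples below or pointed at the real /etc files.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Samba project.
# Pre-flight checks for a Samba AD DC host: REALM in capitals, no 127.0.1.1
# mapping for the DC name in /etc/hosts, a reverse DNS zone for the DC's
# address, winbind in nsswitch.conf, and no ad/rid idmap backend on the DC.

# REALM must be upper case in smb.conf. Returns 0 if it is, 1 if it contains
# lower case, 2 if no "realm =" line was found (assumes a lower-case key).
check_realm_caps() {
    realm=$(sed -n -e 's/[[:space:]]*$//' \
                   -e 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$realm" ] || return 2
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# /etc/hosts must not map the DC's name ($2) to 127.0.1.1, the line the Debian
# installer writes when the address came from DHCP. Returns 1 if it does.
check_hosts_entry() {
    awk -v name="$2" '
        $1 == "127.0.1.1" { for (i = 2; i <= NF; i++) if ($i == name) bad = 1 }
        END { exit bad }' "$1"
}

# Name of the reverse zone for an IPv4 address, assuming a /24 zone:
# 192.168.1.10 -> 1.168.192.in-addr.arpa
reverse_zone() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# $1 is a file holding the DC's zone list (on a real DC, save the output of
# "samba-tool dns zonelist <dc> --reverse"); returns 0 if the reverse zone
# for address $2 is listed anywhere in it.
check_reverse_zone() {
    grep -qF "$(reverse_zone "$2")" "$1"
}

# Both "passwd:" and "group:" in nsswitch.conf must list winbind.
check_nsswitch() {
    awk '($1 == "passwd:" || $1 == "group:") { for (i = 2; i <= NF; i++) if ($i == "winbind") n++ }
         END { exit (n == 2 ? 0 : 1) }' "$1"
}

# On a DC an "idmap config <DOMAIN> : backend = ad|rid" line is unsupported
# (the DC always uses idmap_ldb). Returns 1 if such a line is present.
check_no_idmap_backend() {
    ! grep -Eiq '^[[:space:]]*idmap[[:space:]]+config[[:space:]]+[^:]+:[[:space:]]*backend[[:space:]]*=[[:space:]]*(ad|rid)[[:space:]]*$' "$1"
}

# Constructed sample files (not real configs) so the checks can run offline.
# Prints the directory they were written to.
make_samples() {
    dir=$(mktemp -d)
    printf '[global]\n\tnetbios name = DC1\n\trealm = AD.EXAMPLE.COM\n\tworkgroup = EXAMPLE\n' > "$dir/smb.conf.good"
    printf '[global]\n\trealm = ad.example.com\n\tidmap config EXAMPLE : backend = rid\n' > "$dir/smb.conf.bad"
    printf '127.0.0.1\tlocalhost\n192.168.1.10\tdc1.ad.example.com dc1\n' > "$dir/hosts.good"
    printf '127.0.0.1\tlocalhost\n127.0.1.1\tdc1.ad.example.com dc1\n' > "$dir/hosts.bad"
    printf 'ad.example.com\n1.168.192.in-addr.arpa\n' > "$dir/zones.good"
    printf 'ad.example.com\n' > "$dir/zones.bad"
    printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n' > "$dir/nsswitch.good"
    printf 'passwd: compat\ngroup: compat\n' > "$dir/nsswitch.bad"
    echo "$dir"
}

# Run one check and print a one-line verdict for it.
report() { if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; fi; }

main() {
    d=$(make_samples)
    report check_realm_caps "$d/smb.conf.good"
    report check_realm_caps "$d/smb.conf.bad"
    report check_hosts_entry "$d/hosts.bad" dc1.ad.example.com
    report check_reverse_zone "$d/zones.good" 192.168.1.10
    report check_nsswitch "$d/nsswitch.bad"
    report check_no_idmap_backend "$d/smb.conf.bad"
    rm -rf "$d"
}
main
```

To use it on a DC, point the functions at /etc/samba/smb.conf, /etc/hosts and /etc/nsswitch.conf, and feed `check_reverse_zone` a file containing the output of `samba-tool dns zonelist <dc> --reverse` together with the DC's address. The reverse-zone check only tells you the zone exists; the PTR record for the DC inside it is a separate thing to verify.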