Alfonso Conner
2019-Apr-23 03:40 UTC
[Samba] Configured AD backend but getting different uid and gid
Hi Samba Team,

I hope I have sent my enquiries to the correct address list. I need advice and support from the team. Here's the summary of my issues; I try to provide as many details as possible.

Due to the business nature of my company, I have a mixture of Windows (XP, 7, 8/10 in future) and Linux RHEL workstations (5U6, 5U8, 5U11, 6/7 in future). I have an existing Samba PDC VM Server (CentOS 6.10) hosting for Windows Clients (XP, 7). I am tasked to research ways to allow Windows 10 PCs to join Samba and followed the Classic Upgrade. This is done following the setup guide from the Samba Website and I am happy Windows 10 is able to join Samba AD with existing XP and 7 still able to log in without issues.

My next task is to join Linux workstations to Samba AD to centralize all login accounts. These accounts need to have the same uid and gid for access to existing file servers using the correct NFS and CIFS credentials. After studying, I decided that using ad as the backend would be the suitable choice for me.

However, I have faced difficulties getting the same uid and gid for my domain users after my Linux workstations join Samba AD.

Configurations as follows:

Samba PDC
Hostname: DC1
Workgroup: EXAMPLE.COM

Samba version for classic upgrade: 4.8.5
Packages installed: gcc python-devel gnutls-devel libacl-devel openldap-devel pam-devel bind-utils krb5-workstation

Samba AD smb.conf configuration (Samba does not allow me to use the same value for realm and workgroup):

    [global]
    netbios name = DC1
    realm = NEWEXAMPLE.COM
    server role = active directory domain controller
    workgroup = EXAMPLE.COM
    idmap_ldb:use rfc2307 = yes
    client max protocol = NT1
    ldap server require strong auth = no
    template shell = /bin/bash
    template homedir = /home/%U

Kerberos configuration:

    [libdefaults]
    default_realm = NEWEXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

No issues running wbinfo -u, wbinfo -g, getent passwd DOMAIN\\USER:

    EXAMPLE.COM\administrator
    EXAMPLE.COM\krbtgt
    EXAMPLE.COM\guest
    EXAMPLE.COM\Users
    ..
    ..
    ..

I cannot change my netbios name nor change my AD Server hostname, as I found out my Linux member will get a spnego invalid credentials error and be unable to join the AD Domain.

Samba Domain member smb.conf, using RHEL 5U11 for testing.
Packages installed: samba3x-winbind-3.6.23-6.el5 system-config-samba-1.2.41-5.el5 samba3x-client-3.6.23-6.el5 samba3x-swat-3.6.23-6.el5 samba3x-3.6.23-6.el5

Member smb.conf:

    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions

    [global]
    workgroup = EXAMPLE.COM
    realm = NEWEXAMPLE.COM
    server string = Samba Server Version %v
    security = ADS
    username map = /etc/samba/user.map
    template homedir = /home/%U
    template shell = /bin/bash
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind offline logon = Yes
    idmap config NEWEXAMPLE.COM : unix_primary_group = yes
    idmap config NEWEXAMPLE.COM : unix_nss_info = yes
    idmap config NEWEXAMPLE.COM : range = 1001-9999
    idmap config NEWEXAMPLE.COM : schema_mode = rfc2307
    idmap config NEWEXAMPLE.COM : backend = ad
    idmap config * : range = 10001-99999
    idmap config * : backend = tdb
    map acl inherit = Yes
    cups options = raw
    store dos attributes = Yes
    vfs objects = acl_xattr

AD Member krb5.conf:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = NEWEXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

    [appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

After joining AD, I am able to get results from wbinfo and getent passwd, but I am getting Domain Users uid and gid starting from the "*" range. I have ensured all Computers, Users and Groups have assigned uid and gid using RSAT from a Windows 7 Client and am able to see the Attribute editor and Unix attributes.

Please advise; I appreciate your response.
Rowland Penny
2019-Apr-23 08:09 UTC
[Samba] Configured AD backend but getting different uid and gid
On Tue, 23 Apr 2019 11:40:43 +0800 Alfonso Conner via samba <samba at lists.samba.org> wrote:

> [quoted original post, as above]

el5 ? Samba 3.6.23 ? XP ? These are all EOL and, more specifically, your smb.conf contains idmap config unknown to your Samba version.

Your 'future' needs to be now.

There is nothing intrinsically wrong with your conf files, they just aren't for your old systems ;-)

Rowland
Alfonso Conner
2019-Apr-25 09:53 UTC
[Samba] Configured AD backend but getting different uid and gid
Hi,

Thanks for the advice. I know these are already EOL, but please bear with me on that. I also do use CentOS 7 and Windows 10 for further testing.

Anyway, I found out it is due to my "idmap DOMAIN : range" value in smb.conf not being set to the correct range. Another thing is that the libnss-winbind package must be installed properly. After these things were resolved, I managed to see the correct uid and gid. ;-)

I have another problem and would like to know if there is any configuration to trigger a logon script when a Domain User logs in to a Linux machine. My understanding is that for Windows, I can use RSAT, go to the User account properties -> Profile -> Logon script and put in the file name.

I appreciate the advice.

On Tue, Apr 23, 2019 at 4:09 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> [quoted earlier messages, as above]
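The symptom in the first post (ids allocated from the "*" range) and the fix reported in the follow-up (a wrong "idmap config DOMAIN : range") can be checked mechanically before joining. The script below is an added example, not code from the thread or the Samba project: it parses the idmap lines of an smb.conf text (a constructed excerpt of the posted member config) and reports which constructed uidNumber/gidNumber values fall outside the domain range, so winbind would fall back to the tdb "*" backend for them. It also flags an idmap domain label that differs from the workgroup, since winbind keys `idmap config DOMAIN` on the NetBIOS domain name; that check goes beyond the thread's own diagnosis.

```python
import re

# Constructed excerpt of the domain member smb.conf posted in the thread.
SMB_CONF = """
[global]
workgroup = EXAMPLE.COM
realm = NEWEXAMPLE.COM
security = ADS
idmap config NEWEXAMPLE.COM : backend = ad
idmap config NEWEXAMPLE.COM : schema_mode = rfc2307
idmap config NEWEXAMPLE.COM : range = 1001-9999
idmap config * : backend = tdb
idmap config * : range = 10001-99999
"""

# Constructed rfc2307 values, as set via the RSAT Unix Attributes tab.
AD_IDS = {"alice": 1005, "bob": 10500, "Domain Users": 513}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return (workgroup, {domain: {option: value}}) from smb.conf text."""
    idmap, workgroup = {}, None
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
        elif line.strip().lower().startswith("workgroup"):
            workgroup = line.split("=", 1)[1].strip()
    return workgroup, idmap


def parse_range(text):
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi


def audit(conf, ad_ids):
    """List reasons why AD ids would not be served by the 'ad' idmap backend."""
    workgroup, idmap = parse_idmap(conf)
    findings = []
    for dom, opts in idmap.items():
        if dom == "*" or opts.get("backend") != "ad":
            continue
        if workgroup and dom.upper() != workgroup.upper():
            findings.append(f"idmap domain '{dom}' is not the workgroup '{workgroup}'")
        lo, hi = parse_range(opts["range"])
        dlo, dhi = parse_range(idmap["*"]["range"])
        if lo <= dhi and dlo <= hi:  # ranges must not overlap
            findings.append(f"domain range {lo}-{hi} overlaps '*' range {dlo}-{dhi}")
        for name, num in ad_ids.items():
            if not lo <= num <= hi:  # outside range -> allocated from '*' tdb
                findings.append(f"{name}: id {num} outside {lo}-{hi}, falls to '*' range")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SMB_CONF, AD_IDS)) or "idmap config looks consistent")
```

Run it against `testparm -s` output and the uidNumber/gidNumber values taken from the directory; an empty report means every id will come from the ad backend rather than being allocated.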