Alfonso Conner
2019-Apr-25 09:53 UTC
[Samba] Configured AD backend but getting different uid and gid
Hi,

Thanks for the advice. I know these are already EOL, but please bear with me on that. I also use CentOS 7 and Windows 10 for further testing.

Anyway, I found out it is due to my "idmap DOMAIN : range" value in smb.conf not being set to the correct range. Another thing is that the libnss-winbind package must be installed properly. After these things were resolved, I managed to see the correct uid and gid. ;-)

I have another problem and would like to know whether there is any configuration to trigger a logon script when a Domain User logs in to a Linux machine. My understanding is that for Windows I can use RSAT, go to the user account properties -> Profile -> Logon script and put in the file name.

I would appreciate your advice.

On Tue, Apr 23, 2019 at 4:09 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 23 Apr 2019 11:40:43 +0800
> Alfonso Conner via samba <samba at lists.samba.org> wrote:
>
> > Hi Samba Team,
> >
> > I hope I have sent my enquiries to the correct address list.
> > I need advice and support from the team. Here is the summary of my
> > issues. I have tried to provide as much detail and information as I can.
> >
> > Due to the business nature of my company, I have a mixture of Windows
> > (XP, 7, 8/10 in future) and Linux RHEL workstations (5U6, 5U8, 5U11,
> > 6/7 in future).
> > I have an existing Samba PDC VM server (CentOS 6.10) hosting Windows
> > clients (XP, 7).
> > I am tasked to research ways to allow Windows 10 PCs to join Samba and
> > followed the Classic Upgrade.
> > This was done following the setup guide from the Samba website, and I am
> > happy that Windows 10 is able to join Samba AD with existing XP and 7
> > still able to log in without issues.
> >
> > My next task is to join Linux workstations to Samba AD to centralize
> > all login accounts.
> >
> > These accounts need to have the same uid and gid for access to
> > existing file servers using the correct NFS and CIFS credentials.
> > After study, I decided that using ad as backend would be the suitable
> > choice for me.
> >
> > However, I have faced difficulties getting the same uid and gid for my
> > domain users after my Linux workstations join Samba AD.
> >
> > Configurations as follows:
> >
> > Samba PDC
> > Hostname: DC1
> > Workgroup: EXAMPLE.COM
> >
> > Samba version for classic upgrade: 4.8.5
> > Packages installed: gcc python-devel gnutls-devel libacl-devel
> > openldap-devel pam-devel bind-utils krb5-workstation
> >
> > Samba AD smb.conf
> > Samba does not allow me to use the same value for realm and workgroup
> > [global]
> > netbios name = DC1
> > realm = NEWEXAMPLE.COM
> > server role = active directory domain controller
> > workgroup = EXAMPLE.COM
> > idmap_ldb:use rfc2307 = yes
> > client max protocol = NT1
> > ldap server require strong auth = no
> > template shell = /bin/bash
> > template homedir = /home/%U
> >
> > Kerberos configuration
> > [libdefaults]
> > default_realm = NEWEXAMPLE.COM
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > No issues running wbinfo -u, wbinfo -g, getent passwd DOMAIN\\USER
> > EXAMPLE.COM\administrator
> > EXAMPLE.COM\krbtgt
> > EXAMPLE.COM\guest
> > EXAMPLE.COM\Users
> > ..
> > ..
> > ..
> >
> > I cannot change my netbios name nor change my AD server hostname, as I
> > found out my Linux member will get a spnego invalid credentials error
> > and be unable to join the AD domain.
> >
> > Samba domain member smb.conf, using RHEL 5U11 for testing
> > Packages installed: samba3x-winbind-3.6.23-6.el5
> > system-config-samba-1.2.41-5.el5 samba3x-client-3.6.23-6.el5
> > samba3x-swat-3.6.23-6.el5 samba3x-3.6.23-6.el5
> >
> > member smb.conf
> > Loaded services file OK.
> > Server role: ROLE_DOMAIN_MEMBER
> > Press enter to see a dump of your service definitions
> >
> > [global]
> > workgroup = EXAMPLE.COM
> > realm = NEWEXAMPLE.COM
> > server string = Samba Server Version %v
> > security = ADS
> > username map = /etc/samba/user.map
> > template homedir = /home/%U
> > template shell = /bin/bash
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind use default domain = Yes
> > winbind nss info = rfc2307
> > winbind refresh tickets = Yes
> > winbind offline logon = Yes
> > idmap config NEWEXAMPLE.COM : unix_primary_group = yes
> > idmap config NEWEXAMPLE.COM : unix_nss_info = yes
> > idmap config NEWEXAMPLE.COM : range = 1001-9999
> > idmap config NEWEXAMPLE.COM : schema_mode = rfc2307
> > idmap config NEWEXAMPLE.COM : backend = ad
> > idmap config * : range = 10001-99999
> > idmap config * : backend = tdb
> > map acl inherit = Yes
> > cups options = raw
> > store dos attributes = Yes
> > vfs objects = acl_xattr
> >
> > AD member krb5.conf
> >
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> > default_realm = NEWEXAMPLE.COM
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> > ticket_lifetime = 24h
> > forwardable = yes
> >
> > [appdefaults]
> > pam = {
> > debug = false
> > ticket_lifetime = 36000
> > renew_lifetime = 36000
> > forwardable = true
> > krb4_convert = false
> > }
> >
> > After joining AD, I am able to get results from wbinfo and getent
> > passwd, but am getting Domain Users' uid and gid starting from the "*"
> > range. I have ensured all computers, users and groups have an assigned uid
> > and gid using RSAT from a Windows 7 client, and am able to see Attribute
> > Editor, Unix Attributes.
> >
> > Please advise; I appreciate your response.
>
> el5? Samba 3.6.23? XP? These are all EOL and, more specifically,
> your smb.conf contains idmap config unknown to your Samba version.
>
> Your 'future' needs to be now.
>
> There is nothing intrinsically wrong with your conf files, they just
> aren't for your old systems ;-)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2019-Apr-25 10:47 UTC
[Samba] Configured AD backend but getting different uid and gid
On Thu, 25 Apr 2019 17:53:44 +0800 Alfonso Conner <c1581634 at gmail.com> wrote:
> Hi,
>
> Thanks for the advice. I know these are already EOL, but please bear
> with me on that. I also use CentOS 7 and Windows 10 for further
> testing. Anyway, I found out it is due to my "idmap DOMAIN : range"
> value in smb.conf not being set to the correct range.

Yes, that would do it ;-)

> Another thing is that the libnss-winbind package must be installed
> properly.

If you want to use kerberos, you will also need libpam-krb5

> After these things were resolved, I managed to see the correct uid and
> gid. ;-)
>
> I have another problem and would like to know whether there is any
> configuration to trigger a logon script when a Domain User logs in to a Linux
> machine. My understanding is that for Windows I can use RSAT, go to
> the user account properties -> Profile -> Logon script and put in the file
> name.

It all depends what you mean by 'logon script'?
If you mean something to create the user's home directory, then yes, add:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

to the end of /etc/pam.d/common-session

If this isn't what you require, then can you please explain exactly
what you do require.

Rowland
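The range problem Alfonso hit and Rowland confirmed above comes down to a few smb.conf facts that can be checked offline: every `idmap config LABEL : range` line must parse as LOW-HIGH, the per-domain range must not overlap the `*` range, the rfc2307 uidNumber/gidNumber stored in AD must fall inside the domain's range (an id outside it is unusable to winbind, and `getent` then shows an id allocated from the `*` tdb range, which is what the thread saw), and LABEL is the domain's short (NetBIOS) name, i.e. the `workgroup` value for the member's own domain, not the realm. The POSIX sh below is an added example written for this thread, not code from the thread or from the Samba project. Its sample smb.conf is constructed (modelled on the member config quoted earlier, with `EXAMPLE` used as both workgroup and idmap label), and the uid/gid values 5000 and 12000 in the demo are made up.

```sh
#!/bin/sh
# Added example: offline checks for winbind idmap ranges in an smb.conf.
# Not from the thread or the Samba project. The sample config below is
# constructed; the ids used in the demo at the bottom are made up.

SAMPLE_SMB_CONF='[global]
   workgroup = EXAMPLE
   realm = NEWEXAMPLE.COM
   security = ADS
   winbind nss info = rfc2307
   idmap config * : backend = tdb
   idmap config * : range = 10001-99999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 1001-9999
'

# conf_value CONF KEY -> value of the first plain "KEY = value" line
conf_value() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        tolower(k) == tolower(key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# idmap_range CONF LABEL -> prints "LOW HIGH" from "idmap config LABEL : range"
idmap_range() {
    printf '%s\n' "$1" | awk -v label="$2" '
        $0 ~ /^[ \t]*idmap config/ {
            line = $0
            sub(/^[ \t]*idmap config[ \t]*/, "", line)
            n = index(line, ":")
            if (n == 0) next
            lab = substr(line, 1, n - 1); gsub(/[ \t]/, "", lab)
            rest = substr(line, n + 1)
            if (lab != label || rest !~ /^[ \t]*range[ \t]*=/) next
            sub(/^[ \t]*range[ \t]*=[ \t]*/, "", rest)
            gsub(/[ \t]/, "", rest)
            split(rest, r, "-")
            print r[1], r[2]
            exit
        }'
}

# id_in_range CONF LABEL ID -> 0 if ID lies inside the label's range
id_in_range() {
    set -- "$3" $(idmap_range "$1" "$2")
    [ $# -eq 3 ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# ranges_overlap CONF LABEL1 LABEL2 -> 0 if the two ranges intersect, 2 if one is missing
ranges_overlap() {
    set -- $(idmap_range "$1" "$2") $(idmap_range "$1" "$3")
    [ $# -eq 4 ] || return 2
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_mapping CONF LABEL UID GID -> prints findings; 0 only if both ids are usable
check_mapping() {
    cm_conf=$1; cm_label=$2; cm_rc=0
    cm_wg=$(conf_value "$cm_conf" workgroup)
    if [ "$cm_label" != "$cm_wg" ]; then
        echo "warn: idmap label '$cm_label' differs from workgroup '$cm_wg' (idmap config is keyed on the short domain name)"
    fi
    if [ -z "$(idmap_range "$cm_conf" "$cm_label")" ]; then
        echo "fail: no 'idmap config $cm_label : range' line"
        return 1
    fi
    if ranges_overlap "$cm_conf" "$cm_label" '*'; then
        echo "fail: '$cm_label' range overlaps the '*' range"
        cm_rc=1
    fi
    for cm_pair in "uidNumber=$3" "gidNumber=$4"; do
        if id_in_range "$cm_conf" "$cm_label" "${cm_pair#*=}"; then
            echo "ok:   $cm_pair inside the $cm_label range"
        else
            echo "fail: $cm_pair outside the $cm_label range; winbind cannot use it, getent will show an id from the '*' (tdb) range"
            cm_rc=1
        fi
    done
    return $cm_rc
}

# Stand-alone demo with made-up AD attributes: 5000/5000 fits, 12000 does not.
check_mapping "$SAMPLE_SMB_CONF" EXAMPLE 5000 5000
check_mapping "$SAMPLE_SMB_CONF" EXAMPLE 12000 5000
```

On a real member, feed it the output of `testparm -s` and the uidNumber/gidNumber from the RSAT Unix Attributes tab, e.g. `check_mapping "$(testparm -s 2>/dev/null)" EXAMPLE 5000 5000`. It only reads text, so it runs on the old el5 box as well as on CentOS 7; it does not tell you whether the Samba version understands a given idmap option, which was Rowland's other point.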
Alfonso Conner
2019-Apr-26 01:58 UTC
[Samba] Configured AD backend but getting different uid and gid
Hi,

Thank you for replying. User home directory creation is working without the need to edit /etc/pam.d/common-session.

The logon script I mentioned here is an in-house script to handle directory mounting for file server access, and to create shortcuts on the account's desktop for different logins. On my Linux machines, currently all of this is done manually, by local user account creation and by adding the command lines to each individual home directory's ~/.bash_profile.

I am happy to see that after joining Samba AD, domain users are able to log in to Linux machines. However, I need to find a way to take care of the mapping after the domain user logs in.

Best Regards

On Thu, Apr 25, 2019 at 6:48 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 25 Apr 2019 17:53:44 +0800
> Alfonso Conner <c1581634 at gmail.com> wrote:
>
> > Hi,
> >
> > Thanks for the advice. I know these are already EOL, but please bear
> > with me on that. I also use CentOS 7 and Windows 10 for further
> > testing. Anyway, I found out it is due to my "idmap DOMAIN : range"
> > value in smb.conf not being set to the correct range.
>
> Yes, that would do it ;-)
>
> > Another thing is that the libnss-winbind package must be installed
> > properly.
>
> If you want to use kerberos, you will also need libpam-krb5
>
> > After these things were resolved, I managed to see the correct uid and
> > gid. ;-)
> >
> > I have another problem and would like to know whether there is any
> > configuration to trigger a logon script when a Domain User logs in to a Linux
> > machine. My understanding is that for Windows I can use RSAT, go to
> > the user account properties -> Profile -> Logon script and put in the file
> > name.
>
> It all depends what you mean by 'logon script'?
> If you mean something to create the user's home directory, then yes, add:
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>
> to the end of /etc/pam.d/common-session
>
> If this isn't what you require, then can you please explain exactly
> what you do require.
>
> Rowland
L.P.H. van Belle
2019-Apr-26 07:35 UTC
[Samba] Configured AD backend but getting different uid and gid
Hai,

Now this part.

> On my Linux machines, currently all is done manually by local
> user account creation and by adding the command lines into individual home
> directory ~/.bash_profile

I don't know your system, but on my Debian I'm adding things like that in /etc/profile.d/. Now it's for every user; put your scripts in there, give "domain users" a GID, make a match on the GID and make the program do what you want. This makes sure this only runs for domain users. Something like that?

> However, I need to find a way to take care of the
> mapping after the domain user log in.

You mean a domain user's login on a Linux member? I use CIFS/NFS auto-mounting of homedirs; I use NFSv4 (kerberized) and automounting currently. I'll make a small how-to on how to set up the NFSv4 kerberised part; my current setup is stable and I can repeat it without problems. And as usual, it is pretty easy IF you know how. ;-)

And is your "different gid/uid" problem also solved?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alfonso Conner via samba
> Sent: Friday 26 April 2019 3:58
> To: Rowland Penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Configured AD backend but getting different uid and gid
>
> Hi,
>
> Thank you for replying. User home directory creation is working without the
> need to edit /etc/pam.d/common-session.
> The logon script I mentioned here is an in-house script to handle directory
> mounting for file server access, and to create shortcuts on the account's desktop
> for different logins.
> On my Linux machines, currently all of this is done manually, by local
> user account creation and by adding the command lines to each individual home
> directory's ~/.bash_profile.
> I am happy to see that after joining Samba AD, domain users are able to log in to Linux
> machines. However, I need to find a way to take care of the mapping after
> the domain user logs in.
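Louis's /etc/profile.d/ suggestion, worked through as an added example (not code from the thread, from Louis, or from the Samba project). It gates on the GID of Domain Users, as he proposes, and covers the two jobs Alfonso's in-house script did from ~/.bash_profile: a desktop shortcut to the user's file-server directory and an exported path that other scripts can use. Assumptions that are not from the thread: the group's gidNumber is 10513, the automounter exposes each user's share under /net/users/<user> (the mount itself stays with autofs or pam_mount, because a profile script runs as the unprivileged user and must not call mount), and the file name domain-login.sh.

```sh
#!/bin/sh
# /etc/profile.d/domain-login.sh  (added example, not from the thread)
#
# Per-login setup that runs only for AD accounts, decided by membership in
# "Domain Users" as Louis suggests. Assumptions (not from the thread): the
# group's gidNumber is 10513, the automounter serves each user's share at
# /net/users/<user>, and the mount itself is handled by autofs or pam_mount,
# since this file is sourced by an unprivileged login shell.
DOMAIN_USERS_GID=${DOMAIN_USERS_GID:-10513}
AUTOFS_BASE=${AUTOFS_BASE:-/net/users}

# in_group GIDLIST GID -> 0 if GID is one of the space-separated GIDLIST
in_group() {
    for dl_g in $1; do
        [ "$dl_g" = "$2" ] && return 0
    done
    return 1
}

# desktop_entry NAME TARGET -> prints a freedesktop "Link" .desktop file
desktop_entry() {
    printf '[Desktop Entry]\nType=Link\nName=%s\nURL=file://%s\nIcon=folder-remote\n' "$1" "$2"
}

# domain_login_setup USER HOME -> creates HOME/Desktop/file-server.desktop
# pointing at the user's automounted share and exports FILESERVER_HOME.
# Returns 1 on a name that could escape the share tree or on any I/O error.
domain_login_setup() {
    case $1 in
        ''|*/*|*..*|-*) return 1 ;;
    esac
    [ -d "$2" ] || return 1
    dl_target="$AUTOFS_BASE/$1"
    mkdir -p "$2/Desktop" || return 1
    # subshell, so the restrictive umask does not leak into the login session
    ( umask 077 && desktop_entry "File Server" "$dl_target" > "$2/Desktop/file-server.desktop" ) || return 1
    FILESERVER_HOME=$dl_target
    export FILESERVER_HOME
    unset dl_target
}

# Trigger: local accounts are left alone; domain users get the setup.
if [ -n "$HOME" ] && in_group "$(id -G 2>/dev/null)" "$DOMAIN_USERS_GID"; then
    domain_login_setup "$(id -un)" "$HOME"
fi
```

Install it as /etc/profile.d/domain-login.sh with mode 0644. Because profile.d files are sourced into the login shell, the script prefixes its temporaries and changes umask only in a subshell so nothing leaks into the user's session; with `winbind use default domain = Yes`, as in the member config quoted earlier, `id -un` returns the bare account name, which is what the share path uses. Look up the real GID with `getent group "Domain Users"` once winbind is in nsswitch.conf.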