Hello,

I'm building a samba share with Active Directory authentication, based on samba wiki documentation.
I'm using Samba Version 4.7.6-Ubuntu (Ubuntu 18.04) and Windows Server 2019.
I manually added Unix fields in my AD users' attributes (based on
https://wiki.samba.org/index.php/Installing_RSAT#Missing_Unix_Attributes_tab_in_ADUC_on_Windows_10_and_Windows_Server_2016)
I joined the domain correctly, I see my computer in my AD.

The problem is I can't list users/groups with the getent command or get some info with wbinfo.

The commands that work:
wbinfo -t returns "checking the trust secret for domain FOO via RPC calls succeeded"
wbinfo -u correctly displays users
wbinfo -g correctly displays groups
wbinfo -D FOO
wbinfo -n FOO\\vincent shows me the SID

but wbinfo --user-sids=<SID> returns
failed to call wbcLookupUserSids: WBC_ERR_DOMAIN_NOT_FOUND
Could not get group SIDs for user SID S-1-5-21-2816186202-4468957523-2022743653-4403

wbinfo -r FOO\\vincent returns
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user FOO\vincent

I got these logs in winbindd.log:

[2019/04/26 10:11:27.061645, 1, pid=3586, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:468(ndr_print_function_debug)
  wbint_LookupName: struct wbint_LookupName
    in: struct wbint_LookupName
      domain : *
        domain : 'FOO'
      name : *
        name : 'VINCENT'
      flags : 0x00000008 (8)
[2019/04/26 10:11:27.061974, 1, pid=3586, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:468(ndr_print_function_debug)
  wbint_LookupName: struct wbint_LookupName
    out: struct wbint_LookupName
      type : *
        type : SID_NAME_USER (1)
      sid : *
        sid : S-1-5-21-2816186202-4468957523-2022743653-4403
      result : NT_STATUS_OK
[2019/04/26 10:11:27.062006, 3, pid=3586, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_queryuser.c:59(wb_queryuser_send)
  wb_queryuser_send: My domain -- rejecting S-1-5-21-2816186202-4468957523-2022743653-4403
[2019/04/26 10:11:27.062019, 5, pid=3586, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getgroups.c:235(winbindd_getgroups_recv)
  Could not convert sid S-1-5-21-2816186202-4468957523-2022743653-4403: NT_STATUS_NO_SUCH_USER

What am I missing?
Thanks in advance.

Vincent
------------------------------------------
Here are my config files:

/etc/krb5.conf

[libdefaults]
        default_realm = FOO.LAB
        dns_lookup_realm = false
        dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        FOO.LAB = {
                kdc = dc.test.lan
        }

/etc/nsswitch.conf with
passwd:         compat winbind
group:          compat winbind

/etc/samba/user.map

!root = FOO\administrateur

/etc/samba/smb.conf

[global]

        security = ADS
        workgroup = FOO
        realm = FOO.LAB
        netbios name= share

        log file = /var/log/samba/%m.log
        log level = 10

        preferred master = no
        domain master = no
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        # Default ID mapping configuration for local BUILTIN accounts
        # and groups on a domain member. The default (*) domain:
        # - must not overlap with any domain ID mapping configuration!
        # - must use a read-write-enabled back end, such as tdb.
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        # - You must set a DOMAIN backend configuration
        # idmap config for the FOO domain
        idmap config FOO:backend = ad
        idmap config FOO:schema_mode = rfc2307
        idmap config FOO:range = 10000-999999
        idmap config FOO:unix_nss_info = yes
        idmap config FOO:unix_primary_group = yes

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        # Template settings for login shell and home directory
        template shell = /bin/bash
        template homedir = /home/%U

        username map = /etc/samba/user.map

        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind trusted domains only = yes
        winbind nss info = rfc2307
        winbind expand groups = 4

        server role = member server
        obey pam restrictions = yes
        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        pam password change = yes
        map to guest = bad user
My first guess.. You're missing one of these, I think.

apt install libpam-winbind libnss-winbind libpam-krb5

Besides that, it's exactly my setting ;-)

Ow. Ps, almost.

> netbios name= share
<< set hostname but in CAPS.. Max 15 chars.

> winbind enum users = yes
> winbind enum groups = yes
Remove them, not really needed. Just with: getent passwd/group username/groupname
Or id username

> map to guest = bad user
Remove that, that's asking for problems.

After the above changes, and if you still have problems, I suggest reading:
https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt

If you do exactly what's there, you have a working setup.
Read it and see what's different compared to your setup.

If you think it's too difficult or too much work, fine also, then get:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

Run it and post the output.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Vincent Ducot via samba
> Sent: Friday 26 April 2019 10:40
> To: samba at lists.samba.org
> Subject: [Samba] Samba with AD : SID rejected
On Fri, 26 Apr 2019 10:39:47 +0200
Vincent Ducot via samba <samba at lists.samba.org> wrote:

> [libdefaults]
>         default_realm = FOO.LAB

Now this could be a typo, but you show your REALM as 'FOO.LAB', which would mean your dns domain is 'foo.lab'

> [realms]
>         FOO.LAB = {
>                 kdc = dc.test.lan
>         }

But your kdc's dns domain appears to be 'test.lan'

> [global]
>         security = ADS
>         workgroup = FOO
>         realm = FOO.LAB
>         netbios name= share
>
>         log file = /var/log/samba/%m.log
>         log level = 10
>
>         preferred master = no
>         domain master = no
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>         idmap config FOO:backend = ad
>         idmap config FOO:schema_mode = rfc2307
>         idmap config FOO:range = 10000-999999
>         idmap config FOO:unix_nss_info = yes
>         idmap config FOO:unix_primary_group = yes

For the above to work, any users you want to be Unix users must have a uidNumber attribute containing a unique number inside the range set for the domain in smb.conf, in this case '10000-999999'.
You will also need to give Domain Users a gidNumber attribute containing a number inside the same range.
Because you have also set 'unix_primary_group = yes', you can also give your users a gidNumber attribute containing the ID (gidNumber) of a group; this would then override the user's Windows primary group (Domain Users), but only when logged into a Unix machine and not when connecting to a share.

>         winbind nss info = rfc2307

You no longer use the line above

>         unix password sync = yes

The line above is no longer required, you cannot have domain users in /etc/passwd.

Rowland
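The rules Rowland states (uidNumber/gidNumber inside the domain's idmap range, and the default '*' range not overlapping it) can be checked offline against an attribute dump. This is an added example, not code from the thread or from Samba; the smb.conf fragment and the LDIF-style entries are constructed, and the `check` function name is my own.

```python
import re
# Constructed smb.conf fragment: the idmap range lines from the thread.
SMB_CONF = """\
idmap config * : range = 3000-7999
idmap config FOO:range = 10000-999999
"""

# Constructed LDIF-style dump; values are illustrative, bob is deliberately unmapped.
LDIF = """\
sAMAccountName: vincent
objectClass: user
uidNumber: 10010
gidNumber: 13010

sAMAccountName: Domain Users
objectClass: group
gidNumber: 13010

sAMAccountName: bob
objectClass: user
uidNumber: 2000
"""

def idmap_ranges(conf):
    """Map each idmap domain ('*', 'FOO', ...) to its (low, high) range."""
    pat = r"idmap config\s*([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    return {d: (int(lo), int(hi)) for d, lo, hi in re.findall(pat, conf)}

def parse_ldif(text):
    """Split an LDIF dump into one {attribute: value} dict per entry."""
    return [dict(line.split(": ", 1) for line in blk.splitlines())
            for blk in text.strip().split("\n\n")]

def check(conf, ldif, domain="FOO"):
    """Return findings as strings; an empty list means the rules hold."""
    ranges = idmap_ranges(conf)
    lo, hi = ranges[domain]
    dflt = ranges.get("*")
    findings = []
    if dflt and dflt[0] <= hi and lo <= dflt[1]:
        findings.append("default (*) range overlaps the %s range" % domain)
    for e in parse_ldif(ldif):
        name = e["sAMAccountName"]
        # Users need uidNumber (and gidNumber with unix_primary_group = yes); groups need gidNumber.
        attrs = ["uidNumber", "gidNumber"] if e["objectClass"] == "user" else ["gidNumber"]
        for a in attrs:
            v = e.get(a)
            if v is None:
                findings.append("%s: missing %s" % (name, a))
            elif not lo <= int(v) <= hi:
                findings.append("%s: %s %s outside %d-%d" % (name, a, v, lo, hi))
    return findings
```

Feed it the real smb.conf and an ldapsearch dump of the users and groups you expect winbind to map; any finding is an account that getent will not show.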
Hi,

Louis, Rowland, thanks for your answers.

@Louis
All packages were installed. I changed my config file following your advice, the problem is still here.
I already followed guides from thctlo's github.

@Rowland
Yes, my dns domain was different, but it also answered to test.lan. It's now set to 'kdc=dc.foo.lab'
I have my user vincent with uidNumber 10010 and gidNumber 13010 (corresponding to Domain Users group).
Getting SID from name (wbinfo -n) and name from SID (wbinfo -s) works.
Commands with UID involved (wbinfo --sid-to-uid, wbinfo --uid-to-sid) work for my user vincent but not for the groups.

Could it be a Windows problem? Are there any changes in attributes between 2016 and 2019? (I use the evaluation version of 2019, not yet a licence)

Thanks in advance,

Vincent

On 26/04/2019 at 14:29, Rowland Penny via samba wrote:
> On Fri, 26 Apr 2019 10:39:47 +0200
> Vincent Ducot via samba <samba at lists.samba.org> wrote: