Alfonso Conner
2019-Apr-26 01:58 UTC
[Samba] Configured AD backend but getting different uid and gid
Hi, Thank you for replying. User home directory creation is working without the need to edit /etc/pam.d/common-session The logon script I mentioned here is a in-house script to handle directory mounting for file server access, and create shortcut on the account desktop for different logins. On my Linux machines, currently all is done manually by local user account creation and by adding the command lines into individual home directory ~/.bash_profile I am happy to see after joining Samba AD, domain users able to login Linux machines. However, I need to find a way to take care of the mapping after the domain user log in. Best Regards On Thu, Apr 25, 2019 at 6:48 PM Rowland Penny via samba < samba at lists.samba.org> wrote:> On Thu, 25 Apr 2019 17:53:44 +0800 > Alfonso Conner <c1581634 at gmail.com> wrote: > > > Hi, > > > > Thanks for the advice, I know these are already EOL but please bear > > with me on that. I also do use CentOS 7 and Windows 10 for further > > testing. Anyway, I found out is due to my "idmap DOMAIN : range" > > value in smb.conf was not set to the correct range. > > Yes, that would do it ;-) > > > Another thing is libnss-winbind package must make sure to be installed > > properly. > > If you want to use kerberos, you will also need libpam-krb5 > > > After these things are resolved, I managed to see the correct uid and > > gid. ;-) > > > > I have another problem and would like to know is there any > > configuration to trigger logon script when Domain User login to Linux > > Machine? My understanding if is for Windows, I can use RSAT, go to > > the User account properties-> Profile-> Logon script and put the file > > name. > > It all depends what you mean by 'logon script' ? > If you mean something to create the users home directory, then yes, add: > > session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 > > to the end of /etc/pam.d/common-session > > If this isn't what you require, then can you please explain exactly > what you do require. > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Rowland Penny
2019-Apr-26 08:16 UTC
[Samba] Configured AD backend but getting different uid and gid
On Fri, 26 Apr 2019 09:58:28 +0800 Alfonso Conner <c1581634 at gmail.com> wrote:> Hi, > > Thank you for replying. User home directory creation is working > without the need to edit /etc/pam.d/common-session > The logon script I mentioned here is a in-house script to handle > directory mounting for file server access, and create shortcut on the > account desktop for different logins. > On my Linux machines, currently all is done manually by local user > account creation and by adding the command lines into individual home > directory ~/.bash_profile > I am happy to see after joining Samba AD, domain users able to login > Linux machines. However, I need to find a way to take care of the > mapping after the domain user log in. >Back to PAM again ;-) try searching for 'pam-mount' With this you can mount directories for users as and when they login. Rowland
L.P.H. van Belle
2019-Apr-26 13:39 UTC
[Samba] Howto NFSv4 and kerberized mounts debian/ubuntu
Hai, Since im in a very good mooth today. I'll tell how I did setup NFSv4 and CIFS kerberozed mounts these days (with systemd) I saw a lot of howto's on the internet, that are not correct or just not working. .. Ps you want cifs? Change the nfs/spn to cifs and change the mounts to cifs. After that, should be almost the same. ( note, needs to be tested, i dont use it.. yet. ) Now this is tested AND in production on my Debian Jessie/Stretch and Ubuntu 18.04 servers I hope you guys can decrypt my setup. ;-) - Im assuming Samba is already setup and this is a MEMBER server. I did check if the members did have an A and PTR record in the dns. All servers have as setup base this. hostname.int.dom.tld A + PTR (+ optional CNAME, cname for example for a webserver, Use cname www to hostname and you can use the kerberized logins on the cname. And i use this part of samba to make this work with a samba AD backend configured. All users have primary group "Domain Users" and i did assigned a GID to it. smb.conf needs: (again might work with different settings also, but this is what i use and i know it does work.) kerberos method = secrets and keytab dedicated keytab file = /etc/krb5.keytab winbind refresh tickets = yes winbind use default domain = yes # i use this so dont need any translation of dom\ dom\\ to only username. idmap config AD-DOM : unix_primary_group = yes idmap config AD-DOM : unix_nss_info = yes [users] # NOTE1: direct access here, on this server, for the windows clients. browseable = yes # This path could/should be normaly /home/users, that saves a mount bind... Explained below. path = /home/samba/users read only = no acl_xattr:ignore system acl = yes I'll show my setup of NFSv4 kerberize and automounting, which is in production for 3 years now. After a lot of changes in the setup, i can now say, this as shown below, works great. On my linux servers, where i login with ssh (SSO) kerberos, i end up in the homedir /home/users/MyUserName/ And might be done a bit better, that is for later, this is working good for now. THE SETUP OF SAMBA and USERSHOMEDIR AND THE NFS SERVER.. - based on Samba member apt install samba winbind samba-dsdb-modules samba-vfs-modules krb5-user acl attr libpam-krb5 libpam-winbind libnss-winbind ldb-tools bind9utils This give everything you need for samba as member. NFS apt install nfs-kernel-server nfs4-acl-tools Edit : /etc/default/nfs-kernel-server Set NEED_SVCGSSD="yes" # create the folder with the correct user/group/rights. install -o nobody -g nogroup -m 1777 -d /exports install -o nobody -g nogroup -m 1777 -d /exports/users # This is NFSv3 and 4 compliant and supports all security options. Edit /etc/exports /exports 192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p) /exports/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p) Now, this might be a bit off. Now my real users homedir on member1 is : /home/samba/users/ ( users folders here ) But i use on ALL my server /home/users as mount point, and this is set as homedir in AD. ( unix/NIS extensions) Yes, including member1 These directories are created through ADUC, where i put the user homedir in this format. Homedir: \\servername.fqdn\users\%username% This path is set to /home/samba/users Howto configure this, use a domain join windows PC, configure the share as DOMIN\Administrator and folder rights and .. DONT TOUCH IT WITH CHMOD! EVER! If you do you risk losing your windows ACL's Any other user, outside samba-ad, is in /home as normal on linux. The mount-bind export to map /home/samba/users to /exports/users for the NFS export. The systemd mounter for it. ( ONLY on nfs server ) # /etc/systemd/system/exports-users.mount [Unit] Description=Used for NFS (/exports/users) Wants=network-online.target [Mount] What=/home/samba/users Where=/exports/users Type=none Options=bind [Install] WantedBy=multi-user.target systemctl enable export-users.mount systemctl start export-users.mount And i need the same mount bind for the homedir /home/users. Because in my UNIX extenstions i defined homedir : /home/users. The mount for the folder, we enter after login with SSH.(the homedir) # ONLY on NFS Server, the NFS client server get bit diffent set. # /etc/systemd/system/home-users.mount [Unit] Description=NFS export (/home/users) Wants=network-online.target [Mount] What=/home/samba/users Where=/home/users Type=none Options=bind [Install] WantedBy=multi-user.target # Note, above homedir setup : This can be done more easy, but when i started samba4 5 years ago, # I did not know what i know now. ;-) # you need to have the NFS SPN/UPN and root/ << this make your automounted homedir mount as user. kinit Administrator net ads keytab add root/$(hostname -f) -k net ads keytab add nfs/$(hostname -f) -k Now this added root and nfs to the LOCAL keytab file. You need to add these spns also in the AD. Which i do through ADUC, simple goto the computer object, tab Atribute editor. Lookup servicePrincipleName and add: root/fq.domname.tld nfs/fq.domname.tld Dont add the REALM not needed. NOTE ! Yes you can do this with samba-tool also, i know. There is a BUT here.. If i add with samba tool i dont get them in /etc/krb5.keytab at least not consistantly. Thats something for later on. systemctl restart nfs-server Export the nfs server settings. exportfs -rv And i always advice, to clear logs, do a reboot and check logs again. Repeat/fix untill you server is free of any error. And your NFS SERVER/ SAMBA MEMBER server is ready END OF MEMBER1 ------------------------------------------------------ MEMBER2 : Next NFS CLIENT / SAMBA MEMBER setup. The shorted version here, is the auth-only setup, you can add the rest yourself.. ;-) This setup covers ssh login and nfs(v4 krb5) automounted homedir. The client setup. smb.conf , same as above. ( execpt the netbios name ofcourse thats the HOSTNAME IN CAPS. ) # Note, this example give you server+ssh+kerberos+nfsclient and SSO login, samba shares, well, see wiki ;-) apt install winbind krb5-user acl attr libpam-krb5 libpam-winbind libnss-winbind bind9utils nfs-common nfs4-acl-tools ( Do note, for shares add : samba samba-dsdb-modules samba-vfs-modules , see the line for member1, you can use that also. ) Now same as every other member, join the domain, and start winbind. kinit Administrator net ads keytab add root/$(hostname -f) -k net ads keytab add nfs/$(hostname -f) -k Now this added root and nfs to the LOCAL keytab file. You need to add these spns also in the AD. Which i do through ADUC, simple goto the computer object, tab Atribute editor. Lookup servicePrincipleName and add: root/fq.domname.tld nfs/fq.domname.tld First i know i need the homedir to exist. mkdir /home/users I need nfs client to use kerberos. Edit /etc/default/nfs-common Set : NEED_GSSD=yes I want to be able to login (sso) on ssh. Add at the end of /etc/ssh/sshd_config # Use Dns for kerberos auth UseDNS yes # Enable kerberos GSSAPI tickets GSSAPIAuthentication yes GSSAPICleanupCredentials yes GSSAPIStrictAcceptorCheck yes GSSAPIKeyExchange yes GSSAPIStoreCredentialsOnRekey yes systemctl restart ssh Now i can login, i need the homedir. Adding the Systemd mount/automount settings. # /etc/systemd/system/home-users.mount [Unit] Description=User Homes [Mount] What=member1.your.domain.tld:/users Where=/home/users Type=nfs4 # sec options: sys krb5 krb5i krb5p Options=sec=krb5p # Auto unmount after 2.5 min. TimeoutSec=150 [Install] WantedBy=multi-user.target And the automount part. # /etc/systemd/system/home-users.automount [Unit] Description=Automount Home-Users [Automount] Where=/home/users [Install] WantedBy=multi-user.target systemctl enable home-users.automount systemctl start home-users.automount Edit /etc/default/nfs-common Set : NEED_GSSD=yes Run : pam-auth-update --force So you can login with winbind/kerberos. systemctl daemon-reload systemctl restart nfs-client Test mount. And test the mount. mount member1.your.domain.tld:/users /home/users -t nfs4 -o sec=krb5 Umount /home/users Teset automount Just: ls /home/user Do you see your users. Dont get scared if you only see : root:root as user/owner, that should be fine. IF you created the homedir from within windows. Then you see this for example. drwxrwx---+ 13 root root 4096 Sep 26 2015 username Check the "real" rights: ( which for me results in ). getfacl /home/users/username getfacl: Removing leading '/' from absolute path names # file: home/users/username # owner: username # group: root user::rwx user:root:rwx user:username:rwx group::--- group:root:--- group:BUILTIN\134administrators:rwx mask::rwx other::--- default:user::rwx default:user:root:rwx default:user:username:rwx default:group::--- default:group:root:--- default:group:BUILTIN\134administrators:rwx default:mask::rwx default:other::--- This results in a private homedir, not even accessable for user root, but it is for BUILTIN\administrators And, keep in mind that "Domain Admins" is member of "BUILTIN\Administrators" by default So this environment (/home/user) is locked out for linux admins but allows Windows Admins. Now, Clear logs, Reboot, check/fix reboot and its ready. And last few small notes. For systemd and mount/automount If you homedir base is : /home/users Then you mount is : systemctl enable home-users.(auto)mount If you homedir is : /srv/users Then you mount is : systemctl enable srv-users.(auto)mount The path MUST reflex to the service name. Multiple domains or $(ls /home/user) shows only nobody/nogroup. Then try edit : /etc/idmapd.conf Configure: Domain = internal.dom.tld Local-Realm = YOUR.REALM.TLD ( which is often you dnsdomain but in CAPS ) Good luck, questions, i'll probaly responce after the weekend, It kingsday tomorrow and then i probaly cant write or talk within a few hours.. :-/ << that reprecents me at that time i think. On it side.. Ow and know, im dislectis so i might have missed something above but, after 3x reread, i think its ok. If not, if you quick, im available for about 1 1/4 hours as of this mail hits the list. Greetz, Louis
Rowland Penny
2019-Apr-29 06:57 UTC
[Samba] Configured AD backend but getting different uid and gid
On Fri, 26 Apr 2019 09:58:28 +0800 Alfonso Conner <c1581634 at gmail.com> wrote:> Hi, > > Thank you for replying. User home directory creation is working > without the need to edit /etc/pam.d/common-sessionBeing a red-hat based OS, it is probably using something similar> The logon script I mentioned here is a in-house script to handle > directory mounting for file server access, and create shortcut on the > account desktop for different logins.This is possible, I know Louis has mentioned pam-mount, but there is also pam-script and this will probably do what you want.> On my Linux machines, currently all is done manually by local user > account creationYou don't need to and shouldn't create a local Unix user account, you just make your Domain users into Unix users by setting up smb.conf correctly.>and by adding the command lines into individual home > directory ~/.bash_profileOnce your users have logged in, ~/.bash_profile should be available.> I am happy to see after joining Samba AD, domain users able to login > Linux machines. However, I need to find a way to take care of the > mapping after the domain user log in.This is Unix, there are several ways you can do this, the problem will be finding the way that works for you ;-) Rowland
Alfonso Conner
2019-Apr-30 01:06 UTC
[Samba] Configured AD backend but getting different uid and gid
Hi, Yes. All should be good. Thank you. Regards On Mon, Apr 29, 2019 at 2:58 PM Rowland Penny via samba < samba at lists.samba.org> wrote:> On Fri, 26 Apr 2019 09:58:28 +0800 > Alfonso Conner <c1581634 at gmail.com> wrote: > > > Hi, > > > > Thank you for replying. User home directory creation is working > > without the need to edit /etc/pam.d/common-session > > Being a red-hat based OS, it is probably using something similar > > > The logon script I mentioned here is a in-house script to handle > > directory mounting for file server access, and create shortcut on the > > account desktop for different logins. > > This is possible, I know Louis has mentioned pam-mount, but there is > also pam-script and this will probably do what you want. > > > On my Linux machines, currently all is done manually by local user > > account creation > > You don't need to and shouldn't create a local Unix user account, you > just make your Domain users into Unix users by setting up smb.conf > correctly. > > >and by adding the command lines into individual home > > directory ~/.bash_profile > > Once your users have logged in, ~/.bash_profile should be available. > > > I am happy to see after joining Samba AD, domain users able to login > > Linux machines. However, I need to find a way to take care of the > > mapping after the domain user log in. > > This is Unix, there are several ways you can do this, the problem will > be finding the way that works for you ;-) > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Possibly Parallel Threads
- Configured AD backend but getting different uid and gid
- Configured AD backend but getting different uid and gid
- Configured AD backend but getting different uid and gid
- Configured AD backend but getting different uid and gid
- Configured AD backend but getting different uid and gid