Alfonso Conner
2019-Apr-26 01:58 UTC
[Samba] Configured AD backend but getting different uid and gid
Hi,

Thank you for replying. User home directory creation is working without the need to edit /etc/pam.d/common-session.

The logon script I mentioned here is an in-house script to handle directory mounting for file server access, and to create shortcuts on the account desktop for different logins.

On my Linux machines, currently all is done manually by local user account creation and by adding the command lines into the individual home directory ~/.bash_profile.

I am happy to see that after joining Samba AD, domain users are able to log in to Linux machines. However, I need to find a way to take care of the mapping after the domain user logs in.

Best Regards

On Thu, Apr 25, 2019 at 6:48 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 25 Apr 2019 17:53:44 +0800
> Alfonso Conner <c1581634 at gmail.com> wrote:
>
> > Hi,
> >
> > Thanks for the advice, I know these are already EOL but please bear
> > with me on that. I also do use CentOS 7 and Windows 10 for further
> > testing. Anyway, I found out it is due to my "idmap DOMAIN : range"
> > value in smb.conf not being set to the correct range.
>
> Yes, that would do it ;-)
>
> > Another thing is that the libnss-winbind package must be installed
> > properly.
>
> If you want to use kerberos, you will also need libpam-krb5
>
> > After these things are resolved, I managed to see the correct uid and
> > gid. ;-)
> >
> > I have another problem and would like to know if there is any
> > configuration to trigger a logon script when a Domain User logs in to a
> > Linux machine? My understanding is that for Windows, I can use RSAT, go to
> > the User account properties -> Profile -> Logon script and put the file
> > name.
>
> It all depends what you mean by 'logon script' ?
> If you mean something to create the users home directory, then yes, add:
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>
> to the end of /etc/pam.d/common-session
>
> If this isn't what you require, then can you please explain exactly
> what you do require.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
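The fix Alfonso reports above was an "idmap config DOMAIN : range" value that did not cover the ids winbind needed. The following is an added example (not code from the Samba project or from anyone in this thread) that parses the idmap lines of an smb.conf and flags the mistakes that produce inconsistent or missing uid/gid mappings: a domain with no backend or range, a malformed range, or two ranges that overlap (including the mandatory "*" default range). The smb.conf fragments and the "AD-DOM" domain name are constructed for the example; the rid_to_uid helper applies the documented idmap_rid rule (uid = low end of range + RID, unmapped if it falls outside the range).

```python
"""Sanity-check the idmap ranges in a Samba member server's smb.conf.

Added example; not Samba project code. Parses 'idmap config <DOMAIN> : <opt>'
lines and reports range problems. Sample configs below are constructed.
"""
import re
from typing import Dict, List, Tuple

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every idmap config line."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment styles
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """'10000 - 999999' -> (10000, 999999); raises ValueError if malformed."""
    parts = value.replace(" ", "").split("-")
    if len(parts) != 2:
        raise ValueError(f"range must be 'low - high', got {value!r}")
    low, high = int(parts[0]), int(parts[1])
    if low >= high:
        raise ValueError(f"range low must be below high: {value!r}")
    return low, high


def check_idmap(conf: str) -> List[str]:
    """Return human-readable problems; an empty list means the config looks sane."""
    problems: List[str] = []
    domains = parse_idmap(conf)
    if "*" not in domains:
        problems.append("no 'idmap config * : range' default allocation range")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend set")
        if "range" not in opts:
            problems.append(f"{dom}: no range set (winbind will not map this domain's users)")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as e:
            problems.append(f"{dom}: {e}")
    # Overlapping ranges mean the same uid/gid can be handed out for two identities.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                problems.append(f"{a} range {al}-{ah} overlaps {b} range {bl}-{bh}")
    return problems


def rid_to_uid(conf: str, domain: str, rid: int):
    """idmap_rid rule: uid = range low + RID; a RID landing outside the range is
    not mapped at all (returns None)."""
    opts = parse_idmap(conf).get(domain.upper(), {})
    if opts.get("backend", "").lower() != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    low, high = parse_range(opts["range"])
    uid = low + rid
    return uid if uid <= high else None


# Constructed sample: the '*' default range collides with the domain range.
BAD_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config AD-DOM : backend = rid
   idmap config AD-DOM : range = 5000-99999
"""

# Constructed sample: disjoint ranges, as a working member server has.
GOOD_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config AD-DOM : backend = rid
   idmap config AD-DOM : range = 10000-999999
"""

if __name__ == "__main__":
    for name, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(name, check_idmap(conf) or "OK")
    print("RID 1104 maps to uid", rid_to_uid(GOOD_CONF, "AD-DOM", 1104))
```

Run it against a real smb.conf by passing the file contents to check_idmap; a clean result on every member server, with identical domain ranges on all of them, is what makes the rid-derived uid the same on every host.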
Rowland Penny
2019-Apr-26 08:16 UTC
[Samba] Configured AD backend but getting different uid and gid
On Fri, 26 Apr 2019 09:58:28 +0800 Alfonso Conner <c1581634 at gmail.com> wrote:
> Hi,
>
> Thank you for replying. User home directory creation is working
> without the need to edit /etc/pam.d/common-session
> The logon script I mentioned here is an in-house script to handle
> directory mounting for file server access, and create shortcut on the
> account desktop for different logins.
> On my Linux machines, currently all is done manually by local user
> account creation and by adding the command lines into individual home
> directory ~/.bash_profile
> I am happy to see after joining Samba AD, domain users able to login
> Linux machines. However, I need to find a way to take care of the
> mapping after the domain user log in.

Back to PAM again ;-) try searching for 'pam-mount'. With this you can mount directories for users as and when they login.

Rowland
L.P.H. van Belle
2019-Apr-26 13:39 UTC
[Samba] Howto NFSv4 and kerberized mounts debian/ubuntu
Hai,

Since I'm in a very good mood today,
I'll tell how I did set up NFSv4 and CIFS kerberized mounts these days (with systemd).
I saw a lot of howtos on the internet that are not correct or just not working.

.. PS: you want CIFS? Change the nfs/ SPN to cifs/ and change the mounts to cifs.
After that, it should be almost the same. (Note, needs to be tested, I don't use it.. yet.)

Now this is tested AND in production on my Debian Jessie/Stretch and Ubuntu 18.04 servers.
I hope you guys can decrypt my setup. ;-)

- I'm assuming Samba is already set up and this is a MEMBER server.
I did check if the members did have an A and PTR record in the DNS.
All servers have this as setup base:
hostname.int.dom.tld A + PTR (+ optional CNAME, a CNAME for example for a webserver;
use CNAME www to hostname and you can use the kerberized logins on the CNAME.)

And I use this part of samba to make this work with a samba AD backend configured.
All users have primary group "Domain Users" and I did assign a GID to it.

smb.conf needs: (again, might work with different settings also, but this is what I use and I know it does work.)
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind refresh tickets = yes
# i use this so i don't need any translation of dom\ dom\\ to only username.
winbind use default domain = yes
idmap config AD-DOM : unix_primary_group = yes
idmap config AD-DOM : unix_nss_info = yes
[users]
# NOTE1: direct access here, on this server, for the windows clients.
browseable = yes
# This path could/should normally be /home/users, that saves a mount bind...
# Explained below.
path = /home/samba/users
read only = no
acl_xattr:ignore system acl = yes
I'll show my setup of NFSv4 kerberized and automounting, which is in production for 3 years now.
After a lot of changes in the setup, I can now say this, as shown below, works great.
On my linux servers, where I log in with ssh (SSO) kerberos, I end up in the homedir /home/users/MyUserName/
And it might be done a bit better, that is for later; this is working well for now.
THE SETUP OF SAMBA and USERS HOMEDIR AND THE NFS SERVER..
- based on Samba member
apt install samba winbind samba-dsdb-modules samba-vfs-modules krb5-user acl attr libpam-krb5 libpam-winbind libnss-winbind ldb-tools bind9utils
This gives everything you need for samba as member.
NFS
apt install nfs-kernel-server nfs4-acl-tools
Edit : /etc/default/nfs-kernel-server
Set NEED_SVCGSSD="yes"
# create the folder with the correct user/group/rights.
install -o nobody -g nogroup -m 1777 -d /exports
install -o nobody -g nogroup -m 1777 -d /exports/users
# This is NFSv3 and 4 compliant and supports all security options.
Edit /etc/exports
/exports
192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
/exports/users
192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
Now, this might be a bit off.
Now my real users homedir on member1 is: /home/samba/users/ (users folders here)
But I use on ALL my servers /home/users as mount point, and this is set as homedir in AD (unix/NIS extensions).
Yes, including member1.
These directories are created through ADUC, where I put the user homedir in this format:
Homedir: \\servername.fqdn\users\%username%
This path is set to /home/samba/users
How to configure this: use a domain joined windows PC, configure the share as DOMAIN\Administrator and folder rights and ..
DON'T TOUCH IT WITH CHMOD! EVER! If you do, you risk losing your windows ACLs.
Any other user, outside samba-ad, is in /home as normal on linux.

The mount-bind export to map /home/samba/users to /exports/users for the NFS export.
The systemd mounter for it. (ONLY on the nfs server)
# /etc/systemd/system/exports-users.mount
[Unit]
Description=Used for NFS (/exports/users)
Wants=network-online.target
[Mount]
What=/home/samba/users
Where=/exports/users
Type=none
Options=bind
[Install]
WantedBy=multi-user.target
systemctl enable exports-users.mount
systemctl start exports-users.mount
And I need the same mount bind for the homedir /home/users, because in my UNIX extensions I defined homedir: /home/users.
The mount for the folder we enter after login with SSH (the homedir).
# ONLY on the NFS server; the NFS client servers get a slightly different setup.
# /etc/systemd/system/home-users.mount
[Unit]
Description=NFS export (/home/users)
Wants=network-online.target
[Mount]
What=/home/samba/users
Where=/home/users
Type=none
Options=bind
[Install]
WantedBy=multi-user.target
# Note, above homedir setup: this can be done more easily, but when I started samba4 5 years ago,
# I did not know what I know now. ;-)
# You need to have the NFS SPN/UPN and root/ << this makes your automounted homedir mount as user.
kinit Administrator
net ads keytab add root/$(hostname -f) -k
net ads keytab add nfs/$(hostname -f) -k
Now this added root and nfs to the LOCAL keytab file.
You need to add these SPNs also in the AD,
which I do through ADUC: simply go to the computer object, tab Attribute Editor.
Look up servicePrincipalName and add:
root/fq.domname.tld
nfs/fq.domname.tld
Don't add the REALM, not needed.
NOTE! Yes, you can do this with samba-tool also, I know.
There is a BUT here.. If I add with samba-tool I don't get them in /etc/krb5.keytab, at least not consistently.
That's something for later on.
systemctl restart nfs-server
Export the nfs server settings.
exportfs -rv
And I always advise to clear logs, do a reboot and check logs again.
Repeat/fix until your server is free of any error.
And your NFS SERVER / SAMBA MEMBER server is ready.
END OF MEMBER1
------------------------------------------------------
MEMBER2 : Next NFS CLIENT / SAMBA MEMBER setup.
The shortened version here is the auth-only setup, you can add the rest yourself.. ;-)
This setup covers ssh login and nfs(v4 krb5) automounted homedir.

The client setup.
smb.conf, same as above. (except the netbios name of course, that's the HOSTNAME IN CAPS.)
# Note, this example gives you server+ssh+kerberos+nfsclient and SSO login; samba shares, well, see wiki ;-)
apt install winbind krb5-user acl attr libpam-krb5 libpam-winbind libnss-winbind bind9utils nfs-common nfs4-acl-tools
(Do note, for shares add: samba samba-dsdb-modules samba-vfs-modules, see the line for member1, you can use that also.)
Now same as every other member, join the domain, and start winbind.
kinit Administrator
net ads keytab add root/$(hostname -f) -k
net ads keytab add nfs/$(hostname -f) -k
Now this added root and nfs to the LOCAL keytab file.
You need to add these SPNs also in the AD,
which I do through ADUC: simply go to the computer object, tab Attribute Editor.
Look up servicePrincipalName and add:
root/fq.domname.tld
nfs/fq.domname.tld

First, I know I need the homedir to exist.
mkdir /home/users
I need the nfs client to use kerberos.
Edit /etc/default/nfs-common
Set: NEED_GSSD=yes
I want to be able to log in (SSO) on ssh.
Add at the end of /etc/ssh/sshd_config
# Use Dns for kerberos auth
UseDNS yes
# Enable kerberos GSSAPI tickets
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes
systemctl restart ssh
Now I can log in, I need the homedir.
Adding the systemd mount/automount settings.
# /etc/systemd/system/home-users.mount
[Unit]
Description=User Homes
[Mount]
What=member1.your.domain.tld:/users
Where=/home/users
Type=nfs4
# sec options: sys krb5 krb5i krb5p
Options=sec=krb5p
# Auto unmount after 2.5 min.
TimeoutSec=150
[Install]
WantedBy=multi-user.target
And the automount part.
# /etc/systemd/system/home-users.automount
[Unit]
Description=Automount Home-Users
[Automount]
Where=/home/users
[Install]
WantedBy=multi-user.target
systemctl enable home-users.automount
systemctl start home-users.automount
Run: pam-auth-update --force
so you can log in with winbind/kerberos.
systemctl daemon-reload
systemctl restart nfs-client.target
And test the mount.
mount member1.your.domain.tld:/users /home/users -t nfs4 -o sec=krb5
umount /home/users
Test automount
Just: ls /home/users
Do you see your users?
Don't get scared if you only see root:root as user/owner, that should be fine,
IF you created the homedir from within windows.
Then you see this, for example:
drwxrwx---+ 13 root root 4096 Sep 26 2015 username
Check the "real" rights: ( which for me results in ).
getfacl /home/users/username
getfacl: Removing leading '/' from absolute path names
# file: home/users/username
# owner: username
# group: root
user::rwx
user:root:rwx
user:username:rwx
group::---
group:root:---
group:BUILTIN\134administrators:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:username:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\134administrators:rwx
default:mask::rwx
default:other::---
This results in a private homedir, not even accessible for user root, but it is for BUILTIN\administrators.
And keep in mind that "Domain Admins" is a member of "BUILTIN\Administrators" by default.
So this environment (/home/users) is locked out for linux admins but allows Windows Admins.

Now, clear logs, reboot, check/fix, reboot and it's ready.

And last few small notes.
For systemd and mount/automount:
If your homedir base is: /home/users
then your mount is: systemctl enable home-users.(auto)mount
If your homedir is: /srv/users
then your mount is: systemctl enable srv-users.(auto)mount
The path MUST reflect the service name.

Multiple domains, or $(ls /home/users) shows only nobody/nogroup?
Then try editing /etc/idmapd.conf
Configure:
Domain = internal.dom.tld
Local-Realm = YOUR.REALM.TLD
(which is often your dnsdomain but in CAPS)

Good luck, questions, I'll probably respond after the weekend.
It's Kingsday tomorrow and then I probably can't write or talk within a few hours..
:-/ << that represents me at that time I think. On its side..
Oh and know, I'm dyslectic so I might have missed something above but, after 3x reread, I think it's ok.
If not, if you're quick, I'm available for about 1 1/4 hours as of when this mail hits the list.

Greetz,

Louis
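Louis's closing note, that the systemd unit file name MUST reflect the mount path, is where the member1 and member2 units above are easiest to get wrong (a file named export-users.mount will never serve /exports/users). The following is an added example, not code from Louis's post, from systemd or from Samba: it implements the path escaping that systemd-escape --path performs (leading and trailing slashes dropped, "/" becomes "-", a leading "." and any "-", "\" or other unsafe character becomes \xHH), renders a kerberized NFSv4 .mount plus its .automount from that name, and checks that an existing unit's Where= agrees with its file name. It generalises beyond the two paths in the post to any mount point. The server and export names are placeholders, and the sec option list is the one from the exports line above.

```python
"""Derive systemd mount/automount unit names from a path and render the units.

Added example (not from the thread, systemd or Samba). Server/export names
are placeholders; escape_path follows the documented systemd-escape --path rules.
"""
import re
from typing import Dict

# Characters systemd keeps verbatim in a unit name; everything else is \xHH.
SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789:_.")


def escape_path(path: str) -> str:
    """Return the unit-name stem for a filesystem path, as systemd-escape --path does."""
    trimmed = re.sub(r"/+", "/", path).strip("/")  # collapse "//", drop outer "/"
    if trimmed == "":
        return "-"  # the root directory is just "-"
    out = []
    for i, ch in enumerate(trimmed):
        if ch == "/":
            out.append("-")
        elif ch in SAFE and not (i == 0 and ch == "."):
            out.append(ch)
        else:
            out.append("\\x%02x" % ord(ch))  # "-" itself becomes \x2d
    return "".join(out)


def unit_names(where: str) -> Dict[str, str]:
    """File names for the .mount and .automount units serving 'where'."""
    stem = escape_path(where)
    return {"mount": stem + ".mount", "automount": stem + ".automount"}


def render_nfs_units(where: str, server: str, export: str,
                     sec: str = "krb5p", idle_secs: int = 150) -> Dict[str, str]:
    """Return {filename: contents} for a kerberized NFSv4 mount and its automount."""
    if sec not in ("sys", "krb5", "krb5i", "krb5p"):
        raise ValueError("sec must be one of sys, krb5, krb5i, krb5p")
    names = unit_names(where)
    mount = f"""[Unit]
Description=NFSv4 home directories ({where})

[Mount]
What={server}:{export}
Where={where}
Type=nfs4
Options=sec={sec}
TimeoutSec={idle_secs}

[Install]
WantedBy=multi-user.target
"""
    automount = f"""[Unit]
Description=Automount {where}

[Automount]
Where={where}

[Install]
WantedBy=multi-user.target
"""
    return {names["mount"]: mount, names["automount"]: automount}


def where_matches_name(filename: str, contents: str) -> bool:
    """True if the unit file's Where= line escapes to the file's own stem."""
    stem = filename.rsplit(".", 1)[0]
    for line in contents.splitlines():
        if line.startswith("Where="):
            return escape_path(line[len("Where="):].strip()) == stem
    return False


if __name__ == "__main__":
    units = render_nfs_units("/home/users", "member1.your.domain.tld", "/users")
    for name, body in units.items():
        print(f"# /etc/systemd/system/{name}\n{body}")
    # The typo from the member1 section: unit name does not match its Where=.
    print(where_matches_name("export-users.mount", units["home-users.mount"]))
```

Write the two rendered files into /etc/systemd/system, run systemctl daemon-reload, then enable and start the .automount unit only, as the post does; systemd starts the matching .mount on first access.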
Rowland Penny
2019-Apr-29 06:57 UTC
[Samba] Configured AD backend but getting different uid and gid
On Fri, 26 Apr 2019 09:58:28 +0800 Alfonso Conner <c1581634 at gmail.com> wrote:
> Hi,
>
> Thank you for replying. User home directory creation is working
> without the need to edit /etc/pam.d/common-session

Being a red-hat based OS, it is probably using something similar

> The logon script I mentioned here is an in-house script to handle
> directory mounting for file server access, and create shortcut on the
> account desktop for different logins.

This is possible, I know Louis has mentioned pam-mount, but there is also pam-script and this will probably do what you want.

> On my Linux machines, currently all is done manually by local user
> account creation

You don't need to and shouldn't create a local Unix user account, you just make your Domain users into Unix users by setting up smb.conf correctly.

> and by adding the command lines into individual home
> directory ~/.bash_profile

Once your users have logged in, ~/.bash_profile should be available.

> I am happy to see after joining Samba AD, domain users able to login
> Linux machines. However, I need to find a way to take care of the
> mapping after the domain user log in.

This is Unix, there are several ways you can do this, the problem will be finding the way that works for you ;-)

Rowland
Alfonso Conner
2019-Apr-30 01:06 UTC
[Samba] Configured AD backend but getting different uid and gid
Hi,

Yes. All should be good. Thank you.

Regards

On Mon, Apr 29, 2019 at 2:58 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 26 Apr 2019 09:58:28 +0800
> Alfonso Conner <c1581634 at gmail.com> wrote:
>
> > Hi,
> >
> > Thank you for replying. User home directory creation is working
> > without the need to edit /etc/pam.d/common-session
>
> Being a red-hat based OS, it is probably using something similar
>
> > The logon script I mentioned here is an in-house script to handle
> > directory mounting for file server access, and create shortcut on the
> > account desktop for different logins.
>
> This is possible, I know Louis has mentioned pam-mount, but there is
> also pam-script and this will probably do what you want.
>
> > On my Linux machines, currently all is done manually by local user
> > account creation
>
> You don't need to and shouldn't create a local Unix user account, you
> just make your Domain users into Unix users by setting up smb.conf
> correctly.
>
> > and by adding the command lines into individual home
> > directory ~/.bash_profile
>
> Once your users have logged in, ~/.bash_profile should be available.
>
> > I am happy to see after joining Samba AD, domain users able to login
> > Linux machines. However, I need to find a way to take care of the
> > mapping after the domain user log in.
>
> This is Unix, there are several ways you can do this, the problem will
> be finding the way that works for you ;-)
>
> Rowland