samba - Jun 2019 - Fwd: Re: Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication

Is it possible to make start DOMAIN range from 500 instead of 10000 ?

I realized that all my gid are in range 500 to 600 and not in range 
10000 - 14999
I thought? DOMAIN range 10000 - 14999 was reserved for DOMAIN users



-------- Message transf?r? --------
Sujet?: 	Re: [Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
Date?: 	Tue, 18 Jun 2019 16:25:39 -0300
De?: 	Edouard Guign? via samba <samba at lists.samba.org>
R?pondre ??: 	Edouard Guign? <eguigne at pasteur-cayenne.fr>
Pour?: 	samba at lists.samba.org



And What about Domain Admins gid ? Should also be in the DOMAIN range ?

Le 18/06/2019 ? 16:07, Rowland penny via samba a ?crit?:
> On 18/06/2019 19:49, Edouard Guign? via samba wrote:
>> ?gidNumber for 'Domain Users' is 513
>>
>> not in range? '10000-14999' of uidNumber
>>
>> Is it a problem ?
>
> Oh yes, ALL user uidNumber's and Domain Users gidNumber MUST be inside 
> the DOMAIN range you set in smb.conf, if they aren't, all your users 
> WILL be ignored by Samba.
>
> Find the next available gidNumber in AD and change the 'Domain
User'
> gidNumber to this and I am very sure everything will then work.
>
> Rowland
>
>
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On 18/06/2019 20:41, Edouard Guign? via samba wrote:
> Is it possible to make start DOMAIN range from 500 instead of 10000 ?
Classicupgrade ?
>
> I realized that all my gid are in range 500 to 600 and not in range 
> 10000 - 14999
Looks like you are going to have to use 500 for your lower DOMAIN range 
start, but this will mean that you will not be able to have any local 
Unix users and could have problems with potential local system users or 
groups if their Unix ID is 500 or above.
> I thought? DOMAIN range 10000 - 14999 was reserved for DOMAIN users
No, you can use the same range for groups and users, the user with ID 
'10000' will never be mistaken for the group with the ID '10000'

Have you read these Samba wiki pages:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

https://wiki.samba.org/index.php/Idmap_config_ad

Rowland

Hello,

I performed a test in order to get access to my samba share with 
winbindd (and not sssd).

For that,

1. I change the gid of domain users from 513 to 15513 (to match with the 
domain range 10000 - 14999)
And verify my test user is part of 15513

2. Stop sssd and change nsswitch.conf like this :
/passwd:???? files winbind//
//shadow:???? files//
//group:????? files //winbind//
/

3. Restart winbindd and smb, with # net cache flush

Unfortunatly, I still cannot mount the share on my win7 test workstation.

In log, I found :
myw7worstation.log
/2019/06/19 11:15:15.806577,? 1] 
../source3/smbd/service.c:521(make_connection_snum)//
//? create_connection_session_info failed: NT_STATUS_ACCESS_DENIED//
//[2019/06/19 11:15:25.288729,? 1] 
../source3/smbd/service.c:521(make_connection_snum)//
//? create_connection_session_info failed: NT_STATUS_ACCESS_DENIED//
//[2019/06/19 11:17:04.348099,? 1] 
../source3/smbd/service.c:521(make_connection_snum)//
//? create_connection_session_info failed: NT_STATUS_ACCESS_DENIED/

log.winbindd-idmap
/[2019/06/18 14:43:16.926952,? 1] 
../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)//
//? tdb(/var/lib/samba/winbindd_idmap.tdb): tdb_transaction_commit: 
transaction error pending//
//[2019/06/18 14:43:16.926982,? 1] 
../source3/winbindd/idmap_tdb_common.c:138(idmap_tdb_common_allocate_id)//
//? Error allocating a new GID//
//[2019/06/18 14:43:16.927123,? 1] 
../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)//
//? tdb(/var/lib/samba/winbindd_idmap.tdb): tdb_transaction_commit: 
transaction error pending//
//[2019/06/18 14:43:16.927140,? 1] 
../source3/winbindd/idmap_tdb_common.c:138(idmap_tdb_common_allocate_id)//
//? Error allocating a new GID//
//[2019/06/18 14:46:23.754692,? 0] 
../source3/winbindd/winbindd.c:239(winbindd_sig_term_handler)/

 From my win7 test workstation, The samba share is mounted with a script 
at logon, with the "net use" command, the command does not work

and when I try to mount the share manually (same syntax than the one in 
the logon script), I get :
net use S: \\mysambaserver\groups /user:MYDOMAIN\usertest
"invalid password for \\mysambaserver\groups"

(I am sure of the password)

What could be wrong ?
In my smb.cnf, I set valid users = @"utilisateurs du domaine at
MYDOMAIN.LOCAL"
Can be the reason ?

Edouard

Le 18/06/2019 ? 17:06, Rowland penny via samba a ?crit?:
> On 18/06/2019 20:41, Edouard Guign? via samba wrote:
>> Is it possible to make start DOMAIN range from 500 instead of 10000 ?
> Classicupgrade ?
>>
>> I realized that all my gid are in range 500 to 600 and not in range 
>> 10000 - 14999
> Looks like you are going to have to use 500 for your lower DOMAIN 
> range start, but this will mean that you will not be able to have any 
> local Unix users and could have problems with potential local system 
> users or groups if their Unix ID is 500 or above.
>
>> I thought? DOMAIN range 10000 - 14999 was reserved for DOMAIN users
>
> No, you can use the same range for groups and users, the user with ID 
> '10000' will never be mistaken for the group with the ID
'10000'
>
> Have you read these Samba wiki pages:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> https://wiki.samba.org/index.php/Idmap_config_ad
>
> Rowland
>