Hello,
I am facing 2 issues now.
The first one is the most critical for me...
1. When I switch from sssd to winbind with:
# authconfig --enablekrb5 --enablewinbind --enablewinbindauth --enablemkhomedir --update
my sftp access did not work. Does it change the way to pass the login?
I used to connect in sftp with userlogin / userpassword.
/var/log/secure:
Jun 21 11:08:31 [localhost] sshd[17379]: Invalid user sftpuser from x.x.x.x port 50187
Jun 21 11:08:31 [localhost] sshd[17379]: input_userauth_request: invalid user sftpuser [preauth]
Jun 21 11:08:31 [localhost] sshd[17379]: pam_unix(sshd:auth): check pass; user unknown
Jun 21 11:08:31 [localhost] sshd[17379]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost.mydomain.fr
Jun 21 11:08:32 [localhost] sshd[17379]: Failed password for invalid user sftpusert from x.x.x.x port 50187 ssh2
Do I need now to pass MYDOMAIN\userlogin / userpassword or something like that?
How can I check the correct syntax?
I would like to use userlogin / userpassword for sftp access.
2. Concerning the samba share:
I set permissions for the share "groups" located on /var/datashared for "domain admins" (rwx) and "domain users" (r-x).
/var]# getfacl datashared/
# file: datashared/
# owner: root
# group: root
user::rwx
group::r-x
group:MYDOMAIN\134admins\040du\040domaine:rwx
group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:mask::rwx
default:other::---

+ # chmod 0770 /var/datashared/
As you can see, ACLs for "Domain users" are not in the default ACLs.
I create a TESTIT folder (in /var/datashared); the owner of it is user "MYDOMAIN\mydomainadmin".
"mydomainadmin" is part of the "domain admins" group.
# getfacl TESTIT
# file: TESTIT
# owner: MYDOMAIN\mydomainadmin
# group: MYDOMAIN\134admins\040du\040domaine
user::rwx
group::r-x
group:MYDOMAIN\134admins\040du\040domaine:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:mask::rwx
default:other::---
I connect as mydomainadmin on Windows 7 and start to change ACLs: I remove "everybody" and add the group "informatique" with "total control" in the security tab of TESTIT.
On Linux, it shows:
# getfacl TESTIT
# file: TESTIT
# owner: MYDOMAIN\mydomainadmin
# group: MYDOMAIN\134admins\040du\040domaine
user::rwx
user:MYDOMAIN\mydomainadmin:rwx
group::rwx
group:MYDOMAIN\134admins\040du\040domaine:rwx
group:MYDOMAIN\134informatique:rwx
mask::rwx
other::---
default:user::rwx
default:user:MYDOMAIN\mydomainadmin:rwx
default:group::r-x
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:group:MYDOMAIN\134informatique:rwx
default:mask::rwx
default:other::---
Now, I log on in Windows 7 as usertest (primary group is "Domain users" and is part of the group "informatique").
I create a folder TEST in TESTIT and a file test.txt in TESTIT.
I get these ACLs on the TEST folder:
# getfacl TEST
# file: TEST
# owner: MYDOMAIN\usertest
# group: MYDOMAIN\134utilisateurs\040du\040domaine
user::rwx
user:MYDOMAIN\usertest:rwx
group::r-x
group:MYDOMAIN\134admins\040du\040domaine:rwx
group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
group:MYDOMAIN\134informatique:rwx
mask::rwx
other::---
default:user::rwx
default:user:MYDOMAIN\usertest:rwx
default:group::r-x
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
default:group:MYDOMAIN\134informatique:rwx
default:mask::rwx
default:other::---
Why are "group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x" and "default:group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x" added?
I expected not to get these ACLs concerning "domain users", since the folder TESTIT has no default "Domain users" ACLs.
I don't want them...
Is there a way to remove this?
Thank you for all your help,
Edouard
On 20/06/2019 at 14:16, Edouard Guigné via samba wrote:
> This way is so easier...
>
> Thank you Rowland
>
> On 20/06/2019 at 14:01, Rowland penny via samba wrote:
>> On 20/06/2019 17:54, Edouard Guign? via samba wrote:
>>> My idea is to replace the default "cifs_idmap_sss.so" plugin by the
>>> "idmapwb.so" winbind plugin, so that SSSD becomes a client of winbind.
>>> To avoid changing nsswitch.conf:
>>> passwd:     files sss
>>> shadow:     files sss
>>> group:      files sss
>>>
>>> into
>>>
>>> passwd:     files winbind
>>> shadow:     files winbind
>>> group:      files winbind
>>>
>>> because I need an other access in sftp, this is using default sssd.
>>>
>>> I tried mixed configurations like:
>>> passwd:     files sss winbind (or files winbind sss)
>>> shadow:     files sss winbind (or files winbind sss)
>>> group:      files sss winbind (or files winbind sss)
>>>
>>> which gave poor results: very slow access to the share, especially
>>> when clicking on the security tab on Windows 7.
>>>
>>>
>>> On 20/06/2019 at 13:32, Rowland penny via samba wrote:
>>>> On 20/06/2019 17:19, Edouard Guign? via samba wrote:
>>>>> Hello,
>>>>>
>>>>> I am reading RHEL 7 docs concerning samba integration, and I found
>>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index#winbind
>>>>>
>>>>> "4.2.4. Switching Between SSSD and Winbind for SMB Share Access
>>>>> This procedure describes how you can switch between SSSD and
>>>>> Winbind plug-ins that are used for accessing SMB shares from SSSD
>>>>> clients."
>>>>>
>>>>> Who is responsible for the development of the "Winbind plug-in"
>>>>> used for accessing SMB shares from SSSD clients?
>>>>> Samba team or RHEL SSSD team?
>>
>> Make sure smb.conf is set up correctly
>>
>> authconfig --enablekrb5 --enablewinbind --enablewinbindauth
>> --enablemkhomedir --update
>>
>> Check that the passwd, group and shadow lines in /etc/nsswitch.conf
>> look like this:
>>
>> passwd:     files winbind
>> group:      files winbind
>>
>> shadow:     files
>>
>> yum remove sssd*
>>
>> You should be good to go
>>
>>
>
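Added example, not part of the thread above and not Samba's or SSSD's code: a small Python script that parses getfacl output like the listings in the message, decodes getfacl's octal escapes (\134 is a backslash and \040 a space, which is why the winbind groups print as MYDOMAIN\134admins\040du\040domaine), and compares a child's access ACL with its parent's default ACL. Plain POSIX default-ACL inheritance copies the parent's named default entries unchanged into a new directory's access ACL, so the script can tell which named entries could have come from the filesystem and which were written by whatever created or later edited the object; it also reports whether each unexpected entry simply names the child's owner or owning group. The two listings embedded below are constructed from the TESTIT and TEST getfacl output in the message, with the mail-client markup removed and names escaped the way getfacl prints them; the function names are this example's own.

```python
r"""Parse getfacl(1) listings and check POSIX default-ACL inheritance.

getfacl escapes special characters in names as \ooo octal: \134 is a backslash
and \040 a space, so MYDOMAIN\admins du domaine prints as
MYDOMAIN\134admins\040du\040domaine.
"""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str]  # (tag, qualifier, perms)
_OCTAL = re.compile(r"\\([0-7]{3})")

def unescape(name: str) -> str:
    """Decode getfacl's octal escapes back into the real user/group name."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text: str) -> Dict[str, List[Entry]]:
    """Split one listing into access and default entries; '# ...' headers are skipped."""
    acl: Dict[str, List[Entry]] = {"access": [], "default": []}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        kind = "default" if line.startswith("default:") else "access"
        tag, qualifier, perms = line[8 if kind == "default" else 0:].split(":", 2)
        perms = perms.split("#", 1)[0].strip()  # drop "#effective:..." comments
        acl[kind].append((tag, unescape(qualifier).strip(), perms))
    return acl

def header(text: str, field: str) -> str:
    """Decoded value of the '# owner:' or '# group:' header line ('' if absent)."""
    m = re.search(rf"^# {field}:\s*(.+)$", text, re.MULTILINE)
    return unescape(m.group(1).strip()) if m else ""

def compare_inheritance(parent: str, child: str) -> Dict[str, List[Entry]]:
    """Classify the child's named access entries against the parent's default ACL.

    POSIX.1e inheritance copies the parent's named default entries unchanged into
    a new directory's access ACL, so anything "added" or "dropped" was written by
    whatever created or later modified the object, not by the filesystem.
    """
    expected = {e for e in parse_getfacl(parent)["default"] if e[1]}
    actual = {e for e in parse_getfacl(child)["access"] if e[1]}
    return {"inherited": sorted(actual & expected),
            "added": sorted(actual - expected),
            "dropped": sorted(expected - actual)}

def explain_added(child: str, added: List[Entry]) -> List[str]:
    """Flag unexpected entries that simply name the child's owner or owning group."""
    owner, group = header(child, "owner"), header(child, "group")
    notes = []
    for tag, qualifier, perms in added:
        if tag == "user" and qualifier == owner:
            why = "names the child's owner"
        elif tag == "group" and qualifier == group:
            why = "names the child's owning group (the creator's primary group)"
        else:
            why = "not explained by owner or owning group"
        notes.append(f"{tag}:{qualifier}:{perms} -> {why}")
    return notes

# Constructed sample input, reconstructed from the TESTIT and TEST listings above.
TESTIT_LISTING = r"""
# file: TESTIT
# owner: MYDOMAIN\134mydomainadmin
# group: MYDOMAIN\134admins\040du\040domaine
user::rwx
user:MYDOMAIN\134mydomainadmin:rwx
group::rwx
group:MYDOMAIN\134admins\040du\040domaine:rwx
group:MYDOMAIN\134informatique:rwx
mask::rwx
other::---
default:user::rwx
default:user:MYDOMAIN\134mydomainadmin:rwx
default:group::r-x
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:group:MYDOMAIN\134informatique:rwx
default:mask::rwx
default:other::---
"""

TEST_LISTING = r"""
# file: TEST
# owner: MYDOMAIN\134usertest
# group: MYDOMAIN\134utilisateurs\040du\040domaine
user::rwx
user:MYDOMAIN\134usertest:rwx
group::r-x
group:MYDOMAIN\134admins\040du\040domaine:rwx
group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
group:MYDOMAIN\134informatique:rwx
mask::rwx
other::---
default:user::rwx
default:user:MYDOMAIN\134usertest:rwx
default:group::r-x
default:group:MYDOMAIN\134admins\040du\040domaine:rwx
default:group:MYDOMAIN\134utilisateurs\040du\040domaine:r-x
default:group:MYDOMAIN\134informatique:rwx
default:mask::rwx
default:other::---
"""

if __name__ == "__main__":
    res = compare_inheritance(TESTIT_LISTING, TEST_LISTING)
    print(res, *explain_added(TEST_LISTING, res["added"]), sep="\n")
```

Run against the constructed listings, the "admins du domaine" and "informatique" entries on TEST are the ones TESTIT's default ACL would have produced; the "utilisateurs du domaine" entry is not in TESTIT's defaults and names TEST's owning group, while the default user entry for mydomainadmin is missing. In other words, the extra entries on TEST did not arrive through POSIX default-ACL inheritance, so setfacl on TESTIT alone is not where to look; check how the SMB-side ACL mapping writes the creating user's owner and primary-group entries instead. To use the tool on a live share, feed it `getfacl` output captured from the parent and child directories.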