I am setting up a CentOS 7 system as a file server within an AD domain, following the following Red Hat documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers Here is some information that likely complicates things: - we have a number of users and groups with sub-1000 uid or gid numbers which can't easily be addressed - the system is integrated into a OpenLDAP service but UNIX attributes are replicated to AD from OpenLDAP so uid and gid values match across all users and groups - the system's samba shares are themselves NFS-mounted from a ZFS file server -------------------------------------------------------------------------------- Thus far I've done the following: 1. installed packages - realmd oddjob-mkhomedir oddjob samba-winbind-clients samba-winbind samba-common-tools samba samba-winbind-krb5-locator 2. joined the AD domain with "realm join" and the --automatic-id-mapping=no option, as we wish to use uidNumber and gidNumber attributes we've added to users and groups in AD 3. at this point I attempted to query AD records but couldn't, so I updated /etc/krb5.conf to set the default realm and to add the "dns_lookup_kdc true" option, which allowed me to kinit successfully but still not see records 4. I added the following two idmap configuration options to /etc/samba/smb.conf and was then able to retrieve user and group records from AD, but the group members aren't included: idmap config BSOE : unix_nss_info = yes idmap config BSOE : unix_primary_group = yes # getent passwd BSOE\\eshell BSOE\eshell:*:3392:325::/soe/eshell:/bin/bash # getent group "BSOE\\staff-group" BSOE\staff-group:x:552: 5. I've found that querying some groups returns no information, perhaps because of low gidNumber values (BSOE\staff-group has gidNumber 552): # getent group "BSOE\\staff-group" # 6. I tried changing the idmap config range from 500-999999 to 100-999999 but it doesn't seem to affect these queries. -------------------------------------------------------------------------------- Some things appear to be working properly. I can "su - BSOE\\eshell" and I am able to mount and access the NFS directories appropriately. "id eshell" and "id BSOE\\eshell" return the same information. I can also successfully authenticate to samba with my AD account, but then I am told that there are no available shares. I'm guessing that this is related to the NSS group issues I'm having. Why can't I see the members of some groups? How do I debug this behavior? Why isn't samba able to mount the NFS shares after a user has authenticated when I can do so in a shell by becoming that user on the samba host? Thanks in advance for any help you can provide.
On 09/07/2019 18:38, Eric Shell via samba wrote:> I am setting up a CentOS 7 system as a file server within an AD domain, > following the following Red Hat documentation: > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers > > Here is some information that likely complicates things: > > - we have a number of users and groups with sub-1000 uid or gid numbers > which can't easily be addressed > - the system is integrated into a OpenLDAP service but UNIX attributes are > replicated to AD from OpenLDAP so uid and gid values match across all users > and groups > - the system's samba shares are themselves NFS-mounted from a ZFS file > server > > -------------------------------------------------------------------------------- > > Thus far I've done the following: > > 1. installed packages - realmd oddjob-mkhomedir oddjob > samba-winbind-clients samba-winbind samba-common-tools samba > samba-winbind-krb5-locator > 2. joined the AD domain with "realm join" and the --automatic-id-mapping=no > option, as we wish to use uidNumber and gidNumber attributes we've added to > users and groups in AD > 3. at this point I attempted to query AD records but couldn't, so I updated > /etc/krb5.conf to set the default realm and to add the "dns_lookup_kdc > true" option, which allowed me to kinit successfully but still not see > records > 4. I added the following two idmap configuration options to > /etc/samba/smb.conf and was then able to retrieve user and group records > from AD, but the group members aren't included: > > idmap config BSOE : unix_nss_info = yes > idmap config BSOE : unix_primary_group = yes > > # getent passwd BSOE\\eshell > BSOE\eshell:*:3392:325::/soe/eshell:/bin/bash > # getent group "BSOE\\staff-group" > BSOE\staff-group:x:552: > > 5. I've found that querying some groups returns no information, perhaps > because of low gidNumber values (BSOE\staff-group has gidNumber 552): > > # getent group "BSOE\\staff-group" > # > > 6. I tried changing the idmap config range from 500-999999 to 100-999999 > but it doesn't seem to affect these queries. > > -------------------------------------------------------------------------------- > > Some things appear to be working properly. I can "su - BSOE\\eshell" and I > am able to mount and access the NFS directories appropriately. "id eshell" > and "id BSOE\\eshell" return the same information. I can also successfully > authenticate to samba with my AD account, but then I am told that there are > no available shares. I'm guessing that this is related to the NSS group > issues I'm having. > > Why can't I see the members of some groups? How do I debug this behavior? > > Why isn't samba able to mount the NFS shares after a user has authenticated > when I can do so in a shell by becoming that user on the samba host? > > Thanks in advance for any help you can provide.Lets start with the easiest part, can you post your smb.conf Rowland
Ugh, I knew I forgot something. Here is smb.conf: --- [global] kerberos method = system keytab template homedir = /soe/%U workgroup = BSOE template shell = /bin/bash security = ads realm = AD.SOE.UCSC.EDU idmap config BSOE : schema_mode = rfc2307 idmap config BSOE : range = 100-999999 idmap config BSOE : backend = ad idmap config BSOE : unix_nss_info = yes idmap config BSOE : unix_primary_group = yes idmap config * : range = 10000000-10999999 idmap config * : backend = tdb winbind use default domain = no winbind refresh tickets = yes winbind offline logon = yes winbind enum groups = no winbind enum users = no ################################################################################ # You should not define any shares in this file directly, use shares.conf. # ################################################################################ include = /etc/samba/shares.conf --- Here's an example of one of the share configurations from shares.conf, which are uniform: --- [backups] path = /notbackedup/backups comment = Window Servers Backups create mask = 0640 directory mask = 0750 force create mode = 0640 force directory mode = 0750 force group = backups valid users = +BSOE\backups-group +backups On Tue, Jul 9, 2019 at 10:59 AM Rowland penny via samba < samba at lists.samba.org> wrote:> On 09/07/2019 18:38, Eric Shell via samba wrote: > > I am setting up a CentOS 7 system as a file server within an AD domain, > > following the following Red Hat documentation: > > > > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers > > > > Here is some information that likely complicates things: > > > > - we have a number of users and groups with sub-1000 uid or gid numbers > > which can't easily be addressed > > - the system is integrated into a OpenLDAP service but UNIX attributes > are > > replicated to AD from OpenLDAP so uid and gid values match across all > users > > and groups > > - the system's samba shares are themselves NFS-mounted from a ZFS file > > server > > > > > -------------------------------------------------------------------------------- > > > > Thus far I've done the following: > > > > 1. installed packages - realmd oddjob-mkhomedir oddjob > > samba-winbind-clients samba-winbind samba-common-tools samba > > samba-winbind-krb5-locator > > 2. joined the AD domain with "realm join" and the > --automatic-id-mapping=no > > option, as we wish to use uidNumber and gidNumber attributes we've added > to > > users and groups in AD > > 3. at this point I attempted to query AD records but couldn't, so I > updated > > /etc/krb5.conf to set the default realm and to add the "dns_lookup_kdc > > true" option, which allowed me to kinit successfully but still not see > > records > > 4. I added the following two idmap configuration options to > > /etc/samba/smb.conf and was then able to retrieve user and group records > > from AD, but the group members aren't included: > > > > idmap config BSOE : unix_nss_info = yes > > idmap config BSOE : unix_primary_group = yes > > > > # getent passwd BSOE\\eshell > > BSOE\eshell:*:3392:325::/soe/eshell:/bin/bash > > # getent group "BSOE\\staff-group" > > BSOE\staff-group:x:552: > > > > 5. I've found that querying some groups returns no information, perhaps > > because of low gidNumber values (BSOE\staff-group has gidNumber 552): > > > > # getent group "BSOE\\staff-group" > > # > > > > 6. I tried changing the idmap config range from 500-999999 to 100-999999 > > but it doesn't seem to affect these queries. > > > > > -------------------------------------------------------------------------------- > > > > Some things appear to be working properly. I can "su - BSOE\\eshell" > and I > > am able to mount and access the NFS directories appropriately. "id > eshell" > > and "id BSOE\\eshell" return the same information. I can also > successfully > > authenticate to samba with my AD account, but then I am told that there > are > > no available shares. I'm guessing that this is related to the NSS group > > issues I'm having. > > > > Why can't I see the members of some groups? How do I debug this > behavior? > > > > Why isn't samba able to mount the NFS shares after a user has > authenticated > > when I can do so in a shell by becoming that user on the samba host? > > > > Thanks in advance for any help you can provide. > > Lets start with the easiest part, can you post your smb.conf > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >-- Eric Shell BSOE Technical Staff eshell at ucsc.edu 831 459 4919 Baskin Engineering, Room 313
In centos there is also /etc/pam.d/system-auth (and another file I cant remember) there is a restriction to only allow uids>1000 maybe this is part of your problem? Regards Am 9. Juli 2019 19:38:22 MESZ schrieb Eric Shell via samba <samba at lists.samba.org>:>I am setting up a CentOS 7 system as a file server within an AD domain, >following the following Red Hat documentation: > >https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers > >Here is some information that likely complicates things: > >- we have a number of users and groups with sub-1000 uid or gid numbers >which can't easily be addressed >- the system is integrated into a OpenLDAP service but UNIX attributes >are >replicated to AD from OpenLDAP so uid and gid values match across all >users >and groups >- the system's samba shares are themselves NFS-mounted from a ZFS file >server > >-------------------------------------------------------------------------------- > >Thus far I've done the following: > >1. installed packages - realmd oddjob-mkhomedir oddjob >samba-winbind-clients samba-winbind samba-common-tools samba >samba-winbind-krb5-locator >2. joined the AD domain with "realm join" and the >--automatic-id-mapping=no >option, as we wish to use uidNumber and gidNumber attributes we've >added to >users and groups in AD >3. at this point I attempted to query AD records but couldn't, so I >updated >/etc/krb5.conf to set the default realm and to add the "dns_lookup_kdc >>true" option, which allowed me to kinit successfully but still not see >records >4. I added the following two idmap configuration options to >/etc/samba/smb.conf and was then able to retrieve user and group >records >from AD, but the group members aren't included: > >idmap config BSOE : unix_nss_info = yes >idmap config BSOE : unix_primary_group = yes > ># getent passwd BSOE\\eshell >BSOE\eshell:*:3392:325::/soe/eshell:/bin/bash ># getent group "BSOE\\staff-group" >BSOE\staff-group:x:552: > >5. I've found that querying some groups returns no information, perhaps >because of low gidNumber values (BSOE\staff-group has gidNumber 552): > ># getent group "BSOE\\staff-group" ># > >6. I tried changing the idmap config range from 500-999999 to >100-999999 >but it doesn't seem to affect these queries. > >-------------------------------------------------------------------------------- > >Some things appear to be working properly. I can "su - BSOE\\eshell" >and I >am able to mount and access the NFS directories appropriately. "id >eshell" >and "id BSOE\\eshell" return the same information. I can also >successfully >authenticate to samba with my AD account, but then I am told that there >are >no available shares. I'm guessing that this is related to the NSS >group >issues I'm having. > >Why can't I see the members of some groups? How do I debug this >behavior? > >Why isn't samba able to mount the NFS shares after a user has >authenticated >when I can do so in a shell by becoming that user on the samba host? > >Thanks in advance for any help you can provide.-- Dr. Christian Naumer Unit Head Bioprocess Development B.R.A.I.N Aktiengesellschaft Darmstaedter Str. 34-36, D-64673 Zwingenberg e-mail cn at brain-biotech.de, homepage www.brain-biotech.de fon +49-6251-9331-30 / fax +49-6251-9331-11 Sitz der Gesellschaft: Zwingenberg/Bergstrasse Registergericht AG Darmstadt, HRB 24758 Vorstand: Dr. Juergen Eck (Vorsitzender), Manfred Bender, Ludger Roedder Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen