Hi,

> How are you trying to create the Unix (RFC2307) attributes ?

I am following the article:
https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC

Open ADUC.
Right-click a user account and choose Properties.
Navigate to the "UNIX Attributes" tab.

> Also, what do you mean by 'it doesn't bother any NIS server' ?

Sorry, Google translated it wrong. I meant: the domain name does not appear for selection in the NIS Domain field.

> Do you mean that the RFC2307 attributes are not being used ?

No. Do I need to change my smb.conf from:

# Global parameters
[global]
        workgroup = EMPRESA
        realm = EMPRESA.COM.BR
        netbios name = EMPRESA
        server role = active directory domain controller
        dns forwarder = 192.168.1.1
        ldap server require strong auth = no

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
        acl_xattr:ignore system acls = yes

To

# Global parameters
[global]
        workgroup = EMPRESA
        realm = EMPRESA.COM.BR
        netbios name = EMPRESA
        server role = active directory domain controller
        dns forwarder = 192.168.1.1
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
        acl_xattr:ignore system acls = yes

Regards,
Márcio Bacci

On Mon, 19 Aug 2019 at 09:46, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 19/08/2019 13:36, Marcio Demetrio Bacci via samba wrote:
> > Hi,
> >
> > I am having problems with users authenticating to the Windows Server 2008
> > file server, so I checked that the Samba DC Unix attributes are not
> > enabled.
> >
> > I am trying to create Unix attributes on Samba, but it doesn't bother any
> > NIS server to select.
>
> How are you trying to create the Unix (RFC2307) attributes ?
>
> Also, what do you mean by 'it doesn't bother any NIS server' ?
>
> Do you mean that the RFC2307 attributes are not being used ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 19/08/2019 15:12, Marcio Demetrio Bacci wrote:
> Hi,
>
> > How are you trying to create the Unix (RFC2307) attributes ?
>
> I am following the article:
> https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC
>
> Open ADUC.
> Right-click a user account and choose Properties.
> Navigate to the "UNIX Attributes" tab.

Do you have the IDMU server installed on the Windows DC ?

> > Also, what do you mean by 'it doesn't bother any NIS server' ?
>
> Sorry, Google translated it wrong. I meant: the domain name does not
> appear for selection in the NIS Domain field.
>
> > Do you mean that the RFC2307 attributes are not being used ?
>
> No.

OK

> Do I need to change my smb.conf from:
>
> # Global parameters
> [global]
>         workgroup = EMPRESA
>         realm = EMPRESA.COM.BR
>         netbios name = EMPRESA
>         server role = active directory domain controller
>         dns forwarder = 192.168.1.1
>         ldap server require strong auth = no
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>         acl_xattr:ignore system acls = yes
>
> To
>
> # Global parameters
> [global]
>         workgroup = EMPRESA
>         realm = EMPRESA.COM.BR
>         netbios name = EMPRESA
>         server role = active directory domain controller
>         dns forwarder = 192.168.1.1
>         idmap_ldb:use rfc2307 = yes
>         ldap server require strong auth = no
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>         acl_xattr:ignore system acls = yes

Ah, I think I see the problem. If I remember correctly, you joined the
Samba DC to a Windows DC, and if you didn't have IDMU installed on the
Windows DC, you wouldn't get the required objects in AD created on the
Samba DC either.

All the RFC2307 attributes are in the AD schema by default, so they are
available for use.

You have a few options:

Check if IDMU is installed and install it if not.

Install the ypServ30.ldif on the Samba DC
(/usr/share/samba/setup/ypServ30.ldif), see here:
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_the_NIS_Extensions

Write your own script using ldbmodify or ldapmodify to add the uidNumber
& gidNumber attributes.

You should be aware that even if you do any of the above, your users
will still get Domain Users as their primary group on the DC.

To get your AD users to show on your Samba AD DC, you need to have
libnss-winbind, libpam-krb5 & libpam-winbind installed and ensure the
'passwd' & 'group' lines in /etc/nsswitch.conf look like this:

passwd:         compat winbind
group:          compat winbind

If you do the above, you should get your users & groups without doing
any of the above, but the IDs will be in the '3000000' range.

Rowland
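One way to carry out the "write your own script using ldbmodify" option Rowland lists, as an added example that is not part of the thread and not Samba project code: a Python script that reads ldbsearch output from the DC and emits an ldbmodify LDIF adding uidNumber (and gidNumber) only to users that lack them. The ldbsearch filter, the sam.ldb path, the 10001-19999 uidNumber range, the gidNumber 10000 for Domain Users and the sample users alice, bob and carol are assumptions made for the example; the script also refuses a range that overlaps the 3000000 range idmap_ldb allocates from, so RFC2307 IDs and winbind's own allocations cannot collide.

```python
#!/usr/bin/env python3
"""Turn ldbsearch output into an ldbmodify LDIF that adds the RFC2307
uidNumber/gidNumber attributes AD users are missing.

Added example, not Samba project code. Assumed workflow on the Samba AD DC
(paths, filter, ranges and gidNumber are assumptions for this example):

    ldbsearch -H /var/lib/samba/private/sam.ldb \\
        '(&(objectClass=user)(objectCategory=person))' \\
        sAMAccountName uidNumber gidNumber > users.txt
    python3 unix_ids.py users.txt 10000 > unix-ids.ldif
    ldbmodify -H /var/lib/samba/private/sam.ldb unix-ids.ldif
"""

import base64
import sys

# Assumed local policy: RFC2307 uidNumbers are handed out from this range.
UID_RANGE = (10001, 19999)
# Default range idmap_ldb allocates from on a Samba AD DC (the '3000000'
# IDs mentioned in the thread); the RFC2307 range must not overlap it.
IDMAP_LDB_RANGE = (3000000, 4000000)


def _decode(value):
    """Finish an LDIF value: 'attr:: b64' arrives here as ': b64'."""
    if value.startswith(":"):
        return base64.b64decode(value[1:].strip()).decode("utf-8")
    return value.strip()


def parse_ldb_output(text):
    """Parse ldbsearch output (LDIF-style records) into a list of dicts
    mapping attribute name -> list of values. '#' comment lines such as
    '# record 1' and '# returned N records' are skipped; folded lines
    (leading space) are joined back before values are decoded."""
    records, current, last_attr = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                records.append({a: [_decode(v) for v in vs] for a, vs in current.items()})
            current, last_attr = {}, None
            continue
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]      # continuation line
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        records.append({a: [_decode(v) for v in vs] for a, vs in current.items()})
    return records


def uid_range_is_safe(uid_range):
    """True if the range is non-empty and disjoint from IDMAP_LDB_RANGE."""
    lo, hi = uid_range
    return lo <= hi and (hi < IDMAP_LDB_RANGE[0] or lo > IDMAP_LDB_RANGE[1])


def allocate_uids(records, uid_range=UID_RANGE):
    """Return {dn: uidNumber} for every record without a uidNumber.
    Existing uidNumbers are never reused, so rerunning on a partially
    populated domain only fills the gaps."""
    if not uid_range_is_safe(uid_range):
        raise ValueError("uid range %d-%d is empty or overlaps idmap_ldb range %d-%d"
                         % (uid_range + IDMAP_LDB_RANGE))
    used = {int(v) for rec in records for v in rec.get("uidNumber", [])}
    lo, hi = uid_range
    next_uid, assignments = lo, {}
    for rec in records:
        if "uidNumber" in rec:
            continue
        while next_uid in used:
            next_uid += 1
        if next_uid > hi:
            raise RuntimeError("uid range %d-%d exhausted" % uid_range)
        assignments[rec["dn"][0]] = next_uid
        used.add(next_uid)
        next_uid += 1
    return assignments


def build_ldif(records, assignments, gid_number):
    """Render ldbmodify input: one 'changetype: modify' entry per user that
    needs something, adding only the attributes that user does not have."""
    entries = []
    for rec in records:
        dn = rec["dn"][0]
        changes = []
        if dn in assignments:
            changes.append("add: uidNumber\nuidNumber: %d\n-" % assignments[dn])
        if "gidNumber" not in rec:
            changes.append("add: gidNumber\ngidNumber: %d\n-" % gid_number)
        if changes:
            entries.append("dn: %s\nchangetype: modify\n%s\n" % (dn, "\n".join(changes)))
    return "\n".join(entries)


# Constructed sample of what the ldbsearch above returns: alice already has
# RFC2307 attributes, bob and carol do not.
SAMPLE_LDB_OUTPUT = """\
# record 1
dn: CN=alice,CN=Users,DC=empresa,DC=com,DC=br
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

# record 2
dn: CN=bob,CN=Users,DC=empresa,DC=com,DC=br
sAMAccountName: bob

# record 3
dn: CN=carol,CN=Users,DC=empresa,DC=com,DC=br
sAMAccountName: carol

# returned 3 records
# 3 entries
# 0 referrals
"""


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: %s <ldbsearch-output-file> <domain-users-gidNumber>\n" % argv[0])
        return 2
    with open(argv[1]) as fh:
        records = parse_ldb_output(fh.read())
    sys.stdout.write(build_ldif(records, allocate_uids(records), int(argv[2])))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Review the generated LDIF before feeding it to ldbmodify: the assumed filter also matches built-in accounts such as Administrator, Guest and krbtgt, and the script only touches user objects, so the Domain Users group's own gidNumber has to be set with a separate modify on its DN.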
My "adman" tool can also assign uidNumber / gidNumber:
https://gitlab.com/JonathonReinhart/adman

On Mon, Aug 19, 2019 at 10:52 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> [...]
>
> Write your own script using ldbmodify or ldapmodify to add the uidNumber
> & gidNumber attributes.
>
> [...]
Hi,

> Ah, I think I see the problem. If I remember correctly, you joined the
> Samba DC to a Windows DC, and if you didn't have IDMU installed on the
> Windows DC, you wouldn't get the required objects in AD created on the
> Samba DC either.

Really, IDMU was not installed.

The file ypServ30.ldif is there:

ls /usr/share/samba/setup/
...
ypServ30.ldif

But I believe the extension is not enabled:

ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br cn
search error - No such Base DN: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br

So, do I need to install NIS (apt-get install nis), or only replace the variables in the LDIF file with the domain distinguished name (DN), NetBIOS name, and NIS domain?

Regards,
Márcio Bacci

On Mon, 19 Aug 2019 at 11:53, Rowland penny via samba <samba at lists.samba.org> wrote:
> [...]
>
> You have a few options:
>
> Check if IDMU is installed and install it if not.
>
> Install the ypServ30.ldif on the Samba DC
> (/usr/share/samba/setup/ypServ30.ldif), see here:
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_the_NIS_Extensions
>
> Write your own script using ldbmodify or ldapmodify to add the uidNumber
> & gidNumber attributes.
>
> [...]