Sérgio Basto
2019-Nov-26 14:26 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On Tue, 2019-11-26 at 15:07 +0100, L.P.H. van Belle via samba wrote:
> Hai,
>
> Please read :
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> And adjust your smb.conf, start with a minimal smb.conf then join and
> then add optional extra settings.

BTW, unfortunately I hadn't time to write about it, but see man idmap.ad; it has the right instructions ...

> Your current config is incomplete.
> I suggest you carefully read this chapter: Choose backend for id
> mapping in winbindd
>
> > Host is not configured as a member server.
> > Invalid configuration. Exiting....
> ^^^ as it is saying, invalid config.
>
> A sample config for a domain member, with backend AD..
> You might want RID as backend, so read the above links that tell more.
>
> Config
> [global]
>
> log level = 1 auth_audit:3
>
> # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
> # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
>
> # Obey the above rules from the links and avoid problems.
> workgroup = NTDOM
> security = ADS
> realm = YOUR.REALM.HERE_IN_CAPS
> netbios name = SERVER_HOSTNAME_IN_CAPS_MAX_15CHARS
>
> # set master browser for the network.
> # preferred + domain master = guarantee master browser ( man smb.conf )
> #preferred master = yes
> #domain master = yes
>
> # Optional, set ip/interface names where to run samba.
> interfaces = 192.168.0.10 127.0.0.1
> bind interfaces only = yes
>
> # Resolve netbios names over DNS.
> # Your DNS/Resolving setup MUST be correct to make it work.
> dns proxy = yes
>
> # Add and Update TLS Key
> # If you have a domain member, a correct certificate setup is preferred.
> #tls enabled = yes
> #tls keyfile = /etc/ssl/private/host.key.pem
> #tls certfile = /etc/sslcerts/host.cert.pem
> #tls cafile = /etc/ssl/certs/ca.pem
>
> ## map id's outside the domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> ## map ids from the domain and (*) the range may not overlap !
> # choose the back end that fits your setup.
> # https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
> idmap config NTDOM : backend = ad
> idmap config NTDOM : range = 10000-3999999
> # Backend AD often uses one or more of these 3 settings
> idmap config NTDOM : schema_mode = rfc2307
> # optional
> #idmap config NTDOM : unix_nss_info = yes
> #idmap config NTDOM : unix_primary_group = yes
>
> # Most compatible setup.
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> # Renew the kerberos ticket within its lifetime.
> winbind refresh tickets = yes
>
> # remove NTDOM\ from the username
> winbind use default domain = yes
>
> # Default = no, only set yes while testing.
> winbind enum users = no
> winbind enum groups = no
>
> # Enable offline logins
> winbind offline logon = yes
>
> # The user Administrator workaround, without it you are unable to set privileges
> # Format in the file: !root = NTDOM\Administrator NTDOM\administrator
> username map = /etc/samba/samba_usermapping
>
> # Disable option to allow usershares to be created, when set empty no error log messages.
> usershare path =
>
> # Disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> # For Windows ACL support on member file server, enabled globally, OBLIGATED
> # For a mixed setup of rights, put this per share!
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> # Share Setting Globally
> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> hide unreadable = yes
>
> ######## SHARE DEFINITIONS ################
> ..
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] on behalf of Sac Isilia via samba
> > Sent: Tuesday 26 November 2019 14:41
> > To: samba at lists.samba.org
> > Subject: [Samba] security = ads parameter not working in samba 4.9.5
> >
> > Hi Team,
> >
> > I need to join the server to the AD domain using winbind. Below are the
> > package versions for reference. The server runs Debian 10 and the default
> > install of samba is 4.9.5.
> >
> > ii samba         2:4.9.5+dfsg-5+deb10u1  amd64  SMB/CIFS file, print, and login server for Unix
> > ii samba-common  2:4.9.5+dfsg-5+deb10u1  all    common files used by both the Samba server and client
> > ii winbind       2:4.9.5+dfsg-5+deb10u1  amd64  service to resolve user and group information from Windows NT servers
> >
> > I searched the internet and a few samba mailing lists and found that it was
> > a bug and security = ads will produce an error if you start winbind. The
> > moment I put "security = user" in smb.conf, winbind starts successfully,
> > but the server is not joined to the domain; when I run the command
> > net ads join -U xxx I get the below error.
> >
> > Host is not configured as a member server.
> > Invalid configuration. Exiting....
> > Failed to join domain: This operation is only allowed for the PDC of the domain.
> >
> > I just couldn't find any solution to the above if samba runs on 4.9.5.
> > Please help me so that I can join the server to the AD domain.
> >
> > Below is my smb.conf
> > ------------------------------------
> > [global]
> >
> > passdb backend = tdbsam
> > security = user
> > password server = 10.34.54.46
> > idmap config EMEA-MEDIA : backend = ad
> > idmap config EMEA-MEDIA : range = 16777216-33554431
> > kerberos method = secrets and keytab
> > client use spnego = yes
> > client signing = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> > template homedir = /home/%D/%U
> > template shell = /bin/bash
> > client use spnego = yes
> > client ntlmv2 auth = yes
> > encrypt passwords = yes
> > winbind use default domain = yes
> > restrict anonymous = 2
> > domain master = no
> > local master = no
> > preferred master = no
> > os level = 0
> > allow trusted domains = yes
> > winbind nested groups = yes
> >
> > ; interfaces = 127.0.0.0/8 eth0
> > ; bind interfaces only = yes
> >
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> > logging = file
> > panic action = /usr/share/samba/panic-action %d
> >
> > server role = standalone server
> > obey pam restrictions = yes
> > unix password sync = yes
> > passwd program = /usr/bin/passwd %u
> > passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> >
> > pam password change = yes
> > map to guest = bad user
> >
> > ; logon path = \\%N\profiles\%U
> > ; logon drive = H:
> > ; logon script = logon.cmd
> > ; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
> > ; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
> > ; add group script = /usr/sbin/addgroup --force-badname %g
> >
> > ; include = /home/samba/etc/smb.conf.%m
> >
> > ; idmap config * : backend = tdb
> > ; idmap config * : range = 3000-7999
> > ; idmap config YOURDOMAINHERE : backend = tdb
> > ; idmap config YOURDOMAINHERE : range = 100000-999999
> > ; template shell = /bin/bash
> >
> > usershare allow guests = yes
> >
> > [homes]
> > comment = Home Directories
> > browseable = no
> > read only = yes
> > create mask = 0700
> > directory mask = 0700
> > valid users = %S
> >
> > ;[netlogon]
> > ; comment = Network Logon Service
> > ; path = /home/samba/netlogon
> > ; guest ok = yes
> > ; read only = yes
> >
> > ;[profiles]
> > ; comment = Users profiles
> > ; path = /home/samba/profiles
> > ; guest ok = no
> > ; browseable = no
> > ; create mask = 0600
> > ; directory mask = 0700
> >
> > [printers]
> > comment = All Printers
> > browseable = no
> > path = /var/spool/samba
> > printable = yes
> > guest ok = no
> > read only = yes
> > create mask = 0700
> >
> > [print$]
> > comment = Printer Drivers
> > path = /var/lib/samba/printers
> > browseable = yes
> > read only = yes
> > guest ok = no
> > ; write list = root, @lpadmin
> >
> > Regards
> > Sachin Kumar
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>

-- 
Sérgio M. B.
Sérgio Basto
2019-Nov-27 11:03 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On Tue, 2019-11-26 at 14:26 +0000, Sérgio Basto wrote:
> On Tue, 2019-11-26 at 15:07 +0100, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > Please read :
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > And adjust your smb.conf, start with a minimal smb.conf then join and
> > then add optional extra settings.
>
> BTW, unfortunately I hadn't time to write about it, but see man idmap.ad; it has the right instructions ...

Sorry, I meant man idmap_ad. But checking again, the man page is equal to
https://wiki.samba.org/index.php/Idmap_config_ad in the EXAMPLES section of the man page [1].

The examples don't mention netbios name ... I did [2], which instead of
workgroup uses netbios name, and it is working, but I still don't know
why or even if it is correct.

[2]
[global]
netbios name = REPO
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM

winbind use default domain = yes

idmap config * : backend = tdb
idmap config * : range = 1000000-1999999

idmap config REPO : backend = ad
idmap config REPO : schema_mode = rfc2307
idmap config REPO : range = 10000-999999
idmap config REPO : unix_nss_info = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

template shell = /bin/false
template homedir = /srv/samba/users/%U
username map = /var/lib/samba/user.map

[1]
EXAMPLES
The following example shows how to retrieve idmappings from our
principal and trusted AD domains. If trusted domains are present id
conflicts must be resolved beforehand, there is no guarantee on
the order conflicting mappings would be resolved at this point.
This example also shows how to leave a small non conflicting
range for local id allocation that may be used in internal backends
like BUILTIN.

[global]
workgroup = CORP

idmap config * : backend = tdb
idmap config * : range = 1000000-1999999

idmap config CORP : backend = ad
idmap config CORP : range = 1000-999999

> > Your current config is incomplete.
-- 
Sérgio M. B.
Rowland penny
2019-Nov-27 12:29 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On 27/11/2019 11:03, Sérgio Basto via samba wrote:
> Sorry, I meant man idmap_ad. But checking again, the man page is equal to
> https://wiki.samba.org/index.php/Idmap_config_ad in the EXAMPLES section of the man page [1].
>
> The examples don't mention netbios name ... I did [2], which instead of
> workgroup uses netbios name, and it is working, but I still don't know
> why or even if it is correct.

You do not need to set 'netbios name', it will be set for you from the hostname.

> [2]
> [global]
> netbios name = REPO
> security = ADS
> workgroup = SAMDOM
> realm = SAMDOM.EXAMPLE.COM
>
> winbind use default domain = yes
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
>
> idmap config REPO : backend = ad
> idmap config REPO : schema_mode = rfc2307
> idmap config REPO : range = 10000-999999
> idmap config REPO : unix_nss_info = yes

You need to use the workgroup name, not the netbios name. There will be three domains on your Unix domain member:

BUILTIN : Mostly used for the Well Known SIDs
SAMDOM : Your AD domain
REPO : a local domain and not really relevant

> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> template shell = /bin/false
> template homedir = /srv/samba/users/%U
> username map = /var/lib/samba/user.map
>
> [1]
> EXAMPLES
> The following example shows how to retrieve idmappings from our
> principal and trusted AD domains. If trusted domains are present id
> conflicts must be resolved beforehand, there is no guarantee on
> the order conflicting mappings would be resolved at this point.
> This example also shows how to leave a small non conflicting
> range for local id allocation that may be used in internal backends
> like BUILTIN.
>
> [global]
> workgroup = CORP
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
>
> idmap config CORP : backend = ad
> idmap config CORP : range = 1000-999999

Rowland
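As an added example (not code from this thread or from the Samba project), a small Python checker that applies the points Louis and Rowland make above to an smb.conf: security must be ADS, a standalone server role blocks the join, the per-domain idmap block must be keyed by the workgroup (under any other name, such as the netbios name REPO, AD users fall to the `*` default backend), and idmap ranges must not overlap. REPO_CONF is constructed from the [2] config quoted above; parse_smb_conf, idmap_ranges and check_member_config are names chosen here, and the checks are only a subset of what testparm does.

```python
import re

# Constructed from the "[2]" config quoted in this thread (not a real host).
REPO_CONF = """
[global]
    netbios name = REPO
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config REPO : backend = ad
    idmap config REPO : range = 10000-999999
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}, keys lower-cased with spacing normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            # smb.conf ignores case/spacing: "idmap config X : range" == "idmap config X:range"
            key = re.sub(r"\s*:\s*", ":", re.sub(r"\s+", " ", key.lower()))
            sections[current][key] = value
    return sections

def idmap_ranges(glob):
    """Map idmap domain name (upper-cased) -> (low, high) from its range key."""
    ranges = {}
    for key, value in glob.items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:
            low, high = (int(x) for x in value.split("-", 1))
            ranges[m.group(1).upper()] = (low, high)
    return ranges

def check_member_config(text):
    """Return the list of problems found; an empty list means all checks pass."""
    glob = parse_smb_conf(text).get("global", {})
    problems = []
    if glob.get("security", "").lower() != "ads":
        problems.append("security must be ADS on an AD domain member")
    if glob.get("server role", "").lower().startswith("standalone"):
        problems.append("server role = standalone server blocks 'net ads join'")
    ranges = idmap_ranges(glob)
    # The per-domain idmap block is keyed by the workgroup (short AD domain
    # name); under any other name AD users silently fall to the '*' backend.
    workgroup = glob.get("workgroup", "WORKGROUP").upper()
    if workgroup not in ranges:
        problems.append(f"no idmap config for workgroup {workgroup} (found "
                        f"{sorted(d for d in ranges if d != '*')}); its users fall to the '*' backend")
    names = sorted(ranges)
    for i, a in enumerate(names):                # ranges must not overlap
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                problems.append(f"idmap ranges of {a} and {b} overlap")
    return problems
```

Renaming the two `idmap config REPO` lines to `idmap config SAMDOM` makes the checker report nothing, which is Rowland's fix.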