Rowland penny
2019-Nov-27 12:29 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On 27/11/2019 11:03, Sérgio Basto via samba wrote:
> Sorry I meant man idmap_ad. But checking again man is equal of
> https://wiki.samba.org/index.php/Idmap_config_ad in EXAMPLES of man
> page [1]
>
> Examples don't mention netbios name ... I did [2] which instead use
> workgroup I used netbios name and it is working but still don't know
> why or even if it is correct.

You do not need to set 'netbios name', it will be set for you from the hostname

>
> [2]
> [global]
> netbios name = REPO
> security = ADS
> workgroup = SAMDOM
> realm = SAMDOM.EXAMPLE.COM
>
> winbind use default domain = yes
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
>
> idmap config REPO : backend = ad
> idmap config REPO : schema_mode = rfc2307
> idmap config REPO : range = 10000-999999
> idmap config REPO : unix_nss_info = yes

You need to use the workgroup name, not the netbios name. There will be three domains on your Unix domain member:

BUILTIN : Mostly used for the Well Known SIDs

SAMDOM : Your AD domain

REPO : a local domain and not really relevant

> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> template shell = /bin/false
> template homedir = /srv/samba/users/%U
> username map = /var/lib/samba/user.map
>
> [1]
> EXAMPLES
> The following example shows how to retrieve idmappings from our
> principal and trusted AD domains. If trusted domains are present id
> conflicts must be resolved beforehand, there is no guarantee on
> the order conflicting mappings would be resolved at this point.
> This example also shows how to leave a small non conflicting
> range for local id allocation that may be used in internal backends
> like BUILTIN.
>
> [global]
> workgroup = CORP
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
>
> idmap config CORP : backend = ad
> idmap config CORP : range = 1000-999999

Rowland
Sac Isilia
2019-Nov-27 14:36 UTC
[Samba] security = ads parameter not working in samba 4.9.5
Hi Rowland,

I reconfigured my smb.conf taking reference from the link provided earlier but still the winbind service is not able to start.

Below is the output of testparm.

root@esmad1apl01:~# testparm
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
ERROR: Do not use the 'ad' backend as the default idmap backend!

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        logging = file
        map to guest = Bad User
        max log size = 1000
        obey pam restrictions = Yes
        pam password change = Yes
        panic action = /usr/share/samba/panic-action %d
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        passwd program = /usr/bin/passwd %u
        realm = EMEA.MEDIA.GLOBAL.LOC
        security = ADS
        server role = standalone server
        unix password sync = Yes
        usershare allow guests = Yes
        winbind use default domain = Yes
        workgroup = EMEA-MEDIA
        idmap config *: unix_nss_info = yes
        idmap config * : schema_mode = rfc2307
        idmap config * : range = 16777216-33554431
        idmap config * : backend = ad
        map acl inherit = Yes
        vfs objects = acl_xattr

[homes]
        browseable = No
        comment = Home Directories
        create mask = 0700
        directory mask = 0700
        valid users = %S

[printers]
        browseable = No
        comment = All Printers
        create mask = 0700
        path = /var/spool/samba
        printable = Yes

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

I can see below logs in log.winbindd

  Could not fetch our SID - did we join?
[2019/11/26 15:56:13.918337,  0] ../source3/winbindd/winbindd.c:1454(winbindd_register_handlers)
  unable to initialize domain list
[2019/11/26 15:56:15.843545,  0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/11/26 15:56:15.855817,  0] ../source3/winbindd/winbindd_util.c:1255(init_domain_list)
  Could not fetch our SID - did we join?
[2019/11/26 15:56:15.855891,  0] ../source3/winbindd/winbindd.c:1454(winbindd_register_handlers)
  unable to initialize domain list
[2019/11/26 15:57:05.637011,  0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/11/26 15:57:05.647112,  0] ../source3/winbindd/winbindd_util.c:1255(init_domain_list)
  Could not fetch our SID - did we join?
[2019/11/26 15:57:05.647198,  0] ../source3/winbindd/winbindd.c:1454(winbindd_register_handlers)
  unable to initialize domain list
[2019/11/26 15:57:29.329423,  0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/11/26 15:57:29.337077,  0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
[2019/11/26 16:55:23.571022,  0] ../source3/winbindd/winbindd.c:244(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=1)
[2019/11/26 16:55:23.700798,  0] ../source3/winbindd/winbindd.c:1771(main)
  main: FATAL: Invalid idmap backend ad configured as the default backend!
[2019/11/27 14:36:42.619638,  0] ../source3/winbindd/winbindd.c:1771(main)
  main: FATAL: Invalid idmap backend ad configured as the default backend!

Regards
Sachin Kumar

On Wed, Nov 27, 2019 at 5:59 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 27/11/2019 11:03, Sérgio Basto via samba wrote:
> > Sorry I meant man idmap_ad. But checking again man is equal of
> > https://wiki.samba.org/index.php/Idmap_config_ad in EXAMPLES of man
> > page [1]
> >
> > Examples don't mention netbios name ... I did [2] which instead use
> > workgroup I used netbios name and it is working but still don't know
> > why or even if it is correct.
> You do not need to set 'netbios name', it will be set for you from the
> hostname
> >
> > [2]
> > [global]
> > netbios name = REPO
> > security = ADS
> > workgroup = SAMDOM
> > realm = SAMDOM.EXAMPLE.COM
> >
> > winbind use default domain = yes
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 1000000-1999999
> >
> > idmap config REPO : backend = ad
> > idmap config REPO : schema_mode = rfc2307
> > idmap config REPO : range = 10000-999999
> > idmap config REPO : unix_nss_info = yes
>
> You need to use the workgroup name, not the netbios name. There will be
> three domains on your Unix domain member:
>
> BUILTIN : Mostly used for the Well Known SIDs
>
> SAMDOM : Your AD domain
>
> REPO : a local domain and not really relevant
>
> > vfs objects = acl_xattr
> > map acl inherit = yes
> > store dos attributes = yes
> >
> > template shell = /bin/false
> > template homedir = /srv/samba/users/%U
> > username map = /var/lib/samba/user.map
> >
> > [1]
> > EXAMPLES
> > The following example shows how to retrieve idmappings from our
> > principal and trusted AD domains. If trusted domains are present id
> > conflicts must be resolved beforehand, there is no guarantee on
> > the order conflicting mappings would be resolved at this point.
> > This example also shows how to leave a small non conflicting
> > range for local id allocation that may be used in internal backends
> > like BUILTIN.
> >
> > [global]
> > workgroup = CORP
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 1000000-1999999
> >
> > idmap config CORP : backend = ad
> > idmap config CORP : range = 1000-999999
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Sérgio Basto
2019-Nov-27 15:30 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On Wed, 2019-11-27 at 12:29 +0000, Rowland penny via samba wrote:
> On 27/11/2019 11:03, Sérgio Basto via samba wrote:
> > Sorry I meant man idmap_ad. But checking again man is equal of
> > https://wiki.samba.org/index.php/Idmap_config_ad in EXAMPLES of man
> > page [1]
> >
> > Examples don't mention netbios name ... I did [2] which instead use
> > workgroup I used netbios name and it is working but still don't
> > know
> > why or even if it is correct.
> You do not need to set 'netbios name', it will be set for you from
> the
> hostname
> >
> > [2]
> > [global]
> > netbios name = REPO
> > security = ADS
> > workgroup = SAMDOM
> > realm = SAMDOM.EXAMPLE.COM
> >
> > winbind use default domain = yes
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 1000000-1999999
> >
> > idmap config REPO : backend = ad
> > idmap config REPO : schema_mode = rfc2307
> > idmap config REPO : range = 10000-999999
> > idmap config REPO : unix_nss_info = yes
>
> You need to use the workgroup name, not the netbios name. There will
> be
> three domains on your Unix domain member:
>
> BUILTIN : Mostly used for the Well Known SIDs
>
> SAMDOM : Your AD domain
>
> REPO : a local domain and not really relevant

Hi, many thanks for the reply and it started to work but I had to use realm

security = ADS
workgroup = SAMDOM
realm = SAMDOM.LOCAL
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999

idmap config SAMDOM.LOCAL : backend = ad
idmap config SAMDOM.LOCAL : schema_mode = rfc2307
idmap config SAMDOM.LOCAL : range = 10000-999999
idmap config SAMDOM.LOCAL : unix_nss_info = yes

> > vfs objects = acl_xattr
> > map acl inherit = yes
> > store dos attributes = yes
> >
> > template shell = /bin/false
> > template homedir = /srv/samba/users/%U
> > username map = /var/lib/samba/user.map
> >
> > [1]
> > EXAMPLES
> > The following example shows how to retrieve idmappings from
> > our
> > principal and trusted AD domains. If trusted domains are present id
> > conflicts must be resolved beforehand, there is no
> > guarantee on
> > the order conflicting mappings would be resolved at this point.
> > This example also shows how to leave a small non
> > conflicting
> > range for local id allocation that may be used in internal backends
> > like BUILTIN.
> >
> > [global]
> > workgroup = CORP
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 1000000-1999999
> >
> > idmap config CORP : backend = ad
> > idmap config CORP : range = 1000-999999
>
> Rowland

-- 
Sérgio M. B.
Rowland penny
2019-Nov-27 15:33 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On 27/11/2019 14:36, Sac Isilia wrote:
> Hi Rowland,
>
> I reconfigured my smb.conf taking reference from the link provided
> earlier but still the winbind service is not able to start.

Sorry, but no, you haven't ;-)

> Below is the output of testparm.
>
> root@esmad1apl01:~# testparm
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[printers]"
> Processing section "[print$]"
> Loaded services file OK.
> ERROR: Do not use the 'ad' backend as the default idmap backend!

The error message tells you what is wrong.

>
> Server role: ROLE_DOMAIN_MEMBER
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         log file = /var/log/samba/log.%m
>         logging = file
>         map to guest = Bad User
>         max log size = 1000
>         obey pam restrictions = Yes
>         pam password change = Yes
>         panic action = /usr/share/samba/panic-action %d
>         passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>         passwd program = /usr/bin/passwd %u
>         realm = EMEA.MEDIA.GLOBAL.LOC
>         security = ADS
>         server role = standalone server
>         unix password sync = Yes
>         usershare allow guests = Yes
>         winbind use default domain = Yes
>         workgroup = EMEA-MEDIA
>         idmap config *: unix_nss_info = yes
>         idmap config * : schema_mode = rfc2307
>         idmap config * : range = 16777216-33554431
>         idmap config * : backend = ad

The 'idmap config' lines should be:

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config EMEA-MEDIA : backend = ad
        idmap config EMEA-MEDIA : range = 16777216-33554431
        idmap config EMEA-MEDIA : unix_nss_info = yes
        idmap config EMEA-MEDIA : schema_mode = rfc2307

Of course, the 'EMEA-MEDIA' range would be better as '10000-999999' if you haven't added rfc2307 attributes to AD

You must also remove these lines:

        server role = standalone server
        unix password sync = Yes

You are running Samba as a Unix domain member, not as a standalone server and you cannot have the same usernames in AD and /etc/passwd, so how can you sync the passwords?

Rowland
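An added example, not part of this thread and not Samba's own code: a small Python checker that reads the [global] section of an smb.conf and reports the idmap mistakes Rowland points out above (the 'ad' backend set as the default '*' backend, a domain block keyed by the host's netbios name or by the Kerberos realm instead of the workgroup, and 'server role = standalone server' on a domain member), plus the two range rules Samba itself enforces (every block needs a range, and ranges must not overlap). The two embedded configs are constructed for the example, trimmed from the ones posted in this thread; the function names and messages are mine. Run it against the raw file or against `testparm -s` output.

```python
"""Check the 'idmap config' part of an smb.conf for the mistakes seen in this thread."""
from __future__ import annotations
import re

# "idmap config <DOMAIN> : <option> = <value>"; DOMAIN is '*' or a NetBIOS domain name.
IDMAP_RE = re.compile(r"^idmap\s+config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)
PARAM_RE = re.compile(r"^([a-z][a-z0-9 ]*?)\s*=\s*(.*?)\s*$", re.I)


def parse_global(conf: str) -> tuple[dict[str, str], dict[str, dict[str, str]]]:
    """Return ({param: value}, {DOMAIN: {option: value}}) for the [global] section.
    As in smb.conf itself, only a leading '#' or ';' starts a comment."""
    params: dict[str, str] = {}
    idmap: dict[str, dict[str, str]] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global":
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            idmap.setdefault(dom.upper(), {})[opt.lower()] = val
            continue
        m = PARAM_RE.match(line)
        if m:
            params[" ".join(m.group(1).lower().split())] = m.group(2)
    return params, idmap


def check_idmap(conf: str) -> list[str]:
    """Return the list of problems found (empty when the idmap setup looks sane)."""
    params, idmap = parse_global(conf)
    problems: list[str] = []
    workgroup = params.get("workgroup", "").upper()
    realm = params.get("realm", "").upper()
    netbios = params.get("netbios name", "").upper()

    if (params.get("security", "").lower() == "ads"
            and params.get("server role", "").lower() == "standalone server"):
        problems.append("'server role = standalone server' conflicts with "
                        "'security = ADS'; a domain member must not set it")

    # The '*' block serves BUILTIN and local SIDs; it can never be the ad backend.
    if "*" not in idmap:
        problems.append("missing 'idmap config *' block (needed for BUILTIN)")
    elif idmap["*"].get("backend", "").lower() == "ad":
        problems.append("'ad' must not be the default ('*') idmap backend")

    # The AD domain block is keyed by the workgroup (NetBIOS domain) name,
    # not by this host's netbios name and not by the Kerberos realm.
    if workgroup and workgroup not in idmap:
        problems.append(f"no 'idmap config {workgroup}' block for the workgroup")
    for dom in idmap:
        if dom in ("*", workgroup):
            continue
        if dom == realm:
            problems.append(f"'idmap config {dom}' uses the realm; use the workgroup name")
        elif dom == netbios:
            problems.append(f"'idmap config {dom}' uses this host's netbios name; "
                            "use the workgroup name")

    # Samba requires a range on every block and rejects overlapping ranges.
    ranges = []
    for dom, opts in idmap.items():
        try:
            lo, hi = (int(x) for x in opts["range"].split("-"))
        except (KeyError, ValueError):
            problems.append(f"'idmap config {dom}' has a missing or malformed range")
            continue
        if lo >= hi:
            problems.append(f"'idmap config {dom}' range {lo}-{hi} is empty")
            continue
        ranges.append((lo, hi, dom))
    ranges.sort()
    for (_, hi1, d1), (lo2, _, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"idmap ranges of {d1} and {d2} overlap")
    return problems


# Constructed for this example, trimmed from the configs posted in the thread.
BROKEN_CONF = """\
[global]
        realm = EMEA.MEDIA.GLOBAL.LOC
        security = ADS
        server role = standalone server
        workgroup = EMEA-MEDIA
        idmap config *: unix_nss_info = yes
        idmap config * : schema_mode = rfc2307
        idmap config * : range = 16777216-33554431
        idmap config * : backend = ad
"""

FIXED_CONF = """\
[global]
        realm = EMEA.MEDIA.GLOBAL.LOC
        security = ADS
        workgroup = EMEA-MEDIA
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config EMEA-MEDIA : backend = ad
        idmap config EMEA-MEDIA : range = 16777216-33554431
        idmap config EMEA-MEDIA : unix_nss_info = yes
        idmap config EMEA-MEDIA : schema_mode = rfc2307
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {check_idmap(conf) or ['OK']}")
```

The checker deliberately does not flag every non-workgroup domain name, since a block for a trusted domain's NetBIOS name is legitimate; it only flags the two substitutions that appear in this thread (realm and host netbios name) and a missing block for the workgroup itself.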
Rowland penny
2019-Nov-27 15:51 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On 27/11/2019 15:30, Sérgio Basto wrote:
> On Wed, 2019-11-27 at 12:29 +0000, Rowland penny via samba wrote:
>> On 27/11/2019 11:03, Sérgio Basto via samba wrote:
>>> Sorry I meant man idmap_ad. But checking again man is equal of
>>> https://wiki.samba.org/index.php/Idmap_config_ad in EXAMPLES of man
>>> page [1]
>>>
>>> Examples don't mention netbios name ... I did [2] which instead use
>>> workgroup I used netbios name and it is working but still don't
>>> know
>>> why or even if it is correct.
>> You do not need to set 'netbios name', it will be set for you from
>> the
>> hostname
>>>
>>> [2]
>>> [global]
>>> netbios name = REPO
>>> security = ADS
>>> workgroup = SAMDOM
>>> realm = SAMDOM.EXAMPLE.COM
>>>
>>> winbind use default domain = yes
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 1000000-1999999
>>>
>>> idmap config REPO : backend = ad
>>> idmap config REPO : schema_mode = rfc2307
>>> idmap config REPO : range = 10000-999999
>>> idmap config REPO : unix_nss_info = yes
>> You need to use the workgroup name, not the netbios name. There will
>> be
>> three domains on your Unix domain member:
>>
>> BUILTIN : Mostly used for the Well Known SIDs
>>
>> SAMDOM : Your AD domain
>>
>> REPO : a local domain and not really relevant
>
> Hi, many thanks for the reply and it started to work but I had to use
> realm
>
> security = ADS
> workgroup = SAMDOM
> realm = SAMDOM.LOCAL
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
>
> idmap config SAMDOM.LOCAL : backend = ad
> idmap config SAMDOM.LOCAL : schema_mode = rfc2307
> idmap config SAMDOM.LOCAL : range = 10000-999999
> idmap config SAMDOM.LOCAL : unix_nss_info = yes

You have something mis-configured somewhere, it MUST be workgroup, not realm.

Please download this:

https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh

Run it on the Unix domain member and paste the output into a post, do not attach it, this list strips attachments.

Rowland
Rowland penny
2019-Nov-28 10:27 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On 28/11/2019 04:00, Sac Isilia wrote:
> Hi Rowland,
>
> I tried running the script that you gave but it gave me below error.
>
> bash samba-collect-debug-info.sh > samba-output
> kinit: Client's credentials have been revoked while getting initial
> credentials
>

Okay, open the script in your favourite editor, go to line 60, it should be 'exit 1'. Comment this line by putting a '#' at the start, close and save and then run the script again ;-)

Rowland
Sac Isilia
2019-Nov-29 11:28 UTC
[Samba] security = ads parameter not working in samba 4.9.5
Hi Rowland,

I get below error while running the script again.

bash samba-collect-debug-info.sh > samba-output
kinit: Client's credentials have been revoked while getting initial credentials

cat samba-output
Please wait, collecting debug info.
Wrong password or kerberos REALM problems, exiting now.

Below is my /etc/krb5.conf

[libdefaults]
        default_realm = EMEA.MEDIA.GLOBAL.LOC

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

[realms]
        MEDIA.GLOBAL.LOC = {
                kdc = 10.11.137.100
                default_domain = media.global.loc
                admin_server = 10.11.137.100
        }
        EMEA.MEDIA.GLOBAL.LOC = {
                kdc = 10.10.136.95
                default_domain = media.global.loc
                admin_server = 10.10.136.95
        }

[domain_realm]
        media.global.loc = MEDIA.GLOBAL.LOC
        .media.global.loc = MEDIA.GLOBAL.LOC
        .emea-media.global.loc = EMEA.MEDIA.GLOBAL.LOC
        emea-media.global.loc = EMEA.MEDIA.GLOBAL.LOC

Regards
Sachin Kumar

On Thu, Nov 28, 2019 at 3:57 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 28/11/2019 04:00, Sac Isilia wrote:
> > Hi Rowland,
> >
> > I tried running the script that you gave but it gave me below error.
> >
> > bash samba-collect-debug-info.sh > samba-output
> > kinit: Client's credentials have been revoked while getting initial
> > credentials
> >
> Okay, open the script in your favourite editor, go to line 60, it should
> be 'exit 1'. Comment this line by putting a '#' at the start, close and
> save and then run the script again ;-)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba