Rowland penny
2019-Nov-28 10:21 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On 27/11/2019 23:57, Sérgio Basto wrote:
> Thank you for the warning :) [1], I'm fighting the same problem but I
> have a different configuration that I never told you before, I'm
> running my centos 7 packages (very similar to other fellows) [2] where
> DC1, DC2 and DC3 are running SambaAD, samba-4.8.8-2.el7.x86_64 with
> BIND9_DLZ (bind-9.11.4-9.P2.el7.x86_64).

First things first, remove sssd, it is not supported with Samba.

Next, stop network manager altering /etc/resolv.conf

Make /etc/hosts look like this:

127.0.0.1   localhost
::1         localhost
172.27.28.1 ccdc1.corp.local

Just change the DCs info to match the DC it is on

/etc/resolv.conf should look like this:

search corp.local
nameserver 172.27.2.1

Again match the IP to the DC.

Remove these lines from smb.conf:

            vfs objects = acl_xattr
            map acl inherit = yes
            store dos attributes = yes

You are breaking Samba by having them.

Make /etc/named.conf look like this:

options {
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    notify no;
    empty-zones-enable no;
    allow-query { any; };
    allow-query-cache { any; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    allow-transfer { none; };
    dnssec-validation no;
    dnssec-enable no;
    dnssec-lookaside no;
    listen-on port 53 { 172.27.28.1; 127.0.0.1; };
    listen-on-v6 port 53 { ::1;};
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

};

logging {
    channel default_debug {
         file "data/named.run";
         severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/lib/samba/bind-dns/named.conf";

The howto you ultimately linked to tells you to open ports 1024:5000 in the firewall, this is now incorrect, you need to open ports 49152-65535

> REPO server is Domain_Member [3] with Idmap_config_ad, of DOMAIN corp
> and I'm testing with SambaAD-4.10.9 or 10.
>
> What else ?
> getent passwd and getent group just works with previous configuration
> and stop when I set the workgroup in idmap when you wrote "it MUST be
> workgroup not realm"
>
>
> Notes on script :
> Centos 7 dns configuration is on /etc/named.conf not in
> /etc/bind/named.conf I had to hack a little the script and for dpkg -l,
> I replaced with rpm -qa
>
>
> [1]
> https://paste.centos.org/view/8d205024
> https://paste.centos.org/view/bba5f6c4
>
> [2]
> https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/
>
> [3]
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>

Fix your DCs and see how you go on ;-)

Rowland
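The DC-side advice in the message above (no extended-ACL lines in a DC's smb.conf, resolv.conf pointing at the DC's own DNS, the FQDN mapped to the LAN address in /etc/hosts) can be turned into a quick sanity check. The script below is an added example, not code from the thread or from Samba; the IP 172.27.28.1, the host ccdc1.corp.local and the sample files it writes are constructed for the demo and are assumptions, not the poster's real configuration. It does not check the firewall range or sssd, which depend on the distribution's tooling.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: check a Samba AD DC's
# smb.conf, /etc/resolv.conf and /etc/hosts against the advice above.
# 172.27.28.1, ccdc1.corp.local and the sample files below are constructed
# for the demo (assumptions), not the poster's real data.

# check_smbconf FILE
# Returns 1 if any of the three parameters a DC must not carry is set.
# Samba ignores case and whitespace in parameter names and treats lines
# starting with '#' or ';' as comments, so normalise the same way first.
check_smbconf() {
    hits=$(sed -e 's/^[[:space:]]*[#;].*$//' "$1" \
        | tr -d '[:blank:]' | tr 'A-Z' 'a-z' \
        | grep -Ec '^(vfsobjects=.*acl_xattr|mapaclinherit=|storedosattributes=)' \
        || true)
    [ "$hits" -eq 0 ]
}

# check_resolv FILE DC_IP DNS_DOMAIN
# A DC must resolve through its own Samba/BIND DNS only: every nameserver
# line must be this DC's IP and the search domain must be the AD domain.
check_resolv() {
    ns=$(awk '$1 == "nameserver" { print $2 }' "$1" | sort -u)
    srch=$(awk '$1 == "search" { print $2 }' "$1")
    [ "$ns" = "$2" ] && [ "$srch" = "$3" ]
}

# check_hosts FILE DC_IP DC_FQDN
# The DC's FQDN must map to its LAN address, not to loopback, as in the
# sample /etc/hosts in the message above.
check_hosts() {
    ip=$(awk -v h="$3" '{ for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$1")
    [ "$ip" = "$2" ]
}

# Constructed sample files standing in for the real ones on a DC.
TMP=$(mktemp -d)

cat > "$TMP/smb.conf.before" <<'EOF'
[global]
    workgroup = CORP
    realm = CORP.LOCAL
    server role = active directory domain controller
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
EOF

cat > "$TMP/smb.conf.after" <<'EOF'
[global]
    workgroup = CORP
    realm = CORP.LOCAL
    server role = active directory domain controller
    # vfs objects = acl_xattr   (commented out: must not trip the check)
EOF

cat > "$TMP/resolv.conf" <<'EOF'
search corp.local
nameserver 172.27.28.1
EOF

cat > "$TMP/hosts" <<'EOF'
127.0.0.1   localhost
::1         localhost
172.27.28.1 ccdc1.corp.local ccdc1
EOF

# report NAME CMD... : print PASS/FAIL without aborting the run
report() {
    name=$1; shift
    if "$@"; then echo "PASS $name"; else echo "FAIL $name"; fi
}

report "smb.conf (before)" check_smbconf "$TMP/smb.conf.before"
report "smb.conf (after)"  check_smbconf "$TMP/smb.conf.after"
report "resolv.conf"       check_resolv "$TMP/resolv.conf" 172.27.28.1 corp.local
report "hosts"             check_hosts "$TMP/hosts" 172.27.28.1 ccdc1.corp.local
```

On a real DC, point the three functions at /etc/samba/smb.conf, /etc/resolv.conf and /etc/hosts with the DC's own IP and FQDN; the "before" sample reproduces the three smb.conf lines the message says to remove and is the one that fails.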
Sérgio Basto
2019-Nov-28 20:01 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On Thu, 2019-11-28 at 10:21 +0000, Rowland penny via samba wrote:
> On 27/11/2019 23:57, Sérgio Basto wrote:
> > Thank you for the warning :) [1], I'm fighting the same problem
> > but I
> > have a different configuration that I never told you before, I'm
> > running my centos 7 packages (very similar to other fellows) [2]
> > where
> > DC1, DC2 and DC3 are running SambaAD, samba-4.8.8-2.el7.x86_64
> > with
> > BIND9_DLZ (bind-9.11.4-9.P2.el7.x86_64).
>
> First things first, remove sssd, it is not supported with Samba.
>
> Next, stop network manager altering /etc/resolv.conf
>
> Make /etc/hosts look like this:
>
> 127.0.0.1 localhost
> ::1 localhost
> 172.27.28.1 ccdc1.corp.local
>
> Just change the DCs info to match the DC it is on
>
> /etc/resolv.conf should look like this:
>
> search corp.local
> nameserver 172.27.2.1
>
> Again match the IP to the DC.
>
> Remove these lines from smb.conf:
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> You are breaking Samba by having them.

This recommendation, why?

The wiki says to add it [1]

[1]
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Enable_Extended_ACL_Support_in_the_smb.conf_File

I tried these fixes, but nothing changed. getent passwd and getent group stop working as soon as I change /etc/samba/smb.conf with WORKGROUP

> Make /etc/named.conf look like this:
>
> options {
> directory "/var/named";
> dump-file "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
> notify no;
> empty-zones-enable no;
> allow-query { any; };
> allow-query-cache { any; };
> forwarders { 8.8.8.8; 8.8.4.4; };
> allow-transfer { none; };
> dnssec-validation no;
> dnssec-enable no;
> dnssec-lookaside no;
> listen-on port 53 { 172.27.28.1; 127.0.0.1; };
> listen-on-v6 port 53 { ::1;};
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>
> };
>
> logging {
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> };
> };
>
> zone "." IN {
> type hint;
> file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
> include "/var/lib/samba/bind-dns/named.conf";
>
> The howto you ultimately linked to tells you to open ports 1024:5000
> in
> the firewall, this is now incorrect, you need to open ports 49152-
> 65535
>
> > REPO server is Domain_Member [3] with Idmap_config_ad, of DOMAIN
> > corp
> > and I'm testing with SambaAD-4.10.9 or 10.
> >
> > What else ?
> > getent passwd and getent group just works with previous
> > configuration
> > and stop when I set the workgroup in idmap when you wrote "it MUST
> > be
> > workgroup not realm"
> >
> >
> > Notes on script :
> > Centos 7 dns configuration is on /etc/named.conf not in
> > /etc/bind/named.conf I had to hack a little the script and for dpkg
> > -l,
> > I replaced with rpm -qa
> >
> >
> > [1]
> > https://paste.centos.org/view/8d205024
> > https://paste.centos.org/view/bba5f6c4
> >
> > [2]
> > https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/
> >
> > [3]
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> Fix your DCs and see how you go on ;-)
>
> Rowland
>
>
-- 
Sérgio M. B.
Rowland penny
2019-Nov-28 20:09 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On 28/11/2019 20:01, Sérgio Basto wrote:
> This recommendation, why? The wiki says to add it [1]
> [1]
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Enable_Extended_ACL_Support_in_the_smb.conf_File

Yes, but under it, in a bright orange warning box, it says this:

On a Samba Active Directory (AD) domain controller (DC), extended ACL support is automatically enabled globally. You must not enable the support manually.

> I tried these fixes, but nothing changed. getent passwd and getent group
> stop working as soon as I change /etc/samba/smb.conf with
> WORKGROUP
>

Did you make all the changes on the DCs that I suggested?

Rowland