Rowland penny
2019-Nov-28 20:32 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On 28/11/2019 20:26, Sérgio Basto wrote:
> On Thu, 2019-11-28 at 20:09 +0000, Rowland penny via samba wrote:
>> On 28/11/2019 20:01, Sérgio Basto wrote:
>>> This recommendation, why? The wiki says to add it [1]
>>> [1]
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Enable_Extended_ACL_Support_in_the_smb.conf_File
>> Yes, but under it, in a bright orange warning box, it says this:
>>
>> On a Samba Active Directory (AD) domain controller (DC), extended ACL
>> support is automatically enabled globally. You must not enable the
>> support manually.
>>
>>> I tried these fixes, but nothing changed; getent passwd and getent group
>>> stop working as soon as I change /etc/samba/smb.conf with WORKGROUP
>>>
>> Did you make all the changes on the DCs that I suggested?
> yes

OK, then run the script you downloaded on the Unix domain member and paste the output into a post here.

Rowland
Sérgio Basto
2019-Nov-29 16:57 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On Thu, 2019-11-28 at 20:32 +0000, Rowland penny via samba wrote:
> On 28/11/2019 20:26, Sérgio Basto wrote:
> > On Thu, 2019-11-28 at 20:09 +0000, Rowland penny via samba wrote:
> > > On 28/11/2019 20:01, Sérgio Basto wrote:
> > > > This recommendation, why? The wiki says to add it [1]
> > > > [1]
> > > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Enable_Extended_ACL_Support_in_the_smb.conf_File
> > > Yes, but under it, in a bright orange warning box, it says this:
> > >
> > > On a Samba Active Directory (AD) domain controller (DC), extended ACL
> > > support is automatically enabled globally. You must not enable the
> > > support manually.
> > >
> > > > I tried these fixes, but nothing changed; getent passwd and getent group
> > > > stop working as soon as I change /etc/samba/smb.conf with WORKGROUP
> > > >
> > > Did you make all the changes on the DCs that I suggested?
> > yes
>
> OK, then run the script you downloaded on the Unix domain member and
> paste the output into a post here.

CentOS Linux release 7.7.1908 (Core) [1] is a testing machine called estagiov2.

[1] https://paste.centos.org/view/2d7551e8

Nothing changed. I send here winbindd.log [2]; lots of "Could not convert sid S-1-5-21-blabla : NT_STATUS_NO_SUCH_USER".

[2] https://paste.centos.org/view/a91c3708

> Rowland

-- 
Sérgio M. B.
Rowland penny
2019-Nov-29 17:19 UTC
[Samba] security = ads parameter not working in samba 4.9.5
Let's start by removing this: krb5-server-1.15.1-37.el7_7.2.x86_64
And if it is installed on the DCs remove it from them as well.
Not sure if I asked this, but where did you get the Samba packages from?
Can I also point out, when I ask for the output of the script in a post
here, I mean here, not somewhere on the internet that can and will
disappear. If needed, I can then review the output easily; I cannot if
it has disappeared. So, to make sure it doesn't disappear, here is your
latest output:
Collected config --- 2019-11-29-16:51 -----------
Hostname: estagiov2
DNS Domain: corp.local
FQDN: estagiov2.corp.local
ipaddress: 172.27.2.56
-----------
Kerberos SRV _kerberos._tcp.corp.local record verified ok, sample output:
Server: 172.27.28.1
Address: 172.27.28.1#53
_kerberos._tcp.corp.local service = 0 100 88 aldc3.corp.local.
_kerberos._tcp.corp.local service = 0 100 88 ccdc1.corp.local.
_kerberos._tcp.corp.local service = 0 100 88 ccdc2.corp.local.
Samba is running as a Unix domain member
-----------
Checking file: /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
-----------
This computer is running an unknown distribution x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
group default qlen 1000
link/ether 00:50:56:9c:25:86 brd ff:ff:ff:ff:ff:ff
inet 172.27.2.56/22 brd 172.27.3.255 scope global noprefixroute ens160
inet6 fe80::bbc2:13a4:154:7fb8/64 scope link noprefixroute
-----------
Checking file: /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.27.2.56 estagiov2.corp.local estagiov2
-----------
Checking file: /etc/resolv.conf
# Generated by NetworkManager
search corp.local
nameserver 172.27.28.1
nameserver 172.27.2.5
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = CORP.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
#passwd: files winbind sss
#shadow: files sss
#group: files winbind sss
passwd: files winbind
shadow: files
group: files winbind
#initgroups: files sss
#hosts: db files nisplus nis dns
hosts: files dns myhostname
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: nisplus sss
publickey: nisplus
automount: files nisplus sss
aliases: files nisplus
-----------
Checking file: /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
#netbios name = ESTAGIOV2
workgroup = CORP
realm = CORP.LOCAL
security = ADS
log file = /var/log/samba/%m.log
log level = 9
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config CORP:backend = ad
idmap config CORP:schema_mode = rfc2307
idmap config CORP:range = 10000-999999
idmap config CORP:unix_nss_info = yes
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
username map = /var/lib/samba/user.map
# printing = cups
# printcap name = cups
# load printers = yes
# cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
[]
path = /srv/samba//
read only = no
-----------
Running as Unix domain member and user.map detected.
Contents of /var/lib/samba/user.map
!root = CORP\Administrator CORP\administrator
Server Role is set to : auto
-----------
Installed packages:
samba-common-tools-4.10.10-2.el7.x86_64
samba-dc-libs-4.10.10-2.el7.x86_64
samba-dc-bind-dlz-4.10.10-2.el7.x86_64
samba-python-test-4.10.10-2.el7.x86_64
pyxattr-0.5.1-5.el7.x86_64
krb5-workstation-1.15.1-37.el7_7.2.x86_64
samba-python-4.10.10-2.el7.x86_64
samba-client-4.10.10-2.el7.x86_64
samba-4.10.10-2.el7.x86_64
samba-dc-4.10.10-2.el7.x86_64
samba-test-4.10.10-2.el7.x86_64
samba-winbind-krb5-locator-4.10.10-2.el7.x86_64
samba-winbind-clients-4.10.10-2.el7.x86_64
samba-pidl-4.10.10-2.el7.noarch
krb5-server-1.15.1-37.el7_7.2.x86_64
samba-winbind-modules-4.10.10-2.el7.x86_64
samba-common-libs-4.10.10-2.el7.x86_64
samba-python-dc-4.10.10-2.el7.x86_64
libsmbclient-4.10.10-2.el7.x86_64
libacl-2.2.51-14.el7.x86_64
samba-libs-4.10.10-2.el7.x86_64
samba-test-libs-4.10.10-2.el7.x86_64
samba-krb5-printing-4.10.10-2.el7.x86_64
libattr-2.4.46-13.el7.x86_64
krb5-libs-1.15.1-37.el7_7.2.x86_64
acl-2.2.51-14.el7.x86_64
samba-common-4.10.10-2.el7.noarch
samba-client-libs-4.10.10-2.el7.x86_64
samba-winbind-4.10.10-2.el7.x86_64
-----------
Rowland
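The idmap comments in the smb.conf above carry two rules that are easy to get wrong on a domain member: the default `*` domain needs a writable backend such as tdb, and its range must not overlap any real domain's range. The following checker, an added example that is not part of the thread or of Samba, parses `idmap config` lines from a constructed copy of the posted config and reports range overlaps and backend mistakes; the `WRITABLE_BACKENDS` set and the `BAD_CONF` variant are assumptions made for the example. Note that with `backend = ad` winbind allocates no IDs itself, so a user without a `uidNumber` inside the domain range simply is not mapped, which is one common cause of the `NT_STATUS_NO_SUCH_USER` lines seen in the winbindd log.

```python
import re

# Constructed smb.conf fragment modelled on the domain member config posted in the thread.
SMB_CONF = """
[global]
workgroup = CORP
realm = CORP.LOCAL
security = ADS
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config CORP:backend = ad
idmap config CORP:schema_mode = rfc2307
idmap config CORP:range = 10000-999999
"""
# Constructed variant in which the default range collides with the CORP range.
BAD_CONF = SMB_CONF.replace("1000000-1999999", "500000-1999999")

IDMAP_RE = re.compile(r"idmap config\s*([^:]+?)\s*:\s*(\w+)\s*=\s*(.+)$", re.IGNORECASE)
WRITABLE_BACKENDS = {"tdb", "tdb2", "autorid"}  # assumed set of backends that can allocate new ids

def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line in [global]."""
    domains, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        m = IDMAP_RE.match(line) if section == "global" else None
        if m:  # domain names are case-insensitive; '*' stays '*'
            domains.setdefault(m.group(1).strip().upper(), {})[m.group(2).lower()] = m.group(3).strip()
    return domains

def check_idmap(domains):
    """Return a list of problems; an empty list means ranges and backends are consistent."""
    problems, ranges = [], {}
    default = domains.get("*")
    if default is None:
        problems.append("missing 'idmap config *' default domain")
    elif default.get("backend") not in WRITABLE_BACKENDS:
        problems.append("default domain needs a writable backend such as tdb, got %r" % default.get("backend"))
    for dom, opts in domains.items():
        rng = opts.get("range", "")
        if not re.fullmatch(r"\d+\s*-\s*\d+", rng):
            problems.append("%s: range missing or malformed (%r)" % (dom, rng))
            continue
        lo, hi = (int(x) for x in rng.split("-"))
        if lo >= hi:
            problems.append("%s: range low end %d is not below high end %d" % (dom, lo, hi))
        ranges[dom] = (lo, hi)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:  # every pair, so '*' is checked against each real domain
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append("ranges of %s (%d-%d) and %s (%d-%d) overlap" % (a, alo, ahi, b, blo, bhi))
    return problems

def check_conf(conf_text):
    return check_idmap(parse_idmap(conf_text))
```

Run `check_conf` on the real `/etc/samba/smb.conf` contents; an empty list means the idmap part of the file satisfies the two rules, and any returned string names the domain to fix.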