Rowland penny
2019-Nov-29 17:19 UTC
[Samba] security = ads parameter not working in samba 4.9.5
Let's start by removing this: krb5-server-1.15.1-37.el7_7.2.x86_64. And if it is installed on the DCs, remove it from them as well.

Not sure if I asked this, but where did you get the Samba packages from?

Can I also point out, when I ask for the output of the script in a post here, I mean here, not somewhere on the internet that can and will disappear. If needed, I can then review the output easily; I cannot if it has disappeared, so, to make sure it doesn't disappear, here is your latest output:

Collected config --- 2019-11-29-16:51

-----------

Hostname: estagiov2
DNS Domain: corp.local
FQDN: estagiov2.corp.local
ipaddress: 172.27.2.56

-----------

Kerberos SRV _kerberos._tcp.corp.local record verified ok, sample output:
Server:     172.27.28.1
Address:    172.27.28.1#53

_kerberos._tcp.corp.local   service = 0 100 88 aldc3.corp.local.
_kerberos._tcp.corp.local   service = 0 100 88 ccdc1.corp.local.
_kerberos._tcp.corp.local   service = 0 100 88 ccdc2.corp.local.

Samba is running as a Unix domain member

-----------
Checking file: /etc/os-release

NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

-----------

This computer is running an unknown distribution x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9c:25:86 brd ff:ff:ff:ff:ff:ff
    inet 172.27.2.56/22 brd 172.27.3.255 scope global noprefixroute ens160
    inet6 fe80::bbc2:13a4:154:7fb8/64 scope link noprefixroute

-----------
Checking file: /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.27.2.56 estagiov2.corp.local estagiov2

-----------

Checking file: /etc/resolv.conf

# Generated by NetworkManager
search corp.local
nameserver 172.27.28.1
nameserver 172.27.2.5

-----------

Checking file: /etc/krb5.conf

[libdefaults]
default_realm = CORP.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

-----------

Checking file: /etc/nsswitch.conf

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#   nisplus                 Use NIS+ (NIS version 3)
#   nis                     Use NIS (NIS version 2), also called YP
#   dns                     Use DNS (Domain Name Service)
#   files                   Use the local files
#   db                      Use the local database (.db) files
#   compat                  Use NIS on compat mode
#   hesiod                  Use Hesiod for user lookups
#   [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

#passwd:     files winbind sss
#shadow:     files sss
#group:      files winbind sss
passwd:     files winbind
shadow:     files
group:      files winbind
#initgroups: files sss

#hosts:     db files nisplus nis dns
hosts:      files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   nisplus sss

publickey:  nisplus

automount:  files nisplus sss
aliases:    files nisplus

-----------

Checking file: /etc/samba/smb.conf

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
#netbios name = ESTAGIOV2
workgroup = CORP
realm = CORP.LOCAL
security = ADS
log file = /var/log/samba/%m.log
log level = 9
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999

# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config CORP:backend = ad
idmap config CORP:schema_mode = rfc2307
idmap config CORP:range = 10000-999999
idmap config CORP:unix_nss_info = yes

# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
username map = /var/lib/samba/user.map


# printing = cups
# printcap name = cups
# load printers = yes
# cups options = raw

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775

[]
path = /srv/samba//
read only = no

-----------

Running as Unix domain member and user.map detected.

Contents of /var/lib/samba/user.map

!root = CORP\Administrator CORP\administrator

Server Role is set to : auto

-----------

Installed packages:
samba-common-tools-4.10.10-2.el7.x86_64
samba-dc-libs-4.10.10-2.el7.x86_64
samba-dc-bind-dlz-4.10.10-2.el7.x86_64
samba-python-test-4.10.10-2.el7.x86_64
pyxattr-0.5.1-5.el7.x86_64
krb5-workstation-1.15.1-37.el7_7.2.x86_64
samba-python-4.10.10-2.el7.x86_64
samba-client-4.10.10-2.el7.x86_64
samba-4.10.10-2.el7.x86_64
samba-dc-4.10.10-2.el7.x86_64
samba-test-4.10.10-2.el7.x86_64
samba-winbind-krb5-locator-4.10.10-2.el7.x86_64
samba-winbind-clients-4.10.10-2.el7.x86_64
samba-pidl-4.10.10-2.el7.noarch
krb5-server-1.15.1-37.el7_7.2.x86_64
samba-winbind-modules-4.10.10-2.el7.x86_64
samba-common-libs-4.10.10-2.el7.x86_64
samba-python-dc-4.10.10-2.el7.x86_64
libsmbclient-4.10.10-2.el7.x86_64
libacl-2.2.51-14.el7.x86_64
samba-libs-4.10.10-2.el7.x86_64
samba-test-libs-4.10.10-2.el7.x86_64
samba-krb5-printing-4.10.10-2.el7.x86_64
libattr-2.4.46-13.el7.x86_64
krb5-libs-1.15.1-37.el7_7.2.x86_64
acl-2.2.51-14.el7.x86_64
samba-common-4.10.10-2.el7.noarch
samba-client-libs-4.10.10-2.el7.x86_64
samba-winbind-4.10.10-2.el7.x86_64

-----------

Rowland
Sérgio Basto
2019-Nov-29 18:17 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On Fri, 2019-11-29 at 17:19 +0000, Rowland penny via samba wrote:
> Lets start by removing this: krb5-server-1.15.1-37.el7_7.2.x86_64

ATM I can't, it will remove all samba packages :)

> And if it is installed on the DCs remove it from them as well.

OK, I will try to remove krb5-server; Monday I will give you feedback.

> Not sure if I asked this, but where did you get the Samba packages
> from ?

My packages are made by me [1], but they are similar to Nico Kadel-Garcia's rpms [2].

[1] https://github.com/sergiomb2/sambaad
The first patch is for disabling MIT Kerberos integration and enabling optional Heimdal Kerberos with Domain Controller functionality in the Redhat/Fedora package, i.e. with MIT Kerberos we do not have a fully functional PDC.

[2] https://github.com/nkadel/samba4repo
https://lists.samba.org/archive/samba/2019-October/226703.html

> Can I also point out, when I ask for the output of the script in a post
> here, I mean here, not somewhere on the internet that can and will
> disappear. If needed, I can then review the output easily, I cannot, if
> it has disappeared, so, to make sure it doesn't disappear, here is your
> latest output:

OK, /var/log/samba/winbindd.log has a lot of "Could not convert sid" NT_STATUS_NONE_MAPPED messages, which is very strange.

> Collected config --- 2019-11-29-16:51
> [...]

-- 
Sérgio M. B.
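Both the smb.conf quoted in Rowland's post and the winbindd "Could not convert sid ... NT_STATUS_NONE_MAPPED" messages Sérgio mentions turn on the idmap configuration. The following is an added example, not code from the thread or from Samba: a small Python checker that parses the "idmap config" lines of an smb.conf, enforces the two rules stated in the config's own comments (the default (*) domain must use a writable backend, and no two ranges may overlap), and reports whether a given uidNumber or gidNumber falls inside the domain's range, which with "backend = ad" is one common reason winbind cannot map a SID. The sample input is the thread's own idmap block; the function names and the writable-backend list are this example's own assumptions.

```python
"""
Sanity checks for the 'idmap config' lines of a Samba domain-member
smb.conf.  Added illustration for this thread, not Samba's own code.
"""
import re

# Constructed sample input: the idmap-related [global] lines from the
# smb.conf quoted in the thread (workgroup CORP, backend ad, rfc2307).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = CORP
   realm = CORP.LOCAL
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999
   idmap config CORP:backend = ad
   idmap config CORP:schema_mode = rfc2307
   idmap config CORP:range = 10000-999999
   idmap config CORP:unix_nss_info = yes
"""

# 'idmap config <DOMAIN> : <option> = <value>'; smb.conf tolerates spaces
# around the colon, and option names are case-insensitive.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)

# Backends this checker accepts for the default (*) domain (assumption:
# the ones that are writable and therefore usable for BUILTIN mappings).
WRITABLE_DEFAULT_BACKENDS = ("tdb", "autorid")


def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} for every idmap config line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains


def parse_range(value):
    """'10000-999999' -> (10000, 999999); rejects inverted or malformed ranges."""
    lo, hi = (int(x) for x in value.split("-"))
    if lo >= hi:
        raise ValueError(f"bad idmap range {value!r}")
    return lo, hi


def check_idmap(conf_text, workgroup):
    """Return a list of problems; an empty list means the idmap block looks sane."""
    problems = []
    domains = parse_idmap(conf_text)

    default = domains.get("*")
    if default is None:
        problems.append("no 'idmap config * : ...' default domain (needed for BUILTIN SIDs)")
    else:
        if default.get("backend", "").lower() not in WRITABLE_DEFAULT_BACKENDS:
            problems.append("default (*) domain must use a writable backend such as tdb")
        if "range" not in default:
            problems.append("default (*) domain has no range")

    wg = workgroup.upper()
    dom = domains.get(wg)
    if dom is None:
        problems.append(f"no idmap config for domain {wg}")
    else:
        for needed in ("backend", "range"):
            if needed not in dom:
                problems.append(f"domain {wg} has no {needed}")

    # Ranges of different domains must not overlap, or one UID/GID could
    # stand for two different SIDs.
    ranges = {d: parse_range(o["range"]) for d, o in domains.items() if "range" in o}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    return problems


def id_mappable(conf_text, workgroup, unix_id):
    """True if unix_id lies inside the workgroup's idmap range.

    With 'backend = ad' winbind only maps a user or group whose
    uidNumber/gidNumber falls inside this range; an ID outside it (or a
    missing attribute) shows up as NT_STATUS_NONE_MAPPED in winbindd.log.
    """
    dom = parse_idmap(conf_text).get(workgroup.upper(), {})
    if "range" not in dom:
        return False
    lo, hi = parse_range(dom["range"])
    return lo <= unix_id <= hi


if __name__ == "__main__":
    import sys
    # Check a real file if one is given on the command line, else the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    wg = sys.argv[2] if len(sys.argv) > 2 else "CORP"
    for p in check_idmap(text, wg) or ["idmap config looks sane"]:
        print(p)
```

Run it as `python3 idmap_check.py /etc/samba/smb.conf CORP` on the member server; if it reports nothing, the next thing to look at for a NONE_MAPPED SID is whether that object actually has a uidNumber/gidNumber inside the CORP range, which `id_mappable()` answers for a given number.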
Rowland penny
2019-Nov-29 18:33 UTC
[Samba] security = ads parameter not working in samba 4.9.5
On 29/11/2019 18:17, Sérgio Basto via samba wrote:
> On Fri, 2019-11-29 at 17:19 +0000, Rowland penny via samba wrote:
>> Lets start by removing this: krb5-server-1.15.1-37.el7_7.2.x86_64
> ATM I can't, it will remove all samba packages :)

Then your packages are depending on the krb5-server package, which is MIT, which is experimental. This shouldn't be a problem on a Unix domain member, but there is absolutely no need for it. Are you absolutely wedded to Red Hat? It is so much easier with Debian-based distros ;-)

Rowland