Thanks to you and Louis for your guidance.
I really apologize for my lack of knowledge of AD and Samba; and I appreciate your patience and willingness to help.
And I apologize for not trimming the reply - don't know how much to retain...

The referenced document seems to be leveraging domain services that we're not using.
We are only using AD user authentication to access shares on AIX.
No single sign-on, no user administration/manipulation anywhere, no printer sharing.

Kerberos shouldn't be required, which one might think also means the imap settings shouldn't be required.
Although they may eventually embrace NTP, it is not configured today; without Kerberos, it isn't required.
We're not wanting to save any user credentials necessary in AIX to acquire access to the shares in AIX.

Testing DNS, everything is good until the "set type=SRV" _ldap_... test; it fails.
Kerberos is not installed on AIX.

The server name (hostname) was changed from the old FQDN to the new FQDN, and the /etc/hosts file was updated.
The security was changed from domain to ADS.

Testparm still reports the imap errors (see below).

# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        deadtime = 15
        interfaces = lo eth0 172.21.10.2/255.255.0.0
        load printers = No
        local master = No
        log file = /var/log/samba/log.%m
        max log size = 50
        realm = BOOST.COM
        security = ADS
        server string = Samba Server Version %v
        workgroup = BOOST
        idmap config domain : unix_nss_info = no
        idmap config * : backend = tdb
        case sensitive = Yes
        cups options = raw
        hide dot files = No

-----Original Message-----
From: Rowland penny <rpenny at samba.org>
Sent: Wednesday, February 5, 2020 4:36 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.10.6-1 Configuration on AIX

On 05/02/2020 00:25, Bob Wyatt via samba wrote:
> The below Globals section is reporting some testparm failures that don't
> make sense to me.
>
> Perhaps someone could shine a light for me?
>
> This is a new installation - from 3.6.23 to 4.10.6-1.
> Necessitated by a Windows Server 2016 DC being installed.
>
> The following is the Global section.service of the config file as written:
>
> [global]
> workgroup = boost
> realm = boost.com
> server string = Samba Server Version %v
> interfaces = lo eth0 172.21.10.2/255.255.0.0
> case sensitive = Yes
> hide dot files = No
> log file = /var/log/samba/log.%m
> max log size = 50
> security = domain

Wrong security, it should be 'ADS' against an AD domain

> passdb backend = tdbsam
> encrypt passwords = yes
> deadtime = 15
> local master = no
> load printers = no
> cups options = raw
>
> I haven't found what needs to be done to resolve the idmap error(s).

Try reading our documentation:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

> At the time this was run, this server has not been added to the domain, and
> samba won't start on the server.

You need to fix your smb.conf, join the machine to the domain and start smbd and winbind, you can also optionally start nmbd.

> The log file reports:
>
> # more log.smbd
>
> [2020/02/04 16:54:58.777558, 0] ../../source3/smbd/server.c:1788(main)
>   smbd version 4.10.6 started.
>   Copyright Andrew Tridgell and the Samba Team 1992-2019
> [2020/02/04 16:54:59.158430, 0] ../../source3/auth/auth_util.c:1386(make_new_session_info_guest)
>   create_local_token failed: NT_STATUS_NO_MEMORY
> [2020/02/04 16:54:59.166165, 0] ../../source3/smbd/server.c:2047(main)
>   ERROR: failed to setup guest info.

The above is because your smb.conf 'idmap config' lines are not set correctly.
On 05/02/2020 20:00, Bob Wyatt wrote:
> Thanks to you and Louis for your guidance.
> I really apologize for my lack of knowledge of AD and Samba; and I appreciate your patience and willingness to help.
> And I apologize for not trimming the reply - don't know how much to retain...
>
> The referenced document seems to be leveraging domain services that we're not using.
> We are only using AD user authentication to access shares on AIX.
> No single sign-on, no user administration/manipulation anywhere, no printer sharing.
>
> Kerberos shouldn't be required, which one might think also means the imap settings shouldn't be required.

Perhaps you should tell Microsoft that ;-)

> Although they may eventually embrace NTP, it is not configured today; without Kerberos, it isn't required.
> We're not wanting to save any user credentials necessary in AIX to acquire access to the shares in AIX.

No, sorry, but your client needs to have the same time as the DC (+/- 5 mins), so if you haven't installed an NTP client, I suggest you do.

> Testing DNS, everything is good until the "set type=SRV" _ldap_... test; it fails.
> Kerberos is not installed on AIX.

Then install the AIX versions of the kerberos client packages, but do not install a kerberos server (kdc), that is on your DC.

> The server name (hostname) was changed from the old FQDN to the new FQDN, and the /etc/hosts file was updated.
> The security was changed from domain to ADS.
>
> Testparm still reports the imap errors (see below).

That is because you still haven't got the correct 'idmap config' lines. Do you have, or want to have rfc2307 attributes in AD, if so, read this:
https://wiki.samba.org/index.php/Idmap_config_ad
If you haven't any rfc2307 attributes and do not want to add them, see here:
https://wiki.samba.org/index.php/Idmap_config_rid
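A small check for the 'idmap config' lines the reply above keeps pointing at, added here as an example (it is not code from the thread or from the Samba project): it reproduces testparm's complaint about the missing range for '*', flags an idmap domain name that is not the workgroup (the literal 'domain' left in the dump earlier in the thread), and catches overlapping ranges. The config text is constructed, and the 3000-7999 / 10000-999999 ranges are assumed values, not settings from the thread.

```python
import re

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
KEYVAL_RE = re.compile(r"^\s*([^=#;\[]+?)\s*=\s*(.*?)\s*$")

def parse_global(text):
    """Split [global] text into plain settings and per-domain idmap options."""
    settings, idmap = {}, {}
    for line in text.splitlines():
        if (m := IDMAP_RE.match(line)):
            dom, opt, val = m.groups()
            idmap.setdefault(dom.upper(), {})[opt.lower()] = val
        elif (m := KEYVAL_RE.match(line)):
            settings[m.group(1).lower()] = m.group(2)
    return settings, idmap

def parse_range(value):
    """'10000 - 999999' -> (10000, 999999); None if malformed or low >= high."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    return (int(m[1]), int(m[2])) if m and int(m[1]) < int(m[2]) else None

def check_idmap(text):
    """Return findings for the idmap lines; an empty list means they look sane."""
    settings, idmap = parse_global(text)
    workgroup, problems, ranges = settings.get("workgroup", "").upper(), [], {}
    required = ["*"] + ([workgroup] if settings.get("security", "").lower() == "ads" else [])
    for dom in required:  # testparm insists on a backend and a range for these
        conf = idmap.get(dom, {})
        if "backend" not in conf:
            problems.append(f"idmap config {dom}: no backend")
        if (rng := parse_range(conf.get("range", ""))) is None:
            problems.append(f"idmap config {dom}: missing or invalid range")
        else:
            ranges[dom] = rng
    for dom in idmap:  # e.g. a literal 'domain' placeholder copied from the docs
        if dom not in ("*", workgroup):
            problems.append(f"idmap config {dom}: not '*' or the workgroup '{workgroup}'")
    if "*" in ranges and workgroup in ranges:  # overlapping ranges hand out colliding IDs
        (a, b), (c, d) = ranges["*"], ranges[workgroup]
        if a <= d and c <= b:
            problems.append("idmap ranges for '*' and the workgroup overlap")
    return problems

# Constructed samples: the thread's broken lines, then a 'rid' fix with assumed ranges
BROKEN = ("workgroup = BOOST\nsecurity = ADS\n"
          "idmap config domain : unix_nss_info = no\nidmap config * : backend = tdb\n")
FIXED = ("workgroup = BOOST\nsecurity = ADS\n"
         "idmap config * : backend = tdb\nidmap config * : range = 3000-7999\n"
         "idmap config BOOST : backend = rid\nidmap config BOOST : range = 10000-999999\n")
```

check_idmap(BROKEN) reports four findings (no range for '*', no backend or range for BOOST, and the stray 'domain' section), while check_idmap(FIXED) returns an empty list.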
On Wednesday, 5 February 2020 13:11:27 PST Rowland penny via samba wrote:
> No, sorry, but your client needs to have the same time as the DC (+/- 5
> mins), so if you haven't installed an NTP client, I suggest you do.

Speaking of which, any suggestions on what's the best way to find out which NTP servers the client should be tuned to in AD DS? From what I understand, they are not necessarily the same hosts as the actual DCs, but I can't seem to find any specific info on how I can discover the NTP servers to use.
Thanks again for the continued help...

Current thinking is using rid for the backend does not place any new administrative functions on the staff - agree?
Begs questions of what is being written in smbpasswd, and do we have administrative work on AIX? Such as adding users and a group or two in the range specified for idmap? A mapping "table"?
If rid is hands-off administration, that's likely the way they want to go.

Going with rid - security is still ads?

Thanks again!
Bob Wyatt

-----Original Message-----
From: Rowland penny <rpenny at samba.org>
Sent: Wednesday, February 5, 2020 4:11 PM
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] Samba 4.10.6-1 Configuration on AIX
Sorry... A couple more questions...

I've installed krb5-libs and krb-workstation... this is all I need? I ask because the krb5 config file was not created on the system... One was "installed" to /opt/freeware/etc/krb5.conf, which could be copied over...

Do I need to install samba-winbind-krb5-locator?

Thank you for everything!

Regards,
Bob Wyatt

-----Original Message-----
From: Bob Wyatt <bwyatt_sub at comcast.net>
Sent: Thursday, February 6, 2020 9:27 PM
To: 'Rowland penny' <rpenny at samba.org>; 'sambalist' <samba at lists.samba.org>
Subject: RE: [Samba] Samba 4.10.6-1 Configuration on AIX