Hi all,

I have successfully joined an Ubuntu 20.04 (focal) machine to an
Active Directory domain using ADS. Running the `net ads status` command
does not output the information that I expect.

This is an example of running `net ads status` on an Ubuntu 20.04
(focal) machine running Samba version 4.11.6-Ubuntu.

# net ads status
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
userAccountControl: 4096
sAMAccountName: VB-LNXMARKLIND1$
dNSHostName: vb-lnxmarklind1.example.com
servicePrincipalName: RestrictedKrbHost/VB-LNXMARKLIND1
servicePrincipalName: HOST/VB-LNXMARKLIND1
servicePrincipalName: RestrictedKrbHost/VB-LNXMARKLIND1.example.com
servicePrincipalName: HOST/VB-LNXMARKLIND1.example.com
msDS-SupportedEncryptionTypes: 31

This is an example of running `net ads status` on an Ubuntu 18.04
(bionic) machine running Samba version 4.7.6-Ubuntu.

# net ads status
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: PC35864-1931
description: SE
distinguishedName: CN=PC35864-1931,OU=Clients,OU=SE,OU=Example,DC=example,DC=com
instanceType: 4
whenCreated: 20190801125845.0Z
whenChanged: 20200513124018.0Z
uSNCreated: 395716025
memberOf: CN=radgroup,OU=Groups,OU=SE,OU=Example,DC=example,DC=com
uSNChanged: 424497188
name: PC35864-1931
objectGUID: 06df8355-2b1f-417b-acaa-9a25b51df1fc
userAccountControl: 69632
codePage: 0
countryCode: 0
lastLogon: 132344471312139041
localPolicyFlags: 0
pwdLastSet: 132091379258085988
primaryGroupID: 515
objectSid: S-1-5-21-1801674531-113007714-682003330-67625
accountExpires: 9223372036854775807
logonCount: 13
sAMAccountName: PC35864-1931$
sAMAccountType: 805306369
operatingSystem: Linux Client
operatingSystemVersion: Ubuntu bionic
operatingSystemServicePack: Samba 4.7.6-Ubuntu
dNSHostName: pc35864-1931.se.example.com
managedBy: CN=John Doe,OU=Users,OU=SE,OU=Example,DC=example,DC=com
userPrincipalName: host/pc35864-1931.se.example.com@EXAMPLE.COM
servicePrincipalName: HOST/pc35864-1931.se.example.com
servicePrincipalName: HOST/PC35864-1931
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com
isCriticalSystemObject: FALSE
dSCorePropagationData: 20190801130024.0Z
dSCorePropagationData: 20190801130024.0Z
dSCorePropagationData: 20190801130024.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132338463131471292
msDS-SupportedEncryptionTypes: 31

If we compare these two commands there are a lot of missing LDAP
attributes for the first command run on Ubuntu 20.04 running Samba
version 4.11.6-Ubuntu.

Both machines were joined to the same Active Directory domain using the
following command.

command

This is the Samba config being used (displayed using the testparm command).

# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Can't find include file /etc/samba/local_shares.conf
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
	client ldap sasl wrapping = seal
	disable netbios = Yes
	kerberos method = secrets and keytab
	lm announce = No
	logging = syslog at 1 file
	realm = EXAMPLE.COM
	restrict anonymous = 2
	security = ADS
	server min protocol = NT1
	template shell = /bin/bash
	winbind expand groups = 2
	winbind offline logon = Yes
	winbind refresh tickets = Yes
	winbind separator = +
	winbind use default domain = Yes
	workgroup = EXAMPLENET
	idmap config * : range = 300000-400000
	idmap config examplenet:unix_nss_info = yes
	idmap config examplenet:gid = 120-65535
	idmap config examplenet:uid = 120-65535
	idmap config examplenet:default = yes
	idmap config examplenet:range = 200-30000
	idmap config examplenet:backend = ad
	idmap config * : backend = tdb
	include = /etc/samba/local_shares.conf

Note: I have substituted the domain which I'm using with "example.com"
and the AD domain with "EXAMPLENET" for policy reasons.

Cheers!

--
Markus
On 03/06/2020 10:39, Markus Lindberg via samba wrote:
> Hi all,
>
> I have successfully joined an Ubuntu 20.04 (focal) machine to an
> Active Directory domain using ADS. Running the `net ads status` command
> does not output the information that I expect.
>
> This is an example of running `net ads status` on an Ubuntu 20.04
> (focal) machine running Samba version 4.11.6-Ubuntu.

Are you running this as a 'normal' user? I get something similar when
run as a normal user, but if I run it as myself (member of Domain
Admins), I get 464 lines.

> This is the Samba config being used (displayed using the testparm command).
>
> # testparm
>
> [global]
>
> server min protocol = NT1

Why 'NT1'?

> idmap config * : range = 300000-400000
> idmap config examplenet:unix_nss_info = yes
> idmap config examplenet:gid = 120-65535
> idmap config examplenet:uid = 120-65535
> idmap config examplenet:default = yes
> idmap config examplenet:range = 200-30000
> idmap config examplenet:backend = ad
> idmap config * : backend = tdb

Where did you get the 'idmap config examplenet:gid = 120-65535' line from?
Same goes for the 'uid' version as well.

'idmap config examplenet:default = yes' does not exist.

Why are you using the range '200-30000'?

Have you added any uidNumber and gidNumber attributes to AD?

> include = /etc/samba/local_shares.conf
>

What is in the include file?

Rowland
On 03/06/2020 12:44, Markus Lindberg wrote:
> I guess I'm running it as a 'normal' user as it is not a member of the
> 'Domain Admins' group. Though worth noting this does work on Ubuntu
> 18.04 running Samba version 4.7.6-Ubuntu. Have there been some added
> restrictions when running `net ads status`? In my case I think I'm
> authenticating using a Kerberos ticket using a (service) account which
> has some additional access apart from a 'normal' domain user. To
> reiterate, this worked before.

There have been numerous updates between 4.7.x and 4.11.x, any of these
could have caused the change.

>
>> This is the Samba config being used (displayed using the testparm command).
>>
>> # testparm
>>
>> [global]
>>
>> server min protocol = NT1
> Why 'NT1'?

You never explained why you are using 'NT1'.

> Not sure but I can update these options.

I hope by 'update' you mean 'remove' ;-)

>>> Why are you using the range '200-30000'?
> Same thing, I'm not sure, but I will update this one as well.
>
>>> Have you added any uidNumber and gidNumber attributes to AD?
> No, since we are not using Samba to authenticate any users on the Ubuntu
> machines. We only use Samba to join the computer to the Active Directory
> domain.

Reading between the lines, it sounds like you are using sssd, if so, you
need to configure smb.conf to use idmap_sss and have no shares. You
cannot use sssd with Samba >= 4.8.0 and have shares.

If you are going to use idmap_ad (backend = ad), then you must add
uidNumber and gidNumber attributes to AD.

>
>> include = /etc/samba/local_shares.conf
>>
>>> What is in the include file?
> This file is empty and is intended as a config for users to maintain
> since the main ("smb.conf") config is maintained by a configuration
> manager (CFEngine). For example if a user wants to set up a share.

This is wrong as well, for that you should be using usershares.

>
> I will most likely update the config to reflect the recommended options
> from the wiki [1].
>
> [1] https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba

Definitely read that, there is a lot of good info in it (and it will
save me typing it again) ;-)

Rowland
On 03/06/2020 15:38, Markus Lindberg wrote:
> Nope, we are using good old local accounts added to passwd and shadow.

Users added to /etc/passwd on an AD joined machine are just local users
and you cannot have the same username in /etc/passwd and AD.

> Does this apply _even_ if I'm using Samba to authenticate any users? I
> do not fully comprehend how Samba works, which I need to read up on. Is
> it perhaps used if a user mounts a network share via cifs?

If you use the winbind 'ad' backend, you must add a unique uidNumber to
your users in AD (which, as I said, must not exist in /etc/passwd), you
must also add a gidNumber attribute to Domain Users. All of these
numbers must be inside the DOMAIN range you set in smb.conf, for
instance, if your line is:

idmap config SAMDOM : range = 10000-999999

All the numbers must be inside '10000-999999' and you can have a user
with the same uidNumber as a group's gidNumber, i.e. a user's uidNumber
could be '10000' and the group Domain Users could have the gidNumber
'10000'.

If you do not want to add anything to AD, you could use the rid backend,
but you would need to use exactly the same smb.conf on all Unix
machines. The part about not having users & groups in /etc/passwd &
/etc/group and in AD would still apply though.

Rowland
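As an added example (not code from the thread or from the Samba project): a small POSIX sh audit that flags the smb.conf settings Rowland questioned in his two replies above, namely `server min protocol = NT1`, the `default`/`uid`/`gid` sub-options that idmap_ad does not have, and an idmap range that either starts inside the local-account UID space or overlaps another configured range. The sample config is a constructed excerpt of the poster's testparm dump, and the assumption that local UIDs start at 1000 is this script's own (match it to UID_MIN in /etc/login.defs).

```shell
#!/bin/sh
# Added example, not from the thread: audit an smb.conf for the settings
# Rowland questioned. The sample config is a constructed excerpt of the
# poster's testparm dump; the "local UIDs start at 1000" floor is this
# script's assumption (adjust to UID_MIN in /etc/login.defs).
set -f   # no pathname expansion: the idmap domain "*" is a literal here

# Constructed sample: the relevant lines of the poster's [global] section.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
	realm = EXAMPLE.COM
	security = ADS
	server min protocol = NT1
	workgroup = EXAMPLENET
	idmap config * : range = 300000-400000
	idmap config examplenet:unix_nss_info = yes
	idmap config examplenet:gid = 120-65535
	idmap config examplenet:uid = 120-65535
	idmap config examplenet:default = yes
	idmap config examplenet:range = 200-30000
	idmap config examplenet:backend = ad
	idmap config * : backend = tdb
EOF
}

# Normalise "key = value" lines so the checks can match exact strings:
# strip leading blanks and the blanks around ':' and '='.
norm() {
    sed -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*:[[:space:]]*/:/' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

# Usage: lint_smbconf FILE  -> one finding per line (empty output = clean)
lint_smbconf() {
    seen=""
    norm "$1" | while IFS= read -r line; do
        case "$line" in
            "server min protocol=NT1"|"server min protocol=LANMAN"*|"server min protocol=CORE"*)
                echo "WEAK: '$line' still accepts SMB1; remove it so the Samba 4.11 default (SMB2_02) applies" ;;
            "idmap config "*":default="*|"idmap config "*":uid="*|"idmap config "*":gid="*)
                echo "UNKNOWN: '$line' is not an idmap_ad option and configures nothing" ;;
            "idmap config "*":range="*)
                dom=${line#idmap config }; dom=${dom%%:*}
                rng=${line##*=}; lo=${rng%-*}; hi=${rng#*-}
                if [ "$lo" -lt 1000 ]; then
                    echo "RISK: range $rng for '$dom' starts below 1000 and can collide with local /etc/passwd UIDs"
                fi
                # Every configured range must be disjoint from the others.
                for prev in $seen; do
                    pdom=${prev%%=*}; prng=${prev#*=}
                    plo=${prng%-*}; phi=${prng#*-}
                    if [ "$lo" -le "$phi" ] && [ "$plo" -le "$hi" ]; then
                        echo "OVERLAP: range $rng for '$dom' overlaps $prng for '$pdom'"
                    fi
                done
                seen="$seen $dom=$rng" ;;
        esac
    done
}

# Stand-alone use:  sh lint_smbconf.sh /etc/samba/smb.conf
if [ -n "${1:-}" ]; then
    lint_smbconf "$1"
fi
```

Run against the sample it reports five findings: one WEAK line for NT1, three UNKNOWN lines for the gid/uid/default sub-options, and one RISK line because `200-30000` sits on top of the UIDs local accounts get. Fixing the first two is deletion, exactly as Rowland says; the range needs to be moved above anything in /etc/passwd (and the uidNumber/gidNumber values in AD must then fall inside it).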
On 04/06/2020 07:57, Markus Lindberg wrote:
>> Nope, we are using good old local accounts added to passwd and shadow.
>>> Users added to /etc/passwd on an AD joined machine are just local users
>>> and you cannot have the same username in /etc/passwd and AD.
> That is fair.
>
>> Does this apply _even_ if I'm using Samba to authenticate any users? I
>> do not fully comprehend how Samba works, which I need to read up on. Is
>> it perhaps used if a user mounts a network share via cifs?
>>> If you use the winbind 'ad' backend, you must add a unique uidNumber to
>>> your users in AD (which, as I said, must not exist in /etc/passwd), you
>>> must also add a gidNumber attribute to Domain Users. All of these
>>> numbers must be inside the DOMAIN range you set in smb.conf, for
>>> instance, if your line is:
> I mistyped. What I meant to type is, does this apply _even_ if I'm *not*
> using Samba to authenticate any users? We only use Samba to join the
> computers to the domain. The user accounts are locally created and are
> not used from an identity management system.
> As mentioned I'm not particularly interested in authenticating any user
> accounts via Samba/Winbind, I'm only interested in joining the
> computers to our Active Directory domain.

If you do not want to authenticate users and groups, why are you joining
the computers to AD?

The whole idea behind AD is the centralisation of users and groups. If
you are using users and groups created locally on the computer (i.e.
they are not in AD), then you are not using AD even if the computer is
joined to AD.

I think you need to explain just what you are doing.

Rowland
On 04/06/2020 08:17, Markus Lindberg wrote:
>> If you do not want to authenticate users and groups, why are you joining
>> the computers to AD?
>>
>> The whole idea behind AD is the centralisation of users and groups. If
>> you are using users and groups created locally on the computer (i.e.
>> they are not in AD), then you are not using AD even if the computer is
>> joined to AD.
>>
>> I think you need to explain just what you are doing.
> We are joining the computers to the AD since we are using 802.1x
> combined with RADIUS to place computers in an AD group that is tied to a
> RADIUS group. This allows us to place computers in different VLANs
> based on the RADIUS group. When we join the computer to the AD it gets
> created in a specific container, then we do _some_ changes to the
> computer object, placing it into an AD group for example.
>
> --
> Markus

What then, there must be users and groups involved (there is at least
one user, the computer), where do they come from?

Rowland
On 04/06/2020 08:48, Markus Lindberg wrote:
>>>> If you do not want to authenticate users and groups, why are you joining
>>>> the computers to AD?
>>>>
>>>> The whole idea behind AD is the centralisation of users and groups. If
>>>> you are using users and groups created locally on the computer (i.e.
>>>> they are not in AD), then you are not using AD even if the computer is
>>>> joined to AD.
>>>>
>>>> I think you need to explain just what you are doing.
>>> We are joining the computers to the AD since we are using 802.1x
>>> combined with RADIUS to place computers in an AD group that is tied to a
>>> RADIUS group. This allows us to place computers in different VLANs
>>> based on the RADIUS group. When we join the computer to the AD it gets
>>> created in a specific container, then we do _some_ changes to the
>>> computer object, placing it into an AD group for example.
>> What then, there must be users and groups involved (there is at least
>> one user, the computer), where do they come from?
> I think the computer account is created when I join the computers. This
> is the command I run when I join the computer to the AD.
>
> net ads join -k createcomputer=Admin/Staging/Client-Lnx createupn="host/`hostname -f`@EXAMPLE.COM" osName='Linux Client' osVer="$(echo -n $(lsb_release -s -i -c))"
>
> After that has finished I'm able to run `net ads status` by
> authenticating "as the computer", like so.
>
> net ads status -P
>
> --
> Markus

Ah, I think I understand what you are doing now, but I think you must be
running the command as root. If I run the command it just errors out
'ERROR: Unable to open secrets database', but if I run it using sudo, I
get a similar output as yours.

You are quite correct, '-P' means use the machine account and this is a
very unprivileged user.

Rowland
On 04/06/2020 10:00, Markus Lindberg wrote:
>> Ah, I think I understand what you are doing now, but I think you must be
>> running the command as root. If I run the command it just errors out
>> 'ERROR: Unable to open secrets database', but if I run it using sudo, I
>> get a similar output as yours.
>>
>> You are quite correct, '-P' means use the machine account and this is a
>> very unprivileged user.
> That is fair. When I run the `net ads status` command I run it as a
> somewhat 'normal' user. I can always authenticate with an AD account if
> I supply the '-U' flag or if I supply the '-k' flag (if `kinit` has
> been run). I always get the exact same stripped output.
>
> The attribute that I'm looking for is the 'distinguishedName' attribute.
> But it is not displayed when I run `net ads status` and I suspect that
> _something_ has changed that limits this output. So my question is, has
> this been changed? If so I need to find another way to fetch this
> attribute.
>
> --
> Markus

I suppose it must have changed, but you can get it with something like
this:

ldbsearch -H ldap://$(host -t SRV _ldap._tcp.pdc._msdcs.$(hostname -d) | awk '{print $NF}') -P "(sAMAccountName=$(hostname -s)\$)" distinguishedName | grep 'distinguishedName' | awk '{print $NF}'

It will involve installing ldb-tools.

Rowland
On 04/06/2020 10:53, Markus Lindberg wrote:
>> ldbsearch -H ldap://$(host -t SRV _ldap._tcp.pdc._msdcs.$(hostname -d) |
>> awk '{print $NF}') -P "(sAMAccountName=$(hostname -s)\$)"
>> distinguishedName | grep 'distinguishedName' | awk '{print $NF}'
>>
>> It will involve installing ldb-tools.
> Thanks, I guess I can use `net ads search` as well, like this for
> example.
>
> net -P ads search "(&(objectCategory=computer)(cn=$(hostname)))" | sed -ne 's/distinguishedName: //p'
>
> Or is this not a recommended tool to use?
>
> --
> Markus

I don't see why you couldn't use that, it produces the same output as
mine.

Isn't Linux wonderful, numerous ways of doing the same thing ;-)

Rowland
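An added example, not code from the thread or from Samba: a POSIX sh/awk helper that pulls one attribute out of LDIF-style output such as `ldbsearch` or `net ads search` produce. It covers the two cases the one-liners above (Rowland's `grep | awk '{print $NF}'` and Markus's `sed -ne 's/distinguishedName: //p'`) silently get wrong: a long value folded onto a continuation line (a leading space, as in the wrapped userPrincipalName in the first post; RFC 2849 folding) comes back truncated, and a base64 `attr::` value (used for non-ASCII or leading/trailing spaces, e.g. an OU with a non-ASCII name in the DN) comes back undecoded. Attribute names are matched case-insensitively, as AD treats them. The sample record is constructed from the bionic output in the thread; the DN is folded and `description: SE` is base64-encoded on purpose to exercise both paths.

```shell
#!/bin/sh
# Added example, not from the thread: extract one attribute from LDIF-style
# output (ldbsearch, net ads search, net ads status) robustly.
#   - folded values: a continuation line starts with one space (RFC 2849)
#   - base64 values: "attr:: <base64>" for non-ASCII or padded values
# Attribute names are compared case-insensitively, as AD does.

tab=$(printf '\t')

# Usage: <ldif on stdin> | ldif_attr ATTRIBUTE   -> one decoded value per line
ldif_attr() {
    awk -v want="$1" '
        function flush(   i, k, v, out) {
            if (buf == "") return
            i = index(buf, ":")
            if (i == 0) { buf = ""; return }        # comments, blank lines, "# record N"
            k = substr(buf, 1, i - 1)
            v = substr(buf, i + 1)
            b64 = 0
            if (substr(v, 1, 1) == ":") { b64 = 1; v = substr(v, 2) }
            sub(/^ +/, "", v)
            if (tolower(k) == tolower(want)) {
                out = (b64 ? "b" : "r") "\t" v   # tag so the shell knows whether to decode
                print out
            }
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }     # unfold a continuation line
        { flush(); buf = $0 }
        END { flush() }
    ' | while IFS="$tab" read -r kind val; do
        if [ "$kind" = "b" ]; then
            printf '%s' "$val" | base64 -d
            echo
        else
            printf '%s\n' "$val"
        fi
    done
}

# Constructed sample, modelled on the bionic output in the thread: the DN is
# folded across two lines and "description: SE" is base64-encoded ("U0U=").
sample_ldif() {
    cat <<'EOF'
objectClass: top
objectClass: computer
cn: PC35864-1931
distinguishedName: CN=PC35864-1931,OU=Clients,OU=SE,OU=Example,DC=example,DC=
 com
description:: U0U=
sAMAccountName: PC35864-1931$
EOF
}

# Stand-alone demo:  sh ldif_attr.sh --demo
# On a joined host, replace sample_ldif with the real query, e.g.
#   net -P ads search "(sAMAccountName=$(hostname -s)\$)" distinguishedName | ldif_attr distinguishedName
if [ "${1:-}" = "--demo" ]; then
    sample_ldif | ldif_attr distinguishedName
fi
```

The search filter on sAMAccountName (the machine account, `HOSTNAME$`) is more precise than `cn=$(hostname)`, since `cn` is only the computer object's name and can differ in case from what `hostname` returns, while the machine account name is exactly what the host authenticates as with `-P`. Whichever filter you use, ask for `distinguishedName` explicitly: on 4.11 the default attribute set returned to the machine account is the stripped one shown at the top of the thread.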