Rowland penny
2020-Jun-19 14:42 UTC
[Samba] SAMBA using existing users and passwords on Linux
On 19/06/2020 15:06, Fernando Gonçalves wrote:
> I will pass all the commands I used for installation and inclusion of
> the linux server in AD.
>
> Installation of KERBEROS 5 packages:
> #yum install krb5-server krb5-libs krb5-workstation

Why install krb5-server ? this is not required on a Unix domain member.

> I added the following lines to the /etc/krb5.conf file
> [libdefaults]
> default_realm = SAMDOM.EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false

Change the last line to true

> I installed realmd
> # yum install realmd

Why, what is wrong with 'net ads join' ?

Nothing really wrong, apart from, you do not seem to understand that any
users in /etc/passwd are unknown to AD.

You can have the same username in /etc/passwd and AD, but they will be
different users. The only Samba supported way of making users known to
both AD and the local Linux OS, is for the users to be in AD and use
Samba to make them Unix users as well.

You are half way there, you have in smb.conf:

    idmap config TJSC : range = 2000000-2999999
    idmap config TJSC : backend = rid

This will take any AD users (and groups), extract the RID and then
calculate the Unix ID using the lower range, so from what you have
posted, I am very sure that 'getent group Domain\ Users' will return the
ID '2000513'.

So to cut to a shorter version, create your users in AD and delete them
from /etc/passwd.

Your way is not supported.

Rowland
Fernando Gonçalves
2020-Jun-22 13:00 UTC
[Samba] SAMBA using existing users and passwords on Linux
Good morning Rowland.

As you may have noticed, I am no expert in deploying SAMBA in an AD
domain.
Could you give me a link with a tutorial that explains in a simple way
the procedure for this?

Just to not leave without a return I executed the following commands:

    # getent group TJSC\users
    #

Nothing came back.

    # getent group TJSC users
    users: x: 100:

This group "users" is local to the linux server (it is in /etc/passwd)
and does not exist in the AD domain.

I can then conclude that my intention to use local users of the linux
server without having to specify the name of the linux server is not
possible, right?
Rowland penny
2020-Jun-22 13:13 UTC
[Samba] SAMBA using existing users and passwords on Linux
On 22/06/2020 14:00, Fernando Gonçalves wrote:
> Good morning Rowland.
>
> As you may have noticed, I am no expert in deploying SAMBA in an AD
> domain.
> Could you give me a link with a tutorial that explains in a simple way
> the procedure for this?

You could start here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

> Just to not leave without a return I executed the following commands:
>
> # getent group TJSC\users
> #
> Nothing came back.

It shouldn't, not even on a Samba AD DC

> # getent group TJSC users
> users: x: 100:
> This group "users" is local to the linux server (it is in /etc/passwd)
> and does not exist in the AD domain.

Ah, yes it does, just not where you expect it ;-)

If you examine 'idmap.ldb' on a DC, you should find something like this:

    dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
    cn: S-1-5-21-1768301897-3342589593-1064908849-513
    objectClass: sidMap
    objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
    type: ID_TYPE_GID
    xidNumber: 100
    distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513

The '513' is the RID for Domain Users and the xidNumber maps it to the
local 'users' group.

> I can then conclude that my intention to use local users of the linux
> server without having to specify the name of the linux server is not
> possible, right?

Correct, not possible and definitely not supported on a Samba AD DC (or
any other Samba domain machine)

Rowland
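The two mappings discussed in this thread, the idmap_rid arithmetic on a domain member (RID 513 in range 2000000-2999999 gives 2000513) and the idmap.ldb record on a DC (RID 513 mapped to local gid 100), can be worked through with the following script. This is an added example, not code from the thread or from Samba itself; the parsing helpers are my own, the SID and idmap.ldb entry are the ones Rowland quoted, and the "outside the range" SID is constructed to show what happens when a RID does not fit the configured range.

```python
"""Added example: how Samba's idmap_rid backend derives a Unix ID from an AD SID,
and what the sidMap entry in a DC's idmap.ldb records for the same RID.
Helpers here are illustrative, not Samba's own code."""

# SID quoted in the thread (Domain Users of that domain, RID 513).
DOMAIN_USERS_SID = "S-1-5-21-1768301897-3342589593-1064908849-513"

# Constructed SID whose RID (1000000) lands outside the configured range below.
OUT_OF_RANGE_SID = "S-1-5-21-1768301897-3342589593-1064908849-1000000"

# The smb.conf setting from the thread: idmap config TJSC : range = 2000000-2999999
TJSC_RANGE = "2000000-2999999"

# idmap.ldb entry as shown in the thread (LDIF).
IDMAP_LDB_ENTRY = """\
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
cn: S-1-5-21-1768301897-3342589593-1064908849-513
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513
"""


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...-<rid>' into (authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[2]), [int(p) for p in parts[3:]]


def rid_of(sid):
    """The RID is the last sub-authority of the SID."""
    return parse_sid(sid)[1][-1]


def idmap_rid(sid, range_spec, base_rid=0):
    """Reproduce idmap_rid's rule: unix_id = low + (rid - base_rid).

    Returns None when the result falls outside the configured range; Samba
    then has no Unix ID for that SID and the user or group stays unknown to
    the OS, which is the practical failure mode behind 'getent' returning nothing.
    """
    low, high = (int(x) for x in range_spec.split("-"))
    xid = low + rid_of(sid) - base_rid
    if xid < low or xid > high:
        return None
    return xid


def parse_ldif_entry(text):
    """Minimal LDIF reader: 'attr: value' lines into {attr: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"bad LDIF line: {line!r}")
        entry.setdefault(key, []).append(value)
    return entry


def dc_mapping(entry_text):
    """Summarise a sidMap record from idmap.ldb: which SID/RID got which xid."""
    e = parse_ldif_entry(entry_text)
    sid = e["objectSid"][0]
    return {
        "sid": sid,
        "rid": rid_of(sid),
        "type": e["type"][0],
        "xid": int(e["xidNumber"][0]),
    }


if __name__ == "__main__":
    print("domain member (idmap_rid):", idmap_rid(DOMAIN_USERS_SID, TJSC_RANGE))
    print("domain member, RID outside range:", idmap_rid(OUT_OF_RANGE_SID, TJSC_RANGE))
    print("DC (idmap.ldb):", dc_mapping(IDMAP_LDB_ENTRY))
```

The two results differ (2000513 on the member, 100 on the DC) because the member computes IDs from the RID while the DC allocates them in idmap.ldb; that is why the same group can show different gids on different machines unless the IDs are stored in AD and a backend such as 'ad' is used, which is what the wiki page Rowland linked covers.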