Hi all

I'm looking for some help on winbind/idmap for a new host

The debian version is new on this host : debian 10 buster so samba is

> root@homedir10:~# samba --version
> Version 4.9.5-Debian

We want to use security=ads so we join this host to the domain
No problem for windows clients : they can mount shares that are accessible to their primary unix group and secondary unix group(s)

But we have a problem with linux clients: smbclient refuses to access the shares

> [grocher: ~ ] 130 $ smbclient //homedir10/ditiric -U IFR\\grocher
> WARNING: The "syslog" option is deprecated
> Enter IFR\grocher's password:
> session setup failed: NT_STATUS_NO_LOGON_SERVERS

On this host the smb.conf was copied from the previous host debian 9 / samba 4.5.16-Debian and the winbind package was not installed.
On debian9 / samba 4.5.16 both clients work without winbind and idmap parameters in smb.conf

So I began to study https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

On a devhost, I installed the missing packages https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Debian in particular winbind, libnss-winbind, libpam-winbind

with this config none of the clients could access the shares

Some diagnostics I could perform

winbind seems to be working and samba can access the service

> root@vans-d10-cl:~# wbinfo -p
> Ping to winbindd succeeded

AD domain parameters seem correct and the host seems to have correctly joined the domain (our domain is IFR)

> root@vans-d10-cl:~# wbinfo --domain-info=IFR
> Name              : IFR
> Alt_Name          : ifremer.fr
> SID               : S-1-5-21-500109986-1412980772-1848903544
> Active Directory  : Yes
> Native            : Yes
> Primary           : Yes

We can ping Domain Controllers

> root@vans-d10-cl:~# wbinfo --getdcname=IFR
> VDC2016
> root@vans-d10-cl:~# wbinfo --ping-dc
> checking the NETLOGON for domain[IFR] dc connection to "vdc2016.ifremer.fr" succeeded

Users and groups of the domain are seen by samba

> root@vans-d10-cl:~# wbinfo --domain-users | head
> IFR\peronm
> IFR\pgermane
> IFR\galviset
> IFR\cbontemp
> IFR\ldecubbe
> IFR\mmeloni
> IFR\ssaunier
> IFR\gkorchag
> IFR\clemeu
> IFR\tlebreto
> root@vans-d10-cl:~# wbinfo --domain-groups | head
> IFR\administrateurs du schéma
> IFR\administrateurs de l'entreprise
> IFR\contrôleurs de domaine d'entreprise en lecture seule
> IFR\exchangelegacyinterop
> IFR\exchange windows permissions
> IFR\managed availability servers
> IFR\exchange trusted subsystem
> IFR\exchange servers
> IFR\compliance management
> IFR\hygiene management
> root@vans-d10-cl:~# wbinfo --domain-groups | tail
> IFR\sgc
> IFR\hdfstest
> IFR\ofseair
> IFR\rhldcm
> IFR\gcelimer
> IFR\gpacl
> IFR\metocean
> IFR\drhdajf
> IFR\grotor
> IFR\workflowums

In /etc/nsswitch.conf I have added winbind as source for passwd and group

> root@vans-d10-cl:~# grep winbind /etc/nsswitch.conf
> passwd:         files winbind nis compat
> group:          files winbind nis compat

And the host seems to have correct information on both nis and domain users and groups

> root@vans-d10-cl:~# getent passwd grocher
> grocher:$1$[password hash redacted]:21826:10022:Gregory ROCHER, Ifremer Brest PDG-IRSI-RIC, 02 29 00 85 79:/home1/homedir1/perso/grocher:/bin/csh
> root@vans-d10-cl:~# getent passwd IFR\\grocher
> IFR\grocher:*:11752:10513:Gregory ROCHER, Ifremer Brest PDG-IRSI-RIC, 02 2:/home/IFR/grocher:/bin/false
> root@vans-d10-cl:~# getent group ditiric
> ditiric:x:10022:ricdba,ricora,bmilo,tina,cotty,gmaudire,dcroizef,clebris,fguesnon
> root@vans-d10-cl:~# getent group IFR\\ditiric
> IFR\ditiric:x:11375:

For id mapping I have studied the three backends mentioned in https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Choose_backend_for_id_mapping_in_winbindd

I don't think we can use the ad backend because of the lack of uidNumber and gidNumber in our Active Directory.
For example on a domain controller when I study entries of the AD I don't see these attributes

> PS C:\Users\rootifr> Get-ADUser grocher
>
> DistinguishedName : CN=grocher,CN=Users,DC=ifremer,DC=fr
> Enabled           : True
> GivenName         :
> Name              : grocher
> ObjectClass       : user
> ObjectGUID        : 7c29e837-e6b0-4228-b4a6-5f9d40f9fbe9
> SamAccountName    : grocher
> SID               : S-1-5-21-500109986-1412980772-1848903544-1752
> Surname           :
> UserPrincipalName :
>
> PS C:\Users\rootifr> Get-ADGroup ditiric
>
> DistinguishedName : CN=ditiric,CN=Users,DC=ifremer,DC=fr
> GroupCategory     : Security
> GroupScope        : Global
> Name              : ditiric
> ObjectClass       : group
> ObjectGUID        : a37a82ac-f190-463a-a251-c639f9d36a33
> SamAccountName    : ditiric
> SID               : S-1-5-21-500109986-1412980772-1848903544-1375

So in smb.conf I defined these parameters (uid for our nis users goes from 10000 to the infinite)

> idmap config * : backend = tdb
> idmap config * : range = 0-999
> idmap config IFR : backend = rid
> idmap config IFR : range = 10000-5000000

I verified the SIDs calculated by this config and this seems coherent: both nis users and domain users have the same SID and it's also the same one that the AD Domain Controller shows

> root@vans-d10-cl:~# wbinfo --name-to-sid=grocher
> S-1-5-21-500109986-1412980772-1848903544-1752 SID_USER (1)
> root@vans-d10-cl:~# wbinfo --name-to-sid=IFR\\grocher
> S-1-5-21-500109986-1412980772-1848903544-1752 SID_USER (1)

If I verify the groups of a SID it seems coherent too

> root@vans-d10-cl:~# wbinfo --user-sids=S-1-5-21-500109986-1412980772-1848903544-1752
> S-1-5-21-500109986-1412980772-1848903544-1752
> S-1-5-21-500109986-1412980772-1848903544-513
> S-1-5-21-500109986-1412980772-1848903544-3215561
> S-1-5-21-500109986-1412980772-1848903544-1632
> S-1-5-21-500109986-1412980772-1848903544-3206726
> S-1-5-21-500109986-1412980772-1848903544-1375

The S-1-5-21-500109986-1412980772-1848903544-1375 is both seen on my SID and it's the SID of the group

> root@vans-d10-cl:~# wbinfo --name-to-sid=ditiric
> S-1-5-21-500109986-1412980772-1848903544-1375 SID_DOM_GROUP (2)
> root@vans-d10-cl:~# wbinfo --name-to-sid=IFR\\ditiric
> S-1-5-21-500109986-1412980772-1848903544-1375 SID_DOM_GROUP (2)

Finally kerberos: I had installed the packages and configured

> root@vans-d10-cl:~# head /etc/krb5.conf
> [libdefaults]
>         default_realm = IFREMER.FR
>         dns_lookup_realm = false
>         dns_lookup_kdc = true

Ticket list before auth

> root@vans-d10-cl:~# klist
> klist: No credentials cache found (filename: /tmp/krb5cc_0)

Auth with a voluntarily bad password : incorrect

> root@vans-d10-cl:~# kinit grocher
> Password for grocher@IFREMER.FR:
> kinit: Password incorrect while getting initial credentials

Auth with a good password succeeded

> root@vans-d10-cl:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: grocher@IFREMER.FR
>
> Valid starting       Expires              Service principal
> 18/11/2020 07:18:21  18/11/2020 17:18:21  krbtgt/IFREMER.FR@IFREMER.FR
>         renew until 19/11/2020 07:18:15

Are my id mappings incorrect ? What can I test to debug this configuration ?

Thanks in advance

Here is the complete smb.conf returned by testparm

> root@vans-d10-cl:~# testparm -s
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[homes]"
> Processing section "[testsamba]"
> Processing section "[fakedrhrrh]"
> Processing section "[q]"
> Processing section "[winnt]"
> Loaded services file OK.
> Invalid combination of parameters for service testsamba. Level II oplocks can only be set if oplocks are also set.
>
> Invalid combination of parameters for service fakedrhrrh. Level II oplocks can only be set if oplocks are also set.
>
> Invalid combination of parameters for service q. Level II oplocks can only be set if oplocks are also set.
>
> Invalid combination of parameters for service winnt. Level II oplocks can only be set if oplocks are also set.
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
>         deadtime = 15
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         preferred master = No
>         realm = IFREMER.FR
>         security = ADS
>         server string = Linux
>         unix extensions = No
>         wins server = 134.246.155.180
>         workgroup = IFR
>         idmap config ifr : range = 10000-5000000
>         idmap config ifr : backend = rid
>         idmap config * : range = 0-999
>         idmap config * : backend = tdb
>         create mask = 0700
>         directory mask = 0700
>         follow symlinks = No
>         hosts allow = 134.246.
>         include = /usr/local/samba/etc/smb.conf.global.vans-d10-cl
>         invalid users = root smtp bin sys mail daemon adm lp uucp nuucp listen noaccess
>         map archive = No
>         oplocks = No
>         print command = lpr -s -r -P %p %s
>         printing = bsd
>
>
> [homes]
>         browseable = No
>         create mask = 0750
>         directory mask = 0750
>         include = /usr/local/samba/etc/smb.conf.vans-d10-cl
>         oplocks = Yes
>         path = %H
>         read only = No
>
>
> [testsamba]
>         browseable = No
>         create mask = 0770
>         directory mask = 0770
>         force group = ditiric
>         path = /export/home/testsamba
>         read only = No
>         valid users = @ditiric
>
>
> [fakedrhrrh]
>         browseable = No
>         create mask = 0770
>         directory mask = 0770
>         force group = drhrrh
>         path = /export/home/fakedrhrrh
>         read only = No
>         valid users = @drhrrh
>
>
> [q]
>         comment = Disque personnel de %u
>         create mask = 0750
>         directory mask = 0750
>         path = %H
>         read only = No
>
>
> [winnt]
>         browseable = No
>         comment = Repertoire pour logon winnt
>         create mask = 0555
>         directory mask = 0555
>         path = /home/spool/winnt
>         preexec = /home/services/systeme/winnt/bin/winnt.pl %u %g %H %M %m

--
Grégory Rocher
02 29 00 85 79 (8579)
On 18/11/2020 10:42, Gregory ROCHER via samba wrote:
> Hi all
>
> I'm looking for some help on winbind/idmap for a new host
>
>
> We want to use security=ads so we join this host to the domain
> No problem for windows clients : they can mount shares that are
> accessible to their primary unix group and secondary unix group(s)

You are using AD now, so the primary group for all your users will be Domain Users

>
> But we have a problem with linux clients: smbclient refuses to access
> the shares
>> [grocher: ~ ] 130 $ smbclient //homedir10/ditiric -U IFR\\grocher
>> WARNING: The "syslog" option is deprecated
>> Enter IFR\grocher's password: session setup failed:
>> NT_STATUS_NO_LOGON_SERVERS

Are the Unix clients joined to the domain and do they use a DC as their first nameserver ?

>
> On this host the smb.conf was copied from the previous host debian 9 /
> samba 4.5.16-Debian and the winbind package was not installed.
> On debian9 / samba 4.5.16 both clients work without winbind and idmap
> parameters in smb.conf

In which case it sounds like you were using something like sssd or nslcd, have you removed whatever you were using ?

>
> So I began to study
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> On a devhost, I installed the missing packages
> https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Debian
> in particular winbind, libnss-winbind, libpam-winbind

Add libpam-krb5 if you haven't already installed it.

>
> with this config none of the clients could access the shares

Strange, the rid backend is the easiest to set up.

>
> In /etc/nsswitch.conf I have added winbind as source for passwd and group
>> root@vans-d10-cl:~# grep winbind /etc/nsswitch.conf
>> passwd:         files winbind nis compat
>> group:          files winbind nis compat

I would remove 'nis' and 'compat', you do not need them.

>
> And the host seems to have correct information on both nis and domain
> users and groups
>
>> root@vans-d10-cl:~# getent passwd grocher
>> grocher:$1$[password hash redacted]:21826:10022:Gregory ROCHER,
>> Ifremer Brest PDG-IRSI-RIC, 02 29 00 85
>> 79:/home1/homedir1/perso/grocher:/bin/csh
>> root@vans-d10-cl:~# getent passwd IFR\\grocher
>> IFR\grocher:*:11752:10513:Gregory ROCHER, Ifremer Brest PDG-IRSI-RIC,
>> 02 2:/home/IFR/grocher:/bin/false

Why do you have a schizophrenic user ?

Do you by any chance have NIS setup ?

If you do have NIS set up, then remove it, you do not need it.

>> root@vans-d10-cl:~# getent group ditiric
>> ditiric:x:10022:ricdba,ricora,bmilo,tina,cotty,gmaudire,dcroizef,clebris,fguesnon
>>
>> root@vans-d10-cl:~# getent group IFR\\ditiric
>> IFR\ditiric:x:11375:
>
> For id mapping I have studied the three backends mentioned in
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Choose_backend_for_id_mapping_in_winbindd
>
>
> I don't think we can use the ad backend because of the lack of
> uidNumber and gidNumber in our Active Directory. For example on a
> domain controller when I study entries of the AD I don't see these
> attributes

Correct, if you do not have uidNumber & gidNumber attributes in AD, you cannot use the 'ad' backend.

>
>
> So in smb.conf I defined these parameters (uid for our nis users goes
> from 10000 to the infinite)
>> idmap config * : backend = tdb
>> idmap config * : range = 0-999

You didn't read the wikipage correctly, '0-999' is reserved for the Unix system users & groups, so change it to '3000-7999' as shown on the wikipage

>> idmap config IFR : backend = rid
>> idmap config IFR : range = 10000-5000000
>
>
>
> Here is the complete smb.conf returned by testparm
>> root@vans-d10-cl:~# testparm -s
>>
>> Loaded services file OK.
>> Invalid combination of parameters for service testsamba. Level II
>> oplocks can only be set if oplocks are also set.
>>
>> Invalid combination of parameters for service fakedrhrrh. Level II
>> oplocks can only be set if oplocks are also set.
>>
>> Invalid combination of parameters for service q. Level II oplocks can
>> only be set if oplocks are also set.
>>
>> Invalid combination of parameters for service winnt. Level II oplocks
>> can only be set if oplocks are also set.

You have one error (multiple times)

>>
>> Server role: ROLE_DOMAIN_MEMBER
>>
>> # Global parameters
>> [global]
>>         deadtime = 15
>>         dedicated keytab file = /etc/krb5.keytab
>>         kerberos method = secrets and keytab
>>         preferred master = No
>>         realm = IFREMER.FR
>>         security = ADS
>>         server string = Linux
>>         unix extensions = No
>>         wins server = 134.246.155.180

Remove the 'wins server' line, not required in AD, you use DNS

>>         workgroup = IFR
>>         idmap config ifr : range = 10000-5000000
>>         idmap config ifr : backend = rid
>>         idmap config * : range = 0-999
>>         idmap config * : backend = tdb
>>         create mask = 0700
>>         directory mask = 0700
>>         follow symlinks = No
>>         hosts allow = 134.246.
>>         include = /usr/local/samba/etc/smb.conf.global.vans-d10-cl

What is in the 'include' file ?

>>
>>         invalid users = root smtp bin sys mail daemon adm lp uucp nuucp
>> listen noaccess

Better to set ACL's on the shares instead of using 'invalid users'

>>         map archive = No
>>         oplocks = No
>>         print command = lpr -s -r -P %p %s
>>         printing = bsd
>>
>>
>> [homes]
>>         browseable = No
>>         create mask = 0750
>>         directory mask = 0750
>>         include = /usr/local/samba/etc/smb.conf.vans-d10-cl

Again, what is in the 'include' file ?

>>         oplocks = Yes
>>         path = %H
>>         read only = No
>>
>>
>> [testsamba]
>>         browseable = No
>>         create mask = 0770
>>         directory mask = 0770
>>         force group = ditiric
>>         path = /export/home/testsamba
>>         read only = No
>>         valid users = @ditiric
>>
>>
>> [fakedrhrrh]
>>         browseable = No
>>         create mask = 0770
>>         directory mask = 0770
>>         force group = drhrrh
>>         path = /export/home/fakedrhrrh

Sharing an NFS share by CIFS isn't a good idea.

>>         read only = No
>>         valid users = @drhrrh
>>
>>
>> [q]
>>         comment = Disque personnel de %u
>>         create mask = 0750
>>         directory mask = 0750
>>         path = %H
>>         read only = No
>>
>>
>> [winnt]
>>         browseable = No
>>         comment = Repertoire pour logon winnt
>>         create mask = 0555
>>         directory mask = 0555
>>         path = /home/spool/winnt
>>         preexec = /home/services/systeme/winnt/bin/winnt.pl %u %g %H %M %m
>

Is the 'winnt' share meant for netlogon scripts ?

Rowland
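As an added worked example (not code from the thread, from Samba or from the wiki), the script below replays the idmap_rid arithmetic on the idmap config and the SIDs quoted in the original post, and runs the range checks Rowland points to: the '*' range must stay out of 0-999, the per-domain ranges must not overlap, and local ids (here the two NIS ids visible in the getent output) must not fall inside the rid range. It assumes the rid backend's default base rid of 0; NIS_IDS is a constructed subset of the real NIS maps.

```python
"""Replay Samba's idmap_rid mapping for the idmap config in this thread and
check the ranges. Domain SID, ranges and NIS ids are copied from the posts;
the 3000-7999 '*' range is the wiki value Rowland refers to. Added example."""

DOMAIN_SID = "S-1-5-21-500109986-1412980772-1848903544"  # wbinfo --domain-info=IFR
SYSTEM_MAX_ID = 999  # 0-999 is reserved for local Unix system accounts

# idmap config as posted, and the same with the '*' range moved per the wiki
POSTED = {"*": ("tdb", "0-999"), "IFR": ("rid", "10000-5000000")}
SUGGESTED = {"*": ("tdb", "3000-7999"), "IFR": ("rid", "10000-5000000")}

# Local (NIS) ids seen in the getent output of the original post (constructed subset)
NIS_IDS = {"grocher": 21826, "ditiric": 10022}


def parse_range(text):
    """'low-high' as written in smb.conf -> (low, high)."""
    low, high = (int(x) for x in text.split("-"))
    if low > high:
        raise ValueError(f"bad idmap range {text!r}")
    return low, high


def rid_to_unix_id(sid, rid_range, base_rid=0):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID (None if out of range)."""
    domain, _, rid = sid.rpartition("-")
    if domain != DOMAIN_SID:
        return None  # not our domain; another idmap config would handle it
    low, high = rid_range
    unix_id = int(rid) - base_rid + low
    return unix_id if low <= unix_id <= high else None


def unix_id_to_sid(unix_id, rid_range, base_rid=0):
    """Reverse mapping, as winbind does when resolving a uid/gid to a SID."""
    low, high = rid_range
    if not low <= unix_id <= high:
        return None
    return f"{DOMAIN_SID}-{unix_id - low + base_rid}"


def check_idmap(config, local_ids=NIS_IDS):
    """Return the problems a reviewer would flag in an idmap config."""
    problems = []
    ranges = {dom: parse_range(spec) for dom, (_, spec) in config.items()}
    low, high = ranges["*"]
    if low <= SYSTEM_MAX_ID:
        problems.append(f"'*' range {low}-{high} overlaps system ids 0-999")
    names = list(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges for {a!r} and {b!r} overlap")
    rlow, rhigh = ranges["IFR"]
    for name, uid in local_ids.items():
        if rlow <= uid <= rhigh:  # a domain object with this RID gets the same id
            problems.append(f"local id {uid} ({name}) collides with RID {uid - rlow}")
    return problems
```

Running rid_to_unix_id on the SIDs quoted above reproduces the 11752, 10513 and 11375 seen in the getent output, and check_idmap(SUGGESTED) still reports the NIS ids 10022 and 21826 because the NIS range (10000 upwards) and the rid range start at the same value.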
Many thanks Rowland for having read and responded to this very long mail

On 18/11/2020 at 12:46, Rowland penny via samba wrote:
>>> NT_STATUS_NO_LOGON_SERVERS
> Are the Unix clients joined to the domain and do they use a DC as their
> first nameserver ?

No, the linux clients aren't bound by any means to the AD
Their name servers in /etc/resolv.conf are standard bind resolvers

>> On debian9 / samba 4.5.16 both clients work without winbind and idmap
>> parameters in smb.conf
> In which case it sounds like you were using something like sssd or
> nslcd, have you removed whatever you were using ?

No, I've just verified on the debian 9 server. We don't use sssd nor nscd, but yes, nis is used on the host.

> Add libpam-krb5 if you haven't already installed it.

The package is installed/configured and seems to work on the debian 10 server. Not on the linux clients

>>> root@vans-d10-cl:~# getent passwd grocher
>>> grocher:$1$[password hash redacted]:21826:10022:Gregory ROCHER,
>>> Ifremer Brest PDG-IRSI-RIC, 02 29 00 85
>>> 79:/home1/homedir1/perso/grocher:/bin/csh
>>> root@vans-d10-cl:~# getent passwd IFR\\grocher
>>> IFR\grocher:*:11752:10513:Gregory ROCHER, Ifremer Brest PDG-IRSI-RIC,
>>> 02 2:/home/IFR/grocher:/bin/false
>
> Why do you have a schizophrenic user ?
>
> Do you by any chance have NIS setup ?
>
> If you do have NIS set up, then remove it, you do not need it.

We use nis to authenticate users by ssh for example. That may be the root cause of our problem

grocher : is the "unix user" via nis, used in the unix world, we have a mixed environment here
IFR\grocher is the corresponding user in the IFR domain

Do you mean that security=ads and nis are completely incompatible for the samba use case ?

>>>         include = /usr/local/samba/etc/smb.conf.global.vans-d10-cl
> What is in the 'include' file ?
>>>         include = /usr/local/samba/etc/smb.conf.vans-d10-cl
> Again, what is in the 'include' file ?

specific config files + shares definition on the host

> root@vans-d10-cl:~# cat /usr/local/samba/etc/smb.conf.global.vans-d10-cl /usr/local/samba/etc/smb.conf.vans-d10-cl
> preferred master= no
> print command = lpr -s -r -P %p %s
> printing = bsd
> server string = Linux
> wins server = 134.246.155.180
>
> [homes]
>         browseable = no
>         create mask = 0750
>         directory mask = 0750
>         oplocks = yes
>         path = %H
>         writable = yes
>
> [testsamba]
>         browseable = no
>         create mask = 0770
>         directory mask = 0770
>         force group = ditiric
>         path = /export/home/testsamba
>         valid users = @ditiric
>         writable = yes
>
> [fakedrhrrh]
>         browseable = no
>         create mask = 0770
>         directory mask = 0770
>         force group = drhrrh
>         path = /export/home/fakedrhrrh
>         valid users = @drhrrh
>         writable = yes

>>>         preexec = /home/services/systeme/winnt/bin/winnt.pl %u %g %H %M %m
>>
> Is the 'winnt' share meant for netlogon scripts ?

It's a home-made perl script that produces a log file of logins by our users and pre-mounts some of the shares at the login in the domain. For windows users only.

--
Grégory Rocher
02 29 00 85 79 (8579)