On 01/12/2020 10:00, Rowland penny via samba wrote:
> On 30/11/2020 22:25, Rommel Rodriguez Toirac via samba wrote:
>> On 30 November 2020 16:27:10 GMT-05:00, Rowland penny via samba <samba at lists.samba.org> wrote:
>>> On 30/11/2020 20:55, Rommel Rodriguez Toirac wrote:
>>>> On 30 November 2020 15:43:24 GMT-05:00, Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>> On 30/11/2020 20:32, Rommel Rodriguez Toirac via samba wrote:
>>>>>> On 30 November 2020 14:19:19 GMT-05:00, Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>>>> On 30/11/2020 19:09, Rommel Rodriguez Toirac wrote:
>>>>>>>> On 30 November 2020 13:41:09 GMT-05:00, Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>>>>>> On 30/11/2020 18:21, Rommel Rodriguez Toirac wrote:
>>>>>>>>>> I do not have sssd installed. I use winbind.
>>>>>>>>>>
>>>>>>>>> in which case, edit /etc/nsswitch.conf and make the passwd, shadow and group lines look like this:
>>>>>>>>>
>>>>>>>>> passwd:     files winbind systemd
>>>>>>>>> shadow:     files
>>>>>>>>> group:      files winbind systemd
>>>>>>>>>
>>>>>>>>> remove every mention of 'sss'
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>> Done, now it looks like this:
>>>>>>>>
>>>>>>>> [root at gtmad1 sbin]# cat /etc/nsswitch.conf
>>>>>>>> #
>>>>>>>> # /etc/nsswitch.conf
>>>>>>>> #
>>>>>>>> # An example Name Service Switch config file. This file should be
>>>>>>>> # sorted with the most-used services at the beginning.
>>>>>>>> #
>>>>>>>> # The entry '[NOTFOUND=return]' means that the search for an
>>>>>>>> # entry should stop if the search in the previous entry turned
>>>>>>>> # up nothing. Note that if the search failed due to some other reason
>>>>>>>> # (like no NIS server responding) then the search continues with the
>>>>>>>> # next entry.
>>>>>>>> #
>>>>>>>> # Valid entries include:
>>>>>>>> #
>>>>>>>> #       nisplus                 Use NIS+ (NIS version 3)
>>>>>>>> #       nis                     Use NIS (NIS version 2), also called YP
>>>>>>>> #       dns                     Use DNS (Domain Name Service)
>>>>>>>> #       files                   Use the local files in /etc
>>>>>>>> #       db                      Use the pre-processed /var/db files
>>>>>>>> #       compat                  Use /etc files plus *_compat pseudo-databases
>>>>>>>> #       hesiod                  Use Hesiod (DNS) for user lookups
>>>>>>>> #       sss                     Use sssd (System Security Services Daemon)
>>>>>>>> #       [NOTFOUND=return]       Stop searching if not found so far
>>>>>>>> #
>>>>>>>> # 'sssd' performs its own 'files'-based caching, so it should
>>>>>>>> # generally come before 'files'.
>>>>>>>>
>>>>>>>> # To use 'db', install the nss_db package, and put the 'db' in front
>>>>>>>> # of 'files' for entries you want to be looked up first in the
>>>>>>>> # databases, like this:
>>>>>>>> #
>>>>>>>> # passwd:    db files
>>>>>>>> # shadow:    db files
>>>>>>>> # group:     db files
>>>>>>>>
>>>>>>>> passwd:     files winbind systemd
>>>>>>>> shadow:     files
>>>>>>>> group:      files winbind systemd
>>>>>>>>
>>>>>>>> hosts:      files dns myhostname
>>>>>>>>
>>>>>>>> bootparams: files
>>>>>>>>
>>>>>>>> ethers:     files
>>>>>>>> netmasks:   files
>>>>>>>> networks:   files
>>>>>>>> protocols:  files
>>>>>>>> rpc:        files
>>>>>>>> services:   files sss
>>>>>>>>
>>>>>>>> netgroup:   sss
>>>>>>>>
>>>>>>>> publickey:  files
>>>>>>>>
>>>>>>>> automount:  files sss
>>>>>>>> aliases:    files
>>>>>>>>
>>>>>>>>
>>>>>>> You still have 'sss' in the file, you do not need them if you don't have
>>>>>>> sssd installed, I would change 'netgroup: sss' to 'netgroup: nis' and
>>>>>>> remove the other 'sss'
>>>>>>>
>>>>>>> Rowland
>>>>>>
>>>>>> After sending the message I changed the file and left it like this:
>>>>>> [root at gtmad1 var]# cat /etc/nsswitch.conf
>>>>>> #
>>>>>> # /etc/nsswitch.conf
>>>>>> #
>>>>>> # An example Name Service Switch config file. This file should be
>>>>>> # sorted with the most-used services at the beginning.
>>>>>> #
>>>>>> # The entry '[NOTFOUND=return]' means that the search for an
>>>>>> # entry should stop if the search in the previous entry turned
>>>>>> # up nothing. Note that if the search failed due to some other reason
>>>>>> # (like no NIS server responding) then the search continues with the
>>>>>> # next entry.
>>>>>> #
>>>>>> # Valid entries include:
>>>>>> #
>>>>>> #       nisplus                 Use NIS+ (NIS version 3)
>>>>>> #       nis                     Use NIS (NIS version 2), also called YP
>>>>>> #       dns                     Use DNS (Domain Name Service)
>>>>>> #       files                   Use the local files in /etc
>>>>>> #       db                      Use the pre-processed /var/db files
>>>>>> #       compat                  Use /etc files plus *_compat pseudo-databases
>>>>>> #       hesiod                  Use Hesiod (DNS) for user lookups
>>>>>> #       sss                     Use sssd (System Security Services Daemon)
>>>>>> #       [NOTFOUND=return]       Stop searching if not found so far
>>>>>> #
>>>>>> # 'sssd' performs its own 'files'-based caching, so it should
>>>>>> # generally come before 'files'.
>>>>>>
>>>>>> # To use 'db', install the nss_db package, and put the 'db' in front
>>>>>> # of 'files' for entries you want to be looked up first in the
>>>>>> # databases, like this:
>>>>>> #
>>>>>> # passwd:    db files
>>>>>> # shadow:    db files
>>>>>> # group:     db files
>>>>>>
>>>>>> passwd:     files winbind
>>>>>> shadow:     files
>>>>>> group:      files winbind
>>>>>> initgroups  files
>>>>>>
>>>>>> hosts:      files dns myhostname
>>>>>>
>>>>>> bootparams: nisplus files
>>>>>>
>>>>>> ethers:     files
>>>>>> netmasks:   files
>>>>>> networks:   files
>>>>>> protocols:  files
>>>>>> rpc:        files
>>>>>> services:   files
>>>>>>
>>>>>> netgroup:   nis
>>>>>>
>>>>>> publickey:  nisplus
>>>>>>
>>>>>>
>>>>>> automount:  files nisplus
>>>>>> aliases:    files nisplus
>>>>>>
>>>>>> But it does not work when I run the getent command:
>>>>>>
>>>>>>
>>>>>> [root at gtmad1 var]# wbinfo -p
>>>>>> Ping to winbindd succeeded
>>>>>>
>>>>>>
>>>>>> [root at gtmad1 var]# getent passwd "ATGTM00\\rommel.rodriguez"
>>>>>>
>>>>>> [root at gtmad1 var]# getent group "ATGTM00\\Domain Users"
>>>>>>
>>>>>>
>>>>>> ... and still do not connect from Windows (7) using RSAT, neither from
>>>>>> Windows 2016 Server Admin Tools/Active Directory Users and Computers tool.
>>>>> Do you have these packages installed: samba samba-winbind
>>>>> samba-winbind-clients krb5-workstation
>>>>>
>>>>> Have you run this command: authselect select winbind with-mkhomedir
>>>>>
>>>>> Rowland
>>>> (Sorry for all the problems)
>>>>
>>>> Are these packages needed even if I compile from source samba-4.13.2.tar.gz?
>>>
>>> No, but you will need to create the links, see here:
>>>
>>> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>>>
>>> Rowland
>>
>>
>>
>> Thanks, now it is working. I made the links:
>>
>>
>> ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/
>>
>> ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
>>
>>
>> Testing the getent command:
>>
>>
>> [root at gtmad1 ~]# getent passwd "ATGTM00\\rommel.rodriguez"
>> ATGTM00\rommel.rodriguez:*:3000127:100::/home/ATGTM00/rommel.rodriguez:/bin/false
>>
>> [root at gtmad1 ~]# getent group "ATGTM00\\Domain Users"
>> ATGTM00\domain users:x:100:
> Well that's one thing fixed
>>
>>
>> I still cannot connect using Windows 7 RSAT or Windows 2016 Server Admin
>> Tools/Active Directory Users and Computers tools to do some administration
>> tasks on this Samba 4.13.2 Domain Controller.
>>
>> I can do it on samba 4.11.2 (my ADDC)
>>
> Haven't got Windows 2016, but Win7 & Win10 ADUC work against 4.13.2 for me,
> the only differences are, I use Devuan with Louis's repo and pam-krb5.
>
> Unlikely to be the OS (unless it is Selinux), the code in Louis's repo will
> be the same code you used, so that leaves pam-krb5 and the lack of that
> shouldn't cause your problem, it should fall back to NTLM.
>
> What error message are you getting when you try to use ADUC?
>
> Rowland
>
>
Just to wrap this up, the OP had his Samba DC running in an unprivileged
container; changing this now allows him to use ADUC.

Rowland
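The two checks this thread converged on (no leftover 'sss' sources in nsswitch.conf on a host without sssd, and a libnss_winbind.so.2 that glibc can actually find after a from-source build) can be scripted. The checker below is an added example, not from the thread or from Samba; the function names and the library-directory argument are its own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: sanity checks for the
# two problems above. Function names and arguments are this example's own.

# check_nsswitch FILE
# Succeeds only if passwd and group use winbind and no database still lists
# 'sss' (with no sssd installed, an 'sss' source can only fail).
check_nsswitch() {
    file=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # drop comments
        case $line in *:*) ;; *) continue ;; esac # need "db: sources"
        db=${line%%:*}
        has_sss=0; has_wb=0
        set -f                  # no globbing: a source may be '[NOTFOUND=return]'
        set -- ${line#*:}       # split the source list on whitespace (space or tab)
        set +f
        for src in "$@"; do
            case $src in
                sss) has_sss=1 ;;
                winbind) has_wb=1 ;;
            esac
        done
        if [ "$has_sss" = 1 ]; then
            echo "$db: still references 'sss'"; rc=1
        fi
        case $db in
            passwd|group)
                if [ "$has_wb" = 0 ]; then
                    echo "$db: 'winbind' missing"; rc=1
                fi ;;
        esac
    done < "$file"
    return "$rc"
}

# check_winbind_links LIBDIR
# A source-built Samba installs libnss_winbind.so.2 under its own prefix,
# where glibc never looks; -e follows symlinks, so a dangling link fails too.
check_winbind_links() {
    libdir=$1
    if [ -e "$libdir/libnss_winbind.so.2" ]; then
        return 0
    fi
    echo "$libdir/libnss_winbind.so.2 missing (the thread's fix: ln -s it there)"
    return 1
}
# Typical use: check_nsswitch /etc/nsswitch.conf && check_winbind_links /lib64
```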