Hi all,

I've been stuck on this for a good month now trying to set up a small domain at home so that I don't have to manage users on every PC at home separately. With 4 kids doing home schooling right now this is more important than ever, although by now I spent so much time on this that I probably would've set up the users on every machine 3 times back and forth and still would've spent less time ?

Following the suggestions here:
https://askubuntu.com/questions/1287239/mounting-samba-share-loses-file-ownership-info
(networking - Mounting samba share loses file ownership info - Ask Ubuntu)

and here:
https://askubuntu.com/questions/1292869/samba-ad-dc-no-longer-accepts-login-using-domain-accounts
(password - Samba AD DC no longer accepts login using domain accounts - Ask Ubuntu)

I took the advice and set up a new AD DC in a dedicated VM (Debian 10). I also installed kubuntu fresh on one of the PCs and followed the samba wiki tutorial to join it to the domain using winbind. Here's my basic AD smb.conf:

[global]
dns forwarder = 192.168.1.1
netbios name = PRIMARYDC
realm = MYDOMAIN.COM
server role = active directory domain controller
workgroup = MYDOMAIN
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
template homedir = /home/%D/%U
unix extensions = Yes
vfs objects = dfs_samba4 acl_xattr recycle

[netlogon]
path = /var/lib/samba/sysvol/mydomain.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

I tried many different tweaks before I ended up with this on the client PC:

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
security = user
winbind refresh tickets = Yes
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = Yes
bind interfaces only = Yes
interfaces = lo eth0
winbind enum users = Yes
winbind enum groups = Yes

# server string is the equivalent of the NT Description field
server string = %h server (Samba, Ubuntu)

winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 10000-999999
idmap config MYDOMAIN:unix_nss_info = Yes
idmap config MYDOMAIN:unix_primary_group = Yes

template shell = /bin/bash
template homedir = /home/%D/%U

username map = /etc/samba/user.map

pam.d configs were updated to contain winbind entries automatically after the installation of required packages. However, neither this nor any of the configs I experimented with on the way resulted in a workable domain join.

When I ran "net ads join" it reported success, but the client was only running winbindd - smbd and nmbd weren't even starting up. And trying to run getent passwd or getent group on any domain objects gave me no results. What is even more annoying is that the unrecommended approach of using SSSD instead of winbind works like a charm.

What am I doing wrong? Is there a definitive tutorial somewhere on how to do it? I don't think my setup is special in any way but the use of the rfc2307 schema, but even that is recommended as the default for any new domain setup such as mine.

Any help will be greatly appreciated.

Cheers,
Chris
On 03/12/2020 20:38, Krzysztof Kucybała via samba wrote:
> Hi all,
> I've been stuck on this for a good month now trying to set up a small domain at home so that I don't have to manage users on every PC at home separately. With 4 kids doing home schooling right now this is more important than ever, although by now I spent so much time on this that I probably would've set up the users on every machine 3 times back and forth and still would've spent less time ?
>
> I took the advice and set up a new AD DC in a dedicated VM (Debian 10). I also installed kubuntu fresh on one of the PCs and followed the samba wiki tutorial to join it to the domain using winbind. Here's my basic AD smb.conf:
>
> [global]
> dns forwarder = 192.168.1.1
> netbios name = PRIMARYDC
> realm = MYDOMAIN.COM
> server role = active directory domain controller
> workgroup = MYDOMAIN
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash
> template homedir = /home/%D/%U

Your DC's smb.conf is ok up to here

> unix extensions = Yes
> vfs objects = dfs_samba4 acl_xattr recycle

I would remove the unix extensions line, you do not need it on a DC and as you don't seem to be using the recycle bin, you might as well remove the 'vfs objects' line.

> [netlogon]
> path = /var/lib/samba/sysvol/mydomain.com/scripts
> read only = No
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> I tried many different tweaks before I ended up with this on the client PC:
>
> ## Browsing/Identification ###
>
> # Change this to the workgroup/NT-domain name your Samba server will part of
> security = user

This is a domain member, so it should be 'security = ADS'

> winbind refresh tickets = Yes
> map acl inherit = Yes
> store dos attributes = Yes

'store dos attributes = yes' is the default, so not required

> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind use default domain = Yes
> bind interfaces only = Yes
> interfaces = lo eth0
> winbind enum users = Yes
> winbind enum groups = Yes

The two lines above should only be used for testing.

> # server string is the equivalent of the NT Description field
> server string = %h server (Samba, Ubuntu)
>
> winbind nss info = rfc2307

That has been replaced by a line in 'idmap config', so not required.

> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN:schema_mode = rfc2307
> idmap config MYDOMAIN:range = 10000-999999
> idmap config MYDOMAIN:unix_nss_info = Yes
> idmap config MYDOMAIN:unix_primary_group = Yes

This is where it gets interesting, first have you given your users a uidNumber containing a unique number inside the 10000-999999 range and does Domain Users have a gidNumber inside the same range? Finally, you have this 'idmap config MYDOMAIN:unix_primary_group = Yes', so do your users have a gidNumber attribute containing the number of the group you wish to use for that user? None of these attributes are added to AD by default, you must add them manually.

>
> template shell = /bin/bash
> template homedir = /home/%D/%U
>
> username map = /etc/samba/user.map

The user.map should just contain '!root = MYDOMAIN\Administrator'

You have a couple of lines missing:

workgroup = MYDOMAIN
realm = MYDOMAIN.COM

>
> pam.d configs were updated to contain winbind entries automatically after the installation of required packages. However, neither this nor any of the configs I experimented with on the way resulted in a workable domain join. When I ran "net ads join" it reported success, but the client was only running winbindd - smbd and nmbd weren't even starting up.

You should ensure that smbd, nmbd and winbind are stopped before the join, now join the domain, start winbind, then smbd followed by nmbd. If any of them do not start, check the logs and report the error.

Rowland
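The points raised in the reply above (security = ADS on a member, workgroup and realm present, the '*' and domain idmap ranges kept apart, and every user carrying a uidNumber inside the domain range plus a gidNumber that an existing group actually has) can be checked mechanically before running net ads join. The script below is an added example and is not code from the Samba project or from either poster; the smb.conf fragment and the LDIF are constructed to reproduce the mistakes from the thread, and the function names are my own.

```python
# Checks for a Samba domain-member smb.conf and for the rfc2307 attributes
# that winbind's 'ad' idmap backend needs.  Added example, not Samba code;
# the smb.conf and LDIF below are constructed.

# Constructed member smb.conf with the mistakes from the thread
# (security = user, no workgroup, no realm); the idmap part is fine.
MEMBER_SMB_CONF = """\
[global]
security = user
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 10000-999999
idmap config MYDOMAIN:unix_primary_group = Yes
template shell = /bin/bash
template homedir = /home/%D/%U
"""

# Constructed LDIF in the shape ldbsearch prints, trimmed to the attributes
# that matter: Domain Users has a gidNumber, alice is complete, bob has no
# uidNumber at all (the case the reply asks about).
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=mydomain,DC=com
objectClass: group
gidNumber: 10000

dn: CN=alice,CN=Users,DC=mydomain,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=mydomain,DC=com
objectClass: user
sAMAccountName: bob
gidNumber: 10000
"""

def parse_smb_conf(text):
    """{section: {key: value}}.  Samba ignores case and blanks in parameter
    names, so 'idmap config MYDOMAIN:range' is stored as
    'idmapconfigmydomain:range'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.lower().replace(" ", "")] = value.strip()
    return conf

def check_member_config(text, domain):
    """Problems a domain member's [global] section must not have."""
    g = parse_smb_conf(text).get("global", {})
    d, problems = domain.lower(), []
    if g.get("security", "").lower() != "ads":
        problems.append("security must be ADS on a domain member")
    problems += [f"{p} is missing" for p in ("workgroup", "realm") if p not in g]
    if g.get(f"idmapconfig{d}:backend", "").lower() != "ad":
        problems.append(f"idmap config {domain}:backend should be ad")
    try:  # the '*' range (built-in SIDs) must not overlap the domain range
        star = tuple(int(x) for x in g["idmapconfig*:range"].split("-"))
        dom = tuple(int(x) for x in g[f"idmapconfig{d}:range"].split("-"))
        if star[0] <= dom[1] and dom[0] <= star[1]:
            problems.append("the '*' and domain idmap ranges overlap")
    except KeyError:
        problems.append("both the '*' and the domain idmap range must be set")
    return problems

def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.strip():
            k, v = line.split(":", 1)
            cur.setdefault(k.strip(), []).append(v.strip())
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def check_rfc2307(ldif_text, lo, hi):
    """Every user needs a uidNumber inside the domain idmap range and, with
    unix_primary_group = yes, a gidNumber that an existing group carries."""
    entries = parse_ldif(ldif_text)
    gids = {g for e in entries if "group" in e.get("objectClass", [])
            for g in e.get("gidNumber", [])}
    problems = []
    for e in entries:
        if "user" not in e.get("objectClass", []):
            continue
        name = e.get("sAMAccountName", e["dn"])[0]
        uid, gid = e.get("uidNumber", [None])[0], e.get("gidNumber", [None])[0]
        if uid is None:
            problems.append(f"{name}: no uidNumber")
        elif not lo <= int(uid) <= hi:
            problems.append(f"{name}: uidNumber {uid} outside {lo}-{hi}")
        if gid is None:
            problems.append(f"{name}: no gidNumber")
        elif gid not in gids:
            problems.append(f"{name}: gidNumber {gid} belongs to no group")
    return problems
```

Run check_member_config against the member's real smb.conf and check_rfc2307 against the LDIF that ldbsearch prints for your users and for Domain Users; an empty list from both is what you want before the join, and on the constructed input above the first reports the security/workgroup/realm problems while the second flags bob's missing uidNumber.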