On 03/12/2020 20:38, Krzysztof Kucybała via samba wrote:
> Hi all,
> I've been stuck on this for a good month now trying to set up a small domain at home so that I don't have to manage users on every PC at home separately. With 4 kids doing home schooling right now this is more important than ever, although by now I've spent so much time on this that I probably would've set up the users on every machine 3 times back and forth and still would've spent less time.
>
> I took the advice and set up a new AD DC in a dedicated VM (Debian 10). I also installed kubuntu fresh on one of the PCs and followed the samba wiki tutorial to join it to the domain using winbind. Here's my basic AD smb.conf:
>
> [global]
> dns forwarder = 192.168.1.1
> netbios name = PRIMARYDC
> realm = MYDOMAIN.COM
> server role = active directory domain controller
> workgroup = MYDOMAIN
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash
> template homedir = /home/%D/%U

Your DC's smb.conf is ok up to here.

> unix extensions = Yes
> vfs objects = dfs_samba4 acl_xattr recycle

I would remove the 'unix extensions' line, you do not need it on a DC, and as you don't seem to be using the recycle bin, you might as well remove the 'vfs objects' line.

> [netlogon]
> path = /var/lib/samba/sysvol/mydomain.com/scripts
> read only = No
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> I tried many different tweaks before I ended up with this on the client PC:
>
> ## Browsing/Identification ###
>
> # Change this to the workgroup/NT-domain name your Samba server will part of
> security = user

This is a domain member, so it should be 'security = ADS'.

> winbind refresh tickets = Yes
> map acl inherit = Yes
> store dos attributes = Yes

'store dos attributes = yes' is the default, so not required.

> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind use default domain = Yes
> bind interfaces only = Yes
> interfaces = lo eth0
> winbind enum users = Yes
> winbind enum groups = Yes

The two lines above should only be used for testing.

> # server string is the equivalent of the NT Description field
> server string = %h server (Samba, Ubuntu)
>
> winbind nss info = rfc2307

That has been replaced by a line in 'idmap config', so not required.

> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN:schema_mode = rfc2307
> idmap config MYDOMAIN:range = 10000-999999
> idmap config MYDOMAIN:unix_nss_info = Yes
> idmap config MYDOMAIN:unix_primary_group = Yes

This is where it gets interesting. First, have you given your users a uidNumber containing a unique number inside the 10000-999999 range, and does Domain Users have a gidNumber inside the same range? Finally, you have this 'idmap config MYDOMAIN:unix_primary_group = Yes', so do your users have a gidNumber attribute containing the number of the group you wish to use for that user? None of these attributes are added to AD by default, you must add them manually.

> template shell = /bin/bash
> template homedir = /home/%D/%U
>
> username map = /etc/samba/user.map

The user.map should just contain '!root = MYDOMAIN\Administrator'

You have a couple of lines missing:

workgroup = MYDOMAIN
realm = MYDOMAIN.COM

> pam.d configs were updated to contain winbind entries automatically after the installation of required packages. However, not this and none of the configs I experimented with on the way resulted in a workable domain join. When I ran "net ads join" it reported success, but the client was only running winbindd - smbd and nmbd weren't even starting up.

You should ensure that smbd, nmbd and winbind are stopped before the join, now join the domain, start winbind, then smbd followed by nmbd. If any of them do not start, check the logs and report the error.

Rowland
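Putting Rowland's corrections together, this is what the domain member's (the kubuntu PC's) smb.conf [global] section looks like with them applied. It is an added example assembled from the settings posted in the thread, not a file either poster sent; MYDOMAIN, MYDOMAIN.COM, eth0 and the two idmap ranges are taken from the posted configs, and the comments mark what changed and why.

```ini
[global]
   # Identity of the domain; these two lines were missing from the posted member config
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   # A domain member authenticates against AD, not against its own passdb
   security = ADS
   server string = %h server (Samba, Ubuntu)

   bind interfaces only = yes
   interfaces = lo eth0

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = yes
   winbind use default domain = yes
   # 'winbind enum users/groups' left out (testing only) and 'winbind nss info'
   # left out (replaced by the unix_nss_info line under idmap config)

   # Default (*) range for BUILTIN and other non-domain SIDs; must not overlap the domain range
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # Domain range read from uidNumber/gidNumber in AD; those attributes are not
   # created by default and have to be added to each user and group by hand
   idmap config MYDOMAIN : backend = ad
   idmap config MYDOMAIN : schema_mode = rfc2307
   idmap config MYDOMAIN : range = 10000-999999
   idmap config MYDOMAIN : unix_nss_info = yes
   idmap config MYDOMAIN : unix_primary_group = yes

   template shell = /bin/bash
   template homedir = /home/%D/%U

   # /etc/samba/user.map holds the single line:  !root = MYDOMAIN\Administrator
   username map = /etc/samba/user.map

   map acl inherit = yes
```

After saving it, `testparm -s` reports syntax and unknown-parameter problems before anything is restarted. Then follow the order Rowland gives: stop smbd, nmbd and winbind, run `net ads join -U Administrator`, then start winbind, then smbd, then nmbd. `wbinfo -t` checks the machine account trust and `wbinfo -u` lists domain users whether or not they are mapped; `getent passwd chris` (with 'winbind use default domain = yes') returns an entry only for a user whose uidNumber and, with unix_primary_group = yes, gidNumber are set, so a user present in `wbinfo -u` but absent from getent points at the attributes rather than the join.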
Krzysztof Kucybała
2020-Dec-07 08:57 UTC
[Samba] Re: Setting up new AD on (k)ubuntu 20.04
Thanks Rowland, I managed to join the PCs to the domain with the tweaks you suggested, much appreciated. However, I still seem to have two problems and I'm not sure what to do about them:

1) Every 10 minutes or so there's a dns update failure logged on the DC:

/usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')

2) Winbind seems noticeably slower than sssd when logging users on. I was thinking that maybe it's the latency from running the DC in a VM, but that VM is hardly doing anything: CPU only rarely spikes above 5% use, RAM usage is consistently at 25%.

Occasionally, after I logged on and opened a terminal, instead of the usual prompt looking something like:

username@computer:/home/username#

I got something like this:

I have no name!@computer:/home/username#

This seems to come and go without any clear pattern, sometimes it happens, sometimes it doesn't. Everything seems to be working fine though - the user is logged on and they have access to their files and everything.

Any hints?

Cheers,
Chris

________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny via samba <samba at lists.samba.org>
Sent: Thursday, 3 December 2020 22:22
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] Setting up new AD on (k)ubuntu 20.04
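Rowland's question about uidNumber and gidNumber is worth checking mechanically rather than by eye: with the 'ad' backend a user with no uidNumber, a uidNumber outside the idmap range, a duplicated uidNumber, or (with unix_primary_group = yes) a gidNumber that no group carries simply does not resolve, and one thing bash prints when the uid-to-name lookup for the current user fails is exactly the "I have no name!" prompt above. The script below is an added example, not code from the thread or from the Samba project: it parses an LDIF export of users and groups and reports those attribute problems against the 10000-999999 range from the thread. The embedded LDIF is constructed for the example; the attribute names (dn, objectClass, sAMAccountName, uidNumber, gidNumber) are the real AD ones.

```python
"""Check RFC2307 uidNumber/gidNumber attributes against the winbind idmap range.
Added example, not Samba project code; the LDIF below is constructed."""
from typing import Dict, List

# Must match 'idmap config MYDOMAIN : range = 10000-999999' on the member.
IDMAP_RANGE = (10000, 999999)

# Constructed sample: Domain Users and chris are fine; anna duplicates chris's
# uidNumber, tom has no uidNumber, eva's uidNumber is outside the range and
# her gidNumber names no group.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=mydomain,DC=com
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=chris,CN=Users,DC=mydomain,DC=com
objectClass: user
sAMAccountName: chris
uidNumber: 10001
gidNumber: 10000

dn: CN=anna,CN=Users,DC=mydomain,DC=com
objectClass: user
sAMAccountName: anna
uidNumber: 10001
gidNumber: 10000

dn: CN=tom,CN=Users,DC=mydomain,DC=com
objectClass: user
sAMAccountName: tom
gidNumber: 10000

dn: CN=eva,CN=Users,DC=mydomain,DC=com
objectClass: user
sAMAccountName: eva
uidNumber: 5000
gidNumber: 20001
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Records of attr -> values; joins folded lines, skips comments, leaves base64 ('::') undecoded."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF continuation line
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    return records


def check_rfc2307(ldif_text: str, idmap_range=IDMAP_RANGE) -> List[str]:
    """One finding per problem that stops winbind's 'ad' backend mapping an account."""
    lo, hi = idmap_range

    def name(r): return r.get("sAMAccountName", r.get("dn", ["?"]))[0]
    def in_range(v): return v.isdigit() and lo <= int(v) <= hi

    records = parse_ldif(ldif_text)
    groups = [r for r in records if "group" in r.get("objectClass", [])]
    # Computer accounts are 'user' objects too, but winbind does not need them mapped.
    users = [r for r in records if "user" in r.get("objectClass", [])
             and "computer" not in r.get("objectClass", [])]
    findings: List[str] = []
    gid_owner: Dict[str, str] = {}  # gidNumber -> group, for the primary-group check
    for g in groups:
        gid = g.get("gidNumber", [None])[0]
        if gid is None:
            findings.append(f"group {name(g)}: no gidNumber")
        elif not in_range(gid):
            findings.append(f"group {name(g)}: gidNumber {gid} outside {lo}-{hi}")
        else:
            gid_owner[gid] = name(g)
    if "Domain Users" not in gid_owner.values():
        findings.append("Domain Users: no usable gidNumber")
    uid_owner: Dict[str, str] = {}
    for u in users:
        uid = u.get("uidNumber", [None])[0]
        gid = u.get("gidNumber", [None])[0]
        if uid is None:
            findings.append(f"user {name(u)}: no uidNumber")
        elif not in_range(uid):
            findings.append(f"user {name(u)}: uidNumber {uid} outside {lo}-{hi}")
        elif uid in uid_owner:
            findings.append(f"user {name(u)}: uidNumber {uid} duplicates {uid_owner[uid]}")
        else:
            uid_owner[uid] = name(u)
        # unix_primary_group = yes: the gidNumber must belong to an existing group
        if gid is None:
            findings.append(f"user {name(u)}: no gidNumber")
        elif gid not in gid_owner:
            findings.append(f"user {name(u)}: gidNumber {gid} matches no group")
    return findings
```

A real export can be taken on the DC, for example with `ldbsearch -H /var/lib/samba/private/sam.ldb '(|(objectClass=user)(objectClass=group))' sAMAccountName objectClass uidNumber gidNumber > export.ldif`, and fed in as `check_rfc2307(open('export.ldif').read())`. The parser joins LDIF continuation lines but does not decode base64 (`::`) values, which is normally enough for these four attributes; the domain range argument lets the same check be run against whatever range the member's idmap config actually uses.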