On Tue, 2021-10-26 at 11:59 +0200, Joachim Lindenberg via samba wrote:
> Hello Louis,
> sure. I know I configured /etc/resolv.conf during join, pointing to a
> DC manually. Is the local resolver the culprit?
> Thanks,
> Joachim
>
> root@le:/tmp# cat samba-debug-info.txt
> Collected config --- 2021-10-26-09:12 -----------
>
> Hostname: le
> DNS Domain: samba.lindenberg.one
> FQDN: le.samba.lindenberg.one
> ipaddress: 192.168.176.9
>
> -----------
>
> Kerberos SRV _kerberos._tcp.samba.lindenberg.one record verified ok,
> sample output:
> Server: 127.0.0.53
> Address: 127.0.0.53#53
>
> Non-authoritative answer:
> _kerberos._tcp.samba.lindenberg.one service = 0 100 88 boa.samba.lindenberg.one.
> _kerberos._tcp.samba.lindenberg.one service = 0 100 88 mamba.samba.lindenberg.one.
> _kerberos._tcp.samba.lindenberg.one service = 0 100 88 cobra.samba.lindenberg.one.
>
> Authoritative answers can be found from:
> Samba is running as a Unix domain member
> Checking file: /etc/os-release
>
> NAME="Ubuntu"
> VERSION="20.04.3 LTS (Focal Fossa)"
> ID=ubuntu
> ID_LIKE=debian
> PRETTY_NAME="Ubuntu 20.04.3 LTS"
> VERSION_ID="20.04"
> HOME_URL="https://www.ubuntu.com/"
> SUPPORT_URL="https://help.ubuntu.com/"
> BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
> VERSION_CODENAME=focal
> UBUNTU_CODENAME=focal
>
> -----------
>
>
> This computer is running Ubuntu 20.04.3 LTS x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1420 qdisc mq state UP group default qlen 1000
>     link/ether 00:15:5d:b1:0c:70 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.176.9/24 brd 192.168.176.255 scope global eth0
>     inet6 fe80::215:5dff:feb1:c70/64 scope link
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
>
> # The following lines are desirable for IPv6 capable hosts
> 192.168.176.9 le.samba.lindenberg.one le
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # This file is managed by man:systemd-resolved(8). Do not edit.
> #
> # This is a dynamic resolv.conf file for connecting local clients to the
> # internal DNS stub resolver of systemd-resolved. This file lists all
> # configured search domains.
> #
> # Run "resolvectl status" to see details about the uplink DNS servers
> # currently in use.
> #
> # Third party programs must not access this file directly, but only through the
> # symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
> # replace this symlink by a static file or a different symlink.
> #
> # See man:systemd-resolved.service(8) for details about the supported modes of
> # operation for /etc/resolv.conf.
>
> nameserver 127.0.0.53
> options edns0 trust-ad
> search samba.lindenberg.one
>
> -----------
>
> systemd stub resolver detected, running command : systemd-resolve --status
> -----------
> Global
>        LLMNR setting: no
>   MulticastDNS setting: no
>     DNSOverTLS setting: no
>         DNSSEC setting: no
>       DNSSEC supported: no
>             DNSSEC NTA: 10.in-addr.arpa
>                         16.172.in-addr.arpa
>                         168.192.in-addr.arpa
>                         17.172.in-addr.arpa
>                         18.172.in-addr.arpa
>                         19.172.in-addr.arpa
>                         20.172.in-addr.arpa
>                         21.172.in-addr.arpa
>                         22.172.in-addr.arpa
>                         23.172.in-addr.arpa
>                         24.172.in-addr.arpa
>                         25.172.in-addr.arpa
>                         26.172.in-addr.arpa
>                         27.172.in-addr.arpa
>                         28.172.in-addr.arpa
>                         29.172.in-addr.arpa
>                         30.172.in-addr.arpa
>                         31.172.in-addr.arpa
>                         corp
>                         d.f.ip6.arpa
>                         home
>                         internal
>                         intranet
>                         lan
>                         local
>                         private
>                         test
>
> Link 2 (eth0)
>       Current Scopes: DNS
> DefaultRoute setting: yes
>        LLMNR setting: yes
> MulticastDNS setting: no
>   DNSOverTLS setting: no
>       DNSSEC setting: no
>     DNSSEC supported: no
>   Current DNS Server: 192.168.177.19
>          DNS Servers: 192.168.177.18
>                       192.168.177.19
>           DNS Domain: samba.lindenberg.one
>
> -------resolv.conf end----
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = SAMBA.LINDENBERG.ONE
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files systemd winbind
> group: files systemd winbind
> shadow: files
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
> netbios name = LE
> realm = SAMBA.LINDENBERG.ONE
> workgroup = SAMBA
> security = ADS
> # dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
> # idmap_ldb:use rfc2307 = yes
> disable netbios = yes
> smb encrypt = mandatory
> kerberos method = secrets and keytab
> # winbind refresh tickets = yes
> template shell = /bin/bash
> template homedir = /home/%U
> winbind use default domain = yes

You do not have any 'idmap config' lines (I think I mentioned this
already)
As a minimum I would expect something like this:

idmap config *:backend = tdb
idmap config *:range = 3000-9999
idmap config SAMBA : backend = rid
idmap config SAMBA : range = 10000-999999

Rowland
Hello Rowland, Louis,

> You do not have any 'idmap config' lines (I think I mentioned this
> already)

You did, and I replied that the documentation suggests I don't need it. I am also not using idmap on my DCs either, where OpenSSH works with Kerberos. If there is a fine line in between the two setups, then I am missing that in the docs. Will try later and get back with the results.
Thanks,
Joachim

-----Original Message-----
From: samba <samba-bounces@lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Tuesday, 26 October 2021 12:21
To: samba@lists.samba.org
Subject: Re: [Samba] Domain member?

On Tue, 2021-10-26 at 11:59 +0200, Joachim Lindenberg via samba wrote:
> Hello Louis,
> sure. I know I configured /etc/resolv.conf during join, pointing to a
> DC manually. Is the local resolver the culprit?
> Thanks,
> Joachim
>
> root@le:/tmp# cat samba-debug-info.txt
[...]
> winbind use default domain = yes

You do not have any 'idmap config' lines (I think I mentioned this
already)
As a minimum I would expect something like this:

idmap config *:backend = tdb
idmap config *:range = 3000-9999
idmap config SAMBA : backend = rid
idmap config SAMBA : range = 10000-999999

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
On 10/26/21 05:21, Rowland Penny via samba wrote:
>
> You do not have any 'idmap config' lines (I think I mentioned this
> already)
> As a minimum I would expect something like this:
>
> idmap config *:backend = tdb
> idmap config *:range = 3000-9999
> idmap config SAMBA : backend = rid
> idmap config SAMBA : range = 10000-999999
>
> Rowland
>
>

I have a quick and ignorant RTFM question. I was under the impression that backend=rid meant that Samba would use the user's Active Directory RID as their UID (which feels comfortably deterministic), but the fact that you're specifying an ID range indicates that this impression must be false, and that there's still an algorithmic mapping process? I mean maybe just as well, given that, for example, LXD wants to grab a lot of the larger available UIDs for its own user namespaces.
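Added illustration, not part of the thread and not Samba's own code: a small Python model of what Rowland's suggested 'idmap config' lines do and of the question about backend = rid above. The idmap_rid(8) man page documents the mapping as ID = RID - BASE_RID + LOW_RANGE_ID, with BASE_RID 0 by default, so the result is deterministic (no allocation database) but offset by the range start and bounded by the range end; the '*' default backend (tdb) handles BUILTIN and other well-known SIDs from its own, separate range. The smb.conf fragment and the domain SID in the block are constructed for the example, and the overlap and low-range checks are the ones I would run before restarting winbind, not Samba's own validation.

```python
"""Model of Samba's idmap_rid mapping and a config sanity check (added example)."""
import re

# Constructed smb.conf fragment: the minimal idmap lines suggested in the thread.
SAMPLE_SMB_CONF = """
[global]
   workgroup = SAMBA
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 3000-9999
   idmap config SAMBA : backend = rid
   idmap config SAMBA : range = 10000-999999
"""

# 'idmap config <domain> : <key> = <value>'; whitespace around ':' is optional.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
# Domain SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>; BUILTIN (S-1-5-32-*) etc. do not.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_idmap_config(conf: str) -> dict:
    """Collect {DOMAIN: {'backend': ..., 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-", 1))
            if lo >= hi:
                raise ValueError(f"bad range for {dom}: {val}")
            entry["range"] = (lo, hi)
        else:
            entry[key] = val.lower()
    return cfg


def check_ranges(cfg: dict) -> list:
    """Problems worth catching before winbind is restarted (my checks, not Samba's)."""
    problems = []
    for dom, e in cfg.items():
        if "backend" not in e or "range" not in e:
            problems.append(f"{dom}: both backend and range are required")
        r = e.get("range")
        if r and r[0] < 1000:
            # Debian/Ubuntu allocate local users from 1000 upward.
            problems.append(f"{dom}: range starts below 1000 and can collide with local accounts")
    doms = sorted(cfg)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            ra, rb = cfg[a].get("range"), cfg[b].get("range")
            if ra and rb and ra[0] <= rb[1] and rb[0] <= ra[1]:
                problems.append(f"{a} {ra} overlaps {b} {rb}")
    return problems


def rid_to_unix_id(cfg: dict, domain: str, sid: str):
    """Map a domain SID to a Unix ID as idmap_rid does: RID + low end of the range.

    Returns None where winbind would report no mapping: a non-domain SID (those
    belong to the '*' backend), a domain without a rid backend, or a RID whose
    offset ID falls outside the configured range.
    """
    m = SID_RE.match(sid)
    if not m:
        return None
    e = cfg.get(domain.upper())
    if not e or e.get("backend") != "rid":
        return None
    lo, hi = e["range"]
    unix_id = int(m.group(1)) + lo  # BASE_RID is 0 by default
    return unix_id if lo <= unix_id <= hi else None


if __name__ == "__main__":
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    for p in check_ranges(cfg):
        print("WARN:", p)
    dom_sid = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
    for rid in (500, 1104, 1105, 990000):  # Administrator, two ordinary users, out of range
        print(f"RID {rid} -> {rid_to_unix_id(cfg, 'SAMBA', f'{dom_sid}-{rid}')}")
```

With the suggested range, the built-in Administrator (RID 500) becomes UID 10500 and the first ordinary user created in the domain (RID 1104 on a Samba AD DC) becomes UID 11104; the same SID always yields the same ID on every member server that shares the config, which is the property the question is after. The range is still needed for two reasons the block makes visible: it keeps domain IDs clear of the '*' range used for BUILTIN and of local accounts, and a RID that would land above the range end is simply unmappable, so the range must be sized for the domain's RID growth.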