On Tue, 2021-10-26 at 07:31 -0500, K. R. Foley wrote:
> On 10/26/21 7:09 AM, Rowland Penny via samba wrote:
> > On Tue, 2021-10-26 at 06:54 -0500, K. R. Foley wrote:
> > > On 10/26/21 2:28 AM, Rowland Penny via samba wrote:
> > > > On Mon, 2021-10-25 at 20:19 -0500, K. R. Foley wrote:
> > > > > On 10/25/21 3:18 AM, Rowland Penny via samba wrote:
> > > > > > On Sun, 2021-10-24 at 18:21 -0500, K. R. Foley wrote:
> > > > > > > I am just getting back to troubleshooting this.
> > > > > > >
> > > > > > > I do not think that sssd is enabled. In fact I do not think it is
> > > > > > > even installed on this system.
> > > > > > OK, I have lost track of this, but it looks like you are running Samba
> > > > > > as an AD DC. Have you checked that sssd isn't installed ?
> > > > > Yes. sssd is not installed.
> > > > >
> > > > > "rpm -qa | grep sss" returns nothing.
> > > > >
> > > > > > If it is, remove it along with all the 'sss' in /etc/nsswitch.conf
> > > > > Commented all references in nsswitch.conf
> > > > >
> > > > > > Have you created the libnss-winbind links ? either manually (see here:
> > > > > > https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> > > > > I followed those instructions.
> > > > >
> > > > > [root@cln-files-prod kr]# ls -lt /lib64/libnss_winbind.so.2
> > > > > lrwxrwxrwx 1 root root 40 Oct 11 21:21 /lib64/libnss_winbind.so.2 -> /usr/local/samba/lib/libnss_winbind.so.2
> > > > > [root@cln-files-prod kr]# ls -lt /lib64/libnss_winbind.so
> > > > > lrwxrwxrwx 1 root root 26 Oct 11 21:21 /lib64/libnss_winbind.so -> /lib64/libnss_winbind.so.2
> > > > This is on fedora if I remember correctly, so have you installed these
> > > > packages:
> > > >
> > > > samba samba-winbind samba-winbind-clients oddjob-mkhomedir
> > > >
> > > > Rowland
> > > >
> > > Actually it is
> > >
> > > CentOS 7
> > >
> > > Samba 4.11.13 built from source on AD and member server
> > >
> > > Does the Samba build on the client include everything needed or do I
> > > still need to add some package?
> > Yes, if you built Samba by './configure && make && make install' follow
> > the wiki, as everything should be in /usr/local/samba.
> I built it using the commands above following the wiki to build from
> source.
>
> - built from source
> - AD was migrated from Samba NT4 Domain
> - DNS is Bind9 external DNS server
> - everything seems to work on the AD
> - DNS works from linux Samba member server
> - linux Samba member setup following wiki here
>   https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> - joined using "# net ads join -U administrator"
> - wbinfo seems to work fine
>
> [root@cln-files-prod kr]# wbinfo --ping-dc
> checking the NETLOGON for domain[LOCAL] dc connection to "ss-prod.local.SAMDOM.com" succeeded
>
> - wbinfo -g lists the domain groups
> - wbinfo -u lists the domain users
> - getent passwd tech - tech is a domain user that is not a local user.
>   This returns nothing on the domain member. Returns expected result on the AD
> - getent passwd local\\tech - also does not return anything on the member
>   server, but works fine on the AD
>
> kr

Please post the output of 'testparm -s' run on the Unix domain member

Rowland

On 10/26/21 7:38 AM, Rowland Penny via samba wrote:
> On Tue, 2021-10-26 at 07:31 -0500, K. R. Foley wrote:
>> On 10/26/21 7:09 AM, Rowland Penny via samba wrote:
>>> On Tue, 2021-10-26 at 06:54 -0500, K. R. Foley wrote:
>>>> On 10/26/21 2:28 AM, Rowland Penny via samba wrote:
>>>>> On Mon, 2021-10-25 at 20:19 -0500, K. R. Foley wrote:
>>>>>> On 10/25/21 3:18 AM, Rowland Penny via samba wrote:
>>>>>>> On Sun, 2021-10-24 at 18:21 -0500, K. R. Foley wrote:
>>>>>>>> I am just getting back to troubleshooting this.
>>>>>>>>
>>>>>>>> I do not think that sssd is enabled. In fact I do not think it is
>>>>>>>> even installed on this system.
>>>>>>> OK, I have lost track of this, but it looks like you are running Samba
>>>>>>> as an AD DC. Have you checked that sssd isn't installed ?
>>>>>> Yes. sssd is not installed.
>>>>>>
>>>>>> "rpm -qa | grep sss" returns nothing.
>>>>>>
>>>>>>> If it is, remove it along with all the 'sss' in /etc/nsswitch.conf
>>>>>> Commented all references in nsswitch.conf
>>>>>>
>>>>>>> Have you created the libnss-winbind links ? either manually (see here:
>>>>>>> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>>>>>> I followed those instructions.
>>>>>>
>>>>>> [root@cln-files-prod kr]# ls -lt /lib64/libnss_winbind.so.2
>>>>>> lrwxrwxrwx 1 root root 40 Oct 11 21:21 /lib64/libnss_winbind.so.2 -> /usr/local/samba/lib/libnss_winbind.so.2
>>>>>> [root@cln-files-prod kr]# ls -lt /lib64/libnss_winbind.so
>>>>>> lrwxrwxrwx 1 root root 26 Oct 11 21:21 /lib64/libnss_winbind.so -> /lib64/libnss_winbind.so.2
>>>>> This is on fedora if I remember correctly, so have you installed these
>>>>> packages:
>>>>>
>>>>> samba samba-winbind samba-winbind-clients oddjob-mkhomedir
>>>>>
>>>>> Rowland
>>>>>
>>>> Actually it is
>>>>
>>>> CentOS 7
>>>>
>>>> Samba 4.11.13 built from source on AD and member server
>>>>
>>>> Does the Samba build on the client include everything needed or do I
>>>> still need to add some package?
>>> Yes, if you built Samba by './configure && make && make install' follow
>>> the wiki, as everything should be in /usr/local/samba.
>> I built it using the commands above following the wiki to build from
>> source.
>>
>> - built from source
>> - AD was migrated from Samba NT4 Domain
>> - DNS is Bind9 external DNS server
>> - everything seems to work on the AD
>> - DNS works from linux Samba member server
>> - linux Samba member setup following wiki here
>>   https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>> - joined using "# net ads join -U administrator"
>> - wbinfo seems to work fine
>>
>> [root@cln-files-prod kr]# wbinfo --ping-dc
>> checking the NETLOGON for domain[LOCAL] dc connection to "ss-prod.local.SAMDOM.com" succeeded
>>
>> - wbinfo -g lists the domain groups
>> - wbinfo -u lists the domain users
>> - getent passwd tech - tech is a domain user that is not a local user.
>>   This returns nothing on the domain member. Returns expected result on the AD
>> - getent passwd local\\tech - also does not return anything on the member
>>   server, but works fine on the AD
>>
>> kr
> Please post the output of 'testparm -s' run on the Unix domain member

[root@cln-files-prod kr]# testparm -s
Load smb config files from /usr/local/samba/etc/smb.conf
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
	dedicated keytab file = /etc/krb5.keytab
	disable spoolss = Yes
	kerberos method = secrets and keytab
	load printers = No
	printcap name = /dev/null
	realm = LOCAL.SAMDOM.COM
	security = ADS
	username map = /usr/local/samba/user.map
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = LOCAL
	idmap config * : backend = tdb
	map acl inherit = Yes
	printing = bsd
	vfs objects = acl_xattr

Is the line above "ERROR: Invalid idmap range for domain *!" a problem?

Also per request from Louis:

[root@ss-prod kr]# getent passwd local\\tech
LOCAL\tech:*:3000020:100::/home/LOCAL/tech:/bin/false

kr

> >> kr
> > Please post the output of 'testparm -s' run on the Unix domain member
> [root@cln-files-prod kr]# testparm -s
> Load smb config files from /usr/local/samba/etc/smb.conf
> Loaded services file OK.
> idmap range not specified for domain '*'
> ERROR: Invalid idmap range for domain *!
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
> 	dedicated keytab file = /etc/krb5.keytab
> 	disable spoolss = Yes
> 	kerberos method = secrets and keytab
> 	load printers = No
> 	printcap name = /dev/null
> 	realm = LOCAL.SAMDOM.COM
> 	security = ADS
> 	username map = /usr/local/samba/user.map
> 	winbind enum groups = Yes
> 	winbind enum users = Yes
> 	winbind refresh tickets = Yes
> 	winbind use default domain = Yes
> 	workgroup = LOCAL
> 	idmap config * : backend = tdb
> 	map acl inherit = Yes
> 	printing = bsd
> 	vfs objects = acl_xattr
>
> Is the line above "ERROR: Invalid idmap range for domain *!" a problem?
>
> Also per request from Louis:
>
> [root@ss-prod kr]# getent passwd local\\tech
> LOCAL\tech:*:3000020:100::/home/LOCAL/tech:/bin/false
>
> kr
>

That's a bit what I expected to see. Missing backend settings and overlapping system GIDs. So this is a migration from PDC to AD, I'm thinking (I didn't follow it completely).

You're missing, from the link below, "Choose backend for id mapping in winbindd":
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

And quick link set:
https://wiki.samba.org/index.php/Idmap_config_rid

Which reflects onto your config as:

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config LOCAL: backend = rid
idmap config LOCAL: range = 10000-999999

Now, you will be seeing/getting a "small" problem. The user's GID is 100, that's the linux group, where Samba starts with 10000 by default in the above example. That needs a fix and that also involves resetting your ACLs later on.

Greetz,

Louis
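As an added example (not from this thread and not Samba's own code), the following Python check applies the two rules Louis's reply relies on to `testparm -s` style output: every idmap domain, including the default `*`, needs both a backend and a range, and no range may overlap another range or the host's locally assigned UID/GID space. The two embedded samples are constructed from the member server's config before and after the wiki lines are added; `LOCAL_ID_MAX`, the function names and the message wording are my own assumptions, not Samba's.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `testparm -s` output, reduced to the relevant lines.
# It mirrors the member server in the thread: only the default domain is
# configured and it has no range, which is what testparm complained about.
SAMPLE_BEFORE = """\
[global]
    realm = LOCAL.SAMDOM.COM
    security = ADS
    workgroup = LOCAL
    idmap config * : backend = tdb
"""

# The same server after adding the lines quoted from the Idmap_config_rid page.
SAMPLE_AFTER = """\
[global]
    realm = LOCAL.SAMDOM.COM
    security = ADS
    workgroup = LOCAL
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config LOCAL: backend = rid
    idmap config LOCAL: range = 10000-999999
"""

# Matches 'idmap config DOMAIN : option = value' (whitespace around ':' optional).
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)

# Assumed upper bound of IDs that /etc/passwd and /etc/group hand out locally on
# a CentOS 7 host; confirm against UID_MAX/GID_MAX in /etc/login.defs.
LOCAL_ID_MAX = 999


def parse_idmap(config_text: str) -> Dict[str, Dict[str, str]]:
    """Collect every idmap line as {domain: {option: value}}."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in config_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
            domains.setdefault(domain, {})[option] = value
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    """'3000-7999' -> (3000, 7999); raises ValueError for anything else."""
    low, high = text.split("-", 1)
    return int(low), int(high)


def check_idmap(config_text: str, workgroup: str) -> List[str]:
    """Return the problems found; an empty list means the idmap layout is sane."""
    problems: List[str] = []
    domains = parse_idmap(config_text)
    if "*" not in domains:
        problems.append("no 'idmap config *' block for the default domain")
    if workgroup not in domains:
        problems.append(f"no 'idmap config {workgroup}' block: domain users get no IDs")
    ranges: Dict[str, Tuple[int, int]] = {}
    for domain, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"domain '{domain}': backend not set")
        if "range" not in opts:
            problems.append(f"domain '{domain}': range not specified")
            continue
        try:
            low, high = parse_range(opts["range"])
        except ValueError:
            problems.append(f"domain '{domain}': unparsable range {opts['range']!r}")
            continue
        if low > high:
            problems.append(f"domain '{domain}': range {low}-{high} is reversed")
        if low <= LOCAL_ID_MAX:
            problems.append(f"domain '{domain}': range {low}-{high} overlaps local system IDs (<= {LOCAL_ID_MAX})")
        ranges[domain] = (low, high)
    # Pairwise overlap test between every configured range.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a_low, a_high), (b_low, b_high) = ranges[a], ranges[b]
            if a_low <= b_high and b_low <= a_high:
                problems.append(f"ranges of '{a}' ({a_low}-{a_high}) and '{b}' ({b_low}-{b_high}) overlap")
    return problems


def id_owner(id_number: int, config_text: str) -> Optional[str]:
    """Name the idmap domain whose range contains a UID/GID, or None for a local ID."""
    for domain, opts in parse_idmap(config_text).items():
        if "range" in opts:
            low, high = parse_range(opts["range"])
            if low <= id_number <= high:
                return domain
    return None


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"{label}: {check_idmap(text, 'LOCAL') or 'OK'}")
    # GID 100 from the getent output sits below every winbind range: a local group.
    print("owner of gid 100:", id_owner(100, SAMPLE_AFTER))
```

On a real member server you would feed the output of `testparm -s` into `check_idmap` together with the `workgroup` value; `id_owner` answers the question Louis raises about the user's GID, since an ID outside every configured range cannot have been allocated by winbind.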