On Sun, 2021-11-14 at 11:39 -0500, Philip Cunio wrote:
> Yes, winbindd is running.

What about the rest of my comments ???

Rowland

> On Sun, Nov 14, 2021 at 10:51 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> > On Sun, 2021-11-14 at 10:17 -0500, Philip Cunio via samba wrote:
> > > We have just made the required changes to implement SMB Signing. We are
> > > now using LDAP/Kerberos to authenticate users.
> >
> > You might be, but I doubt Samba is, is winbind running?
> >
> > > We joined the SAMBA server to the domain via net ads join .... command.
> > > Everything works except that the add user script feature doesn't seem to
> > > work consistently.
> >
> > I am surprised it works at all, that is really meant for the older
> > NT4-style domains.
> >
> > > I can manually add users to the local AIX machine
> >
> > Ah, but you shouldn't be, all your users should be in AD and not in
> > /etc/passwd
> >
> > > with the same script and the user can then map their drives. However,
> > > SAMBA does not do it automatically per design. Below is the Global
> > > section from my smb.conf. Any assistance would be greatly appreciated.
> > > I have obfuscated portions for security
> > >
> > > [global]
> > > workgroup = INM
> > > realm = INMAR.COM
> > > interfaces = 99.999.999.999
> > > netbios name = AAAAAA
> > > netbios aliases = BBBBBB
> >
> > You do not use 'netbios aliases' with AD, you use a CNAME in dns
> > instead.
> >
> > > security = ADS
> > > add user script = /usr/sbin/smbusradd -g usr -G usr %u
> > > log file = /var/samba/log/log.%m
> > > log level = 3 passdb:5 auth:5
> > > wins server = xxxxxxx.inmar.com
> >
> > Sorry, but you do not use 'wins' with AD, you use dns instead.
> >
> > > password server = xxxxxxx.inmar.com
> >
> > Do not set that, allow Samba to find the best DC to use.
> >
> > > socket address = 99.999.999.999
> >
> > Try reading 'man smb.conf', that parameter is a synonym for a
> > deprecated parameter.
> >
> > > server min protocol = SMB2
> > > server signing = mandatory
> > > create mask = 0666
> >
> > You are missing the 'idmap config' lines, without which, nothing is
> > going to work correctly, try reading this:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> > Rowland
Philip Cunio
2021-Nov-14 19:14 UTC
[Samba] [EXTERNAL] Re: Server Mandatory SMB Signing Not Working
Yes, working on those. We need local accounts created as we have issues
using uid ranges out of AD. Does the idmap replace the add user script
functionality? That's why the add user script is useful for us - when it
works. Does the idmap replace the add user script functionality? Also, does
having winbindd running override the add user script?

Thanks,
Phil

On Sun, Nov 14, 2021 at 11:44 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Sun, 2021-11-14 at 11:39 -0500, Philip Cunio wrote:
> > Yes, winbindd is running.
>
> What about the rest of my comments ???
>
> Rowland
>
> > On Sun, Nov 14, 2021 at 10:51 AM Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> > > On Sun, 2021-11-14 at 10:17 -0500, Philip Cunio via samba wrote:
> > > > We have just made the required changes to implement SMB Signing. We are
> > > > now using LDAP/Kerberos to authenticate users.
> > >
> > > You might be, but I doubt Samba is, is winbind running?
> > >
> > > > We joined the SAMBA server to the domain via net ads join .... command.
> > > > Everything works except that the add user script feature doesn't seem to
> > > > work consistently.
> > >
> > > I am surprised it works at all, that is really meant for the older
> > > NT4-style domains.
> > >
> > > > I can manually add users to the local AIX machine
> > >
> > > Ah, but you shouldn't be, all your users should be in AD and not in
> > > /etc/passwd
> > >
> > > > with the same script and the user can then map their drives. However,
> > > > SAMBA does not do it automatically per design. Below is the Global
> > > > section from my smb.conf. Any assistance would be greatly appreciated.
> > > > I have obfuscated portions for security
> > > >
> > > > [global]
> > > > workgroup = INM
> > > > realm = INMAR.COM
> > > > interfaces = 99.999.999.999
> > > > netbios name = AAAAAA
> > > > netbios aliases = BBBBBB
> > >
> > > You do not use 'netbios aliases' with AD, you use a CNAME in dns
> > > instead.
> > >
> > > > security = ADS
> > > > add user script = /usr/sbin/smbusradd -g usr -G usr %u
> > > > log file = /var/samba/log/log.%m
> > > > log level = 3 passdb:5 auth:5
> > > > wins server = xxxxxxx.inmar.com
> > >
> > > Sorry, but you do not use 'wins' with AD, you use dns instead.
> > >
> > > > password server = xxxxxxx.inmar.com
> > >
> > > Do not set that, allow Samba to find the best DC to use.
> > >
> > > > socket address = 99.999.999.999
> > >
> > > Try reading 'man smb.conf', that parameter is a synonym for a
> > > deprecated parameter.
> > >
> > > > server min protocol = SMB2
> > > > server signing = mandatory
> > > > create mask = 0666
> > >
> > > You are missing the 'idmap config' lines, without which, nothing is
> > > going to work correctly, try reading this:
> > >
> > > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > >
> > > Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
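The exchange above boils down to a handful of smb.conf parameters that do not belong on an AD domain member (wins server, password server, netbios aliases, socket address, and an add user script that was meant for NT4-style domains) and one block that is missing (the idmap config lines). The script below is an added example, not code from the thread or from the Samba project: it lints a [global] section for exactly those points and carries a corrected section beside the posted one. The domain name INM and realm INMAR.COM come from the thread; the idmap backend and ranges, the template settings and winbind use default domain are assumed sample values for the example, not settings anyone in the thread gave.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): lint an smb.conf
# [global] section for the domain-member problems raised in the thread.
# Assumptions: domain INM / realm INMAR.COM as posted; idmap ranges, template
# settings and winbind use default domain are sample values for illustration.

# [global] as posted in the thread (constructed copy, obfuscated values kept).
PROBLEM_CONF='[global]
workgroup = INM
realm = INMAR.COM
interfaces = 99.999.999.999
netbios name = AAAAAA
netbios aliases = BBBBBB
security = ADS
add user script = /usr/sbin/smbusradd -g usr -G usr %u
log file = /var/samba/log/log.%m
log level = 3 passdb:5 auth:5
wins server = xxxxxxx.inmar.com
password server = xxxxxxx.inmar.com
socket address = 99.999.999.999
server min protocol = SMB2
server signing = mandatory
create mask = 0666'

# Same section with the objected-to parameters removed and idmap config added.
# The "*" range covers BUILTIN and other non-domain SIDs, the INM range covers
# domain accounts; the two must not overlap. Ranges are sample values.
FIXED_CONF='[global]
workgroup = INM
realm = INMAR.COM
interfaces = 99.999.999.999
netbios name = AAAAAA
security = ADS
log file = /var/samba/log/log.%m
log level = 3 passdb:5 auth:5
server min protocol = SMB2
server signing = mandatory
create mask = 0666
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config INM : backend = rid
idmap config INM : range = 10000-999999
winbind use default domain = yes
template shell = /bin/sh
template homedir = /home/%U'

# has_param FILE NAME: true if NAME is set (uncommented) in FILE.
has_param() {
  grep -Eiq "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# check_smbconf FILE: print one finding per line; exit 0 only when clean.
check_smbconf() {
  f=$1
  rc=0
  for p in "wins server" "password server" "netbios aliases" "socket address"; do
    if has_param "$f" "$p"; then
      echo "remove: '$p' is not used with security = ADS"
      rc=1
    fi
  done
  if has_param "$f" "add user script"; then
    echo "review: 'add user script' is meant for NT4-style domains; AD users should come from winbind, not /etc/passwd"
    rc=1
  fi
  wg=$(sed -n 's/^[[:space:]]*workgroup[[:space:]]*=[[:space:]]*//p' "$f")
  [ -n "$wg" ] || { echo "missing: workgroup"; rc=1; }
  # Both the "*" default domain and the workgroup need a backend and a range.
  for dom in '*' "$wg"; do
    [ -n "$dom" ] || continue
    case "$dom" in '*') pat='[*]';; *) pat=$dom;; esac
    for key in backend range; do
      if ! grep -Eiq "^[[:space:]]*idmap config $pat *: *$key" "$f"; then
        echo "missing: idmap config $dom : $key"
        rc=1
      fi
    done
  done
  return $rc
}

# finding_count FILE: number of findings, for use in scripts.
finding_count() {
  check_smbconf "$1" | grep -c .
}

# Stand-alone run: lint both sections from temporary files.
d=$(mktemp -d)
printf '%s\n' "$PROBLEM_CONF" > "$d/posted.conf"
printf '%s\n' "$FIXED_CONF" > "$d/fixed.conf"
echo "== posted =="; check_smbconf "$d/posted.conf" || echo "-> not clean"
echo "== fixed ==";  check_smbconf "$d/fixed.conf" && echo "-> clean"
rm -r "$d"
```

On a real server the same checks apply to /etc/samba/smb.conf (or wherever testparm reports the file), after which testparm -s validates the syntax and getent passwd or wbinfo -u shows whether winbind is supplying the AD users, which is the job the add user script was being used to do by hand.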