Alex
2021-Dec-22 16:34 UTC
[Samba] Authentication issue after updating samba on CentOS 7 (from yum)
Hello Rowland,

Thank you for your prompt reply!

[skip]

>> smb.conf:
>> [global]
>> workgroup = DOMAIN
>> server string = vm-corp
>> netbios name = VM-CORP
>> realm = DOMAIN.BIZ
>> security = ads
>> template shell = /sbin/nologin
> So, your users never log into the server directly, just via Samba.

Most users don't. Some of them that are allowed have a shell defined in the AD (loginShell attribute).

>> idmap config * : backend = tdb
>> idmap config * : range = 16777216-33554431
> Is there some reason for that range ? It will allow you 16777215 users
> & groups for something that requires only about 200.

I think it's a legacy. Don't remember why it's here. I'll try to remove it.

>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:range = 400-999999
> Again why the strange range, do you have users & groups with uidNumber
> & gidNumber attributes that low ?

This is also a legacy thing. There are users in the AD with uidNumber starting from 400.

>> idmap config DOMAIN:unix_primary_group = yes
> Do your users have gidNumber attributes.

Yes, they do. This came from MS Services for Unix.

>> idmap config DOMAIN:unix_nss_info = yes
> This is interesting, you only need that if your users have a
> unixHomeDirectory attribute (at least), yet you are not using '[homes]'
> below.

Yes, they do have the unixHomeDirectory attribute.

>> winbind use default domain = true
>> winbind offline logon = false
>> winbind enum users = Yes
>> winbind enum groups = Yes
> You do not need the 'enum' lines, it works without them.

There was an issue w/o the enum lines. Unfortunately, I don't remember exactly what it was, probably couldn't retrieve groups from the AD with the "getent group" command.

>> [username]
>> comment = username's home
>> path = /home/username
>> read only = No
>> create mode = 0660
>> valid users = username
> As noted above, why are you not using '[homes]' ?

It's b/c most users are prohibited from using this server. So, I allowed homes on this server for just a few of them directly.

>> I tried to create the username_map_script.sh and add the following
>> lines (as mentioned in
>> https://bugzilla.samba.org/show_bug.cgi?id=14901):
>> min domain uid = 500
> Try changing the '500' to '0'
>> username map script = /etc/samba/username_map_script.sh
> Change that to:
> username map script = /etc/samba/user.map
> Create /etc/samba/user.map containing:
> !root = DOMAIN\Administrator

Assuming you meant "username map = /etc/samba/user.map" here. I did both (changed min uid to 0 and set a user.map file) - still can't log in :(

--
Best regards,
Alexander Kolesnik
Rowland Penny
2021-Dec-22 17:05 UTC
[Samba] Authentication issue after updating samba on CentOS 7 (from yum)
On Wed, 2021-12-22 at 19:34 +0300, Alex wrote:
> Hello Rowland,
>
> Thank you for your prompt reply!
>
> [skip]
> > > smb.conf:
> > > [global]
> > > workgroup = DOMAIN
> > > server string = vm-corp
> > > netbios name = VM-CORP
> > > realm = DOMAIN.BIZ
> > > security = ads
> > > template shell = /sbin/nologin
> > So, your users never log into the server directly, just via Samba.
>
> Most users don't. Some of them that are allowed have a shell defined
> in the AD (loginShell attribute).

Sounds reasonable

> > > idmap config * : backend = tdb
> > > idmap config * : range = 16777216-33554431
> > Is there some reason for that range ? It will allow you 16777215
> > users
> > & groups for something that requires only about 200.
>
> I think it's a legacy. Don't remember why it's here. I'll try to
> remove it.

You are probably stuck with it.

> > > idmap config DOMAIN:backend = ad
> > > idmap config DOMAIN:schema_mode = rfc2307
> > > idmap config DOMAIN:range = 400-999999
> > Again why the strange range, do you have users & groups with
> > uidNumber
> > & gidNumber attributes that low ?
>
> This is also a legacy thing. There are users in the AD with uidNumber
> starting from 400.

Okay, I was just checking, some people think they need a range like that because they are using the winbind 'ad' backend, but they don't actually add any RFC2307 attributes to AD.

> > > idmap config DOMAIN:unix_primary_group = yes
> > Do your users have gidNumber attributes.
>
> Yes, they do. This came from MS Services for Unix.

Have you actually checked? MS-SFU didn't add a gidNumber attribute to users unless you told it to.

> > > idmap config DOMAIN:unix_nss_info = yes
> > This is interesting, you only need that if your users have a
> > unixHomeDirectory attribute (at least), yet you are not using
> > '[homes]'
> > below.
>
> Yes, they do have the unixHomeDirectory attribute.
>
> > > winbind use default domain = true
> > > winbind offline logon = false
> > > winbind enum users = Yes
> > > winbind enum groups = Yes
> > You do not need the 'enum' lines, it works without them.
>
> There was an issue w/o the enum lines. Unfortunately, I don't
> remember exactly what it was, probably couldn't retrieve groups from
> the AD with the "getent group" command.

Adding those lines would not fix such a problem, either it would work or it wouldn't. All those lines do is get 'getent passwd' to display all users and 'getent group' to display all groups, along with slowing everything down.

> > > [username]
> > > comment = username's home
> > > path = /home/username
> > > read only = No
> > > create mode = 0660
> > > valid users = username
> > As noted above, why are you not using '[homes]' ?
>
> It's b/c most users are prohibited from using this server. So, I
> allowed homes on this server for just a few of them directly.

So does that mean you have multiple '[username]' shares in smb.conf ?

> > > I tried to create the username_map_script.sh and add the
> > > following
> > > lines (as mentioned in
> > > https://bugzilla.samba.org/show_bug.cgi?id=14901):
> > > min domain uid = 500
> > Try changing the '500' to '0'
> > > username map script = /etc/samba/username_map_script.sh
> > Change that to:
> > username map script = /etc/samba/user.map
> > Create /etc/samba/user.map containing:
> > !root = DOMAIN\Administrator
>
> Assuming you meant "username map = /etc/samba/user.map" here.

Yes, I did, sorry for the mistake.

> I did both (changed min uid to 0 and set a user.map file) -
> still can't log in :(

This is very strange, I am using Samba 4.15.3 with this smb.conf and I can log in:

[global]
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.EXAMPLE.COM
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Samba Client %h
    winbind use default domain = yes
    winbind expand groups = 2
    winbind refresh tickets = Yes
    disable netbios = yes
    dns proxy = no
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/%U
    username map = /etc/samba/user.map
    vfs objects = acl_xattr
    map acl inherit = Yes
    # Comment the following 4 lines to act as a print server
    printcap name = /dev/null
    load printers = no
    disable spoolss = yes
    printing = bsd
    # logging
    log file = /var/log/samba/%m.log
    logging = file
    log level = auth_audit:3@/var/log/samba/auth.log auth_json_audit:4@/var/log/samba/json/auth.log
    min domain uid = 0

Rowland
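An added example, not code from either poster: a small Python checker that reads the idmap lines of an smb.conf [global] section and flags the two layout problems this thread turns on, a domain range that starts below 'min domain uid' (the option Samba 4.15 introduced with a default of 1000, so uidNumbers from 400 are refused until it is lowered) and idmap ranges that overlap. The sample config is constructed from the ranges quoted above, with a hypothetical TRUSTED domain added so the overlap check has something to report.

```python
import re

# Constructed sample (not the poster's smb.conf): the idmap layout from the
# thread plus a hypothetical TRUSTED domain whose range collides with DOMAIN.
SAMPLE_SMB_CONF = """
[global]
    workgroup = DOMAIN
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 16777216-33554431
    idmap config DOMAIN:backend = ad
    idmap config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range = 400-999999
    idmap config TRUSTED : backend = rid
    idmap config TRUSTED : range = 500000-1500000
"""

# "idmap config <domain> : <option> = <value>"; whitespace around ':' is optional.
IDMAP_RE = re.compile(r"^idmap config\s*(\S+?)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)

def parse_global(conf):
    """Return ({domain: {option: value}}, {other option: value}) from [global]."""
    idmap, other, section = {}, {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # smb.conf comments start with # or ;
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and (m := IDMAP_RE.match(line)):
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
        elif section == "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            other[key.lower()] = value
    return idmap, other

def check_idmap(conf, default_min_domain_uid=1000):
    """Return a list of findings; [] means the idmap layout looks consistent.
    Samba 4.15 added 'min domain uid' (default 1000): domain users mapped to a
    uid below it are refused, which is the failure mode discussed in the thread."""
    idmap, other = parse_global(conf)
    min_uid = int(other.get("min domain uid", default_min_domain_uid))
    findings, spans = [], []
    for dom, opts in sorted(idmap.items()):
        if "backend" not in opts or "range" not in opts:
            findings.append(f"{dom}: needs both 'backend' and 'range'")
            continue
        low, high = (int(x) for x in opts["range"].split("-"))
        if low >= high:
            findings.append(f"{dom}: empty range {low}-{high}")
        if dom != "*" and low < min_uid:
            findings.append(f"{dom}: range starts at {low}, below min domain uid {min_uid}")
        spans.append((dom, low, high))
    for i, (d1, lo1, hi1) in enumerate(spans):  # every pair of ranges must be disjoint
        for d2, lo2, hi2 in spans[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"{d1} and {d2}: idmap ranges overlap")
    return findings
```

Run against a live file with `check_idmap(open("/etc/samba/smb.conf").read())`; an empty list means the ranges are disjoint and none of them starts below the effective 'min domain uid'.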