Hi Michael,
If you found errors, can you send me a copy? I'll update it.
Most appreciated.
And PS:
uid : 0x00000000000003e8 (1000)
<<
primary_gid : 0x00000000000003e8 (1000)
<<
I'm wondering why I see UID 1000 there.
Normally, if you didn't give root a password, you get the first user with sudo
rights.
This user is always UID/GID 1000.
So this will only work if you didn't add any user.
+ what Rowland said. ;-)
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Michael Tokarev via samba
> Sent: Monday, 14 February 2022 14:50
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] making pam_winbind to work
>
> 14.02.2022 16:39, Rowland Penny via samba wrote:
>
> > Just noticed 'debian' in your post, so please go here:
> >
> > https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> I fixed a bunch of errors in this script (mostly assumption that
> nslookup is installed, and also hardcoding Administrator user).
> Here it goes.
>
> Note: it does not include pam configuration which is the most relevant
> here, I think.
>
> Samba packages were rebuilt by me yesterday to include the fix for
> client cache poisoning.
>
> Collected config --- 2022-02-14-16:43 -----------
>
> Hostname: tsrv
> DNS Domain: tls.msk.ru
> FQDN: tsrv.tls.msk.ru
> ipaddress: 192.168.177.2 192.168.177.4 192.168.177.10
>
> -----------
>
> Kerberos SRV _kerberos._tcp.tls.msk.ru record verified ok, sample output:
> _kerberos._tcp.tls.msk.ru. SRV 10 25 88 ai.tls.msk.ru.
> Samba is running as a Unix domain member
> Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
> NAME="Debian GNU/Linux"
> VERSION_ID="11"
> VERSION="11 (bullseye)"
> VERSION_CODENAME=bullseye
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
>
> This computer is running Debian 11.2 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> 7: host0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
> link/ether 42:b3:b3:26:e3:f3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
> inet 192.168.177.2/26 brd 192.168.177.63 scope global host0
> inet 192.168.177.4/26 scope global secondary host0:pvcs
> inet 192.168.177.10/26 scope global secondary host0:vesta
> inet6 fe80::40b3:b3ff:fe26:e3f3/64 scope link
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 192.168.177.2 tsrv.tls.msk.ru tsrv
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> search tls.msk.ru corpit.ru
> nameserver 192.168.177.15
> #nameserver 192.168.177.5
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = TLS.MSK.RU
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> TLS.MSK.RU = {
> kdc = ai.tls.msk.ru
> }
>
>
> [domain_realm]
> .tls.msk.ru = TLS.MSK.RU
> tls.msk.ru = TLS.MSK.RU
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files winbind
> group: files winbind
> shadow: files
>
> hosts: files dns
> networks: files
>
> protocols: files
> services: files
> ethers: files
> rpc: files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> [global]
> server string = %h samba server %v
> netbios name = TSRV
> netbios aliases = LINUX FS
> realm = TLS.MSK.RU
> workgroup = TLS
> server role = member server
> security = ADS
>
> idmap config TLS : backend = ad
> idmap config TLS : range = 1000-3000
> #idmap config TLS : schema_mode = rfc2307 # rfc2307 is the default
> idmap config TLS : unix_primary_group = yes
> template homedir = /home/%U
> template shell = /bin/bash
> idmap config * : backend = tdb
> idmap config * : range = 5000-7000
> winbind use default domain = yes
>
> acl allow execute always = true
>
> interfaces = 192.168.177.2/26 127.0.0.1/8
> bind interfaces only = yes
> allow hosts = 192.168.177.0/26 127.0.0.0/8
>
> hostname lookups = yes
> log file = /var/log/samba/log.%m
> max log size = 1000
> log level = 2
>
> # disable user shares
> usershare max shares = 0
>
> load printers = no
> printing = bsd
> disable spoolss = yes
>
> map hidden = yes
> create mask = 0775
> directory mask = 0775
>
> # unix ext and wide links are incompatible. we need wide links.
> unix extensions = no
> wide links = yes
>
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
>
> [ws]
> comment = TLS Workspace
> path = /ws/ws
> writable = yes
>
> [ekis]
> comment = EKIS RDS
> path = /share/ekis
> writable = no
>
> [stage]
> path = /stage/tmp
> browseable = no
> writable = yes
> short preserve case = yes
>
> [git]
> path = /ws/git
> browseable = no
> writable = yes
> short preserve case = yes
>
> [soft]
> comment = Software
> path = /share/soft
> writable = no
> public = yes
>
> [pkg]
> copy = soft
> browseable = no
>
> [dist]
> copy = soft
> browseable = no
>
> [wpkg]
> comment = WPKG automatic software distribution
> path = /share/wpkg
> browsable = no
> writable = no
> guest ok = yes
>
> [mail-storage]
> comment = Mail storage
> path = /home/mail
> browseable = no
> writable = yes
> guest ok = no
>
> -----------
>
> Running as Unix domain member and no user.map detected.
> This is possible with an auth-only setup, checking also for NFS parts
> -----------
> Warning, /etc/idmapd.conf does not exist
>
> -----------
>
>
> Installed packages:
> ii acl 2.2.53-10 amd64 access control list - utilities
> ii attr 1:2.4.48-6 amd64 utilities for manipulating filesystem extended attributes
> ii krb5-config-dummy 1.0 all dummy version of krb5-config
> ii krb5-user 1.18.3-6+deb11u1 amd64 basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.53-10 amd64 access control list - shared library
> ii libattr1:amd64 1:2.4.48-6 amd64 extended attribute handling - shared library
> ii libdbd-oracle11-perl 1.80-2 amd64 Oracle10g database interface for Perl
> ii libgssapi-krb5-2:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-3:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - Support library
> ii libnss-winbind:amd64 2:4.13.13+dfsg-1~deb11u3.1 amd64 Samba nameservice integration plugins
> ii libpam-winbind:amd64 2:4.13.13+dfsg-1~deb11u3.1 amd64 Windows domain authentication integration plugin
> ii libsmbclient:amd64 2:4.13.13+dfsg-1~deb11u3.1 amd64 shared library for communication with SMB/CIFS servers
> ii libwbclient0:amd64 2:4.13.13+dfsg-1~deb11u3.1 amd64 Samba winbind client library
> ii python3-samba 2:4.13.13+dfsg-1~deb11u3.1 amd64 Python 3 bindings for Samba
> ii samba 2:4.13.13+dfsg-1~deb11u3.1 amd64 SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:4.13.13+dfsg-1~deb11u3.1 all common files used by both the Samba server and client
> ii samba-common-bin 2:4.13.13+dfsg-1~deb11u3.1 amd64 Samba common files used by both the server and the client
> ii samba-dsdb-modules:amd64 2:4.13.13+dfsg-1~deb11u3.1 amd64 Samba Directory Services Database
> ii samba-libs:amd64 2:4.13.13+dfsg-1~deb11u3.1 amd64 Samba core libraries
> ii samba-vfs-modules:amd64 2:4.13.13+dfsg-1~deb11u3.1 amd64 Samba Virtual FileSystem plugins
> ii smbclient 2:4.13.13+dfsg-1~deb11u3.1 amd64 command-line SMB/CIFS clients for Unix
> ii weblogic-forms 11.1.2.2.0-4 amd64 Oracle Forms 11g
> ii winbind 2:4.13.13+dfsg-1~deb11u3.1 amd64 service to resolve user and group information from Windows NT servers
>
> -----------
>
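
Added example, not part of the thread or of samba-collect-debug-info.sh: the quoted smb.conf sets `idmap config TLS : range = 1000-3000`, and the reply above notes that the first local Debian user gets UID 1000, so a quick check is to list local accounts whose UID falls inside any configured idmap range. The function names and the `localadmin` account are assumptions made for the illustration; the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report local accounts whose UID lies
# inside an "idmap config <DOMAIN> : range" defined in smb.conf.

# idmap_ranges SMB_CONF  ->  one "DOMAIN LOW HIGH" line per configured range
idmap_ranges() {
    awk '
        /^[ \t]*[#;]/ { next }    # smb.conf comment lines start with # or ;
        tolower($0) ~ /^[ \t]*idmap[ \t]+config[ \t]+[^:]+:[ \t]*range[ \t]*=/ {
            split($0, kv, "=")
            dom = kv[1]
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", dom)  # drop "idmap config"
            sub(/[ \t]*:.*$/, "", dom)                          # keep only the domain
            gsub(/[ \t]/, "", kv[2])
            split(kv[2], r, "-")
            print dom, r[1] + 0, r[2] + 0
        }' "$1"
}

# uid_collisions SMB_CONF PASSWD  ->  "USER UID DOMAIN LOW-HIGH" per overlap
uid_collisions() {
    idmap_ranges "$1" | while read -r dom lo hi; do
        awk -F: -v dom="$dom" -v lo="$lo" -v hi="$hi" \
            '$3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1, $3, dom, lo "-" hi }' "$2"
    done
}

# Constructed sample input: the idmap lines quoted in the thread plus a
# made-up passwd file with a first local user at UID 1000.
make_sample() {
    cat > "$1/smb.conf" <<'EOF'
[global]
    idmap config TLS : backend = ad
    idmap config TLS : range = 1000-3000
    #idmap config TLS : schema_mode = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 5000-7000
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
localadmin:x:1000:1000:first local user:/home/localadmin:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
uid_collisions "$tmp/smb.conf" "$tmp/passwd"
rm -rf "$tmp"
```

On a real member server, call `uid_collisions /etc/samba/smb.conf /etc/passwd`; any line printed is a local account that shares a UID with the domain's mapped range.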