Dear list,

I'm using SAMBA 4.16.2 on an openSUSE Leap 15.4 platform as a domain member, but I'm unable to get "winbind -r" to work. Also the linux "groups" command shows local groups only (as a result?).

When running "winbind -r DOM+username" I'm getting the following error in the logs:

Jun 21 09:02:23 lftworkli06 winbindd[12376]: [2022/06/21 09:02:23.768314,  0] ../../source3/winbindd/winbindd_samr.c:72(open_internal_samr_conn)
Jun 21 09:02:23 lftworkli06 winbindd[12376]:   open_internal_samr_conn: Could not connect to samr pipe: NT_STATUS_CONNECTION_DISCONNECTED

smb.conf

[global]

   netbios name = lftworkli06
   security = ADS
   workgroup = ILRW
   realm = ILRW.ING.DOM.TU-DRESDEN.DE
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   #rpc start on demand helpers = false

   template homedir = /home/home_ilrw/%U
   template shell = /bin/bash

   winbind refresh tickets = yes
   winbind separator = +

   idmap config * : backend = tdb
   idmap config * : range = 2000-2999
   idmap config ILRW : backend = rid
   idmap config ILRW : range = 3000-9999 # UID from RID for ILRW
   idmap config DOM : backend = rid
   idmap config DOM : range = 10000-9999999 # UID from RID for DOM

krb.conf

[libdefaults]
       default_realm = ILRW.ING.DOM.TU-DRESDEN.DE
       dns_lookup_realm = false
       dns_lookup_kdc = true
       ticket_lifetime = 24h
       renew_lifetime = 7d
       forwardable = true

[realms]
  ILRW.ING.DOM.TU-DRESDEN.DE = {
       auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
       auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
       auth_to_local = DEFAULT
  }
  DOM.TU-DRESDEN.DE = {
       auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
       auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
       auth_to_local = DEFAULT
  }

-- 
Andreas Hauffe
On Tue, 2022-06-21 at 09:22 +0200, Andreas Hauffe via samba wrote:
> Dear list,
> 
> I'm using SAMBA 4.16.2 on an openSUSE Leap 15.4 platform as a domain
> member, but I'm unable to get "winbind -r" to work. Also the linux
> "groups" command shows local groups only (as a result?).
> 
> When running "winbind -r DOM+username" I'm getting the following
> error in the logs:
> 
> Jun 21 09:02:23 lftworkli06 winbindd[12376]: [2022/06/21
> 09:02:23.768314,  0]
> ../../source3/winbindd/winbindd_samr.c:72(open_internal_samr_conn)
> Jun 21 09:02:23 lftworkli06 winbindd[12376]:
> open_internal_samr_conn:
> Could not connect to samr pipe: NT_STATUS_CONNECTION_DISCONNECTED

Samba 4.16 moved the internal SAMR implementation from a shared library to an internally executed binary. Your packaging (Debian was caught likewise) may not have caught up with this, and may not have it as a strict dependency. Check if installing more bits of samba fixes your issue.

> smb.conf
> 
> [global]
> 
>    netbios name = lftworkli06
>    security = ADS
>    workgroup = ILRW
>    realm = ILRW.ING.DOM.TU-DRESDEN.DE
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
> 
>    #rpc start on demand helpers = false
> 
>    template homedir = /home/home_ilrw/%U
>    template shell = /bin/bash
> 
>    winbind refresh tickets = yes
>    winbind separator = +
> 
>    idmap config * : backend = tdb
>    idmap config * : range = 2000-2999
>    idmap config ILRW : backend = rid
>    idmap config ILRW : range = 3000-9999 # UID from RID for ILRW
>    idmap config DOM : backend = rid
>    idmap config DOM : range = 10000-9999999 # UID from RID for DOM
> 
> krb.conf
> 
> [libdefaults]
>        default_realm = ILRW.ING.DOM.TU-DRESDEN.DE
>        dns_lookup_realm = false
>        dns_lookup_kdc = true
>        ticket_lifetime = 24h
>        renew_lifetime = 7d
>        forwardable = true
> 
> [realms]
>   ILRW.ING.DOM.TU-DRESDEN.DE = {
>        auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
>        auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
>        auth_to_local = DEFAULT
>   }
>   DOM.TU-DRESDEN.DE = {
>        auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
>        auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
>        auth_to_local = DEFAULT
>   }

I would warn you to look at the first few slides of:

https://sambaxp.org/fileadmin/user_upload/sambaxp2022-Slides/Bartlett-Kerberos.pdf
https://www.youtube.com/watch?v=1BnraIAcybg

Name-based authorization in AD can be very dangerous if domain users are mapped to local users without any DOM\ prefix. Accounts can be created in the domain via machineAccountQuota that match sensitive local users, like root.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)         https://samba.org/~abartlet/
Samba Team Member (since 2001)   https://samba.org
Samba Team Lead, Catalyst IT     https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
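As an added illustration of the warning above (example code written for this page, not code from Andrew, from Samba or from MIT krb5): a small Python model of how the auth_to_local RULE lines in the posted krb5.conf turn a Kerberos principal into a local user name, placed next to a hypothetical "strip the realm" rule of the kind that makes name-based authorization dangerous. The model assumes the documented MIT semantics: [n:string] builds a selection string from the realm ($0) and the n principal components ($1..$n), the regexp is taken to have to match that whole selection string, the s/pattern/replacement/ is then applied to it, and DEFAULT keeps the bare name only for single-component principals of default_realm. The principal root@DOM.TU-DRESDEN.DE is a constructed example of a domain account whose name collides with a local user; the " at " in the archived rules is the list software obfuscating "@" and is written as "@" here.

```python
import re

DEFAULT_REALM = "ILRW.ING.DOM.TU-DRESDEN.DE"

# The auth_to_local lines from the krb5.conf posted in this thread. Both
# [realms] sections carry the same three lines, so one list serves both
# realms in this model.
POSTED_RULES = [
    r"RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/",
    r"RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/",
    "DEFAULT",
]

# Hypothetical "strip the realm" mapping, NOT from the thread: the kind of
# rule that lets a domain account named like a local user become that user.
UNSAFE_RULES = [
    r"RULE:[1:$1@$0](.*@DOM\.TU-DRESDEN\.DE)s/@.*//",
    "DEFAULT",
]

# RULE:[n:selector](regexp)s/pattern/replacement/[g]
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)$"
)


def split_principal(principal):
    """'host/lftworkli06@REALM' -> (['host', 'lftworkli06'], 'REALM')."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_rule(rule, components, realm):
    """Local name produced by one RULE line, or None if the rule does not apply."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported auth_to_local syntax: " + rule)
    ncomp, selector, regexp, pattern, repl, gflag = m.groups()
    if len(components) != int(ncomp):
        return None
    # $0 is the realm, $1..$n are the principal components.
    values = [realm] + components
    selection = re.sub(r"\$(\d+)", lambda s: values[int(s.group(1))], selector)
    # Assumption of this model: the regexp must match the whole selection
    # string, not merely a substring of it.
    if re.fullmatch(regexp, selection) is None:
        return None
    # sed-style s///; only plain replacement text is modelled, no & or \1.
    return re.sub(pattern, repl, selection, count=0 if gflag else 1)


def aname_to_localname(principal, rules=POSTED_RULES, default_realm=DEFAULT_REALM):
    """First matching rule wins; None means krb5 would refuse to map the principal."""
    components, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT: the bare name, but only for a single-component
            # principal of the default realm.
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for principal in ("hauffe@ILRW.ING.DOM.TU-DRESDEN.DE",
                      "hauffe@DOM.TU-DRESDEN.DE",
                      "root@DOM.TU-DRESDEN.DE",   # constructed collision case
                      "host/lftworkli06@ILRW.ING.DOM.TU-DRESDEN.DE"):
        print(f"{principal:46} posted rules -> {aname_to_localname(principal)!s:12}"
              f" realm-stripping rule -> {aname_to_localname(principal, UNSAFE_RULES)}")
```

With the posted rules every single-component principal from either realm comes out as ILRW+name or DOM+name, so a domain-created "root" lands on DOM+root and never on the local root account; with the realm-stripping rule the same principal maps straight to "root", which is the collision Andrew describes. Note that these rules only matter for Kerberos-aware services that call krb5_aname_to_localname (sshd with GSSAPI, for example); winbind's own UID mapping is governed by the idmap settings in smb.conf.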
On Tue, 2022-06-21 at 09:22 +0200, Andreas Hauffe via samba wrote:
> Dear list,
> 
> I'm using SAMBA 4.16.2 on an openSUSE Leap 15.4 platform as a domain
> member, but I'm unable to get "winbind -r" to work. Also the linux
> "groups" command shows local groups only (as a result?).
> 
> When running "winbind -r DOM+username"

Do you mean 'wbinfo -r DOM+username'?

Have you set up trusts between ILRW and DOM?

Where did you get 4.16.2 from?

Rowland
Hi,

I was able to solve the problem with the help of people in the openSUSE bug list (https://bugzilla.opensuse.org/show_bug.cgi?id=1200754). In fact it was an AppArmor problem, which prevented samba-dcerpcd and so on from working correctly. Now all user groups are listed.

Regards,

-- 
Andreas Hauffe

On 21.06.22 at 09:22, Andreas Hauffe via samba wrote:
> Dear list,
> 
> I'm using SAMBA 4.16.2 on an openSUSE Leap 15.4 platform as a domain
> member, but I'm unable to get "winbind -r" to work. Also the linux
> "groups" command shows local groups only (as a result?).
> 
> When running "winbind -r DOM+username" I'm getting the following error
> in the logs:
> 
> Jun 21 09:02:23 lftworkli06 winbindd[12376]: [2022/06/21
> 09:02:23.768314,  0]
> ../../source3/winbindd/winbindd_samr.c:72(open_internal_samr_conn)
> Jun 21 09:02:23 lftworkli06 winbindd[12376]:
>   open_internal_samr_conn: Could not connect to samr pipe:
> NT_STATUS_CONNECTION_DISCONNECTED
> 
> smb.conf
> 
> [global]
> 
>    netbios name = lftworkli06
>    security = ADS
>    workgroup = ILRW
>    realm = ILRW.ING.DOM.TU-DRESDEN.DE
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
> 
>    #rpc start on demand helpers = false
> 
>    template homedir = /home/home_ilrw/%U
>    template shell = /bin/bash
> 
>    winbind refresh tickets = yes
>    winbind separator = +
> 
>    idmap config * : backend = tdb
>    idmap config * : range = 2000-2999
>    idmap config ILRW : backend = rid
>    idmap config ILRW : range = 3000-9999 # UID from RID for ILRW
>    idmap config DOM : backend = rid
>    idmap config DOM : range = 10000-9999999 # UID from RID for DOM
> 
> krb.conf
> 
> [libdefaults]
>        default_realm = ILRW.ING.DOM.TU-DRESDEN.DE
>        dns_lookup_realm = false
>        dns_lookup_kdc = true
>        ticket_lifetime = 24h
>        renew_lifetime = 7d
>        forwardable = true
> 
> [realms]
>   ILRW.ING.DOM.TU-DRESDEN.DE = {
>        auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
>        auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
>        auth_to_local = DEFAULT
>   }
>   DOM.TU-DRESDEN.DE = {
>        auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
>        auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
>        auth_to_local = DEFAULT
>   }
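For anyone hitting the same symptom, the triage step that the resolution above implies, as an added example (written for this page, not code from the thread, from Samba or from the openSUSE bug): a Python filter that reads AppArmor audit messages in the format the kernel emits (apparmor="DENIED" key=value lines, as shown by dmesg or journalctl -k) and reports which confined profile denied what to a Samba component. The log lines embedded below are constructed for the example; the samba-dcerpcd path, the ncalrpc socket path, PIDs and timestamps are made up and will differ on a real openSUSE system.

```python
import re
from collections import Counter

# Constructed sample of AppArmor kernel audit messages. Paths, PIDs and
# timestamps are invented for this example and not taken from the thread.
SAMPLE_LOG = """\
[ 1234.567890] audit: type=1400 audit(1655794943.768:101): apparmor="DENIED" operation="exec" profile="/usr/sbin/winbindd" name="/usr/lib/samba/samba-dcerpcd" pid=12376 comm="winbindd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 1234.567901] audit: type=1400 audit(1655794943.770:102): apparmor="DENIED" operation="connect" profile="/usr/sbin/winbindd" name="/run/samba/ncalrpc/np/samr" pid=12376 comm="winbindd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[ 1234.567912] audit: type=1400 audit(1655794943.771:103): apparmor="ALLOWED" operation="open" profile="/usr/sbin/winbindd" name="/etc/krb5.keytab" pid=12376 comm="winbindd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1234.567923] audit: type=1400 audit(1655794944.001:104): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/printers.conf" pid=999 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1234.567934] kernel line without any AppArmor content
"""

# Substrings that identify a Samba process or a Samba-owned path.
SAMBA_MARKERS = ("samba", "winbindd", "smbd", "nmbd", "rpcd_", "ncalrpc")

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict,
    or None if the line is not an AppArmor message."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = bare if bare else quoted
    return fields


def samba_denials(log_text):
    """All DENIED events where the confined profile, the target path or the
    process name points at a Samba component."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get("apparmor") != "DENIED":
            continue
        haystack = " ".join((ev.get("profile", ""), ev.get("name", ""), ev.get("comm", "")))
        if any(marker in haystack for marker in SAMBA_MARKERS):
            hits.append(ev)
    return hits


def summarize(events):
    """Count denials per (profile, operation, target, denied_mask); each
    distinct tuple is one access the profile currently lacks."""
    counts = Counter(
        (ev.get("profile", "?"), ev.get("operation", "?"),
         ev.get("name", "?"), ev.get("denied_mask", "?"))
        for ev in events
    )
    return sorted(counts.items())


if __name__ == "__main__":
    import sys
    # Read real audit output from stdin when piped in, else use the sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for (profile, op, target, mask), n in summarize(samba_denials(text)):
        print(f"{n:4}x {profile}: {op} {target} (denied_mask={mask})")
```

Run as `journalctl -k | python3 aa_samba_triage.py` on the affected host. On the constructed sample it reports the exec denial of samba-dcerpcd under the winbindd profile and the denied connect to the samr socket, which is the kind of denial that leaves winbindd unable to reach its internal SAMR pipe; an ALLOWED line (complain mode) and a denial against an unrelated daemon are filtered out. The fix then belongs in the AppArmor profile (aa-logprof can turn the denials into rules, and aa-complain puts a profile into complain mode while testing), not in smb.conf.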