On 2023-04-01 11:48, Rowland Penny via samba wrote:
> On 01/04/2023 16:15, Gary Dale via samba wrote:
>>> The problem is, you shouldn't really have Linux groups per se, you
>>> should have Windows groups that are also Linux groups i.e.
>>> everything is in AD.
>>
>> That's not a great idea. It would mean I'd have to modify every Linux
>> system.
>
> Possibly
>
>> And can Linux groups even have a domain let alone spaces in their
>> names (e.g. "home\Domain Users")?
>
> Yes:
>
> rowland at devstation:~$ getent group Domain\ Users
> domain users:x:10513:krbtgt,dhcpduser,test,user1,backupuser,user2,fred,rowland,administrator
>
>> Mapping seems like a far more practical solution.
>
> No it isn't and it sort of misses one of the points of AD, a single
> point of authority.

The single point of authority requires modifying every Linux
installation I've got to point to that authority. And what happens when
the Authority isn't accessible (e.g. a laptop while on vacation)? It
needs to fall back to a local password authority.

>>>> Any advice on how to proceed?
>>>
>>> Can we start with the smb.conf you are using now.
>>
>> Here's the part without the share definitions:
>>
>> # Global parameters
>> [global]
>>         dns forwarder = 192.168.1.1
>>         netbios name = THELIBRARIAN
>>         realm = HOME.RAHIM-DALE.ORG
>>         server role = active directory domain controller
>>         workgroup = HOME
>>         idmap_ldb:use rfc2307 = yes
>
> See below about the following lines:
>
>>         idmap config * : backend = tdb
>>         idmap config * : range = 3000-7999
>>         idmap config HOME:backend = ad
>>         idmap config HOME:schema_mode = rfc2307
>>         idmap config HOME:range = 10000-999999
>>         idmap config HOME:unix_nss_info = yes
>>         idmap config HOME:unix_primary_group = yes
>
> I will say this yet again, do not add 'idmap config' to a Samba AD
> DC's smb.conf, they will do absolutely nothing.

Again, these lines are from the Samba wiki. They weren't my idea. If
something is now obsolete, the wiki pages should be updated by someone
who knows how Samba currently operates. I note that the wiki
distinguishes between pre and post 4.6. If further changes to Samba were
made, the wiki doesn't reflect it.

>>         vfs objects = acl_xattr
>
> Now that is a really, really big mistake. Whilst 'acl_xattr' is one of
> the vfs objects used by a DC, you have just turned off the main one
> 'dfs_samba4'

See previous comment.

>>         map acl inherit = yes
>>         store dos attributes = yes
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/home.rahim-dale.org/scripts
>>         read only = No
>>
>> [Profiles]
>>         path = /home/samba/profiles
>>         read only = No
>>         create mask = 0777
>>         directory mask = 0777
>>         guest ok = Yes
>>         browseable = No
>>
>> [homes]
>>         comment = Home Directories
>>         valid users = %S
>>         create mask = 0700
>>         directory mask = 0700
>>         browseable = No
>>
>>> What version of NFS are you using, 3 or 4?
>>
>> nfsstat -s shows v4 but I'm using the v3 style settings in
>> /etc/exports (e.g. /home/shares 192.168.1.0/24(rw,sync) ). I
>> haven't set up anything that takes advantage of any v4 features. I
>> note that there are options for using Kerberos in v4, which I'm
>> guessing is where you are going...
>
> Yep, you really should be using NFSv4, I wish Louis was still around,
> he knew more about NFS than I do.
>
> What I will say is this, you know all that knowledge you know about
> Samba PDCs and the like, well, you should forget most of it, AD is
> nothing like an NT4-style domain. Once you get your head around this
> and start to use AD as it is meant to be used, you will realise just
> how much easier it is to use. Just one point of maintenance, user,
> group and computer wise.
>
> Rowland

That may be true for full-time domain admins. However it seems less apt
for people using Linux at home who need to run a Windows (virtual)
machine occasionally. Linux isn't built around AD and even using
Kerberos is rarely something home users do.

And from what I've been seeing, you actually need to run a Windows
client to administer AD - Linux programs no longer seem to be capable of
doing everything that is needed. That makes advising using AD
problematic - something to be avoided if possible.

As for forgetting NT4-style domains, I'm following documentation that
deals strictly with Samba 4. I'd been running AD servers in various
locations for a long time (an office with only Windows clients, my home
with a mix of Linux and Windows clients). It's only in the last year
that (some) things have stopped working. That's not due to a switch from
NT4 to AD. It's due to AD breaking things.

My Linux server has been a great single point of maintenance without my
needing to jump through hoops. Conversely, getting any Linux workstation
to authenticate to an AD instance has never worked. I tried that a few
times over the last decade with zero success. In fact my workstation's
/etc/nsswitch.conf still has the settings to use winbind for
authentication. Fortunately it allows a fallback...

Can you point me to an up-to-date and accurate howto on setting up a
Linux client to use AD and NFS4?
On 01/04/2023 17:51, Gary Dale via samba wrote:
> The single point of authority requires modifying every Linux
> installation I've got to point to that authority. And what happens when
> the Authority isn't accessible (e.g. a laptop while on vacation)? It
> needs to fall back to a local password authority.

If the laptop is running Linux, then add 'winbind offline logon = yes'
to the smb.conf; winbind will cache the required credentials.

> Again, these lines are from the Samba wiki. They weren't my idea. If
> something is now obsolete, the wiki pages should be updated by someone
> who knows how Samba currently operates. I note that the wiki
> distinguishes between pre and post 4.6. If further changes to Samba were
> made, the wiki doesn't reflect it.

Can you please tell me just where in the Samba wiki it says to add those
lines to a DC's smb.conf? Failing that, can you please say where in the
wiki you think it says that? Either way, I will fix it so it explicitly
says to never add those lines to a DC's smb.conf; they have never been
used or worked on a DC.

>>>         vfs objects = acl_xattr
>>
>> Now that is a really, really big mistake. Whilst 'acl_xattr' is one of
>> the vfs objects used by a DC, you have just turned off the main one
>> 'dfs_samba4'
>
> See previous comment.

See my previous comment and here:

https://wiki.samba.org/index.php/Using_the_acl_xattr_VFS_Module

Where it states:

    On a Samba Active Directory (AD) domain controller (DC), the acl_xattr
    module is automatically globally enabled and cannot be deactivated. You
    must not add it to your smb.conf file manually.

Also see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Where amongst other things it says this:

    You should be aware that if you wish to use a vfs object on a DC share,
    e.g. recycle, you must not just set vfs objects = recycle in the share.
    Doing this will turn off the default vfs objects dfs_samba4 and
    acl_xattr. You must set vfs objects = dfs_samba4 acl_xattr recycle.

That is under the 'Using the Domain Controller as a File Server
(Optional)' heading.

> That may be true for full-time domain admins. However it seems less apt
> for people using Linux at home who need to run a Windows (virtual)
> machine occasionally. Linux isn't built around AD and even using
> Kerberos is rarely something home users do.

Yes, historically, Linux wasn't built around AD, but that isn't a reason
to not use it. You will find it easier to maintain than individual
machines, just one place to maintain users, groups etc, rather than on
every machine. Want to change a user's password? Either do it once on an
AD DC, or go to every machine and change it; this can get tiring if you
have a lot of machines.

> And from what I've been seeing, you actually need to run a Windows
> client to administer AD - Linux programs no longer seem to be capable of
> doing everything that is needed. That makes advising using AD
> problematic - something to be avoided if possible.

You can use samba-tool or one of the numerous other methods.

> As for forgetting NT4-style domains, I'm following documentation that
> deals strictly with Samba 4. I'd been running AD servers in various
> locations for a long time (an office with only Windows clients, my home
> with a mix of Linux and Windows clients). It's only in the last year
> that (some) things have stopped working. That's not due to a switch from
> NT4 to AD. It's due to AD breaking things.

An NT4-style domain relies on SMBv1; this is going away and is generally
turned off now.

> My Linux server has been a great single point of maintenance without my
> needing to jump through hoops. Conversely, getting any Linux workstation
> to authenticate to an AD instance has never worked. I tried that a few
> times over the last decade with zero success. In fact my workstation's
> /etc/nsswitch.conf still has the settings to use winbind for
> authentication. Fortunately it allows a fallback...

If you cannot get a Linux machine to authenticate to AD, then it sounds
like you are doing something wrong. Can you share the smb.conf from your
workstation?

> Can you point me to an up-to-date and accurate howto on setting up a
> Linux client to use AD and NFS4?

I will get back to you on that; as I said, I do not know much about NFS
because I do not use it, I just use Samba, on everything.

Rowland
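As an added example (not code from this thread or from the Samba project), here is a small Python checker that applies the two DC rules quoted from the wiki above to an smb.conf: on a server whose role is an AD DC, 'idmap config' lines are unused, and any 'vfs objects' line must keep the default modules dfs_samba4 and acl_xattr. The parser is deliberately minimal and the sample config is a constructed, trimmed copy of the [global] section posted earlier in the thread; testparm remains the authoritative way to read an smb.conf.

```python
"""Flag DC-specific smb.conf mistakes discussed on the samba list."""
import re

# Constructed sample: a trimmed copy of the posted [global] section.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
        netbios name = THELIBRARIAN
        realm = HOME.RAHIM-DALE.ORG
        server role = active directory domain controller
        workgroup = HOME
        idmap config * : backend = tdb
        idmap config HOME:backend = ad
        vfs objects = acl_xattr
"""

DC_ROLE = "active directory domain controller"
DC_DEFAULT_VFS = ("dfs_samba4", "acl_xattr")  # loaded by default on a DC


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}; duplicates such as several
    'idmap config' keys are kept, so a plain dict per section is not used."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def check_dc_config(text):
    """Return a list of findings; an empty list means nothing to report."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", [])
    role = next((v.lower() for k, v in glob if k == "server role"), "")
    if role != DC_ROLE:
        return []  # the rules below only apply to a DC
    findings = []
    idmap = [k for k, _ in glob if k.startswith("idmap config")]
    if idmap:
        findings.append(f"{len(idmap)} 'idmap config' line(s) in [global]: unused on a DC")
    for section, params in conf.items():
        for key, value in params:
            missing = [m for m in DC_DEFAULT_VFS if m not in value.split()]
            if key == "vfs objects" and missing:
                findings.append(f"[{section}] vfs objects drops default module(s) {missing}")
    return findings


if __name__ == "__main__":
    print("\n".join(check_dc_config(SAMPLE_SMB_CONF) or ["no DC misconfiguration found"]))
```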
> On 1 Apr 2023, at 18:53, Gary Dale via samba <samba at lists.samba.org> wrote:
>
> [...]
>
> And from what I've been seeing, you actually need to run a Windows
> client to administer AD - Linux programs no longer seem to be capable of
> doing everything that is needed. That makes advising using AD
> problematic - something to be avoided if possible.

I recommend LDAP Account Manager (LAM).