Christian Naumer
2023-Apr-18 18:12 UTC
[Samba] Big problems with samba 4.17.7 with classic domain (NT4) and LDAP
On 18 April 2023 14:29:29 CEST, Roland Schwingel via samba <samba at lists.samba.org> wrote:
>Hi...
>
>We are still using NT4 classic domain with a couple of samba servers but
>want to upgrade step by step to AD as a distant goal.
>We tried to upgrade to samba 4.17.7 as an intermediate step and keep LDAP
>for now but fail as we could not find a suitable
>example for id mapping. Hope someone can help!
>
>Previously we did run samba 4.7 on CentOS 7 without problems as domain
>controller and member servers.
>Now we want to switch to Oracle Linux 9. But here samba 4.7 does no longer
>compile so we need to use a
>newer version. So we decided to use 4.17.7. With 4.7 we did not need to
>use winbind - now we have to.
>
>We have a domain controller which connects to an ldap server for accounts
>and everything containing
>all users, groups, hosts, dns, dhcp infos.
>
>Domain Controller smb conf:
>
>[global]
> server role = classic primary domain controller
> unix charset = UTF-8
> workgroup = MYDOM
> server string = MYDOM domaincontroller
> passdb backend = ldapsam:"ldap://localhost"
> log file = /usr/local/samba/var/log.%m
> name resolve order = host bcast
> logon path = \\%N\profiles\%U
> logon home
> domain logons = Yes
> os level = 66
> preferred master = Yes
> domain master = Yes
> dns proxy = No
> ldap admin dn = cn=Directory Manager
> ldap group suffix = ou=groups
> ldap idmap suffix = ou=idmap,ou=samba
> ldap machine suffix = ou=computers,ou=samba
> ldap passwd sync = yes
> ldap suffix = dc=onevision,dc=com
> ldap user suffix = ou=people
> hide dot files = No
> csc policy = disable
> strict locking = No
> idmap config * : backend = tdb
> idmap config * : range = 101-999
> idmap config * : backend = tdb
> idmap config * : range = 101-999
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 1000-999999
> winbind use default domain = true
> winbind offline logon = false
> idmap backend = ldap:"ldap://localhost"
> idmap uid = 1000-10000
> idmap gid = 1000-10000
> allow nt4 crypto = Yes
> max protocol = NT1
> client min protocol = NT1
> server min protocol = NT1
>
>This seems to work. I can login here with my ldap account and see and use
>shares from the PDC.
>We limit the protocol to NT1 as we did always. Maybe this is no longer
>needed? We have
>to investigate this later. So far so good.
>
>But the problems arise on member servers. Config of one of them:
>[global]
> server role = member server
> unix charset = UTF-8
> workgroup = MYDOM
> server string = Fileserver
> security = domain
> map to guest = Never
> name resolve order = host bcast
> client min protocol=NT1
> server min protocol=NT1
> unix extensions = No
> hide dot files = No
> csc policy = disable
> strict locking = No
> wide links = Yes
> acl allow execute always = True
> idmap config * : backend = tdb
> idmap config * : range = 101-999
> idmap config ONEVISION : backend = rid
> idmap config ONEVISION : range = 1000-999999
> winbind use default domain = true
> winbind offline logon = false
>
>I cannot open the member server from my windows machine with my
>useraccount (which works for the domain controller).
>On the member server I see these errors:
>
>Apr 18 17:46:12 host winbindd[143640]: saf_store: refusing to store 0
>length domain or servername!
>
>I don't know whether this is a problem but wanted to show it.
>
>Apr 18 17:46:31 host smbd[143656]: [2023/04/18 17:46:31.153040, 0]
>../../source3/auth/auth_util.c:1933(check_account)
>Apr 18 17:46:31 host smbd[143656]: check_account: Failed to find local
>account with UID 2000 for SID S-1-5-21-X-Y-Z-1000 (dom_user[MYDOM\roland])
>
>This is for sure a problem. Why does samba want to map to uid 2000?

Because you configured it that way:

idmap config ONEVISION : range = 1000-999999

As Rowland explained how the rid backend works, you should have:

idmap config ONEVISION : range = 0-999999

Most of the things Rowland wrote about your other settings also apply.
But if this works we can work from there.
Regards Christian
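Why the check_account log line ends up at UID 2000, worked through as an added example (not code from the thread or from Samba itself): the idmap_rid rule ID = RID + LOW_RANGE_ID, applied to the member-server idmap lines quoted above and to the SID from the posted log line (X-Y-Z are the page's own placeholders). The smb.conf excerpt is constructed from the config posted in the thread; parse_idmap, map_sid and low_bound_for are helper names chosen here.

```python
import re

# Constructed excerpt of the member-server smb.conf posted in the thread.
MEMBER_SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 101-999
   idmap config ONEVISION : backend = rid
   idmap config ONEVISION : range = 1000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I)

def parse_idmap(conf):
    """Return {DOMAIN: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-", 1))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.lower()
    return cfg

def sid_rid(sid):
    """The RID is the last hyphen-separated component of the SID."""
    return int(sid.rpartition("-")[2])

def rid_to_unix_id(rid, id_range):
    """idmap_rid rule: ID = RID + LOW_RANGE_ID; None when the result lies outside the range."""
    low, high = id_range
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None

def map_sid(conf, domain, sid):
    """Unix id the rid backend configured for `domain` in `conf` yields for `sid` (None if unmappable)."""
    entry = parse_idmap(conf).get(domain.upper(), {})
    if entry.get("backend") != "rid" or "range" not in entry:
        return None
    return rid_to_unix_id(sid_rid(sid), entry["range"])

def low_bound_for(sid, wanted_id):
    """Range low bound that makes the rid backend return `wanted_id` (e.g. the uid kept in LDAP for NFS)."""
    return wanted_id - sid_rid(sid)
```

With the posted range the RID 1000 account lands on 2000; with the suggested low bound of 0 it lands on 1000, which is the only way the SMB uid can coincide with a uid that LDAP and NFS already hand out for the same person.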
Roland Schwingel
2023-Apr-18 18:46 UTC
[Samba] Big problems with samba 4.17.7 with classic domain (NT4) and LDAP
Hello Rowland and Christian

Thanks for your replies... Yes, ONEVISION and MYDOM are the very same here. Copy/Paste.

"Christian Naumer" <christian.naumer at greyfish.net> wrote on 18.04.2023 20:12:35:
> On 18 April 2023 14:29:29 CEST, Roland Schwingel via samba
> <samba at lists.samba.org> wrote:
> >Hi...
> >
> >We are still using NT4 classic domain with a couple of samba servers but
> >want to upgrade step by step to AD as a distant goal.
> >We tried to upgrade to samba 4.17.7 as an intermediate step and keep LDAP
> >for now but fail as we could not find a suitable
> >example for id mapping. Hope someone can help!
> >
> >Previously we did run samba 4.7 on CentOS 7 without problems as domain
> >controller and member servers.
> >Now we want to switch to Oracle Linux 9. But here samba 4.7 does no longer
> >compile so we need to use a
> >newer version. So we decided to use 4.17.7. With 4.7 we did not need to
> >use winbind - now we have to.
> >
> >We have a domain controller which connects to an ldap server for accounts
> >and everything containing
> >all users, groups, hosts, dns, dhcp infos.
> >
> >Domain Controller smb conf:
> >
> >[global]
> > server role = classic primary domain controller
> > unix charset = UTF-8
> > workgroup = MYDOM
> > server string = MYDOM domaincontroller
> > passdb backend = ldapsam:"ldap://localhost"
> > log file = /usr/local/samba/var/log.%m
> > name resolve order = host bcast
> > logon path = \\%N\profiles\%U
> > logon home
> > domain logons = Yes
> > os level = 66
> > preferred master = Yes
> > domain master = Yes
> > dns proxy = No
> > ldap admin dn = cn=Directory Manager
> > ldap group suffix = ou=groups
> > ldap idmap suffix = ou=idmap,ou=samba
> > ldap machine suffix = ou=computers,ou=samba
> > ldap passwd sync = yes
> > ldap suffix = dc=onevision,dc=com
> > ldap user suffix = ou=people
> > hide dot files = No
> > csc policy = disable
> > strict locking = No
> > idmap config * : backend = tdb
> > idmap config * : range = 101-999
> > idmap config * : backend = tdb
> > idmap config * : range = 101-999
> > idmap config MYDOM : backend = rid
> > idmap config MYDOM : range = 1000-999999
> > winbind use default domain = true
> > winbind offline logon = false
> > idmap backend = ldap:"ldap://localhost"
> > idmap uid = 1000-10000
> > idmap gid = 1000-10000
> > allow nt4 crypto = Yes
> > max protocol = NT1
> > client min protocol = NT1
> > server min protocol = NT1
> >
> >This seems to work. I can login here with my ldap account and see and use
> >shares from the PDC.
> >We limit the protocol to NT1 as we did always. Maybe this is no longer
> >needed? We have
> >to investigate this later. So far so good.
> >
> >But the problems arise on member servers. Config of one of them:
> >[global]
> > server role = member server
> > unix charset = UTF-8
> > workgroup = MYDOM
> > server string = Fileserver
> > security = domain
> > map to guest = Never
> > name resolve order = host bcast
> > client min protocol=NT1
> > server min protocol=NT1
> > unix extensions = No
> > hide dot files = No
> > csc policy = disable
> > strict locking = No
> > wide links = Yes
> > acl allow execute always = True
> > idmap config * : backend = tdb
> > idmap config * : range = 101-999
> > idmap config ONEVISION : backend = rid
> > idmap config ONEVISION : range = 1000-999999
> > winbind use default domain = true
> > winbind offline logon = false
> >
> >I cannot open the member server from my windows machine with my
> >useraccount (which works for the domain controller).
> >On the member server I see these errors:
> >
> >Apr 18 17:46:12 host winbindd[143640]: saf_store: refusing to store 0
> >length domain or servername!
> >
> >I don't know whether this is a problem but wanted to show it.
> >
> >Apr 18 17:46:31 host smbd[143656]: [2023/04/18 17:46:31.153040, 0]
> >../../source3/auth/auth_util.c:1933(check_account)
> >Apr 18 17:46:31 host smbd[143656]: check_account: Failed to find local
> >account with UID 2000 for SID S-1-5-21-X-Y-Z-1000 (dom_user[MYDOM\roland])
> >
> >This is for sure a problem. Why does samba want to map to uid 2000?
>
> Because you configured it that way:
>
> idmap config ONEVISION : range = 1000-999999
>
> As Rowland explained how the rid backend works, you should have:
>
> idmap config ONEVISION : range = 0-999999
>
> Most of the things Rowland wrote about your other settings also apply.
> But if this works we can work from there.

So on the PDC I need the ldap xxxx lines for ldap connectivity and the passdb backend line for the ldap hostname and the idmap config * / idmap config ONEVISION stuff. On the member server I also need the same idmap config * / idmap config ONEVISION stuff. Right?
The linux servers serving the samba shares also serve the same folders via NFS. We have concurrent use of windows, linux and mac users via SMB and NFS, so ids must be correct on all OSes. Our central brain here is our LDAP, providing the exact infos. I will try this tomorrow morning. Thanks for your help so far!

Roland