Rowland Penny
2023-Apr-25 11:30 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 25/04/2023 04:56, Gary Dale via samba wrote:
>
> which is owned by root:Domain Admins. This shows up in Linux as:
> root at TheLibrarian:~# ls -l /srv/
> total 4
> drwxr-xr-x 2 root 110512 4096 Apr 23 11:30 taxes

Why is the group being shown as a number rather than by name (which ends in '512' so is probably Domain Admins, which shouldn't have a gidNumber, it breaks sysvol when using the 'ad' idmap backend)?
Is /etc/nsswitch.conf set up correctly? Are libpam-winbind and libnss-winbind installed?

Rowland
Gary Dale
2023-Apr-25 15:34 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 2023-04-25 07:30, Rowland Penny via samba wrote:
>
>
> On 25/04/2023 04:56, Gary Dale via samba wrote:
>>
>> which is owned by root:Domain Admins. This shows up in Linux as:
>> root at TheLibrarian:~# ls -l /srv/
>> total 4
>> drwxr-xr-x 2 root 110512 4096 Apr 23 11:30 taxes
>
> Why is the group being shown as a number rather than by name (which
> ends in '512' so is probably Domain Admins, which shouldn't have a
> gidNumber, it breaks sysvol when using the 'ad' idmap backend)
> Is /etc/nsswitch.conf set up correctly? Are libpam-winbind and
> libnss-winbind installed?
>
> Rowland
>

Both are installed from backports (version 4.17.7). /etc/nsswitch.conf reads:

passwd:         db files winbind systemd
group:          db files winbind systemd
shadow:         files
hosts:          files wins mdns4_minimal [NOTFOUND=return] dns mdns4 mymachines
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

I can't see any mention of any configuration for libpam-winbind. When I look at https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM, there isn't much there. Under Configuring PAM, it just lists the utilities but doesn't say what you are supposed to do with them. It also shows an example for enabling SSH authentication on a Red Hat system, but I never use password authentication for SSH. I use certificates.

The man page for pam-auth-update isn't helpful, but looking at the individual /etc/pam.d files, they seem to have mention of winbind and kerberos.

I note that:

root at TheLibrarian:~# net rpc group list -U Administrator   ## same results from my workstation.
Password for [HOME\Administrator]:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

but the command(s) work on DC1. Both machines were joined to the domain and both show in the list of domain computers.
Gary Dale
2023-Apr-25 15:54 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 2023-04-25 07:30, Rowland Penny via samba wrote:
>
>
> On 25/04/2023 04:56, Gary Dale via samba wrote:
>>
>> which is owned by root:Domain Admins. This shows up in Linux as:
>> root at TheLibrarian:~# ls -l /srv/
>> total 4
>> drwxr-xr-x 2 root 110512 4096 Apr 23 11:30 taxes
>
> Why is the group being shown as a number rather than by name (which
> ends in '512' so is probably Domain Admins, which shouldn't have a
> gidNumber, it breaks sysvol when using the 'ad' idmap backend)
> Is /etc/nsswitch.conf set up correctly? Are libpam-winbind and
> libnss-winbind installed?
>
> Rowland
>

Going back through the DNS testing, I get on my workstation:

root at transponder:~# nslookup
> set type=SRV
> _ldap._tcp.home.rahim-dale.org
;; communications error to 192.168.1.13#53: timed out
Server:         192.168.1.13
Address:        192.168.1.13#53

_ldap._tcp.home.rahim-dale.org  service = 0 100 389 dc1.home.rahim-dale.org.
> exit

root at transponder:~# host -t SRV _ldap._tcp.home.rahim-dale.org
_ldap._tcp.home.rahim-dale.org has SRV record 0 100 389 dc1.home.rahim-dale.org.

and from the file & print server:

root at TheLibrarian:~# nslookup
> set type=SRV
> _ldap._tcp.home.rahim-dale.org
Server:         192.168.1.13
Address:        192.168.1.13#53

_ldap._tcp.home.rahim-dale.org  service = 0 100 389 dc1.home.rahim-dale.org.
> exit

root at TheLibrarian:~# host -t SRV _ldap._tcp.home.rahim-dale.org
_ldap._tcp.home.rahim-dale.org has SRV record 0 100 389 dc1.home.rahim-dale.org.

As previously noted, on both machines wbinfo seems to be contacting the correct DC:

root at TheLibrarian:~# wbinfo --ping-dc
checking the NETLOGON for domain[HOME] dc connection to "dc1.home.rahim-dale.org" succeeded
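The two things Rowland asked about in this thread (is winbind listed for passwd and group in nsswitch.conf, and why does a directory show a bare numeric group) can be checked mechanically. The script below is an added example, not code from the list thread or from the Samba project; it assumes a POSIX sh with awk and sed, and takes file contents as strings so it runs against the constructed samples embedded here as well as the live files.

```shell
#!/bin/sh
# Added example (not from the samba list thread): offline checks for the NSS
# symptoms discussed above on a Linux domain member that uses winbind.
# Assumption: POSIX sh with awk/sed; inputs are passed as strings.

# Succeed (exit 0) only if both the passwd and group databases list winbind.
nss_has_winbind() {
    printf '%s\n' "$1" | awk -F: '
        { key = $1; gsub(/[[:space:]]/, "", key) }
        key == "passwd" || key == "group" {
            n = split($2, w, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (w[i] == "winbind") ok[key] = 1
        }
        END { exit !(ok["passwd"] && ok["group"]) }'
}

# Print the group field of each `ls -l` entry that is a bare number, i.e. an
# id NSS could not map to a name (the 110512 in the listing above is one).
unresolved_groups() {
    printf '%s\n' "$1" | awk 'NF >= 9 && $4 ~ /^[0-9]+$/ { print $4 }'
}

# The "ends in 512" reading from the thread: with a RID-based idmap the low
# part of the id is the RID, and 512 is the well-known Domain Admins RID.
# Heuristic only; it holds for idmap_rid-style ranges, not for 'ad' mappings.
rid_suffix() { printf '%s\n' "$1" | sed 's/.*\(...\)$/\1/'; }

# Constructed samples mirroring the thread (not captured from a real host).
SAMPLE_NSS='passwd:         db files winbind systemd
group:          db files winbind systemd
shadow:         files
hosts:          files wins mdns4_minimal [NOTFOUND=return] dns mdns4 mymachines'
SAMPLE_LS='total 4
drwxr-xr-x 2 root 110512 4096 Apr 23 11:30 taxes'

if nss_has_winbind "$SAMPLE_NSS"; then
    echo "nsswitch: winbind present on passwd and group"
else
    echo "nsswitch: winbind MISSING on passwd or group (install libnss-winbind?)"
fi
for gid in $(unresolved_groups "$SAMPLE_LS"); do
    echo "unresolved gid $gid (RID suffix $(rid_suffix "$gid"))"
done
# Live use: nss_has_winbind "$(cat /etc/nsswitch.conf)"; unresolved_groups "$(ls -l /srv)"
```

An unresolved gid with winbind correctly listed in nsswitch.conf points at winbind itself (or the idmap configuration) rather than at NSS, which is the next thing to check.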