Gary Dale
2023-Apr-25 15:34 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 2023-04-25 07:30, Rowland Penny via samba wrote:> > > On 25/04/2023 04:56, Gary Dale via samba wrote: >> >> which is owned by root:Domain Admins. This shows up in Linux as: >> root at TheLibrarian:~# ls -l /srv/ >> total 4 >> drwxr-xr-x 2 root 110512 4096 Apr 23 11:30 taxes > > Why is the group being shown as a number rather than by name (which > ends in '512' so is probably Domain Admins, which shouldn't have a > gidNumber, it breaks sysvol when using the 'ad idmap backend) > Is /etc/nsswitch.conf setup correctly ? arre libpam-winbind and > libnss-winbind installed ? > > Rowland >Both are installed from backports (version 4.17.7). /etc/nsswitch.conf reads: passwd:???????? db files winbind systemd group:????????? db files winbind systemd shadow:???????? files hosts:????????? files wins mdns4_minimal [NOTFOUND=return] dns mdns4 mymachines networks:?????? files protocols:????? db files services:?????? db files ethers:???????? db files rpc:??????????? db files netgroup:?????? nis I can't see any mention of any configuration for libpam-winbind. When I look at https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM, there isn't much there. Under Configuring PAM, it just lists the utilities but doesn't say what you are supposed to do with them. It also shows an example for enabling SSH authentication on a Red Hat system, but I never use password authentication for SSH. I use certificates. The man page for pam-auth-update isn't helpful but looking at the individual /etc/pam.dl files, they seem to have mention of winbind and kerberos. I note that: root at TheLibrarian:~# net rpc group list -U Administrator? ## same results from my workstation. Password for [HOME\Administrator]: Could not connect to server 127.0.0.1 The username or password was not correct. Connection failed: NT_STATUS_LOGON_FAILURE but the command(s) work on DC1. Both machines were joined to the domain and both show in the list of domain computers.
Rowland Penny
2023-Apr-25 16:01 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 25/04/2023 16:34, Gary Dale via samba wrote:> On 2023-04-25 07:30, Rowland Penny via samba wrote: >> >> >> On 25/04/2023 04:56, Gary Dale via samba wrote: >>> >>> which is owned by root:Domain Admins. This shows up in Linux as: >>> root at TheLibrarian:~# ls -l /srv/ >>> total 4 >>> drwxr-xr-x 2 root 110512 4096 Apr 23 11:30 taxes >> >> Why is the group being shown as a number rather than by name (which >> ends in '512' so is probably Domain Admins, which shouldn't have a >> gidNumber, it breaks sysvol when using the 'ad idmap backend) >> Is /etc/nsswitch.conf setup correctly ? arre libpam-winbind and >> libnss-winbind installed ? >> >> Rowland >> > Both are installed from backports (version 4.17.7). > > /etc/nsswitch.conf reads: > passwd:???????? db files winbind systemd > group:????????? db files winbind systemdI had to look up what 'db' was, never come across it before, I do not know who put it there, but I would remove every mention of it from nsswitch.conf> shadow:???????? files > > hosts:????????? files wins mdns4_minimal [NOTFOUND=return] dns mdns4How did 'wins get there ? AD does not use it, so I would remove it, in fact, I would remove the mdns4 stuff as well, leaving just this hosts: files dns> mymachines > networks:?????? files > > protocols:????? db files > services:?????? db files > ethers:???????? db files > rpc:??????????? db files > > netgroup:?????? nis > > > I can't see any mention of any configuration for libpam-winbind.You do not need to configure, just install it and ensure that 'winbind' is in the passwd and group lines. When I> look at > https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM, > there isn't much there. Under Configuring PAM, it just lists the > utilities but doesn't say what you are supposed to do with them. It also > shows an example for enabling SSH authentication on a Red Hat system, > but I never use password authentication for SSH. I use certificates.That is the problem, PAM is set up differently depending on the distro, so you have to refer to the distros documentation. However, Debian does most of the required modifications for you, run 'pam-auth-update' to see what is available and if it is already in use.> > The man page for pam-auth-update isn't helpful but looking at the > individual /etc/pam.dl files, they seem to have mention of winbind and > kerberos. > > I note that: > root at TheLibrarian:~# net rpc group list -U Administrator? ## same > results from my workstation. > Password for [HOME\Administrator]: > Could not connect to server 127.0.0.1It is trying to to connect to a non-existing server on localhost, you will need to use '-S <DC_hostname>'> The username or password was not correct. > Connection failed: NT_STATUS_LOGON_FAILURE > > but the command(s) work on DC1. Both machines were joined to the domain > and both show in the list of domain computers. > >Rowland