Gary Dale
2023-Apr-26 15:05 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 2023-04-25 12:01, Rowland Penny via samba wrote:
>
>
> On 25/04/2023 16:34, Gary Dale via samba wrote:
>> On 2023-04-25 07:30, Rowland Penny via samba wrote:
>>>
>>>
>>> On 25/04/2023 04:56, Gary Dale via samba wrote:
>>>>
>>>> which is owned by root:Domain Admins. This shows up in Linux as:
>>>> root@TheLibrarian:~# ls -l /srv/
>>>> total 4
>>>> drwxr-xr-x 2 root 110512 4096 Apr 23 11:30 taxes
>>>
>>> Why is the group being shown as a number rather than by name (which
>>> ends in '512' so is probably Domain Admins, which shouldn't have a
>>> gidNumber, it breaks sysvol when using the 'ad' idmap backend)
>>> Is /etc/nsswitch.conf setup correctly ? are libpam-winbind and
>>> libnss-winbind installed ?
>>>
>>> Rowland
>>>
>> Both are installed from backports (version 4.17.7).
>>
>> /etc/nsswitch.conf reads:
>> passwd:         db files winbind systemd
>> group:          db files winbind systemd
>
> I had to look up what 'db' was, never come across it before, I do not
> know who put it there, but I would remove every mention of it from
> nsswitch.conf
>
>> shadow:         files
>>
>> hosts:          files wins mdns4_minimal [NOTFOUND=return] dns mdns4
>
> How did 'wins' get there ? AD does not use it, so I would remove it, in
> fact, I would remove the mdns4 stuff as well, leaving just this
>
> hosts:          files dns
>
>> mymachines
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>>
>>
>> I can't see any mention of any configuration for libpam-winbind.
>
> You do not need to configure, just install it and ensure that
> 'winbind' is in the passwd and group lines.
>
> When I
>> look at
>> https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM,
>> there isn't much there. Under Configuring PAM, it just lists the
>> utilities but doesn't say what you are supposed to do with them. It
>> also shows an example for enabling SSH authentication on a Red Hat
>> system, but I never use password authentication for SSH. I use
>> certificates.
>
> That is the problem, PAM is set up differently depending on the
> distro, so you have to refer to the distros documentation. However,
> Debian does most of the required modifications for you, run
> 'pam-auth-update' to see what is available and if it is already in use.
>
>>
>> The man page for pam-auth-update isn't helpful but looking at the
>> individual /etc/pam.d files, they seem to have mention of winbind
>> and kerberos.
>>
>> I note that:
>> root@TheLibrarian:~# net rpc group list -U Administrator  ## same
>> results from my workstation.
>> Password for [HOME\Administrator]:
>> Could not connect to server 127.0.0.1
>
> It is trying to connect to a non-existing server on localhost, you
> will need to use '-S <DC_hostname>'
>
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>>
>> but the command(s) work on DC1. Both machines were joined to the
>> domain and both show in the list of domain computers.
>>

While adding the -S option works on net rpc, the similar -s option fails
for getent commands. e.g.

root@DC1:~# getent passwd HOME\\gary
HOME\gary:*:3000022:100::/home/HOME/gary:/bin/false

root@TheLibrarian:~# getent passwd HOME\\gary
root@TheLibrarian:~# getent passwd HOME\\gary -s DC1
root@TheLibrarian:~#

Similarly, when trying to login from a domain account I get:

root@DC1:~# login
DC1 login: gary
Password:
Linux DC1 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Apr 26 10:43:27 EDT 2023 on pts/0
No directory, logging in with HOME=/

However on a member server I get (after setting the winbind separator
to ":" - it rejected other characters I tried. Moreover I get the same
results when I omit the winbind separator from smb.conf and use
HOME\\gary to login)

root@TheLibrarian:~# login
TheLibrarian login: HOME:gary
Password:

Login incorrect

and without the winbind separator and after restarting winbind

root@TheLibrarian:~# login
TheLibrarian login: HOME\\gary
Password:

Login incorrect

The bit about the winbind separator is from an outdated Samba 3 wiki at
https://www.samba.org/~ab/output/htmldocs/Samba3-HOWTO/winbind.html
that I thought I'd try since login wasn't working anyway.
Gary Dale
2023-Apr-26 15:24 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 2023-04-26 11:05, Gary Dale via samba wrote:
> On 2023-04-25 12:01, Rowland Penny via samba wrote:
>>
>>
>> On 25/04/2023 16:34, Gary Dale via samba wrote:
>>> On 2023-04-25 07:30, Rowland Penny via samba wrote:
>>>>
>>>>
>>>> On 25/04/2023 04:56, Gary Dale via samba wrote:
>>>>>
>>>>> which is owned by root:Domain Admins. This shows up in Linux as:
>>>>> root@TheLibrarian:~# ls -l /srv/
>>>>> total 4
>>>>> drwxr-xr-x 2 root 110512 4096 Apr 23 11:30 taxes
>>>>
>>>> Why is the group being shown as a number rather than by name (which
>>>> ends in '512' so is probably Domain Admins, which shouldn't have a
>>>> gidNumber, it breaks sysvol when using the 'ad' idmap backend)
>>>> Is /etc/nsswitch.conf setup correctly ? are libpam-winbind and
>>>> libnss-winbind installed ?
>>>>
>>>> Rowland
>>>>
>>> Both are installed from backports (version 4.17.7).
>>>
>>> /etc/nsswitch.conf reads:
>>> passwd:         db files winbind systemd
>>> group:          db files winbind systemd
>>
>> I had to look up what 'db' was, never come across it before, I do not
>> know who put it there, but I would remove every mention of it from
>> nsswitch.conf
>>
>>> shadow:         files
>>>
>>> hosts:          files wins mdns4_minimal [NOTFOUND=return] dns mdns4
>>
>> How did 'wins' get there ? AD does not use it, so I would remove it,
>> in fact, I would remove the mdns4 stuff as well, leaving just this
>>
>> hosts:          files dns
>>
>>> mymachines
>>> networks:       files
>>>
>>> protocols:      db files
>>> services:       db files
>>> ethers:         db files
>>> rpc:            db files
>>>
>>> netgroup:       nis
>>>
>>>
>>> I can't see any mention of any configuration for libpam-winbind.
>>
>> You do not need to configure, just install it and ensure that
>> 'winbind' is in the passwd and group lines.
>>
>> When I
>>> look at
>>> https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM,
>>> there isn't much there. Under Configuring PAM, it just lists the
>>> utilities but doesn't say what you are supposed to do with them. It
>>> also shows an example for enabling SSH authentication on a Red Hat
>>> system, but I never use password authentication for SSH. I use
>>> certificates.
>>
>> That is the problem, PAM is set up differently depending on the
>> distro, so you have to refer to the distros documentation. However,
>> Debian does most of the required modifications for you, run
>> 'pam-auth-update' to see what is available and if it is already in use.
>>
>>>
>>> The man page for pam-auth-update isn't helpful but looking at the
>>> individual /etc/pam.d files, they seem to have mention of winbind
>>> and kerberos.
>>>
>>> I note that:
>>> root@TheLibrarian:~# net rpc group list -U Administrator  ## same
>>> results from my workstation.
>>> Password for [HOME\Administrator]:
>>> Could not connect to server 127.0.0.1
>>
>> It is trying to connect to a non-existing server on localhost, you
>> will need to use '-S <DC_hostname>'
>>
>>> The username or password was not correct.
>>> Connection failed: NT_STATUS_LOGON_FAILURE
>>>
>>> but the command(s) work on DC1. Both machines were joined to the
>>> domain and both show in the list of domain computers.
>>>
>>
> While adding the -S option works on net rpc, the similar -s option
> fails for getent commands. e.g.
>
> root@DC1:~# getent passwd HOME\\gary
> HOME\gary:*:3000022:100::/home/HOME/gary:/bin/false
>
> root@TheLibrarian:~# getent passwd HOME\\gary
> root@TheLibrarian:~# getent passwd HOME\\gary -s DC1
> root@TheLibrarian:~#
>
> Similarly, when trying to login from a domain account I get:
>
> root@DC1:~# login
> DC1 login: gary
> Password:
> Linux DC1 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64
>
> The programs included with the Debian GNU/Linux system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
>
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> Last login: Wed Apr 26 10:43:27 EDT 2023 on pts/0
> No directory, logging in with HOME=/
>
> However on a member server I get (after setting the winbind separator
> to ":" - it rejected other characters I tried. Moreover I get the same
> results when I omit the winbind separator from smb.conf and use
> HOME\\gary to login)
>
> root@TheLibrarian:~# login
> TheLibrarian login: HOME:gary
> Password:
>
> Login incorrect
>
> and without the winbind separator and after restarting winbind
>
> root@TheLibrarian:~# login
> TheLibrarian login: HOME\\gary
> Password:
>
> Login incorrect
>
> The bit about the winbind separator is from an outdated Samba 3 wiki
> at https://www.samba.org/~ab/output/htmldocs/Samba3-HOWTO/winbind.html
> that I thought I'd try since login wasn't working anyway.

Further to above, I tried the testing it suggested and got this:

root@transponder:~# wbinfo -g
domain controllers
domain computers
group policy creator owners
dnsadmins
denied rodc password replication group
protected users
schema admins
read-only domain controllers
enterprise admins
allowed rodc password replication group
domain admins
ras and ias servers
enterprise read-only domain controllers
dnsupdateproxy
cert publishers
domain guests
domain users

root@transponder:~# wbinfo -u
krbtgt
gary
guest
administrator

which clearly are from the domain - I don't have a local user named
"gary", for example. However the getent tests only show the local users,
which is also what I get when I use it to find domain users - it fails to
find them.
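The nsswitch.conf advice given earlier in the thread (keep 'winbind' on the passwd and group lines, drop 'db', reduce hosts to 'files dns') and the symptom reported in the follow-up (wbinfo lists domain users and groups but getent does not) can be turned into a repeatable check. The following is an added example written for this page, not code from the thread, from Samba or from Debian. It audits an nsswitch.conf against that advice and, with the --live flag, runs the same wbinfo/getent diagnostics the thread uses; the two sample files, the DOMAIN/USER arguments and the --live flag are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit nsswitch.conf against the advice
# given on the list, then optionally run the thread's winbind/getent checks.

# Constructed sample: the nsswitch.conf posted in the thread, one DB per line.
SAMPLE_NSSWITCH='passwd:         db files winbind systemd
group:          db files winbind systemd
shadow:         files
hosts:          files wins mdns4_minimal [NOTFOUND=return] dns mdns4 mymachines
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis'

# Constructed sample: the same file after the changes suggested in the thread.
FIXED_NSSWITCH='passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
hosts:          files dns
networks:       files
protocols:      files
services:       files
ethers:         files
rpc:            files
netgroup:       nis'

# nss_sources FILE DB -> the source list configured for database DB
nss_sources() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# has_source "SOURCES" NAME -> status 0 when NAME is one of the sources
has_source() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_nsswitch FILE -> one finding per line on stdout; status 1 if any
check_nsswitch() {
    _file=$1 _rc=0
    for _db in passwd group; do
        _srcs=$(nss_sources "$_file" "$_db")
        # libnss-winbind is only consulted if 'winbind' is listed for these DBs
        has_source "$_srcs" winbind ||
            { echo "$_db: 'winbind' missing (have: '$_srcs')"; _rc=1; }
        # 'db' (Berkeley DB tables under /var/db) is not an AD source; drop it
        ! has_source "$_srcs" db ||
            { echo "$_db: unexpected 'db' source"; _rc=1; }
    done
    _hosts=$(nss_sources "$_file" hosts)
    # AD members resolve by DNS; NetBIOS (wins) and mDNS are not used for AD
    for _bad in wins mdns4_minimal mdns4; do
        ! has_source "$_hosts" "$_bad" ||
            { echo "hosts: '$_bad' is not used by AD, prefer 'files dns'"; _rc=1; }
    done
    return $_rc
}

# finding_count FILE -> number of findings as a plain integer
finding_count() {
    check_nsswitch "$1" | wc -l | tr -d ' '
}

# write_sample VARNAME FILE -> write one of the constructed samples to FILE
write_sample() {
    eval "_val=\$$1"
    printf '%s\n' "$_val" > "$2"
}

# live_checks DOMAIN USER -> the thread's diagnostics on a real domain member.
# wbinfo talks to winbindd directly; getent goes through the NSS stack, so if
# wbinfo works and getent returns nothing, the fault is in nsswitch.conf or
# libnss-winbind rather than in the domain join.
live_checks() {
    wbinfo -t && wbinfo -u | head -n 3
    getent passwd "$1\\$2" ||
        echo "getent failed: check nsswitch.conf and libnss-winbind"
}

# Demo: audit both constructed samples; "--live DOMAIN USER" adds live_checks
_tmp=$(mktemp)
for _name in SAMPLE_NSSWITCH FIXED_NSSWITCH; do
    write_sample "$_name" "$_tmp"
    echo "== $_name: $(finding_count "$_tmp") finding(s)"
    check_nsswitch "$_tmp" || :
done
rm -f "$_tmp"
if [ "${1:-}" = "--live" ]; then live_checks "$2" "$3"; fi
```

Run as-is it reports five findings for the posted file (the 'db' entry on passwd and group, and wins, mdns4_minimal and mdns4 on hosts) and none for the corrected one; point check_nsswitch at /etc/nsswitch.conf to audit a real member, and use --live with the domain and a user name once winbindd is running.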