Hi Rowland,
I don't mind in using any technology as long as it works. In Redhat 7 and
Samba 4.6, everything is simple and work well. But Redhat 7 is near end-of-life,
and we have to move on. The next choice is Redhat 8, but we met with this
strange problem. We also tried Ubuntu 22.04 with Samba 4.16 which didn't
work neither. If you think Rocky 9 and its Samba/winbind will work, I'd like
to try it.
Let me provide some descriptions on the configuration here. This machine is a
dedicated Samba server, which serves about 200-300 users. However, neither the
file systems nor the user accounts are in this Samba server. The file systems
are in several other NFS servers, and user accounts are in another NIS server.
However, user accounts are their netids (like zs24) which are authenticated
again Yale central AD. This is the only reason why the Samba server must join
AD, i.e. to authenticate user.
We managed to use sss to integrate user accounts with NIS and AD. With winbind,
this doesn't work. Either it cannot find the user account, or the
authentication always fail. If you think Rocky 9 with Samba/winbind can satisfy
the requirements, I'll be happy to install Rocky 9 and all associated
software in this server for test purposes. Let me know if you have any questions
before I reimage the server.
Thanks.
Zhongdong
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny
via samba
Sent: Tuesday, May 7, 2024 1:44 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba domain name in short format
On Tue, 7 May 2024 01:34:58 +0000
"Sun, Zhongdong via samba" <samba at lists.samba.org> wrote:
> Hi Jeremy,
>
> I forgot to mention this. All these strange behaviors occurred when
> winbind was turned off.
You cannot turn winbind off on a Samba AD domain member, it must be running and
if winbind is running, you do not need sssd.
> If I turn on winbind, this problem could be resolved, i.e. at least it
> allowed me to login as YALE\zs24, but it always said 'access is
> denied' even I input the correct password.
> Maybe something wrong with the Samba settings. Here is my smb.conf
> file. Anything looks unusual? I'm not sure about the ipmap config
> part, especially the range and backend.
>
> Thanks.
> Zhongdong
>
> [global]
>
> netbios name = HECATE
> workgroup = YALE
> realm = YU.YALE.EDU
> server string = PET Center Samba Server
> security = ADS
> #2017-11-23 zs24, allow ntlm which is still used by some local
> accounts and old Windows XP machines. ntlm auth = yes
> client NTLMv2 auth = yes
> client lanman auth = no
> client plaintext auth = no
> min protocol = NT1
>
> kerberos method = secrets and keytab
> idmap config * : backend = tdb
> idmap config * : range = 10000-199999
> idmap config YALE : backend = sss
> idmap config YALE : range = 200000-2147483647
> machine password timeout = 0
>
I have very little knowledge about the 'sss' idmap backend, mainly
because I do not use it, but the above appears to be correct.
You say that 'yu.yale.edu\zs24' works, but 'YALE\zs24'
doesn't. The first is using the dns domain and the second is using the
NetBIOS domain name (aka workgroup). I use the 'rid' idmap backend with
winbind and it is the opposite way around for me 'SAMDOM\rowland' works,
'samdom.example.com\rowland' doesn't.
As you do not have a redhat contract, can I suggest you setup a Rocky Linux 9
machine (in a VM will do) and I will talk you through setting up a Unix domain
member on it using winbind, that way you will be able to see what works.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba