On Tue, 18 Jun 2024 15:25:03 +0200
PaLi via samba <samba at lists.samba.org> wrote:

> on DC - dc31:
> -------------
> $ sudo samba-tool testparm
>
> INFO 2024-06-18 13:09:06,760 pid:31797 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
> INFO 2024-06-18 13:09:06,760 pid:31797 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> bind interfaces only = Yes
> dns forwarder = 127.0.0.53

What is '127.0.0.53' ?
I would expect an external (external to office.company.com) dns server, such as Google's 8.8.8.8

> interfaces = lo enp1s0
> netbios name = DC31
> realm = OFFICE.COMPANY.COM
> server role = active directory domain controller
> template homedir = /home/%D/%U
> template shell = /bin/bash
> winbind enum groups = Yes
> winbind enum users = Yes

You should only have the 'winbind enum' lines for testing purposes, they can slow things down in production.

> workgroup = OFFICE
> idmap_ldb:use rfc2307 = yes
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/office.company.com/scripts
> read only = No
>
> [homes]
> comment = Home Directories
> inherit acls = Yes
> read only = No
> valid users = %S %D%w%S

This is a DC, you must set the permissions from Windows, therefore the 'inherit acls' and 'valid users' lines shouldn't be used.

>
> on DC - dc31:
> -------------
> $ sudo testparm -s

No, you should have used 'samba-tool testparm', I know it is a bit confusing, but it is 'samba-tool testparm' on Samba AD DCs and 'testparm -s' on everything else.

> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
>
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> # Global parameters
> [global]
> bind interfaces only = Yes
> dns forwarder = 127.0.0.53
> interfaces = lo enp1s0
> passdb backend = samba_dsdb
> realm = OFFICE.COMPANY.COM
> server role = active directory domain controller
> template shell = /bin/bash
> winbind enum groups = Yes
> winbind enum users = Yes
> workgroup = OFFICE
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> map archive = No
> vfs objects = dfs_samba4 acl_xattr
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/office.company.com/scripts
> read only = No
>
> [homes]
> comment = Home Directories
> inherit acls = Yes
> read only = No
> valid users = %S %D%w%S

Same comments as the other DC.

>
> on member - smbubu48:
> ---------------------
> $ sudo samba-tool testparm
>
> INFO 2024-06-12 17:11:33,740 pid:29617 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
> INFO 2024-06-12 17:11:33,741 pid:29617 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> log level = 0
> netbios name = SMBUBU48
> realm = OFFICE.COMPANY.COM
> security = DOMAIN

Sorry but that is wrong, it should be 'security = ADS'

> server role = member server
> template homedir = /home/%D/%U
> template shell = /bin/bash
> winbind enum groups = Yes
> winbind enum users = Yes

Same comment as the DCs

> winbind rpc only = Yes

I would remove the line above.

> winbind use default domain = Yes
> workgroup = OFFICE
> idmap config office : unix_primary_group = yes
> idmap config office : unix_nss_info = yes
> idmap config office : range = 1000-9999

The gidNumber you gave Domain Users (513) is outside the OFFICE range, so all your users will probably be getting IDs in the 10000-19999 range.

> idmap config office : schema_mode = rfc2307
> idmap config office : backend = ad
> idmap config * : range = 10000-19999
> idmap config * : backend = tdb
> map acl inherit = Yes
> store dos attributes = Yes
> vfs objects = acl_xattr
>
> [homes]
> comment = Home Directories
> inherit acls = Yes
> read only = No
> valid users = %S %D%w%S
>
>
> on member - smbubu48:
> ---------------------
> sudo testparm -s
>
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
> kdc enable fast = No
> realm = OFFICE.COMPANY.COM
> security = DOMAIN
> server role = member server
> template shell = /bin/bash
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind rpc only = Yes
> winbind use default domain = Yes
> workgroup = OFFICE
> idmap config office : unix_primary_group = yes
> idmap config office : unix_nss_info = yes
> idmap config office : range = 1000-9999
> idmap config office : schema_mode = rfc2307
> idmap config office : backend = ad
> idmap config * : range = 10000-19999
> idmap config * : backend = tdb
> map acl inherit = Yes
> vfs objects = acl_xattr
>
> [homes]
> comment = Home Directories
> inherit acls = Yes
> read only = No
> valid users = %S %D%w%S
>

Same comments as the other Unix domain member.

If you use the 'ad' idmap backend, then the uidNumber & gidNumber attributes you add to AD will be used instead of the IDs allocated (on a first come basis) in idmap.ldb. However, they may not be used straight after you add them until you run 'net cache flush'.

Whatever Unix IDs you add to AD, the 'OFFICE' range in the Unix domain members must reflect this, so as you appear to have given Domain Users the gidNumber '513', the range line in your Unix domain members should look something like this:

idmap config office : range = 500-9999

Which will mean that you cannot have any local Unix users except for root, so what happens if something goes wrong with AD and you need to log in as a local Unix user ?

I think you need to read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Also, as you do not seem to be using Unix home directories etc from AD, you might want to consider using the 'rid' idmap backend, that way you do not need to add anything extra to AD.

Rowland
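A small checker for the idmap problems Rowland points out above (AD uidNumber/gidNumber values outside the domain range, a range that swallows the local user space, 'security' not set to ADS), written as an added example; it is not code from the thread or from the samba project. The smb.conf fragment, the AD attribute values and LOCAL_ID_MIN are constructed assumptions.

```python
"""Check the idmap settings of a Samba domain-member smb.conf.

Added example (not samba project code): flags 'security' != ADS, AD
uid/gidNumber values outside the domain range, overlapping ranges and a
range that collides with local Unix accounts, as discussed in the thread.
"""
import re

# Constructed fragment mirroring the member server 'smbubu48' in the thread.
SMB_CONF = """
[global]
   security = DOMAIN
   workgroup = OFFICE
   idmap config office : backend = ad
   idmap config office : schema_mode = rfc2307
   idmap config office : range = 1000-9999
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
"""
# Constructed AD attribute values; Domain Users was given gidNumber 513.
AD_IDS = {"Domain Users gidNumber": 513, "pavel uidNumber": 2001}
# First ID given to locally created accounts; Debian/Ubuntu default from
# /etc/login.defs (assumption, adjust for your distribution).
LOCAL_ID_MIN = 1000

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
SECURITY_RE = re.compile(r"^\s*security\s*=\s*(\S+)", re.I | re.M)


def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (lo, hi), ...}}."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in value.split("-"))
            entry["range"] = (lo, hi)
        else:
            entry[key] = value.lower()
    return domains


def check_member_conf(conf, ad_ids):
    """Return a list of findings; empty when the configuration looks sane."""
    findings = []
    sec = SECURITY_RE.search(conf)
    if not sec or sec.group(1).upper() != "ADS":
        findings.append("security should be ADS on a domain member")
    domains = parse_idmap(conf)
    ranges = [(d, e["range"]) for d, e in domains.items() if "range" in e]
    # Every domain range must be disjoint from the '*' range and each other.
    for i, (d1, (lo1, hi1)) in enumerate(ranges):
        for d2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"ranges for '{d1}' and '{d2}' overlap")
    for dom, entry in domains.items():
        if dom == "*" or "range" not in entry:
            continue
        lo, hi = entry["range"]
        if lo < LOCAL_ID_MIN:
            findings.append(f"'{dom}' range {lo}-{hi} starts below local ID "
                            f"{LOCAL_ID_MIN}: local Unix accounts would collide")
        if entry.get("backend") == "ad":
            # With the 'ad' backend the range must cover every uidNumber and
            # gidNumber stored in AD, or winbind will not use the attribute.
            for name, value in ad_ids.items():
                if not lo <= value <= hi:
                    findings.append(f"{name}={value} is outside '{dom}' range {lo}-{hi}")
    return findings
```

Running `check_member_conf(SMB_CONF, AD_IDS)` reports the two problems from the thread (security = DOMAIN and gidNumber 513 outside 1000-9999); widening the range to 500-9999 silences the second but triggers the local-account warning Rowland raises.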
On Tue, 2024-06-18 at 15:36 +0100, Rowland Penny via samba wrote:
> On Tue, 18 Jun 2024 15:25:03 +0200
> PaLi via samba <samba at lists.samba.org> wrote:
>
> > on DC - dc31:
> > -------------
> > $ sudo samba-tool testparm
> >
> > INFO 2024-06-18 13:09:06,760 pid:31797 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
> > INFO 2024-06-18 13:09:06,760 pid:31797 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
> > Press enter to see a dump of your service definitions
> >
> > # Global parameters
> > [global]
> > bind interfaces only = Yes
> > dns forwarder = 127.0.0.53
>
> What is '127.0.0.53' ?

This was created by samba-tool during provisioning, so I left it unchanged:

samba-tool domain provision \
  --realm={{sambadomain_realm}} \
  --domain={{sambadomain_smbdomain}} \
  --site={{sambadomain_officesite}} \
  --server-role=dc \
  --dns-backend=${DNS_BACKEND} \
  --use-rfc2307 \
  --option="interfaces=lo {{ansible_default_ipv4.interface}}" \
  --option="bind interfaces only=yes" \
  --adminpass='{{samba_administrator_pwd}}'

I suppose it is because systemd-resolved is configured on this DC.

> I would expect an external (external to office.company.com) dns server, such as googles 8.8.8.8
>
> > interfaces = lo enp1s0
> > netbios name = DC31
> > realm = OFFICE.COMPANY.COM
> > server role = active directory domain controller
> > template homedir = /home/%D/%U
> > template shell = /bin/bash
> > winbind enum groups = Yes
> > winbind enum users = Yes
>
> You should only have the 'winbind enum' lines for testing purposes, they can slow things down in production.

OK, I understand.

> > workgroup = OFFICE
> > idmap_ldb:use rfc2307 = yes
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/office.company.com/scripts
> > read only = No
> >
> > [homes]
> > comment = Home Directories
> > inherit acls = Yes
> > read only = No
> > valid users = %S %D%w%S
>
> This is a DC, you must set the permissions from Windows, therefor the 'inherit acls' and valid users' lines shouldn't be used.

OK

> > on DC - dc31:
> > -------------
> > $ sudo testparm -s
>
> No, you should have used 'samba-tool testparm', I know it is a bit confusing, but it is 'samba-tool testparm' on Samba AD DCs and 'testparm -s' on everything else.
>
> > Load smb config files from /etc/samba/smb.conf
> > Loaded services file OK.
> > Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
> >
> > Server role: ROLE_ACTIVE_DIRECTORY_DC
> >
> > # Global parameters
> > [global]
> > bind interfaces only = Yes
> > dns forwarder = 127.0.0.53
> > interfaces = lo enp1s0
> > passdb backend = samba_dsdb
> > realm = OFFICE.COMPANY.COM
> > server role = active directory domain controller
> > template shell = /bin/bash
> > winbind enum groups = Yes
> > winbind enum users = Yes
> > workgroup = OFFICE
> > rpc_server:tcpip = no
> > rpc_daemon:spoolssd = embedded
> > rpc_server:spoolss = embedded
> > rpc_server:winreg = embedded
> > rpc_server:ntsvcs = embedded
> > rpc_server:eventlog = embedded
> > rpc_server:srvsvc = embedded
> > rpc_server:svcctl = embedded
> > rpc_server:default = external
> > winbindd:use external pipes = true
> > idmap_ldb:use rfc2307 = yes
> > idmap config * : backend = tdb
> > map archive = No
> > vfs objects = dfs_samba4 acl_xattr
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/office.company.com/scripts
> > read only = No
> >
> > [homes]
> > comment = Home Directories
> > inherit acls = Yes
> > read only = No
> > valid users = %S %D%w%S
>
> Same comments as the other DC.
>
> > on member - smbubu48:
> > ---------------------
> > $ sudo samba-tool testparm
> >
> > INFO 2024-06-12 17:11:33,740 pid:29617 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
> > INFO 2024-06-12 17:11:33,741 pid:29617 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
> > Press enter to see a dump of your service definitions
> >
> > # Global parameters
> > [global]
> > log level = 0
> > netbios name = SMBUBU48
> > realm = OFFICE.COMPANY.COM
> > security = DOMAIN
>
> Sorry but that is wrong, it should be 'security = ADS'
>
> > server role = member server
> > template homedir = /home/%D/%U
> > template shell = /bin/bash
> > winbind enum groups = Yes
> > winbind enum users = Yes
>
> Same comment as the DCs
>
> > winbind rpc only = Yes
>
> I would remove the line above.

OK

> > winbind use default domain = Yes
> > workgroup = OFFICE
> > idmap config office : unix_primary_group = yes
> > idmap config office : unix_nss_info = yes
> > idmap config office : range = 1000-9999
>
> The gidNumber you gave Domain Users (513) is outside the OFFICE range, so all your users will probably be getting IDs in the 10000-19999 range.

I see, I didn't know it is a restriction for groups too.

> > idmap config office : schema_mode = rfc2307
> > idmap config office : backend = ad
> > idmap config * : range = 10000-19999
> > idmap config * : backend = tdb
> > map acl inherit = Yes
> > store dos attributes = Yes
> > vfs objects = acl_xattr
> >
> > [homes]
> > comment = Home Directories
> > inherit acls = Yes
> > read only = No
> > valid users = %S %D%w%S
> >
> > on member - smbubu48:
> > ---------------------
> > sudo testparm -s
> >
> > Load smb config files from /etc/samba/smb.conf
> > Loaded services file OK.
> > Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
> >
> > Server role: ROLE_DOMAIN_MEMBER
> >
> > # Global parameters
> > [global]
> > kdc enable fast = No
> > realm = OFFICE.COMPANY.COM
> > security = DOMAIN
> > server role = member server
> > template shell = /bin/bash
> > winbind enum groups = Yes
> > winbind enum users = Yes
> > winbind rpc only = Yes
> > winbind use default domain = Yes
> > workgroup = OFFICE
> > idmap config office : unix_primary_group = yes
> > idmap config office : unix_nss_info = yes
> > idmap config office : range = 1000-9999
> > idmap config office : schema_mode = rfc2307
> > idmap config office : backend = ad
> > idmap config * : range = 10000-19999
> > idmap config * : backend = tdb
> > map acl inherit = Yes
> > vfs objects = acl_xattr
> >
> > [homes]
> > comment = Home Directories
> > inherit acls = Yes
> > read only = No
> > valid users = %S %D%w%S
> >
>
> same comments as the other Unix domain member.
>
> If you use the 'ad' idmap backend, then the uidNumber & gidNumber attributes you add to AD will be used instead of the IDs allocated (on a first come basis) in idmap.ldb. However, they may not be used straight after you add them until you run 'net cache flush'.

My biggest question was: why does getent passwd show gid 513 for Samba AD users on the MEMBER server only? It showed gid 100 for the same users on the DC servers (why 100? this number is not anywhere in the configuration = some default).
This is the answer: run 'net cache flush'. After that the gid on DCs and MEMBERs is the same.
Thanks a lot.

> Whatever Unix IDs you add to AD, the 'OFFICE' range in the Unix domain members must reflect this, so as you appear to have given Domain Users the gidNumber '513', the range line in your Unix domain members should look something like this:
>
> idmap config office : range = 500-9999
>
> Which will mean that you cannot have any local Unix users except for root, so what happens if something goes wrong with AD and you need to login as a local Unix user ?

As I'm preparing to transform / upgrade an old Samba3 (NT domain) to Samba AD, my main motivation was to keep the same gidNumber for Domain Users. But I can solve it another way. I need to set uidNumber/gidNumber manually in AD, because they are used by unix scripts for integration with other apps.

> I think you need to read this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Also has you do not seem to be using Unix home directories etc from AD, you might want to consider using the 'rid' idmap backend, that way you do not need to add anything extra to AD.
>
> Rowland
Hi

I've just recreated the whole environment and after DC provision the group "domain users" has gid 100.

getent passwd
OFFICE\administrator:*:0:100::/home/OFFICE/administrator:/bin/bash
OFFICE\guest:*:3000011:3000012::/home/OFFICE/guest:/bin/bash
OFFICE\krbtgt:*:3000015:100::/home/OFFICE/krbtgt:/bin/bash
OFFICE\dhcpduser:*:3000016:100::/home/OFFICE/dhcpduser:/bin/bash

getent group
...
BUILTIN\administrators:x:3000000:
BUILTIN\users:x:3000001:
BUILTIN\guests:x:3000002:
BUILTIN\account operators:x:3000009:
BUILTIN\server operators:x:3000010:
BUILTIN\print operators:x:3000011:
BUILTIN\backup operators:x:3000012:
BUILTIN\replicator:x:3000013:
BUILTIN\pre-windows 2000 compatible access:x:3000014:
BUILTIN\remote desktop users:x:3000015:
BUILTIN\network configuration operators:x:3000016:
BUILTIN\incoming forest trust builders:x:3000017:
BUILTIN\performance monitor users:x:3000018:
BUILTIN\performance log users:x:3000019:
BUILTIN\windows authorization access group:x:3000020:
BUILTIN\terminal server license servers:x:3000021:
BUILTIN\distributed com users:x:3000022:
BUILTIN\iis_iusrs:x:3000023:
BUILTIN\cryptographic operators:x:3000024:
BUILTIN\event log readers:x:3000025:
BUILTIN\certificate service dcom access:x:3000026:
OFFICE\cert publishers:x:3000027:
OFFICE\ras and ias servers:x:3000028:
OFFICE\allowed rodc password replication group:x:3000029:
OFFICE\denied rodc password replication group:x:3000030:
OFFICE\dnsadmins:x:3000031:
OFFICE\enterprise read-only domain controllers:x:3000032:
OFFICE\domain admins:x:3000033:
OFFICE\domain users:x:100:
OFFICE\domain guests:x:3000004:
OFFICE\domain computers:x:3000034:
OFFICE\domain controllers:x:3000035:
OFFICE\schema admins:x:3000036:
OFFICE\enterprise admins:x:3000037:
OFFICE\group policy creator owners:x:3000038:
OFFICE\read-only domain controllers:x:3000039:
OFFICE\protected users:x:3000040:
OFFICE\dnsupdateproxy:x:3000041:

Can somebody explain to me: is this the intended configuration (normal behaviour) or is there something wrong?
Now I remembered why I tried to change it to something known to me (gid: 513).

Pavel