Displaying 20 results from an estimated 27 matches for "jgraham".
2024 Nov 19
1
Working through the PAM Offline Authentication Wiki page, but...
...the tests for initial online login to my newly joined Linux domain
member the machine through ssh are failing. I ran:
    terra ~ # ssh HOME\\jgraham@localhost
    (HOME\jgraham@localhost) Password:
    (HOME\jgraham@localhost) Password:
    (HOME\jgraham@localhost) Password:
    HOME\jgraham@localhost's password:
    Permission denied, please try again.
    HOME\jgraham@localhost's password:
    Received disconn...
2024 Nov 25
1
Working through the PAM Offline Authentication Wiki page, but...
...t is, it should have been:
>
> smbcontrol winbindd offline
>
> Rowland
Okay, thanks, but I'm going to start over as I appear to have related
some incorrect information.
Running
    smbcontrol winbind offline
contrary to previous report does do something
    wbinfo -K SAMDOM\\jgraham%password
returns
    plaintext kerberos password authentication for [SAMDOM\\jgraham] succeeded (requesting cctype: FILE)
    user_flgs: NETLOGON_CACHED_ACCOUNT
    credentials were put in: FILE:/tmp/krb5cc_0
Turns out smbcontrol will accept either "winbind" or "winbindd"...
2024 Nov 27
2
pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
...ine mode,
    terra ~ # smbcontrol winbindd offline
    terra ~ # smbcontrol winbindd onlinestatus
    PID 20664: global:Offline BUILTIN:Online TERRA:Online HOME:Offline
I can successfully log in (with the test shown in the PAM Offline
Authentication Wiki article):
    terra ~ # ssh SAMDOM\\jgraham@localhost
    (SAMDOM\jgraham@localhost) Password:
    Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable
    Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable
Log entries in /var/log/...
2024 Nov 29
1
pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
...appears that libnss_winbind.so.2 communicates with winbindd to do its
job, so shouldn't it honor winbindd's offline status? It appears that it
may not be--and it appears that that may be a bug. It seems central to
my offline authentication issue that
    terra ~ # getent passwd SAMDOM\\jgraham
    [29645]: getpwnam_r SAMDOM\jgraham
    [29645]: getpwnam SAMDOM\jgraham returns NSS_STATUS_SUCCESS (1)
    SAMDOM\jgraham:*:10000:11001:John Graham:/home/jgraham:/bin/bash
works when the network interface is up, but when the network interface
is down,
    terra ~ # getent passwd SAMDOM\\...
2024 Nov 27
1
pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
...bindd offline
>     terra ~ # smbcontrol winbindd onlinestatus
>     PID 20664: global:Offline BUILTIN:Online TERRA:Online HOME:Offline
>
> I can successfully log in (with the test shown in the PAM Offline
> Authentication Wiki article):
>
>     terra ~ # ssh SAMDOM\\jgraham@localhost
>     (SAMDOM\jgraham@localhost) Password:
>     Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable
>     Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable...
2025 Feb 14
1
Reported group membership is different between domain member and Samba ADC
On my Linux domain members, group membership for my domain login is
reported as:
    terra # id SAMDOM\\jgraham
    uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users) groups=10513(SAMDOM\domain users),11105(SAMDOM\jgraham),11120(SAMDOM\wheel),3001(BUILTIN\users)
(I filtered local groups to make the output less noisy.) But on the ADC
the same command gives different results:
    dc1 # id SAMDOM\\j...
2024 Nov 14
1
Very strange: Samba is unable to access one of its own files
...As soon as the idmap lines were removed--and Samba was
restarted--sanity was restored. I also uncommented these lines:
    template shell = /bin/bash
    template homedir = /home/%U
I do get an unexpected result from retrieving my domain user's passwd line:
    # getent passwd SAMDOM\\jgraham
    SAMDOM\jgraham:*:10000:100::/home/SAMDOM/jgraham:/bin/false
It appears that somehow the defaults from smb.conf are being
ignored...or is it that the defaults were in place when the domain
account was created? But, hmm, running
    samba-tool user show -U Administrator jgraham
gets me,...
2025 Feb 14
1
Reported group membership is different between domain member and Samba ADC
On Fri, 14 Feb 2025 10:03:33 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> On my Linux domain members, group membership for my domain login is
> reported as:
>
>     terra # id SAMDOM\\jgraham
>     uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users) groups=10513(SAMDOM\domain users),11105(SAMDOM\jgraham),11120(SAMDOM\wheel),3001(BUILTIN\users)
>
> (I filtered local groups to make the output less noisy.) But on the
> ADC the same command gives different resu...
2025 Feb 14
1
Reported group membership is different between domain member and Samba ADC
...;
> Now when they log in your domain administrators will be able to use
> sudo.
>
> For extra brownie points, you could store the sudo rules in AD ;-)
>
> Rowland
>
As it turns out, I still have the same issue:
    dc1 ~ # samba-tool group addmembers "Domain Admins" jgraham
    Added members to group Domain Admins
    dc1 ~ # net cache flush
    dc1 ~ # samba-tool group listmembers 'domain admins'
    jgraham
    Administrator
And yet:
    dc1 ~ # id HOME\\jgraham
    uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users) groups=10513(SAMDOM\domain...
2024 Nov 27
1
pam_winbind Appears to need a Network Connection to Succeed at Offline Authentication
On 11/27/24 12:38, Rowland Penny via samba wrote:
>> Hmm, PAM on Gentoo appears to be very different to Debian. For
>> instance on Debian, to include lines from another file you use
>> '@include' and it includes the entire contents of the file, Gentoo
>> appears to just include the lines referred to in the first column,
>> which, if correct, means that your
2025 Feb 14
1
Reported group membership is different between domain member and Samba ADC
...istrators will be able to use
> > sudo.
> >
> > For extra brownie points, you could store the sudo rules in AD ;-)
> >
> > Rowland
> >
> As it turns out, I still have the same issue:
>
>     dc1 ~ # samba-tool group addmembers "Domain Admins" jgraham
>     Added members to group Domain Admins
>     dc1 ~ # net cache flush
>     dc1 ~ # samba-tool group listmembers 'domain admins'
>     jgraham
>     Administrator
>
> And yet:
>
>     dc1 ~ # id HOME\\jgraham
>     uid=11105(SAMDOM\jgraham) gid=1051...
2024 Nov 16
2
First Linux Machine Domain Join
...hich was necessary to start winbindd. It's now running, and
the wbinfo and getent utilities are now behaving better:
    terra ~ # wbinfo --ping-dc
    checking the NETLOGON for domain[HOME] dc connection to "ceres.home.graham-family.org" succeeded
    terra ~ # getent passwd SAMDOM\\jgraham
    HOME\jgraham:*:10000:11001::/home/jgraham:/bin/bash
>> Sorry but that is incorrect, it should be 'security = ADS'
Thanks; fixed.
I've been following the Samba Member Server Troubleshooting wiki page
and have resolved almost everything. The only thing I've got at the
mome...
2024 Nov 14
1
Very strange: Samba is unable to access one of its own files
...Samba was
> restarted--sanity was restored. I also uncommented these lines:
>
>     template shell = /bin/bash
>     template homedir = /home/%U
>
> I do get an unexpected result from retrieving my domain user's passwd
> line:
>
>     # getent passwd SAMDOM\\jgraham
>     SAMDOM\jgraham:*:10000:100::/home/SAMDOM/jgraham:/bin/false
>
> It appears that somehow the defaults from smb.conf are being
> ignored...or is it that the defaults were in place when the domain
> account was created? But, hmm, running
>
>     samba-tool user show...
2025 Feb 14
1
Reported group membership is different between domain member and Samba ADC
On Fri, 14 Feb 2025 10:51:57 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> I was experimenting with centralized administration of Linux
> administrative privileges, so I created the group. (I have to assume
> that there's nothing fundamentally wrong with creating a domain group
> for some special purpose.) I then added to /etc/sudoers:
2025 Feb 14
1
Reported group membership is different between domain member and Samba ADC
...owland Penny via samba wrote:
> On Fri, 14 Feb 2025 10:03:33 -0500
> "John R. Graham via samba" <samba at lists.samba.org> wrote:
>
>> On my Linux domain members, group membership for my domain login is
>> reported as:
>>
>>     terra # id SAMDOM\\jgraham
>>     uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users) groups=10513(SAMDOM\domain users),11105(SAMDOM\jgraham),11120(SAMDOM\wheel),3001(BUILTIN\users)
>>
>> (I filtered local groups to make the output less noisy.) But on the
>> ADC the same comma...
2024 Nov 14
1
Very strange: Samba is unable to access one of its own files
...rectory and the shell
attributes would be retrieved from AD--or else constructed from the
'template homedir' and 'template shell' lines in smb.conf. The values I
set there were:
    template shell = /bin/bash
    template homedir = /home/%U
but the getent is returning
    HOME\jgraham:*:10000:100::/home/SAMDOM/jgraham:/bin/false
which appear to be the defaults for those two as opposed to what's
specified in either smb.conf or AD.
- John
2024 Nov 13
2
Very strange: Samba is unable to access one of its own files
On Wed, 13 Nov 2024 15:19:22 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
>
> On 11/12/24 09:35, Rowland Penny via samba wrote:
>
> > If you are using Debian, just install the libpam-winbind and
> > libnss-winbind packages, open /etc/nsswitch.conf in your favourite
> > editor and ensure that the passwd & group lines contain
2025 Feb 15
1
Reported group membership is different between domain member and Samba ADC
...that, it will explain why you are
> not getting any group members.
>
> Rowland
Ah. Thank you! On my domain controller "getent" now behaves as you
predicted:
    dc1 ~ # getent group 'SAMDOM\domain admins'
    SAMDOM\domain admins:x:3000000:SAMDOM\administrator,SAMDOM\jgraham
    dc1 ~ # getent group SAMDOM\\wheel
    SAMDOM\wheel:x:11120:SAMDOM\jgraham
and "su -" now works but "sudo su -" is still broken on my domain
controller; both work on my domain members. Interestingly, "id" still
doesn't report correct group membership on th...
2024 Nov 14
3
Very strange: Samba is unable to access one of its own files
...or else constructed from
> the 'template homedir' and 'template shell' lines in smb.conf. The
> values I set there were:
>
>     template shell = /bin/bash
>     template homedir = /home/%U
>
That should work.
> but the getent is returning
>
> HOME\jgraham:*:10000:100::/home/SAMDOM/jgraham:/bin/false
>
> which appear to be the defaults for those two as opposed to what's
> specified in either smb.conf or AD.
Yes, they are the defaults, as is the '100' for 'users' which is mapped
to Domain Users. I suggest you set a gidN...
2024 Nov 16
1
First Linux Machine Domain Join
On Sat, 16 Nov 2024 10:38:06 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> I apparently haven't created the correct formula to get Samba to
> start winbindd on my workstation in the process of joining my domain.
> Testing winbindd connectivity fails:
Samba doesn't start any daemons on a Unix domain member, you have to do
it yourself.
>