ADS Domain Member - getent problem


ADS Domain Member - getent problem

Samba - General mailing list
Hello List,
I'm running a Samba AD DC on Debian 9, Samba version 4.5.12-Debian.
Right now I'm trying to add a domain member - also running Samba version 4.5.12-Debian.
Thanks to Louis and Rowland, this howto guided me a lot in the right direction: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

But right now I'm stuck. It seems that the configuration is ok - the AD members are successfully joined, I can ping the DC via "wbinfo --ping-dc", all the tests regarding name resolution are working, and of course I get the complete list of users and groups via wbinfo -u or wbinfo -g on the member servers.  :-)

The users are maintained via ADUC on the DC, and every user and group has its UID assigned.

Surprisingly only "getent group" generates the list of groups with the correct IDs on the domain members. I tried this on two different members.
"getent passwd demo1" (or "getent passwd H950\demo1") generates nothing.


This is the config file from the domain member - smb.conf

[global]
    security = ADS
    workgroup = H950
    realm = H950.SOME.DOMAIN
    log file = /var/log/samba/%m.log
    log level = 5

    #map untrusted to domain = Yes

    # Default idmap config for local BUILTIN accounts and groups
    idmap config * : backend = tdb
    idmap config * : range = 20000-20999

    idmap config H950:default = true
    idmap config H950:schema mode = rfc2307
    idmap config H950:backend = ad
    idmap config H950:range = 500-9999
    idmap config H950:unix_nss_info = yes
    idmap config H950:unix_primary_group = yes
    winbind nss info = rfc2307

    username map = /etc/samba/user.map
    acl allow execute always = True
    unix charset = UTF8

    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes



Is there anything I'm missing? Or mixing up? I'm sure ... ;-)

Thank you guys for your work!
Kind regards
Franz



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: ADS Domain Member - getent problem

Samba - General mailing list
On Wed, 10 Jan 2018 18:43:37 +0100
Franz Gansberger via samba <[hidden email]> wrote:

> Hello List,
> I'm running a Samba AD DC on Debian 9, Samba version 4.5.12-Debian.
> Right now I'm trying to add a domain member - also running Samba
> version 4.5.12-Debian. Thanks to Louis and Rowland, this howto guided
> me a lot in the right direction:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> But right now I'm stuck. It seems that the configuration is ok -
> the AD members are successfully joined, I can ping the DC via "wbinfo
> --ping-dc", all the tests regarding name resolution are working, and
> of course I get the complete list of users and groups via wbinfo
> -u or wbinfo -g on the member servers.  :-)
>
> The users are maintained via ADUC on the DC, and every user and group
> has its UID assigned.
>
> Surprisingly only "getent group" generates the list of groups with
> the correct IDs on the domain members. I tried this on two different
> members. "getent passwd demo1" (or "getent passwd H950\demo1")
> generates nothing.

From your smb.conf below, 'getent passwd demo1' should work.

>
>
> This is the config file from the domain member - smb.conf
>
> [global]
>   security = ADS
>   workgroup = H950
>   realm = H950.SOME.DOMAIN
>   log file = /var/log/samba/%m.log
>   log level = 5
>
> #map untrusted to domain = Yes
>
>  # Default idmap config for local BUILTIN accounts and groups
> idmap config * : backend = tdb
>  idmap config * : range = 20000-20999
>
>   idmap config H950:default = true
>   idmap config H950:schema mode = rfc2307
>   idmap config H950:backend = ad
>   idmap config H950:range = 500-9999
>   idmap config H950:unix_nss_info = yes
>   idmap config H950:unix_primary_group = yes
>   winbind nss info = rfc2307

You are using Samba 4.5.12; the above setup is for 4.6.x.

Change the 'idmap config H950' block to this:

           idmap config H950:backend = ad
           idmap config H950:schema mode = rfc2307
           idmap config H950:range = 500-9999
           winbind nss info = rfc2307

Ensure that Domain Users has a gidNumber attribute containing a number
inside the '500-9999' range (I may have already said this, but
'500-9999' isn't a good range to use).

>
>   username map = /etc/samba/user.map
>   acl allow execute always = True
>   unix charset = UTF8
>
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes

You do not need the 'winbind enum' lines; the only thing they really do
is slow Samba down.

> winbind refresh tickets = yes

You should also add:

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

Rowland


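Rowland's two points above, that `unix_nss_info` / `unix_primary_group` only apply from Samba 4.6 and that the primary group (Domain Users) must carry a gidNumber inside the domain's idmap range, are the kind of thing worth checking mechanically before rejoining a member. The script below is an added example written for this thread, not code from the thread or from the Samba project. It parses the `idmap config` lines of an smb.conf and reports the mismatches discussed in the reply. The smb.conf text and the user/group attributes are constructed samples modelled on the poster's configuration; the set of 4.6-only parameters and the cut-off for local system-account IDs (999 on a Debian box) are assumptions to confirm against your own version's idmap_ad(8) man page.

```python
"""Sanity-check the idmap configuration of a Samba AD domain member.

Added example: parses the 'idmap config' lines of an smb.conf and reports a
low range colliding with local system accounts, overlapping ranges,
parameters that need a newer Samba, and a primary group without a usable
gidNumber (which leaves 'getent passwd' silent while 'wbinfo -u' still works).
"""
import re

# Constructed sample, modelled on the smb.conf in the thread (not the poster's file).
SAMPLE_SMB_CONF = """\
[global]
    security = ADS
    workgroup = H950
    realm = H950.SOME.DOMAIN
    idmap config * : backend = tdb
    idmap config * : range = 20000-20999
    idmap config H950:backend = ad
    idmap config H950:schema mode = rfc2307
    idmap config H950:range = 500-9999
    idmap config H950:unix_nss_info = yes
    idmap config H950:unix_primary_group = yes
    winbind nss info = rfc2307
"""

# Constructed RFC2307 attributes as they might be set through ADUC.
# 'Domain Users' deliberately has no gidNumber, reproducing the symptom.
SAMPLE_USERS = {"demo1": {"uidNumber": 3001, "primaryGroupName": "Domain Users"}}
SAMPLE_GROUPS = {"Domain Users": {}, "devs": {"gidNumber": 3100}}

# Assumption: these idmap_ad parameters exist only from Samba 4.6 on
# (Rowland's point in the thread); confirm against your idmap_ad(8) man page.
IDMAP_AD_46_ONLY = {"unix_nss_info", "unix_primary_group"}

IDMAP_RE = re.compile(
    r"^idmap config\s*(?P<dom>[^:]+?)\s*:\s*(?P<key>[^=]+?)\s*=\s*(?P<val>.+?)\s*$"
)


def parse_idmap(conf):
    """Return {domain: {parameter: value}} for every 'idmap config' line."""
    idmap = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue  # comments and section headers carry no idmap settings
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m["dom"], {})[m["key"]] = m["val"]
    return idmap


def parse_range(text):
    """Turn 'LOW-HIGH' into a (low, high) tuple, rejecting inverted ranges."""
    low, high = (int(part) for part in text.split("-"))
    if low > high:
        raise ValueError(f"inverted range {text!r}")
    return low, high


def check_idmap(conf, users, groups, samba_version=(4, 5, 12), local_reserved_max=999):
    """Return a list of human-readable problems; empty means the smb.conf and
    the directory attributes look consistent with each other."""
    idmap = parse_idmap(conf)
    problems = []

    # The '*' (default) domain must stay on tdb with its own range for BUILTIN SIDs.
    default = idmap.get("*", {})
    if default.get("backend") != "tdb" or "range" not in default:
        problems.append("idmap config * : backend must be tdb and have a range")

    ranges = {}
    for dom, params in idmap.items():
        if "range" in params:
            try:
                ranges[dom] = parse_range(params["range"])
            except ValueError as exc:
                problems.append(f"{dom}: {exc}")

    # Every idmap domain must own a disjoint ID range.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of '{a}' and '{b}' overlap")

    for dom, params in idmap.items():
        if dom == "*" or params.get("backend") != "ad" or dom not in ranges:
            continue
        low, high = ranges[dom]
        if low <= local_reserved_max:
            problems.append(f"{dom}: range starts at {low}, inside local system-account IDs (<= {local_reserved_max})")
        if samba_version < (4, 6):
            for key in sorted(IDMAP_AD_46_ONLY & params.keys()):
                problems.append(f"{dom}: '{key}' needs Samba 4.6 or later")
        # With the ad backend a passwd entry needs both the user's uidNumber and
        # the primary group's gidNumber inside the range; otherwise getent is empty.
        for name, attrs in users.items():
            uid = attrs.get("uidNumber")
            if uid is None or not low <= uid <= high:
                problems.append(f"user {name}: uidNumber {uid} is not in {low}-{high}")
            pgroup = attrs.get("primaryGroupName")
            gid = groups.get(pgroup, {}).get("gidNumber")
            if gid is None or not low <= gid <= high:
                problems.append(f"user {name}: primary group '{pgroup}' has no gidNumber in "
                                f"{low}-{high}; getent passwd will return nothing")
    return problems


if __name__ == "__main__":
    for problem in check_idmap(SAMPLE_SMB_CONF, SAMPLE_USERS, SAMPLE_GROUPS):
        print("PROBLEM:", problem)
```

Run against the constructed sample it reports the low range, the two 4.6-only parameters and the missing gidNumber on Domain Users; feed it `samba_version=(4, 6, 7)` and the parameter complaints disappear, which matches the outcome later in this thread. To use it on a real member, read `/etc/samba/smb.conf` into `conf` and fill `users`/`groups` from the uidNumber/gidNumber attributes of your directory.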

Re: ADS Domain Member - getent problem

Samba - General mailing list
Hi,
after additional tests, and following another (earlier) hint from Louis regarding his repository, I did a quick update (over the old version, quick and dirty) to Samba version 4.6.7-Debian - and voilà:
After rejoining this new member server to the domain H950 (it was a clone from the original one), this funny piece of software is showing all the users from the DC! :-)

Thank you Louis!
Franz

>>> Franz Gansberger 10.01.2018 18:43 >>>
Hello List,
I'm running a Samba AD DC on Debian 9, Samba version 4.5.12-Debian.
Right now I'm trying to add a domain member - also running Samba version 4.5.12-Debian.
Thanks to Louis and Rowland, this howto guided me a lot in the right direction: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

But right now I'm stuck. It seems that the configuration is ok - the AD members are successfully joined, I can ping the DC via "wbinfo --ping-dc", all the tests regarding name resolution are working, and of course I get the complete list of users and groups via wbinfo -u or wbinfo -g on the member servers.  :-)

The users are maintained via ADUC on the DC, and every user and group has its UID assigned.

Surprisingly only "getent group" generates the list of groups with the correct IDs on the domain members. I tried this on two different members.
"getent passwd demo1" (or "getent passwd H950\demo1") generates nothing.


This is the config file from the domain member - smb.conf

[global]
    security = ADS
    workgroup = H950
    realm = H950.SOME.DOMAIN
    log file = /var/log/samba/%m.log
    log level = 5

    #map untrusted to domain = Yes

    # Default idmap config for local BUILTIN accounts and groups
    idmap config * : backend = tdb
    idmap config * : range = 20000-20999

    idmap config H950:default = true
    idmap config H950:schema mode = rfc2307
    idmap config H950:backend = ad
    idmap config H950:range = 500-9999
    idmap config H950:unix_nss_info = yes
    idmap config H950:unix_primary_group = yes
    winbind nss info = rfc2307

    username map = /etc/samba/user.map
    acl allow execute always = True
    unix charset = UTF8

    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes



Is there anything I'm missing? Or mixing up? I'm sure ... ;-)

Thank you guys for your work!
Kind regards
Franz




Re: ADS Domain Member - getent problem

Samba - General mailing list
On Wed, 10 Jan 2018 20:58:25 +0100
Franz Gansberger via samba <[hidden email]> wrote:

> Hi,
> after additional tests, and following another (earlier) hint from
> Louis regarding his repository, I did a quick update (over the old
> version, quick and dirty) to Samba version 4.6.7-Debian - and voilà:
> After rejoining this new member server to the domain H950 (it was a
> clone from the original one), this funny piece of software is showing
> all the users from the DC! :-)
>
> Thank you Louis!
> Franz
>
> >>> Franz Gansberger 10.01.2018 18:43 >>>
> Hello List,
> I'm running a Samba AD DC on Debian 9, Samba version 4.5.12-Debian.
> Right now I'm trying to add a domain member - also running Samba
> version 4.5.12-Debian. Thanks to Louis and Rowland, this howto guided
> me a lot in the right direction:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> But right now I'm stuck. It seems that the configuration is ok -
> the AD members are successfully joined, I can ping the DC via "wbinfo
> --ping-dc", all the tests regarding name resolution are working, and
> of course I get the complete list of users and groups via wbinfo
> -u or wbinfo -g on the member servers.  :-)
>
> The users are maintained via ADUC on the DC, and every user and group
> has its UID assigned.
>
> Surprisingly only "getent group" generates the list of groups with
> the correct IDs on the domain members. I tried this on two different
> members. "getent passwd demo1" (or "getent passwd H950\demo1")
> generates nothing.
>
>
> This is the config file from the domain member - smb.conf
>
> [global]
>   security = ADS
>   workgroup = H950
>   realm = H950.SOME.DOMAIN
>   log file = /var/log/samba/%m.log
>   log level = 5
>
> #map untrusted to domain = Yes
>
>  # Default idmap config for local BUILTIN accounts and groups
> idmap config * : backend = tdb
>  idmap config * : range = 20000-20999
>
>   idmap config H950:default = true
>   idmap config H950:schema mode = rfc2307
>   idmap config H950:backend = ad
>   idmap config H950:range = 500-9999
>   idmap config H950:unix_nss_info = yes
>   idmap config H950:unix_primary_group = yes
>   winbind nss info = rfc2307
>
>   username map = /etc/samba/user.map
>   acl allow execute always = True
>   unix charset = UTF8
>
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
>
>
>
> Is there anything I'm missing? Or mixing up? I'm sure ... ;-)
>
> Thank you guys for your work!
> Kind regards
> Franz
>
>
>

Well, yes, that is the other way of doing things: make the software
version match the smb.conf ;-)

You still need these lines:

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

Rowland
