Samba 4.6.5-Debian, authentication on a mix workgroup+domain


Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Samba - General mailing list
Hello,

I encounter a particular configuration at a client.
Stations linked to the Samba domain are mixed with other workstations
configured as a Workgroup.

The Workgroup has the same name as the Samba domain.
Domain machines can access data from a domain member server.
There is no additional identification request since this step was
carried out when the session was opened.

Historically, this was also the case for machines operating in
Workgroup mode. The condition was obviously that the same connection
name had to be created on both the machine and the domain controller.
I am glad to think that passwords should not be changed often!

Since then, I have updated Samba to :
# Samba -V
Version 4.6.5-Debian

Therefore, when a Workstation tries to access the resources of a member
server on the domain, a prompt asks the user to identify themselves.

If the user only inputs his ID, this will not work. The user must prefix his
identifier with the name of the domain:
DOMAIN\login

The client asks me if it would be possible not to have to add the domain
name in this entry. I guess that's not the best way...
Why was this working before ?
Is there a configuration variable that would allow that?
Something like "username level = 2" can do.

An option that helps Samba to try and 'guess' at the real DOMAIN name.
I can read this on smb.conf man page :

"When performing local authentication, the username map is applied to
the login name before attempting to authenticate the connection.

When relying upon an external domain controller for validating
authentication requests, smbd will apply the username map to the fully
qualified username (i.e.  DOMAIN\user) only after the user has been
successfully authenticated."

Sorry, but I do not understand how this works, or how this
authentication works.

Regards,
--
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr
6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex
Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Samba - General mailing list
On Fri, 28 Jul 2017 00:38:15 +0200
Marc-Henri Pamiseux via samba <[hidden email]> wrote:

> Hello,
>
> I encounter a particular configuration at a client.
> Stations linked to the Samba domain are mixed with other workstations
> configured as a Workgroup.
>
> The Workgroup has the same name as the Samba domain.
> Domain machines can access data from a domain member server.
> There is no additional identification request since this step was
> carried out when the session was opened.
>
> Historically, this was also the case for machines operating in
> Workgroup mode. The condition was obviously that the same connection
> name had to be created on both the machine and the domain controller.
> I am glad to think that passwords should not be changed often!
>
> Since then, I have updated Samba to :
> # Samba -V
> Version 4.6.5-Debian
>
> Therefore, when a Workstation tries to access the resources of a
> member server on the domain, a prompt asks the user to identify
> themselves.
>
> If the user only inputs his ID, this will not work. The user must prefix
> his identifier with the name of the domain:
> DOMAIN\login
>
> The client asks me if it would be possible not to have to add the
> domain name in this entry. I guess that's not the best way...
> Why was this working before ?
> Is there a configuration variable that would allow that?
> Something like "username level = 2" can do.
>
> An option that helps Samba to try and 'guess' at the real DOMAIN name.
> I can read this on smb.conf man page :
>
> "When performing local authentication, the username map is applied to
> the login name before attempting to authenticate the connection.
>
> When relying upon an external domain controller for validating
> authentication requests, smbd will apply the username map to the fully
> qualified username (i.e.  DOMAIN\user) only after the user has been
> successfully authenticated."
>
> Sorry, but I do not understand how this works, or how this
> authentication works.
>
> Regards,

Hi, sorry but my crystal ball is away at the menders and my telepathy
is on the fritz, so could you please post your smb.conf ;-)

Rowland
 


Re: Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Samba - General mailing list
Hi Rowland,

Sorry, I did not post smb.conf again because nothing has really
changed since my post from 25/07/2017 14:52.
I have added "ntlm auth = yes" for testing.

# .................... START /etc/samba/smb.conf .......................
# Global parameters
[global]
        netbios name = RHEA
        workgroup = MYDOMAIN
        realm = LOCAL.MYDOMAIN
        security = ADS

        dedicated keytab file = /etc/krb5.keytab
        # use the secrets.tdb first, then the system keytab
        kerberos method = secrets and keytab

# OFF   password server = hera.local.mydomain
        username map = /etc/samba/user.map
        username level = 2
        ntlm auth = yes

        # Log level:
        # all,tdb,printdrivers,lanman,smb,rpc_parse,rpc_srv,rpc_cli,passdb,
        # sam,auth,winbind,vfs,idmap,quota,acls,locking,msdfs,dmapi,registry
        log level = 2 passdb:2 auth:2 vfs:1 acls:1 locking:1
        max log size = 5000
        log file = /var/log/samba/log.%m
        os level = 53

        load printers = no
        printing = cups
        cups options = raw
        printcap name = /dev/null

#............... Winbind-specific section ...............
        winbind cache time = 60
        winbind reconnect delay = 15
        winbind request timeout = 2
        winbind max clients = 2000
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes

        # Without it your kerberos tickets will expire and not be renewed
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        winbind separator = +
        # OFF winbind trusted domains only = no

        # See http://pig.made-it.com/uidgid.html
        idmap config * : backend = tdb
        idmap config * : range = 500-999
        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:range = 1000-3000300
        idmap config MYDOMAIN:unix_nss_info = yes
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:unix_primary_group = yes
#............... /Winbind-specific section ...............

        # Network discovery
        domain master = no
        local master = no
        preferred master = no
        wins support = no

        server signing = auto
        client signing = auto
        client use spnego = yes

        keepalive = 180
        dos charset = cp850
        kernel change notify = no
        notify:inotify = false
        # use sendfile = yes

# Global handling of share permissions
# These parameters are overridden, where needed, in the share definition
        map acl inherit = yes
        store dos attributes = yes
#       valid users = %U
        acl group control = yes
        inherit permissions = yes
        browseable = yes
        read only = yes
        create mask = 0660
        directory mask = 0770
        access based share enum = yes
        hide unreadable = yes
        hide unwriteable files = yes
        hide files = /.*/desktop.ini/ntuser.ini/NTUSER.*/

        # Lock handling
        locking = yes
        oplocks = yes
        strict locking = no
        veto oplock files = /*.doc/*.DOC/.docx/.DOCX/*.xls/*.XLS/*.xlsx/*.XLSX/*.pptx/*.PPTX/*.ppsx/*.PPSX/*.ppt/*.PPT/*.pps/.PPS/*.mdb/*.MDB/*.xml/*.XML/*.db/*.DB/*.PX/*.px/*.LCX/*.lcx/*.LCK/*.lck/*.XG0/*.xg0/*.YG0/*.yg0/*.NET/*.net/*.tmp/*.TMP

        # Virtual File System
        vfs objects = acl_xattr
#
[homes]
#    path = /home/MYDOMAIN/%U/
        comment = Repertoire Personnel
        read only = no
        browseable = no
        create mask = 0600
        directory mask = 0700

        # Locks
        oplocks = no
        level2 oplocks = no

        # recycle bin
        include = /etc/samba/inc_recycle.conf
        recycle:exclude = *.o|**obj|*.lo|*.la|*.al|.libs|*.so|*.so.*|*.a|*.pyc|*.pyo|__pycache__|*.rej|*~ #*# .#*|*.swp|.DS_Store|[Tt]humbs.db|*.sdf|*.ncb
        recycle:repository = /home/trash/%U/private
#
[Intranet]
        path = /home/web/local.mydomain/htdocs/
        comment = Intranet Haption
        read only = no

        # Locks
        oplocks = no
        level2 oplocks = no

        # recycle bin
        include = /etc/samba/inc_recycle.conf
        recycle:exclude = *.tmp
        recycle:repository = /home/trash/%U/intranet
#
[projets]
        path = /home/data/projets/
        comment = Gestion des projets
        read only = no

        # Locks
        oplocks = no
        level2 oplocks = no
#
[public]
        path = /home/data/public/
        comment = Public Stuff
        read only = no

        # Locks
        oplocks = no
        level2 oplocks = no
# .................... STOP /etc/samba/smb.conf ........................

# ................... START /etc/samba/user.map ........................
!root = MYDOMAIN\Administrator MYDOMAIN\administrator Administrator administrator
# .................... STOP /etc/samba/user.map ........................

Regards,

--
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr
6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex
Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97

Le 28/07/2017 à 10:46, Rowland Penny via samba a écrit :
>
> Hi, sorry but my crystal ball is away at the menders and my telepathy
> is on the fritz, so could you please post your smb.conf ;-)
>
> Rowland
>  
>


Re: Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Samba - General mailing list
On Mon, 31 Jul 2017 00:29:31 +0200
Marc-Henri Pamiseux via samba <[hidden email]> wrote:

> Hi Rowland,
>
> Sorry, I did not post smb.conf again because nothing has really
> changed since my post from 25/07/2017 14:52.
> I have added "ntlm auth = yes" for testing.

There are things in that smb.conf I would remove, but none that have
anything to do with your problem.

I think your problem is down to sheer stupidity, who thought it was a
good idea to have an AD domain and a workgroup with the
same NetBIOS domain name ?

Not that any of this will stop your problem, your workgroup users are
NOT in the AD NetBIOS domain (MYDOMAIN) and so they will be mapped into
the '*' domain and winbindd needs to know who they are, so they get
asked for the NetBIOS domain they are in, windows does this as well.

You could try adding 'map untrusted to domain', this may help, I am
unsure though, mainly because I have never been daft enough to use the
same NetBIOS domain twice on the same network.

Can I also point out that I (and probably everybody else) cannot remember
all the smb.conf files that get posted on here ;-)

Rowland


Re: Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Samba - General mailing list
Hello,

Thanks Rowland,

> You could try adding 'map untrusted to domain', this may help, I am
> unsure though, mainly because I have never been daft enough to use the
> same NetBIOS domain twice on the same network.

I'll try this as soon as possible.

It seems to me that there is also a problem of name resolution. What
makes me think this is the name of the log file: it has an IP
address instead of a machine name.

> I think your problem is down to sheer stupidity, who thought it was a
> good idea to have an AD domain and a workgroup with the
> same NetBIOS domain name ?

Well, it is the client. Just because at a certain time it lost users'
profiles on joining the domain. Instead of correcting the problem, it masked
it. But following my remarks, the sysadmin will move all computers into the
domain. He found a utility that turns the local profile into a domain
profile.

> Can I also point out that I (and probably everybody else) cannot remember
> all the smb.conf files that get posted on here ;-)

No, you can't. I mean, you must have to forget all the smb.conf files
that get posted on here :)

Thank you again :)
--
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr
6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex
Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97


Re: Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Samba - General mailing list
 
I suspect this part is creating the problems.
idmap config * : backend = tdb
idmap config * : range = 500-999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:range = 1000-3000300
idmap config MYDOMAIN:unix_nss_info = yes
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:unix_primary_group = yes

This link:
http://pig.made-it.com/uidgid.html
has wrong info for Debian.
 
 
debian local ( system )  1-999
local users : 1000+

So I suggest correcting the idmappings.
** Beware, you might need to correct rights.
 

Greetz,

Louis

 




 


Re: Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Samba - General mailing list
On Mon, 31 Jul 2017 10:37:29 +0200
L.P.H. van Belle <[hidden email]> wrote:

> I suspect a problem from this part.
>
>         idmap config * : backend = tdb
>         idmap config * : range = 500-999
>         idmap config MYDOMAIN:backend = ad
>         idmap config MYDOMAIN:range = 1000-3000300
>         idmap config MYDOMAIN:unix_nss_info = yes
>         idmap config MYDOMAIN:schema_mode = rfc2307
>         idmap config MYDOMAIN:unix_primary_group = yes
>
> This link :
>

ENOLINK ;-)

I wouldn't bother though, it is an old set up with legacy IDs and also
a good example why a new domain might be a better idea than doing a
classicupgrade.

Rowland


Re: Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Samba - General mailing list
Thank you Louis,

I know the current mapping is incorrect.
This is a transition map for the update.
What I foresee:
Idmap config *: range = 1000-1999
Idmap config *: range = 2000-3999

In Active Directory, groups will have an identifier between 2000 and
2999 while users will have an ID between 3000 and 3999.

However, what range should I assign to machines?

On the LDAP branch CN=Computers,DC=local,DC=mydomain, should I also add
a uidNumber entry whose value would be included in a uidmap of winbind?

Regards,
--
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr
6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex
Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97


Re: Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Samba - General mailing list
On Mon, 31 Jul 2017 11:07:53 +0200
Marc-Henri Pamiseux via samba <[hidden email]> wrote:

> Thank you Louis,
>
> I know the current mapping is incorrect.
> This is a transition map for the update.
> What I foresee:
> Idmap config *: range = 1000-1999
> Idmap config *: range = 2000-3999

That should be okay for the '*' domain and allow you to have local Unix
users.
>
> In Active Directory, groups will have an identifier between 2000 and
> 2999 while users will have an ID between 3000 and 3999.

No they don't, Active Directory uses RIDs and they typically start at
'1000'. Also there is no real differentiation between users, groups or
machines (as far as RIDs are concerned), the next 'thing' to be created
gets the next available RID and RIDs are never reused.
ADUC starts the Unix IDs for users and groups at '10000' i.e. you can
have a user and a group with the same ID, but you can use whatever
start number you like and different ones for users & groups, even if
there is no point ;-)
 
>
> However, what range should I assign to machines?

Don't bother

>
> On the LDAP branch CN=Computers,DC=local,DC=mydomain, should I also
> add an uidNumber entry whose value would be included in a uidmap of
> winbind?

Do you actually use IDs for machines ? Active Directory uses DNS.

Rowland




Re: Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Samba - General mailing list
Hi Louis,

Must the default idmap values precede the idmap values of the
MYDOMAIN domain? May I write something like:
Idmap config *: backend = tdb
Idmap config *: range = 65000-65535
Idmap config MYDOMAIN: backend = ad
Idmap config MYDOMAIN: range = 500-3999

I think there is a problem in using nobody for the guest account
directive while its user ID is 65534.

As Rowland mentioned on 2017-07-25:
"You now need to give your users a gidNumber containing the Unix ID
number of a group and the group would have to have a gidNumber attribute
containing the same number."

So, does it mean that user nobody, whose gidNumber is "nogroup:x:65534:",
needs to be included in this mapping? Should it be as default mapping or
as domain mapping?

Regards,
--
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr
6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex
Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97

Le 31/07/2017 à 10:42, L.P.H. van Belle via samba a écrit :
> idmap config * : backend = tdb
> idmap config * : range = 500-999
> idmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN:range = 1000-3000300


Re: Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Samba - General mailing list
Hi Rowland,

Precisely, I think I have a problem with the DNS resolution.
No, I don't use IDs for machines.
But that was used in Samba 3.x, so I wonder if it could be with Samba 4.6...
What I understand is that I don't care about machine identifiers.
What about the Unix ID value 65534 for the nobody account?

Regards,
--
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr
6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex
Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97

Le 31/07/2017 à 11:30, Rowland Penny via samba a écrit :
> Do you actually use IDs for machines ? Active Directory uses DNS.


Re: Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Samba - General mailing list
On Mon, 31 Jul 2017 11:38:23 +0200
Marc-Henri Pamiseux via samba <[hidden email]> wrote:

> Hi Louis,
>
> Must the default idmap values precede the idmap values of the
> MYDOMAIN domain? May I write something like:
> Idmap config *: backend = tdb
> Idmap config *: range = 65000-65535
> Idmap config MYDOMAIN: backend = ad
> Idmap config MYDOMAIN: range = 500-3999

You can do it like that, in fact quite a lot of people do, but what
happens when you have got to user ID 64999 and you want to add another
user? It is easy to raise the last number in the 'MYDOMAIN' range, but
the ranges must not overlap.

>
> I think there is a problem in using nobody for the guest account
> directive while its user ID is 65534.

Well spotted, somebody, somewhere made a bad decision when they gave
that ID to 'nobody'. You will just have to work around it.

>
> As Rowland mentioned on 2017-07-25:
> "You now need to give your users a gidNumber containing the Unix ID
> number of a group and the group would have to have a gidNumber
> attribute containing the same number."
>
> So, does it mean that user nobody, whose gidNumber is
> "nogroup:x:65534:", needs to be included in this mapping? Should it be
> as default mapping or as domain mapping?

No, 'nobody' is a Unix user and Samba maps the Windows user 'Guest' to
'nobody'

Rowland




Re: Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Samba - General mailing list
In addition.

You may write anything you want, but.

I would suggest the following, based on:
https://www.debian.org/doc/debian-policy/ch-opersys.html#s9.2.2

Your "MYDOMAIN" range is in a danger zone, and the * range is in a reserved range.

In my opinion, it's better to fix this now as best you can, which means re-applying the user/group rights.
This is why I use this layout on all my servers.
Idmap config *: backend = tdb
Idmap config *: range = 1999-9999
Idmap config MYDOMAIN: backend = ad
Idmap config MYDOMAIN: range = 10000-99999

All ranges are in a safe range (depending on the size of the AD / number of users/groups).
By default Samba AD starts at 10000, so I matched that too.

I know this is a pain in the .... But (lol, still funny)..  ;-)

The longer you wait, the more problems you will hit in the future.


And.. What Rowland did say..  ;-)

Greetz,

Louis

 

> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Rowland Penny via samba
> Sent: Monday 31 July 2017 12:04
> To: [hidden email]
> Subject: Re: [Samba] Samba 4.6.5-Debian, authentication on
> a mix workgroup+domain
>
> On Mon, 31 Jul 2017 11:38:23 +0200
> Marc-Henri Pamiseux via samba <[hidden email]> wrote:
>
> > Hi Louis,
> >
> > Must the default idmap values precede the idmap values of the
> > MYDOMAIN domain? May I write something like:
> > Idmap config *: backend = tdb
> > Idmap config *: range = 65000-65535
> > Idmap config MYDOMAIN: backend = ad
> > Idmap config MYDOMAIN: range = 500-3999
>
> You can do it like that, in fact quite a lot of people do,
> but what happens when you have got to user ID 64999 and you
> want to add another user? It is easy to raise the last number
> in the 'MYDOMAIN' range, but the ranges must not overlap.
>
> >
> > I think there is a problem in using nobody for the guest account
> > directive while its user ID is 65534.
>
> Well spotted, somebody, somewhere made a bad decision when
> they gave that ID to 'nobody'. You will just have to work around it.
>
> >
> > As Rowland mentioned on 2017-07-25:
> > "You now need to give your users a gidNumber containing the Unix ID
> > number of a group and the group would have to have a gidNumber
> > attribute containing the same number."
> >
> > So, does it mean that user nobody, whose gidNumber is
> > "nogroup:x:65534:", needs to be included in this mapping? Should it be
> > as default mapping or as domain mapping?
>
> No, 'nobody' is a Unix user and Samba maps the Windows user
> 'Guest' to 'nobody'
>
> Rowland



Re: Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Samba - General mailing list
Hi,

A simple solution, as an alternative, is to create a user account in
Active Directory, then assign it a Unix uidNumber in the range of
domain users, and then to configure in smb.conf the "map to guest"
directive with that login's name.
By doing this, we can forget the assignment to nobody's login.

Regards,
--
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr
6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex
Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97

Le 31/07/2017 à 12:04, Rowland Penny via samba a écrit :
> No, 'nobody' is a Unix user and Samba maps the Windows user 'Guest' to
> 'nobody'


Re: Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Samba - General mailing list
On Mon, 31 Jul 2017 12:40:40 +0200
Marc-Henri Pamiseux via samba <[hidden email]> wrote:

> Hi,
>
> A simple solution, as an alternative, is to create a user account in
> Active Directory, then assign it a Unix uidNumber in the range of
> domain users, and then to configure in smb.conf the "map to guest"
> directive with that login's name.
> By doing this, we can forget the assignment to nobody's login.
>
> Regards,

AH, something just went 'ping' ;-)

There was a recent Debian bug, the bug being that the 'passwd' and
'group' lines in /etc/nsswitch.conf had been set up as 'winbind compat',
I couldn't understand why anybody would want to do that, I think you
may have just given me a reason.

When (on a Unix machine) you ask for a user's ID, NSS is consulted and
this uses /etc/nsswitch.conf to find the user's ID. Normally the local
files are searched first and if you are searching for 'nobody' on Debian,
you get back '65534', winbind is not consulted. However if the order of
searching is switched around and winbind is used before the local
files, then you will get the user mapped by winbind to whoever you have
in smb.conf and the ID for this user returned.

This is what I think will happen, never tried it myself, but I will.

Rowland
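
The NSS lookup order Rowland describes, as an added example that is not part of the thread or of Samba: it parses the passwd line of an nsswitch.conf and resolves 'nobody' against constructed local and winbind tables, so you can see which source answers first under 'files winbind' versus 'winbind compat'. The AD account 'nobody' with uidNumber 10001 is a hypothetical value made up for the demonstration.

```python
"""Model how the source order on the 'passwd' line of /etc/nsswitch.conf
decides which UID a name resolves to (added example; not from the thread)."""
from typing import Dict, List, Optional


def nss_sources(nsswitch_conf: str, database: str = "passwd") -> List[str]:
    """Return the ordered NSS sources configured for one database."""
    for raw in nsswitch_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            # Drop action specifiers such as [NOTFOUND=return]; keep source names.
            return [tok for tok in rest.split() if not tok.startswith("[")]
    return []


def winbind_before_files(sources: List[str]) -> bool:
    """True when winbind is consulted before the local files/compat source."""
    if "winbind" not in sources:
        return False
    local = [i for i, s in enumerate(sources) if s in ("files", "compat")]
    return not local or sources.index("winbind") < local[0]


def resolve_uid(sources: List[str], name: str, local_passwd: Dict[str, int],
                winbind_passwd: Dict[str, int]) -> Optional[int]:
    """Walk the sources in order; the first source that knows the name wins."""
    for src in sources:
        if src in ("files", "compat") and name in local_passwd:
            return local_passwd[name]
        if src == "winbind" and name in winbind_passwd:
            return winbind_passwd[name]
    return None


# Constructed tables: Debian's local 'nobody' (65534) and a hypothetical AD
# account that winbind exposes under the same name with a domain-range uidNumber.
LOCAL_PASSWD = {"root": 0, "nobody": 65534}
WINBIND_PASSWD = {"nobody": 10001, "alice": 10002}

# Constructed nsswitch.conf fragments: the usual order and the order from the bug.
DEBIAN_DEFAULT = "passwd: files winbind\ngroup:  files winbind\n"
WINBIND_FIRST = "passwd: winbind compat  # order Rowland mentions\ngroup:  winbind compat\n"

if __name__ == "__main__":
    for label, conf in (("files winbind", DEBIAN_DEFAULT), ("winbind compat", WINBIND_FIRST)):
        order = nss_sources(conf)
        uid = resolve_uid(order, "nobody", LOCAL_PASSWD, WINBIND_PASSWD)
        print(f"{label}: nobody -> {uid}", "(winbind first)" if winbind_before_files(order) else "(files first)")
```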


Re: Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Samba - General mailing list
Ouhh !

It's a misunderstanding, a copy/paste error.
It should read:
Idmap config *: range = 1000-1999
Idmap config MYDOMAIN : range = 2000-3999

Regards,
--
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr
6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex
Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97

Le 31/07/2017 à 11:07, Marc-Henri Pamiseux via samba a écrit :
> What I foresee:
> Idmap config *: range = 1000-1999
> Idmap config *: range = 2000-3999
>
> In Active Directory, groups will have an identifier between 2000 and
> 2999 while users will have an ID between 3000 and 3999.


Re: Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Samba - General mailing list
On Mon, 31 Jul 2017 16:11:54 +0200
Marc-Henri Pamiseux via samba <[hidden email]> wrote:

> Ouhh !
>
> It's a misunderstanding, a copy/paste error.
> It should read:
> Idmap config *: range = 1000-1999
> Idmap config MYDOMAIN : range = 2000-3999
>
> Regards,

OK, I will try and explain it better ;-)

On a Unix machine joined to an Active Directory domain, you need 4 (yes
four) sets of users and groups

1) Unix system users & groups
2) Local Unix users & groups
3) The '*' domain Active Directory system users & groups
4) The 'DOMAIN' domain Active Directory users & groups

Set 1) these are numbered from 1-499 (with the exception of 65534) and
will be found in /etc/passwd & /etc/group

Set 2) These start from ID 1000 and are found in /etc/passwd
& /etc/group. A user or group found in either /etc/passwd
or /etc/group, cannot exist in Active Directory with the same name.

Set 3) These users & groups (Also known as the Well Known SIDs) are
mapped by winbind into the 'BUILTIN' domain.

Set 4) These users & groups are your Active Domain ones that you
also want to be Unix users & groups.

This leads to what ranges you should use in smb.conf:

You should never use any range that starts below 500, it will interfere
with the Unix system users & groups.

You should never use any range that starts at 1000, using this number
will mean that you will not be able to have ANY local Unix users or
groups, and then what will you do if there is a problem and AD is down and
'root' is corrupt (or your system uses sudo). I know it isn't likely to
happen, but it could.

Do not use anything in the range '500-999', these numbers could be used
by Unix.

Should you put the '*' domain after the 'DOMAIN', well no, not in my
opinion, by doing this, you are putting hurdles in your way if your
users & groups grow to the point that you need to raise the high
'DOMAIN' range and cannot because it would be higher than the '*'
domain low range.

So this leads us to what the Samba wiki recommends:
Use '3000-7999' for the '*' range
Use '10000-999999' for the 'DOMAIN' range

Rowland
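
The range rules Rowland lays out, turned into a small audit, as an added example that is not code from the thread or from Samba: it parses the 'idmap config ... : range' lines of an smb.conf fragment and reports each violation (start below 500, use of 500-999, start at exactly 1000, overlapping ranges, a domain range placed below the '*' range). The three fragments are the layouts discussed in this thread, retyped here as constructed input.

```python
"""Audit idmap ranges in smb.conf against the rules given in the thread
(added example, not part of the thread or of Samba)."""
import re
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# Matches "idmap config <domain> : range = <low>-<high>", tolerating the
# spacing and capitalisation variants that appear in the thread.
IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(smb_conf: str) -> Dict[str, Range]:
    """Return {domain: (low, high)} for every idmap range line in smb_conf."""
    ranges: Dict[str, Range] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def check_idmap_ranges(ranges: Dict[str, Range]) -> List[str]:
    """Return a list of problems; an empty list means the layout is sane."""
    problems: List[str] = []
    for dom, (lo, hi) in ranges.items():
        if lo > hi:
            problems.append(f"{dom}: low end {lo} is above high end {hi}")
        if lo < 500:
            problems.append(f"{dom}: starts below 500 (Unix system users and groups)")
        elif lo <= 999:
            problems.append(f"{dom}: uses IDs in 500-999, which Unix may need")
        if lo == 1000:
            problems.append(f"{dom}: starts at 1000, leaving no room for local Unix users")
    # Pairwise overlap check: ranges must never share an ID.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"{a} and {b}: ranges overlap")
    # The '*' range should sit below the domain ranges so they can grow.
    star = ranges.get("*")
    if star is not None:
        for dom, (lo, _hi) in ranges.items():
            if dom != "*" and lo < star[0]:
                problems.append(f"{dom}: sits below the '*' range, so it cannot grow upward")
    return problems


# Constructed fragments reproducing the layouts discussed in the thread.
ORIGINAL_POSTED = """\
idmap config * : backend = tdb
idmap config * : range = 500-999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:range = 1000-3000300
"""
PROPOSED_65000 = """\
Idmap config *: backend = tdb
Idmap config *: range = 65000-65535
Idmap config MYDOMAIN: backend = ad
Idmap config MYDOMAIN: range = 500-3999
"""
WIKI_RECOMMENDED = """\
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 10000-999999
"""

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_POSTED), ("65000 proposal", PROPOSED_65000),
                        ("wiki", WIKI_RECOMMENDED)):
        found = check_idmap_ranges(parse_idmap_ranges(conf))
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```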
