
Samba AD domain member with SSSD: ACL not work


Samba AD domain member with SSSD: ACL not work

Samba - General mailing list
On a CentOS 7 minimal fresh install with Samba 4.4.4 I have followed this
howto:

http://www.hexblot.com/blog/centos-7-active-directory-and-samba

and I have joined an Active Directory server and can log in to it with a
domain user without problem.

My problem occurs when I try from Windows to modify some new rights
(ACLs) on a new folder on a Samba share.

The folder is created correctly, but if I add some groups or set up ACLs
I get this error in the log and the new ACLs are not saved:

> feb 14 12:07:42 samba-dati.srl.local smbd[1178]: [2017/02/14 12:07:42.149812,  0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
> feb 14 12:07:42 samba-dati.srl.local smbd[1178]:   create_canon_ace_lists: unable to map SID S-1-5-21-347198863-3916504048-2821235790-1213 to uid or gid.

This is my testparm -s (smb.conf):

> Server role: ROLE_DOMAIN_MEMBER
>  
> [global]
>         realm = SRL.LOCAL
>         workgroup = SRL
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         load printers = No
>         printcap name = /dev/null
>         client signing = if_required
>         security = ADS
>         idmap config srl:range = 200000-399999
>         idmap config srl:backend = nss
>         idmap config *:range = 70001-80000
>         idmap config * : backend = tdb
>         cups options = raw
>         hosts allow = 127. 192.168.1.
>
> [dati]  
>         comment = Cartella Dati x tutti
>         path = /u/samba/dati
>         create mask = 0664
>         directory mask = 0775

This is my sssd.conf

> #
> [sssd]  
> domains = srl.local
> config_file_version = 2
> services = nss, pam 
>
> [domain/srl.local]
> ad_domain = srl.local
> krb5_realm = SRL.LOCAL
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> # use_fully_qualified_names = True
> use_fully_qualified_names = False
> fallback_homedir = /home/%u@%d
> # fallback_homedir = /home/%u
> access_provider = ad
>

I have tried some modifications to smb.conf without success, and now the
ACLs still do not work.

Any help will be appreciated.

Many Thanks
 
--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba AD domain member with SSSD: ACL not work

Samba - General mailing list
On Tue, 14 Feb 2017 16:57:24 +0100
Dario Lesca via samba <[hidden email]> wrote:

> On a Centos 7 minimal fresh install and samba 4.4.4 I have follow this
> howto:
>
> http://www.hexblot.com/blog/centos-7-active-directory-and-samba
>
> and I have Joining to an Active Directory server and login to it with
> domain user without problem.
>
> My problem occur when I try from windows to modify some new rights
> (ACL's) to new folder on samba share.

Have you modified /etc/nsswitch.conf ?

If you haven't, then you are not using winbind, you are using sssd. In
which case you should remove the 'idmap config' lines from smb.conf.

You should also try asking on the sssd users mailing list for help,
because if you are not using winbind for authentication, this is
probably where your problem lies.

If you want use winbind instead of sssd, you will need to turn sssd off.

Rowland


Re: Samba AD domain member with SSSD: ACL not work

Samba - General mailing list
On Tue, 14/02/2017 at 16.13 +0000, Rowland Penny via samba wrote:
> Have you modified /etc/nsswitch.conf ?
No:
> passwd:     files sss
> shadow:     files sss
> group:      files sss

By default nsswitch.conf is configured to use sssd.

> If you haven't, then you are not using winbind, you are using sssd.
Yes. I use sssd, if this is not a problem for samba.

> In which case you should remove the 'idmap config' lines from
> smb.conf.

Ok, now I have removed these 4 lines, restarted smb and tested: ACLs still
do not work.

> feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:   *****
> feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:   
> feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:   Samba name server SAMBA-DATI is now a local master browser for workgroup SRL on subnet 192.168.1.5
> feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:   
> feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:   *****
> feb 14 17:45:44 samba-dati.srl.local smbd[3369]: [2017/02/14 17:45:44.973268,  0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
> feb 14 17:45:44 samba-dati.srl.local smbd[3369]:   create_canon_ace_lists: unable to map SID S-1-5-21-347198863-3916504048-2821235790-1213 to uid or gid.

The error still exists.

> You should also try asking on the sssd users mailing list for help,
> because if you are not using winbind for authentication, this is
> probably where your problem lies.

Ok, but my question now is: is it possible to use samba in conjunction
with sssd?

Or is this kind of configuration not allowed, or not fully tested or
supported by the samba team?

> If you want use winbind instead of sssd, you will need to turn sssd
> off.

Ok, this is another possible solution, if I am not able to
configure samba + sssd.


Many Thanks


--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)


Re: Samba AD domain member with SSSD: ACL not work

Samba - General mailing list
On Tue, 14 Feb 2017 18:07:33 +0100
Dario Lesca via samba <[hidden email]> wrote:

>
> The error still exist
>
> > You should also try asking on the sssd users mailing list for help,
> > because if you are not using winbind for authentication, this is
> > probably where your problem lies.
>
> Ok, but my question now is: it's possible to use samba in conjunction
> to sssd?

Yes

>
> or this kind of configuration is not allowed or not fully tested or
> supported by samba team?

It is allowed (after all, it is your computer), but it is not tested or
supported by Samba; sssd is not part of Samba.

>
> > If you want use winbind instead of sssd, you will need to turn sssd
> > off.
>
> Ok, this way it's another possible solution, if I am not able to
> configure samba + sssd

Yes, but as sssd isn't part of Samba, we don't know how to do it.

We do know how to set up winbind, see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland



Re: Samba AD domain member with SSSD: ACL not work

Samba - General mailing list
Have you seen :

( centos/redhat )
https://outsideit.net/realmd-sssd-ad-authentication/ 

( debian/ubuntu )
http://www.alandmoore.com/blog/2015/05/06/joining-debian-8-to-active-directory/

but I must say, I haven't tested/tried these, I don't use sssd.
But I think these are useful for you to read at least.

If you use the Debian variant, you may also need to install
one or more of these: libnss-sss libpam-sss libsss-idmap0 libsss-sudo

But as Rowland is saying, you get better support on the sssd list.


Greetz,

Louis



Re: Samba AD domain member with SSSD: ACL not work

Samba - General mailing list
On Wed, 15/02/2017 at 08.42 +0100, L.P.H. van Belle via samba wrote:
> Have you seen : 
>
> ( centos/redhat )
> https://outsideit.net/realmd-sssd-ad-authentication/ 
>
> ( debian/ubuntu ) 
> http://www.alandmoore.com/blog/2015/05/06/joining-debian-8-to-active-
> directory/

Thank you Louis, thank you Rowland.

Yes, I have read this howto, and many others.
None show how to set up ACLs correctly with SSSD.
Nobody talks about ACLs + SSSD.

So I came to the conclusion that samba + sssd + ACLs are not working
yet.

> but i must say, i havent tested/tried these, i dont use sssd.
> But i think these are usefull for you to read at least.
>
> If you use the debian variant, you may need to install also :
> One or more of these : libnss-sss libpam-sss libsss-idmap0 libsss-
> sudo
>
> But same as Rowland is saying, you get better support at the sssd
> list. 
>

.... or use winbind, as I have always done with samba3

Then yesterday in 5 minutes I installed, configured and activated
winbind and now everything works fine.

IMHO: it would probably be useful to write in some howto that "samba AD
Member based on sssd has some problems with ACLs (does not work yet)", so
that other users like me do not waste time (2 days) attempting to make
them work.

Many thanks to all

Dario


--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)


Re: Samba AD domain member with SSSD: ACL not work

Samba - General mailing list
On Wed, 15 Feb 2017 09:45:59 +0100
Dario Lesca via samba <[hidden email]> wrote:

>
> Then Yesterday in 5 minutes I installed, configured and activated
> winbind and now all work fine.
>
> IMHO: probably it would be useful write in some howto that "samba AD
> Member based on sssd have some problem with ACLs (not work yet)", so
> that others users like me do not waste time (2 days) attempt to make
> them work.
>

In a way we do, by not mentioning sssd on the Samba wiki ;-)
What is shown on the wiki is known to work.

At least your problems have shown that winbind works.

Rowland
 


Re: Samba AD domain member with SSSD: ACL not work

Samba - General mailing list
On Wed, 15/02/2017 at 09.45 +0100, Dario Lesca via samba wrote:
> Then Yesterday in 5 minutes I installed, configured and activated
> winbind and now all work fine.

Ok, ACLs now work, but now another problem has appeared.

I can only access my samba+winbind server from the Windows Server AD DC
and from itself (smbclient -Uadministrator -L server-dati).

If I try to access it from a Windows PC in the domain (\\server-dati)
it does not let me in and asks for a user and password.

If I try to access it via smbclient from Samba on another Linux PC (e.g.
my notebook) not in the domain, I can access it only if I specify
domain+user like this:

> smbclient -Usrl\\administrator%pwd //server-dati/dati

If I do not specify the domain but only the user, I cannot access it and
it shows this error:

> smbclient -Uadministrator%pwd //server-dati/dati -d3
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> Processing section "[global]"
> added interface lo ip=::1 bcast=
> netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> added interface lo ip=127.0.0.1 bcast=127.255.255.255
> netmask=255.0.0.0
> added interface enp10s0 ip=192.168.1.195 bcast=192.168.1.255
> netmask=255.255.255.0
> Client started (version 4.5.5).
> resolve_lmhosts: Attempting lmhosts lookup for name server-dati<0x20>
> resolve_wins: WINS server resolution selected and no WINS servers
> listed.
> resolve_hosts: Attempting host lookup for name server-dati<0x20>
> Connecting to 192.168.1.5 at port 445
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178@please_ignore
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
> SPNEGO login failed: Logon failure
> session setup failed: NT_STATUS_LOGON_FAILURE

This is my smb.conf [global] section:

> # Global parameters
> [global]
>         realm = SRL.LOCAL
>         workgroup = SRL
>         domain master = No
>         local master = No
>         preferred master = No
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         load printers = No
>         printcap name = /dev/null
>         client signing = if_required
>         password server = tx150s8.srl.local
>         security = ADS
>         template homedir = /u/samba/home/%U
>         template shell = /sbin/nologin
>         winbind use default domain = Yes
>         idmap config srl:schema_mode = rfc2307
>         idmap config srl:range = 100000-199999
>         idmap config srl:backend = tdb
>         idmap config * : range = 10000-99999
>         idmap config * : backend = tdb
>         store dos attributes = Yes
>         cups options = raw
>         acl allow execute always = Yes
>         map acl inherit = Yes
>         hosts allow = 127. 192.168.1.
>         vfs objects = acl_xattr
>
This is my krb5.conf:

> # Configuration snippets may be placed in this directory as well
> #includedir /etc/krb5.conf.d/
>
> #includedir /var/lib/sss/pubconf/krb5.include.d/
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  dns_lookup_realm = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>  rdns = false
>  default_ccache_name = KEYRING:persistent:%{uid}
>
>  default_realm = SRL.LOCAL
>  # dns_lookup_kdc = false
> [realms]
>  SRL.LOCAL = {
>  # kdc = tx150s8.srl.local
>  # admin_server = tx150s8.srl.local
>  }
>
> [domain_realm]
>  srl.local = SRL.LOCAL
>  .srl.local = SRL.LOCAL
>

Any suggestion is appreciated.

Many thanks

--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)


Re: Samba AD domain member with SSSD: ACL not work

Samba - General mailing list
On Wed, 15 Feb 2017 12:35:51 +0100
Dario Lesca via samba <[hidden email]> wrote:

> Il giorno mer, 15/02/2017 alle 09.45 +0100, Dario Lesca via samba ha
> scritto:
> > Then Yesterday in 5 minutes I installed, configured and activated
> > winbind and now all work fine.
>
> Ok, ACLs now work, but I now it's appeared another problem.

Make your smb.conf look like this:

[global]
        realm = SRL.LOCAL
        workgroup = SRL
        security = ADS
        domain master = No
        local master = No
        preferred master = No
        log file = /var/log/samba/log.%m
        max log size = 50
        load printers = No
        printcap name = /dev/null
        client signing = if_required
        template homedir = /u/samba/home/%U
        template shell = /sbin/nologin
        winbind use default domain = Yes
        idmap config SRL:schema_mode = rfc2307
        idmap config SRL:range = 100000-199999
        idmap config SRL:backend = rid
        idmap config * : range = 10000-99999
        idmap config * : backend = tdb
        store dos attributes = Yes
        cups options = raw
        acl allow execute always = Yes
        map acl inherit = Yes
        hosts allow = 127. 192.168.1.
        vfs objects = acl_xattr

Make your /etc/krb5.conf look like this:

[libdefaults]
  default_realm = SRL.LOCAL
  dns_lookup_realm = false
  dns_lookup_kdc = true

Rowland

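The error in the first post ("unable to map SID ... to uid or gid") and the `idmap config ... backend = rid` lines in Rowland's smb.conf above are two sides of the same mechanism: smbd resolves the SIDs in an incoming Windows ACL through winbind's idmap layer, which is driven by the `idmap config` lines, and sssd is not part of that path. The script below is an added example, not code from the thread or from the Samba project. It parses the quoted smbd log lines for unmapped SIDs, reads the `idmap config` lines from an smb.conf fragment, and, for the rid backend, computes the uid/gid winbind would assign using the documented idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID; it also checks that no two configured idmap ranges overlap, which is a misconfiguration winbind rejects. The sample log lines and config fragments are copied from the thread; the assumption that the SID S-1-5-21-347198863-3916504048-2821235790-1213 belongs to the SRL domain is mine, as is the constructed overlapping config used to exercise the check.

```python
import re

# Constructed sample: the two smbd lines quoted in the thread (journald prefix kept).
SAMPLE_LOG = """\
feb 14 17:45:44 samba-dati.srl.local smbd[3369]: [2017/02/14 17:45:44.973268,  0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
feb 14 17:45:44 samba-dati.srl.local smbd[3369]:   create_canon_ace_lists: unable to map SID S-1-5-21-347198863-3916504048-2821235790-1213 to uid or gid.
"""

# idmap lines from the first post (sssd-era config, nss backend, no winbind running).
ORIGINAL_CONF = """\
        idmap config srl:range = 200000-399999
        idmap config srl:backend = nss
        idmap config *:range = 70001-80000
        idmap config * : backend = tdb
"""

# idmap lines from Rowland's proposed smb.conf (rid backend for the domain).
FIXED_CONF = """\
        idmap config SRL:schema_mode = rfc2307
        idmap config SRL:range = 100000-199999
        idmap config SRL:backend = rid
        idmap config * : range = 10000-99999
        idmap config * : backend = tdb
"""

# Constructed misconfiguration: the domain range overlaps the default '*' range.
OVERLAP_CONF = """\
        idmap config SRL:backend = rid
        idmap config SRL:range = 10000-199999
        idmap config * : backend = tdb
        idmap config * : range = 10000-99999
"""

# Domain SID prefix S-1-5-21-<a>-<b>-<c>, then the RID; group 1 = full SID, group 2 = RID.
UNMAPPED_SID_RE = re.compile(r"unable to map SID (S-1-5-21(?:-\d+){3}-(\d+)) to uid or gid")
IDMAP_LINE_RE = re.compile(r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def unmapped_sids(log_text):
    """Return [(sid, rid), ...] for every 'unable to map SID' line in the log."""
    return [(m.group(1), int(m.group(2))) for m in UNMAPPED_SID_RE.finditer(log_text)]


def parse_idmap_config(smb_conf):
    """Return {DOMAIN: {option: value}} from 'idmap config DOM:opt = value' lines.
    Samba matches the domain name case-insensitively and tolerates spaces around ':'."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_LINE_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(text):
    lo, hi = text.split("-")
    return int(lo), int(hi)


def rid_to_id(rid, low_range, base_rid=0):
    """idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID (base_rid defaults to 0)."""
    return rid - base_rid + low_range


def check_mapping(log_text, smb_conf, domain):
    """For each unmapped SID, report the backend configured for `domain` and, for the rid
    backend, the uid/gid it would produce and whether that id lies inside the range.
    Assumption (not stated in the thread): the logged SID belongs to `domain`."""
    dom_cfg = parse_idmap_config(smb_conf).get(domain.upper(), {})
    backend = dom_cfg.get("backend", "<none>")
    results = []
    for sid, rid in unmapped_sids(log_text):
        entry = {"sid": sid, "rid": rid, "backend": backend, "id": None, "in_range": False}
        if backend == "rid" and "range" in dom_cfg:
            lo, hi = parse_range(dom_cfg["range"])
            xid = rid_to_id(rid, lo, int(dom_cfg.get("base_rid", 0)))
            entry.update({"id": xid, "in_range": lo <= xid <= hi})
        results.append(entry)
    return results


def ranges_overlap(smb_conf):
    """Return the pairs of idmap domains whose ranges overlap (must be empty)."""
    rngs = {d: parse_range(o["range"]) for d, o in parse_idmap_config(smb_conf).items() if "range" in o}
    names = sorted(rngs)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = rngs[a], rngs[b]
            if alo <= bhi and blo <= ahi:
                clashes.append((a, b))
    return clashes


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("proposed", FIXED_CONF)):
        for r in check_mapping(SAMPLE_LOG, conf, "SRL"):
            print(f"{label}: {r['sid']} backend={r['backend']} id={r['id']} in_range={r['in_range']}")
        print(f"{label}: overlapping ranges = {ranges_overlap(conf)}")
    print(f"constructed overlap: {ranges_overlap(OVERLAP_CONF)}")
```

With the proposed config the RID 1213 lands on uid/gid 101213, inside the 100000-199999 domain range, which is what lets smbd store the ACE; with the original config no deterministic mapping exists for the logged SID, matching the error that persisted even after the idmap lines were removed. One caveat on the proposed fragment: `schema_mode` is an idmap_ad option and has no effect on the rid backend, so it can be dropped there without changing behaviour.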

Re: Samba AD domain member with SSSD: ACL not work

Samba - General mailing list
On Wed, 15/02/2017 at 11.54 +0000, Rowland Penny via samba wrote:
> Make your .... look like this:

Now my smb.conf and krb5.conf are as you proposed.

I rebooted and now everything seems to work fine; I can connect to my
server from a Windows PC.

From my Linux machine instead I must use the domain, but this is not a problem.

Many thanks

--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
