winbind rfc2307 not being obeyed

winbind rfc2307 not being obeyed

Samba - General mailing list
OS:fedora-26
SAMBA:4.6.8
[root@squints ~]# cat /etc/samba/smb.conf
[global]
   security = ads
   realm = MIND.UNM.EDU
   workgroup = MIND
   idmap config * : backend = tdb
   idmap config * : range = 2000-7999
   idmap config MIND:backend = ad
   idmap config MIND:schema_mode = rfc2307
   idmap config MIND:range = 8000-9999999
   winbind nss info = rfc2307
   winbind use default domain = yes
   # so that the users show up in getent
   winbind enum users = yes
   # so that the groups show up in getent
   winbind enum groups = yes
   restrict anonymous = 2
   #added the following 2 for the Badlock updates that change the defaults
   #to no longer work with my domain controllers
   ldap server require strong auth = no
   client ldap sasl wrapping = plain

[root@squints ~]# getent passwd jsadowski
jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false

however from an ubuntu machine with the same smb.conf it looks like so
OS:ubuntu-16.04
SAMBA:4.3.11
root@daddles:~# getent passwd jsadowski
jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash

which is how AD shows it as well.

Did something change in newer versions of samba that I need to add
more config options?

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: winbind rfc2307 not being obeyed

Samba - General mailing list
On Mon, 30 Oct 2017 09:49:24 -0600
Jeff Sadowski via samba <[hidden email]> wrote:

> OS:fedora-26
> SAMBA:4.6.8
> [root@squints ~]# cat /etc/samba/smb.conf
> [global]
>    security = ads
>    realm = MIND.UNM.EDU
>    workgroup = MIND
>    idmap config * : backend = tdb
>    idmap config * : range = 2000-7999
>    idmap config MIND:backend = ad
>    idmap config MIND:schema_mode = rfc2307
>    idmap config MIND:range = 8000-9999999
>    winbind nss info = rfc2307
>    winbind use default domain = yes
>    # so that the users show up in getent
>    winbind enum users = yes
>    # so that the groups show up in getent
>    winbind enum groups = yes
>    restrict anonymous = 2
>    #added the following 2 for the Badlock updates that change the defaults
>    #to no longer work with my domain controllers
>    ldap server require strong auth = no
>    client ldap sasl wrapping = plain
>
> [root@squints ~]# getent passwd jsadowski
> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>
> however from an ubuntu machine with the same smb.conf it looks like so
> OS:ubuntu-16.04
> SAMBA:4.3.11
> root@daddles:~# getent passwd jsadowski
> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>
> which is how AD shows it as well.
>
> Did something change in newer versions of samba that I need to add
> more config options?
>

Yes, there have been changes and no, you don't have to use them and
they wouldn't cause your problem.

Your smb.conf shows you are using the 'ad' backend and you say you are
using the same smb.conf on both machines.

So, why are there these different:

jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash

Which RFC2307 attributes have you added to AD ?
The above user seems to have the same uidNumber, but Domain Users
seems to have two different gidNumbers (8513 and 8000), the
unixHomeDirectory also has two identities, as does loginShell

Rowland

Re: winbind rfc2307 not being obeyed

Samba - General mailing list
I found what I needed to do
DOMAIN=MIND.UNM.EDU
SHORT=MIND
authconfig --enablekrb5 --krb5kdc=${DOMAIN} \
  --krb5adminserver=${DOMAIN} --krb5realm=${DOMAIN} --enablewinbind \
  --enablewinbindauth --smbsecurity=ads --smbrealm=${DOMAIN} \
  --smbservers=${DOMAIN} --smbworkgroup=${SHORT} \
  --winbindtemplatehomedir=/na/homes/%U --winbindtemplateshell=/bin/bash \
  --enablemkhomedir --enablewinbindusedefaultdomain --update

this worked

On Mon, Oct 30, 2017 at 10:11 AM, Rowland Penny via samba
<[hidden email]> wrote:

> Yes, there have been changes and no, you don't have to use them and
> they wouldn't cause your problem.
>
> Your smb.conf shows you are using the 'ad' backend and you say you are
> using the same smb.conf on both machines.
>
> So, why are there these different:
>
> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>
> Which RFC2307 attributes have you added to AD ?
> The above user seems to have the same uidNumber, but Domain Users
> seems to have two different gidNumbers (8513 and 8000), the
> unixHomeDirectory also has two identities, as does loginShell
>
> Rowland

Re: winbind rfc2307 not being obeyed

Samba - General mailing list
fedora's authconfig must edit a bunch of files

On Mon, Oct 30, 2017 at 10:53 AM, Jeff Sadowski <[hidden email]> wrote:

> I found what I needed to do
> DOMAIN=MIND.UNM.EDU
> SHORT=MIND
> authconfig --enablekrb5 --krb5kdc=${DOMAIN} \
>   --krb5adminserver=${DOMAIN} --krb5realm=${DOMAIN} --enablewinbind \
>   --enablewinbindauth --smbsecurity=ads --smbrealm=${DOMAIN} \
>   --smbservers=${DOMAIN} --smbworkgroup=${SHORT} \
>   --winbindtemplatehomedir=/na/homes/%U --winbindtemplateshell=/bin/bash \
>   --enablemkhomedir --enablewinbindusedefaultdomain --update
>
> this worked

Re: winbind rfc2307 not being obeyed

Samba - General mailing list
My smb.conf file now looks like so
[global]
#--authconfig--start-line--

# Generated by authconfig on 2017/10/30 10:47:34
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = MIND
   password server = MIND.UNM.EDU
   realm = MIND.UNM.EDU
   security = ads
   idmap config * : range = 2000-7999
   template homedir = /na/homes/%U
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = true
   winbind offline logon = false

#--authconfig--end-line--
;   security = ads
;   realm = MIND.UNM.EDU
;   workgroup = MIND
   idmap config * : backend = tdb
   idmap config * : range = 2000-7999
   idmap config MIND:backend = ad
   idmap config MIND:schema_mode = rfc2307
   idmap config MIND:range = 8000-9999999
   winbind nss info = rfc2307
;   winbind use default domain = yes
   # so that the users show up in getent
   winbind enum users = yes
   # so that the groups show up in getent
   winbind enum groups = yes
   restrict anonymous = 2
   #added the following 2 for the Badlock updates that change the defaults
   #to no longer work with my domain controllers
   ldap server require strong auth = no
   client ldap sasl wrapping = plain
;   template homedir=/na/homes/%U
;   template shell=/bin/bash

On Mon, Oct 30, 2017 at 10:53 AM, Jeff Sadowski <[hidden email]> wrote:

> fedora's authconfig must edit a bunch of files

Re: winbind rfc2307 not being obeyed

Samba - General mailing list
nope that just brute forced homedir and shell. It'll work for what I
want this machine for but I'd like to get the homedir and shell from
AD

On Mon, Oct 30, 2017 at 10:54 AM, Jeff Sadowski <[hidden email]> wrote:

> My smb.conf file now looks like so
> [global]
> #--authconfig--start-line--
>
> # Generated by authconfig on 2017/10/30 10:47:34
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
>
>    workgroup = MIND
>    password server = MIND.UNM.EDU
>    realm = MIND.UNM.EDU
>    security = ads
>    idmap config * : range = 2000-7999
>    template homedir = /na/homes/%U
>    template shell = /bin/bash
>    kerberos method = secrets only
>    winbind use default domain = true
>    winbind offline logon = false
>
> #--authconfig--end-line--
> ;   security = ads
> ;   realm = MIND.UNM.EDU
> ;   workgroup = MIND
>    idmap config * : backend = tdb
>    idmap config * : range = 2000-7999
>    idmap config MIND:backend = ad
>    idmap config MIND:schema_mode = rfc2307
>    idmap config MIND:range = 8000-9999999
>    winbind nss info = rfc2307
> ;   winbind use default domain = yes
>    # so that the users show up in getent
>    winbind enum users = yes
>    # so that the groups show up in getent
>    winbind enum groups = yes
>    restrict anonymous = 2
>    #added the following 2 for the Badlock updates that change the defaults
>    #to no longer work with my domain controllers
>    ldap server require strong auth = no
>    client ldap sasl wrapping = plain
> ;   template homedir=/na/homes/%U
> ;   template shell=/bin/bash

Re: winbind rfc2307 not being obeyed

Samba - General mailing list
On Mon, 30 Oct 2017 10:58:01 -0600
Jeff Sadowski <[hidden email]> wrote:

> nope that just brute forced homedir and shell. It'll work for what I
> want this machine for but I'd like to get the homedir and shell from
> AD
>

The only real thing running authconfig did to the smb.conf was to add:

   password server = MIND.UNM.EDU

You shouldn't need this, so I think your dns is up the spout ;-)

If you have populated the users uidNumber, loginShell and
unixHomeDirectory attributes the winbind 'ad' backend should use them,
provided that Domain Users has a gidNumber attribute and all numbers
used are inside the DOMAIN range set in smb.conf

Can you post your /etc/hosts, /etc/resolv.conf and /etc/krb5.conf files

Rowland

Re: winbind rfc2307 not being obeyed

Samba - General mailing list
No, fedora is acting strange. it isn't getting the loginShell and
unixHomeDirectory attributes even if I take out the templates. also it
sets a bunch of other files up and I'm not sure what all it is doing.

On Mon, Oct 30, 2017 at 11:24 AM, Rowland Penny via samba
<[hidden email]> wrote:

> The only real thing running authconfig did to the smb.conf was to add:
>
>    password server = MIND.UNM.EDU
>
> You shouldn't need this, so I think your dns is up the spout ;-)
>
> If you have populated the users uidNumber, loginShell and
> unixHomeDirectory attributes the winbind 'ad' backend should use them,
> provided that Domain Users has a gidNumber attribute and all numbers
> used are inside the DOMAIN range set in smb.conf
>
> Can you post your /etc/hosts, /etc/resolv.conf and /etc/krb5.conf files
>
> Rowland

Re: winbind rfc2307 not being obeyed

Samba - General mailing list
On Mon, 30 Oct 2017 12:22:54 -0600
Jeff Sadowski <[hidden email]> wrote:

> No, fedora is acting strange. it isn't getting the loginShell and
> unixHomeDirectory attributes even if I take out the templates. also it
> sets a bunch of other files up and I'm not sure what all it is doing.
>

Forget it is Fedora, do not use their tools and set up the individual
files and most importantly, remove sssd

Rowland

Re: winbind rfc2307 not being obeyed

Samba - General mailing list
for this machine it was unimportant. I will just use local accounts to
login it is only one user
I did remove sssd and went back to my original smb.conf but it still shows

[root@squints ~]# getent passwd jsadowski
jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false

I restarted winbind.

On Mon, Oct 30, 2017 at 12:30 PM, Rowland Penny via samba
<[hidden email]> wrote:

> Forget it is Fedora, do not use their tools and set up the individual
> files and most importantly, remove sssd
>
> Rowland

Re: winbind rfc2307 not being obeyed

Samba - General mailing list
maybe it'll work when f27 comes out in a few days I'll wait for it.


On Mon, Oct 30, 2017 at 3:05 PM, Jeff Sadowski <[hidden email]> wrote:

> for this machine it was unimportant. I will just use local accounts to
> login it is only one user
> I did remove sssd and went back to my original smb.conf but it still shows
>
> [root@squints ~]# getent passwd jsadowski
> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>
> I restarted winbind.

Re: winbind rfc2307 not being obeyed

Samba - General mailing list
In centos I had to do the following

centos

  GNU nano 2.0.9
File: /etc/pam.d/system-auth-ac

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

  GNU nano 2.0.9
File: /etc/pam.d/password-auth-ac

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

On Mon, Oct 30, 2017 at 3:06 PM, Jeff Sadowski <[hidden email]> wrote:

> maybe it'll work when f27 comes out in a few days I'll wait for it.

Re: winbind rfc2307 not being obeyed

Samba - General mailing list
On Mon, 30 Oct 2017 15:06:32 -0600
Jeff Sadowski <[hidden email]> wrote:

> maybe it'll work when f27 comes out in a few days I'll wait for it.
>

It worked for me on f25, there cannot have been that many changes.

Rowland

Re: winbind rfc2307 not being obeyed

Samba - General mailing list
Hello Jeff,

After upgrading from Samba 4.4.x to Samba 4.6.x I encountered the same
problem (also on Fedora). I had to add the following lines to the smb.conf file
(replaced my domain name with yours):
        # required by samba >=4.6
        idmap config MIND:unix_primary_group = yes
        idmap config MIND:unix_nss_info = yes

and comment out both lines (use the pound sign #; a semicolon didn't work for me
for some reason):
#   template homedir = /home/%D/%U
#   template shell = /bin/bash

Not relevant to your issue, but for samba 4.6 and newer I also had to add the
following line:
   kerberos encryption types = all

Hope it will help.
Regards,
Matt


On Mon, Oct 30, 2017 at 5:25 PM, Rowland Penny via samba <
[hidden email]> wrote:

> On Mon, 30 Oct 2017 15:06:32 -0600
> Jeff Sadowski <[hidden email]> wrote:
>
> > maybe it'll work when f27 comes out in a few days I'll wait for it.
> >
>
> It worked for me on f25, there cannot have been that many changes.
>
> Rowland
>

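The behaviour reported in Matt's reply above, as an added example (not part of any post in this thread and not Samba project code): a Python check that reads the [global] section of an smb.conf, reports the two idmap_ad options he names when they are missing on Samba 4.6 or later, lists the two LDAP settings the original poster relaxed after the Badlock updates, and tests whether a getent passwd line is only the expanded template values. The smb.conf (abridged) and getent lines are taken from the first post; the function names are invented for this example, and /home/%D/%U and /bin/false are Samba's default "template homedir" and "template shell".

```python
import re

# Samba's built-in fallbacks, used when no home directory or shell is taken from AD.
TEMPLATE_DEFAULTS = {"template homedir": "/home/%D/%U", "template shell": "/bin/false"}

# smb.conf (abridged) and getent output as posted at the top of the thread.
THREAD_SMB_CONF = """\
[global]
   security = ads
   realm = MIND.UNM.EDU
   workgroup = MIND
   idmap config * : backend = tdb
   idmap config * : range = 2000-7999
   idmap config MIND:backend = ad
   idmap config MIND:schema_mode = rfc2307
   idmap config MIND:range = 8000-9999999
   winbind nss info = rfc2307
   winbind use default domain = yes
   restrict anonymous = 2
   ldap server require strong auth = no
   client ldap sasl wrapping = plain
"""
FEDORA_LINE = "jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false"  # Samba 4.6.8
UBUNTU_LINE = "jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash"    # Samba 4.3.11


def norm_key(key):
    """Parameter names ignore case and spacing: 'idmap config * : range' -> 'idmap config *:range'."""
    return re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))


def parse_global(text):
    """Return the active (uncommented) [global] parameters as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm_key(key)] = value.strip()
    return params


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1", "on")


def ad_domains(params):
    """Domains (lower-cased) whose idmap backend is 'ad'."""
    found = []
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+):backend", key)
        if m and value.lower() == "ad":
            found.append(m.group(1))
    return found


def lint(params, samba_version):
    """Return findings for a parsed [global] section and a version tuple such as (4, 6, 8)."""
    findings = []
    if samba_version >= (4, 6):
        # From 4.6 on, idmap_ad reads shell/home/primary group from AD only if asked to.
        for dom in ad_domains(params):
            for opt in ("unix_nss_info", "unix_primary_group"):
                if not is_yes(params.get(f"idmap config {dom}:{opt}", "no")):
                    findings.append(f"idmap: {dom.upper()}:{opt} not enabled")
    # Settings moved away from their post-Badlock defaults ('sign' and 'yes').
    wrapping = params.get("client ldap sasl wrapping", "sign")
    if wrapping.lower() == "plain":
        findings.append(f"ldap: client ldap sasl wrapping = {wrapping}")
    strong = params.get("ldap server require strong auth", "yes")
    if not is_yes(strong):
        findings.append(f"ldap: ldap server require strong auth = {strong}")
    return findings


def template_fallback(passwd_line, params):
    """Fields of a getent passwd line that equal the expanded template, i.e. likely not from AD."""
    user, _pw, _uid, _gid, _gecos, home, shell = passwd_line.strip().split(":")

    def expand(name):
        template = params.get(name, TEMPLATE_DEFAULTS[name])
        return template.replace("%D", params.get("workgroup", "")).replace("%U", user)

    hits = []
    if home == expand("template homedir"):
        hits.append("home")
    if shell == expand("template shell"):
        hits.append("shell")
    return hits


def ids_in_range(passwd_line, params, domain):
    """True when both uid and gid lie inside 'idmap config DOMAIN:range'."""
    low, high = (int(n) for n in params[f"idmap config {domain.lower()}:range"].split("-"))
    uid, gid = (int(n) for n in passwd_line.split(":")[2:4])
    return low <= uid <= high and low <= gid <= high


if __name__ == "__main__":
    conf = parse_global(THREAD_SMB_CONF)
    for finding in lint(conf, (4, 6, 8)):
        print(finding)
    print("Fedora fields from template:", template_fallback(FEDORA_LINE, conf))
    print("Ubuntu fields from template:", template_fallback(UBUNTU_LINE, conf))
```
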
Re: winbind rfc2307 not being obeyed

Samba - General mailing list
On Mon, 30 Oct 2017 21:25:06 +0000
Rowland Penny via samba <[hidden email]> wrote:

> On Mon, 30 Oct 2017 15:06:32 -0600
> Jeff Sadowski <[hidden email]> wrote:
>
> > maybe it'll work when f27 comes out in a few days I'll wait for it.
> >
>
> It worked for me on f25, there cannot have been that many changes.
>
> Rowland
>

It also works on F26 ;-)

Rowland


Re: winbind rfc2307 not being obeyed

Samba - General mailing list
On 30/10/2017 16:49, Jeff Sadowski via samba wrote:

> [root@squints ~]# getent passwd jsadowski
> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>
> however from an ubuntu machine with the same smb.conf it looks like so
> OS:ubuntu-16.04
> SAMBA:4.3.11
> root@daddles:~# getent passwd jsadowski
> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>
> which is how AD shows it as well.


I have the same issue on debian stretch (package 4.6.8), one time per
month max. I was thinking more on a network issue with the DCs (Windows
domain, not a samba one).

Emmanuel

Re: winbind rfc2307 not being obeyed

Samba - General mailing list
On Tue, 31 Oct 2017 11:04:17 +0100
Blindauer Emmanuel via samba <[hidden email]> wrote:

> On 30/10/2017 16:49, Jeff Sadowski via samba wrote:
> > [root@squints ~]# getent passwd jsadowski
> > jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
> >
> > however from an ubuntu machine with the same smb.conf it looks like so
> > OS:ubuntu-16.04
> > SAMBA:4.3.11
> > root@daddles:~# getent passwd jsadowski
> > jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
> >
> > which is how AD shows it as well.
>
>
> I have the same issue on debian stretch (package 4.6.8), one time per
> month max. I was thinking more on a network issue with the DCs
> (Windows domain, not a samba one).
>
> Emmanuel
>

Provided that smb.conf is set up correctly and there are the required
RFC2307 attributes in AD, you should get the same IDs everywhere and
they should be consistent.

Rowland
