
[Samba] Samba AD: gidNumber?


Viktor Trojanovic
Oct 26, 2015, 5:50:05 PM

I joined a Samba AD member server (file server) to a Samba AD DC. This
seems to have worked. However, if I try to access the file server from
the domain administrator account on a Windows client, I am asked to
provide authorization details. Since I have no other privileged users, I
am using the domain admin credentials but they're not accepted.

I'm not sure exactly where to look but I think the problem could be
connected to the following: On my member server, the getent command does
not yield any results. As per the recommendations on the "Samba Member
Server Troubleshooting" page, I checked on the DC if the group Domain
Users has a gidNumber. Well, it doesn't. Neither do my users have
uidNumbers though this, allegedly, is not such an issue.

To solve it, all it says is to "add a gidNumber to Domain Users".

How do I do that?

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny
Oct 26, 2015, 6:10:05 PM

On 26/10/15 21:38, Viktor Trojanovic wrote:
> I joined a Samba AD member server (file server) to a Samba AD DC. This
> seems to have worked. However, if I try to access the file server from
> the domain administrator account on a Windows client, I am asked to
> provide authorization details. Since I have no other privileged users,
> I am using the domain admin credentials but they're not accepted.
>
> I'm not sure exactly where to look but I think the problem could be
> connected to the following: On my member server, the getent command
> does not yield any results. As per the recommendations on the "Samba
> Member Server Troubleshooting" page, I checked on the DC if the group
> Domain Users has a gidNumber. Well, it doesn't. Neither do my users
> have uidNumbers though this, allegedly, is not such an issue.

Yes, it is: there is no point in adding a gidNumber to Domain Users if
you are not going to give your users a uidNumber.

As far as how to add uidNumbers and gidNumbers, well, firstly, do you
need to? If your users are never going to actually log into the member
server and this is your only Unix machine, you could use the winbind
'rid' backend; this will create the ID numbers on the fly.
If you have more than one member server, or Unix clients, or want your
users to log into the member server, you will probably be better off
using the winbind 'ad' backend. To do this you will need to give your
users a unique uidNumber and Domain Users (at least) a gidNumber. You
can do this by using the ADUC UNIX Attributes tab, by writing your own
script using an ldif, or by using something like the LDAP Account
Manager (LAM).

Rowland

Viktor Trojanovic
Oct 26, 2015, 6:40:04 PM

Thanks again for helping, Rowland.

As I mentioned before, both the DC and the member server are Unix
running Samba 4.3. The purpose of the member server is to act as file
server, nothing more.

The clients are all windows machines and users, they will never log in
to one of the unix systems directly. If they are able to access shares
on the file server without having to log in, then I guess this 'rid'
backend seems to be what I need. Correct? Can you give me some pointers
on how to do that, or direct me to the documentation?

Though one has to wonder: There is a wiki how to implement a Samba AD,
and how to add a Samba Member Server. I followed the instructions step
by step, for both, and now it turns out that the instructions for the
member server are not made to fit the configuration of the DC? That's a
bit discouraging.

Viktor

Rowland Penny
Oct 27, 2015, 4:10:04 AM

The main problem is that idmap.ldb on the DC will allocate an xidNumber
to a user in the '3000000' range; this xidNumber is used for the user's
uidNumber. If you use the DC as a fileserver and a user stores something
on the DC and you were to examine the permissions, you will find that it
doesn't belong to a user but to a number. This gets worse: if you have two
DCs, you can and probably will get different numbers on each DC. Now
this is not a problem until you do something like copy the file from one
DC to the other; the file could then belong to another user. This can
also happen with a member server.

If you use a member server and do not want your users to log into it,
you can use the winbind 'rid' backend; this will allocate UID numbers to
your users using an algorithm based on the user's RID. This also has the
effect of creating the same UID on every member server.

If you need to use the DC as a fileserver, then I would advise the use
of the winbind 'ad' backend. Using this, your users will get the same
UID everywhere, as the user's UID is stored in AD using the uidNumber
attribute.

To add uidNumber & gidNumber attributes to AD is fairly simple, you can
do it using ADUC, or by writing your own script around an ldif.

To use the winbind 'rid' backend, see here:
https://wiki.samba.org/index.php/Idmap_config_rid

Rowland
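
To make the range arithmetic in the post above concrete, here is a small Python model. It is an added illustration for this thread, not code from Samba or from the poster. It reproduces the formula the 'rid' backend uses (ID = RID - base_rid + low, as documented for idmap_rid), the lookup the 'ad' backend performs, and what happens when an ID falls outside the configured range; that last case is also behind the later remarks in the thread that getent shows nothing for Administrator on the member server and that no user resolves while Domain Users has no usable gidNumber. The SIDs, account names and the 10000-99999 range are constructed lab values.

```python
"""Model of how winbind turns AD identities into Unix IDs on a member server.

Added illustration written for this thread, not Samba's own code: the 'rid'
backend derives the ID from the SID's RID, the 'ad' backend reads
uidNumber/gidNumber from AD, and in both cases an ID outside the configured
range is treated as unmapped.
"""
import re

# Constructed lab values: the member server's range from the wiki, 10000-99999.
RANGE_LOW, RANGE_HIGH = 10000, 99999

_DOMAIN_SID = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def rid_of(sid):
    """Return the RID (last sub-authority) of a domain SID such as
    S-1-5-21-1234567890-123456789-1234567890-500 (RID 500 = Administrator)."""
    m = _DOMAIN_SID.match(sid)
    if m is None:
        raise ValueError("not a domain SID: %s" % sid)
    return int(m.group(1))


def idmap_rid(sid, low=RANGE_LOW, high=RANGE_HIGH, base_rid=0):
    """'rid' backend: ID = RID - base_rid + low.

    Nothing is stored anywhere, so every member server configured with the
    same range computes the same ID for the same account. None means the
    result fell outside [low, high] and winbind would leave the SID unmapped.
    """
    xid = rid_of(sid) - base_rid + low
    return xid if low <= xid <= high else None


def idmap_ad(id_number, low=RANGE_LOW, high=RANGE_HIGH):
    """'ad' backend: the ID is the uidNumber/gidNumber stored in AD (None when
    the attribute is absent), and again only if it lies inside the range.
    An account with no in-range number, Administrator in the thread's lab,
    is simply invisible to getent on the member server."""
    if id_number is None:
        return None
    return id_number if low <= id_number <= high else None


def visible_users_ad(users, domain_users_gid, low=RANGE_LOW, high=RANGE_HIGH):
    """Model of the caveat for the 'ad' backend: Domain Users is the default
    primary group, so when its gidNumber is missing or out of range no user
    resolves at all; otherwise each user needs an in-range uidNumber of its own.

    users: {sAMAccountName: uidNumber or None}. Returns the names getent
    would be able to list."""
    if idmap_ad(domain_users_gid, low, high) is None:
        return []
    return [name for name, uid in users.items()
            if idmap_ad(uid, low, high) is not None]


if __name__ == "__main__":
    # Constructed SIDs for a lab domain; only the RID matters to the arithmetic.
    dom = "S-1-5-21-1234567890-123456789-1234567890"
    for who, rid in (("Administrator", 500), ("Domain Users", 513), ("fred", 1104)):
        print("%-14s rid backend -> %s" % (who, idmap_rid("%s-%d" % (dom, rid))))
    lab = {"administrator": None, "fred": 10001, "ann": 10002}
    print("ad backend, Domain Users gid 10000:", visible_users_ad(lab, 10000))
    print("ad backend, Domain Users without gidNumber:", visible_users_ad(lab, None))
```

Note what the two backends share: the range in smb.conf is a filter, not a hint. With 'rid' a domain with more than 89999 RIDs would silently lose the high ones; with 'ad' a typo in one uidNumber makes that one account vanish, and a missing gidNumber on Domain Users makes them all vanish.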

Viktor Trojanovic
Oct 27, 2015, 5:40:05 AM

Thanks a lot for this very valuable information, this all became a lot
clearer now.

I am currently just doing a lab setup with a very small AD (5 users, 1
OU, just the standard groups), so I want to try both variations,
starting with the ad (rfc2307) backend, and I already have some questions.

I'm using Win10 RSAT, so I don't have the "Unix Attributes" tab but I
can still modify the attributes manually in the "Attributes" tab. I
understand how to change the attributes but I'm not clear on which
values to use.

The wiki says that "by default, ADUC starts assigning UIDs and GIDs at
10000". I haven't changed those defaults anywhere so this is what must
apply for my AD. But I don't understand how ADUC "assigns" anything. It
seems that I have to manually choose which values to enter, and I'm not
being restricted. So, I'm worried I will break something if I make a
mistake here.

For example, I gave the admin account a UID of 10000 and my Domain Users
group a GID of 10000. Was that the right thing to do? And where do I go
from here? Because I'm further confused by the sentence in the wiki
"Every time a UID/GID is assigned using ADUC, the next UID/GID is stored
inside the AD". So, this sounds as though there has to be a strict rule
about which number comes next.

By the way, is there a way that the server could just handle these
assignments automatically for me? Or is this the ldif script I would
have to write myself you were mentioning?

Rowland Penny
Oct 27, 2015, 6:30:04 AM

I don't have access to RSAT on a win10 machine, so wasn't really aware
that the UNIX Attributes tab had disappeared, but this isn't really a
problem, you will just have to resort to another tool such as LAM.

When ADUC adds the uidNumber to a user, it first tries to obtain the
next number from an attribute in AD; this attribute is
'msSFU30MaxUidNumber' (groups use 'msSFU30MaxGidNumber') and is not
created as standard on a Samba4 AD DC. This attribute usually starts at
10000 and is the number that will be used for the next uidNumber; once
it is used, it is replaced with the number just used plus one, i.e. if
the uidNumber just created was '10000' it would be replaced with
'10001'. The same system is used for groups.

Now that we know where the uidNumber comes from, what other attributes
does ADUC add?

uid
msSFU30Name
msSFU30NisDomain
uidNumber
gidNumber
loginShell
unixHomeDirectory

It also adds unixUserPassword and this is always set to
'ABCD!efgh12345$67890'

So what is the easiest way to add these?

The user is 'Fred Bloggs' with the samaccountname of 'fred', the
workgroup is 'SAMDOM', the realm is 'SAMDOM.EXAMPLE.COM', you want the
user to have the uidNumber of '10001' and be a member of Domain Users
which has the gidNumber '10000', he will have the login shell of
'/bin/bash' and will have an home directory stored at '/home/fred'.

Create an ldif /tmp/user with this info:

dn: CN=Fred Bloggs,CN=Users,DC=samdom,DC=example,DC=com
changetype: modify
add: uid
uid: fred
-
add: msSFU30Name
msSFU30Name: fred
-
add: msSFU30NisDomain
msSFU30NisDomain: samdom
-
add: uidNumber
uidNumber: 10001
-
add: gidNumber
gidNumber: 10000
-
add: loginShell
loginShell: /bin/bash
-
add: unixHomeDirectory
unixHomeDirectory: /home/fred
-
add: unixUserPassword
unixUserPassword: ABCD!efgh12345$67890

Now use ldbmodify to alter the user object in AD:

ldbmodify --url=/usr/local/samba/private/sam.ldb /tmp/user

If you do this on the DC as 'root', it should update the user's object in AD.

Note that '--url=' may need to be changed if you are using a distro package.
You will also need to keep track of uidNumbers and gidNumbers yourself.

Rowland
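
The ldif above covers one user. The Python below is an added example for this thread, not Rowland's script and not samba-tool: it generates the same record for any number of users, refuses a uidNumber outside the 10000-99999 range, and detects duplicates before anything is imported, which stands in for the msSFU30MaxUidNumber bookkeeping a Windows DC would do for ADUC. The base DN, the NIS domain 'samdom', the user names and the already-used IDs are constructed; on a real DC collect the existing uidNumbers first, for instance with ldbsearch on sam.ldb. The dummy unixUserPassword value is written only on request, since winbind does not read it.

```python
"""Build the LDIF that gives users (or a group) RFC2307 attributes for the
winbind 'ad' backend, and hand out uidNumbers without collisions.

Added example for this thread, not the poster's script and not Samba tooling.
Assumes the lab values from the thread: Domain Users has gidNumber 10000 and
the member server's idmap range is 10000-99999.
"""

RANGE_LOW, RANGE_HIGH = 10000, 99999
DOMAIN_USERS_GID = 10000
BASE_DN = "CN=Users,DC=samdom,DC=example,DC=com"  # constructed lab domain
# The fixed placeholder ADUC writes into unixUserPassword; winbind never reads it.
ADUC_DUMMY_PASSWORD = "ABCD!efgh12345$67890"


def next_free_uid(used, low=RANGE_LOW, high=RANGE_HIGH):
    """Lowest uidNumber in [low, high] not already in 'used'. This replaces the
    msSFU30MaxUidNumber counter that a Windows DC keeps for ADUC."""
    taken = set(used)
    for candidate in range(low, high + 1):
        if candidate not in taken:
            return candidate
    raise RuntimeError("idmap range %d-%d is exhausted" % (low, high))


def duplicates(assignments):
    """{uidNumber: [names]} for every ID handed to more than one account.
    ADUC's generic Attributes tab accepts duplicates silently, so check here."""
    by_uid = {}
    for name, uid in assignments.items():
        by_uid.setdefault(uid, []).append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def _modify_ldif(dn, attrs):
    """One 'changetype: modify' record; a '-' line separates the add operations."""
    lines = ["dn: %s" % dn, "changetype: modify"]
    for i, (attr, value) in enumerate(attrs):
        if i:
            lines.append("-")
        lines += ["add: %s" % attr, "%s: %s" % (attr, value)]
    return "\n".join(lines) + "\n"


def user_ldif(cn, sam, uid_number, base_dn=BASE_DN, nis_domain="samdom",
              gid_number=DOMAIN_USERS_GID, login_shell=None, unix_home=None,
              aduc_compatible=False):
    """LDIF for one user. loginShell/unixHomeDirectory only matter if the user
    will log into a Unix box; aduc_compatible=True also adds the dummy
    unixUserPassword exactly as ADUC would."""
    if not RANGE_LOW <= uid_number <= RANGE_HIGH:
        raise ValueError("uidNumber %d is outside the idmap range %d-%d"
                         % (uid_number, RANGE_LOW, RANGE_HIGH))
    attrs = [("uid", sam), ("msSFU30Name", sam), ("msSFU30NisDomain", nis_domain),
             ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number))]
    if login_shell:
        attrs.append(("loginShell", login_shell))
    if unix_home:
        attrs.append(("unixHomeDirectory", unix_home))
    if aduc_compatible:
        attrs.append(("unixUserPassword", ADUC_DUMMY_PASSWORD))
    return _modify_ldif("CN=%s,%s" % (cn, base_dn), attrs)


def group_ldif(cn, gid_number, base_dn=BASE_DN):
    """LDIF for a group; the winbind 'ad' backend needs only gidNumber."""
    if not RANGE_LOW <= gid_number <= RANGE_HIGH:
        raise ValueError("gidNumber %d is outside the idmap range" % gid_number)
    return _modify_ldif("CN=%s,%s" % (cn, base_dn), [("gidNumber", str(gid_number))])


if __name__ == "__main__":
    # Constructed: numbers already handed out in AD, then the lab's users.
    # Keeping uid and gid numbers disjoint (Domain Users = 10000, users from
    # 10001) follows the convention in the post above, not a winbind rule.
    used = [DOMAIN_USERS_GID]
    users = {"Fred Bloggs": "fred", "Ann Other": "ann"}
    plan = {}
    for cn, sam in users.items():
        plan[sam] = next_free_uid(used)
        used.append(plan[sam])
    assert not duplicates(plan)
    print(group_ldif("Domain Users", DOMAIN_USERS_GID))
    for cn, sam in users.items():
        print(user_ldif(cn, sam, plan[sam], login_shell="/bin/bash",
                        unix_home="/home/%s" % sam))
```

Feed the printed records to ldbmodify on the DC exactly as in the post above (an ldif file may hold several records separated by a blank line). The script only knows about IDs you pass in, so the list of already-used numbers must come from AD on every run; that is the price of not having msSFU30MaxUidNumber on a Samba DC.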

Viktor Trojanovic
Oct 27, 2015, 7:30:03 AM

Before doing anything, let me clarify a few points because I don't
understand it all.

1. While the "Unix Attributes" tab is gone on windows, there is a new
"Attributes" tab that gives me access to just about any attribute. I
take it, I can use this then and don't have to resort to third party
software, such as LAM?
I took two screenshots of the new ADUC for you to get a feel. General
view: http://imgur.com/WPjJJPM. Changing the uidNumber:
http://imgur.com/JKMOeO3 (the content of the field is neither proposed
nor checked).

2. I'm not sure I understand your second statement. You say that when I
assign a UID for an account in the ADUC, the ADUC is doing something
actively (looking up the next number), at the same time you're saying
that Samba DCs don't create the attributes where this information would
be stored. I'm confused. Am I supposed to create those attributes
('msSFU30MaxUidNumber' and 'msSFU30MaxGidNumber')? All I can confirm is
that, at the current stage, ADUC is not checking my entries. I was able
to give the same UID to two different accounts without any error or
warning messages.

3. Since my users will only log in to their windows stations, is it
really necessary to define a shell and a home directory? Are there any
benefits of doing that, or drawbacks of omitting?

Thank you so much for bearing with me.

4. I think I understand the ldif template. If I were to import it
manually, I would just increase the UID by one each time after having
used it. The GID you selected would be the GID I have assigned to "Domain
Users", so I would leave it. Correct? And since there are only two
attributes that need to be changed to add a GID to a group, an ldif
template would be overkill.

4b) What about the Admin account? Do I treat it as any other account
(with regards to assigning a UID) or is there something special I have
to consider?

Rowland Penny
Oct 27, 2015, 7:50:04 AM

See inline comments:
Yes, you can use the 'Attributes' tab, but I have never done it this
way, so cannot give any help doing it this way. Can you change several
attributes at once or do you have to change them one by one?

>
> 2. I'm not sure I understand your second statement. You say that when
> I assign a UID for an account in the ADUC, the ADUC is doing something
> actively (looking up the next number), at the same time you're saying
> that Samba DCs don't create the attributes where this information
> would be stored. I'm confused. Am I supposed to create those
> attributes ('msSFU30MaxUidNumber' and 'msSFU30MaxGidNumber')? All I can
> confirm is that, at the current stage, ADUC is not checking my
> entries. I was able to give the same UID to two different accounts
> without any error or warning messages.

The two attributes in question are available in Samba4 AD, they just
aren't created as standard. Even if you did create them, without the
'UNIX Attribute' tab, I am unsure whether it would help with storing and
creating Unix attributes from windows. I just pointed out how ADUC
before win10 worked.

>
> 3. Since my users will only log in to their windows stations, is it
> really necessary to define a shell and a home directory? Are there any
> benefits of doing that, or drawbacks of omitting?

If they are never going to login to the DC or member server, then they
do not need to have these two attributes, again they are what ADUC adds
as standard.

>
> Thank you so much for bearing with me.
>
> 4. I think I understand the ldif template. If I were to import it
> manually, I would just increase the UID by one each time after having
> used it. The GID you selected would be the GID I have assigned to "Domain
> Users", so I would leave it. Correct? And since there are only two
> attributes that need to be changed to add a GID to a group, an ldif
> template would be overkill.

In order: good, yes, yes (but for a windows user only, you do not need
it), probably yes, unless you were to script this on the DC.

>
> 4b) What about the Admin account? Do I treat it as any other account
> (with regards to assigning a UID) or is there something special I have
> to consider?

We are talking about Administrator here, aren't we? Well, in which case he
is a bit special (though others say otherwise). On the DC, Administrator is
given the UID of '0', which is also the UID of the 'root' user, so
Administrator is automatically mapped to 'root', but any files &
directories created by Administrator show as belonging to 'root' on the DC.
On a 'member server', you need to do this mapping yourself; add this
line to smb.conf:

username map = /etc/samba/samba_usermapping

then create the map file:

nano /etc/samba/samba_usermapping

!root = SAMDOM\Administrator SAMDOM\administrator

Restart samba and you should be good to go.

Rowland

Viktor Trojanovic
Oct 27, 2015, 8:50:03 AM

If you look at the first picture, I can choose any attribute from the
list, set/change it (as in picture 2), then go and change other
attributes before confirming all changes with OK and thus closing the
user properties. Though I'm really not sure at what point in time the AD
is actually updated with the changed information.

>>
>> 2. I'm not sure I understand your second statement. You say that when
>> I assign a UID for an account in the ADUC, the ADUC is doing
>> something actively (looking up the next number), at the same time
>> you're saying that Samba DCs don't create the attributes where this
>> information would be stored. I'm confused. Am I supposed to create
>> those attributes ('msSFU30MaxUidNumber' and 'msSFU30MaxGidNumber')?
>> All I can confirm is that, at the current stage, ADUC is not checking
>> my entries. I was able to give the same UID to two different accounts
>> without any error or warning messages.
>
> The two attributes in question are available in Samba4 AD, they just
> aren't created as standard. Even if you did create them, without the
> 'UNIX Attribute' tab, I am unsure whether it would help with storing
> and creating Unix attributes from windows. I just pointed out how ADUC
> before win10 worked.
>
Since I don't know how ADUC worked before, I wonder: When you used the
Unix Attributes tab, the UID would be prepopulated for you based on
these attributes? So there was no need for you to track UID/GID yourself?

> [...]
>>
>> 4b) What about the Admin account? Do I treat it as any other account
>> (with regards to assigning a UID) or is there something special I
>> have to consider?
>
> We are talking about Administrator here, aren't we? Well, in which case he
> is a bit special (though others say otherwise). On the DC, Administrator
> is given the UID of '0', which is also the UID of the 'root' user, so
> Administrator is automatically mapped to 'root', but any files &
> directories created by Administrator show as belonging to 'root' on
> the DC.
> On a 'member server', you need to do this mapping yourself; add this
> line to smb.conf:
>
> username map = /etc/samba/samba_usermapping
>
> then create the map file:
>
> nano /etc/samba/samba_usermapping
>
> !root = SAMDOM\Administrator SAMDOM\administrator
>
> Restart samba and you should be good to go.
>
> Rowland
>

Yes, I meant the administrator. I did your suggested change on my member
server and restarted it. 'getent passwd administrator' is still not
returning anything, though. Or is that the wrong way to check if it worked?

Rowland Penny
Oct 27, 2015, 9:00:04 AM

Probably when you press OK.

>
>>>
>>> 2. I'm not sure I understand your second statement. You say that
>>> when I assign a UID for an account in the ADUC, the ADUC is doing
>>> something actively (looking up the next number), at the same time
>>> you're saying that Samba DCs don't create the attributes where this
>>> information would be stored. I'm confused. Am I supposed to create
>>> those attributes ('msSFU30MaxUidNumber' and 'msSFU30MaxGidNumber')?
>>> All I can confirm is that, at the current stage, ADUC is not
>>> checking my entries. I was able to give the same UID to two
>>> different accounts without any error or warning messages.
>>
>> The two attributes in question are available in Samba4 AD, they just
>> aren't created as standard. Even if you did create them, without the
>> 'UNIX Attribute' tab, I am unsure whether it would help with storing
>> and creating Unix attributes from windows. I just pointed out how
>> ADUC before win10 worked.
>>
> Since I don't know how ADUC worked before, I wonder: When you used the
> Unix Attributes tab, the UID would be prepopulated for you based on
> these attributes? So there was no need for you to track UID/GID yourself?

Yes, on a Windows DC, if you installed IDMU (it was also known by other
names) the two attributes were created, both containing '10000'; it is
just on a Samba DC that they do not exist. You are also correct that
ADUC would track the numbers for you.

>
>> [...]
>>>
>>> 4b) What about the Admin account? Do I treat it as any other account
>>> (with regards to assigning a UID) or is there something special I
>>> have to consider?
>>
>> We are talking about Administrator here, aren't we? Well, in which case he
>> is a bit special (though others say otherwise). On the DC, Administrator
>> is given the UID of '0', which is also the UID of the 'root' user, so
>> Administrator is automatically mapped to 'root', but any files &
>> directories created by Administrator show as belonging to 'root' on
>> the DC.
>> On a 'member server', you need to do this mapping yourself; add this
>> line to smb.conf:
>>
>> username map = /etc/samba/samba_usermapping
>>
>> then create the map file:
>>
>> nano /etc/samba/samba_usermapping
>>
>> !root = SAMDOM\Administrator SAMDOM\administrator
>>
>> Restart samba and you should be good to go.
>>
>> Rowland
>>
>
> Yes, I meant the administrator. I did your suggested change on my
> member server and restarted it. 'getent passwd administrator' is still
> not returning anything, though. Or is that the wrong way to check if
> it worked?
>

If you ran the same command on the DC, it will return something, but on
a member server it won't, because the range you set in smb.conf is (if
you followed the wiki, 10000-99999) above '0', and anything that is
outside the range is ignored. This is not a problem; remember that
Administrator is mapped to root on the member server, so if you want to
log into the member server, you would do so as root. From Windows,
Administrator becomes root and carries out any changes etc. as root.

Rowland

Viktor Trojanovic
Oct 27, 2015, 11:10:04 AM



On 27.10.2015 13:54, Rowland Penny wrote:
> [...]
>> Yes, I meant the administrator. I did your suggested change on my
>> member server and restarted it. 'getent passwd administrator' is
>> still not returning anything, though. Or is that the wrong way to
>> check if it worked?
>>
>
> If you ran the same command on the DC, it will return something, but
> on a member server it won't, because the range you set in smb.conf is
> (if you followed the wiki, 10000-99999) above '0', and anything that is
> outside the range is ignored. This is not a problem; remember that
> Administrator is mapped to root on the member server, so if you want
> to log into the member server, you would do so as root. From Windows,
> Administrator becomes root and carries out any changes etc. as root.
>
> Rowland
>
>

Ok, all understood, thank you. But how can I check if it worked with the
users? I manually changed the Nisdomain and uidNumber for two users
using ADUC (to 10001 and 10002, respectively), I restarted Samba (was
this even necessary?), and getent passwd <username> will still not
return anything.

In other words, what is the quickest way to check if my member server
setup worked out alright?

Rowland Penny
Oct 27, 2015, 11:20:04 AM

OK, if you compiled samba yourself and you want to test getent on the
member server, see this that I posted earlier:

https://lists.samba.org/archive/samba/2015-October/195319.html

If you are using distro packages, the wiki pages should give you a good
idea of what you need.

Rowland

mourik jan heupink
Oct 28, 2015, 7:40:04 AM

Hi Rowland,

Perhaps that info could be added to a wiki page? Perhaps somewhere here:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Setting_up_PAM_authentication?

MJ

Viktor Trojanovic
Oct 29, 2015, 12:30:04 PM

So, I spent quite some time researching it all a bit more in depth but I
get stuck at the same point, although I at least seem to have a better
understanding of how things should be now.

So, my smb.conf on the member server looks exactly like the one in the
wiki, except that I also added ACL support as suggested on the wiki page
"Shares with Windows ACLs". My filesystem is XFS and has ACL built-in.

I do get proper results for wbinfo -u and wbinfo -g, but the id and
getent commands just won't work. I'm trying it on users and groups that
have a uidNumber or gidNumber defined, respectively.

This is what my nsswitch.conf looks like:

passwd: compat winbind
group: compat winbind
hosts: compat dns
networks: compat dns

My Samba came from a package but I verified that libnss_winbind.so.2 is
properly linked.

smbd, nmbd and winbindd are properly started with no errors in the logs,
I'm joined to the AD, I can browse the member server from my windows
machine being logged in as Administrator. But I still can't seem to
change ACLs on any objects in the share from within Windows, I'm getting
error messages "Error when applying security" (I'm translating freely
from German).

Do you have any idea what's going wrong here?

Viktor

Rowland Penny
Oct 29, 2015, 1:00:03 PM

OK, if I remember correctly, we are talking about a domain member here,
not a DC. If you are using the default smb.conf from here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

with the 'ad' setup from here:

https://wiki.samba.org/index.php/Idmap_config_ad

with the acl support lines from here:

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#ACL_support_on_domain_members

then getent should work, but there are a few caveats: the users must have
a uidNumber inside the range 10000-99999 and Domain Users (at least)
must have a gidNumber inside the same range. Any users or groups outside
this range will be ignored and *all* users will be ignored if Domain
Users either doesn't have a gidNumber or it is outside the range.

Time must be synchronised between the machines, within 5 mins if I
remember correctly.
The domain member must be joined to the domain (obviously).
The domain member must be using the DC as its DNS server:

/etc/resolv.conf
search samdom.example.com
nameserver 192.168.0.3 <-- this is the ip of the DC

You only need this in /etc/krb5.conf

[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

Ideally your domain member should have a fixed IP, but if you are using
DHCP, check that the IP address isn't 127.0.0.1 or even worse 127.0.1.1.
If you are using Ubuntu with Network Manager, stop it using dnsmasq.

Check that pam is setup correctly, on debian you can do this by running
'pam-auth-update'

If everything seems correct, but 'getent passwd' doesn't return any
domain users, try 'getent passwd adomainuser', later samba versions only
return individual records.

Rowland
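
The checklist above can be turned into something you run on the member server before asking getent anything. The Python below is an added example written for this thread, not a Samba tool and not from the wiki: each function takes the text of one file and returns the problems it finds (an empty list means that file looks right), so the checks are reproducible against copies, and the file contents in the demo are constructed to match the lab in the thread. It covers resolv.conf pointing at a DC rather than a local stub resolver, the [libdefaults] keys in krb5.conf, winbind in nsswitch.conf, and the idmap lines in smb.conf, where it adds one check the thread does not spell out but Samba requires: the domain's range must not overlap the '*' range. Time synchronisation and the join itself still need a live host (ntp and wbinfo -t).

```python
"""Offline checks for the member-server prerequisites listed above.

Added example for this thread, not from Samba or the wiki. Each function
takes the text of one configuration file and returns a list of problems.
"""
import re


def check_resolv_conf(text, dc_ips):
    """Every nameserver must be a DC. A 127.x entry means a local stub resolver
    (dnsmasq started by NetworkManager, for instance) sits in front of it and
    the domain's SRV records may never be found."""
    problems = []
    servers = [ln.split()[1] for ln in text.splitlines()
               if ln.split()[:1] == ["nameserver"] and len(ln.split()) > 1]
    if not servers:
        problems.append("resolv.conf: no nameserver line")
    for ip in servers:
        if ip.startswith("127."):
            problems.append("resolv.conf: nameserver %s is a local stub resolver" % ip)
        elif ip not in dc_ips:
            problems.append("resolv.conf: nameserver %s is not a DC" % ip)
    return problems


def check_krb5_conf(text, realm):
    """[libdefaults] needs the realm in upper case and dns_lookup_kdc = true so
    the KDC is located through the DC's SRV records."""
    section, libdefaults = None, {}
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith(("#", ";")):
            continue
        if ln.startswith("["):
            section = ln.strip("[]").lower()
        elif section == "libdefaults" and "=" in ln:
            key, value = (part.strip() for part in ln.split("=", 1))
            libdefaults[key] = value
    problems = []
    if libdefaults.get("default_realm") != realm.upper():
        problems.append("krb5.conf: default_realm should be %s" % realm.upper())
    if libdefaults.get("dns_lookup_kdc", "").lower() not in ("true", "yes"):
        problems.append("krb5.conf: dns_lookup_kdc should be true")
    return problems


def check_nsswitch(text):
    """passwd and group must list winbind, or getent never asks winbindd."""
    databases = {}
    for ln in text.splitlines():
        if ":" in ln and not ln.lstrip().startswith("#"):
            name, sources = ln.split(":", 1)
            databases[name.strip()] = sources.split()
    return ["nsswitch.conf: '%s' line does not list winbind" % db
            for db in ("passwd", "group") if "winbind" not in databases.get(db, [])]


_IDMAP = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def check_idmap(text, domain):
    """The domain needs an 'ad' or 'rid' backend with a range, and that range
    must not overlap the '*' range that catches BUILTIN and unknown SIDs."""
    cfg = {}
    for ln in text.splitlines():
        m = _IDMAP.match(ln)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    problems, ranges = [], {}
    if cfg.get(domain.upper(), {}).get("backend") not in ("ad", "rid"):
        problems.append("smb.conf: idmap config %s : backend should be ad or rid" % domain)
    for name, opts in cfg.items():
        m = re.match(r"^(\d+)\s*-\s*(\d+)$", opts.get("range", ""))
        if m is None:
            problems.append("smb.conf: idmap config %s has no valid range" % name)
        else:
            ranges[name] = (int(m.group(1)), int(m.group(2)))
    if "*" not in ranges:
        problems.append("smb.conf: no 'idmap config * : range' for the default backend")
    if domain.upper() in ranges and "*" in ranges:
        (lo, hi), (dlo, dhi) = ranges[domain.upper()], ranges["*"]
        if lo <= dhi and dlo <= hi:
            problems.append("smb.conf: %s range %d-%d overlaps the * range %d-%d"
                            % (domain, lo, hi, dlo, dhi))
    return problems


if __name__ == "__main__":
    # Constructed samples; on a real member server pass open(path).read().
    # Two deliberate faults: a dnsmasq stub in resolv.conf and overlapping ranges.
    findings = (
        check_resolv_conf("search samdom.example.com\nnameserver 127.0.1.1\n", ["192.168.0.3"])
        + check_krb5_conf("[libdefaults]\ndefault_realm = SAMDOM.EXAMPLE.COM\n"
                          "dns_lookup_realm = false\ndns_lookup_kdc = true\n", "SAMDOM.EXAMPLE.COM")
        + check_nsswitch("passwd: compat winbind\ngroup: compat winbind\nhosts: compat dns\n")
        + check_idmap("idmap config *:backend = tdb\nidmap config *:range = 2000-9999\n"
                      "idmap config SAMDOM:backend = ad\nidmap config SAMDOM:range = 5000-99999\n",
                      "SAMDOM"))
    for finding in findings:
        print(finding)
```

The overlap check matters for the symptom in this thread: with overlapping ranges winbind may hand a BUILTIN group the same number as a domain user, and ACLs set from Windows then land on the wrong identity without any error on the Samba side.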

Viktor Trojanovic
Oct 29, 2015, 1:40:03 PM

No. I'm using the smb.conf from
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

> with the 'ad' setup from here:
>
> https://wiki.samba.org/index.php/Idmap_config_ad
>
Those lines are already implemented in the smb.conf retrieved from
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
Those exact 3 lines, yes.
> then getent should work, but there are a few caveats: the users must
> have a uidNumber inside the range 10000-99999 and Domain Users (at
> least) must have a gidNumber inside the same range. Any users or
> groups outside this range will be ignored and *all* users will be
> ignored if Domain Users either doesn't have a gidNumber or it is
> outside the range.
>
The user I'm trying to return has a uidNumber of 10002, and Domain Users
is set to gidNumber 10000. I have not set those attributes for other
groups and did not expect them to show up with getent.

> Time must be synchronised between the machines, within 5 mins if I
> remember correctly.
Time is synced and well within 5 mins. Kerberos would fail otherwise and
I am able to request k-tickets for any user without issues.
> The domain member must be joined to the domain (obviously)
Of course.
> The domain member must be using the DC as its DNS server:
>
> /etc/resolv.conf
> search samdom.example.com
> nameserver 192.168.0.3 <-- this is the ip of the DC
>
My DC has a fixed IP and that's exactly what my resolv.conf looks like,
no other lines.
> You only need this in /etc/krb5.conf
>
> [libdefaults]
> default_realm = SAMDOM.EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
That's exactly what I have. As mentioned, Kerberos seems to work properly.

> Ideally your domain member should have a fixed IP, but if you are
> using DHCP, check that the IP address isn't 127.0.0.1 or even worse
> 127.0.1.1. If you are using Ubuntu with Network Manager, stop it using
> dnsmasq.
>
See above.
> Check that pam is setup correctly, on debian you can do this by
> running 'pam-auth-update'
>
I don't have pam setup since I don't need the users to log in to Linux.
It is nowhere mentioned, neither on the wiki nor on the book that this
is a prerequisite for getent to work.
> If everything seems correct, but 'getent passwd' doesn't return any
> domain users, try 'getent passwd adomainuser', later samba versions
> only return individual records.
>
I tried that, it doesn't return any values.
> Rowland
>
>
>
Do you see some issue with my config? Obviously, most of the things seem
to work, it's just this bloody acl mapping..

Rowland Penny
Oct 29, 2015, 2:00:03 PM

OK, what is the difference between a 'domain member' and a 'member
server', well to be honest, not much. You can think of a 'domain member'
being the same as a normal windows workstation that a user logs into and
it doesn't share anything. You can turn a 'domain member' into a 'member
server' very easily, just make it share something :-) if you share
printers from it, it becomes a 'Print Server' , add data shares and it
becomes a 'File Server', I think you get the idea here :-)

Your smb.conf from the 'member server' page is equivalent to the one you
can create from the three pages I posted.

>> with the acl support lines from here:
>>
>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#ACL_support_on_domain_members
>>
>>
> Those exact 3 lines, yes.
>> then getent should work, but there are a few caveats: the users must
>> have a uidNumber inside the range 10000-99999 and Domain Users (at
>> least) must have a gidNumber inside the same range. Any users or
>> groups outside this range will be ignored and *all* users will be
>> ignored if Domain Users either doesn't have a gidNumber or it is
>> outside the range.
>>
> The user I'm trying to return has a uidNumber of 10002, and Domain
> Users is set to gidNumber 10000. I have not set those attributes for
> other groups and did not expect them to show up with getent.
>
>> Time must be synchronised between the machines, within 5 mins if I
>> remember correctly.
> Time is synced and well within 5 mins. Kerberos would fail otherwise
> and I am able to request k-tickets for any user without issues.
>> The domain member must be joined to the domain (obviously)
> Of course.
>> The domain member must be using the DC as its DNS server:
>>
>> /etc/resolv.conf
>> search samdom.example.com
>> nameserver 192.168.0.3 <-- this is the ip of the DC
>>
> My DC has a fixed IP and that's exactly how my resolv.conf looks like,
> no other lines.

Yes but does your 'member server' have a fixed ip ?

>> You only need this in /etc/krb5.conf
>>
>> [libdefaults]
>> default_realm = SAMDOM.EXAMPLE.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
> That's exactly what I have. As mentioned, Kerberos seems to work
> properly.
>
>> Ideally your domain member should have a fixed IP, but if you are
>> using DHCP, check that the IP address isn't 127.0.0.1 or even worse
>> 127.0.1.1. If you are using Ubuntu with Network Manager, stop it using
>> dnsmasq.
>>
> See above.
>> Check that pam is setup correctly, on debian you can do this by
>> running 'pam-auth-update'
>>
> I don't have pam setup since I don't need the users to log in to
> Linux. It is nowhere mentioned, neither on the wiki nor on the book
> that this is a prerequisite for getent to work.

Applying Hand brake screeching to a halt :-D

If pam is not set up you will not get 'getent' to work. Can you please
refresh my memory and tell me what OS you are using. Pam is not required
on a DC unless you require your users to actually log into it, but it is
definitely needed on a 'domain member' (or as you call it, a 'member
server')

There is a mention of setting up PAM on the page you referred to:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Setting_up_PAM_authentication

Though it is a bit unclear that it is required to make 'getent' work, I
will not update this page because there is a very good chance it will
get a massive overhaul soon, but I will look into whether any other Pam
info specifies that it is needed on a domain member.

Rowland

Viktor Trojanovic
Oct 29, 2015, 3:30:03 PM

Well, I'll be... I really didn't figure out that that was any kind of
necessity. Since the getent checks on the wiki (and in my book) are
performed before the comments about PAM, I thought that's just for
special situations (such as needing users to log in on Linux). So you're
saying I can't set my ACLs with domain users because of that?

I guess my next project then is to figure out how to configure this on
Alpine Linux which is what I'm using for my member server. While I can
find packages for PAM, it seems that there is no pam_winbind module so
I'm not sure where this leaves me. Any tips?

Even if not, at least I know now where the problem is. I really
appreciate all your help.

Viktor

Rowland Penny
Oct 29, 2015, 4:00:04 PM

getent shows what the OS knows about a user, if it shows nothing, that
user is unknown to the OS and as such cannot own anything. On the DC,
this is not really a problem because the users are automatically given
an xidNumber and this is used instead and most people only use the DC
for authentication. You only need the libnss_winbind links and pam (or
something in its place) if you want your users to connect to the member
server.

>
> I guess my next project then is to figure out how to configure this on
> Alpine Linux which is what I'm using for my member server. While I can
> find packages for PAM, it seems that there is no pam_winbind module so
> I'm not sure where this leaves me. Any tips?

Er, use Debian instead :-D
I could give you instructions to set up a basic Samba domain member on
Debian that would only take you about 15mins and is guaranteed to work
(famous last words).

Rowland

Viktor Trojanovic
Oct 29, 2015, 4:30:03 PM
Haha :) I've already spent so much time on getting to know Arch and
Alpine Linux inside and out, with some Ubuntu on the side, that I just
can't be bothered to add Debian to the list. But if I can't get either
to work, I'll reconsider. :)

I'll report back.. thanks again, and good night.

Rowland Penny
Oct 29, 2015, 4:40:03 PM
Well, Ubuntu is heavily based on Debian, so what works for one,
generally works for the other with slight mods.

Rowland

Viktor Trojanovic
Oct 29, 2015, 7:10:03 PM
Let me just reconfirm something. Is PAM still needed if I used RID as a mapping backend instead of AD?

I'm asking because I came across other tutorials on how to set up a Samba member server and they didn't involve PAM. The main difference in the config was the backend, which is RID in their case.

In the Arch Wiki (which could be outdated) it is explicitly stated that all that is needed for getent to work is a proper nsswitch.conf. https://wiki.archlinux.org/index.php/Active_Directory_Integration

Here is a tutorial on how to do it on FreeBSD 9. The info is based on Samba 3.6 joining a Windows DC, though. See http://samba.ninja/2012/05/freebsd-9-samba-ad-member-server/

Rowland Penny
Oct 30, 2015, 4:30:02 AM
Yes, PAM is still required. I am no expert, but this is how I think
nsswitch works:

When you run 'getent passwd user' it checks in /etc/nsswitch.conf for
what the 'passwd' line contains. It then checks each of the databases
one by one; normally it would check the local files first (though this
can be called 'compat'). If it finds a local user it stops and returns
the info for the user. If it doesn't find anything it moves on to the
next database, in our case 'winbind'; this checks for the user and, if
the user is found, the user's info is returned. This is where PAM comes
in: you can think of it as a 'bridge' between getent and AD; without
this bridge winbind cannot get to the info.

>
> I'm asking because I came across other tutorials on how to set up a Samba member server and they didn't involve PAM. The main difference in the config was the backend, which is RID in their case.
>
> In the Arch Wiki (which could be outdated) it is explicitly stated that all that is needed for getent to work is a proper nsswitch.conf. https://wiki.archlinux.org/index.php/Active_Directory_Integration

Yes, but it also tells you to install pam-krb5

>
> Here is a tutorial on how to do it on FreeBSD 9. The info is based on Samba 3.6 joining a Windows DC, though. See http://samba.ninja/2012/05/freebsd-9-samba-ad-member-server/

The only thing it doesn't mention is PAM, but does FreeBSD use PAM?

All I can say is that I use Debian Wheezy and I have to install PAM
packages to make getent work.

Rowland

Viktor Trojanovic
Oct 30, 2015, 8:20:04 PM
Finally! It works! Fireworks!

So I tried it with Arch Linux this time. I did exactly what I did
before, meaning:

- fixed IP, added the DC to /etc/hosts, configured /etc/resolv.conf to
contain the dc nameserver and search domain
- added new host (A) entry on the DC
- set up ntp to get times from the dc
- joined the AD (error messages about DNS remain as before but the join
is OK)
- set up /etc/smb.conf as per the wiki, added parts for "load
printers=no", the 3 lines for acl file sharing, and the usermapping file
containing the root=admin mapping
- added "winbind" to the lines for passwd, group, and shadow in
/etc/nsswitch.conf
- started the 3 services smbd, nmbd, winbindd

And voilà, it all works. getent passwd/group is returning the expected
values, I can define ACLs through Windows and read them in Linux.

While the PAM packages are installed on the base system by default, I
did not have to change or adapt the configuration. I did not even
install the pam-krb5 package. You indeed only need to do all this if you
want to log in to the machine with AD user accounts.

Next step is now to change to the RID backend.. I think that makes more
sense in my setup.

That was quite an exhausting learning experience.. :) Thanks once more
for all your support. Without it, I probably would have given up stuck
as I was.

Viktor
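The NSS-side checks that the thread keeps coming back to (is winbind on the passwd and group lines of nsswitch.conf, does getent actually return domain users, and does Domain Users resolve to a gid), collected into one script. This is an added example, not code from the thread, the Samba wiki or the Samba project. The nsswitch.conf fragment and the getent output are constructed samples; SAMDOM, the uid/gid values, the function names and the default winbind separator '\' are assumptions. Only check_live_system touches the machine it runs on, and nothing calls it by default.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): sanity checks
# for the NSS side of a Samba domain member, i.e. the part that makes
# 'getent passwd' / 'getent group' return AD users and groups.

# Constructed /etc/nsswitch.conf fragment: passwd and group go through
# winbind, shadow does not (Viktor's recipe adds winbind to all three).
SAMPLE_NSS='passwd: files winbind
group:  files winbind
shadow: files
hosts:  files dns'

# Constructed 'getent passwd' / 'getent group' output. SAMDOM and the
# uid/gid values are placeholders. The name field carries the winbind
# separator (default '\'), which is how AD-backed entries can be told
# apart from local ones.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
SAMDOM\administrator:*:10000:10000:Administrator:/home/SAMDOM/administrator:/bin/false
SAMDOM\viktor:*:10001:10000:Viktor:/home/SAMDOM/viktor:/bin/bash'
SAMPLE_GROUP='users:x:100:
SAMDOM\domain users:x:10000:
SAMDOM\domain admins:x:10002:'

# nss_has_winbind DB NSS_TEXT: succeed when the DB line (passwd, group, ...)
# lists 'winbind' as one of its sources, in any position.
nss_has_winbind() {
    printf '%s\n' "$2" |
        grep -Eq "^[[:space:]]*$1:([[:space:]]+[^[:space:]]+)*[[:space:]]+winbind([[:space:]]|$)"
}

# domain_entries SEP TEXT: print the name field of entries whose name
# contains the winbind separator SEP (came from AD, not from local files).
domain_entries() {
    printf '%s\n' "$2" | cut -d: -f1 | grep -F -- "$1"
}

# count_domain_entries SEP TEXT: number of such entries, 0 when none.
count_domain_entries() {
    domain_entries "$1" "$2" | wc -l | tr -d ' '
}

# group_gid SEP NAME TEXT: print the numeric gid of group NAME
# (case-insensitive, since winbind lowercases names) or nothing if the
# group did not resolve, which is what a missing gidNumber looks like.
group_gid() {
    printf '%s\n' "$3" | grep -Fi -- "$1$2:" | cut -d: -f3
}

# check_member_server_nss SEP NSS_TEXT PASSWD_TEXT GROUP_TEXT
# Prints one line per finding; returns 0 only when every check passes.
check_member_server_nss() {
    sep="$1"; nss="$2"; pw="$3"; gr="$4"; rc=0
    for db in passwd group; do
        if nss_has_winbind "$db" "$nss"; then
            echo "ok:   $db line in nsswitch.conf uses winbind"
        else
            echo "FAIL: $db line in nsswitch.conf lacks winbind"; rc=1
        fi
    done
    n="$(count_domain_entries "$sep" "$pw")"
    if [ "$n" -gt 0 ]; then
        echo "ok:   $n domain users visible via getent passwd"
    else
        echo "FAIL: no domain users in getent passwd"; rc=1
    fi
    gid="$(group_gid "$sep" "domain users" "$gr")"
    if [ -n "$gid" ]; then
        echo "ok:   Domain Users resolves to gid $gid"
    else
        echo "FAIL: Domain Users does not resolve (no gidNumber?)"; rc=1
    fi
    return $rc
}

# check_live_system [SEP]: run the same checks against the running box.
check_live_system() {
    sep="${1:-}"; [ -n "$sep" ] || sep='\'
    check_member_server_nss "$sep" "$(cat /etc/nsswitch.conf)" \
        "$(getent passwd)" "$(getent group)"
}

# Demo against the constructed samples (exit status 0 when all pass).
check_member_server_nss '\' "$SAMPLE_NSS" "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

The demo only checks passwd and group because those are the two databases getent needs for user and group lookups; if you want to know whether shadow was also wired up, as in Viktor's list, call nss_has_winbind shadow on your own nsswitch.conf. On a domain member where Domain Users has no gidNumber (with the ad backend) the last check fails, which matches the symptom at the start of the thread.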