
[Samba] How to join Ubuntu desktop to AD


lingpanda101 via samba

Dec 6, 2016, 1:20:04 PM12/6/16
Hello,

Does the wiki contain documentation on how to join a Linux
workstation to Samba? I can't seem to find it. I do see this
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member but
this appears to use SSH to login. I'm looking to login locally. I used
PBIS in the past and enabled the Login prompt as seen here
http://askubuntu.com/questions/451950/how-to-configure-lightdm-to-allow-manual-logins-in-ubuntu-14-04.
Can I follow the wiki and just enable the login prompt in replace of
PBIS aka likewise open? Thanks.


--
- James


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Marc Muehlfeld via samba

Dec 6, 2016, 1:50:02 PM12/6/16
Hello,

Am 06.12.2016 um 19:15 schrieb lingpanda101 via samba:
> Does the wiki contain documentation on how to join a Linux
> workstation to Samba? I can't seem to find it. I do see this
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member but
> this appears to use SSH to login. I'm looking to login locally.

This is the documentation you're looking for.

SSH is just an example in the documentation how to use pam_winbind. Have
a look at your PAM configuration files and the PAM documentation to see
which file you have to add pam_winbind to for local logins.

Regards,
Marc

Rowland Penny via samba

Dec 6, 2016, 2:00:03 PM12/6/16
On Tue, 6 Dec 2016 19:38:49 +0100
Marc Muehlfeld via samba <sa...@lists.samba.org> wrote:

> Hello,
>
> Am 06.12.2016 um 19:15 schrieb lingpanda101 via samba:
> > Does the wiki contain documentation on how to join a Linux
> > workstation to Samba? I can't seem to find it. I do see this
> > https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> > but this appears to use SSH to login. I'm looking to login locally.
>
> This is the documentation you're looking for.
>
> SSH is just an example in the documentation how to use pam_winbind.
> Have a look at your PAM configuration files and the PAM documentation
> to see which file you have to add pam_winbind to for local logins.
>
> Regards,
> Marc
>

libpam-winbind, libpam-krb5 and libnss-winbind on Debian, presumably
the same on Ubuntu.

Rowland

lingpanda101 via samba

Dec 6, 2016, 3:00:03 PM12/6/16
On 12/6/2016 1:49 PM, Rowland Penny via samba wrote:
> On Tue, 6 Dec 2016 19:38:49 +0100
> Marc Muehlfeld via samba <sa...@lists.samba.org> wrote:
>
>> Hello,
>>
>> Am 06.12.2016 um 19:15 schrieb lingpanda101 via samba:
>>> Does the wiki contain documentation on how to join a Linux
>>> workstation to Samba? I can't seem to find it. I do see this
>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>> but this appears to use SSH to login. I'm looking to login locally.
>> This is the documentation you're looking for.
>>
>> SSH is just an example in the documentation how to use pam_winbind.
>> Have a look at your PAM configuration files and the PAM documentation
>> to see which file you have to add pam_winbind to for local logins.
>>
>> Regards,
>> Marc
>>
> libpam-winbind, libpam-krb5 and libnss-winbind on Debian, presumably
> the same on Ubuntu.
>
> Rowland
>

OK thanks. I'm a bit stuck at the part where I configure my smb.conf.
I'm going with the winbind ad backend.

[global]
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL (Yes I know about .local)

log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 2000-9999 (This is the range for local
users on the workstation?)
winbind nss info = rfc2307
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 10000-999999 (This is the default
range samba uses correct?)

If I # cat /etc/adduser.conf I see

FIRST_UID=1000
LAST_UID=29999

Is this the range I should use for 'idmap config * : range = 2000-9999'?

I'm using rfc2307 on my DC's and my UID's start at 10000 when assigning
using Microsoft's ADUC tool. I should be good with using 'idmap config
MYDOMAIN:range = 10000-999999'?

Choosing the exact range to use is what I'm finding confusing. Thanks.

--
- James

Rowland Penny via samba

Dec 6, 2016, 3:20:03 PM12/6/16

No, the '*' range is for the 'well known SIDs' (see here:
https://support.microsoft.com/en-us/kb/243330) and anything outside
your domain (aka workgroup).

The suggested ranges on the samba wiki are known to work (well, they
work for me). They allow for local Unix users & groups in the range
1000-1999, for the well known SIDs in the range 2000-9999 and domain
users & groups in the range 10000-999999.

The local Unix users & groups will get their IDs when they are added
and they will be created in /etc/passwd and /etc/group.
The well known SIDs will be allocated an ID, starting from 2000, i.e.
the start number for the range.
You will have to add unique uidNumber attributes to each user, starting
from 10000. You must also give 'Domain Users' a gidNumber attribute;
you can use 10000 for this (yes, you can have a user with uidNumber
10000 and a group with the same number).

If everything is installed and setup correctly and you run 'getent
passwd auser' you should get something like this:

rowland@devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Any further questions, just ask ;-)

Rowland
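The three ranges Rowland describes (local accounts below 2000, the '*' backend for well-known SIDs, and the domain's own range) only work if they never overlap each other. The script below is an added example, not code from the Samba wiki or from anyone on this thread: it parses the `idmap config ... : range` lines and the adduser FIRST_UID/LAST_UID values from constructed copies of the two files quoted above, reports overlaps, and tells you which range a given UID (such as the 10000 in the getent output) belongs to. The adduser-overlap check is a caveat added here; the rest follows the wiki's ranges as posted.

```python
"""Sanity-check the idmap ranges in smb.conf against each other and against
the local adduser range.

Added example: this is not code from the Samba wiki or from anyone on this
thread. The config excerpts below are constructed copies of what the thread
shows; parse_idmap_ranges() can be pointed at a real smb.conf instead.
"""
import re
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]

# Constructed smb.conf fragment using the ranges the wiki suggests
SMB_CONF = """
[global]
    security = ADS
    workgroup = MYDOMAIN
    realm = MYDOMAIN.LOCAL
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    winbind nss info = rfc2307
    idmap config MYDOMAIN:backend = ad
    idmap config MYDOMAIN:schema_mode = rfc2307
    idmap config MYDOMAIN:range = 10000-999999
"""

# Constructed /etc/adduser.conf excerpt (the Ubuntu defaults quoted above)
ADDUSER_CONF = """
FIRST_UID=1000
LAST_UID=29999
"""

IDMAP_RANGE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_idmap_ranges(smb_conf: str) -> Dict[str, Range]:
    """Return {DOMAIN: (low, high)}; '*' is the default/well-known-SID backend."""
    return {dom.upper(): (int(lo), int(hi))
            for dom, lo, hi in IDMAP_RANGE.findall(smb_conf)}


def parse_adduser_range(adduser_conf: str) -> Optional[Range]:
    """UID range adduser hands out to local accounts, or None if not set."""
    lo = re.search(r"^\s*FIRST_UID\s*=\s*(\d+)", adduser_conf, re.MULTILINE)
    hi = re.search(r"^\s*LAST_UID\s*=\s*(\d+)", adduser_conf, re.MULTILINE)
    if not (lo and hi):
        return None
    return int(lo.group(1)), int(hi.group(1))


def overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def uid_owner(uid: int, ranges: Dict[str, Range]) -> Optional[str]:
    """Which idmap domain a UID/GID falls in; None means local (/etc/passwd)."""
    for dom, (lo, hi) in ranges.items():
        if lo <= uid <= hi:
            return dom
    return None


def audit_idmap(smb_conf: str, adduser_conf: str) -> List[str]:
    findings = []
    ranges = parse_idmap_ranges(smb_conf)
    if "*" not in ranges:
        findings.append("ERROR: no 'idmap config * : range'; well-known SIDs "
                        "and BUILTIN groups have nowhere to be mapped")
    for dom, (lo, hi) in ranges.items():
        if lo > hi:
            findings.append(f"ERROR: range for {dom} is reversed ({lo}-{hi})")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if overlaps(ranges[a], ranges[b]):
                findings.append(f"ERROR: idmap ranges for {a} and {b} overlap")
    # Caveat added here: adduser may one day hand a local user an ID inside
    # a winbind range, so the two should not overlap either.
    local = parse_adduser_range(adduser_conf)
    if local:
        for dom, r in ranges.items():
            if overlaps(local, r):
                findings.append(f"WARNING: adduser range {local[0]}-{local[1]} "
                                f"overlaps idmap range for {dom} ({r[0]}-{r[1]})")
    return findings


if __name__ == "__main__":
    for line in audit_idmap(SMB_CONF, ADDUSER_CONF):
        print(line)
    # uid 10000 from the getent output above lands in the MYDOMAIN range
    print(uid_owner(10000, parse_idmap_ranges(SMB_CONF)))
```

With the wiki's ranges the script reports no errors, only two warnings: the stock Ubuntu adduser range (1000-29999) reaches into both winbind ranges, which is harmless until the 1001st local account is created.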

lingpanda101 via samba

Dec 7, 2016, 8:40:03 AM12/7/16
OK, unable to get anything back from 'getent'. Using Ubuntu 16.04.1,
Samba 4.5.1 built from tar.

*# /usr/local/samba/bin/net ads join -U administrator*
Enter administrator's password:
Using short domain name -- DOMAIN
Joined 'DR210' to dns domain 'domain.local'
DNS update failed: NT_STATUS_UNSUCCESSFUL (I manually added the DNS A RR.)

*smb.conf file*

[global]
security = ADS
workgroup = DOMAIN
realm = DOMAIN.LOCAL

log file = /var/log/samba/%m.log
log level = 1

idmap config * : backend = tdb

idmap config * : range = 3000-7999


winbind nss info = rfc2307

idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-999999


*'libnss_winbind' links*

lrwxrwxrwx 1 root root 41 Dec 7 07:51 libnss_winbind.so ->
/lib/x86_64-linux-gnu/libnss_winbind.so.2
lrwxrwxrwx 1 root root 40 Dec 7 07:51 libnss_winbind.so.2 ->
/usr/local/samba/lib/libnss_winbind.so.2


*root@DR210:/# cat /etc/nsswitch.conf*
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis


*root@DR210:/# cat /etc/resolv.conf *
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by
resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 172.16.232.29
nameserver 172.16.232.39
search domain.local


*root@DR210:/# cat /var/log/samba/winbindd.log *

[2016/12/07 08:12:17.545371, 0]
../lib/util/become_daemon.c:124(daemon_ready)
STATUS=daemon 'winbindd' finished starting up and ready to serve
connections
[2016/12/07 08:14:32.678686, 1] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
tdb(/usr/local/samba/var/lock/mutex.tdb): tdb_lock failed on list 63
ltype=1 (Interrupted system call)
[2016/12/07 08:14:32.678743, 0]
../source3/lib/util_tdb.c:497(tdb_chainlock_with_timeout_internal)
tdb_chainlock_with_timeout_internal: alarm (40) timed out for key
PFDC1 in tdb /usr/local/samba/var/lock/mutex.tdb
[2016/12/07 08:14:32.678796, 1]
../source3/lib/server_mutex.c:97(grab_named_mutex)
Could not get the lock for PFDC1
[2016/12/07 08:14:32.678860, 0]
../source3/winbindd/winbindd_cm.c:1039(cm_prepare_connection)
cm_prepare_connection: mutex grab failed for PFDC1
[2016/12/07 08:18:13.433118, 1]
../source3/winbindd/winbindd_util.c:352(trustdom_list_done)
trustdom_list_done: Could not receive trusts for domain DOMAIN

--
- James

lingpanda101 via samba

Dec 8, 2016, 12:10:03 PM12/8/16

I'll point out a typo in the wiki while I go through this exercise.

# smbd -B | grep LIBDIR

The switch is actually lowercase for me.

# smbd -b | grep LIBDIR

--
- James

lingpanda101 via samba

Dec 8, 2016, 12:30:02 PM12/8/16

I think I have an issue with ldconfig not finding winbind. I created the
symlinks and verified they exist. What am I missing? Thanks.

ldconfig -v | grep "libnss_"
/sbin/ldconfig.real: Path `/lib/x86_64-linux-gnu' given more than once
/sbin/ldconfig.real: Path `/usr/lib/x86_64-linux-gnu' given more than once
/sbin/ldconfig.real: /lib/x86_64-linux-gnu/ld-2.23.so is the dynamic
linker, ignoring

libnss_mdns4_minimal.so.2 -> libnss_mdns4_minimal.so.2
libnss_files.so.2 -> libnss_files-2.23.so
libnss_nis.so.2 -> libnss_nis-2.23.so
libnss_mdns.so.2 -> libnss_mdns.so.2
libnss_dns.so.2 -> libnss_dns-2.23.so
libnss_nisplus.so.2 -> libnss_nisplus-2.23.so
libnss_mdns6_minimal.so.2 -> libnss_mdns6_minimal.so.2
libnss_compat.so.2 -> libnss_compat-2.23.so
libnss_mdns_minimal.so.2 -> libnss_mdns_minimal.so.2
libnss_hesiod.so.2 -> libnss_hesiod-2.23.so
libnss_mdns6.so.2 -> libnss_mdns6.so.2
libnss_mdns4.so.2 -> libnss_mdns4.so.2

--
- James

Rowland Penny via samba

Dec 8, 2016, 1:00:02 PM12/8/16

What version of Samba are you using? I got the impression you were
using the distro's packages, in which case you do not create the
symlinks, you just install the packages I referred to earlier.

Rowland

lingpanda101 via samba

Dec 8, 2016, 1:10:03 PM12/8/16

I compiled using 4.5.1.

--
- James

Rowland Penny via samba

Dec 8, 2016, 1:30:03 PM12/8/16
On Thu, 8 Dec 2016 13:03:49 -0500

OK, you need to have these symlinks:

ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so.2
ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so

ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so.2
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so

ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so

Then run 'ldconfig'

You will also have to create a file: /usr/share/pam-configs/winbind

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore] pam_winbind.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_winbind.so use_authtok try_first_pass
Password-Initial:
[success=end default=ignore] pam_winbind.so
Session-Type: Additional
Session:
optional pam_winbind.so

Rowland
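The /usr/share/pam-configs/winbind file Rowland posts is a pam-auth-update profile: `Name`/`Default`/`Priority` headers, then one `<Stack>-Type` and `<Stack>:` pair per PAM stack, with continuation lines indented by a tab in the real file (mail strips the tabs). The following is an added example, not code from the Samba wiki, pam-auth-update or anyone on this thread: a small parser for that format, fed a copy of the profile above, that splits each PAM line into control, module and arguments and flags a profile that pam-auth-update would reject or that leaves a stack without pam_winbind.

```python
"""Parse a pam-configs profile (the /usr/share/pam-configs/<name> format that
pam-auth-update reads) and check that pam_winbind is wired into every stack.

Added example: not code from the Samba wiki, pam-auth-update or anyone on
this thread. PROFILE is a copy of the profile posted above, with the tab
indentation that the real file format uses on continuation lines.
"""
import re
from typing import Dict, List, Tuple

PROFILE = """\
Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
\t[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
\t[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
\t[success=end new_authtok_reqd=done default=ignore] pam_winbind.so
Password-Type: Primary
Password:
\t[success=end default=ignore] pam_winbind.so use_authtok try_first_pass
Password-Initial:
\t[success=end default=ignore] pam_winbind.so
Session-Type: Additional
Session:
\toptional pam_winbind.so
"""

# A field header is 'Key: value' at column 0; anything else continues the
# current field (real files indent continuations with a tab, mail strips it)
FIELD = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(.*)$")
STACKS = ("Auth", "Account", "Password", "Session")


def parse_profile(text: str) -> Dict[str, List[str]]:
    """Return {field: [lines]}; multi-line stacks keep one entry per PAM line."""
    fields: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = FIELD.match(raw)
        if m and not raw[0].isspace():
            current = m.group(1)
            fields[current] = [m.group(2)] if m.group(2) else []
        elif current is not None:
            fields[current].append(raw.strip())
        else:
            raise ValueError(f"continuation before any field: {raw!r}")
    return fields


def parse_stack_line(line: str) -> Tuple[str, str, List[str]]:
    """Split a PAM line into (control, module, args); control may be [bracketed]."""
    if line.startswith("["):
        end = line.index("]")
        control, rest = line[:end + 1], line[end + 1:].split()
    else:
        parts = line.split()
        control, rest = parts[0], parts[1:]
    if not rest:
        raise ValueError(f"no module in PAM line: {line!r}")
    return control, rest[0], rest[1:]


def audit_profile(text: str) -> List[str]:
    """Findings that would make pam-auth-update reject or misplace the profile."""
    fields = parse_profile(text)
    findings = []
    for key in ("Name", "Default", "Priority"):
        if key not in fields:
            findings.append(f"ERROR: missing '{key}:' header")
    if "Priority" in fields and not fields["Priority"][0].isdigit():
        findings.append("ERROR: Priority must be an integer")
    for stack in STACKS:
        if stack not in fields:
            findings.append(f"WARNING: no {stack} stack")
            continue
        stack_type = fields.get(stack + "-Type", [""])[0]
        if stack_type not in ("Primary", "Additional"):
            findings.append(f"ERROR: {stack}-Type must be Primary or Additional")
        modules = [parse_stack_line(pam_line)[1] for pam_line in fields[stack]]
        if "pam_winbind.so" not in modules:
            findings.append(f"ERROR: {stack} stack does not call pam_winbind.so")
    return findings


if __name__ == "__main__":
    for stack in STACKS:
        for pam_line in parse_profile(PROFILE)[stack]:
            print(stack, parse_stack_line(pam_line))
    print(audit_profile(PROFILE) or "profile OK")
```

The `Primary` type plus `[success=end default=ignore]` is what makes the profile safe for mixed local and domain logins: when pam_winbind succeeds, pam-auth-update's generated common-auth skips the rest of the primary block; when it returns ignore, control falls through to pam_unix and local accounts still work.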

lingpanda101 via samba

Dec 8, 2016, 2:00:02 PM12/8/16

I will perform the additional steps. I should point out I do not see
anything related to configuring Kerberos in the wiki. I have kept the
default configuration. Thanks.

--
- James

Rowland Penny via samba

Dec 8, 2016, 2:20:03 PM12/8/16
On Thu, 8 Dec 2016 13:54:17 -0500

Now I look at the domain member page, nor do I, but you only need the
same krb5.conf as on the DC:

[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

Rowland

lingpanda101 via samba

Dec 9, 2016, 9:30:02 AM12/9/16

Still no luck getting getent to retrieve user information. I have uid's
and gid's setup for all users I am attempting to query. I still think I
have an issue with ldconfig. I started over and used 4.5.2 as well. I'm
going to switch to Debian 8.6 just to see if I get different results.

*root@DR210:~# /usr/local/samba/bin/wbinfo --ping-dc*
checking the NETLOGON for domain[DOMAIN] dc connection to
"pfdc1.domain.local" succeeded

*root@DR210:~# cat /var/log/samba/log.wb-DR210*
[2016/12/08 15:48:28.989794, 1]
../source3/passdb/pdb_tdb.c:543(tdbsam_open)
tdbsam_open: Converting version 0.0 database to version 4.0.
[2016/12/08 15:48:28.990276, 1]
../source3/passdb/pdb_tdb.c:304(tdbsam_convert_backup)
tdbsam_convert_backup: updated /usr/local/samba/private/passdb.tdb file.

*root@DR210:~# cat /var/log/samba/log.wb-DOMAIN *
[2016/12/08 15:45:07.390920, 0]
../source3/libsmb/cliconnect.c:1895(cli_session_setup_spnego_send)
Kinit for DR210$@DOMAIN.LOCAL to access cifs/PF...@DOMAIN.LOCAL
failed: Cannot contact any KDC for requested realm
[2016/12/08 15:45:50.542327, 0]
../source3/winbindd/winbindd_dual.c:107(child_write_response)
Could not write result
[2016/12/08 15:51:04.684796, 0]
../source3/libsmb/cliconnect.c:1895(cli_session_setup_spnego_send)
Kinit for DR210$@DOMAIN.LOCAL to access
cifs/pfdc1.dom...@DOMAIN.LOCAL failed: Cannot contact any KDC for
requested realm
[2016/12/09 01:26:36.412240, 0]
../source3/winbindd/winbindd_dual.c:107(child_write_response)
Could not write result
[2016/12/09 06:52:13.917652, 0]
../source3/winbindd/winbindd_dual.c:107(child_write_response)
Could not write result
[2016/12/09 06:57:58.461614, 0]
../source3/winbindd/winbindd_dual.c:107(child_write_response)
Could not write result
[2016/12/09 06:58:33.361393, 0]
../source3/winbindd/winbindd_dual.c:107(child_write_response)
Could not write result

*root@DR210:~# cat /var/log/samba/winbindd.log*
[2016/12/08 15:42:02.257023, 0]
../source3/winbindd/winbindd_cache.c:3244(initialize_winbindd_cache)
initialize_winbindd_cache: clearing cache and re-creating with
version number 2
[2016/12/08 15:42:02.258867, 0]
../lib/util/become_daemon.c:124(daemon_ready)
STATUS=daemon 'winbindd' finished starting up and ready to serve
connections
[2016/12/08 15:44:17.333519, 1] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
tdb(/usr/local/samba/var/lock/mutex.tdb): tdb_lock failed on list 63
ltype=1 (Interrupted system call)
[2016/12/08 15:44:17.333569, 0]
../source3/lib/util_tdb.c:497(tdb_chainlock_with_timeout_internal)
tdb_chainlock_with_timeout_internal: alarm (40) timed out for key
PFDC1 in tdb /usr/local/samba/var/lock/mutex.tdb
[2016/12/08 15:44:17.333614, 1]
../source3/lib/server_mutex.c:97(grab_named_mutex)
Could not get the lock for PFDC1
[2016/12/08 15:44:17.333664, 0]
../source3/winbindd/winbindd_cm.c:1039(cm_prepare_connection)
cm_prepare_connection: mutex grab failed for PFDC1
[2016/12/08 15:45:50.041081, 1]
../source3/winbindd/winbindd.c:395(winbindd_sig_hup_handler)
Reloading services after SIGHUP
[2016/12/08 15:45:50.041662, 0]
../source3/winbindd/winbindd.c:279(winbindd_sig_term_handler)
Got sig[15] terminate (is_parent=1)
[2016/12/08 15:47:59.344472, 0]
../source3/winbindd/winbindd_cache.c:3244(initialize_winbindd_cache)
initialize_winbindd_cache: clearing cache and re-creating with
version number 2
[2016/12/08 15:47:59.386085, 0]
../lib/util/become_daemon.c:124(daemon_ready)
STATUS=daemon 'winbindd' finished starting up and ready to serve
connections
[2016/12/08 15:49:24.446952, 1] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
tdb(/usr/local/samba/var/lock/mutex.tdb): tdb_lock failed on list 31
ltype=1 (Interrupted system call)
[2016/12/08 15:49:24.446995, 0]
../source3/lib/util_tdb.c:497(tdb_chainlock_with_timeout_internal)
tdb_chainlock_with_timeout_internal: alarm (40) timed out for key
pfdc1.domain.local in tdb /usr/local/samba/var/lock/mutex.tdb
[2016/12/08 15:49:24.447031, 1]
../source3/lib/server_mutex.c:97(grab_named_mutex)
Could not get the lock for pfdc1.domain.local
[2016/12/08 15:49:24.447080, 0]
../source3/winbindd/winbindd_cm.c:1039(cm_prepare_connection)
cm_prepare_connection: mutex grab failed for pfdc1.domain.local
[2016/12/08 15:51:04.907004, 1]
../source3/winbindd/winbindd_cm.c:1065(cm_prepare_connection)
cli_negprot failed: NT_STATUS_CONNECTION_RESET


*root@DR210:~# ldconfig -v | grep "libnss_"*
/sbin/ldconfig.real: Path `/lib/x86_64-linux-gnu' given more than once
/sbin/ldconfig.real: Path `/usr/lib/x86_64-linux-gnu' given more than once
/sbin/ldconfig.real: /lib/x86_64-linux-gnu/ld-2.23.so is the dynamic
linker, ignoring

libnss_mdns.so.2 -> libnss_mdns.so.2
libnss_mdns6_minimal.so.2 -> libnss_mdns6_minimal.so.2
libnss_mdns4.so.2 -> libnss_mdns4.so.2
libnss_mdns_minimal.so.2 -> libnss_mdns_minimal.so.2
libnss_compat.so.2 -> libnss_compat-2.23.so
libnss_hesiod.so.2 -> libnss_hesiod-2.23.so
libnss_mdns6.so.2 -> libnss_mdns6.so.2
libnss_files.so.2 -> libnss_files-2.23.so
libnss_dns.so.2 -> libnss_dns-2.23.so
libnss_nisplus.so.2 -> libnss_nisplus-2.23.so
libnss_nis.so.2 -> libnss_nis-2.23.so
libnss_mdns4_minimal.so.2 -> libnss_mdns4_minimal.so.2


--
- James

Kevin Davidson via samba

Dec 9, 2016, 10:50:03 AM12/9/16

> On 9 Dec 2016, at 14:26, lingpanda101 via samba <sa...@lists.samba.org> wrote:
>
> Still no luck getting getent to retrieve user information. I have uid's and gid's setup for all users I am attempting to query.


But did you give Domain Users a gid? If you don’t do that, winbind and getent will not find any UNIX users (doesn’t matter if the users have a uid and gid within the range you’ve specified in smb.conf). It’s been a while since I had this problem - my memory is it’s not clearly mentioned in the wiki at all.


Kevin Davidson
Apple Certified System Administrator
Technical Director

t 01506 668674
m 07813 149620
w www.indigospring.co.uk

indigospring (Scotland) Ltd
Registered in Scotland No. SC398572
Registered office: 103 Oldwood Place, Livingston EH54 6US

Follow us on Twitter - twitter.com/indigospringIT <http://twitter.com/indigospringIT>
Members of the Apple Consultants Network - consultants.apple.com/uk <http://consultants.apple.com/uk>

http://www.indigospring.co.uk/terms-and-conditions

Rowland Penny via samba

Dec 9, 2016, 11:00:03 AM12/9/16
On Fri, 9 Dec 2016 15:23:24 +0000
Kevin Davidson via samba <sa...@lists.samba.org> wrote:

>
> > On 9 Dec 2016, at 14:26, lingpanda101 via samba
> > <sa...@lists.samba.org> wrote:
> >
> > Still no luck getting getent to retrieve user information. I have
> > uid's and gid's setup for all users I am attempting to query.
>
>
> But did you give Domain Users a gid? If you don’t do that, winbind
> and getent will not find any UNIX users (doesn’t matter if the users
> have a uid and gid within the range you’ve specified in smb.conf).
> It’s been a while since I had this problem - my memory is it’s not
> clearly mentioned in the wiki at all.
>

It is mentioned on the wiki, to be precise here:

https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites

Do you think it needs more emphasis?

Rowland

lingpanda101 via samba

Dec 9, 2016, 11:00:03 AM12/9/16
On 12/9/2016 10:23 AM, Kevin Davidson via samba wrote:
>> On 9 Dec 2016, at 14:26, lingpanda101 via samba <sa...@lists.samba.org> wrote:
>>
>> Still no luck getting getent to retrieve user information. I have uid's and gid's setup for all users I am attempting to query.
>
> But did you give Domain Users a gid? If you don’t do that, winbind and getent will not find any UNIX users (doesn’t matter if the users have a uid and gid within the range you’ve specified in smb.conf). It’s been a while since I had this problem - my memory is it’s not clearly mentioned in the wiki at all.
>
>
> Kevin Davidson
> Apple Certified System Administrator
> Technical Director
>
> t 01506 668674
> m 07813 149620
> w www.indigospring.co.uk
>
> indigospring (Scotland) Ltd
> Registered in Scotland No. SC398572
> Registered office: 103 Oldwood Place, Livingston EH54 6US
>
> Follow us on Twitter - twitter.com/indigospringIT <http://twitter.com/indigospringIT>
> Members of the Apple Consultants Network - consultants.apple.com/uk <http://consultants.apple.com/uk>
>
> http://www.indigospring.co.uk/terms-and-conditions
>
>
>
>
>

I do.

I had a Debian domain member joined to my ADDC successfully in the past
with the help from Rowland. For whatever reason Ubuntu is not playing
nice. I tried then with Ubuntu and couldn't get it to work either.

--
- James

Data Control Systems - Mike Elkevizth via samba

Dec 9, 2016, 11:10:04 AM12/9/16
Just to confirm that it can be done, I followed the wiki and joined my
Ubuntu 16.04 desktop to a Samba AD using the Ubuntu distro provided
packages. I'm not sure if it's relevant, but the Samba AD DCs are also
running Ubuntu 16.04 with the distro provided packages.

Mike E.


On Fri, Dec 9, 2016 at 10:55 AM, Rowland Penny via samba <

lingpanda101 via samba

Dec 9, 2016, 11:40:03 AM12/9/16
On 12/9/2016 11:00 AM, Data Control Systems - Mike Elkevizth via samba
wrote:
Does getent return data for a domain user?


--
- James

Data Control Systems - Mike Elkevizth via samba

Dec 9, 2016, 12:00:02 PM12/9/16
I believe it did, but I had issues with offline logins, so I stopped using
winbind and switched to sssd. I can confirm that it does work now with
sssd.

getent passwd mae
mae:*:3000:2001:Michael A. Elkevizth:/home/DCS/mae:/bin/bash

getent passwd row (disabled user)
row:*:3001:2001:Robert O. Webster:/home/DCS/row:/bin/false

Regards,

Mike E.


On Fri, Dec 9, 2016 at 11:32 AM lingpanda101 via samba <

Kevin Davidson via samba

Dec 9, 2016, 1:00:04 PM12/9/16

> On 9 Dec 2016, at 15:55, Rowland Penny via samba <sa...@lists.samba.org> wrote:
>
> On Fri, 9 Dec 2016 15:23:24 +0000
> Kevin Davidson via samba <sa...@lists.samba.org> wrote:
>
>>
>>> On 9 Dec 2016, at 14:26, lingpanda101 via samba
>>> <sa...@lists.samba.org> wrote:
>>>
>>> Still no luck getting getent to retrieve user information. I have
>>> uid's and gid's setup for all users I am attempting to query.
>>
>>
>> But did you give Domain Users a gid? If you don’t do that, winbind
>> and getent will not find any UNIX users (doesn’t matter if the users
>> have a uid and gid within the range you’ve specified in smb.conf).
>> It’s been a while since I had this problem - my memory is it’s not
>> clearly mentioned in the wiki at all.
>>
>
> It is mentioned on the wiki, to be precise here:
>
> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
>
> Do you think it needs more emphasis ?

I think I’d move it further up the list to be the first thing listed. As all the other requirements seem obvious to a UNIX admin (UNIX users must have a shell, homedir, uid and gid) it’s easy to miss this one non-obvious requirement that a group that is meaningless to UNIX admins also needs to be changed. There’s also no warning there that the primary group of users should be left as “Domain Users” and not changed to match what the UNIX admin regards as that user’s primary group. I think I’d expect UNIX admins to be reading that section and they may have little, no or wrong knowledge of AD and AD builtin groups.


Kevin Davidson
Apple Certified System Administrator
Technical Director

t 01506 668674
m 07813 149620
w www.indigospring.co.uk

indigospring (Scotland) Ltd
Registered in Scotland No. SC398572
Registered office: 103 Oldwood Place, Livingston EH54 6US

http://www.indigospring.co.uk/terms-and-conditions

--

Brian Candler via samba

Dec 9, 2016, 1:10:02 PM12/9/16
On 08/12/2016 18:14, Rowland Penny wrote:
> OK, you need to have these symlinks:
>
> ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so.2
> ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so
>
> ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so.2
> ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so

Aside: the way I normally handle this is to configure the loader path.
For example, to make the loader able to find all libraries in
/usr/local/samba/lib I would do:

echo "/usr/local/samba/lib" >/etc/ld.so.conf.d/samba.conf
ldconfig

which is easier than symlinking individual libraries.

But I've not needed this with Samba. If the binaries were built in-situ,
they know about the locations of the libraries they are linked against. e.g.

root@wrn-dc1:~# ldd /usr/local/samba/sbin/winbindd | head
linux-vdso.so.1 => (0x00007ffceb92a000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007f93429b2000)
libtevent-util.so.0 => /usr/local/samba/lib/libtevent-util.so.0
(0x00007f93427af000)
libMESSAGING-samba4.so =>
/usr/local/samba/lib/private/libMESSAGING-samba4.so (0x00007f93425a6000)
libcliauth-samba4.so =>
/usr/local/samba/lib/private/libcliauth-samba4.so (0x00007f934238f000)
libads-samba4.so => /usr/local/samba/lib/private/libads-samba4.so
(0x00007f9342160000)
libidmap-samba4.so =>
/usr/local/samba/lib/private/libidmap-samba4.so (0x00007f9341f4c000)
libndr-samba4.so => /usr/local/samba/lib/private/libndr-samba4.so
(0x00007f9341b7c000)
libnss-info-samba4.so =>
/usr/local/samba/lib/private/libnss-info-samba4.so (0x00007f9341978000)
libsamba-passdb.so.0 => /usr/local/samba/lib/libsamba-passdb.so.0
(0x00007f93416f0000)

Regards,

Brian.

Rowland Penny via samba

Dec 9, 2016, 1:30:04 PM12/9/16

Yes, Samba knows where they are, but nsswitch doesn't ;-)

Rowland

Rowland Penny via samba

Dec 9, 2016, 2:10:02 PM12/9/16
On Fri, 9 Dec 2016 17:54:29 +0000

I have altered the wiki page:

https://wiki.samba.org/index.php/Idmap_config_ad

Hopefully it is a bit more obvious now ;-)

Rowland

Kevin Davidson via samba

Dec 10, 2016, 3:40:03 AM12/10/16

!!!!! Yes, that's a little harder to miss now !!!!!

Sent from my iPhone

--

Kevin Davidson
Apple Certified System Administrator
Technical Director

t 01506 668674
m 07813 149620
w www.indigospring.co.uk

indigospring (Scotland) Ltd
Registered in Scotland No. SC398572
Registered office: 103 Oldwood Place, Livingston EH54 6US

Follow us on Twitter - twitter.com/indigospringIT

Members of the Apple Consultants Network - consultants.apple.com/uk

http://www.indigospring.co.uk/terms-and-conditions

Brian Candler via samba

Dec 10, 2016, 11:30:03 AM12/10/16
On 09/12/2016 15:55, Rowland Penny wrote:
>> But did you give Domain Users a gid? If you don’t do that, winbind
>> and getent will not find any UNIX users (doesn’t matter if the users
>> have a uid and gid within the range you’ve specified in smb.conf).
>> It’s been a while since I had this problem - my memory is it’s not
>> clearly mentioned in the wiki at all.
>>
> It is mentioned on the wiki, to be precise here:
>
> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
>
> Do you think it needs more emphasis ?

I think there's plenty of emphasis now, but I think there is a part
which is misleading:

> To enable Samba to retrieve user and group information from Active
Directory (AD):
>
> * Users must have at least the uidNumber and groups the gidNumber
attribute set.

As far as I can tell there is no need at all to set the gidNumber on the
user entry, at least not when using the winbind component of Samba.

By saying it has to be set, the implication is that it does something
useful. So the admin sets e.g.

uidNumber: 1000
gidNumber: 1000

and is surprised when the user's primary group is the gidNumber from
Domain Users (or that the user doesn't appear at all, if Domain Users
has no gidNumber)

I think it would be clearer like this:

"To enable Samba to retrieve user and group information from Active
Directory (AD):

* Users must have the uidNumber attribute set. When using the rfc2307
winbind NSS info mode, user accounts must also have the loginShell and
unixHomeDirectory set.

* The group which the user's PrimaryGroupID refers to (normally "Domain
Users") must have the gidNumber attribute set.

* It is recommended that you do not change any user's primaryGroupID.
Windows expects all the users primary group to be "Domain Users". This
implies that all Unix logins will use the same primary gid.

* The user and group IDs must be within the range configured in the
smb.conf for this domain.
...etc"

Regards,

Brian.

Brian Candler via samba

Dec 11, 2016, 9:10:02 AM12/11/16
On 10/12/2016 16:25, Brian Candler wrote:
> I think there's plenty of emphasis now, but I think there is a part
> which is misleading:
>
> > To enable Samba to retrieve user and group information from Active
> Directory (AD):
> >
> > * Users must have at least the uidNumber and groups the gidNumber
> attribute set.

I'm so sorry: I misread this as "Users must have at least the uidNumber
and gidNumber attribute set", which is of course *not* what it says.
Hence the text is accurate (if you read it correctly); it's my brain
which is at fault.

I do still think that the alternative text I gave is clearer - for my
brain anyway :-)

lingpanda101 via samba

Dec 12, 2016, 3:00:08 PM12/12/16
On 12/11/2016 8:59 AM, Brian Candler via samba wrote:
> On 10/12/2016 16:25, Brian Candler wrote:
>> I think there's plenty of emphasis now, but I think there is a part
>> which is misleading:
>>
>> > To enable Samba to retrieve user and group information from Active
>> Directory (AD):
>> >
>> > * Users must have at least the uidNumber and groups the gidNumber
>> attribute set.
>
> I'm so sorry: I misread this as "Users must have at least the
> uidNumber and gidNumber attribute set", which is of course *not* what
> it says. Hence the text is accurate (if you read it correctly); it's
> my brain which is at fault.
>
> I do still think that the alternative text I gave is clearer - for my
> brain anyway :-)
>
> Regards,
>
> Brian.
>
>

OK I have progress....

I needed to disable avahi. Totally forgot about this. Probably should be
added to the wiki for folks who are stuck with .local domains at the moment.

vi /etc/nsswitch.conf

#hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

hosts: files dns

I heard changing the avahi suffix might work as well but didn't confirm.
I couldn't ping my DC's FQDN until I disabled it either. The strange
thing is

'getent passwd user'

returns nothing still. However if I use

'getent passwd us...@DOMAIN.LOCAL'

It works and returns expected results. Any reason why?

--
- James

lingpanda101 via samba

Dec 12, 2016, 3:30:02 PM12/12/16
On 12/11/2016 8:59 AM, Brian Candler via samba wrote:
> On 10/12/2016 16:25, Brian Candler wrote:
>> I think there's plenty of emphasis now, but I think there is a part
>> which is misleading:
>>
>> > To enable Samba to retrieve user and group information from Active
>> Directory (AD):
>> >
>> > * Users must have at least the uidNumber and groups the gidNumber
>> attribute set.
>
> I'm so sorry: I misread this as "Users must have at least the
> uidNumber and gidNumber attribute set", which is of course *not* what
> it says. Hence the text is accurate (if you read it correctly); it's
> my brain which is at fault.
>
> I do still think that the alternative text I gave is clearer - for my
> brain anyway :-)
>
> Regards,
>
> Brian.
>
>

OK finally solved. Added to my smb.conf

'winbind use default domain = yes'

Disabling Avahi and using the above was the issue. Next to attempt
actually signing in from the login screen and not via SSH.

--
- James
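The two fixes James arrived at in his last two messages are both things a script can check before anyone stares at winbindd.log again: a `hosts:` line in nsswitch.conf where `mdns4_minimal [NOTFOUND=return]` sits in front of `dns` never lets a `.local` realm reach the DC's DNS, and without `winbind use default domain = yes` a bare user name does not resolve while `user@DOMAIN.LOCAL` does. The following is an added example, not code from the Samba wiki or from anyone on the thread; it reads constructed copies of the nsswitch.conf and smb.conf lines posted above and reports both conditions, with the corrected `hosts:` line as the suggestion.

```python
"""Audit the two settings that resolved the lookups in this thread: the
mdns4_minimal entry in nsswitch.conf that stops .local names from ever
reaching DNS, and 'winbind use default domain'.

Added example, not code from the Samba wiki or from anyone on the thread.
The nsswitch.conf and smb.conf texts are constructed copies of what was
posted; the functions can be fed the real files.
"""
import re
from typing import List, Optional

# Constructed: the Ubuntu default hosts line as posted earlier in the thread
NSSWITCH_BEFORE = """\
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files mdns4_minimal [NOTFOUND=return] dns
"""

# Constructed: the hosts line after the fix
NSSWITCH_AFTER = """\
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
"""

# Constructed smb.conf fragment with the setting from the final message
SMB_CONF = """
[global]
    security = ADS
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    winbind use default domain = yes
"""


def nss_sources(nsswitch: str, database: str) -> List[str]:
    """Tokens after 'database:' in nsswitch.conf (sources and [actions])."""
    for raw in nsswitch.splitlines():
        line = raw.split("#", 1)[0].strip()
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            return rest.split()
    return []


def smb_param(smb_conf: str, name: str) -> Optional[str]:
    """Value of a [global] parameter; smb.conf ignores case and spaces in names."""
    words = [re.escape(w) for w in name.split()]
    pat = re.compile(r"^\s*" + r"\s*".join(words) + r"\s*=\s*(.*?)\s*$",
                     re.IGNORECASE | re.MULTILINE)
    m = pat.search(smb_conf)
    return m.group(1) if m else None


def strip_mdns(sources: List[str]) -> List[str]:
    """Drop mdns* sources and the [action] that immediately follows one."""
    out, skip_action = [], False
    for tok in sources:
        if tok.startswith("mdns"):
            skip_action = True
        elif skip_action and tok.startswith("["):
            skip_action = False
        else:
            skip_action = False
            out.append(tok)
    return out


def audit(nsswitch: str, smb_conf: str) -> List[str]:
    findings = []
    realm = smb_param(smb_conf, "realm") or ""
    hosts = nss_sources(nsswitch, "hosts")
    # mdns4_minimal claims every .local name; [NOTFOUND=return] then ends the
    # lookup before 'dns' is consulted, so the DC is never asked
    if realm.lower().endswith(".local") and "mdns4_minimal" in hosts:
        i = hosts.index("mdns4_minimal")
        stops = i + 1 < len(hosts) and hosts[i + 1].lower() == "[notfound=return]"
        if stops and "dns" in hosts[i + 2:]:
            findings.append(
                f"ERROR: hosts line resolves {realm} via mDNS and returns before "
                f"'dns'; suggested: hosts: {' '.join(strip_mdns(hosts))}")
    for db in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch, db):
            findings.append(f"ERROR: '{db}' has no winbind source in nsswitch.conf")
    use_default = (smb_param(smb_conf, "winbind use default domain") or "no").lower()
    if use_default not in ("yes", "true", "1"):
        findings.append("INFO: 'winbind use default domain' is off; bare user "
                        "names will not resolve, use DOMAIN\\user or user@REALM")
    return findings


if __name__ == "__main__":
    print(audit(NSSWITCH_BEFORE, SMB_CONF))
    print(audit(NSSWITCH_AFTER, SMB_CONF))
```

Disabling the avahi-daemon service (or removing the mdns entries as above) is the coarse fix; the check only fires when the realm actually ends in `.local`, since on any other TLD the mDNS entry is harmless.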

lingpanda101 via samba

Dec 13, 2016, 3:00:03 PM12/13/16
On 12/12/2016 3:27 PM, lingpanda101 wrote:
> On 12/11/2016 8:59 AM, Brian Candler via samba wrote:
>> On 10/12/2016 16:25, Brian Candler wrote:
>>> I think there's plenty of emphasis now, but I think there is a part
>>> which is misleading:
>>>
>>> > To enable Samba to retrieve user and group information from Active
>>> Directory (AD):
>>> >
>>> > * Users must have at least the uidNumber and groups the gidNumber
>>> attribute set.
>>
>> I'm so sorry: I misread this as "Users must have at least the
>> uidNumber and gidNumber attribute set", which is of course *not* what
>> it says. Hence the text is accurate (if you read it correctly); it's
>> my brain which is at fault.
>>
>> I do still think that the alternative text I gave is clearer - for my
>> brain anyway :-)
>>
>> Regards,
>>
>> Brian.
>>
>>
>
> OK finally solved. Added to my smb.conf
>
> 'winbind use default domain = yes'
>
> Disabling Avahi and using the above was the issue. Next to attempt
> actually signing in from the login screen and not via SSH.
>
>
>

Following the wiki, I'm stuck at 'Authenticating Domain Users Using
PAM'. I see the section

If you have compiled Samba, you need to add symbolic links. See
pam_winbind Link <https://wiki.samba.org/index.php/Pam_winbind_Link> for
OS-specific information on where to place it.


If I follow the link it appears to take me to a page similar to
'libnss_winbind' linking. I don't see any difference. I ran
'pam-auth-update' and made sure to enable Winbind NT/Active Directory
authentication. I did not manually edit pam config files. If I attempt
to login with a domain account I get

user1@DR210:/$ su domainuser

Password:

su: Authentication failure


Any ideas? Thanks.

Rowland Penny via samba

Dec 13, 2016, 3:50:04 PM
On Tue, 13 Dec 2016 14:57:59 -0500

lingpanda101 via samba <sa...@lists.samba.org> wrote:

Give that man a prize: the only difference between the 'Libnss winbind
Links' page and the 'Pam winbind Link' page is the title; they both
refer to setting up the libnss_winbind lib.

I will fix it, not sure how because the links should probably all be on
one page.

> 'pam-auth-update' and made sure to enable Winbind NT/Active Directory
> authentication. I did not manually edit pam config files. If I
> attempt to login with a domain account I get
>
> user1@DR210:/$ su domainuser
>
> Password:
>
> su: Authentication failure
>
>
> Any ideas? Thanks.
>
>

You need three extra links:

ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so
ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so.2
ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so

You also need a file /usr/share/pam-configs/winbind

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore] pam_winbind.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_winbind.so use_authtok try_first_pass
Password-Initial:
[success=end default=ignore] pam_winbind.so
Session-Type: Additional
Session:
optional pam_winbind.so

You will also need to install libpam-krb5

Finally check that the 'passwd' and 'group' lines in /etc/nsswitch.conf
have 'winbind' in them.

Rowland

lingpanda101 via samba

Dec 14, 2016, 11:50:04 AM
Rowland,

Success!

I'll post a few observations during this adventure.

Incorrect case on this page
https://wiki.samba.org/index.php/Libnss_winbind_Links for smbd -B.
Should be lowercase b.

smbd -b | grep LIBDIR
LIBDIR: /usr/local/samba/lib/

I could not retrieve users or groups unless I added

'winbind use default domain = yes'

in my smb.conf file. It's not listed in the wiki on this page
https://wiki.samba.org/index.php/Idmap_config_ad as being optional or
required. Did I do something wrong or should this be added to the wiki?
Without it I would need to explicitly define it when using

id us...@DOMAIN.LOCAL

I was unable to ping my DC when using its FQDN. The fix was to disable
Avahi in my nsswitch.conf file. This was due to using .local for my domain.

#hosts: files mdns4_minimal [NOTFOUND=return] dns

hosts: files dns

Should this be added to the troubleshooting section of the wiki?

These three links also needed to be created. Not in the wiki that I've seen.

ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so
ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so.2
ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so

I installed libpam-winbind that created this file

'/usr/share/pam-configs/winbind'

I didn't need to manually create it as suggested. However, doing so created
the following file

'/lib/x86_64-linux-gnu/security/pam_winbind.so'

I had to rename and create the link you suggested.

ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so

Hopefully this helps others who attempt to join Ubuntu. Now I will
attempt to login from the GUI.

--
- James
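
An added example, not code from this thread or from the Samba project: a POSIX sh audit of the three things James's list above shows going wrong on a source-built Samba member (the hosts order and the passwd/group sources in nsswitch.conf, the 'winbind use default domain' setting in smb.conf, and the links from LIBDIR into the multiarch directory). The paths /usr/local/samba/lib and /lib/x86_64-linux-gnu are taken from the posts; the libnss_winbind.so.2 link is added on top of Rowland's three because it is the library the 'winbind' source in nsswitch.conf actually loads; every file the checks read is supplied by the caller, and the sample files used to exercise it are constructed. Two caveats worth knowing: mdns4_minimal ahead of dns is not only a breakage with a .local realm, it also means the DC's name is first asked over multicast, which any host on the link can answer, so keeping dns ahead (or not using .local at all) has a security side; and 'winbind use default domain = yes' makes an unqualified name ambiguous as soon as the host can see more than one domain.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Samba project.
# Audits what the posts above show going wrong on a source-built Samba AD
# member running Ubuntu. Paths are the ones from the thread:
#   LIBDIR  /usr/local/samba/lib        (smbd -b | grep LIBDIR)
#   SYSLIB  /lib/x86_64-linux-gnu       (multiarch directory)
# The libnss_winbind.so.2 link is an addition to Rowland's three: it is the
# library the 'winbind' source in nsswitch.conf actually loads.

# 0 if the active 'hosts:' line reaches 'dns' before an
# 'mdns4_minimal [NOTFOUND=return]' pair, else 1. With a .local realm the
# mDNS plugin answers "not found" for the DC's FQDN and the lookup stops
# there, so dns is never asked.
nss_hosts_ok() {
    awk '
        /^[ \t]*hosts:/ && !seen {
            seen = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "dns") { ok = 1; break }
                if ($i == "mdns4_minimal" && $(i + 1) == "[NOTFOUND=return]") break
            }
        }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# 0 if database $2 (passwd or group) in nsswitch.conf $1 lists winbind, else 1.
nss_db_has_winbind() {
    awk -v db="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# 0 if [global] in smb.conf $1 sets 'winbind use default domain' to a true
# value, else 1. Names and values are matched case-insensitively and the
# last occurrence wins, as in Samba's own parser.
smb_default_domain_set() {
    awk '
        { line = tolower($0); sub(/[;#].*/, "", line) }
        line ~ /^[ \t]*\[global\][ \t]*$/ { inglobal = 1; next }
        line ~ /^[ \t]*\[/                { inglobal = 0; next }
        inglobal && line ~ /^[ \t]*winbind use default domain[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t]*$/, "", line)
            set = (line == "yes" || line == "true" || line == "1")
        }
        END { exit (set ? 0 : 1) }
    ' "$1"
}

# 0 if every link from LIBDIR $1 into SYSLIB $2 exists and is not dangling,
# else 1; each problem is reported on stderr.
winbind_links_ok() {
    missing=0
    for pair in \
        "$1/libnss_winbind.so.2:$2/libnss_winbind.so.2" \
        "$1/libnss_wins.so.2:$2/libnss_wins.so" \
        "$1/libnss_wins.so.2:$2/libnss_wins.so.2" \
        "$1/security/pam_winbind.so:$2/security/pam_winbind.so"
    do
        target=${pair%%:*}
        link=${pair#*:}
        if [ ! -L "$link" ] || [ ! -e "$link" ]; then
            echo "missing or dangling link: $link -> $target" >&2
            missing=1
        fi
    done
    return $missing
}

# Run every check. Arguments: nsswitch.conf, smb.conf, LIBDIR, SYSLIB.
audit_member() {
    fails=0
    nss_hosts_ok "$1"              || { echo "hosts: mdns4_minimal [NOTFOUND=return] precedes dns in $1"; fails=1; }
    nss_db_has_winbind "$1" passwd || { echo "passwd: no winbind source in $1"; fails=1; }
    nss_db_has_winbind "$1" group  || { echo "group: no winbind source in $1"; fails=1; }
    smb_default_domain_set "$2"    || { echo "smb.conf: 'winbind use default domain = yes' not set in [global] of $2"; fails=1; }
    winbind_links_ok "$3" "$4"     || fails=1
    return $fails
}

if [ $# -eq 4 ]; then
    audit_member "$@"
fi
```

Run it as `sh audit-member.sh /etc/nsswitch.conf /usr/local/samba/etc/smb.conf /usr/local/samba/lib /lib/x86_64-linux-gnu` (the smb.conf path is the source-build default and an assumption here); each failing check prints one line and the script exits non-zero. It only reads files, so it complements rather than replaces `wbinfo -t` and `getent passwd DOMAIN\\user`, which exercise winbindd itself.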

Rowland Penny via samba

Dec 14, 2016, 12:20:05 PM
On Wed, 14 Dec 2016 11:37:10 -0500
lingpanda101 via samba <sa...@lists.samba.org> wrote:

>
> Success!
>
> I'll post a few observations during this adventure.
>
> Incorrect case on this page
> https://wiki.samba.org/index.php/Libnss_winbind_Links for smbd -B.
> Should be lowercase b.
>
> smbd -b | grep LIBDIR
> LIBDIR: /usr/local/samba/lib/

Changed.

>
> I could not retrieve users or groups unless I added
>
> 'winbind use default domain = yes'
>
> in my smb.conf file. It's not listed in the wiki on this page
> https://wiki.samba.org/index.php/Idmap_config_ad as being optional or
> required. Did I do something wrong or should this be added to the
> wiki? Without it I would need to explicitly define it when using
>
> id us...@DOMAIN.LOCAL

What 'winbind use default domain' does is to make it so you do not need
the domain name in any call to getent etc. Without it, you would need
to run something like 'getent passwd SAMDOM\\rowland'. I will check
the wiki and if needs adding, I will do so.

>
> I was unable to ping my DC when using its FQDN. The fix was to
> disable Avahi in my nsswitch.conf file. This was due to using .local
> for my domain.
>
> #hosts: files mdns4_minimal [NOTFOUND=return] dns
>
> hosts: files dns
>
> Should this be added to the troubleshooting section of the wiki?

The wiki does tell you not to use .local, perhaps it needs to be said more
forcefully?

>
> These three links also needed to be created. Not in the wiki that I
> seen.
>
> ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so
> ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so.2
> ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so
>

It did have them at one time, unfortunately an error crept in, but I
think it will be fixed very shortly.

> I installed libpam-winbind that created this file
>
> '/usr/share/pam-configs/winbind'
>
> I didn't need to manually create as suggested. However doing so
> created the following file
>
> '/lib/x86_64-linux-gnu/security/pam_winbind.so'
>
> I had to rename and create the link you suggested.
>
> ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so
>

The contents of libpam-winbind boil down to two files, the file I
posted and the .so file. The only problem with the way you did it is
that if 'libpam-winbind' gets updated, your .so link will get replaced
and this will probably lead to problems. I would suggest you remove the
package.

> Hopeful this helps others who attempt to join to Ubuntu. Now I will
> attempt to login from the GUI.

This should work, well it works for me ;-)

Rowland

lingpanda101 via samba

Dec 14, 2016, 1:20:03 PM
Comments inline

On 12/14/2016 12:15 PM, Rowland Penny via samba wrote:
> On Wed, 14 Dec 2016 11:37:10 -0500
> lingpanda101 via samba <sa...@lists.samba.org> wrote:
>
>> I was unable to ping my DC when using its FQDN. The fix was to
>> disable Avahi in my nsswitch.conf file. This was due to using .local
>> for my domain.
>>
>> #hosts: files mdns4_minimal [NOTFOUND=return] dns
>>
>> hosts: files dns
>>
>> Should this be added to the troubleshooting section of the wiki?
> The wiki does tell you not to use .local, perhaps it needs to be said more
> forcefully?

Unfortunately it's an existing domain I provisioned during the Samba 4.0
release, and I used .local. I think the wiki now makes it clear not to
provision new domains with it. Maybe add to the troubleshooting section?


>
>
>> I installed libpam-winbind that created this file
>>
>> '/usr/share/pam-configs/winbind'
>>
>> I didn't need to manually create as suggested. However doing so
>> created the following file
>>
>> '/lib/x86_64-linux-gnu/security/pam_winbind.so'
>>
>> I had to rename and create the link you suggested.
>>
>> ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so
>>
> The contents of libpam-winbind boil down to two files, the file I
> posted and the .so file. The only problem with the way you did it is
> that if 'libpam-winbind' gets updated, your .so link will get replaced
> and this will probably lead to problems. I would suggest you remove the
> package.

I didn't think about the update replacing the link. I will remove the
package and manually create the file. Hopefully it doesn't break anything.

>
>
>> Hopeful this helps others who attempt to join to Ubuntu. Now I will
>> attempt to login from the GUI.
> This should work, well it works for me ;-)
>
> Rowland
>
>
>

I couldn't initially login from the GUI. I had to run 'pam-auth-update'
again and enable 'Create home directory on login'. Now everything works
as expected.


--
- James
