Web lists-archives.com

Re: [Samba] Opensolaris-ish joins but does not seem to be valid




On Tue, 10 Oct 2017 11:28:09 -0500 (CDT)
Andrew Martin <amartin@xxxxxxxxxxx> wrote:


> > 
> > Is this from the Opensolaris-ish machine ?
> > 
> > I expected to see a smb.conf file from a Unix domain member.
> > 
> > If it is from the machine where you are getting '[NT
> > AUTHORITY]\[ANONYMOUS LOGON]', then can you try 'getent passwd
> > username'. By default winbind doesn't enumerate users and groups.
> 
> Running "getent passwd username" does not return anything on the
> client machine.

Then you have a problem, your users and groups seem to be unknown to
the underlying OS.
 
> The Solaris CIFS service, aka smb/server, is joined to the domain
> with "smbadm join -u Administrator example.com" and once joined you
> can query AD users using "idmap show -cV user@xxxxxxxxxxx". By
> default, idmapd uses "Ephemeral mapping", so AD users are represented
> locally by a randomly-chosen, high-numbered uid rather than their
> actual uid as stored in uidNumber or elsewhere in AD. This is
> undesirable, so we have reconfigured idmap to use
> "directory-based mapping" instead:
> http://docs.oracle.com/cd/E22471_01/html/820-4167/configuration__services__identity_mapping.html
> https://docs.oracle.com/cd/E19120-01/open.solaris/820-2429/configuredirbasedmapping/index.html
> 

If you provisioned the Samba AD DC with --use-rfc2307, then I think you
should have gone with the IDMU mapping, what we call around here
'RFC2307'. By using this, you will doing something very similar to
using the winbind 'ad' backend and will be able to use RSAT on a WIN 7
or 8.1 to admin it.
 
> 
> This allows us to set some properties in idmap to tell it which AD
> attribute (CN) to query to find out how to map AD users to local
> users: svccfg -s svc:/system/idmap setprop
> config/ad_unixgroup_attr=astring: cn svccfg -s svc:/system/idmap
> setprop config/ad_unixuser_attr=astring: cn svccfg -s
> svc:/system/idmap setprop config/directory_based_mapping=astring:
> name svcadm refresh idmap
> 
> 
> At this point smb/server and idmap should be able to look up AD users
> and map them to a local user whose username is the same as the user's
> CN field in AD. We then populate all of the AD users in the local
> nsswitch database by running "ldapclient" and telling it which AD
> attributes to map to each property in the nsswitch database:
> https://docs.oracle.com/cd/E23824_01/html/821-1455/clientsetup-49.html

If Opensolaris is like Linux, you will not need local users, as your
windows users can be made to be Unix users as well.
 
> 
> 
> We have two problems, both of which I think may be related to the same
> underlying issue of not being able to communicate with the Samba DC:
> * idmap cannot query user's CN values for "directory-based mapping"
> * ldapclient cannot query users to populate the nsswitch database
> 
> 
> I think both of these are related to the "sasl/GSSAPI bind" error that
> Mike mentioned; previously on Samba 4.0.6, this client was able to
> make these queries successfully, but now on Samba 4.7.0 these queries
> require that we manually kinit on the client before the GSSAPI 
> authentication is allowed. Has something changed with how GSSAPI
> authentication or host Kerberos tickets are issued? Can we still allow
> the old behavior with a smb.conf config option?

There have been a lot of changes between 4.0.6 and 4.7.0, to many to
mention, have a look here:

https://wiki.samba.org/index.php/Samba_Features_added/changed_%28by_release%29

If this was Samba running on Opensolaris, I could talk you through
setting up very easily, but I don't have an Opensolaris machine and have
never used it, so I can only advise you on what I would try.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba