Web lists-archives.com

Re: [Samba] Attempting a trust between Samba and Windows AD DC




Hi all,

I didn't have much luck getting SSSD to work so I'm currently testing out
the following:

Built a new member server from source on Ubuntu 16.04. I used the following
./configure statement:

./configure --enable-fhs --prefix=/usr --sysconfdir=/etc
--localstatedir=/var --libdir=/usr/lib/x86_64-linux-gnu

This seems to install nicely onto Ubuntu and puts everything in the right
place. Winbind works well which is what I've always had problems with in
the past.

My current smb.conf on the Domain member looks like this:

[global]
        netbios name = FS-007
        security = ADS
        workgroup = EXAMPLE
        realm = ADS.EXAMPLE.COM

        log file = /var/log/samba/%m.log
        log level = 7

        idmap config * : backend = tdb
        idmap config * : range = 200-499

        idmap config EXAMPLE:backend = ad
        idmap config EXAMPLE:schema_mode = rfc2307
        idmap config EXAMPLE:range = 500-400000
        idmap config EXAMPLE:unix_nss_info = yes
        idmap config EXAMPLE:unix_primary_group = yes

        idmap config EXTERNAL : backend = rid
        idmap config EXTERNAL : range = 400001-99999999

        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U

#       allow trusted domains = yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
#       kerberos method = secrets and keytab

        client signing = yes
        client use spnego = yes


        vfs objects = acl_xattr,full_audit
        server signing = mandatory

        # VFS settings
        full_audit:prefix = %u|%I|%m|%S
        full_audit:success = mkdir rename unlink rmdir pwrite
        full_audit:failure = none
        full_audit:facility = local7
        full_audit:priority = notice

        map acl inherit = yes
        store dos attributes = yes


##SHARES

[test]
        path = /data/test/
        read only = no


This gives me good connectivity on the EXAMPLE domain, wbinfo and getent
work nicely and are returning correct values.

Not much luck getting EXTERNAL domain to work though. A trust exists
between the two forests and Kerberos and DNS are all working ok.

"wbinfo -u --domain EXTERNAL" returns users as does "wbinfo -g --domain
EXTERNAL" return groups. However, I cannot get getent to give me anything.

The EXAMPLE domain is a group of Samba 4.6.3 DC's (about 10 of them, all
replicating ok).

The EXTERNAL domain is a new Windows AD DC running Windows Server 2008 R2,
I've also added a new Samba 4.7.2 to this domain which is replicating
nicely.

I've tried both rid and ad on the EXTERNAL domain with no luck.

I've installed Server for NIS on the Windows Server 2008 R2 AD DC and added
NIS info there (this was for testing using ad on idmap), but no joy.

Any pointers most appreciated.

Thanks,
Chris.



On 7 November 2017 at 15:47, Chris Alavoine <chrisa@xxxxxxxxxxxxxx> wrote:

> Hi Rowland,
>
> Thanks for the swift response.
>
> I'm not married to SSSD and am happy to use the best tool for the job, but
> was just looking for some general advice on my situation.
>
> I'll post on the sssd-users mailing as well.
>
> Thanks,
> Chris.
>
> On 7 November 2017 at 15:38, Rowland Penny <rpenny@xxxxxxxxx> wrote:
>
>> On Tue, 7 Nov 2017 15:06:55 +0000
>> Chris Alavoine via samba <samba@xxxxxxxxxxxxxxx> wrote:
>>
>> > Hi all,
>> >
>> > We are about to integrate a large number of users into our
>> > organisation and I've been tasked with attempting to allow said users
>> > access to our internal systems which are controlled from 10 x Samba
>> > 4.6.3 DC's across several sites.
>> >
>> > All Samba DC's are running either Ubuntu 14.04 or 16.04.
>> >
>> > Replication works nicely between these DC's and this system has been
>> > relatively stable for some time now. We use BIND_DLZ as our DNS
>> > backend.
>> >
>> > The new users will be being created on a Windows Server 2016 AD DC
>> > and I've created a trust between the 2 domains (which has validated
>> > at both ends). wbinfo returns useful information for each domain and
>> > I've got SSSD working from a member server. I can assign rights to a
>> > share on a member server from the trusted domain and all looks good.
>> > However, I am unable to access the shares on our member servers
>> > (fileservers) as one of the new external users. It feels like I'm
>> > quite close but I am either missing something very obvious or going
>> > about it in the wrong way.
>> >
>> > All member servers are running Ubuntu and at least Samba 4.6.3 (some
>> > of them newer). I've created a test member server for me to test
>> > things out on. I am currently testing with SSSD as it allows multiple
>> > domains to be declared. My smb.conf currently looks like this:
>> >
>> > [global]
>> >    netbios name = FS-006
>> >    security = ADS
>> >    realm = EXAMPLE.COM
>> >    workgroup = EXAMPLE
>> >
>> >    allow trusted domains = yes
>> >
>> >    log file = /var/log/samba/%m.log
>> >
>> >    kerberos method = secrets and keytab
>> >
>> >    idmap config *:backend = tdb
>> >    idmap config *:range = 500-2000
>> >    idmap config EXAMPLE:backend = ad
>> >    idmap config EXAMPLE:schema_mode = rfc2307
>> >    idmap config EXAMPLE:range = 10000-9999999
>> >    idmap config EXTERNAL:backend = ad
>> >    idmap config EXTERNAL:schema_mode = rfc2307
>> >    idmap config EXTERNAL:range = 10000000-99999999999
>>
>> If you are running sssd and using it for authentication, then the above
>> 'idmap config' is useless.
>> If you want to continue using sssd, then can I suggest asking on the
>> sssd-users mailing list, sssd has nothing to do with Samba.
>>
>> Rowland
>>
>
>
>
> --
> ACS (Alavoine Computer Services Ltd)
> Chris Alavoine
> mob +44 (0)7724 710 730 <07724%20710730>
> www.alavoinecs.co.uk
> http://twitter.com/#!/alavoinecs
> http://www.linkedin.com/pub/chris-alavoine/39/606/192
>



-- 
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba