Web lists-archives.com

Re: [Samba] Fwd: Migrating server




Hi Louis,

Thank you

Holiday eh!. I thought people who work in "IT" are not allowed to have
holidays. Beer and Samba sounds like an interesting combination......

Will comment on the rest of the section later.

RT

On Sat, Mar 3, 2018 at 9:27 AM, L.P.H. van Belle via samba <
samba@xxxxxxxxxxxxxxx> wrote:

> hai, im still on holiday but i did see some things a bit, also in addition
> about the smb.conf
>
> in classic mode dns forwarder is predecated, so i suggest avoiding the
> option.
>
> this part, you set ssl off but also set the ports to the ssl ports.
>
> ldap ssl = off
> ldap passwd sync = yes
>
> /etc/ldap/ldap.conf
> BASE    dc=mydomain
> URI     ldap://sam3dc.mydomain ldap://sam3dc.mydomain:666
>
> use
> URI ldaps://sam3dc.mydomain
> or ldaps://sam3dc.mydomain:666
> and ldap ssl = on.
>
>
> long a go i write a classic on a debian sarge, there might be still some
> parts useable to help you in your setup, if a classic setup is a must.
>
> google, big samba howto debian only. should popup in top 10, it was posted
> on the samba list, (around 2005-2007), if i recall it right.
>
> i used smbldap-tools also but as Rowland said not really useable.
>
> Now, i missed the part why a classic setup is needed.
> but what i would do is, just because it give you the same  options, but
> avoid the a  problem when ms removes the classic support from win10, that
> will happen, just because ms is keeping improving security setting.
> just my thought here.
>
> why not.
> install a dc with internal dns.
> and use the phpldapadmin tools in place of smbldap-tools to manage it.
>
> an other i liked was ldapadmin, small windows tool but with nice plugin, i
> dont know the current state.
>
> let win 10 use the dc funtions, and other client use ldap where.needed,
> that part is still the same a classic setup, and preffered ldaps imo.
>
> Again i missed the part why the classics setup here..
> but i hope you can use something of it.
> Typing without glasses on me phone is not funny... ;-)
> The beer is not helping also... :-))
>
>
> Greetz,
>
> Louis
>
>
> > Op 2 mrt. 2018 om 20:00 heeft Harry Jede via samba <
> samba@xxxxxxxxxxxxxxx> het volgende geschreven:
> >
> > Hi Rob,
> > please stay on list. Otherwise I will charge you :-)
> > By the way I have no problem to get payed.
> >
> >> Hi Harry,
> >>
> >> The one very obvious difference is the result of this command: #
> >> ldapsearch -xLLL -b dc=afrika,dc=xx -s sub -D
> >> cn=admin,dc=afrika,dc=xx -w 'sambadomainname=*'
> >> dn: sambaDomainName=SCHULE,dc=afrika,dc=xx
> >>
> >> I get dn: sambaDomainName=MYDOMAIN, dc=mydomain which is different ,
> >> should it be MYDOMAIN dc=sam3dc?
> > I hope you have got the first line, the second will never work:
> > dn: sambaDomainName=MYDOMAIN,dc=mydomain
> > dn: sambaDomainName=MYDOMAIN, dc=mydomain
> >
> > The difference is just one space. Remember ldap is white space
> sensitive!!!
> >
> > You may get trouble with some dns resolver libs, because you use only
> one "domain component". Search for ndots...
> > You may also get trouble with certificate name validation for SSL/TLS
> hosts.
> >
> >> sambaDomainName: MYDOMAIN
> >> sambaSID: S-1-5-21-3936576374-1604338294-181246221
> >> sambaAlgorithmicRidBase: 1000
> >> objectClass: sambaDomain
> > I prefer to add here an auxiliary objectclass: sambaUnixIdPool
> > More later on
> >
> >> sambaNextUserRid: 1000
> >> sambaMinPwdLength: 5
> >> sambaPwdHistoryLength: 0
> >> sambaLogonToChgPwd: 0
> >> sambaMaxPwdAge: -1
> >> sambaMinPwdAge: 0
> >> sambaLockoutDuration: 30
> >> sambaLockoutObservationWindow: 30
> >> sambaLockoutThreshold: 0
> >> sambaForceLogoff: -1
> >> sambaRefuseMachinePwdChange: 0
> >> sambaNextRid: 1002
> >>
> >>
> >>
> >>
> >> ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config
> >> 'olcAttributeTypes=*' dn
> >> SASL/EXTERNAL authentication started
> >> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> >> SASL SSF: 0
> >> dn: cn=schema,cn=config
> >>
> >> dn: cn={0}core,cn=schema,cn=config
> >>
> >> dn: cn={1}cosine,cn=schema,cn=config
> >>
> >> dn: cn={2}nis,cn=schema,cn=config
> >>
> >> dn: cn={3}inetorgperson,cn=schema,cn=config
> >>
> >> dn: cn={4}samba,cn=schema,cn=config
> > That is the minimum you need. So it is OK.
> >
> >>
> >> ldapsearch -xLLL -s base -b dc=mydomain
> >> dn: dc=mydomain
> >> objectClass: top
> >> objectClass: dcObject
> >> objectClass: organization
> >> o: mydomain
> >> dc: mydomain
> > OK
> >
> >>
> >>
> >>
> >> The one thing I found is that when I tried to add a new Win10 machine
> >> to the domain, I got wrong password. The login details I entered is
> >> for a admin account. I then changed the password using smbpasswd and
> >> then I got the machine was joined with another account error message
> > OK. But what error message? What command?
> > Please post the resulting machine account.
> >
> > You should first try a win 7 machine. From win 7 to current win 10
> > the default settings for smb protocol has changed. Thanks to wanna cry.
> > Maybe "max protocol = NT1" will help. But read man smb.conf section:
> > client max protocol. Depending on the used clients you should go with
> > the highest protocol level!!!
> >
> >> The other bits are similar to yours. Here is the smb.conf
> >>
> >>
> >> [global]
> >>        workgroup = MYDOMAIN
> >>        bind interfaces only = Yes
> >>        netbios name = sam3DC
> >>        security = USER
> >>        dns forwarder = 8.8.8.8
> > "dns forwarder" is not required, *but* if you set this entry,
> > it should point to a local DNS server.
> > Google is not always the best choice.
> >
> >>  passdb backend = ldapsam:ldap://127.0.0.1/
> >>  obey pam restrictions = no
> > That I would change to yes. If yes, pam can create the
> > home directorys if you add users from windows tools or
> > samba tools. The user dir is created at first logon.
> > The template directory is /etc/skel.
> >
> >>  ldap admin dn = cn=admin,dc=mydomain
> >>  ldap suffix = dc=mydomain
> >>  ldap group suffix = ou=Group
> >>  ldap user suffix = ou=People
> >>  ldap machine suffix = ou=Computers
> >>  ldap idmap suffix = ou=People
> >>  ldap passwd sync = No
> >>  unix password sync = Yes
> >>  passwd program = /usr/sbin/smbldap-passwd -u %u
> >>  passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> >>  ldap ssl= no
> >>
> >>       encrypt passwords = true
> >>        password server = sam3dc
> > What sould be the benefit ???
> > At first you setup this host as a PDC and then you delegate
> > to an other password server?
> >
> >>         check password script = /usr/local/sbin/crackcheck -d
> >> /var/cache/cracklib/cracklib_dict
> >>
> >>        unix password sync = No
> > You should add:
> >        ldap passwd sync     = yes
> >        pam password change  = yes
> > to sync windows and unix passwords.
> >
> >>        log level = 10 auth:5
> > tooooooooooooo high
> >        log level = 1 auth:5
> > makes more sense
> >
> >>        syslog = 0
> >>        log file = /var/log/samba/log.%m
> >>        max log size = 1000
> >>
> >>         socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
> >> SO_SNDBUF=8192 SO_RCVBUF=8192
> > Please remove this line. Do not ask me or any other.
> > Just do it. It is mystic.
> >
> >>        local master = No
> >>        domain master = No
> >>        preferred master = No
> > If this host should be a domain controler ( primary or secondary )
> > change all to yes
> >
> > Test it with nmblookup i.e.
> > # nmblookup SCHULE
> > querying SCHULE on 127.255.255.255
> > 10.100.0.1 SCHULE<00>
> >
> > # nmblookup -M  SCHULE
> > querying SCHULE on 127.255.255.255
> > 10.100.0.1 SCHULE<1d>
> >
> > # nmblookup ALIX
> > querying ALIX on 127.255.255.255
> > 10.100.0.1 ALIX<00>
> >
> > # nmblookup -M  ALIX
> > querying ALIX on 127.255.255.255
> > querying ALIX on 10.100.255.255
> > name_query failed to find name ALIX#1d
> >
> > Where SCHULE is the netbios domain name and
> > ALIX is the PDC name.
> >
> >>         invalid users =
> >>          hosts deny = ALL
> > Fine, you deny all hosts on your network. What are you doing here?
> >
> >>        load printers = Yes
> >>        printcap name = cups
> >>        printing = cups
> >>        add machine script = /usr/sbin/useradd -d /dev/null -g
> >> machines -s /bin/false %u
> > This will *not* add windows hosts to the ldap backend. So do not
> > expect working windows machines.
> >
> > A common script is:
> >        add machine script   = /usr/sbin/smbldap-useradd -w "%u"
> >
> >>        # Logon Options
> >>        logon script = %U.bat
> >>        logon drive = n:
> >>        domain logons = Yes
> >>
> >>        logon home = \\%L\%u\%a\.profiles
> >>        logon home = \\%L\%U\profile
> > Overwriting entrys in this way seems bad practice, surely it works.
> >
> >>        logon path =
> >>
> >>        # Browse Options
> >>        os level = 65
> >>        preferred master = Yes
> >>        local master = Yes
> >>        domain master = Yes
> > Fine you will setup the Netbios stuff. Please remove the
> > other lines. This one wins, because they comes later in this file.
> >
> >>        # WINS Options
> >>        dns proxy = No
> >>        wins proxy = No
> >>        wins support = Yes
> >>
> >>
> >>        # Getting symlinks working for the OCEs
> >>        unix extensions = no
> >>
> >>        # Audit settings
> >>        full_audit:prefix = %u|%I|%S
> >>        full_audit:failure = none
> >>        full_audit:success = mkdir rmdir read pread write pwrite
> >> rename unlink
> >>        full_audit:facility = local5
> >>        full_audit:priority = notice
> >>
> >> [homes]
> >>        comment = Home Directories
> >>        create mask = 0700
> >>        directory mask = 0700
> >>        browseable = No
> >>        read only = No
> >>        path = %H/samba
> > unusual, but if it works for you
> >
> >>        vfs objects = full_audit
> > you have silently disabled acl handling!
> >        vfs objects = acl_xattr full_audit
> >
> >>        follow symlinks = yes
> > risky. Remove it if possible. Otherwise change symlinks to real dirs
> > and remove then.
> >
> >
> >
> >
> > Check if you have a machine account for your server:
> > # ldapsearch -xLLL 'uid=hostname$'
> > I assume you have none.
> >
> > Now, the unixidpool:
> >
> > Add the attached    ldif with:
> > ldapmodify -x -D cn=admin,dc=mydomain -W -f unixidpool.ldif
> >
> > check if it is OK
> > # ldapsearch -xLLL objectclass=sambaunixidpool
> >
> > Restart samba and reapply the admin password. This should add the
> machine account:
> > smbpasswd -w <ldap admin password>
> >
> > If the machine account is not their, restart both samba and winbind and
> wait some seconds.
> >
> > The next useable uidnumber in smabaDomainName should change from 10000
> to 10001.
> > # ldapsearch -xLLL uidnumber=10001
> > dn: sambaDomainName=SCHULE,dc=afrika,dc=xx
> > objectClass: top
> > objectClass: sambaDomain
> > objectClass: sambaUnixIdPool
> > sambaDomainName: SCHULE
> > sambaSID: S-1-5-21-1507708399-2130971284-2230424465
> > sambaAlgorithmicRidBase: 1000
> > sambaNextRid: 100000
> > sambaNextUserRid: 2000
> > sambaNextGroupRid: 100000
> > uidNumber: 10001
> > gidNumber: 2000
> > sambaPwdHistoryLength: 0
> > sambaLogonToChgPwd: 0
> > sambaMaxPwdAge: -1
> > sambaMinPwdAge: 0
> > sambaLockoutDuration: 30
> > sambaLockoutObservationWindow: 30
> > sambaLockoutThreshold: 0
> > sambaForceLogoff: -1
> >
> > have fun
> >
> > # cat unixidpool.ldif
> > dn: sambaDomainName=MYDOMAIN,dc=mydomain
> > changetype: modify
> > add: objectclass
> > objectclass: sambaUnixIdPool
> > -
> > add: uidnumber
> > uidnumber: 10000
> > -
> > add: gidnumber
> > gidnumber: 10000
> > -
> >
> > --
> >
> > Gruss
> >    Harry Jede
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba