Web lists-archives.com

Re: [Samba] Configured AD backend but getting different uid and gid




On Tue, 23 Apr 2019 11:40:43 +0800
Alfonso Conner via samba <samba@xxxxxxxxxxxxxxx> wrote:

>  Hi Samba Team,
> 
> I hope I have sent my enquiries to the correct address list.
> Need advise and support from the team. Here's the summary of my
> issues. I try to provide as much details and information.
> 
> Due to the business nature of my company, I have a mixture of Windows
> (XP, 7, 8/10 in future) and Linux RHEL workstations (5U6, 5U8, 5U11,
> 6/7 in future).
> I have an existing Samba PDC VM Server (CentOS 6.10) hosting for
> Windows Clients (XP, 7)
> I am tasked to research ways to allow Windows 10 PC to join Samba and
> followed the Classic Upgrade.
> This is done following the setup guide from Samba Wedsite and I am
> happy Windows 10 is able to join Samba AD with existing XP and 7
> still able to login without issues.
> 
> My next task is to join Linux workstations to Samba AD to centralize
> all login accounts.
> 
> These accounts need to have the same uid and gid for access to
> exisitng file servers using the correct NFS and CIFS credentials.
> After study and decided using ad as backend would be the suitable
> choice for me.
> 
> However, I have faced difficulties getting the same uid and gid for my
> domain users after my Linux workstations join Samba AD.
> 
> 
> Configurations as follows:
> 
> Samba PDC
> Hostname: DC1
> Workgroup: EXAMPLE.COM
> 
> Samba version for classic upgrade: 4.8.5
> Packages installed: gcc python-devel gnutls-devel libacl-devel
> openldap-devel pam-devel bind-utils krb5-workstation
> 
> Samba AD smb.configuration
> Samba does not allow me to use same value for realm and workgroup
> [global]
>         netbios name = DC1
>         realm = NEWEXAMPLE.COM
>         server role = active directory domain controller
>         workgroup = EXAMPLE.COM
>         idmap_ldb:use rfc2307 = yes
>         client max protocol = NT1
>         ldap server require strong auth = no
>         template shell = /bin/bash
>         template homedir = /home/%U
> 
> Kerberos configuration
> [libdefaults]
>         default_realm = NEWEXAMPLE.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> 
> No issues running wbinfo -u, wbinfo -g, getent passwd DOMAIN\\USER
> EXAMPLE.COM\administrator
> EXAMPLE.COM\krbtgt
> EXAMPLE.COM\guest
> EXAMPLE.COM\Users
> ..
> ..
> ..
> 
> I cannot change my netbios name nor change my AD Server hostname as I
> found out my Linux member will have spnego invalid credentials error
> unabe to join AD Domain.
> 
> Samba Domain member smb.conf using RHEL 5U11 for testing
> Packages installed: samba3x-winbind-3.6.23-6.el5
> system-config-samba-1.2.41-5.el5 samba3x-client-3.6.23-6.el5
> samba3x-swat-3.6.23-6.el5 samba3x-3.6.23-6.el5
> 
> member smb.conf
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
> 
> [global]
>         workgroup = EXAMPLE.COM
>         realm = NEWEXAMPLE.COM
>         server string = Samba Server Version %v
>         security = ADS
>         username map = /etc/samba/user.map
>         template homedir = /home/%U
>         template shell = /bin/bash
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = Yes
>         winbind nss info = rfc2307
>         winbind refresh tickets = Yes
>         winbind offline logon = Yes
>         idmap config NEWEXAMPLE.COM : unix_primary_group = yes
>         idmap config NEWEXAMPLE.COM : unix_nss_info = yes
>         idmap config NEWEXAMPLE.COM : range = 1001-9999
>         idmap config NEWEXAMPLE.COM : schema_mode = rfc2307
>         idmap config NEWEXAMPLE.COM : backend = ad
>         idmap config * : range = 10001-99999
>         idmap config * : backend = tdb
>         map acl inherit = Yes
>         cups options = raw
>         store dos attributes = Yes
>         vfs objects = acl_xattr
> 
> AD Member krb5.conf
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = NEWEXAMPLE.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  ticket_lifetime = 24h
>  forwardable = yes
> 
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
> 
> After joined to AD, I am able to get results from wbinfo and getent
> passwd but am getting Domain Users uid and gid starting from "*"
> range. Have ensured all Computers, Users and Groups have assigned uid
> and gid using RSAT from Windows 7 Client and able to see Attribute
> editor, Unix attributes.
> 
> Please advise and appreciate for the response.

el5 ? Samba 3.6.23 ? XP ? these are all EOL and more specifically
your smb.conf contains idmap config unknown to your Samba version.

Your 'future' needs to be now.

There is nothing intrinsically wrong with your conf files, they just
aren't for your old systems ;-)

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba