Sources:
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/User_Home_Folders
https://wiki.samba.org/index.php/Idmap_config_ad
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
Strategy
This machine is a file server (domain member server). It will serve the domain users' profiles, home directories and other file shares.
The ADDC's IP is 10.81.100.150.
This machine's IP is 10.81.100.151, its host name is F4.
Principles
Users on a domain member are authenticated by the domain controller. This process uses winbind. Winbind connects to the domain controller via Kerberos.
Configure NTP
emerge ntp
rc-update add ntp-client default
Selecting Samba's USE flags
USE flags: cups fam quota winbind ads gnutls ldap
emerge samba
Your domain member machine should resolve all names against Samba's internal DNS:
Edit /etc/resolv.conf
domain samdom.test.local
nameserver 10.81.100.150
Create /etc/krb5.conf
[libdefaults]
default_realm = SAMDOM.TEST.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
Check /etc/hosts (it must contain a line like this):
10.81.100.151 f4.samdom.test.local f4
Creating smb.conf
ATTENTION: At this point you have to decide what type of ID mapping you will use, ad or rid. rid is very simple to configure, ad is a little bit more complicated. I will describe both.
ATTENTION 2: A very essential thing is the above-mentioned ID mapping. It means that a user on a domain member who was successfully authenticated via winbind by the domain controller gets a Unix user ID on the domain member. The smb.conf file contains lines that define the ID ranges of these mappings. When using rid, the local Unix uid of users and gid of groups on the domain member machine is selected by the domain member machine itself from the range defined in smb.conf. When using ad, the local Unix uid (for users) and gid (for groups) on the domain member must be defined on the domain controller: you have to edit the users' and groups' LDAP properties on the domain controller and add attributes such as uid, gid etc. Using rfc2307 means that all information about users on the domain member is retrieved from the Active Directory on the domain controller, so on the ADDC the user objects must contain all the information (uidNumber, gidNumber, loginShell, unixHomeDirectory, primaryGroupID). Group objects need a gidNumber. A standard user created on the ADDC is by default a member of the "Domain Users" group; this is defined as the user's so-called primary group. Unfortunately Samba's default "Domain Users" group does not have a gidNumber defined, so you will run into trouble on Linux domain members. That means: if you decide to use ad you should check ALL groups on the ADDC for existing gidNumbers and all users for uidNumber, gidNumber, loginShell, unixHomeDirectory, primaryGroupID. The uidNumbers and gidNumbers MUST fall within the ID ranges defined in the domain member's smb.conf.
Idmap config rid
https://wiki.samba.org/index.php/Idmap_config_rid
smb.conf
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.TEST.LOCAL
log file = /var/log/samba/%m.log
log level = 1
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
# - Adding just this is not enough
# - You must set a DOMAIN backend configuration, see below
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# idmap config for the SAMDOM domain
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
# Template settings for login shell and home directory
winbind nss info = template
template shell = /bin/bash
template homedir = /data/samba/home/%U
username map = /etc/samba/user.map

[homes]
comment = Home Directories
path = /data/samba/home/%U
browseable = no
writeable = yes
valid users = %U
create mode = 0600
directory mode = 0700

[profiles]
comment = Profile Directories
path = /data/samba/profile/
browseable = no
read only = No
force create mode = 0600
force directory mode = 0700
csc policy = disable
store dos attributes = yes
vfs objects = acl_xattr

[exchange]
path = /data/samba/exchange
browseable = yes
writeable = yes
# END
Idmap config ad
https://wiki.samba.org/index.php/Idmap_config_ad
smb.conf
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.TEST.LOCAL
log file = /var/log/samba/%m.log
log level = 1
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
# - Adding just this is not enough
# - You must set a DOMAIN backend configuration, see below
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# idmap config for the SAMDOM domain
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-9999999
winbind nss info = rfc2307
username map = /etc/samba/user.map

[homes]
comment = Home Directories
path = /data/samba/home/%U
browseable = no
writeable = yes
valid users = SAMDOM\%U
create mode = 0600
directory mode = 0700

[profiles]
comment = Profile Directories
path = /data/samba/profile/
browseable = no
read only = No
force create mode = 0600
force directory mode = 0700
csc policy = disable
store dos attributes = yes
vfs objects = acl_xattr

[exchange]
path = /data/samba/exchange
browseable = yes
writeable = yes
# END
Create /etc/samba/user.map
!root = SAMDOM\Administrator
Join the domain
net ads join -U administrator
Config /etc/nsswitch.conf – add winbind to the passwd and group lines.
passwd: compat files winbind
shadow: compat files
group: compat files winbind
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
Run winbind
Create a winbind start script in /etc/local.d and make it executable. The -n option means that the winbind daemon does not cache requests, which is good for testing.
/usr/sbin/winbindd -n
Create a winbind stop script in /etc/local.d and make it executable.
pkill winbindd
Start samba
/etc/init.d/samba start
rc-update add samba default
Hints
Mounting the data volume with the user_xattr option is deprecated; xattr support is enabled by default.
Reload samba configuration via
smbcontrol all reload-config
Profile version extension (V2 .. V5) is set by the system transparently for you – DO NOT SET IT MANUALLY ELSEWHERE.
The users' profile directories are created automatically by the domain controller during the first login.
Create and leave the users' login scripts on the domain controller (/var/lib/samba/sysvol/samdom.test.local/scripts/). Don't forget to set the executable flag. Attention: if you separate the file server from the domain controller, you can't set separate "SAMDOM\\userxyz" ACLs/rights for each login script via chown on the domain controller!
The users' home directories must be created by hand. Do not forget to chown them.
Creating the Profile base directory
mkdir -p /data/samba/profiles/
chgrp -R "SAMDOM\\Domain Users" /data/samba/profiles/
chmod 1770 /data/samba/profiles/
Creating the home base directory
mkdir -p /data/samba/homes/
chgrp -R "SAMDOM\\Domain Users" /data/samba/homes/
chmod 1770 /data/samba/homes/
If the chgrp command fails, you have a problem with mapping uid/gid from the DC to your machine.
First run
# getent passwd "DOMAIN\domain users"
If there is nothing in return check the following on your DC:
ldbedit -e mcedit -H /var/lib/samba/private/sam.ldb 'sAMAccountName=Domain Users'
If there is no line beginning with
gidNumber:
then add one. Set this value to 65534 if you want to map the Samba group "Domain Users" to the Unix group nobody, or to 100 for the Unix group users.
Attention:
The getent passwd/group command always needs a user or group as argument, otherwise it shows only local Unix users/groups.
Attention II:
If you are in RID mode and you do
getent passwd "DOMAIN\domain users"
on your domain member machine, it will always return the group's properties, because the domain member machine handles the gid mapping alone. It doesn't matter whether your Domain Users group has a gidNumber on your DC or not.
If you set your domain member to AD mode, you MUST give the Domain Users group on the DC a gidNumber. Only in this case
getent passwd "DOMAIN\domain users"
will return some information.
Attention III:
On your ADDC
getent passwd "DOMAIN\domain users"
will never return anything.
TESTING
… coming soon.
################################
Creating Users
# samba-tool user create usernamedzuppi usernamedzuppispassword --home-drive="U:" --home-directory="\\\\FILESERVER\\usernamedzuppi" --profile-path="\\\\FILESERVER\\usernamedzuppi"
Attention: Using rfc2307 is good manners and means that your ADDC manages all your user information. Domain members in AD mode use this information and pull it from your ADDC via winbindd. You should prefer AD mode. Get rid of RID, it's old-fashioned.
If you want to change some user values on your ADDC, use this command on the domain controller:
ldbedit -H /var/lib/samba/private/sam.ldb 'sAMAccountName=usernamedzuppi'
SHOW USERS and GROUPS
On ADDC and Domain members:
getent passwd "DOMAIN\\Domain Users"
getent group "DOMAIN\\Domain Users"
or
wbinfo -u
wbinfo -g
ATTENTION: On the DC, getent in our configuration (separate DC and file server) did not show any SAMDOM users/machines, but it works properly on the file server.
ATTENTION 2: winbind on the file server CACHES. It is possible that newly created users and machines appear on the file server only later (getent passwd "SAMDOM\\xyz"). To avoid caching, start winbindd with -n.
DELETING MACHINES [COMPUTERS]
install ADUC: download KB958830 from Microsoft (https://www.microsoft.com/de-de/download/details.aspx?id=7887)
activate the windows feature [https://www.itsupportguides.com/knowledge-base/windows-7/windows-7-how-to-install-the-active-directory-users-and-computers-tools/]
run dsa.msc
User login very slow (about 45 sec)
Here, in a KVM environment: cloned Windows 7 guests had the same SID. This causes incorrect machine registration at the domain controller. Use sysprep (c:\windows\system32\sysprep) to flatten (SID reset) a new machine. Before starting this, grab and store your Windows product key, e.g. with ProduKey.exe. Good luck!
ATTENTION ATTENTION ATTENTION – wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Linux domain member, idmap ad: getent passwd not working, and wbinfo -i SAMDOM\\xyzuser returns wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
PROBLEM: The users' default primary group "Domain Users" has no gidNumber set by default. Edit this group's properties with ldbedit and add a gidNumber entry.
How it was detected (https://stackoverflow.com/questions/30601942/consistent-uid-and-gid-across-linux-clients-for-multiple-domain-using-autorid):
wbinfo -n TEST2\\user1
gives you the SID (Windows user ID) for the user; then use
wbinfo -S SID
with this SID to check the UID assignment. Similarly, use
wbinfo -Y SID
to check the GID assignment. In this case wbinfo -Y [Domain Users SID] returned that it could not get a gid.
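An offline pre-check for the two requirements these notes keep running into (the "*" and SAMDOM idmap ranges must not overlap, and in ad mode every user and group the member resolves needs rfc2307 attributes inside the SAMDOM range), written as an added example that is not part of these notes or of Samba. It parses a constructed smb.conf fragment and a constructed ldbsearch-style LDIF dump and reports what the DC is missing before wbinfo -Y ever fails; the 513 gidNumber and the missing loginShell/unixHomeDirectory in the sample are deliberate defects.

```python
import re
# Constructed samples (not from the original page): an "idmap ad" smb.conf
# fragment and an LDIF-style dump of the kind ldbsearch prints on the DC.
SMB_CONF = """[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : range = 10000-9999999"""
SAM_LDIF = """dn: CN=Domain Users,CN=Users,DC=samdom,DC=test,DC=local
objectClass: group
sAMAccountName: Domain Users

dn: CN=usernamedzuppi,CN=Users,DC=samdom,DC=test,DC=local
objectClass: user
sAMAccountName: usernamedzuppi
uidNumber: 10001
gidNumber: 513"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S+)", re.M)
USER_ATTRS = ("uidNumber", "gidNumber", "loginShell", "unixHomeDirectory")

def idmap_ranges(conf):
    """{idmap domain: (low, high)} for every 'idmap config X : range' line."""
    return {dom: tuple(int(x) for x in val.split("-"))
            for dom, key, val in IDMAP_RE.findall(conf) if key == "range"}

def overlapping(ranges):
    """Pairs of idmap domains whose ranges overlap; the '*' range must not."""
    doms = sorted(ranges)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def parse_ldif(text):
    """One {attribute: [values]} dict per blank-line-separated LDIF entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for key, _, val in (ln.partition(":") for ln in block.splitlines()):
            entry.setdefault(key.strip(), []).append(val.strip())
        entries.append(entry)
    return entries

def audit(entries, low, high):
    """Per account: rfc2307 attributes missing for an 'idmap ad' member, and
    uidNumber/gidNumber values outside the member's SAMDOM idmap range."""
    problems = {}
    for e in entries:
        wanted = USER_ATTRS if "user" in e.get("objectClass", []) else ("gidNumber",)
        missing = [a for a in wanted if a not in e]
        bad = [a for a in ("uidNumber", "gidNumber")
               if a in e and not low <= int(e[a][0]) <= high]
        if missing or bad:
            problems[e["sAMAccountName"][0]] = {"missing": missing, "out_of_range": bad}
    return problems
```

On a real DC, feed it the output of ldbsearch -H /var/lib/samba/private/sam.ldb for the users and groups in question; anything it lists for "Domain Users" is exactly what ldbedit has to add before the member's getent and wbinfo -Y start working.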
Additional Info:
Had to add the pid directory to the newly created smb.conf.
Had to create the /var/run/samba directory.
Edit /etc/krb5.conf -> set default_realm from ${REALM} to 'SAMDOM.TEST.YOURTLD'
Samba (smb-client) displays incorrect OS (Windows 6.1 instead of Unix) -> https://centrify.force.com/support/Article/KB-7086-Samba-displays-incorrect-OS-information
Tune smb.conf
csc policy = disable
store dos attributes = yes
vfs objects = acl_xattr
HINTS:
xidNumber is the Unix user ID (root -> 0)
Show and edit a user's properties:
# ldbedit -e mcedit -H /usr/local/samba/private/sam.ldb 'sAMAccountName=zuppiuser'
ATTENTION: Adding a user with samba-tool:
home-directory should be double quoted
home-drive needs a trailing ':' (like U:), otherwise Z: will be used.
ATTENTION:
Your setfacl fails for groups? Maybe your group lives without a gidNumber.
ATTENTION:
Winbindd caches these credentials.
What really helps:
On your domain member run
# net cache flush
every time you change some user/group properties on your DC,
or add a line like winbind cache time = 60 to the [global] section of your Samba config file.
TO CHECK:
http://wiki.pratznschutz.com/index.php/Samba_3.6_und_4.x_ADS_Member_Server
winbind trusted domains only = no
# users need not give a domain prefix when logging in
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
client use spnego = yes
client ntlmv2 auth = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes