SAMBA 4.5 // Gentoo Linux Domain Member // File Server

Sources:
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

https://wiki.samba.org/index.php/User_Home_Folders

https://wiki.samba.org/index.php/Idmap_config_ad

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Strategy

This machine is a file server (domain member server). It will serve domain users' profiles, home directories and other files.
The ADDC's IP is 10.81.100.150.
This machine's IP is 10.81.100.151; its host name is F4.

Principles

Users on a domain member are authenticated by the domain controller. This process uses winbind. Winbind connects to the domain controller via Kerberos.

Configure NTP

 emerge ntp
 rc-update add ntp-client default

Selecting Samba's USE flags

 cups fam quota winbind ads gnutls ldap
 emerge samba

Your domain member machine should resolve all names against Samba's internal DNS:
Edit /etc/resolv.conf

 domain samdom.test.local
 nameserver 10.81.100.150

Create /etc/krb5.conf

 [libdefaults]
     default_realm = SAMDOM.TEST.LOCAL
     dns_lookup_realm = false
     dns_lookup_kdc = true

Check /etc/hosts

# CHECK #
10.81.100.151	f4.samdom.test.local f4

Creating smb.conf

ATTENTION: At this point you have to decide which type of ID mapping you will use, ad or rid. rid is very simple to configure; ad is a little more complicated. I will describe both.

ATTENTION 2: The ID mapping mentioned above is essential. It means that a user on a domain member who has been successfully authenticated via winbind by the domain controller gets a Unix user ID on the domain member. The smb.conf file contains lines that define the ID ranges of these mappings. When using rid, the local Unix uid of users and gid of groups on the domain member machine is selected by the domain member machine itself from the range defined in smb.conf. When using ad, the local Unix uid (for users) and gid (for groups) on the domain member must be defined on the domain controller: you have to edit the users' and groups' LDAP properties on the domain controller and add attributes such as uidNumber, gidNumber etc. Using rfc2307 means that all information about users on the domain member is retrieved from the Active Directory on the domain controller, so on the ADDC the user objects must contain all of this information (uidNumber, gidNumber, loginShell, unixHomeDirectory, primaryGroupID). Group objects need a gidNumber. A standard user created on the ADDC is by default a member of the “Domain Users” group; this is defined as the user's so-called primary group. Unfortunately Samba's default “Domain Users” group does not have a gidNumber defined, so you will run into trouble on Linux domain members. That means: if you decide to use ad, you should check ALL groups on the ADDC for an existing gidNumber and all users for uidNumber, gidNumber, loginShell, unixHomeDirectory and primaryGroupID. The uidNumbers and gidNumbers MUST fall within the ID ranges defined in the domain member's smb.conf.
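Whichever backend you pick, the range rules above can be checked mechanically before you join. The script below is an added example and not part of the original post: it reads the idmap ranges out of an smb.conf, confirms that the default (*) range and the SAMDOM range do not overlap, and checks a list of uidNumber/gidNumber values against the domain range. The smb.conf fragment, the ID list and the function names (idmap_range, ranges_overlap, id_in_range, check_ids) are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: check the idmap ranges in an
# smb.conf and verify that uidNumber/gidNumber values exported from the DC fall
# inside the domain range. The config, domain name and ID list are constructed.
set -e

# Print "low high" for the idmap range of DOMAIN (pass '*' for the default
# domain). Accepts "idmap config SAMDOM : range" and "idmap config SAMDOM:range".
idmap_range() {
    awk -v dom="$2" '
        /^[ \t]*idmap config/ {
            line = $0
            sub(/^[ \t]*idmap config[ \t]*/, "", line)   # "SAMDOM : range = 10000-999999"
            split(line, kv, "=")
            key = kv[1]; gsub(/[ \t]/, "", key)          # "SAMDOM:range"
            if (key == (dom ":range")) {
                val = kv[2]; gsub(/[ \t]/, "", val)      # "10000-999999"
                split(val, r, "-")
                print r[1], r[2]
                exit
            }
        }' "$1"
}

# True (exit 0) when the ranges [$1,$2] and [$3,$4] share at least one ID.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# True when ID $1 lies inside [$2,$3].
id_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_ids SMB_CONF DOMAIN FILE: FILE holds "name uidNumber gidNumber" lines
# (a constructed stand-in for the attributes you would read from the DC).
# Prints every account whose IDs are outside the DOMAIN range; returns 1 if
# any account was reported.
check_ids() {
    conf="$1"; dom="$2"; file="$3"
    set -- $(idmap_range "$conf" "$dom")
    if [ $# -ne 2 ]; then
        echo "no idmap range for $dom in $conf" >&2
        return 2
    fi
    lo="$1"; hi="$2"; bad=0
    while read -r name uid gid; do
        case "$name" in ''|\#*) continue ;; esac       # skip blank and comment lines
        if ! id_in_range "$uid" "$lo" "$hi" || ! id_in_range "$gid" "$lo" "$hi"; then
            echo "$name: uidNumber=$uid gidNumber=$gid outside $lo-$hi"
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
SMB_CONF="$TMP/smb.conf"
ID_FILE="$TMP/ids.txt"

# Constructed smb.conf fragment using the ranges from this post's rid example.
cat > "$SMB_CONF" <<'EOF'
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
EOF

# Constructed list: name, uidNumber, gidNumber as set on the DC. carol's uid
# was taken from the default (*) range by mistake.
cat > "$ID_FILE" <<'EOF'
# name uidNumber gidNumber
alice 10001 10000
bob   10002 10000
carol 5001  10000
EOF

set -- $(idmap_range "$SMB_CONF" '*')
if ranges_overlap "$1" "$2" $(idmap_range "$SMB_CONF" SAMDOM); then
    echo "ERROR: default (*) range $1-$2 overlaps the SAMDOM range"
else
    echo "ok: default (*) range $1-$2 does not overlap the SAMDOM range"
fi
check_ids "$SMB_CONF" SAMDOM "$ID_FILE" || echo "-> fix the reported accounts on the DC, or adjust the ranges"
```

Run it against your real smb.conf by pointing SMB_CONF at /etc/samba/smb.conf and filling ID_FILE from the DC; an account reported here is one that winbind will not be able to map once the member is in ad mode.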

Idmap config rid
https://wiki.samba.org/index.php/Idmap_config_rid

smb.conf

[global]
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.TEST.LOCAL

    log file = /var/log/samba/%m.log
    log level = 1

    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    # - Adding just this is not enough
    # - You must set a DOMAIN backend configuration, see below
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # idmap config for the SAMDOM domain
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999


    # Template settings for login shell and home directory
    winbind nss info = template
    template shell = /bin/bash
    template homedir = /data/samba/home/%U

    username map = /etc/samba/user.map
    
[homes]
    comment = Home Directories
    path = /data/samba/home/%U
    browseable = no
    writeable = yes
    valid users = SAMDOM\%U
    create mode = 0600
    directory mode = 0700

[profiles]
    comment = Profile Directories
    path = /data/samba/profile/
    browseable = no
    read only = No
    force create mode = 0600
    force directory mode = 0700
    csc policy = disable
    store dos attributes = yes
    vfs objects = acl_xattr

[exchange]
    path = /data/samba/exchange
    browseable = yes
    writeable = yes

# END

Idmap config ad
https://wiki.samba.org/index.php/Idmap_config_ad

smb.conf

[global]
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.TEST.LOCAL

    log file = /var/log/samba/%m.log
    log level = 1

    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    # - Adding just this is not enough
    # - You must set a DOMAIN backend configuration, see below
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # idmap config for the SAMDOM domain
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-9999999

    winbind nss info = rfc2307

    username map = /etc/samba/user.map
    
[homes]
    comment = Home Directories
    path = /data/samba/home/%U
    browseable = no
    writeable = yes
    valid users = SAMDOM\%U
    create mode = 0600
    directory mode = 0700

[profiles]
    comment = Profile Directories
    path = /data/samba/profile/
    browseable = no
    read only = No
    force create mode = 0600
    force directory mode = 0700
    csc policy = disable
    store dos attributes = yes
    vfs objects = acl_xattr

[exchange]
    path = /data/samba/exchange
    browseable = yes
    writeable = yes

# END

Create /etc/samba/user.map

 !root = SAMDOM\Administrator

Join the domain

 net ads join -U administrator

Configure /etc/nsswitch.conf – add winbind to the passwd and group lines.

passwd:      compat files winbind
shadow:      compat files 
group:       compat files winbind

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files

Run winbind

Create a winbind start script in /etc/local.d and make it executable. -n means that the winbind daemon does not cache requests. This is good for testing.

/usr/sbin/winbindd -n

Create a winbind stop script in /etc/local.d and make it executable

 pkill winbindd

Start samba

 /etc/init.d/samba start
 rc-update add samba default

Hints

Mounting the data volume with the user_xattr parameter is deprecated – xattr is set by default.

Reload samba configuration via

smbcontrol all reload-config

Profile version extension (V2 .. V5) is set by the system transparently for you – DO NOT SET IT MANUALLY ELSEWHERE.

The users' profile directories will be created automatically by the domain controller during the first login.

Create and leave the users' login scripts on the domain controller (/var/lib/samba/sysvol/samdom.test.local/scripts/). Don't forget to set the executable flag. Attention: if you separate the file server from the domain controller, you can't set separate “SAMDOM\\userxyz” ACLs/rights for each login script via chown on the domain controller!

The users' home directories must be created by hand. Do not forget to chown them.

Creating the Profile base directory

 mkdir -p /data/samba/profiles/
 chgrp -R "SAMDOM\\Domain Users" /data/samba/profiles/
 chmod 1770 /data/samba/profiles/

Creating the home base directory

 mkdir -p /data/samba/homes/
 chgrp -R "SAMDOM\\Domain Users" /data/samba/homes/
 chmod 1770 /data/samba/homes/

If the chgrp command fails, you have a problem with mapping uid/gid to your machine from the DC.
First do

 # getent passwd "DOMAIN\domain users"

If nothing is returned, check the following on your DC:

ldbedit -e mcedit -H /var/lib/samba/private/sam.ldb 'sAMAccountName=Domain Users'

If there is no line beginning with
gidNumber:
then add one. Set this value to 65534 if you want to map the Samba group “Domain Users” to the Unix group nobody, or to 100 to map it to the Unix group users.

Attention:
The getent passwd/group command always needs a user as argument, or it will show only local Unix users/groups.

Attention II:

If you are in RID mode and you do

 getent passwd "DOMAIN\domain users"

on your domain member machine, it will always return the group's properties, because the domain member machine handles the gid mapping on its own. It doesn't matter whether your Domain Users group has a gidNumber on your DC or not.

If you set your domain member to AD mode, you MUST provide the Domain Users group on the DC with a gidNumber. Only in this case

 getent passwd "DOMAIN\domain users"

will return some information.

Attention III:

On your ADDC

 getent passwd "DOMAIN\domain users"

will never return anything.

TESTING
… coming soon.

################################

Creating Users

 # samba-tool user create usernamedzuppi usernamedzuppispassword --home-drive="U:" --home-directory="\\\\FILESERVER\\usernamedzuppi" --profile-path="\\\\FILESERVER\\usernamedzuppi"

Attention: Using rfc2307 is good practice and means that your ADDC manages all your user information. Domain members in AD mode use this information and pull it from your ADDC via winbindd. You should prefer AD mode. Get rid of RID – it's old fashioned.

If you want to change some user values on your ADDC, use this command

on the domain controller:

ldbedit -H /var/lib/samba/private/sam.ldb 'sAMAccountName=usernamedzuppi'

SHOW USERS and GROUPS
On ADDC and Domain members:

 getent passwd "DOMAIN\\Domain Users"
 getent group "DOMAIN\\Domain Users"

or

 wbinfo -u
 wbinfo -g

ATTENTION: On the DC, getent in our configuration (separated DC and file server) did not show any SAMDOM users/machines, but it works properly on the file server.

ATTENTION2: winbind on the file server CACHES. It is possible that newly created users and machines appear on the file server only later (getent passwd “SAMDOM\\xyz”). To avoid caching, start winbindd with -n.

DELETING MACHINES [COMPUTERS]

install ADUC – download KB958830 from Microsoft (https://www.microsoft.com/de-de/download/details.aspx?id=7887)

activate the windows feature [https://www.itsupportguides.com/knowledge-base/windows-7/windows-7-how-to-install-the-active-directory-users-and-computers-tools/]

run dsa.msc

User login very slow (about 45 sec)

Here in a KVM environment: cloned Windows 7 guests had the same SID. This causes incorrect machine registration at the domain controller. Use sysprep (c:\windows\system32\sysprep) to flatten (SID reset) a new machine. Before starting this, grab and store your Windows product key – use ProduKey.exe. Good luck!

ATTENTION ATTENTION ATTENTION – wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

Linux domain member – idmap ad – getent passwd not working – wbinfo -i SAMDOM\\xyzuser returns wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

PROBLEM: The users' default primary group “Domain Users” has no gidNumber set by default. Edit this group's properties with ldbedit and add a gidNumber entry.

How it was detected (https://stackoverflow.com/questions/30601942/consistent-uid-and-gid-across-linux-clients-for-multiple-domain-using-autorid):

 wbinfo -n TEST2\\user1

gives you the SID (Windows user ID) for the user; then use

 wbinfo -S SID

with this SID to check the UID assignment. Similarly, use

 wbinfo -Y SID

to check the GID assignment. wbinfo -Y [Domain Users SID] returns that it could not get a gid.
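The wbinfo sequence above finds the problem one account at a time. The script below is an added example and not part of the original post: it audits LDIF exported from the DC for the attributes the ad/rfc2307 backend needs (the same list the ATTENTION 2 paragraph in the smb.conf section asks you to check), reporting every group without a gidNumber and every user missing uidNumber, gidNumber, loginShell, unixHomeDirectory or primaryGroupID. The two LDIF files are constructed to look like ldbsearch output; the function name audit_ldif is my own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit LDIF from the DC for the
# attributes winbind's ad backend needs. The LDIF below is constructed; on a
# real DC you would produce the files with, for example:
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=group)' sAMAccountName gidNumber > groups.ldif
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' sAMAccountName uidNumber gidNumber loginShell unixHomeDirectory primaryGroupID > users.ldif
set -e

# audit_ldif FILE KIND   (KIND is "group" or "user")
# Prints "<sAMAccountName>: missing <attr>[,<attr>...]" for every record that
# lacks a required attribute; returns 1 if any record was incomplete.
audit_ldif() {
    awk -v kind="$2" '
        BEGIN {
            if (kind == "group") n = split("gidNumber", need, " ")
            else n = split("uidNumber gidNumber loginShell unixHomeDirectory primaryGroupID", need, " ")
        }
        # Report the record collected so far and reset the per-record state.
        function flush(   i, k, missing) {
            if (name == "") return
            missing = ""
            for (i = 1; i <= n; i++)
                if (!(need[i] in have)) missing = missing (missing == "" ? "" : ",") need[i]
            if (missing != "") { print name ": missing " missing; bad++ }
            name = ""
            for (k in have) delete have[k]
        }
        /^$/ { flush(); next }               # a blank line ends an LDIF record
        /^#/ { next }                        # ldbsearch comments such as "# record 1"
        {
            attr = $0; sub(/:.*/, "", attr)          # attribute name before the first colon
            val  = $0; sub(/^[^:]*:[ \t]*/, "", val) # value after it
            have[attr] = val
            if (attr == "sAMAccountName") name = val
        }
        END { flush(); exit (bad > 0) }
    ' "$1"
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
GROUP_LDIF="$TMP/groups.ldif"
USER_LDIF="$TMP/users.ldif"

# Constructed sample: the default "Domain Users" group has no gidNumber.
cat > "$GROUP_LDIF" <<'EOF'
# record 1
dn: CN=Domain Users,CN=Users,DC=samdom,DC=test,DC=local
sAMAccountName: Domain Users

# record 2
dn: CN=unixadmins,CN=Users,DC=samdom,DC=test,DC=local
sAMAccountName: unixadmins
gidNumber: 10001

# returned 2 records
EOF

# Constructed sample: bob was created without most of the RFC2307 attributes.
cat > "$USER_LDIF" <<'EOF'
# record 1
dn: CN=alice,CN=Users,DC=samdom,DC=test,DC=local
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
loginShell: /bin/bash
unixHomeDirectory: /data/samba/home/alice
primaryGroupID: 513

# record 2
dn: CN=bob,CN=Users,DC=samdom,DC=test,DC=local
sAMAccountName: bob
uidNumber: 10002
primaryGroupID: 513

# returned 2 records
EOF

audit_ldif "$GROUP_LDIF" group || echo "-> add a gidNumber with ldbedit (see above) before switching the member to idmap ad"
audit_ldif "$USER_LDIF" user || echo "-> add the missing attributes with ldbedit, then run 'net cache flush' on the member"
```

Because winbind caches lookups, fixing the attributes on the DC is not enough on its own: run net cache flush on the member (or start winbindd with -n while testing) before repeating getent.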

Additional Info:

Had to add the pid directory to the newly created smb.conf

Had to create the /var/run/samba directory

Edit /etc/krb5.conf -> set the default realm from ${REALM} to ‘SAMDOM.TEST.YOURTLD’

Samba (smb-client) displays an incorrect OS (Windows 6.1 instead of Unix) -> https://centrify.force.com/support/Article/KB-7086-Samba-displays-incorrect-OS-information

Tune smb.conf

csc policy = disable
store dos attributes = yes
vfs objects = acl_xattr

HINTS:
xidNumber is the UNIX user ID (root -> 0)

Show and edit users properties:

# ldbedit -e mcedit -H /usr/local/samba/private/sam.ldb 'sAMAccountName=zuppiuser'

ATTENTION: Adding a user with samba-tool:

home-directory should be double quoted
home-drive needs a trailing ‘:’ (like U:) – otherwise z: will be used.

ATTENTION:
Your setfacl fails for groups? Maybe your group has no gidNumber.

ATTENTION:
Winbindd caches the credentials.
What really helps:
On your Domain member do

 # net cache flush

every time you change some user/group properties on your DC.

or add a line like winbind cache time = 60 to the global section of your Samba config file.

TO CHECK:

http://wiki.pratznschutz.com/index.php/Samba_3.6_und_4.x_ADS_Member_Server

 winbind trusted domains only = no
 winbind use default domain = yes
 # the user does not have to give a domain prefix when logging in
 winbind enum users  = yes
 winbind enum groups = yes
 winbind nested groups = yes

client use spnego = yes
client ntlmv2 auth = yes

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
