On Fri, May 24, 2019 at 01:13:38PM +0200, Alexander Fieroch wrote:
Am 20.05.19 um 17:22 schrieb Sumit Bose:
> Hi,
Hi!
> the recommendation is to use both.
> Recent versions of Samba require winbind to run on domain members. The
> reason is that legacy code was removed from the smbd process which older
> versions used as a fallback to communicate with an AD DC. Now smbd needs
> winbind to be able to communicate with AD.
>
> But you still can use SSSD for all other system services, winbind will
> be used exclusively by smbd.
>
> The following changes are needed (I'm sorry but I'm not too familiar with
> the SSSD packages in Ubuntu, so I hope I'm right about the package
> names).
>
> First, I assume you have the libwbclient-sssd package installed to
> redirect requests for winbind to SSSD. Please remove this package and
> make sure libwbclient0 is installed.
>
> To make sure that winbind and SSSD use the same id-mapping please add
> something like the following to smb.conf:
>
> idmap config <AD-DOMAIN-SHORTNAME> : backend = sss
> idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647
>
> idmap config * : backend = tdb
> idmap config * : range = 100000-199999
>
> this tells winbind to ask SSSD which POSIX IDs to use for Windows users
> and groups.
Thank you very much!
How do I have to adapt the range to our AD? I'm not sure about these values.
Our AD users have an ID between 10000 and 23000, our groups have IDs between
31000 and 33000. We only have one domain.
So is it safe to set 10000 as minimum range value and 33000 as maximum?
idmap config * : backend = tdb
idmap config * : range = 1000-5000
idmap config DOMAIN : backend = sss
idmap config DOMAIN : range = 10000-33000
Hi,
that's ok, just keep in mind that you have to increase the upper limit
in case your GID become larger than 33000.
> On the SSSD side please disable the automatic host key renewal by
> setting
>
> ad_maximum_machine_account_password_age = 0
>
> in the [domain/...] section of sssd.conf.
Does sssd renew the machine account password automatically?
Yes, recent versions do this automatically if adcli is installed.
> Depending on how you joined the AD domain and if SSSD already renewed
> the machine account password, it might be necessary to re-join the domain
> with the 'net ads join ...' command or even easier with 'realm join
> --membership-software=samba ....' to set all the needed data winbind
> needs for operation. You can check by trying to start winbind. If it
> starts without errors all should be fine, otherwise please try to
> rejoin.
I did some tests with the new configuration above...
Previously I joined my clients to AD with realm and not "net ads join".
An additional "realm join --membership-software=samba ..." fails with
realm: Already joined to this domain
So I have to remove clients first with "realm leave --remove".
Now it is working for me (including winbind) and samba sharing on ubuntu
19.04. I used
$ realm join --user-principal=host/hostname@DOMAIN --automatic-id-mapping=no --client-software=sssd --membership-software=samba
The command "realm list" lists two domains. Is this normal behavior?
Yes, that's expected. realmd does not store a state somewhere, it looks
at existing configurations and in your case both are available.
# realm list
DOMAIN
  type: kerberos
  realm-name: DOMAIN
  domain-name: DOMAIN
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: winbind
  required-package: libpam-winbind
  required-package: samba-common-bin
  login-formats: DOMAIN\%U
  login-policy: allow-any-login
DOMAIN
  type: kerberos
  realm-name: DOMAIN
  domain-name: DOMAIN
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins
CentOS
======
Unfortunately I do not get samba shares working on a centos 7 test-vm.
I use the same configuration as with ubuntu where it is working.
"getent passwd" and "wbinfo -u" are both working and show me the AD users list.
But network shares are not accessible/working.
$ smbclient -U centos7/admin -L //centos7
do_connect: Connection to centos7 failed (Error NT_STATUS_HOST_UNREACHABLE)
Can you send the full debug output of the call
$ smbclient -U centos7/admin -L //centos7 -d 10
bye,
Sumit
# yum list installed | grep winbind
samba-winbind.x86_64 4.8.3-4.el7 @base
samba-winbind-clients.x86_64 4.8.3-4.el7 @base
samba-winbind-modules.x86_64 4.8.3-4.el7 @base
Something has to be different on CentOS/RedHat with samba 4.8.
/var/log/samba/log.winbindd:
[2019/05/24 12:55:50.100437, 0] ../source3/winbindd/winbindd.c:239(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=1)
[2019/05/24 12:55:50.203135, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/05/24 12:55:50.206805, 0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
[2019/05/24 12:58:15.204925, 0] ../source3/winbindd/winbindd.c:239(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=1)
[2019/05/24 12:58:15.256253, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/05/24 12:58:15.259906, 0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Any hints which configuration I have to change or which additional packages
I need?
Thanks!
Best regards,
Alexander
> HTH
>
> bye,
> Sumit
>
> > Or is it not possible anymore to use only SSSD with samba shares without
> > winbind?
> >
> >
> > Thanks!
> > Best regards
> >
> >
> > /etc/samba/smb.conf:
> > [global]
> > disable netbios = Yes
> > dns proxy = No
> > domain master = No
> > kerberos method = system keytab
> > local master = No
> > log file = /var/log/samba/log.%m
> > map to guest = Bad User
> > max log size = 1000
> > obey pam restrictions = Yes
> > pam password change = Yes
> > panic action = /usr/share/samba/panic-action %d
> > passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> > passwd program = /usr/bin/passwd %u
> > realm = DOMAIN
> > security = ADS
> > server role = member server
> > server string = %h %a
> > syslog = 0
> > unix password sync = Yes
> > usershare allow guests = Yes
> > workgroup = DOMAIN
> >
> >
> >
> >
> > ----- End forwarded message -----
--
Dipl.-Inf. Alexander Fieroch
Max-Planck-Institut für molekulare Physiologie
Zentrale Einrichtung EDV
Otto-Hahn-Str. 11
D-44227 Dortmund
Tel.: +49 (231) 133-2680
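The range question in the thread (does 10000-33000 cover all AD users and groups, and is 1000-5000 a safe default range) is easy to get wrong by eye. The script below is an added example, not code from this thread, from Samba or from SSSD. It parses the `idmap config` lines of an smb.conf the way you would read them from `testparm -s`, and reports missing backend/range entries, ranges that overlap each other, a default (`*`) range that collides with local Unix accounts, a domain not mapped through the `sss` backend, and AD users or groups whose IDs fall outside the domain range. The smb.conf fragments and the `getent passwd`/`getent group` lines are constructed to mirror the thread; the local-account range 1000-59999 is an assumption (Debian/Ubuntu adduser defaults) and is a parameter. Note that it flags the 1000-5000 default range from the thread, because winbind allocates IDs for BUILTIN and well-known SIDs from that range and they would land among local user IDs.

```python
"""Sanity-check 'idmap config' ranges in smb.conf against observed POSIX IDs.

Added example; not code from the thread, Samba or SSSD.
"""
import re
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# Constructed smb.conf fragment using the ranges proposed later in the thread.
SMB_CONF_THREAD = """
[global]
    workgroup = DOMAIN
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 1000-5000
    idmap config DOMAIN : backend = sss
    idmap config DOMAIN : range = 10000-33000
"""

# Constructed fragment using the ranges from the first reply in the thread.
SMB_CONF_HIGH = """
    idmap config DOMAIN : backend = sss
    idmap config DOMAIN : range = 200000-2147483647
    idmap config * : backend = tdb
    idmap config * : range = 100000-199999
"""

# Constructed 'getent passwd' / 'getent group' output for AD principals;
# carol's UID deliberately exceeds the 33000 upper limit.
PASSWD_LINES = [
    "alice:*:10001:31001:Alice:/home/alice:/bin/bash",
    "bob:*:22999:31001:Bob:/home/bob:/bin/bash",
    "carol:*:34010:31002:Carol:/home/carol:/bin/bash",
]
GROUP_LINES = [
    "staff:*:31001:alice,bob",
    "admins:*:32999:alice",
]

# Matches 'idmap config <DOMAIN> : backend = ...' and '... : range = lo-hi'.
_IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(smb_conf: str) -> Dict[str, dict]:
    """Return {DOMAIN: {"backend": str, "range": (lo, hi)}}; '*' is the default domain."""
    domains: Dict[str, dict] = {}
    for line in smb_conf.splitlines():
        m = _IDMAP_RE.match(line)
        if not m:
            continue
        entry = domains.setdefault(m.group("dom").upper(), {})
        if m.group("key").lower() == "range":
            lo, hi = re.split(r"\s*-\s*", m.group("val"), maxsplit=1)
            entry["range"] = (int(lo), int(hi))
        else:
            entry["backend"] = m.group("val").lower()
    return domains


def _overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(smb_conf: str, passwd_lines: List[str], group_lines: List[str],
                ad_domain: str, local_ids: Range = (1000, 59999)) -> List[str]:
    """Return a list of findings; an empty list means the config looks consistent.

    local_ids is an assumption: the UID/GID range the distro hands to local
    accounts (Debian/Ubuntu adduser defaults). Adjust it for your system.
    """
    findings: List[str] = []
    domains = parse_idmap(smb_conf)

    for dom, entry in domains.items():
        for key in ("backend", "range"):
            if key not in entry:
                findings.append(f"{dom}: no 'idmap config {dom} : {key}' line")
    if "*" not in domains:
        findings.append("no 'idmap config * :' entry; winbind needs it for BUILTIN and well-known SIDs")

    # Ranges must be sane and must not overlap each other.
    ranged = [(d, e["range"]) for d, e in domains.items() if "range" in e]
    for i, (d1, r1) in enumerate(ranged):
        if r1[0] >= r1[1]:
            findings.append(f"{d1}: range {r1[0]}-{r1[1]} is empty or reversed")
        for d2, r2 in ranged[i + 1:]:
            if _overlaps(r1, r2):
                findings.append(f"ranges of {d1} and {d2} overlap; an ID could map to two SIDs")

    # The tdb allocator hands out IDs from the '*' range; keep it off local accounts.
    default_range = domains.get("*", {}).get("range")
    if default_range and _overlaps(default_range, local_ids):
        findings.append(f"default '*' range {default_range[0]}-{default_range[1]} overlaps local accounts "
                        f"{local_ids[0]}-{local_ids[1]}; tdb-allocated IDs may collide with local users")

    # The AD domain should go through sss so winbind and SSSD agree on every ID.
    dom = ad_domain.upper()
    entry = domains.get(dom, {})
    if entry.get("backend") != "sss":
        findings.append(f"{dom}: backend is {entry.get('backend')!r}, expected 'sss' so winbind and SSSD agree on IDs")
    rng = entry.get("range")
    if rng:
        for line in passwd_lines:
            name, _, uid, gid = line.split(":")[:4]
            for kind, value in (("uid", int(uid)), ("primary gid", int(gid))):
                if not rng[0] <= value <= rng[1]:
                    findings.append(f"user {name}: {kind} {value} outside {dom} range {rng[0]}-{rng[1]}")
        for line in group_lines:
            name, _, gid = line.split(":")[:3]
            if not rng[0] <= int(gid) <= rng[1]:
                findings.append(f"group {name}: gid {gid} outside {dom} range {rng[0]}-{rng[1]}")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(SMB_CONF_THREAD, PASSWD_LINES, GROUP_LINES, "DOMAIN") or ["no findings"]:
        print(" -", finding)
```

On a real host, feed it `testparm -s 2>/dev/null` for the config and `getent passwd`/`getent group` restricted to domain accounts (for example `getent passwd | awk -F: '$3 >= 10000'`) rather than the constructed lines; the check does not need to contact the DC, so it is safe to run on a member that is currently failing.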