Re: [Samba] samba4 missing group membership with getent group
Ah, it's magic, or to put it another way (not being a programmer) I do not know how it works ;-)

You set up Samba as normal but without any references to winbind, then join to the domain; sssd then uses the /etc/krb5.keytab created by the join and away you go.

Hope this helps

Rowland

On 24 June 2013 21:30, Marc Muehlfeld <sa...@marc-muehlfeld.de> wrote:
> Hello Rowland,
>
> I haven't used sssd yet. But it's on my schedule for learning and a Wiki HowTo. Your config will be a good start for that.
>
> On 24.06.2013 19:47, Rowland Penny wrote:
>> ... That's it, no special user, no passwords, it just works, I haven't found any problems yet, touch wood.
>
> How does it work? I mean, is there a keytab or anything? Or how does AD know that the retrieving of information is allowed?
>
> Regards,
> Marc

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba4 missing group membership with getent group
On Mon, 2013-06-24 at 18:21 +0200, Marc Muehlfeld wrote:
> Hello Rowland,
>
> On 24.06.2013 12:26, Rowland Penny wrote:
>> As far as I can see, the only way to get getent on the S4 server to show group members is to use sssd
>
> nslcd works great for that job here, too.

Hi
nslcd is simplicity itself but we couldn't get it going for nested groups. Also it doesn't do dynamic dns updates, which sssd throws in for free, and unless you use nscd, it's slow.

Maybe your wiki could include the config for kerberised binds to the S4 ldap? This is all you need:

/etc/nslcd.conf
uid nslcd
gid nslcd
uri ldap://your.f.q.d.n
base dc=foo,dc=bar
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm YOUR.REALM
krb5_ccname /tmp/nslcd.tkt

Hope you get a chance to have a play with sssd. It would be good to hear other views on how it compares with winbind and nslcd.

Cheers,
Steve
Re: [Samba] samba4 missing group membership with getent group
Hi
that's my setting today (AD with 4.06 and file server with 3.6). Working great, but my goal is really to get rid of that (just one machine).

thanks and regards
philippe

From: Ali Bendriss [mailto:ali.bendr...@gmail.com]
Sent: Friday, June 21, 2013 3:39 PM
To: samba@lists.samba.org
Cc: Rowland Penny; Simonet Philippe, ITS-OUS-OP-IFM-NW-IPE
Subject: Re: [Samba] samba4 missing group membership with getent group

On Friday, June 21, 2013 10:12:26 AM Rowland Penny wrote:
> Hi, well yet another reason to use sssd instead of winbind.
[...]
Hi,
Another option is to use samba AD on one server and the file server (smbd + winbindd) on another. Since I've done that (last year I think) I've had no problem at all. At first you may think that it's too much resources (2 servers or VMs) but it's really flexible and easy to maintain.
--
Ali
Re: [Samba] samba4 missing group membership with getent group
If you are using S4 as an ADDC then you are using the builtin winbind and, as far as I can see, this cannot provide group memberships via getent. I could be wrong but I believe that all the builtin winbind pulls from AD is the user's name and the user's primary group. These are either via some algorithm or via rfc2307 uidNumber/gidNumber that must be added manually.

As far as I can see, the only way to get getent on the S4 server to show group members is to use sssd.

If you want to use the S4 server also as a fileserver, you must ensure that the users have the same uidNumber everywhere. This means that you must use rfc2307 attributes and use something to pull them, i.e. the winbind ad backend or sssd; the winbind rid backend will not do - it will never give you the same uidNumber on the S3 clients as on the S4 AD server.

On 24 June 2013 07:05, <philippe.simo...@swisscom.com> wrote:
> Hi
> that's my setting today (AD with 4.06 and file server with 3.6). Working great, but my goal is really to get rid of that (just one machine).
>
> thanks and regards
> philippe
>
> From: Ali Bendriss [mailto:ali.bendr...@gmail.com]
> Sent: Friday, June 21, 2013 3:39 PM
> To: samba@lists.samba.org
> Cc: Rowland Penny; Simonet Philippe, ITS-OUS-OP-IFM-NW-IPE
> Subject: Re: [Samba] samba4 missing group membership with getent group
>
> On Friday, June 21, 2013 10:12:26 AM Rowland Penny wrote:
>> Hi, well yet another reason to use sssd instead of winbind.
> [...]
> Hi,
> Another option is to use samba AD on one server and the file server (smbd + winbindd) on another. Since I've done that (last year I think) I've had no problem at all. At first you may think that it's too much resources (2 servers or VMs) but it's really flexible and easy to maintain.
> --
> Ali
Re: [Samba] samba4 missing group membership with getent group
Hello Rowland,

On 24.06.2013 12:26, Rowland Penny wrote:
> As far as I can see, the only way to get getent on the S4 server to show group members is to use sssd

nslcd works great for that job here, too. The nslcd.conf is almost the same as the one I wrote here:
http://wiki.samba.org/index.php/Samba4/beyond#Nslcd:_User.2FGroups_from_AD_through_openLDAP_proxy

I'll publish the nslcd config for getting the data directly from AD in the wiki in the next days, too.

Regards,
Marc
Re: [Samba] samba4 missing group membership with getent group
Hi Marc, ok it looks like anything will work on an S4 server apart from winbind ;-)

My working /etc/sssd/sssd.conf on the S4 server is:

[sssd]
config_file_version = 2
domains = example.com
services = nss, pam

[nss]

[pam]

[domain/example.com]
description = AD domain with Samba 4 server
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
krb5_realm = EXAMPLE.COM
ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName

That's it, no special user, no passwords, it just works, I haven't found any problems yet, touch wood.

And when 1.10.0 gets released (it's in beta at the moment) it gets even better:

[sssd]
config_file_version = 2
domains = example.com
services = nss, pam

[nss]

[pam]

[domain/example.com]
description = AD domain with Samba 4 server
cache_credentials = true
enumerate = False
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

Rowland

On 24 June 2013 17:21, Marc Muehlfeld <sa...@marc-muehlfeld.de> wrote:
> Hello Rowland,
>
> On 24.06.2013 12:26, Rowland Penny wrote:
>> As far as I can see, the only way to get getent on the S4 server to show group members is to use sssd
>
> nslcd works great for that job here, too. The nslcd.conf is almost the same as the one I wrote here:
> http://wiki.samba.org/index.php/Samba4/beyond#Nslcd:_User.2FGroups_from_AD_through_openLDAP_proxy
>
> I'll publish the nslcd config for getting the data directly from AD in the wiki in the next days, too.
>
> Regards,
> Marc
Re: [Samba] samba4 missing group membership with getent group
Hello Rowland,

I haven't used sssd yet. But it's on my schedule for learning and a Wiki HowTo. Your config will be a good start for that.

On 24.06.2013 19:47, Rowland Penny wrote:
> ... That's it, no special user, no passwords, it just works, I haven't found any problems yet, touch wood.

How does it work? I mean, is there a keytab or anything? Or how does AD know that the retrieving of information is allowed?

Regards,
Marc
Re: [Samba] samba4 missing group membership with getent group
On Fri, 2013-06-21 at 06:23 +, philippe.simo...@swisscom.com wrote:
> Hi Samba users
> but getent group does not return group/user membership :
> TEST3\g1:*:327:
> any advices ?

It doesn't work for groups :(
use:
getent group TEST\g1
hth
Steve
Re: [Samba] samba4 missing group membership with getent group
Hi Steve
getent group TEST3\g1 gives an empty result, and getent group TEST3\\g1 gives the same result as getent group g1, without user/group membership.

In fact my problem goes further: share access control (write list, ...) does not work for @g1, only with u1 ...

Philippe

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of steve
Sent: Friday, June 21, 2013 9:31 AM
To: samba@lists.samba.org
Subject: Re: [Samba] samba4 missing group membership with getent group

On Fri, 2013-06-21 at 06:23 +, philippe.simo...@swisscom.com wrote:
> Hi Samba users
> but getent group does not return group/user membership :
> TEST3\g1:*:327:
> any advices ?

It doesn't work for groups :(
use:
getent group TEST\g1
hth
Steve
Re: [Samba] samba4 missing group membership with getent group
Hi, well yet another reason to use sssd instead of winbind.

When I turned on winbind in /etc/nsswitch.conf on my test S4 server, I get:

id user
uid=3001106(HOME\user) gid=20513(HOME\Domain Users) groups=20513(HOME\Domain Users),21110(HOME\linuxusers)

getent group linuxusers
HOME\linuxusers:*:21110:

But when I turn sssd back on instead of winbind:

id user
uid=3001106(user) gid=20513(Domain Users) groups=20513(Domain Users),21110(linuxusers)

getent group linuxusers
linuxusers:*:21110:user

Oh look, getent displays group users!

Also I would suggest forgetting about using @group in smb.conf and using ACLs instead.

Rowland

On 21 June 2013 09:36, <philippe.simo...@swisscom.com> wrote:
> Hi Steve
> getent group TEST3\g1 gives an empty result, and getent group TEST3\\g1 gives the same result as getent group g1, without user/group membership.
>
> In fact my problem goes further: share access control (write list, ...) does not work for @g1, only with u1 ...
>
> Philippe
>
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of steve
> Sent: Friday, June 21, 2013 9:31 AM
> To: samba@lists.samba.org
> Subject: Re: [Samba] samba4 missing group membership with getent group
>
> On Fri, 2013-06-21 at 06:23 +, philippe.simo...@swisscom.com wrote:
>> Hi Samba users
>> but getent group does not return group/user membership :
>> TEST3\g1:*:327:
>> any advices ?
>
> It doesn't work for groups :(
> use:
> getent group TEST\g1
> hth
> Steve
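The symptom Rowland shows above (id lists a group for the user, but the getent group entry for that group has an empty member field) and the caveat raised elsewhere in this thread (a user must resolve to the same uidNumber on the DC and on the file server, or file ownership and share ACLs will not line up) are both easy to check mechanically. The following is an added example, not code from the thread or from the Samba or sssd projects: it parses id, getent group and getent passwd output in their standard formats and reports the two inconsistencies. All sample output is constructed to mirror the values quoted in Rowland's post (domain HOME, user "user", group linuxusers); the second host's passwd lines and the user "alice" are hypothetical.

```python
import re

# Constructed `id user` output under winbind and under sssd (values as quoted in the thread).
ID_OUTPUT_WINBIND = (
    "uid=3001106(HOME\\user) gid=20513(HOME\\Domain Users) "
    "groups=20513(HOME\\Domain Users),21110(HOME\\linuxusers)"
)
ID_OUTPUT_SSSD = (
    "uid=3001106(user) gid=20513(Domain Users) "
    "groups=20513(Domain Users),21110(linuxusers)"
)

# Constructed `getent group` lines (name:passwd:gid:member1,member2,...).
GETENT_GROUP_WINBIND = ["HOME\\linuxusers:*:21110:", "HOME\\Domain Users:*:20513:"]
GETENT_GROUP_SSSD = ["linuxusers:*:21110:user", "Domain Users:*:20513:user"]

# Constructed `getent passwd` lines from two hosts: the DC and a file server whose
# id mapping backend handed "alice" a different uid (hypothetical values).
PASSWD_DC = ["user:*:3001106:20513::/home/user:/bin/bash",
             "alice:*:3001107:20513::/home/alice:/bin/bash"]
PASSWD_FILESERVER = ["user:*:3001106:20513::/home/user:/bin/bash",
                     "alice:*:3000001:20513::/home/alice:/bin/bash"]


def parse_id(output):
    """Return (uid, username, {gid: groupname}) from a line of `id` output."""
    head = re.match(r"uid=(\d+)\(([^)]*)\)", output)
    uid, name = int(head.group(1)), head.group(2)
    groups = {}
    for item in re.search(r"groups=(.*)$", output).group(1).split(","):
        g = re.match(r"(\d+)\(([^)]*)\)", item.strip())
        groups[int(g.group(1))] = g.group(2)
    return uid, name, groups


def parse_group_lines(lines):
    """Return {gid: (groupname, set_of_members)} from `getent group` lines."""
    table = {}
    for line in lines:
        name, _pw, gid, members = line.split(":", 3)
        table[int(gid)] = (name, {m for m in members.split(",") if m})
    return table


def strip_domain(name):
    """'HOME\\user' -> 'user'; names without a DOMAIN\\ prefix are returned unchanged."""
    return name.rsplit("\\", 1)[-1]


def missing_memberships(id_output, group_lines):
    """Names of groups that `id` reports for the user but whose `getent group`
    entry does not list the user as a member (the thread's winbind symptom)."""
    _uid, name, groups = parse_id(id_output)
    user = strip_domain(name)
    table = parse_group_lines(group_lines)
    missing = []
    for gid, gname in groups.items():
        entry = table.get(gid)
        if entry is None or user not in {strip_domain(m) for m in entry[1]}:
            missing.append(gname)
    return missing


def parse_passwd_lines(lines):
    """Return {username: uid} from `getent passwd` lines."""
    return {line.split(":")[0]: int(line.split(":")[2]) for line in lines}


def uid_mismatches(passwd_a, passwd_b):
    """Users present on both hosts whose uid differs: {user: (uid_a, uid_b)}."""
    a, b = parse_passwd_lines(passwd_a), parse_passwd_lines(passwd_b)
    return {u: (a[u], b[u]) for u in a if u in b and a[u] != b[u]}


if __name__ == "__main__":
    print("winbind, groups without the user listed:", missing_memberships(ID_OUTPUT_WINBIND, GETENT_GROUP_WINBIND))
    print("sssd, groups without the user listed:   ", missing_memberships(ID_OUTPUT_SSSD, GETENT_GROUP_SSSD))
    print("uid mismatches DC vs file server:", uid_mismatches(PASSWD_DC, PASSWD_FILESERVER))
```

On a live system the same functions take the output of `id "$user"`, `getent group` and `getent passwd` captured from each host (for example via subprocess); a non-empty result from missing_memberships means share access lists keyed on @group will not match that user, and any entry in uid_mismatches means files created on one host will appear to belong to someone else on the other.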
Re: [Samba] samba4 missing group membership with getent group
On Fri, 2013-06-21 at 08:36 +, philippe.simo...@swisscom.com wrote:
> Hi Steve
> getent group TEST3\g1 gives an empty result, and getent group TEST3\\g1 gives the same result as getent group g1, without user/group membership.
>
> In fact my problem goes further: share access control (write list, ...) does not work for @g1, only with u1 ...
>
> Philippe

Oh dear. I know the feeling. You can wait for someone who knows winbind to read and help or, if you want it to just work, use sssd or nslcd and forget winbind. The latter you can do now . . .
hth
Steve
Re: [Samba] samba4 missing group membership with getent group
On Fri, 2013-06-21 at 10:12 +0100, Rowland Penny wrote:
> Hi, well yet another reason to use sssd instead of winbind.
>
> When I turned on winbind in /etc/nsswitch.conf on my test S4 server,

> Also I would suggest forgetting about using @group in smb.conf and using ACLs instead.

Didn't see this, but absolutely. Use acl's. Have you ever tried referring to man smb.conf. Phew!
Re: [Samba] samba4 missing group membership with getent group
On Friday, June 21, 2013 10:12:26 AM Rowland Penny wrote:
> Hi, well yet another reason to use sssd instead of winbind.
[...]

Hi,
Another option is to use samba AD on one server and the file server (smbd + winbindd) on another. Since I've done that (last year I think) I've had no problem at all. At first you may think that it's too much resources (2 servers or VMs) but it's really flexible and easy to maintain.
--
Ali
Re: [Samba] samba4 missing group membership with getent group
On Fri, 2013-06-21 at 15:39 +0200, Ali Bendriss wrote:
> On Friday, June 21, 2013 10:12:26 AM Rowland Penny wrote:
>> Hi, well yet another reason to use sssd instead of winbind.
> [...]
>
> Hi,
> Another option is to use samba AD on one server and the file server (smbd + winbindd) on another. Since I've done that (last year I think) I've had no problem at all. At first you may think that it's too much resources (2 servers or VMs) but it's really flexible and easy to maintain.

Hi,
That's a good idea but we don't know what setup the OP has, we only know that getent group doesn't work. In any case, if he wants to see getent password work with the setup you suggest, he's going to have to configure winbind in at least two distinct ways, once for the DC and once for the file server. He will also have to edit smb.conf. Or maybe he could get away with not using getent at all on the DC?