On Fri, May 24, 2019 at 01:13:38PM +0200, Alexander Fieroch wrote:
> On 20.05.19 at 17:22, Sumit Bose wrote:
> > Hi,
>
> Hi!
>
> > the recommendation is to use both.
>
> > Recent versions of Samba require winbind to run on domain members. The
> > reason is that legacy code was removed from the smbd process which older
> > versions used as a fallback to communicate with an AD DC. Now smbd needs
> > winbind to be able to communicate with AD.
> >
> > But you still can use SSSD for all other system services, winbind will
> > be used exclusively by smbd.
> >
> > The following changes are needed (I'm sorry but I'm not too familiar with
> > the SSSD packages in Ubuntu, so I hope I'm right about the package
> > names).
> >
> > First, I assume you have the libwbclient-sssd package installed to
> > redirect requests for winbind to SSSD. Please remove this package and
> > make sure libwbclient0 is installed.
> >
> > To make sure that winbind and SSSD use the same id-mapping please add
> > something like the following to smb.conf:
> >
> > idmap config <AD-DOMAIN-SHORTNAME> : backend = sss
> > idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 100000-199999
> >
> > this tells winbind to ask SSSD which POSIX IDs to use for Windows users
> > and groups.
>
> Thank you very much!
>
> How do I have to adapt the range to our AD? I'm not sure about these values.
> Our AD users have an ID between 10000 and 23000, our groups have IDs between
> 31000 and 33000. We only have one domain.
>
> So is it safe to set 10000 as minimum range value and 33000 as maximum?
>
> idmap config * : backend = tdb
> idmap config * : range = 1000-5000
> idmap config DOMAIN : backend = sss
> idmap config DOMAIN : range = 10000-33000
Hi,
that's ok, just keep in mind that you have to increase the upper limit
in case your GIDs become larger than 33000.
>
> > On the SSSD side please disable the automatic host key renewal by
> > setting
> >
> > ad_maximum_machine_account_password_age = 0
> >
> > in the [domain/...] section of sssd.conf.
>
> Does sssd renew the machine account password automatically?
Yes, recent versions do this automatically if adcli is installed.
>
>
> > Depending on how you joined the AD domain and if SSSD already renewed
> > the machine account password, it might be necessary to re-join the domain
> > with the 'net ads join ...' command or even easier with 'realm join
> > --membership-software=samba ....' to set all the needed data winbind
> > needs for operation. You can check by trying to start winbind. If it
> > starts without errors all should be fine, otherwise please try to
> > rejoin.
>
>
> I did some tests with the new configuration above...
> Previously I joined my clients to AD with realm and not "net ads join".
> An additional "realm join --membership-software=samba ..." fails with
>
> realm: Already joined to this domain
>
> So I have to remove clients first with "realm leave --remove".
> Now it is working for me (including winbind) and samba sharing on ubuntu
> 19.04. I used
>
> $ realm join --user-principal=host/hostname@DOMAIN
> --automatic-id-mapping=no --client-software=sssd --membership-software=samba
>
>
> The command "realm list" lists two domains. Is this normal behavior?
Yes, that's expected. realmd does not store a state somewhere, it looks
at existing configurations and in your case both are available.
>
> # realm list
> DOMAIN
> type: kerberos
> realm-name: DOMAIN
> domain-name: DOMAIN
> configured: kerberos-member
> server-software: active-directory
> client-software: winbind
> required-package: winbind
> required-package: libpam-winbind
> required-package: samba-common-bin
> login-formats: DOMAIN\%U
> login-policy: allow-any-login
> DOMAIN
> type: kerberos
> realm-name: DOMAIN
> domain-name: DOMAIN
> configured: kerberos-member
> server-software: active-directory
> client-software: sssd
> required-package: sssd-tools
> required-package: sssd
> required-package: libnss-sss
> required-package: libpam-sss
> required-package: adcli
> required-package: samba-common-bin
> login-formats: %U
> login-policy: allow-realm-logins
>
>
>
> CentOS
> ======
> Unfortunately I do not get samba shares working on a centos 7 test-vm.
> I use the same configuration as with ubuntu where it is working.
> "getent passwd" and "wbinfo -u" are both working and show me the AD users
> list.
> But network shares are not accessible/working.
>
> $ smbclient -U centos7/admin -L //centos7
> do_connect: Connection to centos7 failed (Error NT_STATUS_HOST_UNREACHABLE)
Can you send the full debug output of the call
$ smbclient -U centos7/admin -L //centos7 -d 10
bye,
Sumit
>
>
>
> # yum list installed | grep winbind
> samba-winbind.x86_64 4.8.3-4.el7 @base
> samba-winbind-clients.x86_64 4.8.3-4.el7 @base
> samba-winbind-modules.x86_64 4.8.3-4.el7 @base
>
> Something has to be different on CentOS/RedHat with samba 4.8.
>
>
> /var/log/samba/log.winbindd:
>
> [2019/05/24 12:55:50.100437, 0]
> ../source3/winbindd/winbindd.c:239(winbindd_sig_term_handler)
> Got sig[15] terminate (is_parent=1)
> [2019/05/24 12:55:50.203135, 0]
> ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
> initialize_winbindd_cache: clearing cache and re-creating with version
> number 2
> [2019/05/24 12:55:50.206805, 0]
> ../lib/util/become_daemon.c:138(daemon_ready)
> daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to
> serve connections
> [2019/05/24 12:58:15.204925, 0]
> ../source3/winbindd/winbindd.c:239(winbindd_sig_term_handler)
> Got sig[15] terminate (is_parent=1)
> [2019/05/24 12:58:15.256253, 0]
> ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
> initialize_winbindd_cache: clearing cache and re-creating with version
> number 2
> [2019/05/24 12:58:15.259906, 0]
> ../lib/util/become_daemon.c:138(daemon_ready)
> daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to
> serve connections
>
>
> Any hints which configuration I have to change or which additional packages
> I need?
>
>
> Thanks!
>
> Best regards,
> Alexander
>
>
> > HTH
> >
> > bye,
> > Sumit
> >
> > > Or is it not possible anymore to use only SSSD with samba shares without
> > > winbind?
> > >
> > >
> > > Thanks!
> > > Best regards
> > >
> > >
> > > /etc/samba/smb.conf:
> > > [global]
> > > disable netbios = Yes
> > > dns proxy = No
> > > domain master = No
> > > kerberos method = system keytab
> > > local master = No
> > > log file = /var/log/samba/log.%m
> > > map to guest = Bad User
> > > max log size = 1000
> > > obey pam restrictions = Yes
> > > pam password change = Yes
> > > panic action = /usr/share/samba/panic-action %d
> > > passwd chat = *Enter\snew\s*\spassword:* %n\n
> > > *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> > > passwd program = /usr/bin/passwd %u
> > > realm = DOMAIN
> > > security = ADS
> > > server role = member server
> > > server string = %h %a
> > > syslog = 0
> > > unix password sync = Yes
> > > usershare allow guests = Yes
> > > workgroup = DOMAIN
> > >
> > >
> > >
> > >
> > > ----- End forwarded message -----
> > > _______________________________________________
> > > sssd-users mailing list -- [email protected]
> > > To unsubscribe send an email to [email protected]
> > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> > > https://lists.fedorahosted.org/archives/list/[email protected]
>
>
> --
> Dipl.-Inf. Alexander Fieroch
> Max-Planck-Institut für molekulare Physiologie
> Zentrale Einrichtung EDV
> Otto-Hahn-Str. 11
> D-44227 Dortmund
> Tel.: +49 (231) 133-2680
>
>
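As an added example (not code from the thread or from Samba/SSSD), a small Python check for the idmap configuration discussed above: it parses the `idmap config` lines from smb.conf, compares them against the IDs that `getent passwd` / `getent group` return, and reports IDs that fall outside the domain range (the "increase the upper limit" case Sumit mentions) as well as an overlap between the domain range and the default `*` range. The smb.conf fragment, account names and IDs are constructed samples.

```python
import re

# Constructed smb.conf fragment mirroring the idmap settings from the thread.
SMB_CONF = """
   idmap config * : backend = tdb
   idmap config * : range = 1000-5000
   idmap config DOMAIN : backend = sss
   idmap config DOMAIN : range = 10000-33000
"""
# Constructed output in the shape of `getent passwd` / `getent group`
# (hypothetical names and IDs, not taken from a real directory).
GETENT_PASSWD = """\
alice:*:10001:31000:Alice:/home/alice:/bin/bash
bob:*:22999:31000:Bob:/home/bob:/bin/bash
"""
GETENT_GROUP = """\
domain users:*:31000:
admins:*:33001:
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (lo, hi)}} from smb.conf text."""
    out = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = out.setdefault(dom, {})
        if key == "range":
            lo, hi = val.split("-")
            entry["range"] = (int(lo), int(hi))
        else:
            entry["backend"] = val.lower()
    return out

def check_ranges(conf, passwd_out, group_out, domain):
    """List IDs outside the domain's idmap range and any overlap with '*'."""
    idmap = parse_idmap(conf)
    lo, hi = idmap[domain]["range"]
    # Third colon-separated field is the UID (passwd) or GID (group).
    ids = [int(l.split(":")[2]) for l in passwd_out.splitlines() if l]
    ids += [int(l.split(":")[2]) for l in group_out.splitlines() if l]
    problems = [f"id {i} outside {domain} range {lo}-{hi}"
                for i in ids if not lo <= i <= hi]
    dlo, dhi = idmap["*"]["range"]
    if dlo <= hi and lo <= dhi:  # winbind requires non-overlapping ranges
        problems.append("domain range overlaps default '*' range")
    return problems
```

On a real host, replace the constructed strings with the contents of /etc/samba/smb.conf and the output of `getent passwd` and `getent group`.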