[Image caption: intelligence: an expert at work, yesterday]
This is a check-list. It is a check-list for when winbind doesn't work. The domain is called hh3.site. The file server is called altea and the DC is called hh16. We have added a domain user called steve2 with samba-tool user add steve2. The DC and file server were both built from 4.1.9 source. The DC was provisioned without rfc2307. The IP of the DC running bind9 dlz is 192.168.1.16 and that of the file server is 192.168.1.100. If this is simply a client using DHCP, please see the notes in grey (the parenthetical notes below).
Remember that this is a check-list. It doesn't tell you how to do it. You've already done that. This is a last attempt. A check-list.
1. This is smb.conf on the DC
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
2. This is smb.conf on the file server
[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab
server string = hh3.site file-server
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config HH3 : backend = ad
idmap config HH3 : range = 20001-4000000
idmap config HH3 : schema_mode = rfc2307
3. Does the group Domain Users have a gidNumber?
On the DC, take a look:
ldbsearch --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users
dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20130605151145.0Z
uSNCreated: 3541
name: Domain Users
objectGUID: c684aa92-fd56-46d5-a4cf-8a46c459707b
objectSid: S-1-5-21-451355595-2219208293-2714859210-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=hh3,DC=site
gidNumber: 20513
objectClass: top
objectClass: group
whenChanged: 20140519084720.0Z
uSNChanged: 8131
distinguishedName: CN=Domain Users,CN=Users,DC=hh3,DC=site
If yes, good. If no:
ldbedit -e leafpad --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users
4. Is your domain user also a local user?
On the file server:
cat /etc/passwd | grep steve2
Domain users only please. If not, decide which one you wish to keep and revise your naming plan accordingly.
5. Does your domain user have a minimum of uidNumber and gidNumber?
You know how to get the dn thing on the DC now, so have a look at steve2:
dn: CN=steve2,CN=Users,DC=hh3,DC=site
cn: steve2
instanceType: 4
whenCreated: 20130605152701.0Z
uSNCreated: 3800
name: steve2
objectGUID: 3dfcb8e8-fca2-49ea-9ac8-8e1b0563a379
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-451355595-2219208293-2714859210-1107
logonCount: 0
sAMAccountType: 805306368
userPrincipalName: steve2@hh3.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 130149196210000000
userAccountControl: 66048
accountExpires: 0
unixHomeDirectory: /home/users/steve2
loginShell: /bin/bash
profilePath: \\altea\profiles\steve2
homeDrive: Z:
homeDirectory: \\altea\users\steve2
gidNumber: 20513
uidNumber: 3000021
memberOf: CN=staff2,CN=Users,DC=hh3,DC=site
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
mail: steve@steve-ss.com
sAMAccountName: steve2
whenChanged: 20140527111834.0Z
uSNChanged: 9644
distinguishedName: CN=steve2,CN=Users,DC=hh3,DC=site
If not, ldbedit him, adding uidNumber and gidNumber to taste. Note: steve2 is fortunate to have a complete set of attributes which allow him to log onto both Linux and Windows workstations alike and have access to the same data on both.
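Items 2, 3 and 5 leave one question implicit: do the user's uidNumber and gidNumber actually fall inside the range given by "idmap config HH3 : range" on the file server? With the ad backend, winbind will not map an ID outside that range, and getent passwd then prints nothing at all. The script below is an added example, not part of the original check-list; the smb.conf fragment and the ldbsearch output it contains are constructed copies of the values shown above, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original check-list: check a user's uidNumber and
# gidNumber (from ldbsearch on the DC) against the file server's idmap range,
# and check that the "*" range and the domain range do not overlap.

# Constructed sample: the idmap lines of the file server's smb.conf (item 2).
SMB_CONF='[global]
workgroup = HH3
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config HH3 : backend = ad
idmap config HH3 : range = 20001-4000000
idmap config HH3 : schema_mode = rfc2307'

# Constructed sample: the ID attributes from ldbsearch for steve2 (item 5).
USER_LDIF='dn: CN=steve2,CN=Users,DC=hh3,DC=site
sAMAccountName: steve2
gidNumber: 20513
uidNumber: 3000021'

# idmap_range CONF DOMAIN -> prints "LOW HIGH" for "idmap config DOMAIN : range"
idmap_range() {
    printf '%s\n' "$1" | awk -v key="idmap config $2 : range" -F'=' '{
        k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]*:[ \t]*/, " : ", k)
        if (k == key) { v = $2; gsub(/[ \t]/, "", v); split(v, r, "-"); print r[1], r[2]; exit }
    }'
}

# ldif_attr LDIF ATTR -> value of the first "ATTR: value" line
ldif_attr() {
    printf '%s\n' "$1" | awk -v a="$2" -F': ' '$1 == a { print $2; exit }'
}

# in_range VALUE LOW HIGH -> 0 when LOW <= VALUE <= HIGH
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# ranges_disjoint CONF DOMAIN -> 0 when the "*" range and the DOMAIN range do not overlap
ranges_disjoint() {
    set -- $(idmap_range "$1" '*') $(idmap_range "$1" "$2")
    [ $# -eq 4 ] || return 2
    [ "$2" -lt "$3" ] || [ "$4" -lt "$1" ]
}

# check_user_ids CONF LDIF DOMAIN -> 0 when both IDs map, 1 when one is out of
# range, 2 when the range is missing, 3 when the user lacks the attributes
check_user_ids() {
    cu_conf=$1; cu_ldif=$2; cu_dom=$3
    set -- $(idmap_range "$cu_conf" "$cu_dom")
    [ $# -eq 2 ] || { echo "no 'idmap config $cu_dom : range' in smb.conf"; return 2; }
    cu_low=$1; cu_high=$2
    cu_uid=$(ldif_attr "$cu_ldif" uidNumber); cu_gid=$(ldif_attr "$cu_ldif" gidNumber)
    [ -n "$cu_uid" ] && [ -n "$cu_gid" ] \
        || { echo "uidNumber/gidNumber missing: ldbedit the user (item 5)"; return 3; }
    cu_rc=0
    in_range "$cu_uid" "$cu_low" "$cu_high" \
        || { echo "uidNumber $cu_uid is outside $cu_low-$cu_high"; cu_rc=1; }
    in_range "$cu_gid" "$cu_low" "$cu_high" \
        || { echo "gidNumber $cu_gid is outside $cu_low-$cu_high"; cu_rc=1; }
    [ "$cu_rc" -eq 0 ] && echo "ok: uid $cu_uid and gid $cu_gid are inside $cu_low-$cu_high"
    return "$cu_rc"
}

check_user_ids "$SMB_CONF" "$USER_LDIF" HH3
ranges_disjoint "$SMB_CONF" HH3 && echo "ok: '*' range and HH3 range do not overlap"
```

On a real file server, feed it the live files instead of the constructed samples: SMB_CONF from /usr/local/samba/etc/smb.conf (or wherever yours lives) and USER_LDIF from the ldbsearch on the DC shown above. A user whose uidNumber is inside the "*" range but outside the HH3 range is the classic symptom of an ID chosen before the range was planned.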
5. Do you have a keytab?
On the file server:
klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/altea.hh3.site@HH3.SITE
1 host/altea.hh3.site@HH3.SITE
1 host/altea.hh3.site@HH3.SITE
1 host/altea.hh3.site@HH3.SITE
1 host/altea.hh3.site@HH3.SITE
1 host/altea@HH3.SITE
1 host/altea@HH3.SITE
1 host/altea@HH3.SITE
1 host/altea@HH3.SITE
1 host/altea@HH3.SITE
1 ALTEA$@HH3.SITE
1 ALTEA$@HH3.SITE
1 ALTEA$@HH3.SITE
1 ALTEA$@HH3.SITE
1 ALTEA$@HH3.SITE
If not:
net ads keytab create -UAdministrator
No -k? Use ktutil (rkt reads the keytab, not krb5.conf):
ktutil
rkt /etc/krb5.keytab
list
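Beyond "is there a keytab", the two things worth confirming in that listing are that all three principal forms the join writes for altea are present, and that every entry carries the same KVNO: mixed KVNOs usually mean the keytab survived a rejoin, which is exactly why item 12 removes it before rejoining. The script below is an added example, not part of the original check-list; the klist output it parses is a constructed copy of the listing above, trimmed to one line per principal, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original check-list: parse "klist -k" output and
# confirm the host/FQDN, host/short and MACHINE$ principals exist for the
# given host and realm, all with one and the same KVNO.

# Constructed sample: the listing from item 5, one line per principal.
KLIST_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/altea.hh3.site@HH3.SITE
   1 host/altea@HH3.SITE
   1 ALTEA$@HH3.SITE'

# keytab_principals OUTPUT -> unique principal names, one per line
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && NF == 2 { print $2 }' | sort -u
}

# keytab_kvnos OUTPUT -> unique KVNO values, one per line
keytab_kvnos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && NF == 2 { print $1 }' | sort -u
}

# check_keytab OUTPUT SHORTNAME FQDN REALM -> 0 when all three principals are
# present and share one KVNO, 1 otherwise; prints what it found
check_keytab() {
    ck_out=$1; ck_short=$2; ck_fqdn=$3; ck_realm=$4
    ck_princs=$(keytab_principals "$ck_out")
    ck_upper=$(printf '%s' "$ck_short" | tr '[:lower:]' '[:upper:]')
    ck_rc=0
    for ck_want in "host/$ck_fqdn@$ck_realm" "host/$ck_short@$ck_realm" "$ck_upper\$@$ck_realm"; do
        if printf '%s\n' "$ck_princs" | grep -qxF "$ck_want"; then
            echo "present: $ck_want"
        else
            echo "MISSING: $ck_want (net ads keytab create, or leave and rejoin)"; ck_rc=1
        fi
    done
    ck_n=$(keytab_kvnos "$ck_out" | wc -l | tr -d ' ')
    if [ "$ck_n" -ne 1 ]; then
        echo "WARNING: $ck_n different KVNOs in one keytab; stale entries from an earlier join"
        ck_rc=1
    fi
    return "$ck_rc"
}

check_keytab "$KLIST_OUT" altea altea.hh3.site HH3.SITE
```

On the file server itself, replace the sample with `check_keytab "$(klist -k)" altea altea.hh3.site HH3.SITE`. A KVNO that differs from what the DC holds for the machine account is also what you get when the machine password was changed on the DC side without the file server's keytab being rewritten.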
6. DNS I
cat /etc/HOSTNAME (or perhaps, /etc/hostname)
altea
7. DNS II
Go no further until the following commands return:
hostname
altea.hh3.site
hostname -d
hh3.site
hostname -f
altea.hh3.site
hostname -s
altea
If not, set hosts properly:
cat /etc/hosts
127.0.0.1 localhost
192.168.1.100 altea.hh3.site altea
(for a client without smbd under DHCP use instead:
127.0.0.1 altea.hh3.site altea localhost)
and:
/etc/resolv.conf
search hh3.site
nameserver 192.168.1.16
and:
/etc/krb5.conf
[libdefaults]
default_realm = HH3.SITE
dns_lookup_realm = false
dns_lookup_kdc = true
systemd? No problem. Just add the line:
default_ccache_name = /tmp/krb5cc_%{uid}
to the [libdefaults] section of /etc/krb5.conf
8. Still with us?
Tell nss to use winbind and some dns stuff:
/etc/nsswitch.conf
passwd: files winbind
group: files winbind
hosts: files dns
networks: files dns
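Items 7 and 8 are three small files that have to agree with each other: the FQDN must come before the short name on the host's line in /etc/hosts (or hostname -f returns "altea"), resolv.conf must search hh3.site and point at the DC that runs bind9 dlz, and nsswitch.conf must hand passwd and group lookups to winbind. The script below is an added example, not part of the original check-list; it checks constructed copies of the files shown above, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original check-list: sanity-check /etc/hosts,
# /etc/resolv.conf and /etc/nsswitch.conf against the values from items 7 and 8.

# Constructed samples, copied from the check-list.
HOSTS='127.0.0.1 localhost
192.168.1.100 altea.hh3.site altea'
RESOLV='search hh3.site
nameserver 192.168.1.16'
NSSWITCH='passwd: files winbind
group: files winbind
hosts: files dns
networks: files dns'

# hosts_fqdn_first HOSTS IP FQDN SHORT -> 0 when the line for IP lists the FQDN
# before the short name (what "hostname -f" needs to return altea.hh3.site)
hosts_fqdn_first() {
    printf '%s\n' "$1" | awk -v ip="$2" -v fqdn="$3" -v short="$4" '
        $1 == ip { for (i = 2; i <= NF; i++) { if ($i == fqdn) { ok = 1; exit } if ($i == short) exit } }
        END { exit ok ? 0 : 1 }'
}

# resolv_ok RESOLV DOMAIN DC_IP -> 0 when DOMAIN is in the search list and the
# first nameserver is the DC (a DHCP-supplied resolver elsewhere breaks SRV lookups)
resolv_ok() {
    printf '%s\n' "$1" | awk -v dom="$2" -v dc="$3" '
        $1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) if ($i == dom) s = 1 }
        $1 == "nameserver" { if (n == "") n = $2 }
        END { exit (s && n == dc) ? 0 : 1 }'
}

# nss_has NSSWITCH DATABASE SOURCE -> 0 when "DATABASE:" lists SOURCE
nss_has() {
    printf '%s\n' "$1" | awk -v db="$2:" -v src="$3" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_name_resolution HOSTS RESOLV NSSWITCH IP FQDN SHORT DOMAIN DC_IP -> 0 when all pass
check_name_resolution() {
    cn_rc=0
    hosts_fqdn_first "$1" "$4" "$5" "$6" && echo "hosts: ok" \
        || { echo "hosts: put $5 before $6 on the $4 line"; cn_rc=1; }
    resolv_ok "$2" "$7" "$8" && echo "resolv.conf: ok" \
        || { echo "resolv.conf: search $7 and nameserver $8 expected"; cn_rc=1; }
    for cn_db in passwd group; do
        nss_has "$3" "$cn_db" winbind && echo "nsswitch $cn_db: ok" \
            || { echo "nsswitch: add winbind to $cn_db"; cn_rc=1; }
    done
    nss_has "$3" hosts dns && echo "nsswitch hosts: ok" \
        || { echo "nsswitch: add dns to hosts"; cn_rc=1; }
    return "$cn_rc"
}

check_name_resolution "$HOSTS" "$RESOLV" "$NSSWITCH" 192.168.1.100 altea.hh3.site altea hh3.site 192.168.1.16
```

For the DHCP client variant from item 7, call hosts_fqdn_first with 127.0.0.1 as the IP; the rule is the same, the FQDN still has to come first. On a live box pass `"$(cat /etc/hosts)"` and so on in place of the samples.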
9. remove nscd
10. remove the winbind cache
net cache flush
11. PAM priorities
WARNING: keep open a root terminal. Blow this and you lock yourself out. So, in this order:
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_winbind.so use_first_pass
account requisite pam_unix2.so
account required pam_winbind.so use_first_pass
password sufficient pam_winbind.so
password requisite pam_pwcheck.so cracklib
password required pam_unix2.so use_authtok
session required pam_unix2.so
session required pam_winbind.so
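The order matters for exactly the reason the warning gives: with "auth sufficient pam_unix2.so" before pam_winbind, local accounts (root included) still log in when winbind is broken, and use_first_pass on the winbind line stops the user being asked for the password twice. The script below is an added example, not part of the original check-list, that checks those properties of a PAM stack before you rely on it; the stack it checks is a constructed copy of the one above, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original check-list: check a PAM stack for the
# properties item 11 depends on, from a root terminal that is still open.

# Constructed copy of the stack from item 11.
PAM_STACK='auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_winbind.so use_first_pass
account requisite pam_unix2.so
account required pam_winbind.so use_first_pass
password sufficient pam_winbind.so
password requisite pam_pwcheck.so cracklib
password required pam_unix2.so use_authtok
session required pam_unix2.so
session required pam_winbind.so'

# pam_line_no STACK TYPE MODULE [CONTROL] -> line number of the first matching
# line (1-based), or nothing when there is none
pam_line_no() {
    printf '%s\n' "$1" | awk -v t="$2" -v m="$3" -v c="$4" '
        $1 == t && $3 == m && (c == "" || $2 == c) { print NR; exit }'
}

# pam_check STACK -> 0 when the stack is safe, 1 otherwise; prints findings
pam_check() {
    pc_stack=$1; pc_rc=0
    # every management group must hand over to winbind
    for pc_t in auth account password session; do
        [ -n "$(pam_line_no "$pc_stack" "$pc_t" pam_winbind.so)" ] \
            || { echo "$pc_t: no pam_winbind.so line"; pc_rc=1; }
    done
    # auth: a "sufficient" pam_unix line must come before pam_winbind, so local
    # accounts (root!) keep working when winbind is down
    pc_unix=$(pam_line_no "$pc_stack" auth pam_unix2.so sufficient)
    [ -n "$pc_unix" ] || pc_unix=$(pam_line_no "$pc_stack" auth pam_unix.so sufficient)
    pc_wb=$(pam_line_no "$pc_stack" auth pam_winbind.so)
    if [ -z "$pc_unix" ] || [ -z "$pc_wb" ] || [ "$pc_unix" -gt "$pc_wb" ]; then
        echo "auth: 'sufficient pam_unix*.so' must precede pam_winbind.so (lockout risk)"; pc_rc=1
    fi
    # auth: the winbind line should reuse the password pam_unix already asked for
    printf '%s\n' "$pc_stack" | awk '$1 == "auth" && $3 == "pam_winbind.so"' | grep -q use_first_pass \
        || { echo "auth: pam_winbind.so lacks use_first_pass"; pc_rc=1; }
    [ "$pc_rc" -eq 0 ] && echo "pam stack: ok"
    return "$pc_rc"
}

pam_check "$PAM_STACK"
```

On a real system run it against the file your distribution actually uses, e.g. `pam_check "$(cat /etc/pam.d/common-auth /etc/pam.d/common-account /etc/pam.d/common-password /etc/pam.d/common-session)"`, and only then close the spare root terminal.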
12. If you changed anything
leave the domain:
net ads leave -UAdministrator
remove the keytab:
rm /etc/krb5.keytab
and rejoin:
net ads join -UAdministrator
13. I'm not allowed to say reboot
14. Restart smbd and winbind (restart winbind)
15. Do you see this?
getent passwd steve2
steve2:*:3000021:20513:steve2:/home/users/steve2:/bin/bash
If so, congratulate yourself. And remember, there is much more fun to come; you may now go back and add your shares to smb.conf.
16. No?
The links? You did of course make the links when you installed:
for 32 bit:
ln -s /usr/local/samba/lib/libnss_winbind.so /lib
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
ldconfig
17. winbind still doesn't work?
There is an easy alternative.