Loading
Version: pbis-open-8.7.1-494.x86_64
OS/Distro: Centos 7.4.1708
Issue/Impact:
actually i dont know if this is a problem or not, as my machine is joined the domain and samba works fine with out any problems other than the annoying big issue with group members explained the issue #160 .
on the integration document after installing integration component and configuring samba you mentioned that we need to run testparm and make sure there is no error in the output, but in my case i configured samba exactly as in the document and there is no line for idmaping config, and i always receive this error
Output/Error from testparam:
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *
samba works fine by my logs are filled with the message
Output/Error in log files:
2018-12-12T10:03:54.153545+01:00 sha6130 smbd[12557]: [2018/12/12 10:03:54.153512, 1] ../source3/param/loadparm.c:2458(lp_idmap_range)
2018-12-12T10:03:54.153566+01:00 sha6130 smbd[12557]: idmap range not specified for domain '*'
2018-12-12T10:03:54.484216+01:00 sha6130 smbd[10847]: [2018/12/12 10:03:54.484178, 1] ../source3/param/loadparm.c:2458(lp_idmap_range)
2018-12-12T10:03:54.484225+01:00 sha6130 smbd[10847]: idmap range not specified for domain '*'
2018-12-12T10:03:55.271499+01:00 sha6130 smbd[10853]: [2018/12/12 10:03:55.271464, 1] ../source3/param/loadparm.c:2458(lp_idmap_range)
2018-12-12T10:03:55.271507+01:00 sha6130 smbd[10853]: idmap range not specified for domain '*'
2018-12-12T10:04:25.521451+01:00 sha6130 smbd[11188]: [2018/12/12 10:04:25.521413, 1] ../source3/param/loadparm.c:2458(lp_idmap_range)
2018-12-12T10:04:25.521471+01:00 sha6130 smbd[11188]: idmap range not specified for domain '*'
so should i simply ignore this messahe and filter it out from my rsyslog? or is there a solution for this.
Version: pbis-open-8.7.1-494.x86_64
OS/Distro: Centos 7.4.1708
Issue/Impact:
actually i dont know if this is a problem or not, as my machine is joined the domain and samba works fine with out any problems other than the annoying big issue with group members explained the issue #160 .
on the integration document after installing integration component and configuring samba you mentioned that we need to run testparm and make sure there is no error in the output, but in my case i configured samba exactly as in the document and there is no line for idmaping config, and i always receive this error
Output/Error from testparam:
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *
samba works fine by my logs are filled with the message
Output/Error in log files:
2018-12-12T10:03:54.153545+01:00 sha6130 smbd[12557]: [2018/12/12 10:03:54.153512, 1] ../source3/param/loadparm.c:2458(lp_idmap_range)
2018-12-12T10:03:54.153566+01:00 sha6130 smbd[12557]: idmap range not specified for domain '*'
2018-12-12T10:03:54.484216+01:00 sha6130 smbd[10847]: [2018/12/12 10:03:54.484178, 1] ../source3/param/loadparm.c:2458(lp_idmap_range)
2018-12-12T10:03:54.484225+01:00 sha6130 smbd[10847]: idmap range not specified for domain '*'
2018-12-12T10:03:55.271499+01:00 sha6130 smbd[10853]: [2018/12/12 10:03:55.271464, 1] ../source3/param/loadparm.c:2458(lp_idmap_range)
2018-12-12T10:03:55.271507+01:00 sha6130 smbd[10853]: idmap range not specified for domain '*'
2018-12-12T10:04:25.521451+01:00 sha6130 smbd[11188]: [2018/12/12 10:04:25.521413, 1] ../source3/param/loadparm.c:2458(lp_idmap_range)
2018-12-12T10:04:25.521471+01:00 sha6130 smbd[11188]: idmap range not specified for domain '*'
so should i simply ignore this messahe and filter it out from my rsyslog? or is there a solution for this.
0
1
Всем привет. Возникла тут проблема с вводом FS на OpenMediaVault 5 в домен Active-directory. Я настраивал по этому руководству. К сожалению для 5-го не нашел. Но после сохранения настроек я не вижу списка доменных пользователей в OMV, и не могу распределять права на общие папки. Что самое интересное, машина в домене и комманда id "username" нормально отвечает:
# id vasya
uid=635601109(vasya) gid=635600513(пользователи домена) groups=635600513(пользователи домена),635600512(администраторы домена),635600572(группа с запрещением репликации паролей rodc)
и getent тоже всё видит.
getent passwd mahsa
mahsa:*:635601108:635600513:Mahsa:/home/mahsa@test.ts:/bin/bash
все настройки точно выполнил кроме создания домашних папок, мне это не нужно, только авторизация для CIFS..
Подскажите в чем проблема кто знает. Раньше года 3-4 назад настраивал правда через winbind, но тогда и версии были другие, Debian 7, ф сейчас уже 10.7.
Ниже приведены листинги файлов конфигурации.
sss
cat /etc/sssd/sssd.conf
[sssd]
domains = test.ts
config_file_version = 2
services = nss, pam
[domain/test.ts]
ad_domain = test.ts
ad_server = 1ctest.test.ts.
chpass_provider = ad
access_provider = simple
krb5_realm = TEST.TS
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
SAMBA 4.9.5-Debian Конфиг папки не стал вставлять.
testparm -v rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Registered MSG_REQ_POOL_USAGE Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED Load smb config files from /etc/samba/smb.conf rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Processing section "[test]" Loaded services file OK. WARNING: socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 This warning is printed because you set one of the following options: SO_SNDBUF, SO_RCVBUF, SO_SNDLOWAT, SO_RCVLOWAT Modern server operating systems are tuned for high network performance in the majority of situations; when you set 'socket options' you are overriding those settings. Linux in particular has an auto-tuning mechanism for buffer sizes (SO_SNDBUF, SO_RCVBUF) that will be disabled if you specify a socket buffer size. This can potentially cripple your TCP/IP stack. Getting the 'socket options' correct can make a big difference to your performance, but getting them wrong can degrade it by just as much. As with any other low level setting, if you must make changes to it, make small changes and test the effect before making any large changes. Server role: ROLE_STANDALONE Press enter to see a dump of your service definitions # Global parameters [global] abort shutdown script = add group script = add machine script = addport command = addprinter command = add share command = add user script = add user to group script = afs token lifetime = 604800 afs username map = aio max threads = 100 algorithmic rid base = 1000 allow dcerpc auth level connect = No allow dns updates = secure only allow insecure wide links = No allow nt4 crypto = No allow trusted domains = Yes allow unsafe cluster upgrade = No apply group policies = No async smb echo handler = No auth event notification = No auto services = binddns dir = /var/lib/samba/bind-dns bind interfaces only = No browse list = Yes cache directory = /var/cache/samba change notify = Yes change share command = check password script = cldap port = 389 client ipc max protocol = default client ipc min protocol = default client ipc signing = default client lanman auth = No client ldap sasl wrapping = sign client max protocol = default client min protocol = CORE client NTLMv2 auth = Yes client plaintext auth = No client schannel = Yes client signing = default client use spnego principal = No client use spnego = Yes cluster addresses = clustering = No config backend = file config file = create krb5 conf = Yes ctdbd socket = ctdb locktime warn threshold = 0 ctdb timeout = 0 cups connection timeout = 30 cups encrypt = No cups server = dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver deadtime = 0 debug class = No debug hires timestamp = Yes debug pid = No debug prefix timestamp = No debug uid = No dedicated keytab file = default service = defer sharing violations = Yes delete group script = deleteprinter command = delete share command = delete user from group script = delete user script = dgram port = 138 disable netbios = No disable spoolss = Yes dns forwarder = dns proxy = No dns update command = /usr/sbin/samba_dnsupdate dns zone scavenging = No domain logons = No domain master = Auto dos charset = CP850 dsdb event notification = No dsdb group change notification = No dsdb password event notification = No enable asu support = No enable core files = Yes enable privileges = Yes encrypt passwords = Yes enhanced browsing = Yes enumports command = eventlog list = get quota command = getwd cache = Yes gpo update command = /usr/sbin/samba-gpupdate guest account = nobody homedir map = auto.home host msdfs = Yes hostname lookups = No idmap backend = tdb idmap cache time = 604800 idmap gid = idmap negative cache time = 120 idmap uid = include system krb5 conf = Yes init logon delay = 100 init logon delayed hosts = interfaces = iprint server = keepalive = 300 kerberos encryption types = all kerberos method = default kernel change notify = Yes kpasswd port = 464 krb5 port = 88 lanman auth = No large readwrite = Yes ldap admin dn = ldap connection timeout = 2 ldap debug level = 0 ldap debug threshold = 10 ldap delete dn = No ldap deref = auto ldap follow referral = Auto ldap group suffix = ldap idmap suffix = ldap machine suffix = ldap page size = 1000 ldap passwd sync = no ldap replication sleep = 1000 ldap server require strong auth = Yes ldap ssl = start tls ldap ssl ads = No ldap suffix = ldap timeout = 15 ldap user suffix = lm announce = Auto lm interval = 60 load printers = No local master = Yes lock directory = /var/run/samba lock spin time = 200 log file = /var/log/samba/log.%m logging = syslog log level = 2 log nt token command = logon drive = logon home = %N%U logon path = %N%Uprofile logon script = log writeable files on exit = No lpq cache time = 30 lsa over netlogon = No machine password timeout = 604800 mangle prefix = 1 mangling method = hash2 map to guest = Bad User max disk size = 0 max log size = 1000 max mux = 50 max open files = 16384 max smbd processes = 0 max stat cache size = 256 max ttl = 259200 max wins ttl = 518400 max xmit = 16644 mdns name = netbios message command = min receivefile size = 0 min wins ttl = 21600 mit kdc command = multicast dns register = No name cache timeout = 660 name resolve order = lmhosts wins host bcast nbt client socket address = 0.0.0.0 nbt port = 137 ncalrpc dir = /var/run/samba/ncalrpc netbios aliases = netbios name = OMV netbios scope = neutralize nt4 emulation = No NIS homedir = No nmbd bind explicit broadcast = Yes nsupdate command = /usr/bin/nsupdate -g ntlm auth = ntlmv2-only nt pipe support = Yes ntp signd socket directory = /var/lib/samba/ntp_signd nt status support = Yes null passwords = No obey pam restrictions = Yes old password allowed period = 60 oplock break wait time = 0 os2 driver map = os level = 20 pam password change = Yes panic action = /usr/share/samba/panic-action %d passdb backend = tdbsam passdb expand explicit = No passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:* %nn *passwordsupdatedssuccessfully* . passwd chat debug = No passwd chat timeout = 2 passwd program = /usr/bin/passwd %u password hash gpg key ids = password hash userPassword schemes = password server = * perfcount module = pid directory = /var/run/samba preferred master = Auto prefork children = 1 preload modules = printcap cache time = 750 printcap name = /dev/null private dir = /var/lib/samba/private raw NTLMv2 auth = No read raw = Yes realm = registry shares = No reject md5 clients = No reject md5 servers = No remote announce = remote browse sync = rename user script = require strong key = Yes reset on zero vc = No restrict anonymous = 0 rndc command = /usr/sbin/rndc root directory = rpc big endian = No rpc server dynamic port range = 49152-65535 rpc server port = 0 samba kcc command = /usr/sbin/samba_kcc security = AUTO server max protocol = SMB3 server min protocol = LANMAN1 server multi channel support = No server role = auto server schannel = Yes server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns server signing = default server string = %h server set primary group script = set quota command = share backend = classic show add printer wizard = Yes shutdown script = smb2 leases = Yes smb2 max credits = 8192 smb2 max read = 8388608 smb2 max trans = 8388608 smb2 max write = 8388608 smbd profiling level = off smb passwd file = /etc/samba/smbpasswd smb ports = 445 139 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 spn update command = /usr/sbin/samba_spnupdate stat cache = Yes state directory = /var/lib/samba svcctl list = syslog = 1 syslog only = No template homedir = /home/domain.com/users/%U template shell = /bin/bash time server = No timestamp logs = Yes tls cafile = tls/ca.pem tls certfile = tls/cert.pem tls crlfile = tls dh params file = tls enabled = Yes tls keyfile = tls/key.pem tls priority = NORMAL:-VERS-SSL3.0 tls verify peer = as_strict_as_possible unicode = Yes unix charset = UTF-8 unix extensions = Yes unix password sync = No use mmap = Yes username level = 0 username map = username map cache time = 0 username map script = usershare allow guests = No usershare max shares = 100 usershare owner only = Yes usershare path = /var/lib/samba/usershares usershare prefix allow list = usershare prefix deny list = usershare template share = utmp = No utmp directory = web port = 901 winbind cache time = 300 winbindd socket directory = /var/run/samba/winbindd winbind enum groups = No winbind enum users = No winbind expand groups = 0 winbind max clients = 200 winbind max domain connections = 1 winbind nested groups = Yes winbind normalize names = No winbind nss info = template winbind offline logon = No winbind reconnect delay = 30 winbind refresh tickets = No winbind request timeout = 60 winbind rpc only = No winbind scan trusted domains = Yes winbind sealed pipes = Yes winbind separator = winbind use default domain = No wins hook = wins proxy = No wins server = wins support = No workgroup = TEST write raw = Yes wtmp directory = fruit:aapl = yes idmap config * : backend = tdb access based share enum = No acl allow execute always = No acl check permissions = Yes acl group control = No acl map full control = Yes administrative share = No admin users = afs share = No aio read size = 16384 aio write behind = aio write size = 16384 allocation roundup size = 1048576 available = Yes blocking locks = Yes block size = 1024 browseable = Yes case sensitive = Auto check parent directory delete on close = No comment = copy = create mask = 0777 csc policy = manual cups options = default case = lower default devmode = Yes delete readonly = No delete veto files = No dfree cache time = 0 dfree command = directory mask = 0777 directory name cache size = 100 dmapi support = No dont descend = dos filemode = No dos filetime resolution = No dos filetimes = Yes durable handles = Yes ea support = Yes fake directory create times = No fake oplocks = No follow symlinks = Yes force create mode = 0000 force directory mode = 0000 force group = force printername = No force unknown acl user = No force user = fstype = NTFS guest ok = No guest only = No hide dot files = Yes hide files = hide special files = No hide unreadable = No hide unwriteable files = No hosts allow = hosts deny = include = inherit acls = No inherit owner = no inherit permissions = No invalid users = kernel oplocks = No kernel share modes = Yes level2 oplocks = Yes locking = Yes lppause command = lpq command = %p lpresume command = lprm command = magic output = magic script = mangled names = yes mangling char = ~ map acl inherit = No map archive = Yes map hidden = No map readonly = no map system = No max connections = 0 max print jobs = 1000 max reported print jobs = 0 min print space = 0 msdfs proxy = msdfs root = No msdfs shuffle referrals = No nt acl support = Yes ntvfs handler = unixuid, default oplocks = Yes path = posix locking = Yes postexec = preexec = preexec close = No preserve case = Yes printable = No print command = printer name = printing = bsd printjob username = %U print notify backchannel = No queuepause command = queueresume command = read list = read only = Yes root postexec = root preexec = root preexec close = No short preserve case = Yes smb encrypt = default spotlight = No store dos attributes = Yes strict allocate = No strict locking = Auto strict rename = No strict sync = Yes sync always = No use client driver = No use sendfile = Yes valid users = veto files = veto oplock files = vfs objects = volume = wide links = No write cache size = 0 write list = nsswitch
cat /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: files systemd sss group: files systemd sss shadow: files sss gshadow: files hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname networks: files protocols: db files services: db files sss ethers: db files rpc: db files netgroup: nis sss Hello,
(sorry for my english, i’m french and i don’t speak english very well…)
I have try to make a samba sharing in the linux server. My mission is to link the SAMBA server with a Windows AD (Windows server 2016 AD)
My configuration :
— Network 192.168.0.0/24
— 1 Server AD+DNS Windows server 2016 (192.168.0.200)
— 1 Server redundancy AD+DNS (192.168.0.201)
— 1 Server Linux with DHCP server, nginx/mariadb server and SAMBA ! CentOS 7 (192.168.202)
— 1 Client Windows 10 in the AD Domaine(192.168.0.2)
— My AD domaine is : SENSAS.local (it’s a pun in french, SENSAS, SENSAS’ionel ^^)
All windows have acces to the list of folden sharing by SAMBA, but i can’t open it ! (error of accés)
for all seting of my CentOS7 :
resolv (DNS) :
Code: Select all
[root@centos7 ~]# cat /etc/resolv.conf # Generated by NetworkManager search localdomain nameserver 192.168.0.200 nameserver 192.168.0.201 nameserver 192.168.48.2 conf SAMBA :
Code: Select all
[root@centos7 ~]# cat /etc/samba/smb.conf # Global parameters [global] load printers = No printcap name = /dev/null realm = SENSAS.LOCAL security = ADS workgroup = SENSAS idmap config * : backend = tdb cups options = raw [data] create mask = 0775 directory mask = 0775 path = /srv/samba/anonymous read only = No valid users = @"Patate@SENSAS.LOCAL" [root@centos7 ~]# testparam
Code: Select all
[root@centos7 ~]# testparm Load smb config files from /etc/samba/smb.conf rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Processing section "[data]" Loaded services file OK. idmap range not specified for domain '*' ERROR: Invalid idmap range for domain *! Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions # Global parameters [global] load printers = No printcap name = /dev/null realm = SENSAS.LOCAL security = ADS workgroup = SENSAS idmap config * : backend = tdb cups options = raw [data] create mask = 0775 directory mask = 0775 path = /srv/samba/anonymous read only = No valid users = @Patate@SENSAS.LOCAL [root@centos7 ~]#link of Linux with the Windows AD:
Code: Select all
[root@centos7 ~]# realm join --verbose SENSAS.local --user=administrateur The server is well in the OU of the Windows AD !
Test Kerberos connexion to the AD Windows (is OK) :
Code: Select all
[root@centos7 ~]# kinit administrateur@SENSAS.LOCAL
Password for administrateur@SENSAS.LOCAL:
[root@centos7 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: administrateur@SENSAS.LOCAL
Valid starting Expires Service principal
29/09/2018 10:04:20 29/09/2018 20:04:20 krbtgt/SENSAS.LOCAL@SENSAS.LOCAL
renew until 06/10/2018 10:04:17
[root@centos7 ~]# kdestroy
[root@centos7 ~]#
for the privilege of my folden in the server:
Code: Select all
[root@centos7 ~]# mkdir -p /srv/samba/anonymous [root@centos7 ~]# chmod -R 0775 /srv/samba/anonymous [root@centos7 ~]# chown -R nobody:nobody /srv/samba/anonymous [root@centos7 ~]# chcon -t samba_share_t /srv/samba/anonymous SElinux is off for the test:
I restart the smb/nmb service with this :
Code: Select all
[root@centos7 ~]# systemctl restart smb nmb [root@centos7 ~]# systemctl enable smb nmb for the firewall :
Code: Select all
[root@centos7 ~]# firewall-cmd --add-service=samba --permanent
[root@centos7 ~]# firewall-cmd --reload
In the OU (Patate) I have two users (Patate and banane):
https://prnt.sc/l03d6j
so if you can help me, it will be great !
Thanks in advance,
Best regard
Thomas
Hello All,
I have been learning Linux and working with Fedora Server for a little bit now. I have gotten some great help here and am now where I think 75% of Linux admins are… making that dang share work properly.
I have Fedora Server 26 and I also installed Webmin. Everything looks like its working perfect and I can access the folder and read from it, but I cannot write to it. I’ve been messing with this since last week and am ready to ask for help again.
Samba Config:
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run ‘testparm’ to verify the config is correct after
# you modified it.
[global]
realm = css.local
security = domain
guest ok = yes
map to guest = Bad User
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = root
create mask = 0664
directory mask = 0775
[veeam]
path = /home/veeam
public = yes
writeable = yes
comment = Veeam Backups
valid users = veeam
testparm (reading online, it appears that error is a bug but I really am not sure):
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section «[homes]»
Processing section «[printers]»
Processing section «[print$]»
Processing section «[veeam]»
Loaded services file OK.
idmap range not specified for domain ‘*’
ERROR: Invalid idmap range for domain *!
Server role: ROLE_DOMAIN_MEMBER
and ls:
drwxrwxrwx. 2 root root 6 Nov 1 10:42 /home/veeam
ANY help or suggestions are greatly appreciated. Thank you in advance for your time and knowledge!!
- Печать
Страницы: [1] 2 Все Вниз
Тема: SAMBA4+winbind+kerberos+AD (Прочитано 4385 раз)
0 Пользователей и 1 Гость просматривают эту тему.
civilization
Суть проблемы: настраиваю SAMBA-сервер на Ubuntu 16.04 (samba 4.3.11) с подключением к виндовому домену (уровня 2003 Server, но схема AD обновлена до 56-й версии).
smb.conf (только секция global):
Керберос и подключение к домену выполнены все норм. Однако в локальную базу nss доменные пользователи не маппируются.
В логах примерно следующее (winbindd-idmap):
Если
idmap config * : backend = tdb (или другой локальный бэкэнд), то маппирование отрабатывает (разумеется в общий домен, с соответствующим преобразованием SID-uid). MYDOM, как я понимаю, преобразуется самбой в mydom и не может найти реалм для авторизации. Собственно, testparm все названия доменов в idmap config выводит в нижнем регистре (просто остальные домены у меня не задействованы). Может кто сталкивался, как можно изменить такое поведение самбы и заставить увидеть указанный домен?
AnrDaemon
samba-tool testparmпод спойлер.
Хотите получить помощь? Потрудитесь представить запрошенную информацию в полном объёме.
Прежде чем [Отправить], нажми [Просмотр] и прочти собственное сообщение. Сам-то понял, что написал?…
civilization
« Последнее редактирование: 16 Ноября 2016, 15:54:07 от civilization »
AnrDaemon
idmap config mydom : range = 1000000 – 1099999А вы в AD UNIX UID пользователям назначаете из этого диапазона?…
idmap config mydom : default = yes
idmap config mydom : backend = ad
По умолчанию там от 10к идёт вообще-то.
Хотите получить помощь? Потрудитесь представить запрошенную информацию в полном объёме.
Прежде чем [Отправить], нажми [Просмотр] и прочти собственное сообщение. Сам-то понял, что написал?…
civilization
По умолчанию, у меня в AD вообще ничего не идёт 
, т.е. эти поля в AD пустые, я скромно надеялся, что idmap_uid их и заполнит. Для проверки сделал пользователя с заполненными полями uid и uidNumber и getent passwd опять не выдал ни одного пользователя домена (вывод в логи идентичный). Собственно, диапазон для домена в idmap был в начальных версиях конфига 10000-50000 (это ничего не давало тогда и сейчас тоже ничего не дало). Полагаю, дело всё же в трансляции имени домена в нижний регистр. Но возможно нужно присвоить uid’ы всем пользователям домена и тогда winbind сможет предоставить их в nss.
AnrDaemon
Диапазон в AD и диапазон в конфиге самбы должны совпадать.
И система должна быть настроена на смотрение в эту сторону.
cat /etc/nsswitch.confпоказывайте.
Хотите получить помощь? Потрудитесь представить запрошенную информацию в полном объёме.
Прежде чем [Отправить], нажми [Просмотр] и прочти собственное сообщение. Сам-то понял, что написал?…
civilization
Чем задаётся диапазон в AD?
nsswitch.conf:
AnrDaemon
В AD он задаётся схемой. Но лучше её не менять. Просто настройте Самбу на 10к+ и раздайте UID/GID пользователям, которым нужен доступ к линукс-серверу.
Внимательно смотрите, какую примари группу вы даёте пользователям… Там часто подсовывается «Administrators».
Хотите получить помощь? Потрудитесь представить запрошенную информацию в полном объёме.
Прежде чем [Отправить], нажми [Просмотр] и прочти собственное сообщение. Сам-то понял, что написал?…
civilization
Просто настройте Самбу на 10к+ и раздайте UID/GID пользователям
Про диапазон idmap в Самбе уже говорил — назначал 10к+ раньше (и теперь стоит тоже 10000-50000) — это на сложившуюся проблему не влияет. Раздавать UID/GID (как я понимаю) в AD необходимо руками? Автоматическую генерацию настроить не получится? Достаточно ли будет всем пользователям и группам домена прописать легитимные UID/GID чтобы заработал idmap, или нужно будет проверять-прописывать UID всем объектам в AD (например компьютерам)? И почему тогда не смаппировался пользователь которому я назначил корректный UID (из указанного в Самбе диапазона) и ругань на некорректный диапазон в логах idmap?
AnrDaemon
Я раздавал руками, у меня немного пользователей.
Вероятно, можно что-то сделать скриптом.
Достаточно прописать пользователям и группам, причём только тем, которые вы собираетесь использовать на линухе (ну и системным, типа Domain Users/Admins).
Хотите получить помощь? Потрудитесь представить запрошенную информацию в полном объёме.
Прежде чем [Отправить], нажми [Просмотр] и прочти собственное сообщение. Сам-то понял, что написал?…
civilization
Тогда вопрос остаётся открытым — очевидно, что прописывание UID/GID отдельным пользователям и группам ничем не отличается от прописывания одному пользователю, а это проблему не решило (и даже никак на неё не повлияло). То же отсутствие пользователя домена в базе nss, те же записи в логах idmap. Перепробовал разные бэкэнды (tdb, rid, ad) и разные диапазоны для них — одна и та же запись в логе idmap: invalid range ‘…-…’ specified for domain ‘mydom’. Потом ошибки неинициализирован ADS. Т.е. nss получает доменных пользователей в базу если прописать для idmap config * : backend = tdb (или другой локальный) — пользователи получают uid’ы из диапазона назначенного домену *. А вот домен прописанный по имени не работает…
AnrDaemon
Вы всё слова говорите. А диагностику скрываете.
Хотите получить помощь? Потрудитесь представить запрошенную информацию в полном объёме.
Прежде чем [Отправить], нажми [Просмотр] и прочти собственное сообщение. Сам-то понял, что написал?…
civilization
Так, словами я описал ситуацию быстро и точно, если интересны логи — скажите какие (в логе idmap ничего нового от того, что я приводил в первом посте, только имена бэкэнда и пределы диапазона меняются — смысл ровно тот же). Что касается случая с локальным бэкэндом и доменом * то лог winbind вот (здесь видно, что домен получен в верхнем регистре и доменные пользователи отрабатывают, однако при обращении getpwnam уже нижний регистр домена):
лог idmap вот:
Если этих логов не достаточно — подскажите какие нужны еще.
« Последнее редактирование: 17 Ноября 2016, 12:10:41 от civilization »
AnrDaemon
Диагностику — покажите
getent passwd с системы с настроенным
idmap config mydom : range = 10000-131071
Пользователь добавил сообщение 17 Ноября 2016, 20:32:17:
P.S.
Вотпрямщазрабочая конфигурация.
« Последнее редактирование: 17 Ноября 2016, 20:32:17 от AnrDaemon »
Хотите получить помощь? Потрудитесь представить запрошенную информацию в полном объёме.
Прежде чем [Отправить], нажми [Просмотр] и прочти собственное сообщение. Сам-то понял, что написал?…
civilization
Показываю:
Последние 7 строк — доменные пользователи (и ниже тоже — их много, обрезал — ситуация вроде понятна). Cейчас конфигурация idmap аналогична вашей только диапазон для mydom с 10000 начинается, ну и в AD прописал uid из указанного диапазона только одному пользователю (он в конце списка и здесь обрезан, но uid idmap ему тоже назначил из диапазона домена *, а не из AD, или хотя бы просто из диапазона mydom). А, если не секрет, откуда такая граница диапазона (131071)?
« Последнее редактирование: 17 Ноября 2016, 21:30:55 от civilization »
- Печать
Страницы: [1] 2 Все Вверх
Тема как ни странно еще актуальна)
Говорю по порядку, что делал
Настроил авторизацию через Kerberos , проверка авторизации через команду kinit мое_имя@DOMEN.LOCAL проходит успешно.
Далее настраиваю Samba
Вот мой конфиг
[global]
workgroup = DOMEN
realm = DOMEN.LOCAL
security = ADS
encrypt passwords = true
dns proxy = no
socket options = TCP_NODELAY
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = 0
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
После проверки командой testparm выдает ошибку
root@it-01:~# testparm
Load smb config files from /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The «encrypt passwords» option is deprecated
lpcfg_do_global_parameter: WARNING: The «domain logons» option is deprecated
Loaded services file OK.
Weak crypto is allowed
idmap range not specified for domain ‘*’
ERROR: Invalid idmap range for domain *!
Server role: ROLE_DOMAIN_MEMBER
ress enter to see a dump of your service definitions
# Global parameters
[global]
disable spoolss = Yes
dns proxy = No
domain master = No
load printers = No
local master = No
os level = 0
preferred master = No
printcap name = /dev/null
realm = TITAN.LOCAL
security = ADS
show add printer wizard = No
workgroup = TITAN
idmap config * : backend = tdb
Подскажите куда копать, мне обязательно нужно загнать в домен Ubuntu….
Hello,
(sorry for my english, i’m french and i don’t speak english very well…)
I have try to make a samba sharing in the linux server. My mission is to link the SAMBA server with a Windows AD (Windows server 2016 AD)
My configuration :
— Network 192.168.0.0/24
— 1 Server AD+DNS Windows server 2016 (192.168.0.200)
— 1 Server redundancy AD+DNS (192.168.0.201)
— 1 Server Linux with DHCP server, nginx/mariadb server and SAMBA ! CentOS 7 (192.168.202)
— 1 Client Windows 10 in the AD Domaine(192.168.0.2)
— My AD domaine is : SENSAS.local (it’s a pun in french, SENSAS, SENSAS’ionel ^^)
All windows have acces to the list of folden sharing by SAMBA, but i can’t open it ! (error of accés)
for all seting of my CentOS7 :
resolv (DNS) :
Code: Select all
[root@centos7 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 192.168.0.200
nameserver 192.168.0.201
nameserver 192.168.48.2
conf SAMBA :
Code: Select all
[root@centos7 ~]# cat /etc/samba/smb.conf
# Global parameters
[global]
load printers = No
printcap name = /dev/null
realm = SENSAS.LOCAL
security = ADS
workgroup = SENSAS
idmap config * : backend = tdb
cups options = raw
[data]
create mask = 0775
directory mask = 0775
path = /srv/samba/anonymous
read only = No
valid users = @"Patate@SENSAS.LOCAL"
[root@centos7 ~]#
testparam
Code: Select all
[root@centos7 ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[data]"
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
load printers = No
printcap name = /dev/null
realm = SENSAS.LOCAL
security = ADS
workgroup = SENSAS
idmap config * : backend = tdb
cups options = raw
[data]
create mask = 0775
directory mask = 0775
path = /srv/samba/anonymous
read only = No
valid users = @Patate@SENSAS.LOCAL
[root@centos7 ~]#link of Linux with the Windows AD:
Code: Select all
[root@centos7 ~]# realm join --verbose SENSAS.local --user=administrateur
The server is well in the OU of the Windows AD !
Test Kerberos connexion to the AD Windows (is OK) :
Code: Select all
[root@centos7 ~]# kinit administrateur@SENSAS.LOCAL
Password for administrateur@SENSAS.LOCAL:
[root@centos7 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: administrateur@SENSAS.LOCAL
Valid starting Expires Service principal
29/09/2018 10:04:20 29/09/2018 20:04:20 krbtgt/SENSAS.LOCAL@SENSAS.LOCAL
renew until 06/10/2018 10:04:17
[root@centos7 ~]# kdestroy
[root@centos7 ~]#
for the privilege of my folden in the server:
Code: Select all
[root@centos7 ~]# mkdir -p /srv/samba/anonymous
[root@centos7 ~]# chmod -R 0775 /srv/samba/anonymous
[root@centos7 ~]# chown -R nobody:nobody /srv/samba/anonymous
[root@centos7 ~]# chcon -t samba_share_t /srv/samba/anonymous
SElinux is off for the test:
I restart the smb/nmb service with this :
Code: Select all
[root@centos7 ~]# systemctl restart smb nmb
[root@centos7 ~]# systemctl enable smb nmb
for the firewall :
Code: Select all
[root@centos7 ~]# firewall-cmd --add-service=samba --permanent
[root@centos7 ~]# firewall-cmd --reload
In the OU (Patate) I have two users (Patate and banane):
https://prnt.sc/l03d6j
so if you can help me, it will be great !
Thanks in advance,
Best regard
Thomas
0
1
Всем привет. Возникла тут проблема с вводом FS на OpenMediaVault 5 в домен Active-directory. Я настраивал по этому руководству. К сожалению для 5-го не нашел. Но после сохранения настроек я не вижу списка доменных пользователей в OMV, и не могу распределять права на общие папки. Что самое интересное, машина в домене и комманда id "username" нормально отвечает:
# id vasya
uid=635601109(vasya) gid=635600513(пользователи домена) groups=635600513(пользователи домена),635600512(администраторы домена),635600572(группа с запрещением репликации паролей rodc)
и getent тоже всё видит.
getent passwd mahsa
mahsa:*:635601108:635600513:Mahsa:/home/mahsa@test.ts:/bin/bash
все настройки точно выполнил кроме создания домашних папок, мне это не нужно, только авторизация для CIFS..
Подскажите в чем проблема кто знает. Раньше года 3-4 назад настраивал правда через winbind, но тогда и версии были другие, Debian 7, ф сейчас уже 10.7.
Ниже приведены листинги файлов конфигурации.
sss
cat /etc/sssd/sssd.conf
[sssd]
domains = test.ts
config_file_version = 2
services = nss, pam
[domain/test.ts]
ad_domain = test.ts
ad_server = 1ctest.test.ts.
chpass_provider = ad
access_provider = simple
krb5_realm = TEST.TS
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
SAMBA 4.9.5-Debian Конфиг папки не стал вставлять.
testparm -v
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[test]"
Loaded services file OK.
WARNING: socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
This warning is printed because you set one of the
following options: SO_SNDBUF, SO_RCVBUF, SO_SNDLOWAT,
SO_RCVLOWAT
Modern server operating systems are tuned for
high network performance in the majority of situations;
when you set 'socket options' you are overriding those
settings.
Linux in particular has an auto-tuning mechanism for
buffer sizes (SO_SNDBUF, SO_RCVBUF) that will be
disabled if you specify a socket buffer size. This can
potentially cripple your TCP/IP stack.
Getting the 'socket options' correct can make a big
difference to your performance, but getting them wrong
can degrade it by just as much. As with any other low
level setting, if you must make changes to it, make
small changes and test the effect before making any
large changes.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
# Global parameters
[global]
abort shutdown script =
add group script =
add machine script =
addport command =
addprinter command =
add share command =
add user script =
add user to group script =
afs token lifetime = 604800
afs username map =
aio max threads = 100
algorithmic rid base = 1000
allow dcerpc auth level connect = No
allow dns updates = secure only
allow insecure wide links = No
allow nt4 crypto = No
allow trusted domains = Yes
allow unsafe cluster upgrade = No
apply group policies = No
async smb echo handler = No
auth event notification = No
auto services =
binddns dir = /var/lib/samba/bind-dns
bind interfaces only = No
browse list = Yes
cache directory = /var/cache/samba
change notify = Yes
change share command =
check password script =
cldap port = 389
client ipc max protocol = default
client ipc min protocol = default
client ipc signing = default
client lanman auth = No
client ldap sasl wrapping = sign
client max protocol = default
client min protocol = CORE
client NTLMv2 auth = Yes
client plaintext auth = No
client schannel = Yes
client signing = default
client use spnego principal = No
client use spnego = Yes
cluster addresses =
clustering = No
config backend = file
config file =
create krb5 conf = Yes
ctdbd socket =
ctdb locktime warn threshold = 0
ctdb timeout = 0
cups connection timeout = 30
cups encrypt = No
cups server =
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
deadtime = 0
debug class = No
debug hires timestamp = Yes
debug pid = No
debug prefix timestamp = No
debug uid = No
dedicated keytab file =
default service =
defer sharing violations = Yes
delete group script =
deleteprinter command =
delete share command =
delete user from group script =
delete user script =
dgram port = 138
disable netbios = No
disable spoolss = Yes
dns forwarder =
dns proxy = No
dns update command = /usr/sbin/samba_dnsupdate
dns zone scavenging = No
domain logons = No
domain master = Auto
dos charset = CP850
dsdb event notification = No
dsdb group change notification = No
dsdb password event notification = No
enable asu support = No
enable core files = Yes
enable privileges = Yes
encrypt passwords = Yes
enhanced browsing = Yes
enumports command =
eventlog list =
get quota command =
getwd cache = Yes
gpo update command = /usr/sbin/samba-gpupdate
guest account = nobody
homedir map = auto.home
host msdfs = Yes
hostname lookups = No
idmap backend = tdb
idmap cache time = 604800
idmap gid =
idmap negative cache time = 120
idmap uid =
include system krb5 conf = Yes
init logon delay = 100
init logon delayed hosts =
interfaces =
iprint server =
keepalive = 300
kerberos encryption types = all
kerberos method = default
kernel change notify = Yes
kpasswd port = 464
krb5 port = 88
lanman auth = No
large readwrite = Yes
ldap admin dn =
ldap connection timeout = 2
ldap debug level = 0
ldap debug threshold = 10
ldap delete dn = No
ldap deref = auto
ldap follow referral = Auto
ldap group suffix =
ldap idmap suffix =
ldap machine suffix =
ldap page size = 1000
ldap passwd sync = no
ldap replication sleep = 1000
ldap server require strong auth = Yes
ldap ssl = start tls
ldap ssl ads = No
ldap suffix =
ldap timeout = 15
ldap user suffix =
lm announce = Auto
lm interval = 60
load printers = No
local master = Yes
lock directory = /var/run/samba
lock spin time = 200
log file = /var/log/samba/log.%m
logging = syslog
log level = 2
log nt token command =
logon drive =
logon home = \%N%U
logon path = \%N%Uprofile
logon script =
log writeable files on exit = No
lpq cache time = 30
lsa over netlogon = No
machine password timeout = 604800
mangle prefix = 1
mangling method = hash2
map to guest = Bad User
max disk size = 0
max log size = 1000
max mux = 50
max open files = 16384
max smbd processes = 0
max stat cache size = 256
max ttl = 259200
max wins ttl = 518400
max xmit = 16644
mdns name = netbios
message command =
min receivefile size = 0
min wins ttl = 21600
mit kdc command =
multicast dns register = No
name cache timeout = 660
name resolve order = lmhosts wins host bcast
nbt client socket address = 0.0.0.0
nbt port = 137
ncalrpc dir = /var/run/samba/ncalrpc
netbios aliases =
netbios name = OMV
netbios scope =
neutralize nt4 emulation = No
NIS homedir = No
nmbd bind explicit broadcast = Yes
nsupdate command = /usr/bin/nsupdate -g
ntlm auth = ntlmv2-only
nt pipe support = Yes
ntp signd socket directory = /var/lib/samba/ntp_signd
nt status support = Yes
null passwords = No
obey pam restrictions = Yes
old password allowed period = 60
oplock break wait time = 0
os2 driver map =
os level = 20
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
passdb backend = tdbsam
passdb expand explicit = No
passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:* %nn *passwordsupdatedssuccessfully* .
passwd chat debug = No
passwd chat timeout = 2
passwd program = /usr/bin/passwd %u
password hash gpg key ids =
password hash userPassword schemes =
password server = *
perfcount module =
pid directory = /var/run/samba
preferred master = Auto
prefork children = 1
preload modules =
printcap cache time = 750
printcap name = /dev/null
private dir = /var/lib/samba/private
raw NTLMv2 auth = No
read raw = Yes
realm =
registry shares = No
reject md5 clients = No
reject md5 servers = No
remote announce =
remote browse sync =
rename user script =
require strong key = Yes
reset on zero vc = No
restrict anonymous = 0
rndc command = /usr/sbin/rndc
root directory =
rpc big endian = No
rpc server dynamic port range = 49152-65535
rpc server port = 0
samba kcc command = /usr/sbin/samba_kcc
security = AUTO
server max protocol = SMB3
server min protocol = LANMAN1
server multi channel support = No
server role = auto
server schannel = Yes
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
server signing = default
server string = %h server
set primary group script =
set quota command =
share backend = classic
show add printer wizard = Yes
shutdown script =
smb2 leases = Yes
smb2 max credits = 8192
smb2 max read = 8388608
smb2 max trans = 8388608
smb2 max write = 8388608
smbd profiling level = off
smb passwd file = /etc/samba/smbpasswd
smb ports = 445 139
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
spn update command = /usr/sbin/samba_spnupdate
stat cache = Yes
state directory = /var/lib/samba
svcctl list =
syslog = 1
syslog only = No
template homedir = /home/domain.com/users/%U
template shell = /bin/bash
time server = No
timestamp logs = Yes
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls crlfile =
tls dh params file =
tls enabled = Yes
tls keyfile = tls/key.pem
tls priority = NORMAL:-VERS-SSL3.0
tls verify peer = as_strict_as_possible
unicode = Yes
unix charset = UTF-8
unix extensions = Yes
unix password sync = No
use mmap = Yes
username level = 0
username map =
username map cache time = 0
username map script =
usershare allow guests = No
usershare max shares = 100
usershare owner only = Yes
usershare path = /var/lib/samba/usershares
usershare prefix allow list =
usershare prefix deny list =
usershare template share =
utmp = No
utmp directory =
web port = 901
winbind cache time = 300
winbindd socket directory = /var/run/samba/winbindd
winbind enum groups = No
winbind enum users = No
winbind expand groups = 0
winbind max clients = 200
winbind max domain connections = 1
winbind nested groups = Yes
winbind normalize names = No
winbind nss info = template
winbind offline logon = No
winbind reconnect delay = 30
winbind refresh tickets = No
winbind request timeout = 60
winbind rpc only = No
winbind scan trusted domains = Yes
winbind sealed pipes = Yes
winbind separator =
winbind use default domain = No
wins hook =
wins proxy = No
wins server =
wins support = No
workgroup = TEST
write raw = Yes
wtmp directory =
fruit:aapl = yes
idmap config * : backend = tdb
access based share enum = No
acl allow execute always = No
acl check permissions = Yes
acl group control = No
acl map full control = Yes
administrative share = No
admin users =
afs share = No
aio read size = 16384
aio write behind =
aio write size = 16384
allocation roundup size = 1048576
available = Yes
blocking locks = Yes
block size = 1024
browseable = Yes
case sensitive = Auto
check parent directory delete on close = No
comment =
copy =
create mask = 0777
csc policy = manual
cups options =
default case = lower
default devmode = Yes
delete readonly = No
delete veto files = No
dfree cache time = 0
dfree command =
directory mask = 0777
directory name cache size = 100
dmapi support = No
dont descend =
dos filemode = No
dos filetime resolution = No
dos filetimes = Yes
durable handles = Yes
ea support = Yes
fake directory create times = No
fake oplocks = No
follow symlinks = Yes
force create mode = 0000
force directory mode = 0000
force group =
force printername = No
force unknown acl user = No
force user =
fstype = NTFS
guest ok = No
guest only = No
hide dot files = Yes
hide files =
hide special files = No
hide unreadable = No
hide unwriteable files = No
hosts allow =
hosts deny =
include =
inherit acls = No
inherit owner = no
inherit permissions = No
invalid users =
kernel oplocks = No
kernel share modes = Yes
level2 oplocks = Yes
locking = Yes
lppause command =
lpq command = %p
lpresume command =
lprm command =
magic output =
magic script =
mangled names = yes
mangling char = ~
map acl inherit = No
map archive = Yes
map hidden = No
map readonly = no
map system = No
max connections = 0
max print jobs = 1000
max reported print jobs = 0
min print space = 0
msdfs proxy =
msdfs root = No
msdfs shuffle referrals = No
nt acl support = Yes
ntvfs handler = unixuid, default
oplocks = Yes
path =
posix locking = Yes
postexec =
preexec =
preexec close = No
preserve case = Yes
printable = No
print command =
printer name =
printing = bsd
printjob username = %U
print notify backchannel = No
queuepause command =
queueresume command =
read list =
read only = Yes
root postexec =
root preexec =
root preexec close = No
short preserve case = Yes
smb encrypt = default
spotlight = No
store dos attributes = Yes
strict allocate = No
strict locking = Auto
strict rename = No
strict sync = Yes
sync always = No
use client driver = No
use sendfile = Yes
valid users =
veto files =
veto oplock files =
vfs objects =
volume =
wide links = No
write cache size = 0
write list =
nsswitch
cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd sss
group: files systemd sss
shadow: files sss
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss