Error: invalid idmap range for domain

openSUSE Forums


Choosing an idmap backend
Choosing a winbind idmap backend can look like a complex decision; this section should point you to the right one.

If you require users and groups to have the same IDs everywhere, or have different login shells and Unix home directory paths, then you need to use the winbind idmap ‘ad’ backend and add RFC2307 attributes to AD.

If you use the ‘ad’ backend, the RFC2307 attributes (uidNumber, gidNumber, etc) are not added automatically when users or groups are created, you must add them manually.

The ID numbers found on a Samba DC (numbers in the 3000000 range) are NOT RFC2307 attributes; they are allocated locally by the DC and cannot and will not be used on Unix domain members. You can add uidNumber and gidNumber attributes to AD and use the winbind ‘ad’ backend on Unix domain members. If you decide to add uidNumber and gidNumber attributes to AD, you do not need to use numbers in the 3000000 range, and it is definitely a good idea to use a different range.

If you only need users and groups to have Unix IDs, you can use the ‘autorid’ or ‘rid’ idmap winbind backend.

The ‘autorid’ and ‘rid’ idmap backends calculate user and group IDs from the Windows RID. If you use the same [global] section of smb.conf on every Unix domain member, you will get the same IDs everywhere. With these backends you do not add anything to AD, and any RFC2307 attributes that are present will be ignored. You can set the ‘template shell’ and ‘template homedir’ parameters in the [global] section and everyone will get the login shell and Unix home directory path you set; if you do not set them, the defaults, ‘/bin/false’ and ‘/home/%D/%U’, are used.

Once you have decided which winbind idmap backend to use, you have to choose the ranges to use with ‘idmap config’ in smb.conf.

By default on a Unix domain member there are several blocks of users and groups:

The local system users and groups: these are 0-999
The local Unix users and groups: these start at 1000
The SAMDOM domain users and groups: ADUC (Active Directory Users and Computers), by default, starts these at 10000
The default domain ‘*’, also known as the ‘well-known SIDs’: ???
Trusted domains: ???
Anything that is not a well-known SID or a member of SAMDOM or a trusted domain: ???

As you can see from the above, if you are creating a new domain you should not set either the default domain ‘*’ range or the ‘SAMDOM’ range to start at 999 or less, as they would interfere with the local system users and groups. You should also leave room for local Unix users and groups, so starting the ‘idmap config’ ranges at 3000 seems a good compromise.

Bearing the above in mind, you could set the ‘idmap config’ ranges as follows:

Domain   Range
*        3000-7999
SAMDOM   10000-999999

You could also have any trusted domains starting at:

Domain   Range
TRUSTED  1000000-9999999

If you set the default domain ‘*’ range above the ‘SAMDOM’ domain range, the ranges will conflict once the domain grows to the point where the next ID to be allocated is the same as the start ID of the default domain range.

With the suggested ranges above, no range overlaps or interferes with another.

You may also have seen examples of the ‘*’ range being used for everything; this should only be done with the ‘autorid’ idmap backend.
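As an added example, not part of the Samba wiki text above, the following POSIX shell function lints the ‘idmap config’ entries in an smb.conf before you run testparm. It applies the rules above in general form: a domain with a backend but no range is reported with the wording testparm uses (idmap range not specified for domain), a range that is malformed or starts below 1000 is flagged because it would collide with the local system accounts, and any two configured ranges that overlap are reported. The function name and the file path in the usage line are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: lint the "idmap config" ranges in an
# smb.conf before running testparm. It reports
#   - a domain whose backend is set but whose range is missing
#     (testparm's "idmap range not specified for domain '*'" case),
#   - a malformed range, or one whose start is not below its end,
#   - a range starting below 1000 (collides with local system accounts),
#   - any two domains whose ranges overlap.
# Usage: check_idmap_ranges /etc/samba/smb.conf   -> exit 0 if clean, 1 otherwise
# (the function name and the path are this example's own choices).
check_idmap_ranges() {
    awk '
    BEGIN { bad = 0 }
    # Only "idmap config <domain> : backend|range = <value>" lines matter.
    tolower($0) ~ /^[ \t]*idmap[ \t]+config[ \t]+[^:]+:[ \t]*(backend|range)[ \t]*=/ {
        line = $0
        sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", line)   # drop "idmap config"
        split(line, kv, ":")                                # kv[1]=domain, kv[2]="key = value"
        dom = kv[1]; gsub(/[ \t]/, "", dom)
        key = kv[2]; sub(/[ \t]*=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0;    sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        seen[dom] = 1                                       # domain is configured
        if (tolower(key) == "backend") next
        if (val !~ /^[0-9]+-[0-9]+$/) {
            printf "ERROR: malformed idmap range \"%s\" for domain %s\n", val, dom
            bad = 1; next
        }
        split(val, r, "-"); lo[dom] = r[1] + 0; hi[dom] = r[2] + 0
        if (lo[dom] >= hi[dom]) {
            printf "ERROR: idmap range start is not below its end for domain %s\n", dom
            bad = 1
        }
        if (lo[dom] < 1000) {
            printf "WARNING: idmap range for domain %s starts below 1000 (local system accounts)\n", dom
        }
    }
    END {
        # A backend without a range is exactly what testparm complains about.
        for (d in seen) if (!(d in lo)) {
            printf "ERROR: idmap range not specified for domain '\''%s'\''\n", d
            bad = 1
        }
        # Pairwise overlap check: two closed intervals overlap iff each starts
        # no later than the other ends.
        for (a in lo) for (b in lo) if (a < b && lo[a] <= hi[b] && lo[b] <= hi[a]) {
            printf "ERROR: idmap ranges overlap: %s %d-%d and %s %d-%d\n", a, lo[a], hi[a], b, lo[b], hi[b]
            bad = 1
        }
        exit bad
    }' "$1"
}
```

Run it as check_idmap_ranges /etc/samba/smb.conf before testparm; a configuration that sets only idmap config * : backend = tdb, like the smb.conf files quoted later on this page, produces the ‘range not specified’ error and exit status 1.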

Setting up a Basic smb.conf File
Before joining the domain, configure the domain member’s smb.conf file:

To locate the file, enter:

smbd -b | grep CONFIGFILE

CONFIGFILE: /etc/samba/smb.conf
To create a basic smb.conf using the ‘autorid’ idmap backend, you will need something like this:

[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM

   log file = /var/log/samba/%m.log
   log level = 1

   # Default ID mapping configuration using the autorid
   # idmap backend. This will work out of the box for simple setups
   # as well as complex setups with trusted domains.
   idmap config * : backend = autorid
   idmap config * : range = 10000-9999999

For information on the parameters, see the smb.conf(5) man page.

The following table lists the most important idmap backends with their documentation; follow the relevant Documentation link for how to set up each idmap backend:

Back End   Documentation           Man Page
ad         idmap config ad         idmap_ad(8)
rid        idmap config rid        idmap_rid(8)
autorid    idmap config autorid    idmap_autorid(8)
hash                               idmap_hash(8)
ldap                               idmap_ldap(8)
nss                                idmap_nss(8)

Add an additional ID mapping configuration for every domain. The ID ranges of the default (*) domain and of the other domains configured in smb.conf must not overlap.

Mapping the Domain Administrator Account to the Local root User
Samba enables you to map domain accounts to a local account. Use this feature to execute file operations on the domain member's file system as a different user than the account that requested the operation on the client.

You should map the domain Administrator account to the local root account on a Unix domain member. Configuring the mapping allows the domain Administrator to execute file operations as root on the Unix domain member. When you map Administrator to the root account, Administrator will be unknown to the OS and will not be able to log on to the Unix domain member. Only use the method below to map Administrator to root; never give Administrator a uidNumber attribute, because doing so breaks the default Administrator mapping on a Samba AD DC.
If you have changed the domain Administrator account name, use the new admin name instead of Administrator in the following.

To map the domain administrator to the local root account:

Add the following parameter to the [global] section of your smb.conf file (the path shown is for a self-compiled Samba under /usr/local/samba; with a packaged Samba, put the file next to your smb.conf, for example /etc/samba/user.map):
username map = /usr/local/samba/etc/user.map
Create the user.map file with the following content (the backslash is the default ‘winbind separator’; the leading ‘!’ stops processing of the map once this line matches):
!root = SAMDOM\Administrator
When using the ad ID mapping back end, never set a uidNumber attribute for the domain Administrator account. If the account has the attribute set, the value overrides the local UID 0 of the root user on Samba AD DCs and the mapping fails.
For further details, see the username map parameter in the smb.conf(5) man page.

Joining the Domain
To join the host to an Active Directory (AD), enter:

net ads join -U administrator

Enter administrator's password: Passw0rd
Using short domain name -- SAMDOM
Joined 'M1' to dns domain 'samdom.example.com'

When you join a computer to an AD domain with net ads join, the computer's forward DNS record should be created (if it does not already exist), but if your computer has a fixed IP address you will have to create the reverse PTR record yourself.

To join the host to an NT4 domain, enter:

net rpc join -U administrator

Enter administrator’s password: Passw0rd
Joined domain SAMDOM.
Joining the Domain with samba-tool (4.15.0 and later only)
Before Samba 4.15.0, you could not join a Unix domain member using samba-tool domain join: the option was unsupported, did not work and would cause problems with your AD replication. Only use samba-tool domain join if the Unix domain member has Samba >= 4.15.0 installed.
To join the host to an Active Directory (AD), enter:

samba-tool domain join samdom.example.com MEMBER -U administrator

If you have problems joining the domain, check your configuration. For further help, see Troubleshooting Samba Domain Members.

Configuring the Name Service Switch
To enable the name service switch (NSS) library to make domain users and groups available to the local system:

Append the winbind entry to the following databases in the /etc/nsswitch.conf file:
passwd: files winbind
group: files winbind
Keep the files entry as the first source for both databases. This makes NSS look up users and groups in the local /etc/passwd and /etc/group files before querying the winbind service.
Do not add the winbind entry to the NSS shadow database. This can cause the wbinfo utility to fail.
If there is a line containing an initgroups directive, add [success=continue] winbind to it, otherwise the NSS library will not ask winbindd for a user's additional group memberships. Do not add an initgroups line if one does not exist.
Do not use the same user names in the local /etc/passwd file as in the domain.
If you compiled Samba, add symbolic links from the libnss_winbind library to the operating system’s library path. For details, see libnss_winbind Links. If you used packages to install Samba, the link is usually created automatically.
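As an added example that is not part of the original wiki text, this POSIX shell function checks an nsswitch.conf against the rules just listed: winbind must be present in passwd and group with files listed first, winbind must not appear in shadow, and an initgroups line, if one exists, must carry [success=continue] winbind. The function name is the example's own choice.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: check an nsswitch.conf against the
# winbind rules for a Unix domain member. Reports
#   - passwd or group missing winbind, or listing winbind before files,
#   - winbind present in the shadow database,
#   - an initgroups line that exists but lacks "[success=continue] winbind".
# Usage: check_nsswitch /etc/nsswitch.conf   -> exit 0 if clean, 1 otherwise
# (the function name is this example's own choice).
check_nsswitch() {
    awk '
    BEGIN { bad = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                       # comments, blank lines
    /:/ {
        db = $0;   sub(/:.*/, "", db);  gsub(/[ \t]/, "", db)   # database name
        rest = $0; sub(/^[^:]*:[ \t]*/, "", rest)               # its source list
        src[db] = rest
    }
    END {
        for (i = 1; i <= 2; i++) {
            db = (i == 1) ? "passwd" : "group"
            if (!(db in src)) { printf "ERROR: no %s line\n", db; bad = 1; continue }
            n = split(src[db], f, /[ \t]+/)
            files_at = 0; winbind_at = 0
            for (j = 1; j <= n; j++) {
                if (f[j] == "files"   && !files_at)   files_at = j
                if (f[j] == "winbind" && !winbind_at) winbind_at = j
            }
            if (!winbind_at) { printf "ERROR: %s does not list winbind\n", db; bad = 1 }
            else if (!files_at || files_at > winbind_at) { printf "ERROR: files must come before winbind in %s\n", db; bad = 1 }
        }
        if (("shadow" in src) && src["shadow"] ~ /(^|[ \t])winbind([ \t]|$)/) {
            print "ERROR: winbind must not be in the shadow database (it can break wbinfo)"; bad = 1
        }
        if (("initgroups" in src) && tolower(src["initgroups"]) !~ /\[success=continue\][ \t]+winbind/) {
            print "ERROR: initgroups line exists but lacks [success=continue] winbind"; bad = 1
        }
        exit bad
    }' "$1"
}
```

Run it as check_nsswitch /etc/nsswitch.conf after editing the file; it prints one line per violation and exits non-zero if any was found, so it can gate a configuration-management run before winbindd is restarted.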
Starting the Services
Start the following services to have a fully functioning Unix domain member:

The smbd service
The nmbd service
The winbindd service

If you do not require Network Browsing, you do not need to start the nmbd service on a Unix domain member.

Since Samba 4.11.0 the default minimum client and server protocol is SMB2. This means that anything relying on SMB1 will not work unless you manually set client min protocol = NT1 and server min protocol = NT1 in smb.conf. Samba no longer recommends using SMB1.

You must not start the samba service on a domain member. This service is required only on Active Directory (AD) domain controllers (DC).

Samba does not provide System V init scripts, systemd, upstart, or service files for other init services.

If you installed Samba using packages, use the script or service configuration file provided by the package to start Samba.
If you built Samba, see your distribution’s documentation for how to create a script or configuration to start services.

Testing the Winbindd Connectivity
Sending a Winbindd Ping
To verify if the Winbindd service is able to connect to Active Directory (AD) Domain Controllers (DC) or a primary domain controller (PDC), enter:

wbinfo --ping-dc

checking the NETLOGON for domain[SAMDOM] dc connection to "DC.SAMDOM.EXAMPLE.COM" succeeded
If the previous command fails, verify:

That the winbindd service is running.
Your smb.conf file is set up correctly.

Using Domain Accounts and Groups in Operating System Commands
Looking up Domain Users and Groups
The libnss_winbind library enables you to look up domain users and groups. For example:

To look up the domain user SAMDOM\demo01:

getent passwd SAMDOM\\demo01

SAMDOM\demo01:*:10000:10000:demo01:/home/demo01:/bin/bash
To look up the domain group Domain Users:

getent group "SAMDOM\\Domain Users"

SAMDOM\domain users:x:10000:

Assigning File Permissions to Domain Users and Groups
The name service switch (NSS) library enables you to use domain user accounts and groups in commands. For example, to set the owner of a file to the demo01 domain user and the group to the Domain Users domain group, enter:

chown "SAMDOM\\demo01:SAMDOM\\domain users" file.txt

Setting up Additional Services on the Domain Member
On a Samba domain member, you can additionally set up:

File shares to act as a file server. For details, see Samba File Serving.
Print services to act as a print server. For details, see Print Server Support.
PAM authentication of domain users for local services. For details, see Authenticating Domain Users Using PAM.

Troubleshooting
For details, see Troubleshooting Samba Domain Members.

For details, please see https://wiki.samba.org/index.php/setting_up_samba_a_a_domain_member

Version: pbis-open-8.7.1-494.x86_64
OS/Distro: CentOS 7.4.1708
Issue/Impact:

Actually, I don't know if this is a problem or not, as my machine has joined the domain and Samba works fine without any problems, other than the annoying big issue with group members explained in issue #160.
In the integration document, after installing the integration component and configuring Samba, you mention that we need to run testparm and make sure there is no error in the output, but in my case I configured Samba exactly as in the document, there is no line for the idmap config, and I always receive this error:

Output/Error from testparm:

idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *

Samba works fine, but my logs are filled with the message.

Output/Error in log files:

2018-12-12T10:03:54.153545+01:00 sha6130 smbd[12557]: [2018/12/12 10:03:54.153512,  1] ../source3/param/loadparm.c:2458(lp_idmap_range)
2018-12-12T10:03:54.153566+01:00 sha6130 smbd[12557]:   idmap range not specified for domain '*'
2018-12-12T10:03:54.484216+01:00 sha6130 smbd[10847]: [2018/12/12 10:03:54.484178,  1] ../source3/param/loadparm.c:2458(lp_idmap_range)
2018-12-12T10:03:54.484225+01:00 sha6130 smbd[10847]:   idmap range not specified for domain '*'
2018-12-12T10:03:55.271499+01:00 sha6130 smbd[10853]: [2018/12/12 10:03:55.271464,  1] ../source3/param/loadparm.c:2458(lp_idmap_range)
2018-12-12T10:03:55.271507+01:00 sha6130 smbd[10853]:   idmap range not specified for domain '*'
2018-12-12T10:04:25.521451+01:00 sha6130 smbd[11188]: [2018/12/12 10:04:25.521413,  1] ../source3/param/loadparm.c:2458(lp_idmap_range)
2018-12-12T10:04:25.521471+01:00 sha6130 smbd[11188]:   idmap range not specified for domain '*'

So should I simply ignore this message and filter it out of my rsyslog? Or is there a solution for this?




Hi all. I have run into a problem joining a file server on OpenMediaVault 5 to an Active Directory domain. I set it up following this guide. Unfortunately I could not find one for version 5. But after saving the settings I do not see the list of domain users in OMV and cannot assign permissions on shared folders. The interesting thing is that the machine is in the domain and the command id "username" responds normally:

# id vasya
uid=635601109(vasya) gid=635600513(пользователи домена) groups=635600513(пользователи домена),635600512(администраторы домена),635600572(группа с запрещением репликации паролей rodc)

and getent also sees everything.

getent passwd mahsa
mahsa:*:635601108:635600513:Mahsa:/home/mahsa@test.ts:/bin/bash

I did all the settings exactly, except creating home directories, which I do not need; I only need authentication for CIFS.
Can anyone who knows tell me what the problem is? I set this up 3-4 years ago, though via winbind, but the versions were different then, Debian 7, and now it is 10.7.
Below are the listings of the configuration files.
sssd

cat /etc/sssd/sssd.conf

[sssd]
domains = test.ts
config_file_version = 2
services = nss, pam


[domain/test.ts]
ad_domain = test.ts
ad_server = 1ctest.test.ts.
chpass_provider = ad
access_provider = simple

krb5_realm = TEST.TS
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad

Samba 4.9.5-Debian. I did not paste the share config.

testparm -v
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[test]"
Loaded services file OK.
WARNING: socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
This warning is printed because you set one of the following options: SO_SNDBUF, SO_RCVBUF, SO_SNDLOWAT, SO_RCVLOWAT
Modern server operating systems are tuned for high network performance in the majority of situations; when you set 'socket options' you are overriding those settings.
Linux in particular has an auto-tuning mechanism for buffer sizes (SO_SNDBUF, SO_RCVBUF) that will be disabled if you specify a socket buffer size. This can potentially cripple your TCP/IP stack.
Getting the 'socket options' correct can make a big difference to your performance, but getting them wrong can degrade it by just as much. As with any other low level setting, if you must make changes to it, make small changes and test the effect before making any large changes.
Server role: ROLE_STANDALONE Press enter to see a dump of your service definitions # Global parameters [global] abort shutdown script = add group script = add machine script = addport command = addprinter command = add share command = add user script = add user to group script = afs token lifetime = 604800 afs username map = aio max threads = 100 algorithmic rid base = 1000 allow dcerpc auth level connect = No allow dns updates = secure only allow insecure wide links = No allow nt4 crypto = No allow trusted domains = Yes allow unsafe cluster upgrade = No apply group policies = No async smb echo handler = No auth event notification = No auto services = binddns dir = /var/lib/samba/bind-dns bind interfaces only = No browse list = Yes cache directory = /var/cache/samba change notify = Yes change share command = check password script = cldap port = 389 client ipc max protocol = default client ipc min protocol = default client ipc signing = default client lanman auth = No client ldap sasl wrapping = sign client max protocol = default client min protocol = CORE client NTLMv2 auth = Yes client plaintext auth = No client schannel = Yes client signing = default client use spnego principal = No client use spnego = Yes cluster addresses = clustering = No config backend = file config file = create krb5 conf = Yes ctdbd socket = ctdb locktime warn threshold = 0 ctdb timeout = 0 cups connection timeout = 30 cups encrypt = No cups server = dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver deadtime = 0 debug class = No debug hires timestamp = Yes debug pid = No debug prefix timestamp = No debug uid = No dedicated keytab file = default service = defer sharing violations = Yes delete group script = deleteprinter command = delete share command = delete user from group script = delete user script = dgram port = 138 disable netbios = No disable spoolss = Yes dns forwarder = dns proxy = No 
dns update command = /usr/sbin/samba_dnsupdate dns zone scavenging = No domain logons = No domain master = Auto dos charset = CP850 dsdb event notification = No dsdb group change notification = No dsdb password event notification = No enable asu support = No enable core files = Yes enable privileges = Yes encrypt passwords = Yes enhanced browsing = Yes enumports command = eventlog list = get quota command = getwd cache = Yes gpo update command = /usr/sbin/samba-gpupdate guest account = nobody homedir map = auto.home host msdfs = Yes hostname lookups = No idmap backend = tdb idmap cache time = 604800 idmap gid = idmap negative cache time = 120 idmap uid = include system krb5 conf = Yes init logon delay = 100 init logon delayed hosts = interfaces = iprint server = keepalive = 300 kerberos encryption types = all kerberos method = default kernel change notify = Yes kpasswd port = 464 krb5 port = 88 lanman auth = No large readwrite = Yes ldap admin dn = ldap connection timeout = 2 ldap debug level = 0 ldap debug threshold = 10 ldap delete dn = No ldap deref = auto ldap follow referral = Auto ldap group suffix = ldap idmap suffix = ldap machine suffix = ldap page size = 1000 ldap passwd sync = no ldap replication sleep = 1000 ldap server require strong auth = Yes ldap ssl = start tls ldap ssl ads = No ldap suffix = ldap timeout = 15 ldap user suffix = lm announce = Auto lm interval = 60 load printers = No local master = Yes lock directory = /var/run/samba lock spin time = 200 log file = /var/log/samba/log.%m logging = syslog log level = 2 log nt token command = logon drive = logon home = %N%U logon path = %N%Uprofile logon script = log writeable files on exit = No lpq cache time = 30 lsa over netlogon = No machine password timeout = 604800 mangle prefix = 1 mangling method = hash2 map to guest = Bad User max disk size = 0 max log size = 1000 max mux = 50 max open files = 16384 max smbd processes = 0 max stat cache size = 256 max ttl = 259200 max wins ttl = 518400 max 
xmit = 16644 mdns name = netbios message command = min receivefile size = 0 min wins ttl = 21600 mit kdc command = multicast dns register = No name cache timeout = 660 name resolve order = lmhosts wins host bcast nbt client socket address = 0.0.0.0 nbt port = 137 ncalrpc dir = /var/run/samba/ncalrpc netbios aliases = netbios name = OMV netbios scope = neutralize nt4 emulation = No NIS homedir = No nmbd bind explicit broadcast = Yes nsupdate command = /usr/bin/nsupdate -g ntlm auth = ntlmv2-only nt pipe support = Yes ntp signd socket directory = /var/lib/samba/ntp_signd nt status support = Yes null passwords = No obey pam restrictions = Yes old password allowed period = 60 oplock break wait time = 0 os2 driver map = os level = 20 pam password change = Yes panic action = /usr/share/samba/panic-action %d passdb backend = tdbsam passdb expand explicit = No passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:* %nn *passwordsupdatedssuccessfully* . passwd chat debug = No passwd chat timeout = 2 passwd program = /usr/bin/passwd %u password hash gpg key ids = password hash userPassword schemes = password server = * perfcount module = pid directory = /var/run/samba preferred master = Auto prefork children = 1 preload modules = printcap cache time = 750 printcap name = /dev/null private dir = /var/lib/samba/private raw NTLMv2 auth = No read raw = Yes realm = registry shares = No reject md5 clients = No reject md5 servers = No remote announce = remote browse sync = rename user script = require strong key = Yes reset on zero vc = No restrict anonymous = 0 rndc command = /usr/sbin/rndc root directory = rpc big endian = No rpc server dynamic port range = 49152-65535 rpc server port = 0 samba kcc command = /usr/sbin/samba_kcc security = AUTO server max protocol = SMB3 server min protocol = LANMAN1 server multi channel support = No server role = auto server schannel = Yes server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, 
dnsupdate, dns server signing = default server string = %h server set primary group script = set quota command = share backend = classic show add printer wizard = Yes shutdown script = smb2 leases = Yes smb2 max credits = 8192 smb2 max read = 8388608 smb2 max trans = 8388608 smb2 max write = 8388608 smbd profiling level = off smb passwd file = /etc/samba/smbpasswd smb ports = 445 139 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 spn update command = /usr/sbin/samba_spnupdate stat cache = Yes state directory = /var/lib/samba svcctl list = syslog = 1 syslog only = No template homedir = /home/domain.com/users/%U template shell = /bin/bash time server = No timestamp logs = Yes tls cafile = tls/ca.pem tls certfile = tls/cert.pem tls crlfile = tls dh params file = tls enabled = Yes tls keyfile = tls/key.pem tls priority = NORMAL:-VERS-SSL3.0 tls verify peer = as_strict_as_possible unicode = Yes unix charset = UTF-8 unix extensions = Yes unix password sync = No use mmap = Yes username level = 0 username map = username map cache time = 0 username map script = usershare allow guests = No usershare max shares = 100 usershare owner only = Yes usershare path = /var/lib/samba/usershares usershare prefix allow list = usershare prefix deny list = usershare template share = utmp = No utmp directory = web port = 901 winbind cache time = 300 winbindd socket directory = /var/run/samba/winbindd winbind enum groups = No winbind enum users = No winbind expand groups = 0 winbind max clients = 200 winbind max domain connections = 1 winbind nested groups = Yes winbind normalize names = No winbind nss info = template winbind offline logon = No winbind reconnect delay = 30 winbind refresh tickets = No winbind request timeout = 60 winbind rpc only = No winbind scan trusted domains = Yes winbind sealed pipes = Yes winbind separator = winbind use default domain = No wins hook = wins proxy = No wins server = wins support = No workgroup = TEST write raw = Yes wtmp directory = 
fruit:aapl = yes idmap config * : backend = tdb access based share enum = No acl allow execute always = No acl check permissions = Yes acl group control = No acl map full control = Yes administrative share = No admin users = afs share = No aio read size = 16384 aio write behind = aio write size = 16384 allocation roundup size = 1048576 available = Yes blocking locks = Yes block size = 1024 browseable = Yes case sensitive = Auto check parent directory delete on close = No comment = copy = create mask = 0777 csc policy = manual cups options = default case = lower default devmode = Yes delete readonly = No delete veto files = No dfree cache time = 0 dfree command = directory mask = 0777 directory name cache size = 100 dmapi support = No dont descend = dos filemode = No dos filetime resolution = No dos filetimes = Yes durable handles = Yes ea support = Yes fake directory create times = No fake oplocks = No follow symlinks = Yes force create mode = 0000 force directory mode = 0000 force group = force printername = No force unknown acl user = No force user = fstype = NTFS guest ok = No guest only = No hide dot files = Yes hide files = hide special files = No hide unreadable = No hide unwriteable files = No hosts allow = hosts deny = include = inherit acls = No inherit owner = no inherit permissions = No invalid users = kernel oplocks = No kernel share modes = Yes level2 oplocks = Yes locking = Yes lppause command = lpq command = %p lpresume command = lprm command = magic output = magic script = mangled names = yes mangling char = ~ map acl inherit = No map archive = Yes map hidden = No map readonly = no map system = No max connections = 0 max print jobs = 1000 max reported print jobs = 0 min print space = 0 msdfs proxy = msdfs root = No msdfs shuffle referrals = No nt acl support = Yes ntvfs handler = unixuid, default oplocks = Yes path = posix locking = Yes postexec = preexec = preexec close = No preserve case = Yes printable = No print command = printer name = printing 
= bsd printjob username = %U print notify backchannel = No queuepause command = queueresume command = read list = read only = Yes root postexec = root preexec = root preexec close = No short preserve case = Yes smb encrypt = default spotlight = No store dos attributes = Yes strict allocate = No strict locking = Auto strict rename = No strict sync = Yes sync always = No use client driver = No use sendfile = Yes valid users = veto files = veto oplock files = vfs objects = volume = wide links = No write cache size = 0 write list = 

nsswitch

cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd sss
group:          files systemd sss
shadow:         files sss
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss

Hello,

(sorry for my English, I'm French and I don't speak English very well...)

I have tried to set up a Samba share on the Linux server. My mission is to link the Samba server with a Windows AD (Windows Server 2016 AD).
My configuration:

— Network 192.168.0.0/24
— 1 AD+DNS server, Windows Server 2016 (192.168.0.200)
— 1 redundant AD+DNS server (192.168.0.201)
— 1 Linux server with DHCP server, nginx/mariadb server and Samba! CentOS 7 (192.168.202)
— 1 Windows 10 client in the AD domain (192.168.0.2)
— My AD domain is SENSAS.local (it's a pun in French, SENSAS, SENSAS'ionel ^^)

All Windows machines can see the list of folders shared by Samba, but I can't open them! (access error)
Here are all the settings of my CentOS 7:

resolv (DNS):

[root@centos7 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 192.168.0.200
nameserver 192.168.0.201
nameserver 192.168.48.2

Samba conf:

[root@centos7 ~]# cat /etc/samba/smb.conf
# Global parameters
[global]
	load printers = No
	printcap name = /dev/null
	realm = SENSAS.LOCAL
	security = ADS
	workgroup = SENSAS
	idmap config * : backend = tdb
	cups options = raw

[data]
	create mask = 0775
	directory mask = 0775
	path = /srv/samba/anonymous
	read only = No
	valid users = @"Patate@SENSAS.LOCAL"
[root@centos7 ~]#

testparm

[root@centos7 ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[data]"
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
	load printers = No
	printcap name = /dev/null
	realm = SENSAS.LOCAL
	security = ADS
	workgroup = SENSAS
	idmap config * : backend = tdb
	cups options = raw

[data]
	create mask = 0775
	directory mask = 0775
	path = /srv/samba/anonymous
	read only = No
	valid users = @Patate@SENSAS.LOCAL
[root@centos7 ~]#

Joining Linux to the Windows AD:

[root@centos7 ~]# realm join --verbose SENSAS.local --user=administrateur 

The server is in the OU of the Windows AD!

Test of the Kerberos connection to the Windows AD (OK):

[root@centos7 ~]# kinit administrateur@SENSAS.LOCAL
Password for administrateur@SENSAS.LOCAL:
[root@centos7 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: administrateur@SENSAS.LOCAL
Valid starting       Expires              Service principal
29/09/2018 10:04:20  29/09/2018 20:04:20  krbtgt/SENSAS.LOCAL@SENSAS.LOCAL
renew until 06/10/2018 10:04:17
[root@centos7 ~]# kdestroy
[root@centos7 ~]#

Permissions of my folder on the server:

[root@centos7 ~]# mkdir -p /srv/samba/anonymous
[root@centos7 ~]# chmod -R 0775 /srv/samba/anonymous
[root@centos7 ~]# chown -R nobody:nobody /srv/samba/anonymous
[root@centos7 ~]# chcon -t samba_share_t /srv/samba/anonymous

SELinux is off for the test.

I restart the smb/nmb services with:

[root@centos7 ~]# systemctl restart smb nmb
[root@centos7 ~]# systemctl enable smb nmb

Firewall:

[root@centos7 ~]# firewall-cmd --add-service=samba --permanent
[root@centos7 ~]# firewall-cmd --reload

In the OU (Patate) I have two users (Patate and banane):
https://prnt.sc/l03d6j

so if you can help me, it will be great !
Thanks in advance,
Best regard
Thomas

Hello All,

I have been learning Linux and working with Fedora Server for a little bit now.  I have gotten some great help here and am now where I think 75% of Linux admins are… making that dang share work properly.

I have Fedora Server 26 and I also installed Webmin. Everything looks like it's working perfectly and I can access the folder and read from it, but I cannot write to it. I've been messing with this since last week and am ready to ask for help again. :)

Samba Config:

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
  realm = css.local
  security = domain
  guest ok = yes
  map to guest = Bad User
  passdb backend = tdbsam
  printing = cups
  printcap name = cups
  load printers = yes
  cups options = raw

[homes]
  comment = Home Directories
  valid users = %S, %D%w%S
  browseable = No
  read only = No
  inherit acls = Yes

[printers]
  comment = All Printers
  path = /var/tmp
  printable = Yes
  create mask = 0600
  browseable = No

[print$]
  comment = Printer Drivers
  path = /var/lib/samba/drivers
  write list = root
  create mask = 0664
  directory mask = 0775

[veeam]
  path = /home/veeam
  public = yes
  writeable = yes
  comment = Veeam Backups
  valid users = veeam

testparm (reading online, it appears that error is a bug but I really am not sure):

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[veeam]"
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!
Server role: ROLE_DOMAIN_MEMBER

and ls:

drwxrwxrwx. 2 root root 6 Nov  1 10:42 /home/veeam

ANY help or suggestions are greatly appreciated.  Thank you in advance for your time and knowledge!!

Topic: SAMBA4+winbind+kerberos+AD (Read 4385 times)

civilization

The gist of the problem: I am setting up a SAMBA server on Ubuntu 16.04 (samba 4.3.11) joined to a Windows domain (2003 Server functional level, but the AD schema has been updated to version 56).

smb.conf (global section only):

Kerberos and the domain join both went fine. However, domain users are not mapped into the local nss database.
The logs (winbindd-idmap) show roughly the following:

If

idmap config * : backend = tdb (or another local backend), then the mapping works (into the common domain, of course, with the corresponding SID-to-uid conversion). MYDOM, as I understand it, is converted by samba to mydom, and then it cannot find a realm to authenticate against. Indeed, testparm prints all domain names in idmap config in lower case (the other domains are simply not used in my setup). Has anyone run into this, and how can this samba behaviour be changed so that it sees the specified domain?


AnrDaemon

samba-tool testparm, under a spoiler.

Want help? Take the trouble to provide the requested information in full.

Before you [Post], click [Preview] and read your own message. Did you yourself understand what you wrote?…


civilization

« Last edit: 16 November 2016, 15:54:07 by civilization »


AnrDaemon

        idmap config mydom : range = 1000000 - 1099999
        idmap config mydom : default = yes
        idmap config mydom : backend = ad
And are you assigning users UNIX UIDs in AD from this range?…
By default it actually starts from 10k there.


civilization

By default nothing at all is set in my AD ???, i.e. those fields in AD are empty; I modestly hoped that idmap_uid would fill them in. To check, I created a user with the uid and uidNumber fields filled in, and getent passwd again returned not a single domain user (the log output is identical). Actually, in the early versions of the config the idmap range for the domain was 10000-50000 (that did nothing then and does nothing now either). I believe the issue is still the domain name being translated to lower case. But perhaps uids need to be assigned to all domain users, and then winbind will be able to serve them to nss.


AnrDaemon

The range in AD and the range in the samba config must match.
And the system must be configured to look in that direction.

Show your cat /etc/nsswitch.conf.


civilization

What defines the range in AD?
nsswitch.conf:


AnrDaemon

In AD it is defined by the schema. But better not to change it. Just configure Samba for 10k+ and hand out UIDs/GIDs to the users who need access to the Linux server.
Look carefully at which primary group you give users… "Administrators" often gets slipped in there.


civilization

Just configure Samba for 10k+ and hand out UIDs/GIDs to users

I already mentioned the idmap range in Samba: I assigned 10k+ earlier (and it is 10000-50000 now too), and that has no effect on the problem at hand. Handing out UIDs/GIDs in AD (as I understand it) has to be done by hand? Automatic generation cannot be configured? Will it be enough to give all domain users and groups legitimate UIDs/GIDs for idmap to work, or will UIDs have to be checked and set on all objects in AD (computers, for example)? And why then did the user to whom I assigned a correct UID (from the range specified in Samba) not get mapped, with complaints about an incorrect range in the idmap logs?


AnrDaemon

I handed them out by hand; I have few users.
It can probably be done with a script.
It is enough to set them for users and groups, and only for those you intend to use on Linux (plus the system ones, like Domain Users/Admins).


civilization

Then the question remains open: obviously, setting UIDs/GIDs for individual users and groups is no different from setting them for one user, and that did not solve the problem (it did not even affect it). The same absence of the domain user from the nss database, the same entries in the idmap logs. I tried different backends (tdb, rid, ad) and different ranges for them, and the idmap log shows one and the same entry: invalid range '…-…' specified for domain 'mydom'. Then errors that ADS is not initialised. That is, nss gets domain users into its database if I set idmap config * : backend = tdb (or another local one): users get uids from the range assigned to domain *. But a domain specified by name does not work…


AnrDaemon

You keep giving words. And hiding the diagnostics.


civilization

Well, in words I described the situation quickly and precisely; if you are interested in logs, say which ones (there is nothing new in the idmap log compared to what I gave in the first post, only the backend names and range limits change; the meaning is exactly the same). As for the case with a local backend and domain *, here is the winbind log (here you can see that the domain is received in upper case and domain users work, but on the getpwnam call the domain is already in lower case):

and here is the idmap log:

If these logs are not enough, tell me which others are needed.

« Last edit: 17 November 2016, 12:10:41 by civilization »


AnrDaemon

Show the diagnostics:

getent passwd from a system configured with

idmap config mydom : range = 10000-131071


The user added a message on 17 November 2016, 20:32:17:


P.S.
A configuration that is working right now.

« Last edit: 17 November 2016, 20:32:17 by AnrDaemon »


civilization

Here it is:

The last 7 lines are domain users (and further down too; there are many, I cut them off; the situation seems clear). Now the idmap configuration is the same as yours, except that the range for mydom starts at 10000, and in AD I set a uid from the specified range for only one user (he is at the end of the list and cut off here, but idmap assigned him a uid from the * domain's range as well, not from AD, or at least not simply from the mydom range). And, if it is not a secret, where does that range boundary (131071) come from?

« Last edit: 17 November 2016, 21:30:55 by civilization »



Oddly enough, the topic is still relevant)
I will describe in order what I did.
I set up authentication via Kerberos; verifying authentication with the command kinit my_name@DOMEN.LOCAL succeeds.

Next I configure Samba.
Here is my config
[global]
workgroup = DOMEN
realm = DOMEN.LOCAL
security = ADS

encrypt passwords = true
dns proxy = no
socket options = TCP_NODELAY

domain master = no
local master = no
preferred master = no
os level = 0
domain logons = 0
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes

Checking with the testparm command gives an error
root@it-01:~# testparm
Load smb config files from /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is deprecated
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
Loaded services file OK.
Weak crypto is allowed
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
disable spoolss = Yes
dns proxy = No
domain master = No
load printers = No
local master = No
os level = 0
preferred master = No
printcap name = /dev/null
realm = TITAN.LOCAL
security = ADS
show add printer wizard = No
workgroup = TITAN
idmap config * : backend = tdb

Tell me where to dig; I absolutely need to get Ubuntu into the domain….
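The testparm lines quoted in the Fedora post, in the post just above and in the CentOS post that follows all come from one check: the default domain '*' and every domain named in 'idmap config' must carry a valid 'range = low-high'. The Python below is an added example, not code from any of the posts or from Samba: it reproduces that check over constructed smb.conf snippets, adds an overlap check between domain ranges, and shows the point AnrDaemon makes in the thread above, that a uidNumber set in AD is only usable when it falls inside the range configured for that domain.

```python
"""Added example, not from any post on this page: replay testparm's idmap-range
checks over constructed smb.conf snippets and test whether an AD uidNumber fits."""
import re

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Constructed sample: the [global] section from the CentOS post (no range for '*').
BAD_CONF = """[global]
        realm = SENSAS.LOCAL
        security = ADS
        workgroup = SENSAS
        idmap config * : backend = tdb
"""

# Constructed sample: '*' given a range, named domain on the 'ad' backend with the
# 10000-131071 range AnrDaemon suggests above.
GOOD_CONF = """[global]
        security = ADS
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config MYDOM : backend = ad
        idmap config MYDOM : range = 10000-131071
"""

def parse_idmap(smb_conf):
    """Collect 'idmap config <domain> : <option> = <value>' per domain. Domain
    names are lower-cased because Samba matches them case-insensitively (the
    thread above notes testparm prints them in lower case)."""
    domains = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).lower(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains

def check_idmap(smb_conf):
    """Return testparm-style messages; an empty list means the idmap config passes."""
    errors, ranges = [], {}
    domains = parse_idmap(smb_conf)
    domains.setdefault("*", {})          # '*' is checked even when never mentioned
    for dom, opts in domains.items():
        m = RANGE_RE.match(opts.get("range", ""))
        if "range" not in opts:
            errors.append(f"idmap range not specified for domain '{dom}'")
        if not m or int(m.group(1)) >= int(m.group(2)):
            errors.append(f"ERROR: Invalid idmap range for domain {dom}!")
            continue
        ranges[dom] = (int(m.group(1)), int(m.group(2)))
    # Overlap check (added here): two domains sharing IDs would map different SIDs
    # to the same uid, so the ranges must be disjoint.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (lo1, hi1), (lo2, hi2) = ranges[a], ranges[b]
            if lo1 <= hi2 and lo2 <= hi1:
                errors.append(f"ERROR: idmap ranges of domains '{a}' and '{b}' overlap")
    return errors

def uid_fits_range(smb_conf, domain, uid_number):
    """With the 'ad' backend, an AD uidNumber is only honoured when it lies inside
    that domain's configured range; otherwise the user stays unmapped."""
    opts = parse_idmap(smb_conf).get(domain.lower(), {})
    m = RANGE_RE.match(opts.get("range", ""))
    return bool(m) and int(m.group(1)) <= uid_number <= int(m.group(2))
```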

Hello,

(sorry for my English, I'm French and I don't speak English very well…)

I have tried to make a samba share on the Linux server. My mission is to link the SAMBA server with a Windows AD (Windows Server 2016 AD).
My configuration:

— Network 192.168.0.0/24
— 1 Server AD+DNS Windows Server 2016 (192.168.0.200)
— 1 Server redundancy AD+DNS (192.168.0.201)
— 1 Server Linux with DHCP server, nginx/mariadb server and SAMBA ! CentOS 7 (192.168.202)
— 1 Client Windows 10 in the AD Domain (192.168.0.2)
— My AD domain is: SENSAS.local (it's a pun in French, SENSAS, SENSAS'ionel ^^)

All Windows machines have access to the list of folders shared by SAMBA, but I can't open them! (access error)
Here are all the settings of my CentOS7:

resolv (DNS):


[root@centos7 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 192.168.0.200
nameserver 192.168.0.201
nameserver 192.168.48.2

SAMBA conf:

[root@centos7 ~]# cat /etc/samba/smb.conf

# Global parameters
[global]
        load printers = No
        printcap name = /dev/null
        realm = SENSAS.LOCAL
        security = ADS
        workgroup = SENSAS
        idmap config * : backend = tdb
        cups options = raw


[data]
        create mask = 0775
        directory mask = 0775
        path = /srv/samba/anonymous
        read only = No
        valid users = @"Patate@SENSAS.LOCAL"
[root@centos7 ~]#

testparm

[root@centos7 ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[data]"
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        load printers = No
        printcap name = /dev/null
        realm = SENSAS.LOCAL
        security = ADS
        workgroup = SENSAS
        idmap config * : backend = tdb
        cups options = raw


[data]
        create mask = 0775
        directory mask = 0775
        path = /srv/samba/anonymous
        read only = No
        valid users = @Patate@SENSAS.LOCAL
[root@centos7 ~]#

Linking Linux with the Windows AD:

[root@centos7 ~]# realm join --verbose SENSAS.local --user=administrateur

The server is indeed in the OU of the Windows AD!

Test of the Kerberos connection to the Windows AD (it is OK):

[root@centos7 ~]# kinit administrateur@SENSAS.LOCAL
Password for administrateur@SENSAS.LOCAL:
[root@centos7 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: administrateur@SENSAS.LOCAL

Valid starting       Expires              Service principal
29/09/2018 10:04:20  29/09/2018 20:04:20  krbtgt/SENSAS.LOCAL@SENSAS.LOCAL
        renew until 06/10/2018 10:04:17
[root@centos7 ~]# kdestroy
[root@centos7 ~]#

For the permissions on my folder on the server:

[root@centos7 ~]# mkdir -p /srv/samba/anonymous
[root@centos7 ~]# chmod -R 0775 /srv/samba/anonymous
[root@centos7 ~]# chown -R nobody:nobody /srv/samba/anonymous
[root@centos7 ~]# chcon -t samba_share_t /srv/samba/anonymous

SELinux is off for the test.

I restart the smb/nmb services with this:

[root@centos7 ~]# systemctl restart smb nmb
[root@centos7 ~]# systemctl enable smb nmb

For the firewall:

[root@centos7 ~]# firewall-cmd --add-service=samba --permanent
[root@centos7 ~]# firewall-cmd --reload

In the OU (Patate) I have two users (Patate and banane):
https://prnt.sc/l03d6j

So if you can help me, it would be great!
Thanks in advance,
Best regards
Thomas
