Samba: Difference between revisions

(Created page with "Winbind works, mapping to UNIX ID's does not kinit administrator@ISLIEF.COM klist wbinfo -u wbinfo -g wbinfo -i ISLIEF/Administrator administrator:*:3500:3513::/home/ISLIEF/administrator:/bin/false wbinfo -s S-1-5-21-870187001-592863278-1011463606-1604 ISLIEF/jan 1 wbinfo -n ISLIEF/jan wbinfo -a jan Enter jan's password: plaintext password authentication succeeded Enter jan's password: challenge/response password authentication succeeded wbinfo -S S-...")
 
No edit summary
 
(9 intermediate revisions by the same user not shown)
Line 1: Line 1:
Winbind works, mapping to UNIX ID's does not
Winbind works, mapping to UNIX ID's does not
Alpine doesn't use NSS because of MUSL, need other way of mapping, /etc/samba/user.map requires passwords between AD and UNIX to be in Sync. Maybe switch to SSSD?


  kinit administrator@ISLIEF.COM
  kinit administrator@ISLIEF.COM
Line 36: Line 38:


https://www.suse.com/support/kb/doc/?id=000017458
https://www.suse.com/support/kb/doc/?id=000017458
== NSCD ==
samba4 as active directory member using winbind to lookup user doesn't work on Alpine Linux because MUSL doesn't use nsswitch, however with musl nscd from pikhq authentication works, but only if the /usr/sbin/nscd process is running while trying an authentication is tried, the authentication hangs until the nscd process is stopped.
https://github.com/pikhq/musl-nscd/blob/master/src/cache.c
I haven't figured out where and why this works, but it is around cache_getpwuid_r
COMPARISON() (res->p.pw_uid == id)
Included in the call is a header, with the actual query between
pthread_rwlock_rdlock(&CACHE.lock);
ret = NSS_STATUS_SUCCESS;
pthread_rwlock_unlock(&CACHE.lock);
https://github.com/pikhq/musl-nscd/blob/master/include/cache_query.h#L39
gdb /usr/sbin/nscd
info functions
thread apply all backtrace
gdb /usr/sbin/nscd <coredump> -ex "thread apply all bt" -ex "quit" > output.log
set logging enabled on
set confirm off
set height off
rbreak ^s[^@]*$
thread apply all backtrace
gprof /usr/sbin/nscd
accept(3, NULL, NULL)                   = 4
futex(0x56536d729fb8, FUTEX_WAKE_PRIVATE, 2147483647) = 1
poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
accept(3, NULL, NULL)                   = 4
futex(0x56536d729fb8, FUTEX_WAKE_PRIVATE, 2147483647) = 1
poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
accept(3, NULL, NULL)                   = 6
futex(0x56536d7292e0, FUTEX_WAIT_PRIVATE, 2147483648, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGINT {si_signo=SIGINT, si_code=SI_KERNEL} ---
=smb.conf=
[global]
        allow insecure wide links = Yes
        bind interfaces only = Yes
        client min protocol = SMB2
        dedicated keytab file = /etc/krb5.keytab
        disable netbios = Yes
        disable spoolss = Yes
        dos charset = cp866
        interfaces = lo wg0 lan
        kerberos method = secrets and keytab
        log level = 3 passdb:5 auth:5
        ntlm auth = mschapv2-and-ntlmv2-only
        printcap name = /dev/null
        realm = ISLIEF.COM
        restrict anonymous = 2
        security = ADS
        server min protocol = SMB2
        server role = member server
        server string = Samba Server
        smb ports = 445
        template homedir = /home/%U
        template shell = /bin/ash
        unix charset = utf-8
        username map = /etc/samba/user.map
        winbind cache time = 3600
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        winbind separator = /
        winbind use default domain = Yes
        workgroup = ISLIEF
        idmap_ldb:use rfc2307 = Yes
        idmap config * : backend = tdb
        idmap config * : range = 2000-2999
        idmap config islief:range = 3000-9999999
        idmap config islief:backend = rid
        map acl inherit = Yes
        store dos attributes = Yes
[share]
        path = /share
        read only = No
        valid users = ISLIEF/me
[homes]
        comment = Home Directories
        read only = No
        valid users = %S

Latest revision as of 17:32, 19 July 2024

Winbind works; mapping to UNIX IDs does not.

Alpine doesn't use NSS because of musl, so another way of mapping is needed; /etc/samba/user.map requires the AD and UNIX passwords to be kept in sync. Maybe switch to SSSD?

kinit administrator@ISLIEF.COM
klist
wbinfo -u
wbinfo -g
wbinfo -i ISLIEF/Administrator
administrator:*:3500:3513::/home/ISLIEF/administrator:/bin/false
wbinfo -s S-1-5-21-870187001-592863278-1011463606-1604
ISLIEF/jan 1
wbinfo -n ISLIEF/jan
wbinfo -a jan
Enter jan's password:
plaintext password authentication succeeded
Enter jan's password:
challenge/response password authentication succeeded
wbinfo -S S-1-5-21-870187001-592863278-1011463606-1604
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-870187001-592863278-1011463606-1604 to uid
wbinfo -r ISLIEF/administrator
3500 3513 3572 3518 3519 3520 3512 2001 2000
wbinfo -i ISLIEF/jan
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user ISLIEF/jan
smbclient -L //10.0.0.5 -U ISLIEF/jan
Password for [ISLIEF\jan]:
session setup failed: NT_STATUS_LOGON_FAILURE

https://www.suse.com/support/kb/doc/?id=000017458

NSCD

Samba 4 as an Active Directory member using winbind to look up users doesn't work on Alpine Linux because musl doesn't use nsswitch. With pikhq's musl-nscd, authentication works, but only if the /usr/sbin/nscd process is running; while an authentication is tried, it hangs until the nscd process is stopped.

https://github.com/pikhq/musl-nscd/blob/master/src/cache.c

I haven't figured out where or why this works, but it is around cache_getpwuid_r.

COMPARISON() (res->p.pw_uid == id)

The call includes a header, with the actual query placed between

pthread_rwlock_rdlock(&CACHE.lock);

ret = NSS_STATUS_SUCCESS;

pthread_rwlock_unlock(&CACHE.lock);

https://github.com/pikhq/musl-nscd/blob/master/include/cache_query.h#L39

gdb /usr/sbin/nscd

info functions


thread apply all backtrace

gdb /usr/sbin/nscd <coredump> -ex "thread apply all bt" -ex "quit" > output.log



set logging enabled on

set confirm off

set height off

rbreak ^s[^@]*$

thread apply all backtrace

gprof /usr/sbin/nscd

accept(3, NULL, NULL)                   = 4

futex(0x56536d729fb8, FUTEX_WAKE_PRIVATE, 2147483647) = 1

poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])

accept(3, NULL, NULL)                   = 4

futex(0x56536d729fb8, FUTEX_WAKE_PRIVATE, 2147483647) = 1

poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])

accept(3, NULL, NULL)                   = 6

futex(0x56536d7292e0, FUTEX_WAIT_PRIVATE, 2147483648, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)

--- SIGINT {si_signo=SIGINT, si_code=SI_KERNEL} ---

smb.conf

# smb.conf of the Alpine host joined as an AD member server (security = ADS, realm ISLIEF.COM).
# The wbinfo transcript above shows winbind resolving names but failing SID -> uid mapping.
[global]
       # NOTE(review): lets 'wide links' coexist with unix extensions, so a symlink inside a
       # share can resolve to a path outside the share — confirm this is wanted for [share] and [homes].
       allow insecure wide links = Yes
       bind interfaces only = Yes
       client min protocol = SMB2
       dedicated keytab file = /etc/krb5.keytab
       disable netbios = Yes
       disable spoolss = Yes
       dos charset = cp866
       # with 'bind interfaces only' above, smbd/winbindd listen only on these
       # (wg0 is presumably the WireGuard tunnel, 'lan' the internal interface)
       interfaces = lo wg0 lan
       kerberos method = secrets and keytab
       # debugging levels for the idmap/auth problem on this page; verbose auth logging —
       # lower again once it is resolved
       log level = 3 passdb:5 auth:5
       # NTLMv1 refused except for MSCHAPv2; NTLMv2 still allowed
       ntlm auth = mschapv2-and-ntlmv2-only
       printcap name = /dev/null
       realm = ISLIEF.COM
       # 2 = refuse anonymous (null-session) connections
       restrict anonymous = 2
       security = ADS
       server min protocol = SMB2
       server role = member server
       server string = Samba Server
       # 445 only; netbios is disabled above so 139 is not needed
       smb ports = 445
       template homedir = /home/%U
       template shell = /bin/ash
       unix charset = utf-8
       # maps AD names to local users; the note above says this needs the AD and UNIX
       # passwords kept in sync
       username map = /etc/samba/user.map
       winbind cache time = 3600
       # needed for the 'wbinfo -u' / 'wbinfo -g' enumeration shown above; costly on large domains
       winbind enum groups = Yes
       winbind enum users = Yes
       winbind offline logon = Yes
       winbind refresh tickets = Yes
       # '/' gives the ISLIEF/jan form used in the transcript instead of ISLIEF\jan
       winbind separator = /
       winbind use default domain = Yes
       workgroup = ISLIEF
       # NOTE(review): idmap_ldb is the idmap backend of a Samba AD DC; on a member server
       # this line is most likely ignored — confirm, it is not what maps ISLIEF users
       idmap_ldb:use rfc2307 = Yes
       # default domain (BUILTIN etc.): allocating tdb backend in 2000-2999 —
       # the 2000/2001 gids in the 'wbinfo -r' output above come from here
       idmap config * : backend = tdb
       idmap config * : range = 2000-2999
       # ISLIEF: algorithmic RID mapping, id = 3000 + RID
       # (Administrator RID 500 -> uid 3500, matching the 'wbinfo -i' output above)
       idmap config islief:range = 3000-9999999
       idmap config islief:backend = rid
       map acl inherit = Yes
       store dos attributes = Yes

# single share, restricted to one domain account
[share]
       path = /share
       read only = No
       valid users = ISLIEF/me

# per-user home shares; %S is the share (= user) name, so each home is limited to its owner
[homes]
       comment = Home Directories
       read only = No
       valid users = %S