Samba: Difference between revisions
Revision as of 09:07, 6 January 2024
Winbind works; mapping to UNIX IDs does not.
Alpine doesn't use NSS because of musl, so another way of mapping is needed; /etc/samba/user.map requires the passwords in AD and on UNIX to be kept in sync. Maybe switch to SSSD?
kinit administrator@ISLIEF.COM
klist

wbinfo -u
wbinfo -g
wbinfo -i ISLIEF/Administrator
administrator:*:3500:3513::/home/ISLIEF/administrator:/bin/false

wbinfo -s S-1-5-21-870187001-592863278-1011463606-1604
ISLIEF/jan 1

wbinfo -n ISLIEF/jan

wbinfo -a jan
Enter jan's password:
plaintext password authentication succeeded
Enter jan's password:
challenge/response password authentication succeeded

wbinfo -S S-1-5-21-870187001-592863278-1011463606-1604
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-870187001-592863278-1011463606-1604 to uid

wbinfo -r ISLIEF/administrator
3500
3513
3572
3518
3519
3520
3512
2001
2000

wbinfo -i ISLIEF/jan
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user ISLIEF/jan

smbclient -L //10.0.0.5 -U ISLIEF/jan
Password for [ISLIEF\jan]:
session setup failed: NT_STATUS_LOGON_FAILURE
https://www.suse.com/support/kb/doc/?id=000017458
Samba4 as an Active Directory member using winbind to look up users doesn't work on Alpine Linux because musl doesn't use nsswitch. However, with musl-nscd from pikhq, authentication works, but only if the /usr/sbin/nscd process is running while the authentication is attempted; the authentication then hangs until the nscd process is stopped.
https://github.com/pikhq/musl-nscd/
I haven't figured out where and why this works.
gdb /usr/sbin/nscd
info functions
set logging enabled on
set confirm off
set height off
rbreak ^s[^@]*$
gprof /usr/sbin/nscd
[global]
allow insecure wide links = Yes
bind interfaces only = Yes
client min protocol = SMB2
dedicated keytab file = /etc/krb5.keytab
disable netbios = Yes
disable spoolss = Yes
dos charset = cp866
interfaces = lo wg0 lan
kerberos method = secrets and keytab
log level = 3 passdb:5 auth:5
ntlm auth = mschapv2-and-ntlmv2-only
printcap name = /dev/null
realm = ISLIEF.COM
restrict anonymous = 2
security = ADS
server min protocol = SMB2
server role = member server
server string = Samba Server
smb ports = 445
template homedir = /home/%U
template shell = /bin/ash
unix charset = utf-8
username map = /etc/samba/user.map
winbind cache time = 3600
winbind enum groups = Yes
winbind enum users = Yes
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind separator = /
winbind use default domain = Yes
workgroup = ISLIEF
idmap_ldb:use rfc2307 = Yes
idmap config * : backend = tdb
idmap config * : range = 2000-2999
idmap config islief:range = 3000-9999999
idmap config islief:backend = rid
map acl inherit = Yes
store dos attributes = Yes

[share]
path = /share
read only = No
valid users = ISLIEF/me

[homes]
comment = Home Directories
read only = No
valid users = %S
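The idmap settings above decide which UNIX IDs winbind hands out, and a misconfiguration there (overlapping ranges between the default `*` domain and the AD domain, or a RID that lands outside the domain range) silently produces ID collisions or unmappable users. The following Python script is an added example and not code from this page or from Samba: it parses the idmap lines of a constructed smb.conf excerpt copied from the configuration above, checks that the configured ranges are disjoint, and reproduces the idmap_rid arithmetic (assumed, as documented in the idmap_rid manual page, to be ID = RID + low end of the range with the default base_rid of 0). With the page's range 3000-9999999 that arithmetic yields 3500 for RID 500 (the built-in Administrator), which is exactly the UID that `wbinfo -i ISLIEF/Administrator` printed above; the SID ending in 1604 that failed to convert would map to 4604 once the domain lookup itself works.

```python
import re
from dataclasses import dataclass

# Constructed excerpt: the idmap-related lines of the smb.conf shown on this page.
SMB_CONF = """
[global]
   workgroup = ISLIEF
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 2000-2999
   idmap config islief:range = 3000-9999999
   idmap config islief:backend = rid
"""

# Matches "idmap config <domain> : <backend|range> = <value>", with or without
# spaces around the colon (the page uses both spellings).
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
# A domain SID with a trailing RID, e.g. the SID that wbinfo -s printed above.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


@dataclass
class IdmapDomain:
    name: str
    backend: str = ""
    low: int = 0
    high: int = 0


def parse_idmap(conf: str) -> dict:
    """Collect backend and range per idmap domain ('*' is the default/allocating domain)."""
    domains = {}
    for m in IDMAP_RE.finditer(conf):
        name, key, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
        dom = domains.setdefault(name, IdmapDomain(name))
        if key == "backend":
            dom.backend = value.lower()
        else:
            low, high = value.split("-", 1)
            dom.low, dom.high = int(low), int(high)
            if dom.low > dom.high:
                raise ValueError(f"idmap range for {name!r} is reversed: {value}")
    return domains


def overlapping_ranges(domains: dict) -> list:
    """Pairs of domains whose ID ranges intersect; Samba requires them to be disjoint."""
    doms = [d for d in domains.values() if d.high]
    clashes = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if a.low <= b.high and b.low <= a.high:
                clashes.append((a.name, b.name))
    return clashes


def rid_to_unix_id(sid: str, domain: IdmapDomain):
    """idmap_rid arithmetic (assumption: ID = RID + low end of the range, base_rid 0).

    Returns None when the computed ID falls outside the configured range."""
    if domain.backend != "rid":
        raise ValueError(f"domain {domain.name!r} does not use the rid backend")
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID with a RID: {sid}")
    unix_id = domain.low + int(m.group(1))
    return unix_id if domain.low <= unix_id <= domain.high else None


if __name__ == "__main__":
    domains = parse_idmap(SMB_CONF)
    for d in domains.values():
        print(f"{d.name:8} backend={d.backend:4} range={d.low}-{d.high}")
    print("overlapping ranges:", overlapping_ranges(domains) or "none")
    islief = domains["islief"]
    # RID 500 is the built-in Administrator: 3000 + 500 = 3500, the UID wbinfo -i printed.
    print("Administrator ->", rid_to_unix_id("S-1-5-21-870187001-592863278-1011463606-500", islief))
    print("jan           ->", rid_to_unix_id("S-1-5-21-870187001-592863278-1011463606-1604", islief))
```

Run it against a real smb.conf by replacing the constructed `SMB_CONF` string with the file's contents; the overlap check is the one worth keeping in a deployment checklist, since an overlap between the `*` range (used for BUILTIN and well-known SIDs, which is where the 2000 and 2001 in the `wbinfo -r` output above come from) and the domain range means two different SIDs can own the same files.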