Article 6EFZZ Squid + SquidGuard + AD + Samba and Winbind

Squid + SquidGuard + AD + Samba and Winbind

by
Renobr
from LinuxQuestions.org on (#6EFZZ)
Hello guys, All good?

I'm facing some trouble, I'm trying to join my server proxy to authenticate against my AD, I faced some errors with my winbind using some scripts I got from the internet and it won't work because it uses some sintaxes that are not used anymore, like auth methods.

I'm running Debian 12, i think my krb5 file is ok, because I managed to use kinit to join my server on the AD, now, my SMB file, if I try to change it's role to member server, and restart the winbind service, it'll give me an error.

So I don't know what else i can do.

I hope someone can help me.

Obs:. This smb1.conf won't let me change the server role from standalone server to member server. Now, smb2.conf will give me this error and nothing more.

Quote:
Copyright Andrew Tridgell and the Samba Team 1992-2022
winbindd[11481]: [2023/09/05 18:29:42.118361, 0] ../../source3/winbindd/winbindd_cache.c:3117(initialize_winbindd_cache)
winbindd[11481]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
winbindd[11481]: [2023/09/05 18:29:42.121795, 0] ../../source3/winbindd/winbindd_util.c:1235(init_domain_list)
winbindd[11481]: Could not fetch our SID - did we join?
winbindd[11481]: [2023/09/05 18:29:42.121905, 0] ../../source3/winbindd/winbindd.c:1177(winbindd_register_handlers)
winbindd[11481]: unable to initialize domain list

I'll list the files that edited in my journey.

krb5.conf

Code:[libdefaults]

# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns = false
# dns_lookup_kdc = true

# The following libdefaults parameters are only for Heimdal Kerberos.
default_realm = MYDOMAIN.SG.GP.TT
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}

fcc-mit-ticketflags = true
}
udp_preference_limit = 0

[realms]
MYDOMAIN.SG.GP.TT = {
kdc = AD.MYDOMAIN.SG.GP.TT
admin_server = AD.MYDOMAIN.SG.GP.TT
default_domain = MYDOMAIN.SG.GP.TT
}

# ATHENA.MIT.EDU = {
# kdc = kerberos.mit.edu
# kdc = kerberos-1.mit.edu
# kdc = kerberos-2.mit.edu:88
# admin_server = kerberos.mit.edu
# default_domain = mit.edu
# }
# ZONE.MIT.EDU = {
# kdc = casio.mit.edu
# kdc = seiko.mit.edu
# admin_server = casio.mit.edu
# }
# CSAIL.MIT.EDU = {
# admin_server = kerberos.csail.mit.edu
# default_domain = csail.mit.edu
# }
# IHTFP.ORG = {
# kdc = kerberos.ihtfp.org
# admin_server = kerberos.ihtfp.org
# }
# 1TS.ORG = {
# kdc = kerberos.1ts.org
# admin_server = kerberos.1ts.org
# }
# ANDREW.CMU.EDU = {
# admin_server = kerberos.andrew.cmu.edu
# default_domain = andrew.cmu.edu
# }
# CS.CMU.EDU = {
# kdc = kerberos-1.srv.cs.cmu.edu
# kdc = kerberos-2.srv.cs.cmu.edu
# kdc = kerberos-3.srv.cs.cmu.edu
# admin_server = kerberos.cs.cmu.edu
# }
# DEMENTIA.ORG = {
# kdc = kerberos.dementix.org
# kdc = kerberos2.dementix.org
# admin_server = kerberos.dementix.org
# }
# stanford.edu = {
# kdc = krb5auth1.stanford.edu
# kdc = krb5auth2.stanford.edu
# kdc = krb5auth3.stanford.edu
# master_kdc = krb5auth1.stanford.edu
# admin_server = krb5-admin.stanford.edu
# default_domain = stanford.edu
# }
# UTORONTO.CA = {
# kdc = kerberos1.utoronto.ca
# kdc = kerberos2.utoronto.ca
# kdc = kerberos3.utoronto.ca
# admin_server = kerberos1.utoronto.ca
# default_domain = utoronto.ca
# }

[domain_realm]
.MYDOMAIN.SG.GP.TT = MYDOMAIN.SG.GP.TT
MYDOMAIN.SG.GP.TT = MYDOMAIN.SG.GP.TT
# .mit.edu = ATHENA.MIT.EDU
# mit.edu = ATHENA.MIT.EDU
# .media.mit.edu = MEDIA-LAB.MIT.EDU
# media.mit.edu = MEDIA-LAB.MIT.EDU
# .csail.mit.edu = CSAIL.MIT.EDU
# csail.mit.edu = CSAIL.MIT.EDU
# .whoi.edu = ATHENA.MIT.EDU
# whoi.edu = ATHENA.MIT.EDU
# .stanford.edu = stanford.edu
# .slac.stanford.edu = SLAC.STANFORD.EDU
# .toronto.edu = UTORONTO.CA
# .utoronto.ca = UTORONTO.CA

[login]
krb4_convert = true
krb4_get_tickets = false
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.logsmb1.conf

Code:#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
# - When such options are commented with ";", the proposed setting
# differs from the default Samba behaviour
# - When commented with "#", the proposed setting is the default
# behaviour of Samba but the option is considered important
# enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = MYDOMAIN
realm = MYDOMAIN.SG.GP.TT
server string = PROXY SERVER
# security = ADS
netbios name = PROXY
#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0

wins server = 192.168.1.123
dns proxy = no
ldap ssl = no

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
log level = 2

# Cap the size of the individual log files (in KiB).
max log size = 500

# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
logging = file

# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d

os level = 233
domain master = no
preferred master = no

####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server

password server = 192.168.1.123

obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
encrypt passwords = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user

########## Domains ###########

#
# The following settings only takes effect if 'server role = classic
# primary domain controller', 'server role = classic backup domain controller'
# or 'domain logons' is set
#
domain logons = no

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
; logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
# logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
# logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/useradd --create-home %u

# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOMAIN.SG.GP.TT : backend = tdb
idmap config MYDOMAIN.SG.GP.TT : range = 100000-999999
template shell = /bin/bash

bind interfaces only = yes
winbind separator = /
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind cache time = 15

local master = no

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 means that usershare is disabled.
# usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes

#======================= Share Definitions =======================

[homes]
comment = Home Directories
browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700

[printers]
comment = All Printers
browseable = no
path = /var/tmp
printable = yes
guest ok = no
read only = yes
create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
load printers = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadminsmb2.conf

Code:
dns proxy = No
domain master = no
idmap uid = 10000-20000
idmap gid = 10000-20000
ldap ssl = no
load printers = No
local master = No
log file = /var/log/samba/log.%m
max log size = 500
netbios name = PROXYVM3
os level = 233
password server = 10.1.0.212
preferred master = No
realm = PRAIAGRANDE.SP.GOV.BR
security = ADS
server string = PROXY SERVER
winbind cache time = 15
winbind enum groups = Yes
winbind enum users = Yes
winbind separator = +
winbind use default domain = Yes
wins server = 10.1.0.212
workgroup = PRAIAGRANDE
idmap config * : range = 10000-20000
idmap config * : backend = tdb
kdc.conf

Code:[kdcdefaults]
kdc_ports = 750,88

[realms]
MYDOMAIN.SG.GP.TT = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = aes256-cts
supported_enctypes = aes256-cts:normal aes128-cts:normal
default_principal_flags = +preauth
}krb5-kdc

Code:# Automatically generated. Only the value of DAEMON_ARGS will be preserved.
# If you change anything in this file other than DAEMON_ARGS, first run
# dpkg-reconfigure krb5-kdc and disable managing the KDC configuration with
# debconf. Otherwise, changes will be overwritten.

KRB4_MODE=disable
RUN_KRB524D=falsensswitch.conf

Code:# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind sss
group: compat winbind sss
shadow: files systemd sss
gshadow: files systemd

hosts: files dns
networks: files

protocols: db files
services: db files sss
ethers: db files
rpc: db files

netgroup: nis sss
automount: sss
External Content
Source RSS or Atom Feed
Feed Location https://feeds.feedburner.com/linuxquestions/latest
Feed Title LinuxQuestions.org
Feed Link https://www.linuxquestions.org/questions/
Reply 0 comments