Bug 1740986

Summary: Samba 4.9.1-6: Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED!
Product: Red Hat Enterprise Linux 7
Reporter: Glen Babiano <gbabiano>
Component: samba
Assignee: Andreas Schneider <asn>
Status: CLOSED ERRATA
QA Contact: Niranjan Mallapadi Raghavender <mniranja>
Severity: high
Priority: high
Version: 7.6
CC: asn, dkarpele, gdeschner, iboukris, jarrpa, jstephen, mniranja, sgoveas, tscherf
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: samba-4.10.4-4.el7
Doc Type: If docs needed, set a value
Last Closed: 2020-03-31 19:56:34 UTC
Type: Bug
Bug Blocks: 1754835

Description Glen Babiano 2019-08-14 04:52:01 UTC
Description of problem:
After a system update, Samba fails to start with "create_local_token failed: NT_STATUS_ACCESS_DENIED"

Version-Release number of selected component (if applicable):
Samba 4.9.1-6

Actual results:
Samba fails to start with "create_local_token failed: NT_STATUS_ACCESS_DENIED"

Expected results:
Samba should start successfully after the update.

Additional info:
Running the command below resolves the issue.
----- 
# net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
-----

However, the customer is requesting that this be added by default instead of having to run the command manually after an update, to avoid downtime. Additional information was gathered from the idm-tech mailing list, as below:

The following snippet needs to be added to 'samba' package:

-----
# /usr/lib/systemd/system/smb.service.d/nobody.conf
[Service]
ExecStartPre=/bin/sh -c '/usr/bin/net groupmap -s /dev/null add sid=S-1-5-32-546 unixgroup=nobody type=builtin ||:'
-----

Note that we have to use a shell construct to avoid propagating the non-zero result of running /usr/bin/net to systemd. Otherwise the result of ExecStartPre would be shown as failing even if it could be ignored with 'ExecStartPre=-/usr/bin/net ...' -- you will still see it in 'systemctl status smb' in red:

-----
  Process: 6630 ExecStartPre=/usr/bin/net groupmap -s /dev/null add sid=S-1-5-32-546 unixgroup=nobody type=builtin (code=exited, status=255/EXCEPTION)

While with shell's ||: it will be silent:

  Process: 6735 ExecStartPre=/bin/sh -c /usr/bin/net groupmap -s /dev/null add sid=S-1-5-32-546 unixgroup=nobody type=builtin ||: (code=exited, status=0/SUCCESS)
-----
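
The workaround above only masks the failure of `net groupmap add`; an operator usually also wants to know whether the BUILTIN mappings that smbd needs are actually present before starting the service. The following added example (not part of the bug report or of the Samba package) is a POSIX sh check that parses `net groupmap list` output and reports any of the three BUILTIN SIDs seen in this report that are unmapped; the listings embedded in it are constructed samples modelled on the output shown in this bug.

```shell
#!/bin/sh
# Constructed sample of 'net groupmap list' output with all three
# BUILTIN groups mapped (modelled on the listing in this report).
SAMPLE_OK='Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users'

# Constructed sample where the BUILTIN\Guests mapping is absent, the
# state in which the report saw create_local_token fail.
SAMPLE_NO_GUESTS='Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users'

# The three BUILTIN SIDs that appear mapped in the report's working runs.
BUILTIN_SIDS="S-1-5-32-544 S-1-5-32-545 S-1-5-32-546"

# missing_builtin_maps: read 'net groupmap list' output on stdin and
# print one line per BUILTIN SID that has no mapping.
# Exit status 0 when all are mapped, 1 when at least one is missing.
missing_builtin_maps() {
    listing=$(cat)
    rc=0
    for sid in $BUILTIN_SIDS; do
        # A mapped SID appears as "(<sid>) -> <group or gid>"; the
        # parenthesised SID alone is enough to prove the mapping exists.
        if ! printf '%s\n' "$listing" | grep -qF "($sid)"; then
            echo "$sid"
            rc=1
        fi
    done
    return $rc
}

# check_groupmap_listing: same check, but takes the listing as an
# argument so it can be called without a pipe.
check_groupmap_listing() {
    printf '%s\n' "$1" | missing_builtin_maps
}

# On a live host: net groupmap list | missing_builtin_maps
```

Run as an ExecStartPre or a monitoring probe, a non-zero exit pinpoints the missing SID instead of leaving only the NT_STATUS_ACCESS_DENIED message in the smbd log.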

Comment 2 Andreas Schneider 2019-08-14 07:32:11 UTC
The net command doesn't need to be run if winbind is running and Samba is configured correctly. It is likely that the customer is running sssd and did not start winbind which caused those issues.

Comment 3 Glen Babiano 2019-08-15 01:44:15 UTC
Hi Andreas,

Thanks for the feedback.

I have reached out to the customer and here's what he has to say:
-----
I'm afraid that's not correct, we do start winbind before starting samba.
-----

Any other thoughts?

Thanks and regards,

Glen

Comment 5 Isaac Boukris 2019-08-27 10:32:49 UTC
Hi, it seems to me that this issue was addressed upstream and the patch is actually included in the latest samba package samba-4.10.4-1.el7, please try using this package.

Comment 7 Glen Babiano 2019-09-12 06:58:06 UTC
Hi Isaac,

Customer found that Samba version 4.10.x is available upstream but not on the RHEL 7 repos. Is there any chance this will be ported in RHEL 7?

Thanks and regards,

Glen

Comment 16 Andreas Schneider 2019-11-26 13:50:44 UTC
Problems could happen if winbind is not running or idmap is not set up correctly. If this is the case there should be no problems. However we improved the code in this area.

Comment 17 Niranjan Mallapadi Raghavender 2019-12-02 10:09:04 UTC
Version:
samba-common-4.10.4-9.el7.noarch
samba-libs-4.10.4-9.el7.x86_64
samba-common-tools-4.10.4-9.el7.x86_64
samba-4.10.4-9.el7.x86_64
samba-common-libs-4.10.4-9.el7.x86_64
samba-winbind-modules-4.10.4-9.el7.x86_64
samba-winbind-clients-4.10.4-9.el7.x86_64
samba-client-libs-4.10.4-9.el7.x86_64
samba-winbind-4.10.4-9.el7.x86_64

1. Test using winbind and samba
================================

1. Join system to Windows 2012 R2 using realm with winbind and samba

[root@qe-blade-11 ~]# realm join -U Administrator --client-software=winbind --membership-software=samba -v CYGNUS.TEST
 * Resolving: _ldap._tcp.cygnus.test
 * Performing LDAP DSE lookup on: 10.65.201.120
 * Performing LDAP DSE lookup on: 2620:52:0:41c9:3ccf:487d:ca5b:5895
 * Successfully discovered: cygnus.test
Password for Administrator:
 * Required files: /usr/libexec/oddjob/mkhomedir, /usr/sbin/oddjobd, /usr/bin/wbinfo, /usr/sbin/winbindd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.8231B0 -U Administrator ads join cygnus.test
Enter Administrator's password:DNS update failed: NT_STATUS_UNSUCCESSFUL

Using short domain name -- CYGNUS
Joined 'QE-BLADE-11' to dns domain 'cygnus.test'
DNS Update for qe-blade-11.idmqe.lab.eng.bos.redhat.com failed: ERROR_DNS_GSS_ERROR
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.8231B0 -U Administrator ads keytab create
Enter Administrator's password:
 * /usr/bin/systemctl enable winbind.service
Created symlink from /etc/systemd/system/multi-user.target.wants/winbind.service to /usr/lib/systemd/system/winbind.service.
 * /usr/bin/systemctl restart winbind.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm

2. Run testparm

[root@qe-blade-11 samba]# net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users
[root@qe-blade-11 samba]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        kerberos method = system keytab
        printcap name = cups
        realm = CYGNUS.TEST
        security = ADS
        template homedir = /home/%U@%D
        template shell = /bin/bash
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        workgroup = CYGNUS
        idmap config * : range = 10000-999999
        idmap config cygnus : backend = rid
        idmap config cygnus : range = 2000000-2999999
        idmap config * : backend = tdb
        cups options = raw

[homes] 
        browseable = No
        comment = Home Directories
        inherit acls = Yes
        read only = No
        valid users = %S %D%w%S


[printers]
        browseable = No   
        comment = All Printers
        create mask = 0600
        path = /var/tmp   
        printable = Yes   


[print$]
        comment = Printer Drivers
        create mask = 0664
        directory mask = 0775
        force group = @printadmin
        path = /var/lib/samba/drivers
        write list = @printadmin root

3. Start smb service and verify net groupmap list lists builtin groups

[root@qe-blade-11 samba]# systemctl start smb
[root@qe-blade-11 samba]# net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users
[root@qe-blade-11 samba]# testparm


2. Test using sssd and samba
=============================
[root@qe-blade-11 ~]# realm join -U Administrator --client-software=sssd --membership-software=samba -v CYGNUS.TEST
 * Resolving: _ldap._tcp.cygnus.test
 * Performing LDAP DSE lookup on: 10.65.201.120
 * Performing LDAP DSE lookup on: 2620:52:0:41c9:3ccf:487d:ca5b:5895
 * Successfully discovered: cygnus.test
Password for Administrator: 
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.RJSIC0 -U Administrator ads join cygnus.test
Enter Administrator's password:DNS update failed: NT_STATUS_UNSUCCESSFUL

Using short domain name -- CYGNUS
Joined 'QE-BLADE-11' to dns domain 'cygnus.test'
DNS Update for qe-blade-11.idmqe.lab.eng.bos.redhat.com failed: ERROR_DNS_GSS_ERROR
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.RJSIC0 -U Administrator ads keytab create
Enter Administrator's password:
 * /usr/bin/systemctl enable sssd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm


2. Configure /etc/samba/smb.conf as below:

[global]
        server string = File Server
        passdb backend = tdbsam
        # log files split per-machine:
        log file = /var/log/samba/log.%m
        # maximum size of 200KB per log file, then rotate:
        max log size = 200
        log level = 2
        # Domain Config
        realm = CYGNUS.TEST
        workgroup = CYGNUS
        security = ADS
        kerberos method = secrets and keytab
        idmap config * : backend = autorid
        idmap config * : range = 1000000-19999999
        idmap config * : rangesize = 1000000
        template shell = /bin/bash
        template homedir = /home/%U


[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
[share1]

        path = /mnt/samba/share1
        comment = test share1
        writable = yes
        printable = no

3. start winbind and smb service

[root@qe-blade-11 samba]# net groupmap list
Guests (S-1-5-32-546) -> 1000002
Administrators (S-1-5-32-544) -> 1000000
Users (S-1-5-32-545) -> 1000001

Comment 19 errata-xmlrpc 2020-03-31 19:56:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1084