LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 06-04-2023, 03:13 PM   #1
des_a
Senior Member
 
Registered: Sep 2006
Posts: 1,416
Blog Entries: 43

Rep: Reputation: 36
Samba Domain Member - Configuration for Caching Users


OK. Today I'm using my other laptop, what I call my "household laptop", which is still running the SSSD daemon. I'm doing so because I was backing up my new main PC.

Why am I backing it up? Well, because my "real" main PC is now a VM, using virtualbox. What does that mean? It means, wherever the VM can run, is my new computer. HOWEVER, it needs a host machine to run on. That is my new laptop. The VM is a dual boot of Windows 10 and Linux, same as my old laptop. I can't remember when using it, the last time I booted Windows 10. So I'm primarily using Linux Mint now, for everything I can, and except for a few problems with the latest version, it's working just fine.

The task now? I'm running Windows 10 underneath the VM, and I'm getting tired of using it so much and being reliant on it. I thought I HAD TO, because I couldn't figure out how to disable secure boot, but somehow I managed it, by a weird name. Now, I would like to give a try to replacing Windows 10 with guess what?... Linux Mint!

However, one thing is stopping me for sure, and it's not the backup. As far as the backup is concerned, I can anytime I want, change the whole hard drive and not lose a thing. It's all backed up (Standard partimage style).

So what is stopping me is that my samba server configuration is NOT correctly caching users, when I'm not connected to the network. So, if I do my standard install, it won't allow me to leave the network connection at my house, where the server is, without still letting me log on to previously logged on users.

I'd rather do this the samba way, now that I know how, if possible. There is one hardware piece hooked up, known to not be compatible with Linux Mint, but for now I don't really need it at all. It is a VCR capture device, and what I can do, is later purchase a Mini PC, to be a server, and then on that server, I can plug in the hardware device that works not with Linux Mint, and problem solved.

Now I know that this isn't a legal forum, but could someone also tell me whether that is technically not OK in their license or not. Microsoft never gave me a clear answer, other than they obviously don't care that I'm doing that. I decided I will NEVER allow other people outside of a possible family unit use those servers. I may allow outside access but for me, not the world. I believe with Windows 11, it's not OK, but I could be wrong about win10.

Anyway, the other main question is how to get samba server caching users. If I solve that, it's enough to give this a try and see whether I miss Windows 10 underneath my VM or not. If I do, I can always restore.

Also, you should know that a lot of the reason I even care, is that I've been trying to back up my network. I have 8 gigs of RAM, and a better processor than my previous pc. However, of course when trying to back up my hard drive, I was practically ruining the backup drive and not able to back up my files, which should be simple. I haven't tested yet, but I think Linux Mint should give me less trouble and be straightforward in this manner. So Windows doesn't really work where Linux should. I'll have to start by formatting my ssd one more time, before I can begin the backup. Forget about me using the actual vm to do the work too, because it will just crash the whole system, windows and all. I'm fed up with little problems like this, and spending hours on them, when yes, I start to spend hours figuring out a solution at first with Linux Mint, but then, after I made it work once, it just works. They say Linux never "just works", but in my case it should just fine. I can prove that this is not a problem, by using my old laptop if you think I should.

smb.conf before my changes to allow group policy. I have to wait until I get home to post those changes. Like I said, my laptop was backing up when I left, so I left with the household laptop.
Code:
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   security = ADS
   workgroup = SMILEY000
   realm = smiley000.local

# server string is the equivalent of the NT Description field
   server string = %h server (Samba, Ubuntu)

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
   logging = file

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller". 
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   #server role = member server

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = Bad User

########## Domains ###########

#
# The following settings only takes effect if 'server role = classic
# primary domain controller', 'server role = classic backup domain controller'
# or 'domain logons' is set 
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
#;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
#;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
#;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
 add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the 
# SAMR RPC pipe.  
# The following assumes a "machines" group exists on the system
 add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.  
 add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
#;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
   idmap config * :              backend = tdb
   idmap config * :              range   = 3000-7999
   idmap config smiley000 :      backend = autorid
   idmap config smiley000 :      range   = 10000-999999
   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 means that usershare is disabled.
#   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#username map = /etc/samba/user.map
min domain uid = 0

#======================= Share Definitions =======================

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
#;[homes]
#;   comment = Home Directories
#;   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
#;   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
#;   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
#;   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# Un-comment the following parameter to make sure that only "username"
# can connect to \\server\username
# This might need tweaking when using external authentication schemes
#;   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
#;[netlogon]
#;   comment = Network Logon Service
#;   path = /home/samba/netlogon
#;   guest ok = yes
#;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
#;[profiles]
#;   comment = Users profiles
#;   path = /home/samba/profiles
#;   guest ok = no
#;   browseable = no
#;   create mask = 0600
#;   directory mask = 0700

#[printers]
#   comment = All Printers
#   browseable = no
#   path = /var/spool/samba
#   printable = yes
#   guest ok = no
#   read only = yes
#   create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
#[print$]
#   comment = Printer Drivers
#   path = /var/lib/samba/printers
#   browseable = yes
#   read only = yes
#   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
#;   write list = root, @lpadmin
 
Old 06-05-2023, 02:43 AM   #2
rpenny
Member
 
Registered: Jul 2019
Posts: 82

Rep: Reputation: Disabled
One thing you haven't mentioned, what is the DC ?

Your smb.conf seems to be a mixture of an AD domain member and an NT4-style domain member, it cannot be both and with 'security = ADS' it is supposed to be an AD domain member.

You also appear to be using '.local' as the TLD (unless this is a placeholder for the correct one), this isn't recommended by anyone, I know that Microsoft at one time recommended using it, but that was before someone pointed out that .local is reserved for Bonjour and Avahi.

You also mentioned sssd, you should not use this with winbind.

To get winbind to cache users, you need to add a couple of lines to your smb.conf:

Code:
winbind offline logon = yes
winbind request timeout = 10
I suggest you read the smb.conf manpage
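As an added illustration (not code from either poster, and not part of Samba itself), the small Python checker below parses an smb.conf in the same style as the one posted above and reports the three things raised in this reply: whether `winbind offline logon` and `winbind request timeout` are set so winbind can cache logons, whether the realm uses the `.local` TLD, and whether NT4-style settings sit next to `security = ADS`. The two embedded sample configs are constructed to mimic the poster's [global] section before and after the suggested lines; the list of keys treated as NT4-style is my assumption, based on the remark that the file mixes the two styles.

```python
"""Check an smb.conf for winbind offline-logon caching and related cautions.

Added example, not Samba's own code. The samples below are constructed to
resemble the [global] section posted in this thread, not copied from a host.
"""
import re

# Assumed list: settings that only have meaning on a classic (NT4-style)
# domain controller and do nothing useful on an AD domain member.
NT4_STYLE_KEYS = {
    "add user script", "add machine script", "add group script",
    "logon path", "logon home", "logon drive", "logon script", "domain logons",
}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Samba syntax: '[section]' headers, 'key = value' lines, '#' or ';'
    comment lines, case-insensitive keys with internal whitespace collapsed.
    Indented lines are ordinary lines here (Python's configparser would treat
    them as continuations, which is why a hand-rolled parser is used).
    A key repeated inside a section keeps the last value, as Samba does.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section; testparm would complain
        key, value = line.split("=", 1)
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def is_yes(value):
    """Samba accepts yes/true/1 as a true boolean."""
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def check_offline_logon(text):
    """Return the offline-caching state and a list of human-readable findings."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    offline = is_yes(g.get("winbind offline logon"))
    if not offline:
        findings.append("winbind offline logon is not enabled; no cached logons off-network")
    timeout = g.get("winbind request timeout")
    if timeout is None or not timeout.isdigit():
        findings.append("winbind request timeout is unset or not a number")
    realm = g.get("realm", "")
    if realm.lower().endswith(".local"):
        findings.append(f"realm {realm} uses .local, which mDNS (Avahi/Bonjour) reserves")
    if g.get("security", "").upper() == "ADS":
        nt4 = sorted(k for k in NT4_STYLE_KEYS if k in g)
        if nt4:
            findings.append("security = ADS but NT4-style settings present: " + ", ".join(nt4))
    return {"offline_logon": offline, "request_timeout": timeout, "findings": findings}


# Constructed sample modelled on the posted [global] section (before the fix).
SAMPLE_BEFORE = """\
[global]
   security = ADS
   workgroup = SMILEY000
   realm = smiley000.local
   server string = %h server (Samba, Ubuntu)
;   interfaces = 127.0.0.0/8 eth0
   #server role = member server
   map to guest = Bad User
 add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
 add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
   idmap config * :              backend = tdb
   idmap config * :              range   = 3000-7999
   idmap config smiley000 :      backend = autorid
   idmap config smiley000 :      range   = 10000-999999
"""

# Same config with the two lines suggested in the reply appended to [global].
SAMPLE_AFTER = SAMPLE_BEFORE + """\
   winbind offline logon = yes
   winbind request timeout = 10
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        result = check_offline_logon(sample)
        print(f"{label}: offline_logon={result['offline_logon']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The checker only reads the file; it cannot tell you whether sssd is also running on the box (the reply's other caution) or whether the join actually works. For the live state, `testparm -s` validates the syntax, and `wbinfo --online-status` shows whether winbind currently considers the domain online or offline, which is the behaviour the caching lines are meant to survive.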
 
Old 06-05-2023, 03:43 AM   #3
des_a
Senior Member
 
Registered: Sep 2006
Posts: 1,416

Original Poster
Blog Entries: 43

Rep: Reputation: 36
Current up to date smb.conf
Code:
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   security = ADS
   workgroup = SMILEY000
   realm = smiley000.local

# server string is the equivalent of the NT Description field
   server string = %h server (Samba, Ubuntu)

   apply group policies = yes
   lock directory = /var/cache/samba

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
   logging = file

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller". 
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = member server

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = Bad User

########## Domains ###########

#
# The following settings only takes effect if 'server role = classic
# primary domain controller', 'server role = classic backup domain controller'
# or 'domain logons' is set 
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
#;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
#;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
#;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
 add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the 
# SAMR RPC pipe.  
# The following assumes a "machines" group exists on the system
 add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.  
 add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
#;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
   idmap config * :              backend = tdb
   idmap config * :              range   = 3000-7999
   idmap config smiley000 :      backend = autorid
   idmap config smiley000 :      range   = 10000-999999
   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 means that usershare is disabled.
#   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#username map = /etc/samba/user.map
min domain uid = 0

#======================= Share Definitions =======================

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
#;[homes]
#;   comment = Home Directories
#;   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
#;   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
#;   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
#;   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# Un-comment the following parameter to make sure that only "username"
# can connect to \\server\username
# This might need tweaking when using external authentication schemes
#;   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
#;[netlogon]
#;   comment = Network Logon Service
#;   path = /home/samba/netlogon
#;   guest ok = yes
#;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
#;[profiles]
#;   comment = Users profiles
#;   path = /home/samba/profiles
#;   guest ok = no
#;   browseable = no
#;   create mask = 0600
#;   directory mask = 0700

#[printers]
#   comment = All Printers
#   browseable = no
#   path = /var/spool/samba
#   printable = yes
#   guest ok = no
#   read only = yes
#   create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
#[print$]
#   comment = Printer Drivers
#   path = /var/lib/samba/printers
#   browseable = yes
#   read only = yes
#   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
#;   write list = root, @lpadmin
 
Old 06-05-2023, 03:55 AM   #4
des_a
Senior Member
 
Registered: Sep 2006
Posts: 1,416

Original Poster
Blog Entries: 43

Rep: Reputation: 36
A lot to unpack here, thanks!

Quote:
One thing you haven't mentioned, what is the DC ?

Your smb.conf seems to be a mixture of an AD domain member and an NT4-style domain member, it cannot be both and with 'security = ADS' it is supposed to be an AD domain member.

You also appear to be using '.local' as the TLD (unless this is a placeholder for the correct one), this isn't recommended by anyone, I know that Microsoft at one time recommended using it, but that was before someone pointed out that .local is reserved for Bonjour and Avahi.

You also mentioned sssd, you should not use this with winbind.

to get winbind to cache users, you need to add a couple of lines to your smb.conf:
The domain controller is currently a windows server 2019 machine, that I was using to test the concept of how to use it. I will now test when I'm able to how to rename a domain, as well as testing in a production environment a Linux domain controller. I just can only work so fast. But as far as network work, working on servers a bit, is my goal. I'm still using Mandriva servers and they need to go, go go! Gracefully, of course. As far as the .local, I'm aware of that now. I'm going to change it piece by piece.

Quote:
Your smb.conf seems to be a mixture of an AD domain member and an NT4-style domain member, it cannot be both and with 'security = ADS' it is supposed to be an AD domain member.
It understands what I mean, but I didn't know I was asking it to mix styles. I want an AD domain, NOT an NT4 style domain.

Quote:
You also mentioned sssd, you should not use this with winbind.
Not using both on the same machine. I realize that won't work. That would be a really beginner mistake, but thanks for checking. I'm only using samba on this machine at this time. The SSSD is the other machine I haven't switched over yet.

Quote:
to get winbind to cache users, you need to add a couple of lines to your smb.conf:
...And these may be what I was looking for. I'll try them.

Finally, yes, I know about man pages and about online manuals. It was hard for me to find specifically what I was looking for in either without a little help. That's why I need to purchase a more up to date samba book to read and pretty much apply. I have an older one for like samba 2.??.
 
Old 06-05-2023, 04:55 AM   #5
des_a
Senior Member
 
Registered: Sep 2006
Posts: 1,416

Original Poster
Blog Entries: 43

Rep: Reputation: 36
Here we go:

smb.conf with that feature enabled.
Code:
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   security = ADS
   workgroup = SMILEY000
   realm = smiley000.local

# server string is the equivalent of the NT Description field
   server string = %h server (Samba, Ubuntu)

   apply group policies = yes
   #lock directory = /var/cache/samba

   winbind offline logon = yes
   winbind request timeout = 10

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
   logging = file

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller". 
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   #server role = member server

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = Bad User

########## Domains ###########

#
# The following settings only takes effect if 'server role = classic
# primary domain controller', 'server role = classic backup domain controller'
# or 'domain logons' is set 
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
#;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
#;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
#;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
 add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the 
# SAMR RPC pipe.  
# The following assumes a "machines" group exists on the system
 add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.  
 add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
#;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
   idmap config * :              backend = tdb
   idmap config * :              range   = 3000-7999
   idmap config smiley000 :      backend = autorid
   idmap config smiley000 :      range   = 10000-999999
   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 means that usershare is disabled.
#   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#username map = /etc/samba/user.map
min domain uid = 0

#======================= Share Definitions =======================

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
#;[homes]
#;   comment = Home Directories
#;   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
#;   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
#;   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
#;   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# Un-comment the following parameter to make sure that only "username"
# can connect to \\server\username
# This might need tweaking when using external authentication schemes
#;   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
#;[netlogon]
#;   comment = Network Logon Service
#;   path = /home/samba/netlogon
#;   guest ok = yes
#;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
#;[profiles]
#;   comment = Users profiles
#;   path = /home/samba/profiles
#;   guest ok = no
#;   browseable = no
#;   create mask = 0600
#;   directory mask = 0700

#[printers]
#   comment = All Printers
#   browseable = no
#   path = /var/spool/samba
#   printable = yes
#   guest ok = no
#   read only = yes
#   create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
#[print$]
#   comment = Printer Drivers
#   path = /var/lib/samba/printers
#   browseable = yes
#   read only = yes
#   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
#;   write list = root, @lpadmin
This correctly allows the logon to show up in the GUI options, after about a whole minute. However, it will still NOT let me log on if it's not connected, unless it requires some other network, but a network nonetheless. I tried airplane mode for my test. Remember, what I'm dealing with underneath, until I can make a replacement, is Windows 10, with a VM.
 
Old 06-05-2023, 04:59 AM   #6
des_a (Original Poster)
I heard something about having to enable PAM for this, and I'm not sure whether this is correct or not. I didn't change it from the default shown on my other thread. It's clearly trying, if it got a GUI option. Before, it couldn't do that. id cannot find the user unless it can reach the DC. I'm wondering whether I must enable this before ever using a user, and it will work now for new users who never logged on before this change, but not older users?
 
Old 06-05-2023, 06:08 AM   #7
rpenny
Can I introduce you to a command to parse your smb.conf file? This is 'testparm -s', which, if you run it against your smb.conf, produces a much more manageable output:

Code:
[global]
	add group script = /usr/sbin/addgroup --force-badname %g
	add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
	add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
	apply group policies = Yes
	log file = /var/log/samba/log.%m
	logging = file
	map to guest = Bad User
	max log size = 1000
	min domain uid = 0
	obey pam restrictions = Yes
	pam password change = Yes
	panic action = /usr/share/samba/panic-action %d
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	passwd program = /usr/bin/passwd %u
	realm = SMILEY000.LOCAL
	security = ADS
	server string = %h server (Samba, Ubuntu)
	template shell = /bin/bash
	unix password sync = Yes
	usershare allow guests = Yes
	winbind offline logon = Yes
	winbind request timeout = 10
	workgroup = SMILEY000
	idmap config smiley000 : range = 10000-999999
	idmap config smiley000 : backend = autorid
	idmap config * : range = 3000-7999
	idmap config * : backend = tdb
What 'testparm' does:
It removes any commented lines (lines that start with a # or ; ).
It removes any default lines.
It will report any deprecated parameters (this doesn't mean you cannot use them, it just means that at some time in the future they may be removed).
It will report any unknown parameters.
It will report any errors.

I suggest you remove these lines; whilst they are valid Samba parameters, they shouldn't be in a Unix domain member's smb.conf:

Code:
	add group script = /usr/sbin/addgroup --force-badname %g
	add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
	add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	passwd program = /usr/bin/passwd %u
	unix password sync = Yes
I note that you are using the autorid idmap backend; this, whilst being the easiest to set up, is really meant for multiple domains (the domain the computer is joined to and any trusted domains). You cannot use 'winbind use default domain = yes' with autorid (that parameter, when set to 'yes', will lead to users being reported as 'username' instead of 'DOMAIN\username'). You have also set it up incorrectly; it should be just something like this (you only need the two lines):

Code:
	idmap config * : range = 10000-999999
	idmap config * : backend = autorid
If you want to just have 'username' instead of 'SMILEY000\username' , just change 'autorid' to 'rid', add 'winbind use default domain = yes' and restart Samba.

From your smb.conf, I can see that your users' Unix home directories will be stored in /home/SMILEY000; is this where you require them?

You will need the winbind links setting up correctly for getent etc. to work; on Debian based distros this requires the libpam-winbind and libnss-winbind packages and 'winbind' adding to the 'passwd' and 'group' lines in /etc/nsswitch.conf. Not sure how your distro does this.
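A small lint script that encodes the checks made in this post (DC-only parameters, autorid placement, the autorid/'winbind use default domain' conflict, and 'winbind offline logon'), as an added example that is not from the thread or from Samba; both sample configs are constructed, modelled on the testparm output above, and the script only reads text, it does not touch a live smb.conf:

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from Samba): lint the [global] section
# of a domain member's smb.conf for the points raised above. Input is in
# 'testparm -s' style, one "parameter = value" per line.

# Constructed sample modelled on the poster's testparm output (shortened).
SAMPLE_SMB_CONF='[global]
	add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
	unix password sync = Yes
	security = ADS
	workgroup = SMILEY000
	winbind offline logon = Yes
	winbind use default domain = yes
	idmap config smiley000 : range = 10000-999999
	idmap config smiley000 : backend = autorid
	idmap config * : range = 3000-7999
	idmap config * : backend = tdb'

# Constructed member config that follows the advice given in the post.
CLEAN_SMB_CONF='[global]
	security = ADS
	workgroup = SMILEY000
	winbind offline logon = Yes
	idmap config * : range = 10000-999999
	idmap config * : backend = autorid'

# get_param "<conf>" "<name>": prints the lower-cased value of the first
# parameter whose name matches case-insensitively, or nothing if absent.
get_param() {
    printf '%s\n' "$1" | awk -v key="$2" '
        index($0, "=") {
            i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print tolower(v); exit }
        }'
}

# lint_member_conf "<conf>": prints one finding per line; always exits 0.
lint_member_conf() {
    local conf="$1" p
    # 1. Account-management hooks belong on a DC, not on a domain member.
    for p in "add user script" "add machine script" "add group script" \
             "passwd program" "passwd chat" "unix password sync"; do
        [ -n "$(get_param "$conf" "$p")" ] && echo "remove: '$p' is a DC-only parameter"
    done
    # 2. autorid belongs on the '*' entry; a per-domain autorid line is wrong.
    printf '%s\n' "$conf" | awk '
        tolower($0) ~ /^[ \t]*idmap config [^*][^:]*:[ \t]*backend[ \t]*=[ \t]*autorid/ {
            print "fix: per-domain autorid entry; use \"idmap config * : backend = autorid\"" }'
    # 3. autorid cannot be combined with 'winbind use default domain = yes'.
    if printf '%s\n' "$conf" | grep -qi 'backend *= *autorid' &&
       [ "$(get_param "$conf" "winbind use default domain")" = "yes" ]; then
        echo "conflict: autorid with 'winbind use default domain = yes' (use rid instead)"
    fi
    # 4. Cached (offline) logon needs winbind told to cache credentials.
    [ "$(get_param "$conf" "winbind offline logon")" = "yes" ] ||
        echo "missing: 'winbind offline logon = yes' is required for offline logon"
    return 0
}

# count_findings "<conf>": number of findings (0 means the config passed).
count_findings() { lint_member_conf "$1" | awk 'END { print NR }'; }

lint_member_conf "$SAMPLE_SMB_CONF"
```

Feed it the output of 'testparm -s' on a real member (for example by reading it into a variable) to get the same report for your own configuration.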
 
Old 06-05-2023, 02:25 PM   #8
des_a (Original Poster)
I knew about testparm, but not about the -s flag. I used to never use testparm, but nowadays it's needed for me, so I try to remember it. Now I know about the -s flag, but I was thinking I wanted all the comments for now, until it maybe might cause a problem. HOWEVER, if those lines are not needed, maybe it is time to run that command. I know what it does now; I will not link the answer here, because you have to pick through it, but I know from your input and from searching what it does.

I fought with my backends, for idmap, and chose the one I have. HOWEVER, I probably don't want the "winbind use default domain = yes", anyway, because I like prefixing it with the domain prefix, and "just in case", though in my home I will probably never have multiple domains. Call me crazy for the last one.

Where the home is stored, is some sort of default, and I'm OK with it, unless it can cause problems. I don't require it, but I like the organization and might try to require it later.

Using Linux Mint, so however it does this, is how I have done it. But I wonder if the pam option is set wrong??? I can't tell, because the pam configuration looks pretty advanced.

It's not exactly working yet though. I will try to make a smaller smb.conf file and go from there.
 
Old 06-06-2023, 02:02 AM   #9
des_a (Original Poster)
Done troubleshooting for the night. I restored from an earlier time, applied my smb.conf, which misses some lines there before, and then I rebooted. I disabled manual logon, re-enabled it from the command line, because that broke the gui, and still no option. I can clearly see the option to log in to a user, as expected. But no matter what, I get an invalid password, unless I'm hooked up to the network and can reach the domain controller.
 
Old 06-06-2023, 02:49 AM   #10
rpenny
Quote:
Originally Posted by des_a View Post
Done troubleshooting for the night. I restored from an earlier time, applied my smb.conf, which misses some lines there before, and then I rebooted. I disabled manual logon, re-enabled it from the command line, because that broke the gui, and still no option. I can clearly see the option to log in to a user, as expected. But no matter what, I get an invalid password, unless I'm hooked up to the network and can reach the domain controller.
I suppose I should have mentioned this, but, for offline logon to work, the user must have logged on at least once.

I suggest you read this:

https://wiki.samba.org/index.php/PAM...Authentication

I know that is correct, I wrote it.
 
Old 06-06-2023, 11:28 AM   #11
des_a (Original Poster)
Quote:
I suppose I should have mentioned this, but, for offline logon to work, the user must have logged on at least once.
I know that, because that's how it always works (Windows, SSSD). What I'm wondering is if it only counts it if the code in smb.conf is written, then a user logs on who has never, and no profile. What happened is that part wasn't written, and the user has a profile. I added the code, logged onto a user with a profile, and expected that to cache. Maybe if I delete my profile and let that rebuild? The order, I assume, is what's wrong. I could try with a user who's never logged on, and see if it works. The working smb.conf is what's strange.
 
Old 06-07-2023, 04:08 AM   #12
rpenny
Quote:
Originally Posted by des_a View Post
I know that, because that's how it always works (Windows, SSSD). What I'm wondering is if it only counts it if the code in smb.conf is written, then a user logs on who has never, and no profile. What happened is that part wasn't written, and the user has a profile. I added the code, logged onto a user with a profile, and expected that to cache. Maybe if I delete my profile and let that rebuild? The order, I assume, is what's wrong. I could try with a user who's never logged on, and see if it works. The working smb.conf is what's strange.
Not sure I fully understand just what you are trying to say, but winbind offline logon will only work if smb.conf is set up to allow it. Any user that will log on if a DC cannot be reached must have logged on previously, and winbind must have cached their details. It should not matter how they log on (via SSH or via a GUI such as lightdm, gdm3, etc.), just as long as they do log into the computer.

I can assure you that if you follow this wikipage:

https://wiki.samba.org/index.php/PAM...Authentication

then offline logon will work.
If it doesn't work for you, then we need to find out why.
 
Old 06-09-2023, 03:14 PM   #13
des_a (Original Poster)
After reading the tutorial, I "think" it's correct. It's not a one-to-one correspondence on my distribution with the PAM stuff. Here is the output of a few commands:

Code:
mileynet@main-des-linux:~$ wbinfo -K SMILEY000\\des%PNFsoundEater000$
plaintext kerberos password authentication for [SMILEY000\des] failed (requesting cctype: FILE)
Could not authenticate user [SMILEY000\des%PNFsoundEater000$] with Kerberos (ccache: FILE)
smileynet@main-des-linux:~$ id SMILEY000\\des
uid=3001(SMILEY000\des) gid=3006(SMILEY000\domain users) groups=3006(SMILEY000\domain users),3031(SMILEY000\standard_users),3030(SMILEY000\human),3029(SMILEY000\vpn_users),3028(SMILEY000\des-global),3027(SMILEY000\standard_users_r),3026(SMILEY000\internet_users),3025(SMILEY000\sguests),3024(SMILEY000\jnormal_users),3023(SMILEY000\internet_usersl2),3022(SMILEY000\normal_users),3021(SMILEY000\sguests-local),3020(SMILEY000\normal_users-local),3019(SMILEY000\internet_usersl2-local),3018(SMILEY000\standard_users_r-local),3017(SMILEY000\internet_users-local),3016(SMILEY000\des-local),3015(SMILEY000\jnormal_users-local),3014(SMILEY000\vpn_users-local),3013(SMILEY000\standard_users-local),3012(SMILEY000\human-local),3001(BUILTIN\users)
smileynet@main-des-linux:~$ wbinfo --ping-dc
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the NETLOGON for domain[] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
smileynet@main-des-linux:~$ systemctl start winbind
smileynet@main-des-linux:~$ wbinfo -K SMILEY000\\des%PNFsoundEater000$
plaintext kerberos password authentication for [SMILEY000\des] failed (requesting cctype: FILE)
Could not authenticate user [SMILEY000\des%PNFsoundEater000$] with Kerberos (ccache: FILE)
smileynet@main-des-linux:~$ id SMILEY000\\des
uid=3001(SMILEY000\des) gid=3006(SMILEY000\domain users) groups=3006(SMILEY000\domain users),3031(SMILEY000\standard_users),3030(SMILEY000\human),3029(SMILEY000\vpn_users),3028(SMILEY000\des-global),3027(SMILEY000\standard_users_r),3026(SMILEY000\internet_users),3025(SMILEY000\sguests),3024(SMILEY000\jnormal_users),3023(SMILEY000\internet_usersl2),3022(SMILEY000\normal_users),3021(SMILEY000\sguests-local),3020(SMILEY000\normal_users-local),3019(SMILEY000\internet_usersl2-local),3018(SMILEY000\standard_users_r-local),3017(SMILEY000\internet_users-local),3016(SMILEY000\des-local),3015(SMILEY000\jnormal_users-local),3014(SMILEY000\vpn_users-local),3013(SMILEY000\standard_users-local),3012(SMILEY000\human-local),3001(BUILTIN\users)
smileynet@main-des-linux:~$ wbinfo --ping-dc
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the NETLOGON for domain[] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
smileynet@main-des-linux:~$
I have to leave again later today. Obviously, I can't do much troubleshooting away from home. In fact, with what I'm doing to my laptop, it's nearly useless right now, away from the connected home network. I'm thinking of opening all AD ports so I can work on it away from home, but I'm resisting the urge. With my Mom's Spectrum, it may not work anyway.
 
Old 06-11-2023, 02:58 AM   #14
des_a (Original Poster)
So I'm home for the night. I have bigger problems to worry about in general, unfortunately, so I'll be back to my Mom's tomorrow again. Long story short, even though computers can cause a problem, I don't even know that I get to stay here next month and that I will have the minimum medicine I need to try to stay and do normal stuff. But, I don't want to focus on that too much, and for the time I'm here, I want to continue to troubleshoot and maybe Monday, I can figure out the rest.

So, it seemed to be the same problem as Windows does a lot, where Windows will not count the trust or something, basically the computer name in AD. The Windows fix is to unjoin the domain, with proper reboots, and then rejoin it with proper reboots.

So I was attempting to solve the problem (or try to) the same way. I can always, if this doesn't work out and creates a mess, restore the VM to an earlier time, since I'm testing the concept on a VM first, before replacing the Windows OS with this machine. So, when unjoining the domain and rejoining, it won't rejoin. It complains of a bad DNS update. However, nslookup still works. I haven't tried ping yet. When trying to force a DNS update, it will not let me, because of missing a DNS update file.

Maybe this is the bug I read about somewhere? But I couldn't understand how to solve it, if so. I'm just searching for one problem, then another to find stuff. That's where I am so far.

And by the way, I'll give a brief update of everything else, without all the details, unless I need to. Everything in my life is an intricate web of balance. But whose life isn't, really? If one thing breaks, another thing breaks; if one thing works, another thing may not work. It's a complicated web. Although my life is more of a web than other people's.
 
Old 06-14-2023, 10:32 AM   #15
des_a (Original Poster)
I'm home again. Hopefully, I should know about my income situation this afternoon, but we'll see.
 