[Samba] How winbindd is working on DC/member? It ignores rfc2703 on DC, and not showing all users on member server... Where is the error?

Rowland Penny rowlandpenny at googlemail.com
Mon Oct 28 06:27:56 MDT 2013


On 28/10/13 11:54, Alex Wakizashi wrote:
> Hi all,
>
> Still looking for the best way to achieve consistent GID/UID mapping
> on Linux servers/clients in a heterogeneous environment (Linux,
> Windows, CIFS, NFS).
> Current problems with UID/GID resolution prevent using Samba4 in an
> environment with backups (where data may be restored on another
> server) and mixed Linux/Windows workstations.
>
> Just recently installed fresh Samba 4.1.0 on the server as DC, and I
> am completely confused by how winbind is working.
>
> DC provisioned as:
>
> samba-tool domain provision --use-rfc2307 --domain=SAMBA
> --realm=samba.local.net --adminpass='<Password>'
> --dns-backend=BIND9_DLZ --server-role=dc
>
> DNS is configured, kerberos too, kinit/klist working fine.
>
> Samba and NSS configuration:
>
> --- smb.conf ---
> # Global parameters
> [global]
>      workgroup = SAMBA
>      realm = samba.local.net
>      netbios name = NAS
>      server role = active directory domain controller
>      server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate
>      idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>      path = /var/lib/samba/sysvol/samba.local.net/scripts
>      read only = No
>
> [sysvol]
>      path = /var/lib/samba/sysvol
>      read only = No
> --- smb.conf ---
>
> --- nsswitch.conf ---
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> hosts:          files dns
> networks:       files
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> netgroup:       nis
> --- nsswitch.conf ---
>
> Have created a new user:
>
> samba-tool user add Wakizashi --use-username-as-cn --given-name=Alex
> --surname=Wakizashi --uid-number=1001
>
> And modified RFC attributes, result:
>
> root at nas:~# ldbsearch -k yes -H ldap://nas
> "(sAMAccountName=wakizashi)" sAMAccountName uid loginShell
> unixHomeDirectory
> # record 1
> dn: CN=Wakizashi,CN=Users,DC=samba,DC=local,DC=net
> sAMAccountName: Wakizashi
> unixHomeDirectory: /home/wakizashi
> uid: wakizashi
> loginShell: /bin/bash
>
> Problems:
>
> 1. Just after Samba install "id" reports no user "wakizashi", after
> reboot it started to resolve both "Wakizashi" and "wakizashi", as well
> as "Administrator", etc.
>
> 2. I can see users in the domain, but it seems like winbindd ignores the
> rfc2703 attributes:
> - cut -
> root at nas:~# getent passwd
> root:x:0:0:root:/root:/bin/bash
> ....
> ntp:x:107:112::/home/ntp:/bin/false
> nslcd:x:108:113:nslcd name service LDAP connection
> daemon,,,:/var/run/nslcd/:/bin/false
> SAMBA\Administrator:*:0:100::/home/SAMBA/Administrator:/bin/false
> SAMBA\Guest:*:3000011:3000012::/home/SAMBA/Guest:/bin/false
> SAMBA\krbtgt:*:3000017:100::/home/SAMBA/krbtgt:/bin/false
> SAMBA\dns-nas:*:3000018:100::/home/SAMBA/dns-nas:/bin/false
> SAMBA\Wakizashi:*:1001:100:Alex Wakizashi:/home/SAMBA/Wakizashi:/bin/false
> - cut -
>
> So, as you can see, there are rfc2703 attributes: uid, shell and home
> directory, but winbindd just ignores these and uses the crazy
> "SAMBA\wakizashi" username, wrong home directory, wrong shell.
>
> 3. Still some group IDs are not resolvable:
> root at nas:~# ls -la /var/lib/samba/sysvol/
> total 20
> drwxrwx---+  3 SAMBA\Administrator 3000000 4096 Oct 28 03:09 .
> drwxr-xr-x  10 SAMBA\Administrator root    4096 Oct 28 03:09 ..
> drwxrwx---+  4 SAMBA\Administrator 3000000 4096 Oct 28 03:09 samba.local.net
>
> As I can see, there is GID 3000000. What is it?
>
> root at nas:~# wbinfo -s `wbinfo -G 3000000 `
> BUILTIN\Administrators 4
>
> So, why is this not resolved by winbindd?
>
> Same with ACL:
>
> root at nas:~# getfacl /var/lib/samba/sysvol/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> Why there are unresolved GIDs?
>
> root at nas:~# wbinfo -s `wbinfo -G 3000001 `
> BUILTIN\Server Operators 4
> root at nas:~# wbinfo -s `wbinfo -G 3000002 `
> NT AUTHORITY\SYSTEM 5
> root at nas:~# wbinfo -s `wbinfo -G 3000003 `
> NT AUTHORITY\Authenticated Users 5
>
>
> 3. Ok, let's try winbind on a member server.
>
> Have installed CHEETAH with the following config (just from the Wiki):
>
> --- smb.conf AD member ---
> [global]
>
>     workgroup = SAMBA
>     security = ADS
>     realm = SAMBA.LOCAL.NET
>     encrypt passwords = yes
>
>     idmap config *:backend = tdb
>     idmap config *:range = 70001-80000
>     idmap config SAMBA:backend = ad
>     idmap config SAMBA:schema_mode = rfc2307
>     idmap config SAMBA:range = 3000000-4000000
>
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users  = yes
>     winbind enum groups = yes
>
> [test]
>     path = /home/test
>     read only = no
>
> --- smb.conf AD member ---
>
> Services have been forcibly restarted, to make sure that everything
> has been reloaded.
>
> root at cheetah:~# getent passwd
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> ...
> wakizashi:x:1001:100::/home/wakizashi:/bin/bash
> gdm:x:110:115:Gnome Display Manager:/var/lib/gdm:/bin/false
> avahi:x:111:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
> ntp:x:112:120::/home/ntp:/bin/false
> libvirt-qemu:x:113:121:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
> vde2-net:x:114:124::/var/run/vde2:/bin/false
> nslcd:x:115:125:nslcd name service LDAP connection
> daemon,,,:/var/run/nslcd/:/bin/false
> guest:*:3000011:3000012:Guest:/home/guest:/bin/false
>
> Hmmm... Where is "Administrator"? Where is a "krb-tgt"?
>
> BTW - Guest has all needed rfc2703 attributes, as well as other
> users, so it is supposed to get shell and homedir correctly... But even in
> this case it's not resolvable by the system:
>
> root at cheetah:~# id guest
> id: guest: No such user
> root at cheetah:~# id administrator
> id: administrator: No such user
> root at cheetah:~# id SAMBA\\Guest
> id: SAMBA\Guest: No such user
> root at cheetah:~# id SAMBA\\guest
> id: SAMBA\guest: No such user
>
> Even worse - not a single user is visible, even the "Guest", which is in "getent passwd"
>
> And of course, here is the issue with denying access to Administrator
> (and other users too, except "wakizashi", which is available locally
> from /etc/passwd):
>
> [2013/10/28 15:32:44.525754,  3]
> ../source3/smbd/sesssetup.c:138(reply_sesssetup_and_X_spnego)
>    Doing spnego session setup
> [2013/10/28 15:32:44.525773,  3]
> ../source3/smbd/sesssetup.c:179(reply_sesssetup_and_X_spnego)
>    NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
> [2013/10/28 15:32:44.538199,  3]
> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
>    Found account name from PAC: Wakizashi [Alex Wakizashi]
> [2013/10/28 15:32:44.538250,  3]
> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>    Kerberos ticket principal name is [wakizashi at SAMBA.LOCAL.NET]
> [2013/10/28 15:32:44.538419,  3] ../source3/param/loadparm.c:4838(lp_load_ex)
>    lp_load_ex: refreshing parameters
> [2013/10/28 15:32:44.538489,  3] ../source3/param/loadparm.c:750(init_globals)
>    Initialising global parameters
> [2013/10/28 15:32:44.538546,  3] ../lib/util/params.c:550(pm_process)
>    params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> [2013/10/28 15:32:44.538563,  3] ../source3/param/loadparm.c:3564(do_section)
>    Processing section "[global]"
> [2013/10/28 15:32:44.538719,  2] ../source3/param/loadparm.c:3581(do_section)
>    Processing section "[test]"
> [2013/10/28 15:32:44.538761,  3] ../source3/param/loadparm.c:1773(lp_add_ipc)
>    adding IPC service
> [2013/10/28 15:32:44.539384,  3]
> ../source3/smbd/password.c:144(register_homes_share)
>    Adding homes service for user 'wakizashi' using home directory:
> '/home/wakizashi'
> [2013/10/28 15:32:44.539627,  3] ../source3/smbd/process.c:1795(process_smb)
>    Transaction 2 of length 84 (0 toread)
> [2013/10/28 15:32:44.539667,  3] ../source3/smbd/process.c:1398(switch_message)
>    switch message SMBtconX (pid 15953) conn 0x0
> [2013/10/28 15:32:44.539796,  3] ../source3/lib/access.c:338(allow_access)
>    Allowed connection from cheetah (127.0.0.1)
> [2013/10/28 15:32:44.539879,  3]
> ../source3/smbd/service.c:612(make_connection_snum)
>    Connect path is '/tmp' for service [IPC$]
> [2013/10/28 15:32:44.539944,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
>    Initialising default vfs hooks
> [2013/10/28 15:32:44.539987,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
>    Initialising custom vfs hooks from [/[Default VFS]/]
> [2013/10/28 15:32:44.540102,  3]
> ../source3/smbd/service.c:848(make_connection_snum)
>    cheetah (ipv4:127.0.0.1:38217) connect to service IPC$ initially as
> user wakizashi (uid=1001, gid=100) (pid 15953)
> ...
> [2013/10/28 15:35:11.002140,  3]
> ../source3/smbd/sesssetup.c:138(reply_sesssetup_and_X_spnego)
>    Doing spnego session setup
> [2013/10/28 15:35:11.002169,  3]
> ../source3/smbd/sesssetup.c:179(reply_sesssetup_and_X_spnego)
>    NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
> [2013/10/28 15:35:11.014682,  3]
> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
>    Found account name from PAC: Administrator []
> [2013/10/28 15:35:11.014726,  3]
> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>    Kerberos ticket principal name is [administrator at SAMBA.LOCAL.NET]
> [2013/10/28 15:35:11.032130,  1]
> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>    Username SAMBA\administrator is invalid on this system
> [2013/10/28 15:35:11.032176,  1]
> ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
>    Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> [2013/10/28 15:35:11.032209,  1]
> ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
>    Failed to generate session_info (user and group token) for session
> setup: NT_STATUS_ACCESS_DENIED
> [2013/10/28 15:35:11.032288,  3] ../source3/smbd/error.c:82(error_packet_set)
>    NT error packet at ../source3/smbd/sesssetup.c(279) cmd=115
> (SMBsesssetupX) NT_STATUS_ACCESS_DENIED
> [2013/10/28 15:35:11.032927,  3]
> ../source3/smbd/server_exit.c:212(exit_server_common)
>    Server exit (failed to receive smb request)
>
> Could someone please explain how to set up Samba correctly, at
> least to provide users/groups on the DC and member servers?
>
> So far, the default installation and documentation do not provide a
> reasonable way to get a working environment...
>
> I'm completely lost with it. Sometimes it is working, sometimes not.
>
> Yes, there is a way with nslcd, but it's just a workaround, requiring
> additional scripts... But how to make SAMBA work just with its
> standard services, like winbindd?
>
> And of course - if there is anything I can do for the Samba team, I
> will be glad to help. Hope to see SAMBA replacing Windows Server and
> AD completely :)
> The issues mentioned above are reproducible on my virtual machines
> (Debian Wheezy); I may provide access to these if needed.
>
> Regards,
>    Alex
Hi, the problem is that winbind on the S4 server only knows about the 
uidNumber & gidNumber; you can change the shell by putting 'template 
shell = /bin/bash' into smb.conf, but you are stuck with 
/home/DOMAIN/USER as it is hard coded into winbind.
The devs say that they will replace S4 winbind with the winbind from S3, 
which is a much different beast, but I do not know when this will happen.
If you want your Linux users to log into the S4 server, then my advice 
is to take a look at sssd; you will then get consistent UID/GIDs.

Rowland
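The two behaviours discussed in this thread (the S4 DC winbind using only uidNumber/gidNumber and hard-coding /home/DOMAIN/USER, and an AD member with `idmap config DOM:backend = ad` plus `winbind nss info = rfc2307` taking home and shell from AD) can be modelled to see which accounts will and will not appear in `getent passwd`. The script below is an added illustration written for this page, not Samba code and not from either poster; its user records are constructed to resemble the ones in the thread, the xidNumber allocation it performs for the DC is illustrative (real idmap.ldb numbers differ, and the DC maps Administrator to uid 0), the lower-casing of member names is an assumption matching the `guest` entry shown, and the "missing gidNumber" rejection is a consistency check the script enforces rather than a claim about exact winbind behaviour. The practitioner check it encodes is real: idmap_ad only maps accounts whose uidNumber/gidNumber exist and lie inside the configured `idmap config DOM:range`, so a range of 3000000-4000000 cannot map a user whose uidNumber is 1001.

```python
"""Model of how winbind renders AD user records as passwd entries on a
Samba 4.1-era AD DC versus an AD member using idmap_ad.
Added illustration, not Samba code; all records below are constructed."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

DOMAIN = "SAMBA"  # 'workgroup' from the posted smb.conf


@dataclass
class AdUser:
    sam: str                              # sAMAccountName
    uid_number: Optional[int] = None      # RFC2307 uidNumber
    gid_number: Optional[int] = None      # RFC2307 gidNumber
    login_shell: Optional[str] = None     # RFC2307 loginShell
    unix_home: Optional[str] = None       # RFC2307 unixHomeDirectory
    gecos: str = ""


# Constructed sample: one user with full RFC2307 attributes, one account with
# a uidNumber inside the member's idmap_ad range, and two with no uidNumber.
SAMPLE_USERS = [
    AdUser("Wakizashi", 1001, 100, "/bin/bash", "/home/wakizashi", "Alex Wakizashi"),
    AdUser("Guest", 3000011, 3000012, "/bin/false", "/home/guest", "Guest"),
    AdUser("Administrator"),
    AdUser("krbtgt"),
]


def dc_passwd(users: List[AdUser], template_shell: str = "/bin/false",
              alloc_start: int = 3000000) -> List[str]:
    """DC winbind with 'idmap_ldb:use rfc2307 = yes': honours uidNumber and
    gidNumber only, allocates an xidNumber for accounts without one
    (illustrative numbering), always emits DOMAIN\\user, and hard-codes
    /home/DOMAIN/user plus 'template shell'. loginShell/unixHomeDirectory
    are ignored, which is what the thread observes."""
    lines, next_xid = [], alloc_start
    for u in users:
        uid = u.uid_number
        if uid is None:
            uid, next_xid = next_xid, next_xid + 1
        gid = u.gid_number if u.gid_number is not None else 100  # assumed default
        lines.append(f"{DOMAIN}\\{u.sam}:*:{uid}:{gid}:{u.gecos}:"
                     f"/home/{DOMAIN}/{u.sam}:{template_shell}")
    return lines


def member_passwd(users: List[AdUser], ad_range: Tuple[int, int],
                  nss_info_rfc2307: bool = True, use_default_domain: bool = True,
                  template_homedir: str = "/home/%D/%U",
                  template_shell: str = "/bin/false"
                  ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """AD member with 'idmap config DOMAIN:backend = ad'. idmap_ad maps an
    account only when its uidNumber exists and lies inside the configured
    range; anything else stays unmapped and is invisible to getent/id.
    With 'winbind nss info = rfc2307' home and shell come from AD, otherwise
    from 'template homedir' / 'template shell' (%D = domain, %U = user).
    Returns (passwd lines, [(account, reason) for unmapped accounts])."""
    lo, hi = ad_range
    mapped, unmapped = [], []
    for u in users:
        if u.uid_number is None:
            unmapped.append((u.sam, "no uidNumber in AD"))
            continue
        if not lo <= u.uid_number <= hi:
            unmapped.append((u.sam, f"uidNumber {u.uid_number} outside "
                                    f"idmap range {lo}-{hi}"))
            continue
        if u.gid_number is None:
            unmapped.append((u.sam, "no gidNumber in AD"))  # script's own check
            continue
        user = u.sam.lower()  # assumption: member winbind lower-cases names
        name = user if use_default_domain else f"{DOMAIN}\\{user}"

        def expand(t: str) -> str:
            return t.replace("%D", DOMAIN).replace("%U", user)

        home = u.unix_home if nss_info_rfc2307 and u.unix_home else expand(template_homedir)
        shell = u.login_shell if nss_info_rfc2307 and u.login_shell else expand(template_shell)
        mapped.append(f"{name}:*:{u.uid_number}:{u.gid_number}:{u.gecos}:{home}:{shell}")
    return mapped, unmapped


if __name__ == "__main__":
    print("# DC view")
    print("\n".join(dc_passwd(SAMPLE_USERS)))
    print("# member view, range 3000000-4000000 (as posted)")
    ok, bad = member_passwd(SAMPLE_USERS, (3000000, 4000000))
    print("\n".join(ok))
    for acct, why in bad:
        print(f"# unmapped: {acct}: {why}")
```

Run it as-is to see that, with the posted range, only Guest is mapped on the member and Wakizashi is rejected for being outside the range; widen the range to cover the uidNumbers actually assigned in AD (for example 1000-4000000) and Wakizashi is mapped with the AD-supplied /home/wakizashi and /bin/bash, while Administrator and krbtgt remain invisible until they are given uidNumber/gidNumber.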