[Samba] Several questions about winbind[d]
Rowland Penny
rowlandpenny at googlemail.com
Thu Jun 25 09:21:23 MDT 2015
On 25/06/15 15:27, mathias dufresne wrote:
> Hi all,
>
> I'm wondering about winbind[d] behaviour.
> I tried the following with:
> auth methods = sam winbindd
> and the same with only one d:
> auth methods = sam winbind
>
> One user:
> ldbsearch -H $sam '(cn=another.fakeuser)' homeDirectory loginShell gidnumber uidnumber
> # record 1
> dn: CN=another.fakeuser,OU=a,OU=Standards,OU=Utilisateurs,DC=ad,DC=dgfip
> homeDirectory: */home/another.fakeuser*
> uidNumber: 1000210377
> gidNumber: 1000210377
> loginShell: */bin/bash*
>
> Seen through winbind eyes:
> wbinfo -i another.fakeuser
> another.fakeuser:*:1000210377:100:another.fakeuser:*/home/AD/another.fakeuser*:*/bin/false*
> Using winbind in nsswitch.conf I could see the same through getent:
> getent passwd another.fakeuser
> another.fakeuser:*:1000210377:100:another.fakeuser:*/home/AD/another.fakeuser*:*/bin/false*
>
> Regarding gidNumber, I thought it was because no group with that GID existed;
> after creating one, no change.
>
> Finally I thought about a caching issue, as I could have changed these values
> after user creation, so I removed /var/lib/samba/winbindd_cache.tdb after
> stopping samba, then started it again. Same answers from getent and wbinfo.
>
> I am also wondering why the GID of this user is 100. I expect this 100 stands for
> "Domain users" and I imagine "Domain users" has no members as it contains
> all non-computer user objects (at least that is how I see it...)
>
> ldbsearch -H $sam '(cn=administrator)' memberOf
> ..
> dn: CN=Administrator,CN=Users,DC=ad,DC=dgfip
> memberOf: CN=Administrators,CN=Builtin,DC=ad,DC=dgfip
> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=ad,DC=dgfip
> memberOf: CN=Enterprise Admins,CN=Users,DC=ad,DC=dgfip
> memberOf: CN=Schema Admins,CN=Users,DC=ad,DC=dgfip
> memberOf: CN=Domain Admins,CN=Users,DC=ad,DC=dgfip
> ..
>
>
> getent passwd administrator
> administrator:*:0:100::/home/AD/administrator:/bin/false
>
> To sum up, I don't understand why wbinfo does not use the attribute values from
> LDB, or why it rewrites them.
>
> Best regards,
>
> mathias
>
> PS: my /etc/samba/smb.conf :
>
> ---------------------------------------------------------------------------
> # Global parameters
> [global]
> workgroup = AD.DOMAIN
> realm = ad.domain.tld
> netbios name = DCname
> server role = active directory domain controller
>
> dns forwarder = A.B.C.D
> idmap_ldb:use rfc2307 = yes
>
> auth methods = sam winbindd
> #auth methods = winbind sam
> time server = yes
> wins support = yes
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-999999999
> idmap config AD.DOMAIN : backend = ad
> idmap config AD.DOMAIN : schema_mode = rfc2307
> idmap config AD.DOMAIN : range = 1000000000-3999999999
>
> # Use home directory and shell information from AD
> winbind nss info = rfc2307
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind expand groups = 3
>
> winbind enum users = yes
> winbind enum groups = yes
>
> winbind refresh tickets = Yes
>
> server services = +smb -s3fs
> #dcerpc endpoint servers = +winreg +srvsvc
>
> #dbwrap_tdb_mutexes:* = yes
>
> #log level = 0 auth:0 sam:0 passdb:0
>
> [netlogon]
> path = /var/lib/samba/sysvol/ad.dgfip.lan/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> ---------------------------------------------------------------------------
Hi, you have fallen into the trap of believing that you can set up a DC
just like a member server. Sorry, but you cannot; all those winbind lines
you have added are not doing anything :-)
The xidNumber '100' is coming from idmap.ldb and is indeed 'Domain Users'.
Rowland
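The mismatch Mathias describes (rfc2307 attributes in the AD database versus what winbind hands to NSS) is easy to miss on a host with many users, so a small comparison check is useful. The following is an added example written for this thread, not code from the Samba project: it parses ldbsearch output and a `getent passwd` line for the same user and reports every field where the two disagree. The two sample strings are transcribed from the post; the command invocations mentioned in the comments are the ones from the post and are only assumed to be how you would obtain fresh input.

```python
"""Compare RFC2307 attributes stored in the Samba AD database (ldbsearch output)
with what NSS/winbind returns for the same user (getent passwd output).

Added example for this thread, not Samba project code. In practice feed it the
output of (as used in the post):
    ldbsearch -H $sam '(cn=USER)' homeDirectory loginShell gidnumber uidnumber
    getent passwd USER
Sample input below is transcribed from the post, with emphasis markers removed.
"""

LDB_OUTPUT = """\
# record 1
dn: CN=another.fakeuser,OU=a,OU=Standards,OU=Utilisateurs,DC=ad,DC=dgfip
homeDirectory: /home/another.fakeuser
uidNumber: 1000210377
gidNumber: 1000210377
loginShell: /bin/bash
"""

GETENT_OUTPUT = (
    "another.fakeuser:*:1000210377:100:another.fakeuser:"
    "/home/AD/another.fakeuser:/bin/false"
)

# Which LDB attribute is expected to feed which passwd(5) field when
# winbind honours the rfc2307 attributes.
FIELD_MAP = {
    "uidnumber": ("uid", int),
    "gidnumber": ("gid", int),
    "homedirectory": ("dir", str),
    "loginshell": ("shell", str),
}


def parse_ldb(text):
    """Parse LDIF-style ldbsearch output into {attribute_lowercase: value}.

    Only the first record is read. '#' lines are comments, and a line that
    starts with a single space continues the previous attribute's value
    (LDIF line folding, which ldbsearch uses for long values).
    """
    attrs = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]          # folded continuation line
            continue
        if ":" not in raw:
            continue
        name, _, value = raw.partition(":")
        last = name.strip().lower()
        attrs[last] = value.strip()
    return attrs


def parse_passwd(line):
    """Parse one passwd(5)-style line as printed by getent."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields, got %d" % len(fields))
    return {
        "name": fields[0],
        "uid": int(fields[2]),
        "gid": int(fields[3]),
        "gecos": fields[4],
        "dir": fields[5],
        "shell": fields[6],
    }


def compare(ldb_attrs, pw):
    """Return {attribute: (ldb_value, nss_value)} for every disagreeing field.

    Attributes absent from the LDB record are skipped: nothing to compare.
    """
    mismatches = {}
    for attr, (field, cast) in FIELD_MAP.items():
        if attr not in ldb_attrs:
            continue
        expected = cast(ldb_attrs[attr])
        if expected != pw[field]:
            mismatches[attr] = (expected, pw[field])
    return mismatches


def check(ldb_text, passwd_line):
    """Convenience wrapper: parse both inputs and return the mismatch dict."""
    return compare(parse_ldb(ldb_text), parse_passwd(passwd_line))


if __name__ == "__main__":
    for attr, (ldb_val, nss_val) in sorted(check(LDB_OUTPUT, GETENT_OUTPUT).items()):
        print("%-14s LDB=%-28s NSS=%s" % (attr, ldb_val, nss_val))
```

Run against the post's data it flags gidNumber, homeDirectory and loginShell while uidNumber agrees, which is exactly the picture Rowland's answer explains: on a DC the idmap/winbind settings in that smb.conf are not what is producing these values.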