[Samba] AD DC, winbind and Domain Local type groups
Davor Vusir
davortvusir at gmail.com
Thu Mar 27 13:23:06 MDT 2014
Here we go again! :)
Setup: Ubuntu 12.04.4, Samba 4.1.6 compiled from sources and running as AD
DC, with winbind activated following the wiki page. All on the same server.
smb.conf:
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
netbios name = DC1
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
log level = 1
disable spoolss = yes
winbind use default domain = yes
winbind separator = +
template shell = /bin/bash
template homedir = /data/home/%ACCOUNTNAME%
The story is: I activated winbind to be able to log in with ssh and later
add Linux and Macintosh machines to the Active Directory as member
clients. There is no problem logging in, but at first I experienced the
following:
$ ssh -Y davor@dc1
davor@dc1's password:
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.2.0-60-generic x86_64)
Could not chdir to home directory /data/home/davor: Permission denied
-bash: /data/home/davor/.bash_profile: Permission denied
EXAMPLE+davor@dc1:/$
Then it came to me that, since I log in and authenticate to AD and the
file permissions are stored as extended attributes (the only ones I have
edited), it had something to do with this particular group. Digging
some more, I realised that the access group for the home share has
scope Domain Local and is not enumerated by winbind (getent group).
This access group 'FileAcc-Home' was created with ADUC, so I first
thought that that was causing the problem. So I deleted it and
recreated it with samba-tool, not paying attention to the fact that it was
now created with scope Global (the default in MS AD DS). And it worked:
$ ssh -Y davor@dc1
davor@dc1's password:
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.2.0-60-generic x86_64)
EXAMPLE+davor@dc1:~$ pwd
/data/home/davor
The following group was originally of scope Domain Local and was
not shown when issuing 'getent group'. As soon as it was converted to a
group with scope Universal it got xidNumber 4000000. When converted to
scope Global the xidNumber remained. All other groups have numbers
from the 3000000 interval. Is there a potential conflict in the future
as groups are added and removed?
EXAMPLE+FileAcc-Common:*:4000000:
Below are some tests. My conclusion is that groups of scope Domain Local
are not found and enumerated by winbind. Nor are any of type Distribution.
This will be a problem in an environment with trusts, or when simply following
Microsoft's recommendation AGDLP ("account, global, domain local,
permission"). See http://en.wikipedia.org/wiki/AGDLP for a quick
explanation.
Regards
Davor Vusir
---
/usr/local/samba/bin/samba-tool group add SambaTool-DL-Sec --group-scope=Domain|Global|Universal --group-type=Security|Distribution
root@dc1:~# /usr/local/samba/bin/samba-tool group add SambaTool-DL-Sec --group-scope=Domain --group-type=Security
Added group SambaTool-DL-Sec
getent group shows nothing.
root@dc1:~# /usr/local/samba/bin/wbinfo -n SambaTool-DL-Sec
S-1-5-21-3390367671-3527586854-3401016232-1128 SID_ALIAS (4)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1128
no matching records - cannot edit
Shows in ADUC.
root@dc1:~# /usr/local/samba/bin/samba-tool group add SambaTool-GG-Sec --group-scope=Global --group-type=Security
Added group SambaTool-GG-Sec
root@dc1:~# getent group
EXAMPLE+SambaTool-GG-Sec:*:3000056:
root@dc1:~# /usr/local/samba/bin/wbinfo -n SambaTool-GG-Sec
S-1-5-21-3390367671-3527586854-3401016232-1129 SID_DOM_GROUP (2)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1129
# editing 1 records
# record 1
dn: CN=S-1-5-21-3390367671-3527586854-3401016232-1129
cn: S-1-5-21-3390367671-3527586854-3401016232-1129
objectClass: sidMap
objectSid: S-1-5-21-3390367671-3527586854-3401016232-1129
type: ID_TYPE_BOTH
xidNumber: 3000056
distinguishedName: CN=S-1-5-21-3390367671-3527586854-3401016232-1129
Shows in ADUC.
root@dc1:~# /usr/local/samba/bin/samba-tool group add SambaTool-UG-Sec --group-scope=Universal --group-type=Security
Added group SambaTool-UG-Sec
root@dc1:~# getent group
EXAMPLE+SambaTool-UG-Sec:*:3000057:
root@dc1:~# /usr/local/samba/bin/wbinfo -n SambaTool-UG-Sec
S-1-5-21-3390367671-3527586854-3401016232-1130 SID_DOM_GROUP (2)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1130
# editing 1 records
# record 1
dn: CN=S-1-5-21-3390367671-3527586854-3401016232-1130
cn: S-1-5-21-3390367671-3527586854-3401016232-1130
objectClass: sidMap
objectSid: S-1-5-21-3390367671-3527586854-3401016232-1130
type: ID_TYPE_BOTH
xidNumber: 3000057
distinguishedName: CN=S-1-5-21-3390367671-3527586854-3401016232-1130
Shows in ADUC.
root@dc1:~# /usr/local/samba/bin/samba-tool group add SambaTool-DL-Distr --group-scope=Domain --group-type=Distribution
Added group SambaTool-DL-Distr
getent group shows nothing.
root@dc1:~# /usr/local/samba/bin/wbinfo -n SambaTool-DL-Distr
S-1-5-21-3390367671-3527586854-3401016232-1131 SID_ALIAS (4)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1131
no matching records - cannot edit
Shows in ADUC.
root@dc1:~# /usr/local/samba/bin/samba-tool group add SambaTool-GG-Distr --group-scope=Global --group-type=Distribution
Added group SambaTool-GG-Distr
getent group shows nothing.
root@dc1:~# /usr/local/samba/bin/wbinfo -n SambaTool-GG-Distr
S-1-5-21-3390367671-3527586854-3401016232-1132 SID_DOM_GROUP (2)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1132
no matching records - cannot edit
Shows in ADUC.
root@dc1:~# /usr/local/samba/bin/samba-tool group add SambaTool-UG-Distr --group-scope=Universal --group-type=Distribution
Added group SambaTool-UG-Distr
getent group shows nothing.
root@dc1:~# /usr/local/samba/bin/wbinfo -n SambaTool-UG-Distr
S-1-5-21-3390367671-3527586854-3401016232-1133 SID_DOM_GROUP (2)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1133
no matching records - cannot edit
Shows in ADUC.
With ADUC:
ADUC-DL-Sec
getent group shows nothing.
root@dc1:~# /usr/local/samba/bin/wbinfo -n ADUC-DL-Sec
S-1-5-21-3390367671-3527586854-3401016232-1134 SID_ALIAS (4)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1134
no matching records - cannot edit
ADUC-GG-Sec
root@dc1:~# getent group
EXAMPLE+ADUC-GG-Sec:*:3000058:
root@dc1:~# /usr/local/samba/bin/wbinfo -n ADUC-GG-Sec
S-1-5-21-3390367671-3527586854-3401016232-1135 SID_DOM_GROUP (2)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1135
# editing 1 records
# record 1
dn: CN=S-1-5-21-3390367671-3527586854-3401016232-1135
cn: S-1-5-21-3390367671-3527586854-3401016232-1135
objectClass: sidMap
objectSid: S-1-5-21-3390367671-3527586854-3401016232-1135
type: ID_TYPE_BOTH
xidNumber: 3000058
distinguishedName: CN=S-1-5-21-3390367671-3527586854-3401016232-1135
ADUC-UG-Sec
root@dc1:~# getent group
EXAMPLE+ADUC-UG-Sec:*:3000059:
root@dc1:~# /usr/local/samba/bin/wbinfo -n ADUC-UG-Sec
S-1-5-21-3390367671-3527586854-3401016232-1136 SID_DOM_GROUP (2)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1136
# editing 1 records
# record 1
dn: CN=S-1-5-21-3390367671-3527586854-3401016232-1136
cn: S-1-5-21-3390367671-3527586854-3401016232-1136
objectClass: sidMap
objectSid: S-1-5-21-3390367671-3527586854-3401016232-1136
type: ID_TYPE_BOTH
xidNumber: 3000059
distinguishedName: CN=S-1-5-21-3390367671-3527586854-3401016232-1136
ADUC-DL-Distr
getent group shows nothing.
root@dc1:~# /usr/local/samba/bin/wbinfo -n ADUC-DL-Distr
S-1-5-21-3390367671-3527586854-3401016232-1137 SID_ALIAS (4)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1137
no matching records - cannot edit
ADUC-GG-Distr
getent group shows nothing.
root@dc1:~# /usr/local/samba/bin/wbinfo -n ADUC-GG-Distr
S-1-5-21-3390367671-3527586854-3401016232-1138 SID_DOM_GROUP (2)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1138
no matching records - cannot edit
ADUC-UG-Distr
getent group shows nothing.
root@dc1:~# /usr/local/samba/bin/wbinfo -n ADUC-UG-Distr
S-1-5-21-3390367671-3527586854-3401016232-1139 SID_DOM_GROUP (2)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1139
no matching records - cannot edit