[Samba] idmap_ad and RFC2307 (inconsistent results)
Stefano Pardini
stefanopardini at gmail.com
Mon Aug 8 15:33:59 UTC 2016
Hi everyone.
I'm encountering problems with the management of user IDs
on the DC and on the domain members (RFC2307).
I'm using Samba version 4.2.10-Debian on Debian 8.5.
This is the DC configuration / result.
root@samba4:/var/lib/samba# cat /etc/samba/smb.conf |grep -v '#'
[global]
workgroup = MYNET
realm = ad.mynet.lan
netbios name = SAMBA4
server role = active directory domain controller
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb
server services = -s3fs -dns
dcerpc endpoint servers = +winreg +srvsvc
interfaces = 192.168.10.7
log file = /var/log/samba/mynet.log
syslog = 0
log level = 3 passdb:0 auth:0 winbind:0 vfs:0
vfs objects = full_audit
idmap_ldb:use rfc2307 = yes
winbind nss info = rfc2307
idmap config *:backend = tdb
idmap config *:range = 10000-49999
idmap config MYNET:backend = ad
idmap config MYNET:schema_mode = rfc2307
idmap config MYNET:range = 50000-99999
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind normalize names = Yes
dsdb:schema update allowed = true
tls enabled = yes
tls keyfile = /etc/samba/certs/samba4.server.mynet.lan.key
tls certfile = /etc/samba/certs/samba4.server.mynet.lan.crt
kerberos method = system keytab
client ldap sasl wrapping = sign
allow dns updates = nonsecure and secure
nsupdate command = /usr/bin/nsupdate -g
ldap server require strong auth = No
[netlogon]
path = /var/lib/samba/sysvol/ad.mynet.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
This is the result of the provisioning operation.
root@samba4:~# /usr/bin/samba-tool domain provision \
    --realm=ad.mynet.lan --domain=MYNET --adminpass='p4ssw0rd' \
    --server-role=dc --dns-backend=BIND9_DLZ --function-level=2008_R2 \
    --use-xattr=yes --host-ip=192.168.10.7 --use-rfc2307
...
Server Role: active directory domain controller
Hostname: samba4
NetBIOS Domain: MYNET
DNS Domain: ad.mynet.lan
DOMAIN SID: S-1-5-21-1682454527-3772531157-3555914497
root@samba4:~# head /etc/nsswitch.conf |grep -v '#'
passwd: compat winbind
group: compat winbind
root@samba4:/var/lib/samba# getent passwd testuser
MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false
root@samba4:/var/lib/samba# id testuser
uid=10001(MYNET\testuser) gid=100(users) groups=100(users)
root@adclient:/etc/samba# wbinfo -i testuser
MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false
This is the domain member configuration / result.
root@adclient:/etc/samba# id testuser
uid=10005(testuser) gid=10000(domain users) groups=10000(domain users),10023(BUILTIN\users)
root@adclient:/etc/samba# getent passwd testuser
testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false
root@adclient:/etc/samba# wbinfo -i testuser
testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false
root@adclient:~# head /etc/nsswitch.conf |grep -v '#'
passwd: compat winbind
group: compat winbind
root@adclient:~# net ads info
LDAP server: 192.168.10.7
LDAP server name: samba4.ad.mynet.lan
Realm: AD.MYNET.LAN
Bind Path: dc=AD,dc=MYNET,dc=LAN
LDAP port: 389
Server time: Mon, 08 Aug 2016 16:22:35 CEST
KDC server: 192.168.10.7
Server time offset: 25
root@adclient:~# net ads testjoin
Join is OK
root@adclient:/etc/ldap# cat /etc/samba/smb.conf |grep -v '#'
[global]
netbios name = ADCLIENT
security = ads
workgroup = MYNET
realm = AD.MYNET.LAN
server string = Active Directory Domain Member (test)
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
log file = /var/log/samba/mynet.log
syslog = 0
log level = 3 passdb:0 auth:0 winbind:0 vfs:0
idmap config MYNET:backend = ad
idmap config MYNET:schema_mode = rfc2307
idmap config MYNET:range = 50000-99999
winbind nss info = rfc2307
idmap_ldb:use rfc2307 = yes
This is an ldapsearch result for 'testuser'.
root@samba4:/var/lib/samba# ldapsearch -x -h samba4.server.mynet.lan \
    -b 'ou=Teachers,ou=Users,ou=MyNet,dc=ad,dc=mynet,dc=lan' \
    -D 'administrator@ad.mynet.lan' -w 'p4ssw0rd' \
    '(&(objectClass=person)(sAMAccountName=testuser))'
...
uidNumber: 10001
unixHomeDirectory: /home/testuser
gidNumber: 10000
msSFU30Name: testuser
unixUserPassword: ABCD!efgh12345$67890
uid: testuser
loginShell: /bin/bash
...
As you can see, the NIS attributes are correctly stored inside the LDAP tree.
But the results are very different in each location.
On the DC: uidNumber and gidNumber are correctly extracted and displayed
(but the loginShell and unixHomeDirectory are wrong).
On the domain member: everything is independent of the user stored in AD.
I've already deleted the winbind cache with the 'net cache flush' command,
tried leaving and rejoining the domain, and removed the *.tdb files.
I created 'testuser' with the ADUC utility running on Windows 7
(I enabled the UNIX Attributes section).
Thanks in advance for your help.
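One thing worth checking in a setup like the one above is whether the RFC2307 values stored in AD actually fall inside the range configured for the idmap_ad backend: man idmap_ad documents the range as a filter, so any uidNumber or gidNumber outside it is ignored and the object gets no mapping from that backend, and the member also needs a default ('*') backend and range for BUILTIN and other non-domain SIDs. The script below is an added example, not code from the post or from the Samba project. It parses the idmap lines of a member smb.conf and an LDIF fragment, then reports every attribute that winbind's idmap_ad would not use; the config and LDIF samples embedded in it are constructed from the values quoted in the post (range 50000-99999, uidNumber 10001, gidNumber 10000), and the second, corrected config is an assumed fix that simply widens the MYNET range to cover the stored IDs and adds a non-overlapping '*' range.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap-relevant lines of the member smb.conf from the post.
MEMBER_SMB_CONF = """
[global]
security = ads
workgroup = MYNET
idmap config MYNET:backend = ad
idmap config MYNET:schema_mode = rfc2307
idmap config MYNET:range = 50000-99999
winbind nss info = rfc2307
"""

# Constructed sample: an assumed corrected config. The MYNET range now contains
# the IDs stored in AD, and a '*' backend/range exists for BUILTIN and unknown SIDs.
FIXED_SMB_CONF = """
[global]
security = ads
workgroup = MYNET
idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config MYNET:backend = ad
idmap config MYNET:schema_mode = rfc2307
idmap config MYNET:range = 10000-99999
winbind nss info = rfc2307
"""

# Constructed sample: the RFC2307 attributes ldapsearch returned for testuser.
LDIF = """
dn: CN=Test User,OU=Teachers,OU=Users,OU=MyNet,DC=ad,DC=mynet,DC=lan
sAMAccountName: testuser
uidNumber: 10001
unixHomeDirectory: /home/testuser
gidNumber: 10000
loginShell: /bin/bash
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:]+):(\w+)\s*=\s*(.+?)\s*$", re.I | re.M)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every 'idmap config' line in smb.conf text."""
    result: Dict[str, Dict[str, str]] = {}
    for dom, opt, val in IDMAP_RE.findall(conf):
        result.setdefault(dom.strip().upper(), {})[opt.lower()] = val
    return result


def parse_range(text: str) -> Tuple[int, int]:
    """Parse 'low-high' as used by 'idmap config X:range'."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo > hi:
        raise ValueError(f"invalid idmap range {text!r}")
    return lo, hi


def parse_ldif(ldif: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader: one dict per blank-line separated entry (no base64, no folding)."""
    entries: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for line in ldif.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        entries.append(cur)
    return entries


def check_idmap(conf: str, ldif: str, domain: str) -> List[str]:
    """List every reason the idmap_ad backend would not map the objects in ldif."""
    idmap = parse_idmap(conf)
    problems: List[str] = []
    dom = idmap.get(domain.upper())
    if dom is None or dom.get("backend", "").lower() != "ad":
        problems.append(f"{domain}: no 'idmap config {domain}:backend = ad' line")
        return problems
    lo, hi = parse_range(dom["range"])
    if "*" not in idmap:
        problems.append("no 'idmap config *' backend/range; BUILTIN and non-domain SIDs have no backend")
    for entry in parse_ldif(ldif):
        name = entry.get("sAMAccountName", entry.get("dn", "?"))
        for attr in ("uidNumber", "gidNumber"):
            value = entry.get(attr)
            if value is None:
                problems.append(f"{name}: missing {attr}; idmap_ad cannot map this object")
            elif not lo <= int(value) <= hi:
                # The range acts as a filter: IDs outside it are ignored by idmap_ad.
                problems.append(f"{name}: {attr}={value} outside idmap range {lo}-{hi} for {domain}")
    return problems


if __name__ == "__main__":
    for label, conf in (("member smb.conf", MEMBER_SMB_CONF), ("fixed smb.conf", FIXED_SMB_CONF)):
        found = check_idmap(conf, LDIF, "MYNET")
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run against the posted configuration the script flags both testuser's uidNumber and gidNumber as outside 50000-99999 and notes the missing '*' backend; against the assumed corrected configuration it reports nothing. It deliberately checks only range membership and presence of the attributes, which are the conditions the idmap_ad man page describes; it does not model the DC's separate idmap_ldb behaviour.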