[Samba] winbind idmap_ad rfc2037 can't read UIdnumber
Raphaël RIGNIER
r.rignier at leschartreux.net
Tue Jul 5 14:11:00 UTC 2016
Le 05/07/2016 à 09:33, Raphaël RIGNIER a écrit :
> Le 04/07/2016 à 20:09, Rowland penny a écrit :
>> On 04/07/16 18:35, Raphaël RIGNIER wrote:
>>> Hi samba team !
>>>
>>> I try to resolve for hours a problem I have with a Linux Host (Samba
>>> 4.3.9 Ubuntu 16.04) as AD member. DCs are Windows 2008 R2, one is
>>> 2012 R2. Forest level is 2003 R2.
>>>
>>> my smb.conf :
>>> [GLOBAL]
>>> netbios name = CR-DEV-01
>>> security = ADS
>>> workgroup = ADDOMAIN
>>> realm = ADDOMAIN.COM
>>>
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 2000-9998
>>>
>>> idmap config ADDOMAIN:backend = ad
>>> idmap config ADDOMAIN:schema_mode = rfc2307
>>> idmap config ADDOMAIN:range = 9999-999999
>>>
>>> winbind nss info = rfc2307
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind use default domain = yes
>>>
>>> The range start 9999 is the "Domain's user" gidNumber, to have a default
>>> primary group.
>>> Shared uids and gids start at 10000.
>>>
>>> The test for groups :
>>> --------------
>>> # net ads search '(SamAccountName=info2)' samaccountname gidnumber -P
>>> Got 1 replies
>>>
>>> sAMAccountName: info2
>>> gidNumber: 10002
>>> ------------------
>>> # getent group info2
>>> info2:x:10002:
>>> ------------------
>>> All is OK
>>>
>>>
>>>
>>> For the User, it is not working as expected :
>>> -------------
>>> # net ads search '(SamAccountName=b.btstest)' samaccountName
>>> uinumber gidnumber gecos -P
>>> Got 1 replies
>>>
>>> sAMAccountName: b.btstest
>>> --------------------------------
>>> No uidnumber,gidnumber,gecos ?
>>>
>>> Same search with admin account :
>>> ------------------------
>>> net ads search '(SamAccountName=b.btstest)' samaccountName uinumber
>>> gidnumber gecos -U administrator
>>> Enter administrator's password:
>>> Got 1 replies
>>>
>>> sAMAccountName: b.btstest
>>> uidNumber: 13367
>>> gidNumber: 10002
>>> gecos: BTSTEST B
>>> ---------------
>>>
>>> -----
>>> #getent passwd b.btstest (no output)
>>> ------
>>> Winbind output
>>> ------
>>> getpwnam b.btstest
>>> Could not convert sid
>>> S-1-5-21-4272071638-3509717963-3151537417-7471: NT_STATUS_NONE_MAPPED
>>> ----------
>>> This is the same for all mapped AD users (3042 users).
>>>
>>> Does Winbind make queries on DCs with the machine account?
>>> Does that mean a bad AD schema?
>>>
>>> Strange behavior.
>>>
>>> Thanks for help.
>>>
>>
>> What 'libpam-*' packages do you have installed ?
>>
>> What have you got in /etc/nsswitch.conf
>>
>> Rowland
>>
>>
> AFAIK, libpam is not used at this stage of test. Only libnss_winbind
> should be used.
> Here is the libpam list :
>
> ii libpam-cap:amd64 1:2.24-12
> ii libpam-ck-connector:amd64 0.4.6-5
> ii libpam-gnome-keyring:amd64 3.18.3-0ubuntu2
> ii libpam-krb5:amd64 4.7-2
> ii libpam-modules:amd64 1.1.8-3.2ubuntu2
> ii libpam-modules-bin 1.1.8-3.2ubuntu2
> ii libpam-runtime 1.1.8-3.2ubuntu2
> ii libpam-systemd:amd64 229-4ubuntu6
> ii libpam-winbind:amd64 2:4.3.9+dfsg-0ubuntu0.16.04.2
> ii libpam0g:amd64 1.1.8-3.2ubuntu2
>
> pam_krb5 (my old auth method) is disabled via pam-auth-update
>
> my /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
> #passwd: compat ldap
> #group: compat ldap
> shadow: compat
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
>
I have checked posixGroup and posixAccount schema rights on the DC and
those are the same.
Rejoining the Linux host did nothing. Still investigating.
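To check the question raised in this thread (whether the account winbind queries the DCs with can actually read the RFC2307 attributes), here is an added shell example, not from the thread or from Samba itself: it lists the attributes a `net ads search` run did not return, so the machine-account (`-P`) and administrator (`-U`) results can be compared. The sample outputs are constructed from the thread; the attribute list and the user name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report RFC2307 attributes missing from
# `net ads search` output, to compare what the machine account (-P) can read
# with what a named user (-U) can read. Sample data below is constructed.

# rfc2307_attrs_missing OUTPUT ATTR...
# Prints each ATTR that does not occur as an "attr: value" line in OUTPUT
# (case-insensitive, like LDAP attribute names). Returns 1 if any are
# missing, 0 if all are present.
rfc2307_attrs_missing() {
    out=$1; shift
    rc=0
    for attr in "$@"; do
        if ! printf '%s\n' "$out" | grep -iq "^${attr}: "; then
            echo "$attr"
            rc=1
        fi
    done
    return $rc
}

# compare_visibility USER: run the same search with machine credentials and
# as the domain administrator on a joined host, and report what each query
# left out. Not called below, so the file also runs offline.
compare_visibility() {
    filter="(sAMAccountName=$1)"
    attrs="uidNumber gidNumber gecos"
    machine=$(net ads search "$filter" $attrs -P)
    admin=$(net ads search "$filter" $attrs -U administrator)
    echo "missing with machine account:"
    rfc2307_attrs_missing "$machine" $attrs || true
    echo "missing as administrator:"
    rfc2307_attrs_missing "$admin" $attrs || true
}

# Constructed sample outputs mirroring the two searches in the thread.
SAMPLE_MACHINE='Got 1 replies

sAMAccountName: b.btstest'
SAMPLE_ADMIN='Got 1 replies

sAMAccountName: b.btstest
uidNumber: 13367
gidNumber: 10002
gecos: BTSTEST B'

echo "attributes the machine-account search did not return:"
rfc2307_attrs_missing "$SAMPLE_MACHINE" uidNumber gidNumber gecos || true
```

If the machine-account run lists attributes that the administrator run returns, the gap is in read permissions on those attributes for the computer object rather than in the schema.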