Samba4 Linux user has two uid's [SOLVED]

Rowland Penny repenny at f2s.com
Tue Apr 2 12:11:55 MDT 2013


On 27/03/13 13:52, Rowland Penny wrote:
> On 26/03/13 17:29, Thomas Simmons wrote:
>> I'm sorry, the smb.conf I provided is missing this:
>>
>>           idmap config * : backend = tdb
>>           idmap config * : range = 900000-910000
>>
>> Kill your winbindd process, add that to smb.conf and run 'net cache
>> flush'. Start winbindd back up and you should be good to go.
>
> Hi Thomas, I did have something very similar to the above in my 
> smb.conf and after doing all I can think of, I am still getting the 
> same problem: with the line 'idmap config EXAMPLE:backend = ad' in my 
> smb.conf, I get no domain users. If I swap 'ad' for 'rid', I do get 
> domain users.
>
> This is the smb.conf I have been using:
>
> [global]
>         workgroup = EXAMPLE
>         realm = example.com
>         preferred master = no
>         server string = ubuntu client
>         security = ads
>         encrypt passwords = yes
>         log level = 3
>
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>
>         idmap config *:backend = tdb
>         idmap config *:range = 10000-20000
>
>         idmap config EXAMPLE:default = yes
>         idmap config EXAMPLE:backend = ad
>         idmap config EXAMPLE:schema mode = rfc2307
>         idmap config EXAMPLE:range = 3000000-31000000
>
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind nested groups = yes
>         winbind use default domain = yes
>         winbind nss info = rfc2307
>         winbind refresh tickets = Yes
>
>         template homedir = /home/%D/%U
>         template shell = /bin/bash
>
> This is an ldif file of a user on the Samba4 AD server
>
> dn: CN=testuser,CN=Users,DC=example,DC=com
> cn: testuser
> instanceType: 4
> whenCreated: 20130320122306.0Z
> uSNCreated: 3778
> name: testuser
> objectGUID:: siE+gJgV2kKaQO0qslOkVg==
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: testuser
> sAMAccountType: 805306368
> userPrincipalName: testuser at example.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
> pwdLastSet: 130082557870000000
> userAccountControl: 512
> uidNumber: 3000016
> gidNumber: 100
> unixHomeDirectory: /example/EXAMPLE/testuser
> loginShell: /bin/bash
> profilePath: \\adserver\profiles\testuser
> exampleDrive: Z:
> exampleDirectory: \\adserver\home\testuser
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> whenChanged: 20130326132819.0Z
> uSNChanged: 3855
> distinguishedName: CN=testuser,CN=Users,DC=example,DC=com
>
> And this is what I find in '/var/log/samba/log.winbindd-idmap' after I 
> run 'getent passwd'
>
>  [2013/03/27 13:22:08.697614,  0] 
> winbindd/idmap_tdb.c:149(idmap_tdb_upgrade)
>   Upgrading winbindd_idmap.tdb from an old version
> [2013/03/27 13:22:08.747114,  3] winbindd/idmap.c:230(idmap_init_domain)
>   idmap backend ad not found
> [2013/03/27 13:22:08.748825,  2] lib/module.c:64(do_smb_load_module)
>   Module '/usr/lib/samba/idmap/ad.so' loaded
> [2013/03/27 13:22:08.749165,  3] libsmb/namequery.c:2533(get_dc_list)
>   get_dc_list: preferred server list: "adserver.example.com, *"
> [2013/03/27 13:22:08.762494,  3] libads/ldap.c:640(ads_connect)
>   Successfully contacted LDAP server 192.168.0.10
> [2013/03/27 13:22:08.762828,  3] libsmb/namequery.c:2533(get_dc_list)
>   get_dc_list: preferred server list: "adserver.example.com, *"
> [2013/03/27 13:22:08.763190,  3] libsmb/namequery.c:2533(get_dc_list)
>   get_dc_list: preferred server list: "adserver.example.com, *"
> [2013/03/27 13:22:08.777696,  3] libads/ldap.c:640(ads_connect)
>   Successfully contacted LDAP server 192.168.0.10
> [2013/03/27 13:22:08.780683,  3] libads/ldap.c:694(ads_connect)
>   Connected to LDAP server adserver.example.com
> [2013/03/27 13:22:08.807827,  3] libads/sasl.c:869(ads_sasl_spnego_bind)
>   ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> [2013/03/27 13:22:08.808305,  3] libads/sasl.c:869(ads_sasl_spnego_bind)
>   ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> [2013/03/27 13:22:08.808456,  3] libads/sasl.c:869(ads_sasl_spnego_bind)
>   ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> [2013/03/27 13:22:08.808604,  3] libads/sasl.c:878(ads_sasl_spnego_bind)
>   ads_sasl_spnego_bind: got server principal name = 
> not_defined_in_RFC4178 at please_ignore
> [2013/03/27 13:22:08.809768,  3] libsmb/clikrb5.c:787(ads_krb5_mk_req)
>   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache 
> found)
> [2013/03/27 13:22:08.966573,  3] 
> libsmb/clikrb5.c:632(ads_cleanup_expired_creds)
>   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] 
> expiration Wed, 27 Mar 2013 23:22:08 GMT
> [2013/03/27 13:22:08.966866,  3] libsmb/clikrb5.c:840(ads_krb5_mk_req)
>   ads_krb5_mk_req: server marked as OK to delegate to, building 
> forwardable TGT
> [2013/03/27 13:22:09.543036,  1] 
> winbindd/idmap_ad.c:657(idmap_ad_sids_to_unixids)
>   Could not get unix ID
> [2013/03/27 13:22:09.549311,  1] 
> winbindd/idmap_ad.c:657(idmap_ad_sids_to_unixids)
>   Could not get unix ID
> [2013/03/27 13:22:09.554357,  1] 
> winbindd/idmap_ad.c:657(idmap_ad_sids_to_unixids)
>   Could not get unix ID
> [2013/03/27 13:22:09.614386,  1] 
> winbindd/idmap_ad.c:657(idmap_ad_sids_to_unixids)
>   Could not get unix ID
> [2013/03/27 13:22:09.625233,  1] 
> winbindd/idmap_ad.c:657(idmap_ad_sids_to_unixids)
>   Could not get unix ID
> [2013/03/27 13:22:09.630888,  1] 
> winbindd/idmap_ad.c:657(idmap_ad_sids_to_unixids)
>   Could not get unix ID
>
> Does anybody have any suggestions on how I can get this to work? I am 
> being driven to distraction by this, and it is probably something I am 
> doing or not doing.
>
> Rowland
>
>
OK, I can now get the same uid & gid numbers on the server and clients. 
To do this was in fact very easy: DON'T USE WINBIND, use sssd instead.

Example:

On the Samba4 server:
getent passwd rowland
rowland:*:1201401105:1201400513:rowland:/home/DOMAIN/rowland:/bin/bash

On the client:
getent passwd rowland
rowland:*:1201401105:1201400513:rowland:/home/DOMAIN/rowland:/bin/bash

Rowland
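As an added check (example code written for this archive page; it is not Samba's code and not something Rowland posted): winbind's idmap ad backend only maps uidNumber/gidNumber values that lie inside the domain's configured range, and the ranges of different idmap domains must not overlap. The script below parses the quoted smb.conf idmap lines and the testuser LDIF (reproduced as constructed sample input) and reports any value the ad backend would refuse to map. Run against the thread's values it flags the user's gidNumber of 100, which lies outside the EXAMPLE range 3000000-31000000, as one thing worth verifying on the server side before switching backends.

```python
import re

# Constructed sample input: the idmap lines from the smb.conf posted in the
# thread and the posix attributes from the testuser LDIF (abridged).
SMB_CONF = """\
[global]
        workgroup = EXAMPLE
        idmap config *:backend = tdb
        idmap config *:range = 10000-20000

        idmap config EXAMPLE:default = yes
        idmap config EXAMPLE:backend = ad
        idmap config EXAMPLE:schema mode = rfc2307
        idmap config EXAMPLE:range = 3000000-31000000
"""

USER_LDIF = """\
dn: CN=testuser,CN=Users,DC=example,DC=com
sAMAccountName: testuser
primaryGroupID: 513
uidNumber: 3000016
gidNumber: 100
objectClass: posixAccount
"""

# "idmap config <domain> : <key> = <value>"; whitespace around ':' is optional
# and the key may contain a space ("schema mode").
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^:\s]+)\s*:\s*([^=]+?)\s*=\s*(.*?)\s*$", re.MULTILINE
)


def parse_idmap(conf: str) -> dict:
    """Return {domain: {key: value}} for every 'idmap config' line in smb.conf."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        cfg.setdefault(dom.upper(), {})[key.lower()] = val
    return cfg


def parse_range(spec: str) -> tuple:
    """'low-high' -> (low, high); raises ValueError if malformed or inverted."""
    low, high = (int(p) for p in spec.split("-", 1))
    if low >= high:
        raise ValueError(f"inverted idmap range {spec!r}")
    return low, high


def parse_ldif(text: str) -> dict:
    """Minimal LDIF attribute parser: {attr: [values]}; base64 ('::') values skipped."""
    attrs = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value, not needed for this check
            continue
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def overlapping_ranges(cfg: dict) -> list:
    """Pairs of idmap domains whose ranges overlap (winbind requires disjoint ranges)."""
    ranges = {d: parse_range(v["range"]) for d, v in cfg.items() if "range" in v}
    names = sorted(ranges)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                pairs.append((a, b))
    return pairs


def check_user(cfg: dict, user: dict, domain: str) -> list:
    """Findings for a posixAccount user against the domain's 'idmap config ... = ad' block."""
    findings = []
    dom = cfg.get(domain.upper(), {})
    if dom.get("backend") != "ad":
        findings.append(f"{domain}: backend is {dom.get('backend')!r}, not 'ad'")
        return findings
    low, high = parse_range(dom["range"])
    # The ad backend ignores uidNumber/gidNumber values outside the domain range,
    # so the user (or its primary group) then gets no unix ID at all.
    for attr in ("uidNumber", "gidNumber"):
        values = user.get(attr)
        if not values:
            findings.append(f"{attr} missing on {user['dn'][0]}")
            continue
        n = int(values[0])
        if not low <= n <= high:
            findings.append(f"{attr} {n} outside {domain} range {low}-{high}")
    return findings


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    user = parse_ldif(USER_LDIF)
    for a, b in overlapping_ranges(cfg):
        print(f"idmap ranges overlap: {a} / {b}")
    for finding in check_user(cfg, user, "EXAMPLE"):
        print(finding)
```

The same range rule applies to the group objects themselves: with the ad backend the user's primary group (primaryGroupID 513 here) must also carry a gidNumber inside the domain range, so the group LDIF is worth running through `check_user` as well, with `uidNumber` left out.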

