Samba4 Linux user has two uid's

Thomas Simmons twsnnva at gmail.com
Mon Mar 25 18:04:45 MDT 2013


On Mon, Mar 25, 2013 at 3:18 PM, Rowland Penny <repenny at f2s.com> wrote:
>
> On 25/03/13 18:59, Thomas Simmons wrote:
>
> On Mon, Mar 25, 2013 at 2:30 PM, Rowland Penny <repenny at f2s.com> wrote:
>>
>> On 21/03/13 20:01, Rowland Penny wrote:
>>>
>>> Hi,
>>> If you join a S3 client to a S4 domain you get a different uid on the client and server, i.e.
>>>
>>> Info from the client
>>> $ id user
>>> uid=21105(user) gid=20513(domain_users) groups=20513(domain_users),1101(BUILTIN\users)
>>>
>>>
>>> Info from the server
>>> # id user
>>> uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>>>
>>> Now if you mount a share onto the client from the server via pam_script:
>>>
>>> mount -t cifs //server/dropbox /home/dropbox -o username=user,cruid=userid,sec=krb5i,multiuser,nobrl,mapchars,mfsymlinks,noserverino
>>>
>>> If a file is now created in the share by the user, the user immediately loses all rights to it from the client.
>>>
>>> Is this a CIFS problem or a Samba4 problem?
>>>
>>
>> OK, I am now coming round to think that there is something wrong with Samba 3.6.X after 3.6.3.
>> Reasons?
>> I cannot get it to show domain users or groups on Samba 3.6.6 running on Mint 14; the smb.conf is identical to the one I used on 3.6.3 running on Ubuntu 12.04, which works.
>>
>> I then spent some time downloading and compiling various versions, all of which failed in the same way.
>>
>> As I wasn't sure if it was the way that I was compiling samba or not, I have installed openSUSE 12.3 and again set up samba with the same smb.conf. openSUSE uses version 3.6.12. It fails in exactly the same way, i.e. getent will not return domain users, only local users.
>>
>> So, unless anybody is prepared to come forward and announce that they are using a version later than 3.6.3, I must suggest that something in samba is broken.
>>
> Hello Rowland,
>
> I don't know if you missed my reply above, but I stated (link below) that I had this working on 3.6.10, compiled from source, in the thread I linked to. Apart from --with-ads and --with-shared-modules=idmap_ad, I don't know what other options I used. I spent the better part of a weekend trying to figure out my original problem (specific to the domain controller itself) which turned out to be a bug. I'll set up a test VM later today and try to duplicate what I did then. I can't imagine such critical functionality would have been broken since 3.6.3 and not have been noticed before now. Have you increased logging verbosity and checked your logs for anything? That's how I discovered the idmap_ad problem.
>
> https://lists.samba.org/archive/samba/2012-December/170552.html
>
>>
>> Rowland
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>
>
>
> Yes, sorry, I had missed the version you used, but it would appear that I used the same configure line as you. Could you please confirm what dependencies you installed prior to compiling and what distro you compiled it on?
>
> The only thing I can think of doing now is to compile 3.6.10 on 12.04, then if it works, compile it on Mint 14 exactly the same way and hope it works.
>
>
> Rowland
>
Hello Rowland,
I believe I initially tested this on CentOS 6.3, however I just
compiled Samba 3.6.13 on Ubuntu 12.04 with no problem.

root@ubuntu-client:~# lsb_release -d
Description:    Ubuntu 12.04.2 LTS

root@ubuntu-client:~# uname -a
Linux ubuntu-client 3.2.0-33-generic #52-Ubuntu SMP Thu Oct 18 16:29:15 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

root@ubuntu-client:~# winbindd -V
Version 3.6.13

root@ubuntu-client:~# wbinfo -u | grep tuser
tuser1
tuser2

root@ubuntu-client:~# getent passwd | grep tuser
tuser1:*:10000:10000:Test User1:/home/tuser1:/bin/sh
tuser2:*:10001:10000:Test User2:/home/tuser2:/bin/sh

To answer your questions, I installed the following dependencies (some
are not needed, but I use the same list for samba3 and 4):

apt-get -y install build-essential libpam-dev gdb python python-dev libldap2-dev libacl1-dev libacl1 krb5-user ctdb libctdb-dev cups libcups2-dev

I used the following option during configure:

./configure --with-shared-modules=idmap_ad

I am using the following smb.conf:

 [global]
         workgroup = TESTDOM
         realm = internal.testdom.com
         preferred master = no
         server string = ubuntu-client
         security = ads
         encrypt passwords = yes

         idmap config TESTDOM : default = yes
         idmap config TESTDOM : backend = ad
         idmap config TESTDOM : schema_mode = rfc2307
         idmap config TESTDOM : range = 10000-20000

         winbind enum users = yes
         winbind enum groups = yes
         winbind nested groups = yes
         winbind use default domain = yes

         template homedir = /home/%U
         template shell = /bin/sh

I was able to duplicate your problem in two ways:

1) Not copying samba-3.6.13/nsswitch/libnss_winbind.so to
/lib/x86_64-linux-gnu/libnss_winbind.so.2. Did you do this step?

2) If you do not have any users with a uid in the range specified in
smb.conf. For example, my "Administrator" user has a uid that is lower
than 10000, so he does not show up when running "getent passwd".
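
The second cause in the message above (a uid outside the "idmap config ... : range" setting) can be checked mechanically. The script below is an added example, not part of the original message or of Samba: it reads the range from smb.conf text and lists the accounts that fall outside it. The function names, the sample user list and the Administrator uid of 500 are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts whose uid lies outside the idmap range
# configured in smb.conf, i.e. accounts "getent passwd" will not show.

# Constructed sample: idmap lines from the smb.conf quoted in the message.
SAMPLE_CONF='[global]
    workgroup = TESTDOM
    idmap config TESTDOM : backend = ad
    idmap config TESTDOM : schema_mode = rfc2307
    idmap config TESTDOM : range = 10000-20000'

# Constructed sample: name:uidNumber pairs; 500 is a made-up low value.
SAMPLE_USERS='tuser1:10000
tuser2:10001
Administrator:500'

# idmap_range DOMAIN < smb.conf  -> prints "LOW HIGH"; fails if no range
idmap_range() {
    awk -v dom="$1" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^[#;]/) next            # skip comment lines
            if (split(line, kv, "=") != 2) next # not a key = value line
            key = kv[1]; val = kv[2]
            gsub(/[ \t]+/, " ", key); sub(/ $/, "", key)
            gsub(/[ \t]/, "", val)
            if (tolower(key) == tolower("idmap config " dom " : range")) {
                split(val, r, "-"); print r[1], r[2]; found = 1
            }
        }
        END { exit !found }'
}

# out_of_range LOW HIGH < name:uid lines -> names outside [LOW, HIGH]
out_of_range() {
    awk -F: -v lo="$1" -v hi="$2" \
        '($2 + 0 < lo + 0) || ($2 + 0 > hi + 0) { print $1 }'
}

# check_users DOMAIN CONF_TEXT USERS_TEXT -> names the range excludes
check_users() {
    range=$(printf '%s\n' "$2" | idmap_range "$1") || return 1
    lo=${range% *}; hi=${range#* }
    printf '%s\n' "$3" | out_of_range "$lo" "$hi"
}

check_users TESTDOM "$SAMPLE_CONF" "$SAMPLE_USERS"
```

On a real client the user list would come from the uidNumber attributes stored in the directory rather than from an inline sample.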

