Samba4 Linux user has two uid's

Rowland Penny repenny at f2s.com
Tue Mar 26 10:22:14 MDT 2013


On 26/03/13 00:04, Thomas Simmons wrote:
> On Mon, Mar 25, 2013 at 3:18 PM, Rowland Penny <repenny at f2s.com> wrote:
>> On 25/03/13 18:59, Thomas Simmons wrote:
>>
>> On Mon, Mar 25, 2013 at 2:30 PM, Rowland Penny <repenny at f2s.com> wrote:
>>> On 21/03/13 20:01, Rowland Penny wrote:
>>>> Hi,
>>>> If you join an S3 client to an S4 domain you get a different uid on the client and server, i.e.
>>>>
>>>> Info from the client
>>>> $ id user
>>>> uid=21105(user) gid=20513(domain_users) groups=20513(domain_users),1101(BUILTIN\users)
>>>>
>>>>
>>>> Info from the server
>>>> # id user
>>>> uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>>>>
>>>> Now if you mount a share onto the client from the server via pam_script:
>>>>
>>>> mount -t cifs //server/dropbox /home/dropbox -o username=user,cruid=userid,sec=krb5i,multiuser,nobrl,mapchars,mfsymlinks,noserverino
>>>>
>>>> If a file is now created in the share by the user, the user immediately loses all rights to it from the client.
>>>>
>>>> Is this a CIFS problem or a Samba4 problem?
>>>>
>>> OK, I am now coming round to think that there is something wrong with Samba 3.6.X after 3.6.3.
>>> Reasons?
>>> I cannot get it to show domain users or groups on Samba 3.6.6 running on Mint 14; the smb.conf is identical to the one I used on 3.6.3 running on Ubuntu 12.04, which works.
>>>
>>> I then spent some time downloading and compiling various versions, all which failed in the same way.
>>>
>>> As I wasn't sure if it was the way that I was compiling samba or not, I have installed Opensuse 12.3 and again set up samba with the same smb.conf. Opensuse uses version 3.6.12. It fails in exactly the same way i.e. getent will not return domain users, only local users.
>>>
>>> So, unless anybody is prepared to come forward and announce that they are using a version later than 3.6.3, I must suggest that something in samba is broken.
>>>
>> Hello Rowland,
>>
>> I don't know if you missed my reply above, but I stated (link below) that I had this working on 3.6.10, compiled from source, in the thread I linked to. Apart from --with-ads and --with-shared-modules=idmap_ad, I don't know what other options I used. I spent the better part of a weekend trying to figure out my original problem (specific to the domain controller itself) which turned out to be a bug. I'll set up a test VM later today and try to duplicate what I did then. I can't imagine such critical functionality would have been broken since 3.6.3 and not have been noticed before now. Have you increased logging verbosity and checked your logs for anything? That's how I discovered the idmap_ad problem.
>>
>> https://lists.samba.org/archive/samba/2012-December/170552.html
>>
>>> Rowland
>>>
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>>
>>
>>
>>
>> Yes, sorry, I had missed the version you used, but it would appear that I used the same configure line as you. Could you please confirm what dependencies you installed prior to compiling and what distro you compiled it on.
>>
>> The only thing I can think of doing now is to compile 3.6.10 on 12.04, then if it works, compile it on mint 14 exactly the same way and hope it works.
>>
>>
>> Rowland
>>
> Hello Rowland,
> I believe I initially tested this on CentOS 6.3, however I just
> compiled Samba 3.6.13 on Ubuntu 12.04 with no problem.
>
> root at ubuntu-client:~# lsb_release -d
> Description:    Ubuntu 12.04.2 LTS
>
> root at ubuntu-client:~# uname -a
> Linux ubuntu-client 3.2.0-33-generic #52-Ubuntu SMP Thu Oct 18
> 16:29:15 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> root at ubuntu-client:~# winbindd -V
> Version 3.6.13
>
> root at ubuntu-client:~# wbinfo -u | grep tuser
> tuser1
> tuser2
>
> root at ubuntu-client:~# getent passwd | grep tuser
> tuser1:*:10000:10000:Test User1:/home/tuser1:/bin/sh
> tuser2:*:10001:10000:Test User2:/home/tuser2:/bin/sh
>
> To answer your questions, I installed the following dependencies (some
> are not needed, but I use the same list for samba3 and 4):
>
> apt-get -y install build-essential libpam-dev gdb python python-dev
> libldap2-dev libacl1-dev libacl1 krb5-user ctdb libctdb-dev cups
> libcups2-dev
>
> I used the following option during configure:
>
> ./configure --with-shared-modules=idmap_ad
>
> I am using the following smb.conf:
>
>   [global]
>           workgroup = TESTDOM
>           realm = internal.testdom.com
>           preferred master = no
>           server string = ubuntu-client
>           security = ads
>           encrypt passwords = yes
>
>           idmap config TESTDOM : default = yes
>           idmap config TESTDOM : backend = ad
>           idmap config TESTDOM : schema_mode = rfc2307
>           idmap config TESTDOM : range = 10000-20000
>
>           winbind enum users = yes
>           winbind enum groups = yes
>           winbind nested groups = yes
>           winbind use default domain = yes
>
>           template homedir = /home/%U
>           template shell = /bin/sh
>
> I was able to duplicate your problem in two ways:
>
> 1) Not copying samba-3.6.13/nsswitch/libnss_winbind.so to
> /lib/x86_64-linux-gnu/libnss_winbind.so.2. Did you do this step?
>
> 2) If you do not have any users with a uid in the range specified in
> smb.conf. For example, my "Administrator" user has a uid that is lower
> than 10000, so he does not show up when running "getent passwd".
>
>

Hi Thomas, first thanks for your help, it is very much appreciated.

I started with a fresh install of Ubuntu 12.04 server and setup Samba as 
per your info and again got no domain users.

After a bit of panicking, I checked everything again, deleted all cache 
files and rejoined the domain again but still no domain users. I then, 
after a bit of thought, reset smb.conf to use the rid backend (this is 
what I was using originally)

i.e. I replaced:
        idmap config HOME:backend = ad
        idmap config HOME:schema mode = rfc2307
with:
        idmap config HOME:backend = rid

restarted smbd, nmbd and winbind, and I then got the domain users.

I then swapped the lines back, restarted samba again and again got the 
domain users.

I then carried out the same process on Mint 14, but this time I 
downloaded the 3.6.13 tarball and used this. I got the same thing, no 
domain users until I set the backend to rid.

So for me it would seem that the ad backend will not pull the info from 
the domain, but will use locally cached info.

Rowland
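The thread turns on two things winbind does with the "idmap config" block: the ad backend only maps accounts whose RFC2307 uidNumber exists and falls inside the configured range (so an Administrator with a uid below 10000, or an account with no uidNumber at all, never appears in getent), while the rid backend computes an id arithmetically from the account's RID and therefore maps every account, at the cost of ids that differ from the uidNumber values stored in AD. The script below is an added example written for this page, not code from the thread or from Samba: it parses the idmap lines of an smb.conf fragment and replays both mapping rules over a constructed list of accounts standing in for what winbind would fetch from the DC. The smb.conf fragments, the account records, and the simplifications (no base_rid, no trusted domains, a single primary domain) are all assumptions of the example.

```python
"""Model how winbind's idmap_ad and idmap_rid backends turn AD accounts into uids.

Added example, not code from the thread. The smb.conf fragments and the user
records are constructed; the AD lookup is simulated by a plain list.
"""
import re

# Constructed: an ad/rfc2307 configuration in the shape used in the thread.
SMB_CONF_AD = """\
[global]
        workgroup = TESTDOM
        realm = internal.testdom.com
        security = ads

        idmap config * : backend = tdb
        idmap config * : range = 3000000-4000000
        idmap config TESTDOM : backend = ad
        idmap config TESTDOM : schema_mode = rfc2307
        idmap config TESTDOM : range = 10000-20000
"""

# Constructed: the same domain switched to the rid backend, as in the last message.
SMB_CONF_RID = SMB_CONF_AD.replace(
    "idmap config TESTDOM : backend = ad", "idmap config TESTDOM : backend = rid"
)

# Constructed stand-in for what winbind would read from the DC: each account's
# RID and its RFC2307 uidNumber (None when the attribute is not set in AD).
SAMPLE_USERS = [
    {"name": "tuser1", "domain": "TESTDOM", "rid": 1105, "uidNumber": 10000},
    {"name": "tuser2", "domain": "TESTDOM", "rid": 1106, "uidNumber": 10001},
    {"name": "Administrator", "domain": "TESTDOM", "rid": 500, "uidNumber": 500},
    {"name": "svc_backup", "domain": "TESTDOM", "rid": 1200, "uidNumber": None},
]

# Accepts both "idmap config DOM : key = value" and "idmap config DOM:key = value".
_IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap_config(conf_text):
    """Collect the idmap config lines into {DOMAIN: {key: value}}.

    Keys are lower-cased with spaces folded to underscores, so "schema mode" and
    "schema_mode" land on the same key; "range" becomes a (low, high) tuple.
    """
    cfg = {}
    for line in conf_text.splitlines():
        m = _IDMAP_LINE.match(line)
        if not m:
            continue
        domain, key, value = m.groups()
        key = "_".join(key.strip().lower().split())
        cfg.setdefault(domain.strip().upper(), {})[key] = value
    for opts in cfg.values():
        if "range" in opts:
            low, high = (int(x) for x in opts["range"].split("-"))
            opts["range"] = (low, high)
    return cfg


def map_uid(user, cfg):
    """Return (uid, reason); uid is None when winbind would not map the account."""
    opts = cfg.get(user["domain"].upper()) or cfg.get("*")
    if opts is None or "range" not in opts:
        return None, "no idmap config with a range covers this domain"
    low, high = opts["range"]
    backend = opts.get("backend")
    if backend == "ad":
        # idmap_ad only reads uidNumber from AD; it never allocates an id itself.
        uid = user.get("uidNumber")
        if uid is None:
            return None, "no uidNumber attribute in AD"
    elif backend == "rid":
        # idmap_rid derives the id arithmetically: range low + RID (no base_rid here).
        uid = low + user["rid"]
    else:
        return None, f"backend {backend!r} not modelled here"
    if not low <= uid <= high:
        return None, f"uid {uid} outside range {low}-{high}"
    return uid, "ok"


def visibility_report(conf_text, users):
    """Map every account; entries with a uid are the ones getent passwd could list."""
    cfg = parse_idmap_config(conf_text)
    return {u["name"]: map_uid(u, cfg) for u in users}


if __name__ == "__main__":
    for label, conf in (("ad/rfc2307", SMB_CONF_AD), ("rid", SMB_CONF_RID)):
        print(f"backend {label}:")
        for name, (uid, reason) in visibility_report(conf, SAMPLE_USERS).items():
            shown = f"uid={uid}" if uid is not None else "hidden"
            print(f"  {name:<14} {shown:<10} {reason}")
```

Running it shows the two failure modes from the thread side by side: under the ad backend, Administrator is hidden because uid 500 is below the 10000-20000 range and svc_backup is hidden because it has no uidNumber, while under the rid backend every account maps (tuser1 becomes 11105, not its AD uidNumber 10000). That last difference is also why a client and server using different backends, as in the opening post, disagree about who owns a file: the client's uid 21105 for RID 1105 reads like a rid mapping from a range starting at 20000, while the server allocated 3000016 from its own range. Checking the range against the lowest uidNumber actually set in AD, and confirming that libnss_winbind is installed for nss, are the two checks to make before suspecting the build.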
