4.2rc2 and winbindd

Michael Adam obnox at samba.org
Sun Oct 19 16:55:15 MDT 2014


On 2014-10-19 at 13:46 +0100, Rowland Penny wrote:
> OK, I have compiled 4.2rc2 on Debian 7.5 running in a VM and set up
> a test DC. this was set up to test the new (old?) winbindd. From
> what I have read this is exactly the same daemon that would be run
> if I setup a client and presumably needs the same configuration in
> smb.conf.
> 
> Therefore, after provision, I changed smb.conf to this:
> 
> # Global parameters
> [global]
>         workgroup = EXAMPLE
>         realm = example.com
>         netbios name = DEBDC
>         server role = active directory domain controller
>         dns forwarder = 8.8.8.8
>         idmap_ldb:use rfc2307 = yes
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind use default domain = yes
>         winbind expand groups = 4
>         winbind nss info = rfc2307
>         winbind refresh tickets = Yes
>         winbind normalize names = Yes
>         idmap config * : backend = tdb
>         idmap config * : range = 2000-9999
>         idmap config HOME : backend  = ad
>         idmap config HOME : range = 10000-999999
>         idmap config HOME : schema_mode = rfc2307
>         log level = 9
> 
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>         read only = No
> 
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
> 
> This is based on a working samba 4.1.6 client.
> 
> I gave Domain Users a gidNumber, created a user, gave the user a
> uidNumber and the loginShell & unixHomeDirectory attributes.
> 
> Everything else is setup as standard.
> 
> wbinfo -u shows all domain users, wbinfo -g shows all domain groups.
> 
> getent passwd & getent group, do not display anything from the domain
> 
> getent group Domain\ Users displays:
> 
> domain_users:x:10000:
> 
> getent passwd rowland displays:
> 
> rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false
> 
> As you can see, like the old builtin winbind, the users uidNumber
> and the Domain Users gidNumber are displayed. The unixHomeDirectory
> & loginShell attributes do not seem to be pulled from AD, are they
> supposed to be ?
> 
> Am I barking up the wrong tree ? Am I doing something wrong or not
> doing something I should ?

While I have not tested this myself yet, it is quite possible
that you have found a problem with the still very new
samba/winbindd setup.

For a start, with a few remarks I can only try and guide you to
test it yourself, and possibly find the problem, but Andrew
should comment, indeed.

Could you set these

>         winbind use default domain = yes
>         winbind normalize names = Yes

to "no"? Especially the default domain.

It is strange that in your example, "domain users", which should
be of the primary domain EXAMPLE, is resolved to 10000 of the
HOME domain... Does that HOME domain exist in fact?

Could you then test the atomic winbindd id mapping and name
resolution commands instead of the aggregate nsswitch commands
to test things:

wbinfo -n EXAMPLE\\Domain\ Users
# --> SID
wbinfo -s SID
# --> name back from the SID
wbinfo --sid-to-gid SID
wbinfo -n EXAMPLE\\rowland
# --> SID2
wbinfo -s SID2
wbinfo --sid-to-uid SID2

These should work. Please paste the results.
Let's see further after that.

I am not certain whether winbindd runs with some special
parameters in the samba-ad setup. I would need to dig into the
code for that but it is too late Sunday night for that...
More later. :-)

Cheers - Michael
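The atomic chain Michael asks for above (name -> SID -> name -> uid/gid), scripted so that the answer to his "which domain's range did 10000 land in?" question comes out directly. This is an added diagnostic for this archive page, not code from the thread or from the Samba project. It assumes wbinfo's usual output formats (`wbinfo -n` prints "<SID> <type name> (<type>)", `wbinfo -s` prints "DOMAIN\name <type>", `--sid-to-uid`/`--sid-to-gid` print the bare id), and the idmap ranges are copied from the smb.conf quoted in the thread; the `WBINFO` variable lets you point it at a stub for offline testing, which is how the constructed example data below is fed in.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): walk the atomic winbindd chain
# name -> SID -> name -> uid/gid for one account and report which
# configured idmap range the resulting Unix id landed in.
# WBINFO can be pointed at a stub command/function for offline testing.
WBINFO="${WBINFO:-wbinfo}"

# idmap ranges copied from the smb.conf quoted above; adjust to your config.
# Format: <idmap domain> <low> <high>
IDMAP_RANGES='* 2000 9999
HOME 10000 999999'

# range_for_id ID -> prints the idmap domain whose range contains ID, or "none"
range_for_id() {
    printf '%s\n' "$IDMAP_RANGES" | awk -v id="$1" '
        ($2+0) <= (id+0) && (id+0) <= ($3+0) { print $1; found = 1; exit }
        END { if (!found) print "none" }'
}

# resolve_chain DOMAIN NAME user|group
# prints one tab-separated line: SID, round-trip name, unix id, owner of
# the idmap range the id fell in, and whether the SID resolved back to the
# same name (ok/mismatch). Returns non-zero if any wbinfo step fails.
resolve_chain() {
    dom=$1 name=$2 kind=$3

    # wbinfo -n prints "<SID> <type-name> (<type>)"; keep the first field
    out=$("$WBINFO" -n "$dom\\$name") || return 1
    sid=${out%% *}

    # wbinfo -s prints "DOMAIN\name <type>"; drop the trailing type number
    out=$("$WBINFO" -s "$sid") || return 1
    back=${out% *}

    case $kind in
        user)  id=$("$WBINFO" --sid-to-uid "$sid") || return 1 ;;
        group) id=$("$WBINFO" --sid-to-gid "$sid") || return 1 ;;
        *)     printf 'kind must be user or group\n' >&2; return 2 ;;
    esac

    # winbindd name matching is case-insensitive, so compare lower-cased
    if [ "$(printf '%s' "$back" | tr 'A-Z' 'a-z')" = \
         "$(printf '%s' "$dom\\$name" | tr 'A-Z' 'a-z')" ]; then
        rt=ok
    else
        rt=mismatch
    fi

    printf '%s\t%s\t%s\t%s\t%s\n' "$sid" "$back" "$id" "$(range_for_id "$id")" "$rt"
}

# Driver: each argument is DOMAIN:NAME:KIND, e.g. 'EXAMPLE:Domain Users:group'
if [ $# -eq 0 ]; then
    printf 'usage: %s DOMAIN:NAME:user|group ...\n' "$0" >&2
else
    for spec in "$@"; do
        d=${spec%%:*}; rest=${spec#*:}; n=${rest%:*}; k=${rest##*:}
        resolve_chain "$d" "$n" "$k" || printf 'lookup failed for %s\n' "$spec" >&2
    done
fi
```

Run it on the DC as `sh wbcheck.sh 'EXAMPLE:Domain Users:group' 'EXAMPLE:rowland:user'`. With the configuration quoted in the thread, an id of 10000 for either name reports the range owner as HOME rather than the primary domain's own range, which is exactly the oddity Michael points out; a `mismatch` in the last column means the SID no longer resolves back to the name you started from, so the name lookup and the id mapping should be examined separately before trusting anything getent shows.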