4.2rc2 and winbindd

Rowland Penny repenny241155 at gmail.com
Mon Oct 20 02:24:30 MDT 2014


On 19/10/14 23:55, Michael Adam wrote:
> On 2014-10-19 at 13:46 +0100, Rowland Penny wrote:
>> OK, I have compiled 4.2rc2 on Debian 7.5 running in a VM and set up
>> a test DC. This was set up to test the new (old?) winbindd. From
>> what I have read this is exactly the same daemon that would be run
>> if I set up a client and presumably needs the same configuration in
>> smb.conf.
>>
>> Therefore, after provision, I changed smb.conf to this:
>>
>> # Global parameters
>> [global]
>>          workgroup = EXAMPLE
>>          realm = example.com
>>          netbios name = DEBDC
>>          server role = active directory domain controller
>>          dns forwarder = 8.8.8.8
>>          idmap_ldb:use rfc2307 = yes
>>          dedicated keytab file = /etc/krb5.keytab
>>          kerberos method = secrets and keytab
>>          winbind enum users = yes
>>          winbind enum groups = yes
>>          winbind use default domain = yes
>>          winbind expand groups = 4
>>          winbind nss info = rfc2307
>>          winbind refresh tickets = Yes
>>          winbind normalize names = Yes
>>          idmap config * : backend = tdb
>>          idmap config * : range = 2000-9999
>>          idmap config HOME : backend  = ad
>>          idmap config HOME : range = 10000-999999
>>          idmap config HOME : schema_mode = rfc2307
>>          log level = 9
>>
>> [netlogon]
>>          path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /usr/local/samba/var/locks/sysvol
>>          read only = No
>>
>> This is based on a working samba 4.1.6 client.
>>
>> I gave Domain Users a gidNumber, created a user, gave the user a
>> uidNumber and the loginShell & unixHomeDirectory attributes.
>>
>> Everything else is set up as standard.
>>
>> wbinfo -u shows all domain users, wbinfo -g shows all domain groups.
>>
>> getent passwd & getent group do not display anything from the domain.
>>
>> getent group Domain\ Users displays:
>>
>> domain_users:x:10000:
>>
>> getent passwd rowland displays:
>>
>> rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false
>>
>> As you can see, like the old builtin winbind, the user's uidNumber
>> and the Domain Users gidNumber are displayed. The unixHomeDirectory
>> & loginShell attributes do not seem to be pulled from AD, are they
>> supposed to be?
>>
>> Am I barking up the wrong tree? Am I doing something wrong or not
>> doing something I should?

Hello Michael, see inline comments.

> While I have not tested this myself yet, it is well possible
> that you have found a problem with the still very new
> samba-winbindd-setup.
>
> For a start, with a few remarks I can only try and guide you to
> test it yourself, and possibly find the problem, but Andrew
> should comment, indeed.
>
> Could you set these
>
>>          winbind use default domain = yes
>>          winbind normalize names = Yes
> to "no"? Especially the default domain.

Done.

>
> It is strange that in your example, "domain users", which should
> be of the primary domain EXAMPLE, is resolved to 10000 of the
> HOME home domain... Does that HOME domain exist in fact?

DOH! Thank you for pointing out the very obvious 'cut & paste error' ;-)
Altering it makes no difference, however.

> Could you then test the atomic winbindd id mapping and name
> resolution commands instead of the aggregate nsswitch commands
> to test things:
> wbinfo -n EXAMPLE\\Domain\ Users
> # --> SID
> wbinfo -s SID
> wbinfo --sid-to-gid SID
> wbinfo -n EXAMPLE\\rowland
> # --> SID2
> wbinfo -n SID2
> wbinfo --sid-to-uid SID2

OK, here are the results:

wbinfo -n EXAMPLE\\Domain\ Users
# --> SID --> S-1-5-21-3684522210-1888564150-245155842-513 SID_DOM_GROUP (2)
wbinfo -s S-1-5-21-3684522210-1888564150-245155842-513
EXAMPLE\Domain Users 2

wbinfo --sid-to-gid S-1-5-21-3684522210-1888564150-245155842-513
10000

wbinfo -n EXAMPLE\\rowland
# --> SID2 --> S-1-5-21-3684522210-1888564150-245155842-1103 SID_USER (1)

wbinfo -n S-1-5-21-3684522210-1888564150-245155842-1103
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name S-1-5-21-3684522210-1888564150-245155842-1103

Did you mean wbinfo -s ?

wbinfo -s S-1-5-21-3684522210-1888564150-245155842-1103
EXAMPLE\rowland 1

wbinfo --sid-to-uid S-1-5-21-3684522210-1888564150-245155842-1103
10000

But:

getent group Domain\ Users
domain users:x:10000:

getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false

As you can see, the user's home directory & login shell are not being
pulled from AD. In fact it is a bit worse now than before; at least
before, you could use /home/DOMAIN/username, but now??

Thanks for the help

Rowland

>
> These should work. Please paste the results.
> Let's see further after that.
>
> I am not certain whether winbindd runs with some special
> parameters in the samba-ad setup. I would need to dig into the
> code for that but it is too late Sunday night for that...
> More later. :-)
>
> Cheers - Michael
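An added example, not part of the thread and not Samba's own code: a small Python checker for the kind of smb.conf mistake Michael spotted above, namely an `idmap config DOM` block whose DOM is not the configured `workgroup` (so users of the primary domain silently fall through to the `*` default backend and get ids from the wrong range), plus overlapping or missing idmap ranges. The sample config is constructed to reproduce the posted HOME-vs-EXAMPLE mismatch; the `trusted_domains` parameter is this example's own way of whitelisting extra domains that legitimately have their own block.

```python
"""Consistency checker for the winbind idmap layout in an smb.conf [global] section.

Added example for the thread above, not Samba code. It reports:
  * an idmap config block for a domain that is neither '*', the workgroup,
    nor a listed trusted domain (typo / cut-and-paste error),
  * a primary domain with no idmap block at all (falls through to '*'),
  * blocks without backend/range, and idmap ranges that overlap.
"""
import re

# Constructed sample reproducing the posted config: workgroup is EXAMPLE,
# but the ad backend block is written for a non-existent domain HOME.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
        workgroup = EXAMPLE
        realm = example.com
        server role = active directory domain controller
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config HOME : backend  = ad
        idmap config HOME : range = 10000-999999
        idmap config HOME : schema_mode = rfc2307

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
"""

IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)$", re.IGNORECASE)


def parse_global(text):
    """Return {key: value} for the [global] section only.

    Keys are lower-cased with inner whitespace collapsed, so
    'backend  = ad' and 'backend = ad' yield the same key.
    """
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.split()).lower()] = value.strip()
    return params


def idmap_domains(params):
    """Group 'idmap config DOM : opt' parameters as {DOM: {opt: value}}."""
    domains = {}
    for key, value in params.items():
        m = IDMAP_RE.match(key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
    return domains


def parse_range(value):
    """Parse 'LOW-HIGH' into (low, high); raises ValueError on junk."""
    lo, hi = value.replace(" ", "").split("-")
    return int(lo), int(hi)


def check_idmap(text, trusted_domains=()):
    """Return a list of problem strings; an empty list means the layout looks sane."""
    params = parse_global(text)
    workgroup = params.get("workgroup", "").upper()
    known = {"*", workgroup} | {d.upper() for d in trusted_domains}
    domains = idmap_domains(params)
    problems = []

    if "*" not in domains:
        problems.append("no 'idmap config * : backend' default block")
    if workgroup and workgroup not in domains:
        problems.append(f"primary domain {workgroup} has no idmap config block; "
                        "its users will fall through to the '*' backend")

    ranges = []
    for dom, opts in domains.items():
        if dom not in known:
            problems.append(f"idmap config {dom}: not the workgroup ({workgroup or '?'}) "
                            "nor a listed trusted domain (typo or cut-and-paste error?)")
        if "backend" not in opts:
            problems.append(f"idmap config {dom}: backend not set")
        if "range" not in opts:
            problems.append(f"idmap config {dom}: range not set")
            continue
        try:
            lo, hi = parse_range(opts["range"])
        except ValueError:
            problems.append(f"idmap config {dom}: unparsable range '{opts['range']}'")
            continue
        if lo > hi:
            problems.append(f"idmap config {dom}: range {lo}-{hi} is inverted")
        ranges.append((dom, lo, hi))

    # Ranges of different idmap domains must not overlap, or two SIDs can
    # resolve to the same uid/gid.
    ranges.sort(key=lambda r: r[1])
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"idmap ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    return problems


if __name__ == "__main__":
    for problem in check_idmap(SAMPLE_SMB_CONF):
        print("WARN:", problem)
```

Run against the constructed sample it reports two findings (the stray HOME block and the missing EXAMPLE block); renaming HOME to EXAMPLE clears both, which is the same one-word fix Michael pointed at. Only the `[global]` section is inspected, since that is where winbind reads idmap parameters from.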
