4.2rc2 and winbindd

Rowland Penny repenny241155 at gmail.com
Mon Oct 20 02:35:17 MDT 2014


On 20/10/14 09:24, Rowland Penny wrote:
> On 19/10/14 23:55, Michael Adam wrote:
>> On 2014-10-19 at 13:46 +0100, Rowland Penny wrote:
>>> OK, I have compiled 4.2rc2 on Debian 7.5 running in a VM and set up
>>> a test DC. this was set up to test the new (old?) winbindd. From
>>> what I have read this is exactly the same daemon that would be run
>>> if I setup a client and presumably needs the same configuration in
>>> smb.conf.
>>>
>>> Therefore, after provision, I changed smb.conf to this:
>>>
>>> # Global parameters
>>> [global]
>>>          workgroup = EXAMPLE
>>>          realm = example.com
>>>          netbios name = DEBDC
>>>          server role = active directory domain controller
>>>          dns forwarder = 8.8.8.8
>>>          idmap_ldb:use rfc2307 = yes
>>>          dedicated keytab file = /etc/krb5.keytab
>>>          kerberos method = secrets and keytab
>>>          winbind enum users = yes
>>>          winbind enum groups = yes
>>>          winbind use default domain = yes
>>>          winbind expand groups = 4
>>>          winbind nss info = rfc2307
>>>          winbind refresh tickets = Yes
>>>          winbind normalize names = Yes
>>>          idmap config * : backend = tdb
>>>          idmap config * : range = 2000-9999
>>>          idmap config HOME : backend  = ad
>>>          idmap config HOME : range = 10000-999999
>>>          idmap config HOME : schema_mode = rfc2307
>>>          log level = 9
>>>
>>> [netlogon]
>>>          path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>          read only = No
>>>
>>> [sysvol]
>>>          path = /usr/local/samba/var/locks/sysvol
>>>          read only = No
>>>
>>> This is based on a working samba 4.1.6 client.
>>>
>>> I gave Domain Users a gidNumber, created a user, gave the user a
>>> uidNumber and the loginShell & unixHomeDirectory attributes.
>>>
>>> Everything else is setup as standard.
>>>
>>> wbinfo -u shows all domain users, wbinfo -g shows all domain groups.
>>>
>>> getent passwd & getent group, do not display anything from the domain
>>>
>>> getent group Domain\ Users displays:
>>>
>>> domain_users:x:10000:
>>>
>>> getent passwd rowland displays:
>>>
>>> rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false
>>>
>>> As you can see, like the old builtin winbind, the users uidNumber
>>> and the Domain Users gidNumber are displayed. The unixHomeDirectory
>>> & loginShell attributes do not seem to be pulled from AD, are they
>>> supposed to be ?
>>>
>>> Am I barking up the wrong tree ? Am I doing something wrong or not
>>> doing something I should ?
>
> Hello michael, see inline comments.
>
>> While I have not tested this myself yet, it is well possible
>> that you have found a problem with the still very new
>> samba-winbindd-setup.
>>
>> For a start, with a few remarks I can only try and guide you to
>> test it yourself, and possibly find the problem, but Andrew
>> should comment, indeed.
>>
>> Could you set these
>>
>>>          winbind use default domain = yes
>>>          winbind normalize names = Yes
>> to "no? Especially the default domain.
>
> Done.
>
>>
>> It is strange that in your example, "domain users", which should
>> be of the primary domain EXAMPLE, is resolved to 10000 of the
>> HOME home domain... Does that HOME domain exist in fact?
>
> DOH! thank you for pointing out the very obvious 'cut & paste error' 
> ;-) , altering it makes no difference however.
>
>> Could you then test the atomic winbindd id mapping and name
>> resolution commands instead of the aggregate nsswitch commands
>> to test things:
>> wbinfo -n EXAMPLE\\Domain\ Users
>> # --> SID
>> wbinfo -s SID
>> wbinfo --sid-to-gid SID
>> wbinfo -n EXAMPLE\\rowland
>> # --> SID2
>> wbinfo -n SID2
>> wbinfo --sid-to-uid SID2
>
> OK, here are the results:
>
> wbinfo -n EXAMPLE\\Domain\ Users
> # --> SID --> S-1-5-21-3684522210-1888564150-245155842-513 
> SID_DOM_GROUP (2)
> wbinfo -s S-1-5-21-3684522210-1888564150-245155842-513
> EXAMPLE\Domain Users 2
>
> wbinfo --sid-to-gid S-1-5-21-3684522210-1888564150-245155842-513
> 10000
>
> wbinfo -n EXAMPLE\\rowland
> # --> SID2 --> S-1-5-21-3684522210-1888564150-245155842-1103 SID_USER (1)
>
> wbinfo -n S-1-5-21-3684522210-1888564150-245155842-1103
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name S-1-5-21-3684522210-1888564150-245155842-1103
>
> Did you mean wbinfo -s ?
>
> wbinfo -s S-1-5-21-3684522210-1888564150-245155842-1103
> EXAMPLE\rowland 1
>
> wbinfo --sid-to-uid S-1-5-21-3684522210-1888564150-245155842-1103
> 10000
>
> But:
>
> getent group Domain\ Users
> domain users:x:10000:
>
> getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false
>
> As you can see the users home directory & login shell are not being 
> pulled from AD, in fact it is a bit worse now than before, at least 
> before, you could use /home/DOMAIN/username but now ??
>
> Thanks for the help
>
> Rowland
>
>>
>> These should work. Please paste the results.
>> Let's see further after that.
>>
>> I am not certan whether winbindd runs with some special
>> parameters in the samba-ad setup. I would need dig into the
>> code for that but it is too late Sunday night for that...
>> More late. :-)
>>
>> Cheers - Michael
>
Hi michael, authentication works:

root at debDC:~/samba-4.2.0rc2# id rowland
uid=10000(rowland) gid=10000(domain users) groups=10000(domain 
users),3000009(BUILTIN\users)
root at debDC:~/samba-4.2.0rc2# mkdir -p /home/test/rowland
root at debDC:~/samba-4.2.0rc2# ls -la /home/test/rowland
total 8
drwxr-xr-x 2 root root 4096 Oct 20 09:30 .
drwxr-xr-x 3 root root 4096 Oct 20 09:30 ..
root at debDC:~/samba-4.2.0rc2# chown rowland:Domain\ Users /home/test/rowland
root at debDC:~/samba-4.2.0rc2# ls -la /home/test/rowland
total 8
drwxr-xr-x 2 rowland domain users 4096 Oct 20 09:30 .
drwxr-xr-x 3 root    root         4096 Oct 20 09:30 ..

Rowland



More information about the samba-technical mailing list