4.2rc2 and winbindd

Michael Adam obnox at samba.org
Mon Oct 20 02:58:23 MDT 2014


On 2014-10-20 at 09:24 +0100, Rowland Penny wrote:
> On 19/10/14 23:55, Michael Adam wrote:
> >On 2014-10-19 at 13:46 +0100, Rowland Penny wrote:
> >>OK, I have compiled 4.2rc2 on Debian 7.5 running in a VM and set up
> >>a test DC. This was set up to test the new (old?) winbindd. From
> >>what I have read this is exactly the same daemon that would be run
> >>if I set up a client and presumably needs the same configuration in
> >>smb.conf.
> >>
> >>Therefore, after provision, I changed smb.conf to this:
> >>
> >># Global parameters
> >>[global]
> >>         workgroup = EXAMPLE
> >>         realm = example.com
> >>         netbios name = DEBDC
> >>         server role = active directory domain controller
> >>         dns forwarder = 8.8.8.8
> >>         idmap_ldb:use rfc2307 = yes
> >>         dedicated keytab file = /etc/krb5.keytab
> >>         kerberos method = secrets and keytab
> >>         winbind enum users = yes
> >>         winbind enum groups = yes
> >>         winbind use default domain = yes
> >>         winbind expand groups = 4
> >>         winbind nss info = rfc2307
> >>         winbind refresh tickets = Yes
> >>         winbind normalize names = Yes
> >>         idmap config * : backend = tdb
> >>         idmap config * : range = 2000-9999
> >>         idmap config HOME : backend  = ad
> >>         idmap config HOME : range = 10000-999999
> >>         idmap config HOME : schema_mode = rfc2307
> >>         log level = 9
> >>
> >>[netlogon]
> >>         path = /usr/local/samba/var/locks/sysvol/example.com/scripts
> >>         read only = No
> >>
> >>[sysvol]
> >>         path = /usr/local/samba/var/locks/sysvol
> >>         read only = No
> >>
> >>This is based on a working samba 4.1.6 client.
> >>
> >>I gave Domain Users a gidNumber, created a user, gave the user a
> >>uidNumber and the loginShell & unixHomeDirectory attributes.
> >>
> >>Everything else is setup as standard.
> >>
> >>wbinfo -u shows all domain users, wbinfo -g shows all domain groups.
> >>
> >>getent passwd & getent group do not display anything from the domain
> >>
> >>getent group Domain\ Users displays:
> >>
> >>domain_users:x:10000:
> >>
> >>getent passwd rowland displays:
> >>
> >>rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false
> >>
> >>As you can see, like the old builtin winbind, the user's uidNumber
> >>and the Domain Users gidNumber are displayed. The unixHomeDirectory
> >>& loginShell attributes do not seem to be pulled from AD, are they
> >>supposed to be?
> >>
> >>Am I barking up the wrong tree? Am I doing something wrong or not
> >>doing something I should?
> 
> Hello Michael, see inline comments.
> 
> >While I have not tested this myself yet, it is well possible
> >that you have found a problem with the still very new
> >samba-winbindd-setup.
> >
> >For a start, with a few remarks I can only try and guide you to
> >test it yourself, and possibly find the problem, but Andrew
> >should comment, indeed.
> >
> >Could you set these
> >
> >>         winbind use default domain = yes
> >>         winbind normalize names = Yes
> >to "no"? Especially the default domain.
> 
> Done.
> 
> >
> >It is strange that in your example, "domain users", which should
> >be of the primary domain EXAMPLE, is resolved to 10000 of the
> >HOME home domain... Does that HOME domain exist in fact?
> 
> DOH! Thank you for pointing out the very obvious 'cut & paste error'
> ;-),

Good.

> altering it makes no difference however.

Strange!

> >Could you then test the atomic winbindd id mapping and name
> >resolution commands instead of the aggregate nsswitch commands
> >to test things:
> >wbinfo -n EXAMPLE\\Domain\ Users
> ># --> SID
> >wbinfo -s SID
> >wbinfo --sid-to-gid SID
> >wbinfo -n EXAMPLE\\rowland
> ># --> SID2
> >wbinfo -n SID2
> >wbinfo --sid-to-uid SID2
> 
> OK, here are the results:
> 
> wbinfo -n EXAMPLE\\Domain\ Users
> # --> SID --> S-1-5-21-3684522210-1888564150-245155842-513 SID_DOM_GROUP (2)
> wbinfo -s S-1-5-21-3684522210-1888564150-245155842-513
> EXAMPLE\Domain Users 2
> 
> wbinfo --sid-to-gid S-1-5-21-3684522210-1888564150-245155842-513
> 10000
> 
> wbinfo -n EXAMPLE\\rowland
> # --> SID2 --> S-1-5-21-3684522210-1888564150-245155842-1103 SID_USER (1)
> 
> wbinfo -n S-1-5-21-3684522210-1888564150-245155842-1103
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name S-1-5-21-3684522210-1888564150-245155842-1103
> 
> Did you mean wbinfo -s ?

Yes!

> wbinfo -s S-1-5-21-3684522210-1888564150-245155842-1103
> EXAMPLE\rowland 1
> 
> wbinfo --sid-to-uid S-1-5-21-3684522210-1888564150-245155842-1103
> 10000

Looks good so far.
Could you test with more objects (user/groups)?

> But:
> 
> getent group Domain\ Users
> domain users:x:10000:

Looks OK.

> getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false
> 
> As you can see, the user's home directory & login shell are not being
> pulled from AD. In fact it is a bit worse now than before; at least
> before you could use /home/DOMAIN/username, but now??

This seems to be the "template home dir" and template
shell options from s3, along with the "nss info" piece
of winbindd.

- First problem is that it seems the substitutions are not done here.
  This is strange, since at least the nsswitch-level code seems
  to use it. I think we need a bug report for this.

- Second problem is that you actually want to use the nss info
  from AD (SFU) and not from the template.
  This is where the "winbind nss info" parameter comes into play.
  You can give it a list of entries of the form
  "backend[:domain]", where backend can currently be one of
  template, sfu, sfu20, and rfc2307. sfu, sfu20 and rfc2307 are
  all variants of SFU.
  You should do something like

  "winbind nss info = sfu:EXAMPLE, template"

  or vary the "sfu" in the first entry.

Let's see how that goes.

Cheers - Michael
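As an added example, not code from this thread or from Samba, here is a small Python checker for the smb.conf problems discussed above: an "idmap config DOMAIN" entry whose domain name is not the workgroup (the cut & paste error), overlapping idmap ranges, and a "winbind nss info" entry whose backend is not one of template, sfu, sfu20 or rfc2307. The smb.conf text is constructed after the one in the thread, and the parser is deliberately minimal (it reads only the [global] section).

```python
import re
# Constructed smb.conf fragment modelled on the thread's: idmap domain HOME != workgroup EXAMPLE.
SMB_CONF = """\
[global]
        workgroup = EXAMPLE
        winbind nss info = rfc2307
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config HOME : backend  = ad
        idmap config HOME : range = 10000-999999
"""
NSS_BACKENDS = {"template", "sfu", "sfu20", "rfc2307"}  # backends named in the reply

def parse_global(text):
    # Minimal smb.conf reader: {normalised key: value} for the [global] section only.
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()  # collapse blanks
    return params

def check_winbind_config(text):
    # Returns a list of findings; an empty list means nothing looked wrong.
    p, findings, idmap, ranges = parse_global(text), [], {}, {}
    workgroup = p.get("workgroup", "").upper()
    for key, value in p.items():
        if m := re.match(r"idmap config (\S+) : (\w+)$", key):
            idmap.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    for dom, cfg in idmap.items():
        if dom not in ("*", workgroup):  # the thread's cut & paste error
            findings.append(f"idmap config {dom}: not the workgroup {workgroup}")
        if r := re.fullmatch(r"(\d+)-(\d+)", cfg.get("range", "")):
            ranges[dom] = (int(r[1]), int(r[2]))
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:  # every pair of domains needs disjoint ranges
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges of {a} and {b} overlap")
    for entry in re.split(r"[\s,]+", p.get("winbind nss info", "template")):
        backend = entry.partition(":")[0]  # entries have the form backend[:domain]
        if backend.lower() not in NSS_BACKENDS:
            findings.append(f"winbind nss info: unknown backend {backend!r}")
    return findings
```

Running check_winbind_config(SMB_CONF) reports only the HOME/EXAMPLE mismatch; after renaming the idmap domain to EXAMPLE and setting "winbind nss info = sfu:EXAMPLE, template" as suggested above, it reports nothing.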