4.2rc2 and winbindd

Rowland Penny repenny241155 at gmail.com
Mon Oct 20 03:32:36 MDT 2014


On 20/10/14 09:58, Michael Adam wrote:
> On 2014-10-20 at 09:24 +0100, Rowland Penny wrote:
>> On 19/10/14 23:55, Michael Adam wrote:
>>> On 2014-10-19 at 13:46 +0100, Rowland Penny wrote:
>>>> OK, I have compiled 4.2rc2 on Debian 7.5 running in a VM and set up
>>>> a test DC. this was set up to test the new (old?) winbindd. From
>>>> what I have read this is exactly the same daemon that would be run
>>>> if I setup a client and presumably needs the same configuration in
>>>> smb.conf.
>>>>
>>>> Therefore, after provision, I changed smb.conf to this:
>>>>
>>>> # Global parameters
>>>> [global]
>>>>          workgroup = EXAMPLE
>>>>          realm = example.com
>>>>          netbios name = DEBDC
>>>>          server role = active directory domain controller
>>>>          dns forwarder = 8.8.8.8
>>>>          idmap_ldb:use rfc2307 = yes
>>>>          dedicated keytab file = /etc/krb5.keytab
>>>>          kerberos method = secrets and keytab
>>>>          winbind enum users = yes
>>>>          winbind enum groups = yes
>>>>          winbind use default domain = yes
>>>>          winbind expand groups = 4
>>>>          winbind nss info = rfc2307
>>>>          winbind refresh tickets = Yes
>>>>          winbind normalize names = Yes
>>>>          idmap config * : backend = tdb
>>>>          idmap config * : range = 2000-9999
>>>>          idmap config HOME : backend  = ad
>>>>          idmap config HOME : range = 10000-999999
>>>>          idmap config HOME : schema_mode = rfc2307
>>>>          log level = 9
>>>>
>>>> [netlogon]
>>>>          path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>>          read only = No
>>>>
>>>> [sysvol]
>>>>          path = /usr/local/samba/var/locks/sysvol
>>>>          read only = No
>>>>
>>>> This is based on a working samba 4.1.6 client.
>>>>
>>>> I gave Domain Users a gidNumber, created a user, gave the user a
>>>> uidNumber and the loginShell & unixHomeDirectory attributes.
>>>>
>>>> Everything else is setup as standard.
>>>>
>>>> wbinfo -u shows all domain users, wbinfo -g shows all domain groups.
>>>>
>>>> getent passwd & getent group, do not display anything from the domain
>>>>
>>>> getent group Domain\ Users displays:
>>>>
>>>> domain_users:x:10000:
>>>>
>>>> getent passwd rowland displays:
>>>>
>>>> rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false
>>>>
>>>> As you can see, like the old builtin winbind, the users uidNumber
>>>> and the Domain Users gidNumber are displayed. The unixHomeDirectory
>>>> & loginShell attributes do not seem to be pulled from AD, are they
>>>> supposed to be ?
>>>>
>>>> Am I barking up the wrong tree ? Am I doing something wrong or not
>>>> doing something I should ?
>> Hello michael, see inline comments.
>>
>>> While I have not tested this myself yet, it is well possible
>>> that you have found a problem with the still very new
>>> samba-winbindd-setup.
>>>
>>> For a start, with a few remarks I can only try and guide you to
>>> test it yourself, and possibly find the problem, but Andrew
>>> should comment, indeed.
>>>
>>> Could you set these
>>>
>>>>          winbind use default domain = yes
>>>>          winbind normalize names = Yes
>>> to "no? Especially the default domain.
>> Done.
>>
>>> It is strange that in your example, "domain users", which should
>>> be of the primary domain EXAMPLE, is resolved to 10000 of the
>>> HOME home domain... Does that HOME domain exist in fact?
>> DOH! thank you for pointing out the very obvious 'cut & paste error'
>> ;-) ,
> Good.
>
>> altering it makes no difference however.
> Strange!
>
>>> Could you then test the atomic winbindd id mapping and name
>>> resolution commands instead of the aggregate nsswitch commands
>>> to test things:
>>> wbinfo -n EXAMPLE\\Domain\ Users
>>> # --> SID
>>> wbinfo -s SID
>>> wbinfo --sid-to-gid SID
>>> wbinfo -n EXAMPLE\\rowland
>>> # --> SID2
>>> wbinfo -n SID2
>>> wbinfo --sid-to-uid SID2
>> OK, here are the results:
>>
>> wbinfo -n EXAMPLE\\Domain\ Users
>> # --> SID --> S-1-5-21-3684522210-1888564150-245155842-513 SID_DOM_GROUP (2)
>> wbinfo -s S-1-5-21-3684522210-1888564150-245155842-513
>> EXAMPLE\Domain Users 2
>>
>> wbinfo --sid-to-gid S-1-5-21-3684522210-1888564150-245155842-513
>> 10000
>>
>> wbinfo -n EXAMPLE\\rowland
>> # --> SID2 --> S-1-5-21-3684522210-1888564150-245155842-1103 SID_USER (1)
>>
>> wbinfo -n S-1-5-21-3684522210-1888564150-245155842-1103
>> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not lookup name S-1-5-21-3684522210-1888564150-245155842-1103
>>
>> Did you mean wbinfo -s ?
> Yes!
>
>> wbinfo -s S-1-5-21-3684522210-1888564150-245155842-1103
>> EXAMPLE\rowland 1
>>
>> wbinfo --sid-to-uid S-1-5-21-3684522210-1888564150-245155842-1103
>> 10000
> Looks good so far.
> Could you test with more objects (user/groups)?
>
>> But:
>>
>> getent group Domain\ Users
>> domain users:x:10000:
> Looks OK.
>
>> getent passwd rowland
>> rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false
>>
>> As you can see the users home directory & login shell are not being
>> pulled from AD, in fact it is a bit worse now than before, at least
>> before, you could use /home/DOMAIN/username but now ??
> This seems to be the "template home dir" and template
> shell options from s3, along with the "nss info" piece
> of winbindd.
>
> - First problem is that it seems the substitutions are not done here.
>    This is strange, since at least the nsswitch-level code seems
>    to use it. I think we need a bug report for this.
>
> - Second problem is that you actually want to use the nss info
>    from AD (SFU) and not from the template.
>    This is where the "winbind nss info" parameter comes into play.
>    You can give it a list of entries of the form
>    "backend[:domain]", where backend can currently be one of
>    template,sfu,sfu20, and rfc2307. sfu,sfu20 and rfc2307 are
>    all variants of SFU.
>    You should do something like
>
>    "winbind nss info = sfu:EXAMPLE, template"
>
>    or vary the "sfu" in the first entry.
>
> Let's see how that goes.
>
> Cheers - Michael
OK Michael, I have tried all possible combinations and it makes no 
difference, no home directory and no login shell. I cannot try with any 
other users, there are no other users, I suppose I could create some, 
but I feel that I would be wasting my time, the problem surely is in the 
code and not the number of users.

The winbind setup that I added to smb.conf was 'cut & pasted' from my 
working Linux Mint 17 laptop (4.1.6) and it works. My next step will be 
to set up another VM, compile 4.2rc2 again but this time set it up as 
client against my test DC, lets see what happens ;-)

Rowland


More information about the samba-technical mailing list