4.2rc2 and winbindd

Michael Adam obnox at samba.org
Mon Oct 20 05:44:42 MDT 2014


On 2014-10-20 at 10:32 +0100, Rowland Penny wrote:
> On 20/10/14 09:58, Michael Adam wrote:
> >On 2014-10-20 at 09:24 +0100, Rowland Penny wrote:
> >>On 19/10/14 23:55, Michael Adam wrote:
> >>>On 2014-10-19 at 13:46 +0100, Rowland Penny wrote:
> >>>>OK, I have compiled 4.2rc2 on Debian 7.5 running in a VM and set up
> >>>>a test DC. This was set up to test the new (old?) winbindd. From
> >>>>what I have read this is exactly the same daemon that would be run
> >>>>if I set up a client and presumably needs the same configuration in
> >>>>smb.conf.
> >>>>
> >>>>Therefore, after provision, I changed smb.conf to this:
> >>>>
> >>>># Global parameters
> >>>>[global]
> >>>>         workgroup = EXAMPLE
> >>>>         realm = example.com
> >>>>         netbios name = DEBDC
> >>>>         server role = active directory domain controller
> >>>>         dns forwarder = 8.8.8.8
> >>>>         idmap_ldb:use rfc2307 = yes
> >>>>         dedicated keytab file = /etc/krb5.keytab
> >>>>         kerberos method = secrets and keytab
> >>>>         winbind enum users = yes
> >>>>         winbind enum groups = yes
> >>>>         winbind use default domain = yes
> >>>>         winbind expand groups = 4
> >>>>         winbind nss info = rfc2307
> >>>>         winbind refresh tickets = Yes
> >>>>         winbind normalize names = Yes
> >>>>         idmap config * : backend = tdb
> >>>>         idmap config * : range = 2000-9999
> >>>>         idmap config HOME : backend  = ad
> >>>>         idmap config HOME : range = 10000-999999
> >>>>         idmap config HOME : schema_mode = rfc2307
> >>>>         log level = 9
> >>>>
> >>>>[netlogon]
> >>>>         path = /usr/local/samba/var/locks/sysvol/example.com/scripts
> >>>>         read only = No
> >>>>
> >>>>[sysvol]
> >>>>         path = /usr/local/samba/var/locks/sysvol
> >>>>         read only = No
> >>>>
> >>>>This is based on a working samba 4.1.6 client.
> >>>>
> >>>>I gave Domain Users a gidNumber, created a user, gave the user a
> >>>>uidNumber and the loginShell & unixHomeDirectory attributes.
> >>>>
> >>>>Everything else is setup as standard.
> >>>>
> >>>>wbinfo -u shows all domain users, wbinfo -g shows all domain groups.
> >>>>
> >>>>getent passwd & getent group do not display anything from the domain
> >>>>
> >>>>getent group Domain\ Users displays:
> >>>>
> >>>>domain_users:x:10000:
> >>>>
> >>>>getent passwd rowland displays:
> >>>>
> >>>>rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false
> >>>>
> >>>>As you can see, like the old builtin winbind, the user's uidNumber
> >>>>and the Domain Users gidNumber are displayed. The unixHomeDirectory
> >>>>& loginShell attributes do not seem to be pulled from AD, are they
> >>>>supposed to be?
> >>>>
> >>>>Am I barking up the wrong tree? Am I doing something wrong or not
> >>>>doing something I should?
> >>Hello Michael, see inline comments.
> >>
> >>>While I have not tested this myself yet, it is well possible
> >>>that you have found a problem with the still very new
> >>>samba-winbindd-setup.
> >>>
> >>>For a start, with a few remarks I can only try and guide you to
> >>>test it yourself, and possibly find the problem, but Andrew
> >>>should comment, indeed.
> >>>
> >>>Could you set these
> >>>
> >>>>         winbind use default domain = yes
> >>>>         winbind normalize names = Yes
> >>>to "no"? Especially the default domain.
> >>Done.
> >>
> >>>It is strange that in your example, "domain users", which should
> >>>be of the primary domain EXAMPLE, is resolved to 10000 of the
> >>>HOME home domain... Does that HOME domain exist in fact?
> >>DOH! Thank you for pointing out the very obvious 'cut & paste error'
> >>;-),
> >Good.
> >
> >>altering it makes no difference however.
> >Strange!
> >
> >>>Could you then test the atomic winbindd id mapping and name
> >>>resolution commands instead of the aggregate nsswitch commands
> >>>to test things:
> >>>wbinfo -n EXAMPLE\\Domain\ Users
> >>># --> SID
> >>>wbinfo -s SID
> >>>wbinfo --sid-to-gid SID
> >>>wbinfo -n EXAMPLE\\rowland
> >>># --> SID2
> >>>wbinfo -n SID2
> >>>wbinfo --sid-to-uid SID2
> >>OK, here are the results:
> >>
> >>wbinfo -n EXAMPLE\\Domain\ Users
> >># --> SID --> S-1-5-21-3684522210-1888564150-245155842-513 SID_DOM_GROUP (2)
> >>wbinfo -s S-1-5-21-3684522210-1888564150-245155842-513
> >>EXAMPLE\Domain Users 2
> >>
> >>wbinfo --sid-to-gid S-1-5-21-3684522210-1888564150-245155842-513
> >>10000
> >>
> >>wbinfo -n EXAMPLE\\rowland
> >># --> SID2 --> S-1-5-21-3684522210-1888564150-245155842-1103 SID_USER (1)
> >>
> >>wbinfo -n S-1-5-21-3684522210-1888564150-245155842-1103
> >>failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> >>Could not lookup name S-1-5-21-3684522210-1888564150-245155842-1103
> >>
> >>Did you mean wbinfo -s ?
> >Yes!
> >
> >>wbinfo -s S-1-5-21-3684522210-1888564150-245155842-1103
> >>EXAMPLE\rowland 1
> >>
> >>wbinfo --sid-to-uid S-1-5-21-3684522210-1888564150-245155842-1103
> >>10000
> >Looks good so far.
> >Could you test with more objects (user/groups)?
> >
> >>But:
> >>
> >>getent group Domain\ Users
> >>domain users:x:10000:
> >Looks OK.
> >
> >>getent passwd rowland
> >>rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false
> >>
> >>As you can see, the user's home directory & login shell are not being
> >>pulled from AD; in fact it is a bit worse now than before. At least
> >>before, you could use /home/DOMAIN/username, but now??
> >This seems to be the "template home dir" and template
> >shell options from s3, along with the "nss info" piece
> >of winbindd.
> >
> >- First problem is that it seems the substitutions are not done here.
> >   This is strange, since at least the nsswitch-level code seems
> >   to use it. I think we need a bug report for this.
> >
> >- Second problem is that you actually want to use the nss info
> >   from AD (SFU) and not from the template.
> >   This is where the "winbind nss info" parameter comes into play.
> >   You can give it a list of entries of the form
> >   "backend[:domain]", where backend can currently be one of
> >   template,sfu,sfu20, and rfc2307. sfu,sfu20 and rfc2307 are
> >   all variants of SFU.
> >   You should do something like
> >
> >   "winbind nss info = sfu:EXAMPLE, template"
> >
> >   or vary the "sfu" in the first entry.
> >
> >Let's see how that goes.
> >
> >Cheers - Michael
> 
> OK Michael, I have tried all possible combinations and it makes no
> difference: no home directory and no login shell. I cannot try with
> any other users, there are no other users. I suppose I could create
> some,

Yeah that was my request.

> but I feel that I would be wasting my time, the problem surely
> is in the code and not the number of users.

I was trying to see whether the id mapping works with more
than one example. I do of course not expect the homedir/shell
info to be correct for a second/third/... user. ;-)

> The winbind setup that I added to smb.conf was 'cut & pasted' from
> my working Linux Mint 17 laptop (4.1.6) and it works. My next step
> will be to set up another VM, compile 4.2rc2 again but this time set
> it up as a client against my test DC, let's see what happens ;-)

Ok. I think the DC-with-winbindd scenario is special here,
I just need to understand how.

Cheers - Michael
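A diagnostic script assembled from the "atomic" wbinfo lookups Michael suggests above and the symptom Rowland reports (template substitutions such as %D/%U left unexpanded in the passwd entry). This is an added example, not code from either participant or from Samba; it assumes wbinfo and getent are on PATH and winbindd is running for the live checks, while the parsing helpers work on captured output alone.

```shell
#!/bin/sh
# Run as: ./winbind-check.sh 'EXAMPLE\Domain Users' 'EXAMPLE\rowland'
# Names are resolved name -> SID -> name -> uid/gid with wbinfo, then the
# nsswitch view from getent is shown and checked for unexpanded templates.

# Extract the SID from a "wbinfo -n" result such as
# "S-1-5-21-...-513 SID_DOM_GROUP (2)"; prints nothing if no SID is present.
sid_of() {
    printf '%s\n' "$1" | sed -n 's/^\(S-[0-9-]*\) .*/\1/p'
}

# Object type number from the same line: 1 = user, 2 = domain group.
type_of() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9]*\))$/\1/p'
}

# True when a passwd/group entry still contains a %X substitution token,
# i.e. "template homedir"/"template shell" were emitted without expansion.
has_unexpanded() {
    case "$1" in *%[A-Za-z]*) return 0 ;; esac
    return 1
}

# Full check for one DOMAIN\name; the short name is what getent is asked for.
check_name() {
    line=$(wbinfo -n "$1") || { echo "lookup failed: $1"; return 1; }
    sid=$(sid_of "$line"); kind=$(type_of "$line")
    echo "$1 -> $sid (type $kind)"
    wbinfo -s "$sid"                       # reverse lookup should give $1 back
    short=${1##*\\}
    if [ "$kind" = 1 ]; then
        wbinfo --sid-to-uid "$sid"
        pw=$(getent passwd "$short")
        echo "$pw"
        if has_unexpanded "$pw"; then
            echo "WARNING: unexpanded template in passwd entry for $short"
        fi
    else
        wbinfo --sid-to-gid "$sid"
        getent group "$short"
    fi
}

# Live checks only run where winbindd's client tool is installed.
if command -v wbinfo >/dev/null 2>&1; then
    for n in "$@"; do check_name "$n"; done
fi
```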