[Samba] w2k3 r2/winbind/idmap - 3.0.23a
Neal A. Lucier
nlucier at math.purdue.edu
Fri Jul 28 17:08:02 GMT 2006
I believe I have a config problem, but let me first explain what I'm
trying to accomplish and then I'll dump all the logs, etc.

w2k3 r2 domain server: hilbert.math.purdue.edu
samba server: gram.math.purdue.edu
realm: MATH.PURDUE.EDU
domain: MATH

Currently my entire environment is all Solaris, with users stored in
LDAP and home directories shared via NFS. I am using Sun's Identity
Synchronization for Windows to populate my w2k3 r2 server with users and
to ensure that the rfc2307 attributes are synced with my LDAP source.

I only want to use Samba to share out home directories, but only for
Domain Users that have rfc2307 attributes defined for them; i.e., in my
current config "Administrator" cannot authenticate to my Samba server
and that's fine by me. In addition to this, I want the home directory
to be owned by MATH\username instead of GRAM\username.

In my current config I'm using nss_winbind against my ADS source, though
I would prefer to use nss_ldap against my LDAP source; otherwise, samba
has to run in a zone on my NFS server (not a show stopper).

Currently my home directory is showing in Windows with Owner:
S-1-5-21-3626241743-3430010330-1169397157-2002
and with Group
MATH\unix-other

I think the root of the problem is that I can do uid->uidNumber but not
uidNumber->uid on gram using winbind.

root@gram samba-3.0.23a # cat lib/smb.conf
[global]
workgroup = MATH
realm = MATH.PURDUE.EDU
security = ads
encrypt passwords = yes
idmap backend = ad
idmap uid = 1000-10000
idmap gid = 1000-10000
lanman auth = no
ntlm auth = no
winbind enum users = yes
winbind enum groups = yes
winbind nss info = rfc2307
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
root@gram samba-3.0.23a # bin/net getlocalsid
SID for domain GRAM is: S-1-5-21-3626241743-3430010330-1169397157

root@gram samba-3.0.23a # getent passwd "MATH\nlucier"
MATH\nlucier:*:501:1:Neal Antoine Lucier:/home/nlucier:/bin/tcsh
root@gram samba-3.0.23a # getent passwd 501
root@gram samba-3.0.23a #

root@gram samba-3.0.23a # getent group "MATH\unix-other"
MATH\unix-other:x:1:
root@gram samba-3.0.23a # getent group 1
other::1:root

root@gram /home # ls -l /home
total 2
drwxr-xr-x 16 501 other 512 Jul 25 11:40 nlucier/

root@gram samba-3.0.23a # grep winbind /etc/nsswitch.conf
passwd: files winbind
group: files winbind

****This is the log of the user nlucier connecting from HILBERT and
selecting "properties" on a folder in the home directory******

root@gram samba-3.0.23a # cat var/log.smbd
[2006/07/28 12:50:16, 0] smbd/server.c:main(847)
smbd version 3.0.23a started.
Copyright Andrew Tridgell and the Samba Team 1992-2006
[2006/07/28 12:50:17, 0] smbd/server.c:main(881)
standard input is not a socket, assuming -D option
[2006/07/28 12:50:17, 0] auth/auth_util.c:create_builtin_administrators(763)
create_builtin_administrators: Failed to create Administrators
[2006/07/28 12:50:17, 0] auth/auth_util.c:create_local_nt_token(872)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/07/28 12:50:17, 0] auth/auth_util.c:create_builtin_users(729)
create_builtin_users: Failed to create Users
[2006/07/28 12:50:17, 0] auth/auth_util.c:create_local_nt_token(899)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/07/28 12:50:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(310)
Username MATH\HILBERT$ is invalid on this system
[2006/07/28 12:50:23, 0] auth/auth_util.c:create_builtin_administrators(763)
create_builtin_administrators: Failed to create Administrators
[2006/07/28 12:50:23, 0] auth/auth_util.c:create_local_nt_token(872)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/07/28 12:50:23, 0] auth/auth_util.c:create_builtin_users(729)
create_builtin_users: Failed to create Users
[2006/07/28 12:50:23, 0] auth/auth_util.c:create_local_nt_token(899)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/07/28 12:50:23, 1] smbd/service.c:make_connection_snum(941)
128.210.3.22 (128.210.3.22) connect to service nlucier initially as
user MATH\nlucier (uid=501, gid=1) (pid 25797)
[2006/07/28 12:50:34, 1] smbd/sesssetup.c:reply_spnego_kerberos(310)
Username MATH\HILBERT$ is invalid on this system
[2006/07/28 12:50:34, 1] smbd/sesssetup.c:reply_spnego_kerberos(310)
Username MATH\HILBERT$ is invalid on this system
[2006/07/28 12:50:35, 0] auth/auth_util.c:create_builtin_administrators(763)
create_builtin_administrators: Failed to create Administrators
[2006/07/28 12:50:35, 0] auth/auth_util.c:create_local_nt_token(872)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/07/28 12:50:35, 0] auth/auth_util.c:create_builtin_users(729)
create_builtin_users: Failed to create Users
[2006/07/28 12:50:35, 0] auth/auth_util.c:create_local_nt_token(899)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/07/28 12:50:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(310)
Username MATH\HILBERT$ is invalid on this system
[2006/07/28 12:50:36, 0] auth/auth_util.c:create_builtin_administrators(763)
create_builtin_administrators: Failed to create Administrators
[2006/07/28 12:50:36, 0] auth/auth_util.c:create_local_nt_token(872)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/07/28 12:50:36, 0] auth/auth_util.c:create_builtin_users(729)
create_builtin_users: Failed to create Users
[2006/07/28 12:50:36, 0] auth/auth_util.c:create_local_nt_token(899)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/07/28 12:50:37, 0] auth/auth_util.c:create_builtin_administrators(763)
create_builtin_administrators: Failed to create Administrators
[2006/07/28 12:50:37, 0] auth/auth_util.c:create_local_nt_token(872)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/07/28 12:50:37, 0] auth/auth_util.c:create_builtin_users(729)
create_builtin_users: Failed to create Users
[2006/07/28 12:50:37, 0] auth/auth_util.c:create_local_nt_token(899)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/07/28 12:50:37, 0] auth/auth_util.c:create_builtin_administrators(763)
create_builtin_administrators: Failed to create Administrators
[2006/07/28 12:50:37, 0] auth/auth_util.c:create_local_nt_token(872)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2006/07/28 12:50:37, 0] auth/auth_util.c:create_builtin_users(729)
create_builtin_users: Failed to create Users
[2006/07/28 12:50:37, 0] auth/auth_util.c:create_local_nt_token(899)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
***LDIF dumps from ADS****
dn: CN=Neal Antoine Lucier,CN=Users,DC=math,DC=purdue,DC=edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Neal Antoine Lucier
sn: Lucier
givenName: Neal
initials: A
distinguishedName: CN=Neal Antoine Lucier,CN=Users,DC=math,DC=purdue,DC=edu
instanceType: 4
whenCreated: 20060724205917.0Z
whenChanged: 20060727203240.0Z
displayName: Neal Antoine Lucier
uSNCreated: 14046
memberOf: CN=Domain Users,CN=Users,DC=math,DC=purdue,DC=edu
uSNChanged: 16654
name: Neal Antoine Lucier
objectGUID:: KAc8FHeOlk+RCtOS+GU1LA==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 127983163550937500
lastLogoff: 0
lastLogon: 127985790209218750
pwdLastSet: 127982483572031250
primaryGroupID: 1113
objectSid:: AQUAAAAAAAUVAAAA1d5KxJSOAsluXD4OVgQAAA==
accountExpires: 9223372036854775807
logonCount: 37
sAMAccountName: nlucier
sAMAccountType: 805306368
userPrincipalName: nlucier at math.purdue.edu
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=math,DC=purdue,DC=edu
unixUserPassword: ABCD!efgh12345$67890
uid: nlucier
msSFU30Name: nlucier
msSFU30NisDomain: math
uidNumber: 501
gidNumber: 1
unixHomeDirectory: /home/nlucier
loginShell: /bin/tcsh

dn: CN=unix-other,CN=Users,DC=math,DC=purdue,DC=edu
objectClass: top
objectClass: group
cn: unix-other
distinguishedName: CN=unix-other,CN=Users,DC=math,DC=purdue,DC=edu
instanceType: 4
whenCreated: 20060727203057.0Z
whenChanged: 20060727203240.0Z
uSNCreated: 16634
uSNChanged: 16652
name: unix-other
objectGUID:: 3bszP63jDkKjC//KPHoGWg==
objectSid:: AQUAAAAAAAUVAAAA1d5KxJSOAsluXD4OWQQAAA==
sAMAccountName: unix-other
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=math,DC=purdue,DC=edu
msSFU30Name: unix-other
msSFU30NisDomain: math
gidNumber: 1

dn: CN=gram,CN=Computers,DC=math,DC=purdue,DC=edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: gram
distinguishedName: CN=gram,CN=Computers,DC=math,DC=purdue,DC=edu
instanceType: 4
whenCreated: 20060725193722.0Z
whenChanged: 20060725193723.0Z
uSNCreated: 16454
uSNChanged: 16460
name: gram
objectGUID:: Px81ZCjtw06s3gH53SsxuA==
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 127985792499843750
localPolicyFlags: 0
pwdLastSet: 0
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAA1d5KxJSOAsluXD4OWAQAAA==
accountExpires: 9223372036854775807
logonCount: 122
sAMAccountName: gram$
sAMAccountType: 805306369
dNSHostName: gram.math.purdue.edu
servicePrincipalName: HOST/gram.math.purdue.edu
servicePrincipalName: HOST/GRAM
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=math,DC=purdue,DC=edu
isCriticalSystemObject: FALSE
Thanks,
Neal
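
Added example, not part of the original post and not Samba's own code: decoding the objectSid values from the LDIF above shows that the owner SID Windows displays sits in GRAM's local domain rather than in MATH, and that its RID 2002 equals uid 501 put through Samba 3's algorithmic mapping (uid * 2 + "algorithmic rid base", default 1000). The function names are hypothetical; every input value is copied from the post.

```python
import base64
import struct

# Values copied from the post: LDIF objectSid fields, `net getlocalsid`,
# the owner SID Windows displayed, and nlucier's uidNumber.
USER_SID_B64 = "AQUAAAAAAAUVAAAA1d5KxJSOAsluXD4OVgQAAA=="
GROUP_SID_B64 = "AQUAAAAAAAUVAAAA1d5KxJSOAsluXD4OWQQAAA=="
LOCAL_SID = "S-1-5-21-3626241743-3430010330-1169397157"
OWNER_SID = "S-1-5-21-3626241743-3430010330-1169397157-2002"
UID = 501

def decode_sid(b64):
    """Turn a base64 binary SID (LDIF 'objectSid::') into S-1-... text."""
    raw = base64.b64decode(b64)
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])   # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def split_sid(sid):
    """Split a SID into (domain SID, RID)."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def classify_owner(owner_sid, account_sid, local_sid, uid, rid_base=1000):
    """Say which identity an on-disk owner SID actually refers to."""
    domain, rid = split_sid(owner_sid)
    if owner_sid == account_sid:
        return "domain account"
    # Samba 3 algorithmic mapping for users: RID = uid * 2 + rid_base
    if domain == local_sid and rid == uid * 2 + rid_base:
        return "local algorithmic mapping of uid %d" % uid
    return "unrecognised"

if __name__ == "__main__":
    user_sid = decode_sid(USER_SID_B64)
    print("nlucier    ", user_sid)
    print("unix-other ", decode_sid(GROUP_SID_B64))
    print("owner      ", OWNER_SID)
    print("owner is   ", classify_owner(OWNER_SID, user_sid, LOCAL_SID, UID))
```

The decoded group RID, 1113, is the same value as nlucier's primaryGroupID in the LDIF, which is why the group resolves to MATH\unix-other while the owner does not resolve to a MATH account.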