[Samba] Help "Could not get unix ID"

Ross S. W. Walker rwalker at medallion.com
Thu Feb 14 16:21:04 GMT 2008


Linux Addict wrote:
> 
> Greetings!!!
> 
> I am using samba 3.0.28 clients authenticating AD R2 with SFU 3.5. I
> have set up nss info to template, sfu to get the uid, gid, home dir and
> shell from AD.

Whoa, slow down, you're getting all ahead of yourself. You seem to need
to pick a user authorization (passwd/group) method and a user
authentication method.

User authorization can be nss_ldap or samba+winbind or samba+ldap or
samba+ad (samba+ldap and samba+ad are really the same, but samba
uses ad extensions when storing the attributes).

I personally like samba+winbind because with RID mapping I no
longer have to worry about creating and maintaining UIDs and GIDs for
every Windows user and group, which is a big pain.

As far as authentication goes, there is pam_ldap, pam_winbind, samba
or kerberos.

If you're authenticating against a Windows AD domain I really don't see
any point to not using Kerberos. It is straightforward, easy to
set up, secure and provides single sign-on functionality. The others
require additional setup procedures and don't do single sign-on.

> The problem is it seems to be working for some time, and then it says
> could not get uid/gid pair. I am assuming some kind of caching is
> causing this.

It may be your initial setup.

> My understanding with SFU is that there won't be any mappings and the
> specific user will pull the uid, gid from AD Unix Attributes.

Managing UIDs and GIDs under SFU is a big PITA. I would only use it
under circumstances where winbind wasn't available, but even there
I would probably set up a Linux VM that would dump winbind RID
mappings into NIS maps and then use NIS to send them out.

> The winbindd-idmap file throws the following error.
> 
> nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
>   Could not get unix ID

Did you join the machine to the domain with a 'net ads join' ?

> This is testparm output.
> 
> idmap backend = ad
>         idmap uid = 16777216-33554431
>         idmap gid = 16777216-33554431
>         template shell = /bin/bash
>         winbind separator = +
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = Yes
>         winbind nss info = template, sfu
> 
> 
> 
> Please, someone help me get all Linux clients to authenticate
> consistently against AD.

Make sure you have these installed:

samba-common
samba-client
cyrus-sasl-gssapi
libgssapi
cyrus-sasl-md5
cyrus-sasl-lib
cyrus-sasl
cyrus-sasl-gssapi
cyrus-sasl-ntlm
cyrus-sasl-plain
krb5-workstation
pam_krb5
krb5-libs
krb5-auth-dialog

Try this simple starting smb.conf:

[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   password server = *
   use kerberos keytab = yes
   passdb backend = tdbsam
   allow trusted domains = no
   idmap backend = rid
   idmap uid = 100000-199999
   idmap gid = 100000-199999
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind enum groups = yes
   winbind enum users = yes
   name resolve order = wins bcast host

[homes]
   comment = Home Directories
   read only = no
   browseable = no

[printers]
   comment = All Printers
   path = /var/spool/samba
   printable = yes
   browseable = no

And this simple krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   krb4_convert = false
 }

[realms]
 EXAMPLE.COM = {
  kdc = example.com
  admin_server = example.com
 }

[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM

Then make sure your nsswitch.conf has these defined:

passwd:     files winbind
shadow:     files
group:      files winbind

And your /etc/pam.d/system-auth is similar to:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

The modules to pay attention to are pam_krb5.so and pam_mkhomedir.so.

Then your Windows users should be able to single sign-on to Linux and access
all the Windows shares and resources.

-Ross
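As an added worked example (not part of Ross's message or of Samba's own code), the script below shows the difference between the two idmap backends discussed above: `idmap backend = rid` derives the Unix ID arithmetically from the SID's RID using Samba's documented formula ID = RID - base_rid + low_range (base_rid defaults to 0), so every domain account maps without any attributes in AD, while `idmap backend = ad` has to read uidNumber/gidNumber from the directory and returns nothing for an account that lacks them, which is the situation behind the quoted "Could not get unix ID". The domain SID, the account records and the `audit_unmappable` helper are constructed for illustration; the 100000-199999 range is the one from the suggested smb.conf, and the refusal of SIDs from a foreign domain mirrors `allow trusted domains = no`.

```python
"""Worked example: Samba idmap_rid arithmetic versus idmap_ad attribute lookup.

Assumptions (not from the original post): idmap_rid's formula
ID = RID - base_rid + low_range with base_rid = 0; the domain SID and the
directory records below are constructed sample data.
"""
import re

# Constructed sample domain SID (not a real domain).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Domain account SIDs: S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID, else raise ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: %s" % sid)
    return "S-1-5-21-%s-%s-%s" % m.group(1, 2, 3), int(m.group(4))


def rid_to_id(sid, low, high, domain_sid=DOMAIN_SID, base_rid=0):
    """idmap_rid: ID = RID - base_rid + low; None when the SID is unmappable.

    A SID from a domain other than the joined one is refused, as with
    'allow trusted domains = no'; otherwise two domains sharing one range
    would produce colliding Unix IDs.
    """
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        return None
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None  # RID falls outside the configured 'idmap uid'/'idmap gid' range
    return unix_id


def id_to_sid(unix_id, low, high, domain_sid=DOMAIN_SID, base_rid=0):
    """Reverse direction of idmap_rid; the mapping is bijective inside the range."""
    if unix_id < low or unix_id > high:
        return None
    return "%s-%d" % (domain_sid, unix_id - low + base_rid)


# Constructed directory records: the second account carries no
# SFU/RFC2307 attributes, the typical cause of "Could not get unix ID".
AD_RECORDS = {
    DOMAIN_SID + "-1105": {"sAMAccountName": "alice", "uidNumber": 10001, "gidNumber": 10000},
    DOMAIN_SID + "-1106": {"sAMAccountName": "bob"},
}


def ad_to_id(sid, records=AD_RECORDS):
    """idmap_ad: take uidNumber from the directory record; None when it is absent."""
    rec = records.get(sid)
    if rec is None or "uidNumber" not in rec:
        return None
    return rec["uidNumber"]


def audit_unmappable(records=AD_RECORDS):
    """Hypothetical helper: list accounts the ad backend cannot map."""
    return sorted(r["sAMAccountName"] for r in records.values() if "uidNumber" not in r)


if __name__ == "__main__":
    low, high = 100000, 199999  # range from the suggested smb.conf
    for sid in AD_RECORDS:
        print(sid, "rid ->", rid_to_id(sid, low, high), "ad ->", ad_to_id(sid))
    print("unmappable under idmap_ad:", audit_unmappable())
```

Running it shows alice and bob both receiving IDs under the rid backend (101105 and 101106) while only alice resolves under the ad backend; `audit_unmappable` is the kind of check to run against the directory before switching nss info to sfu, since any account it lists will fail to log in.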
