[Samba] Query re winbind, primary group enumeration from Active Directory and Services For Unix
cgreen at ultradata.com.au
Tue May 4 00:59:49 MDT 2010
Query re winbind, primary group enumeration from Active Directory and Services For Unix
I am wondering if anyone can explain to me how the GIDs work when using winbind to extract them from an ADS server.
I have Unix servers running AIX 5.3 ML-10, an ADS server running Win 2003-SP2 with SFU 3.5 installed.
I have been configuring the Unix servers as domain members and using winbind to extract the user id and primary group form the AD and SFU. This in theory would supply consistent uids and gids for the domian user accounts when logging into the Unix servers.
I have been able to compile samba 3.4.7 and with ADS support successfully. I have also used version 3.4.7 from the pware site and get the same issues.
I have modified the /usr/security/user file to use WINBIND.
I have modified the /usr/lib/security/methods.cfg file to include a stanza for WINBIND.
I can obtain a kerberos ticket successfully, (kinit valid-aduser).
I can join the domain successfully, (net ads join -Uvalid-ad-user).
I can run wbinfo -t, -u, -g, -i, etc succssfully.
Using "wbinfo -i valid-ad-user" returns the correct information as stored under the users properties SFU tab.
If I change these settings, eg: home directory, primary group name/gid or login shell they are reflected correctly by a subsequent "wbinfo -i". That is, they are correctly extracted/obtained from the ADS server.
However when I try to open a telnet session to the Unix server I have a problem if the PGID is not related back to an actual group as stored within the AD.
That is, if I set the PGID to 208, which is a valid group id within the group file on the Unix server but is not a valid group id within the AD I cannot telnet to the Unix server. The -i option of wbinfo shows the correct group id.
Eg: wbinfo -i valid-ad-user
When I try and open a telnet session I get the following error.
3004-010 Failed setting terminal ownership and mode.
Browsing the www indicates that this problem is due to an invalid group id. That the id is not stored within the group file.
But it is a valid group id.
If I change the gid to be 10001 which according to samba is BUILTIN\users
I can open a telnet session without any problems:
My understanding from reading the smb.conf man page is that for samba (aka winbind) to extract the home directory, login shell, UID and GID from the ADS server then you need to specify the options "winbind nss info" and either "idmap backend = ad" or "idmap config DOMAIN:backend = ad" as well. I have these entries in the smb.conf file.
idmap config ULTRADATA : default = yes
idmap config ULTRADATA : backend = ad
idmap config ULTRADATA : range = 200-9999
idmap config ULTRADATA : schema_mode = sfu
winbind nss info = sfu
With these settings the userid that is extracted is the one that gets used when a successful telnet session is made. However the GID appears to be ignored. It looks like the GID must be one that is allocated to a valid group that is on the ADS server.
What entries do I need to make in the smb.conf file to have samba/winbind use the group id as stored on the ADS server?
I have included what I think is the pertinent info from the global section of the smb.conf file:
workgroup = REALMNAME
security = ADS
realm = REALMNAME.COM.AU
encrypt passwords = Yes
password server = 172.16.xx.xxx
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
log file = /etc/samba/var/%L-%m.log
log level = 5
interfaces = en0 lo0
bind interfaces only = yes
name resolve order = host wins bcast
keepalive = 30
os level = 0
lm announce = False
preferred master = False
local master = No
domain master = False
wins server = 172.16.xx.xxx
unix extensions = no
auth methods = winbind
idmap uid = 10000-200000
idmap gid = 10000-200000
idmap config REALMNAME : default = yes
idmap config REALMNAME : backend = ad
idmap config REALMNAME : range = 200-9999
idmap config REALMNAME : schema_mode = sfu
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nss info = sfu
This message contains privileged and confidential information intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby notified that you must not disseminate, copy or take any action or place any reliance on it. If you have received this message in error please notify Ultradata immediately on +61 3 9291 1600. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Ultradata Australia Pty. Ltd.
To unsubscribe from receiving commercial electronic messages from Ultradata Australia please email unsubscribe at ultradata.com.au with the subject heading "Unsubscribe".
More information about the samba