[Samba] Query re winbind, primary group enumeration from Active Directory and Services For Unix

Craig Green cgreen at ultradata.com.au
Tue May 4 00:59:49 MDT 2010


I am wondering if anyone can explain to me how the GIDs work when using winbind to extract them from an ADS server.

I have Unix servers running AIX 5.3 ML-10, an ADS server running Win 2003-SP2 with SFU 3.5 installed.
I have been configuring the Unix servers as domain members and using winbind to extract the user id and primary group from the AD and SFU.  This in theory would supply consistent uids and gids for the domain user accounts when logging into the Unix servers.

I have been able to compile samba 3.4.7 with ADS support successfully.  I have also used version 3.4.7 from the pware site and get the same issues.

I have modified the /usr/security/user file to use WINBIND.

I have modified the /usr/lib/security/methods.cfg file to include a stanza for WINBIND.

I can obtain a kerberos ticket successfully, (kinit valid-aduser).

I can join the domain successfully, (net ads join -Uvalid-ad-user).

I can run wbinfo -t, -u, -g, -i, etc successfully.

Using "wbinfo -i valid-ad-user" returns the correct information as stored under the user's properties SFU tab.
If I change these settings, eg: home directory, primary group name/gid or login shell they are reflected correctly by a subsequent "wbinfo -i".  That is, they are correctly extracted/obtained from the ADS server.

However when I try to open a telnet session to the Unix server I have a problem if the PGID is not related back to an actual group as stored within the AD.

That is, if I set the PGID to 208, which is a valid group id within the group file on the Unix server but is not a valid group id within the AD I cannot telnet to the Unix server.  The -i option of wbinfo shows the correct group id.

Eg: wbinfo -i valid-ad-user

When I try and open a telnet session I get the following error.

3004-010 Failed setting terminal ownership and mode.

Browsing the www indicates that this problem is due to an invalid group id, i.e. that the id is not stored within the group file.
But it is a valid group id.

If I change the gid to be 10001, which according to samba is BUILTIN\users

wbinfo --gid-info=10001

I can open a telnet session without any problems.

My understanding from reading the smb.conf man page is that for samba (aka winbind) to extract the home directory, login shell, UID and GID from the ADS server then you need to specify the options "winbind nss info" and either "idmap backend = ad" or "idmap config DOMAIN:backend  = ad" as well. I have these entries in the smb.conf file.

        idmap config ULTRADATA : default  = yes
        idmap config ULTRADATA : backend  = ad
        idmap config ULTRADATA : range  = 200-9999
        idmap config ULTRADATA : schema_mode = sfu
        winbind nss info = sfu

With these settings the userid that is extracted is the one that gets used when a successful telnet session is made.  However the GID appears to be ignored.  It looks like the GID must be one that is allocated to a valid group that is on the ADS server.

What entries do I need to make in the smb.conf file to have samba/winbind use the group id as stored on the ADS server?

I have included what I think is the pertinent info from the global section of the smb.conf file:

        workgroup = REALMNAME
        security = ADS
        realm = REALMNAME.COM.AU
        encrypt passwords = Yes
        password server = 172.16.xx.xxx
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        log file = /etc/samba/var/%L-%m.log
        log level = 5
        interfaces = en0 lo0
        bind interfaces only = yes
        name resolve order = host wins bcast
        keepalive = 30
        os level = 0
        lm announce = False
        preferred master = False
        local master = No
        domain master = False
        wins server = 172.16.xx.xxx
        unix extensions = no

        auth methods = winbind
        idmap uid = 10000-200000
        idmap gid = 10000-200000
        idmap config REALMNAME : default  = yes
        idmap config REALMNAME : backend  = ad
        idmap config REALMNAME : range  = 200-9999
        idmap config REALMNAME : schema_mode = sfu

        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind nss info = sfu
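An added diagnostic, not from the post or from Samba: it takes the passwd-style line "wbinfo -i" returns, checks whether the primary GID resolves in the group database at all, and flags a GID that falls inside the "idmap config DOMAIN : range" winbind owns for AD mappings. The sample passwd line and group entries are constructed; the gid values 208 and 10001 and the range 200-9999 are the ones from the post.

```shell
#!/bin/sh
# Checks the primary GID that winbind returns for a user against the
# group database and the configured AD idmap range.  Constructed data
# stands in for live "wbinfo -i" and /etc/group output.

# Constructed passwd line in the shape "wbinfo -i valid-ad-user" prints.
WBINFO_LINE='valid-ad-user:*:10042:208:Valid AD User:/home/valid-ad-user:/bin/ksh'

# Constructed group entries: an AD-backed group at 10001, a local one at 208.
GROUP_DB='staff:!:1:
BUILTIN\users:x:10001:
unixops:!:208:cgreen'

# The "idmap config DOMAIN : range = 200-9999" from the post.
IDMAP_LOW=200
IDMAP_HIGH=9999

# pgid_of PASSWD_LINE -> prints the primary gid (4th colon field)
pgid_of() {
    printf '%s\n' "$1" | cut -d: -f4
}

# gid_in_db GID GROUP_DB -> succeeds if some entry has GID as its 3rd field
gid_in_db() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$3 == g { found = 1 } END { exit !found }'
}

# gid_in_idmap_range GID -> succeeds if IDMAP_LOW <= GID <= IDMAP_HIGH
gid_in_idmap_range() {
    [ "$1" -ge "$IDMAP_LOW" ] && [ "$1" -le "$IDMAP_HIGH" ]
}

# classify_pgid PASSWD_LINE GROUP_DB -> prints one of:
#   unresolvable  gid resolves to no group at all
#   ad-range      gid resolves, but sits in the range winbind maps via AD
#   ok            gid resolves and is outside the AD idmap range
classify_pgid() {
    gid=$(pgid_of "$1")
    if ! gid_in_db "$gid" "$2"; then
        echo unresolvable
    elif gid_in_idmap_range "$gid"; then
        echo ad-range
    else
        echo ok
    fi
}

classify_pgid "$WBINFO_LINE" "$GROUP_DB"
```

Run against live data by replacing the constructed variables with `$(wbinfo -i user)` and `$(getent group)` output on the member server.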

