[Samba] winbind: uid range is ignored

Steven Schlegel steven.schlegel1988 at googlemail.com
Wed Aug 8 02:39:08 MDT 2012


Hey Steve,

I know the error "Can't initialize directory" with the auto-create
method of pam+winbind for home directories as well,
but I think my setup is a little bit different from yours...

My setup looks like this:

- 50 linux-server
- 5 AD secondary DC's (Active Directory w2k8 R2)
- 1 Master-DC (Active Directory w2k8 R2)

The Linux servers were set up with RHEL 5 (nearly half of them).
Approx. 15 servers were set up with Oracle Linux 6.2 (nearly the same as RHEL).

Do you use the same Linux version for your clients (e.g. servers)?
If so, just try to put the same PAM lines (/etc/pam.d/system-auth) into
the password-auth file (/etc/pam.d/password-auth).

These are my files:
--> /etc/pam.d/system-auth <--
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_smb_auth.so use_first_pass nolocal
auth sufficient pam_winbind.so use_first_pass require_membership_of=g-gr-eo-it-io-dc,g-gr-eo-it-ao
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient pam_krb5.so
account sufficient pam_winbind.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077

--> /etc/pam.d/password-auth <--
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_smb_auth.so use_first_pass nolocal
auth sufficient pam_winbind.so use_first_pass require_membership_of=g-gr-eo-it-io-dc,g-gr-eo-it-ao
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient pam_krb5.so
account sufficient pam_winbind.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077

And my smb.conf looks like this:
# GLOBAL PARAMETERS
[global]
workgroup = <MY-WORKGROUP>
realm = <MY-DOMAIN.LCL>
password server = *
preferred master = no
server string = <YOUR> File-Server
security = ads
encrypt passwords = yes
local master = no
log level = 1
log file = /var/log/samba/%m
max log size = 50
#printcap name = cups
#printcap = cups
printcap = /dev/null
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = \\
winbind refresh tickets = yes
winbind offline logon = true
winbind trusted domains only = no
#winbind trusted domains only = yes
map untrusted to domain = Yes
allow trusted domains = yes
obey pam restrictions = no
idmap backend = tdb
idmap uid = 10000-600000
idmap gid = 10000-600000
#idmap config EOS : tdb
#idmap config EOS : 10000-100000
#idmap config DFD : tdb
#idmap config DFD : 110000-200000
#idmap config * : backend = tdb
#idmap config * : range = 10000-600000
passdb backend = tdbsam
;template primary group = "domain users"
#template shell = /bin/false
template shell = /bin/bash
winbind nss info = rfc2307
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[homes]
comment = Heimatverzeichnisse
valid users = %S
path = /home/<DOMAIN>/
read only = yes
browseable = no
# hide "unreadable" directories
hide unreadable = yes
# hide "non-writable" files and folders
hide unwriteable files = yes
create mask = 0700
directory mask = 0700


When you log in to one of my Linux boxes with a user called "schlegels",
the home directory
will be created like this: /home/<DOMAIN>/schlegels


Oddjobd is not working for me... I don't know exactly if my setup is
the same as yours, because
I'm not able to read the whole conversation (too many things to do).


Cheers and good luck,

Steven

2012/8/8 steve <steve at steve-ss.com>:
> On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:
>>
>> steve wrote:
>>>
>>> On 07/08/12 16:15, Jonathan Buzzard wrote:
>>>>
>>>> On 07/08/12 15:10, steve wrote:
>>>>>
>>>>> On 04/08/12 22:06, NdK wrote:
>>>>>>
>>>>>> Il 04/08/2012 21:13, steve ha scritto:
>>>>>>
>>>>>
>>>>>> Uh? "wide links" seems a bad idea to me... At least from a security
>>>>>> perspective.
>>>>>> Why a single home directory? We have a single NFS share containing
>>>>>> folders for the two domains and inside those a folder for each home.
>>>>>> We are trying to migrate away from that, preferring a '[homes]' share
>>>>>> where users will place the data they want to have available on every
>>>>>> PC.
>>>>>> This way even Firefox should work...
>>>>>>
>>>>> Hi Diego
>>>>> We have home directories like:
>>>>> home2/staff
>>>>> home2/students/7a
>>>>> home2/students/7b
>>>>>
>>>>> Winbind allows only one template homedir and all user home folders must
>>>>> reside there (or tell me otherwise).
>>>>>
>>>>> The only way we can have what we want is:
>>>>> 1. use nss-ldapd and store the true unixHomeDirectory in AD
>>>>> 2. winbind. We have a symlink in template homedir to the real data. For
>>>>> that we need wide links.
>>>>>
>>>>
>>>> 3. Use winbind to store the true unixHomeDirectory in AD.
>>>>
>>>
>>> Hi
>>> If I store unixHomeDirectory in AD, winbind seems to ignore it. As far as
>>> it's concerned, all home directories have to be in template homedir.
>>>
>>> How would I use winbind to store it? This is why we tend toward 1.
>>> nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise only
>>> uidNumber and gidNumber. It doesn't seem to give you any control over login
>>> shell and unixHomeDirectory. Everyone has the same shell and homedir.
>>>
>>
>> Well it's read only, winbind pulls the information from the AD, but take
>> out your template homedir/shell lines from smb.conf and do something like
>>
>>     winbind nss info = rfc2307
>>     winbind expand groups = 2
>>     winbind nested groups = yes
>>     winbind enum users = yes
>>     winbind enum groups = yes
>>
>> Note you can get nested groups this way, something I don't think nss-ldapd
>> provides. It does work I have it in production for over 1500 users right now
>> with some 900 active SMB sessions.
>>
> Hi Jonathan
> Is that with Samba3 or 4? I just tried it with Samba4 with unixHomeDirectory
> in AD. I removed template homedir =, created the user directory and gave it
> the correct permissions, but logging in, winbind tries to create the
> directory:
>  su steve2
> Creating directory ''.
> Unable to create and initialize directory ''.
> su: Permission denied
>
> Cheers,
> Steve
>
>
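As an added example (not from the thread) of the advice above to keep system-auth and password-auth in sync: a small Python checker that parses PAM service files in the quoted format, flags a session stack without pam_mkhomedir.so (or with a umask other than 0077) and a pam_winbind.so auth entry without require_membership_of, and lists entries present in one file but missing from the other. The two stacks are constructed abridgements of the files quoted in the mail, with password-auth deliberately left out of sync.

```python
import re
# Constructed abridgement of the system-auth stack quoted in the mail.
SYSTEM_AUTH = """\
auth sufficient pam_winbind.so use_first_pass require_membership_of=g-gr-eo-it-io-dc,g-gr-eo-it-ao
auth required pam_deny.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_mkhomedir.so skel=/etc/skel umask=0077
"""
# Constructed "before" state of password-auth: no pam_mkhomedir line, unrestricted winbind auth.
PASSWORD_AUTH = """\
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
session required pam_unix.so
"""

PAM_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")  # control may be [bracketed]

def parse_pam(text):
    """Yield (type, control, module, options) per entry; comments and blank lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError("unparsable PAM line: %r" % line)
        typ, control, module, rest = m.groups()
        opts = dict(tok.partition("=")[::2] for tok in rest.split())  # "k=v" -> k: v, "k" -> k: ""
        yield typ, control, module, opts

def check_stack(text):
    """Return findings for one service file; an empty list means the checks pass."""
    entries = list(parse_pam(text))
    findings = []
    mk = [e for e in entries if e[0] == "session" and e[2] == "pam_mkhomedir.so"]
    if not mk:
        findings.append("session: no pam_mkhomedir.so, home directory is never auto-created")
    elif mk[0][3].get("umask") != "0077":
        findings.append("session: pam_mkhomedir.so umask is not 0077")
    for e in entries:
        if e[0] == "auth" and e[2] == "pam_winbind.so" and "require_membership_of" not in e[3]:
            findings.append("auth: pam_winbind.so has no require_membership_of restriction")
    return findings

def missing_from(reference, candidate):
    """Entries (type, module, options) present in reference but absent from candidate."""
    key = lambda e: (e[0], e[2], tuple(sorted(e[3].items())))
    have = {key(e) for e in parse_pam(candidate)}
    return [key(e) for e in parse_pam(reference) if key(e) not in have]
```

Running `missing_from(SYSTEM_AUTH, PASSWORD_AUTH)` on the constructed stacks lists the three entries that would have to be copied across, including the pam_mkhomedir.so line.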