[Samba] Samba 4, Winbind & RFC2307

Thomas Simmons twsnnva at gmail.com
Sun Dec 16 18:35:14 MST 2012


I am seeing similar behavior on an S4 member server. In this case, every
uid and gid is reported as "4294967295". As best I can tell, my smb.conf is
ok.

[root at ALW2 etc]# wbinfo -u
administrator
tuser1
tuser2
tuser3
krbtgt
guest

[root at ALW2 etc]# wbinfo -i tuser1
tuser1:*:4294967295:4294967295:Test User1:/home/tuser1:/bin/sh

[root at ALW2 etc]# getent passwd|grep tuser
tuser1:*:4294967295:4294967295:Test User1:/home/tuser1:/bin/sh
tuser2:*:4294967295:4294967295:Test User2:/home/tuser2:/bin/sh
tuser3:*:4294967295:4294967295:Test User3:/home/tuser3:/bin/sh


[global]
        workgroup = TESTDOM
        realm = internal.testdom.com
        preferred master = no
        server string = ALW2
        security = ads
        encrypt passwords = yes

        idmap config TESTDOM:backend = ads
        idmap config TESTDOM:schema_mode = rfc2307
        idmap config TESTDOM:range = 1000-999999

        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
        winbind use default domain = yes

        template homedir = /home/%U
        template shell = /bin/sh

If I add:

        idmap backend = tdb
        idmap uid = 1000000-1999999
        idmap gid = 1000000-1999999

then I get uids and gids generated from this range. When I remove the
options, my users keep the generated uids and gids. I'm not sure how to
revert?


Thank you all for your help.


On Sun, Dec 16, 2012 at 5:32 PM, Thomas Simmons <twsnnva at gmail.com> wrote:

> acl:search = false is commented out there, but the behavior is the same
> either way.
>
>
> On Sun, Dec 16, 2012 at 5:30 PM, Thomas Simmons <twsnnva at gmail.com> wrote:
>
>> I am using 'template homedir' and 'template shell' for these attributes,
>> which I'm fine with. It's the uidNumber and gidNumber that
>> I'm primarily concerned with. My global section:
>>
>> [global]
>>         workgroup = TESTDOM
>>         realm = internal.testdom.com
>>         netbios name = ADC1
>>         server role = active directory domain controller
>>         dns forwarder = 10.10.65.1
>>         idmap_ldb:use rfc2307 = yes
>>         #acl:search = false
>>
>>         template homedir = /home/%ACCOUNTNAME%
>>         template shell = /bin/sh
>>
>>
>>
>> On Sun, Dec 16, 2012 at 5:06 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>>
>>> On Sun, 2012-12-16 at 16:51 -0500, Thomas Simmons wrote:
>>> > Hello Andrew,
>>> >
>>> >
>>> > If functionality is not there, I certainly understand and can work
>>> > around it. I just want to make sure I am not misunderstanding
>>> > something.
>>> >
>>> >
>>> > When you say I should set "idmap_ldb:use rfc2307=yes" in smb.conf on
>>> > the DC, do you mean that by doing so I can use winbind (and the
>>> > rfc2307 attributes) for *nix authentication on the DC? I am confused
>>> > because I already have "idmap_ldb:use rfc2307 = yes" in my smb.conf
>>> > (it gets added automatically with the classicupgrade and I always
>>> > provision my "clean" test setup with "--use-rfc2307"). That actually
>>> > works fine - the rfc2307 attributes are there and I can modify them in
>>> > ADUC. If I configure the server to use NSS+LDAP for authentication, my
>>> > users' uid number, gid number, shell, etc are what I have specified
>>> > in ADUC. When I try using winbind, it is not using the rfc2307
>>> > information from AD.
>>>
>>> That's odd, but remember that only the UID and GID values will be used
>>> (not the shell or homedir, which is handled in a different bit of the
>>> code).  However, your output below clearly shows that isn't
>>> happening :-(
>>>
>>> >         > Here I have NSS+LDAP configured and getent reports the correct uidNumber
>>> >         > and gidNumber that I have specified in AD (rfc2307 attributes):
>>> >         >
>>> >         > root at ALW1:~# getent passwd | grep tuser
>>> >         > tuser1:*:10005:10000:Test User1:/home/tuser1:/bin/sh
>>> >         > tuser2:*:10006:10000:Test User2:/home/tuser2:/bin/sh
>>> >         > tuser3:*:10007:10000:Test User3:/home/tuser3:/bin/sh
>>> >         >
>>> >         > Here (DC) I am using winbind for authentication, and getent does not report
>>> >         > the correct uidNumber and gidNumber:
>>> >         >
>>> >         > [root at ADC1 ~]# getent passwd | grep tuser
>>> >         > TESTDOM\tuser1:*:3000025:100:Test User1:/home/tuser1:/bin/sh
>>> >         > TESTDOM\tuser2:*:3000026:100:Test User2:/home/tuser2:/bin/sh
>>> >         > TESTDOM\tuser3:*:3000027:100:Test User3:/home/tuser3:/bin/sh
>>> >
>>> As a test, can you set 'acl:search=false' and see if it makes a
>>> difference?
>>>
>>> > Initially,  "idmap_ldb:use rfc2307 = yes" was the only idmap related
>>> > entry in my smb.conf. When that did not work I tried a bunch of other
>>> > "idmap config DOMAIN" settings.
>>>
>>> The code that handles that isn't hooked up yet.  I'm hoping someone will
>>> take this on for 4.1.
>>>
>>> > Again, if this simply does not work at this time, I can use NSS and
>>> > LDAP for logins on my DCs. With my S3 setup, I've always used LDAP for
>>> > auth on *nix systems and am not terribly familiar with winbind, so I
>>> > just want to make sure I'm not missing something. My next test will be
>>> > setting up a member server. Can you tell me what entries I will need
>>> > in my smb.conf to have winbind use the rfc2307 information from my S4
>>> > DC on member servers?
>>>
>>> I don't recall the exact settings right now, but for member servers it
>>> is the same as for a Windows AD domain (yes, I think this should be more
>>> automatic).
>>>
>>> In terms of using nss_ldap on the DC, the only concern I have is that
>>> the [homes] share might not work if you do that.  Our DC code mostly
>>> avoids calling into nss, but that particular area does do it, and really
>>> does expect that nss_winbind is being used.
>>>
>>> For that reason, we generally suggest separation between the DC and
>>> other roles as the best way out of this situation.
>>>
>>> Andrew Bartlett
>>>
>>> --
>>> Andrew Bartlett
>>> http://samba.org/~abartlet/
>>> Authentication Developer, Samba Team           http://samba.org
>>>
>>>
>>>
>>
>
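A small check script, added here and not taken from the thread or from Samba, that turns the symptoms discussed above into a test: it reads the idmap ranges from smb.conf text, flags the 4294967295 value (2^32-1, i.e. (uid_t)-1, what winbind reports when the idmap backend has no mapping), flags ids that fall outside the configured range (the 3000025-style ids the DC handed out), and compares mapped ids with the uidNumber/gidNumber values that nss_ldap returned from AD. The sample config, passwd lines and expected values are constructed from the output quoted in this thread.

```python
import re

# 2**32 - 1, i.e. (uid_t)-1: what winbind reports when the idmap backend has no mapping
UNMAPPED_ID = 4294967295
# "idmap config DOM : range = low-high"; the deprecated "idmap uid/gid" form of
# "idmap config * : range" is recorded under the "*" key
RANGE_RE = re.compile(r'^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)', re.I)
LEGACY_RE = re.compile(r'^\s*idmap\s+(?:uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)', re.I)

# Constructed sample input: the member-server idmap lines and passwd output quoted above
SAMPLE_CONF = "idmap config TESTDOM:backend = ads\nidmap config TESTDOM:range = 1000-999999\n"
SAMPLE_PASSWD = ("tuser1:*:4294967295:4294967295:Test User1:/home/tuser1:/bin/sh\n"
                 "TESTDOM\\tuser2:*:3000026:100:Test User2:/home/tuser2:/bin/sh\n"
                 "tuser3:*:10007:10000:Test User3:/home/tuser3:/bin/sh\n")
# uidNumber/gidNumber as stored in AD (the values nss_ldap returned in the thread)
SAMPLE_EXPECTED = {'tuser1': (10005, 10000), 'tuser2': (10006, 10000), 'tuser3': (10007, 10000)}


def parse_idmap_ranges(smb_conf):
    """Return {DOMAIN: (low, high)} for every idmap range declared in smb.conf text."""
    ranges = {}
    for line in smb_conf.splitlines():
        if (m := RANGE_RE.match(line)):
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
        elif (m := LEGACY_RE.match(line)):
            ranges['*'] = (int(m.group(1)), int(m.group(2)))
    return ranges


def classify(passwd_line, ranges, expected, default_domain):
    """Verdict for one getent/wbinfo -i line; expected = {user: (uidNumber, gidNumber)}.
    default_domain covers names without a prefix ('winbind use default domain = yes')."""
    name, _pw, uid, gid = passwd_line.split(':')[:4]
    uid, gid = int(uid), int(gid)
    domain, _sep, user = name.rpartition('\\')
    domain = (domain or default_domain).upper()
    if UNMAPPED_ID in (uid, gid):
        return user, 'unmapped'        # no mapping at all: idmap backend is not working
    low, high = ranges.get(domain) or ranges.get('*') or (0, UNMAPPED_ID - 1)
    if not (low <= uid <= high and low <= gid <= high):
        return user, 'outside-range'   # allocated by some other backend or range
    if user in expected and expected[user] != (uid, gid):
        return user, 'not-rfc2307'     # mapped, but not to the AD uidNumber/gidNumber
    return user, 'ok'


def check_all(smb_conf, passwd_output, expected, default_domain='TESTDOM'):
    """Classify every line of passwd output; returns [(user, verdict), ...]."""
    ranges = parse_idmap_ranges(smb_conf)
    return [classify(l, ranges, expected, default_domain)
            for l in passwd_output.splitlines() if l.strip()]
```

Run it against real `getent passwd` output piped into a file and the live smb.conf to see which of the three failure modes a member server is actually in.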