[Samba] Samba 4, Winbind & RFC2307
Thomas Simmons
twsnnva at gmail.com
Sun Dec 16 18:35:14 MST 2012
I am seeing similar behavior on an S4 member server. In this case, every
uid and gid is reported as "4294967295". As best I can tell, my smb.conf is
ok.
[root at ALW2 etc]# wbinfo -u
administrator
tuser1
tuser2
tuser3
krbtgt
guest
[root at ALW2 etc]# wbinfo -i tuser1
tuser1:*:4294967295:4294967295:Test User1:/home/tuser1:/bin/sh
[root at ALW2 etc]# getent passwd|grep tuser
tuser1:*:4294967295:4294967295:Test User1:/home/tuser1:/bin/sh
tuser2:*:4294967295:4294967295:Test User2:/home/tuser2:/bin/sh
tuser3:*:4294967295:4294967295:Test User3:/home/tuser3:/bin/sh
[global]
workgroup = TESTDOM
realm = internal.testdom.com
preferred master = no
server string = ALW2
security = ads
encrypt passwords = yes
idmap config TESTDOM:backend = ads
idmap config TESTDOM:schema_mode = rfc2307
idmap config TESTDOM:range = 1000-999999
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/sh
If I add:
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
then I get uids and gids generated from this range. When I remove the
options, my users keep the generated uids and gids. I'm not sure how to
revert?
Thank you all for your help.
On Sun, Dec 16, 2012 at 5:32 PM, Thomas Simmons <twsnnva at gmail.com> wrote:
> acl:search = false is commented out there, but the behavior is the same
> either way.
>
>
> On Sun, Dec 16, 2012 at 5:30 PM, Thomas Simmons <twsnnva at gmail.com> wrote:
>
>> I am using 'template homedir' and 'template shell' for these attributes,
>> which I'm fine with. It's the uidNumber and gidNumber that
>> I'm primarily concerned with. My global section:
>>
>> [global]
>> workgroup = TESTDOM
>> realm = internal.testdom.com
>> netbios name = ADC1
>> server role = active directory domain controller
>> dns forwarder = 10.10.65.1
>> idmap_ldb:use rfc2307 = yes
>> #acl:search = false
>>
>> template homedir = /home/%ACCOUNTNAME%
>> template shell = /bin/sh
>>
>>
>>
>> On Sun, Dec 16, 2012 at 5:06 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>>
>>> On Sun, 2012-12-16 at 16:51 -0500, Thomas Simmons wrote:
>>> > Hello Andrew,
>>> >
>>> >
>>> > If functionality is not there, I certainly understand and can work
>>> > around it. I just want to make sure I am not misunderstanding
>>> > something.
>>> >
>>> >
>>> > When you say I should set "idmap_ldb:use rfc2307=yes" in smb.conf on
>>> > the DC, do you mean that by doing so I can use winbind (and the
>>> > rfc2307 attributes) for *nix authentication on the DC? I am confused
>>> > because I already have "idmap_ldb:use rfc2307 = yes" in my smb.conf
>>> > (it gets added automatically with the classicupgrade and I always
>>> > provision my "clean" test setup with "--use-rfc2307"). That actually
>>> > works fine - the rfc2307 attributes are there and I can modify them in
>>> > ADUC. If I configure the server to use NSS+LDAP for authentication, my
>>> > users' uid number, gid number, shell, etc are what I have specified
>>> > in ADUC. When I try using winbind, it is not using the rfc2307
>>> > information from AD.
>>>
>>> That's odd, but remember that only the UID and GID values will be used
>>> (not the shell or homedir, which is handled in a different bit of the
>>> code). However, your output below clearly shows that isn't
>>> happening :-(
>>>
>>> > > Here I have NSS+LDAP configured and getent reports the correct uidNumber
>>> > > and gidNumber that I have specified in AD (rfc2307 attributes):
>>> > >
>>> > > root at ALW1:~# getent passwd | grep tuser
>>> > > tuser1:*:10005:10000:Test User1:/home/tuser1:/bin/sh
>>> > > tuser2:*:10006:10000:Test User2:/home/tuser2:/bin/sh
>>> > > tuser3:*:10007:10000:Test User3:/home/tuser3:/bin/sh
>>> > >
>>> > > Here (DC) I am using winbind for authentication, and getent does not report
>>> > > the correct uidNumber and gidNumber:
>>> > >
>>> > > [root at ADC1 ~]# getent passwd | grep tuser
>>> > > TESTDOM\tuser1:*:3000025:100:Test User1:/home/tuser1:/bin/sh
>>> > > TESTDOM\tuser2:*:3000026:100:Test User2:/home/tuser2:/bin/sh
>>> > > TESTDOM\tuser3:*:3000027:100:Test User3:/home/tuser3:/bin/sh
>>> >
>>> As a test, can you set 'acl:search=false' and see if it makes a
>>> difference?
>>>
>>> > Initially, "idmap_ldb:use rfc2307 = yes" was the only idmap related
>>> > entry in my smb.conf. When that did not work I tried a bunch of other
>>> > "idmap config DOMAIN" settings.
>>>
>>> The code that handles that isn't hooked up yet. I'm hoping someone will
>>> take this on for 4.1.
>>>
>>> > Again, if this simply does not work at this time, I can use NSS and
>>> > LDAP for logins on my DCs. With my S3 setup, I've always used LDAP for
>>> > auth on *nix systems and am not terribly familiar with winbind, so I
>>> > just want to make sure I'm not missing something. My next test will be
>>> > setting up a member server. Can you tell me what entries I will need
>>> > in my smb.conf to have winbind use the rfc2307 information from my S4
>>> > DC on member servers?
>>>
>>> I don't recall the exact settings right now, but for member servers it
>>> is the same as for a Windows AD domain (yes, I think this should be more
>>> automatic).
>>>
>>> In terms of using nss_ldap on the DC, the only concern I have is that
>>> the [homes] share might not work if you do that. Our DC code mostly
>>> avoids calling into nss, but that particular area does do it, and really
>>> does expect that nss_winbind is being used.
>>>
>>> For that reason, we generally suggest separation between the DC and
>>> other roles as the best way out of this situation.
>>>
>>> Andrew Bartlett
>>>
>>> --
>>> Andrew Bartlett
>>> http://samba.org/~abartlet/
>>> Authentication Developer, Samba Team http://samba.org
>>>
>>>
>>>
>>
>
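The 4294967295 ids in the member-server output above are (uid_t)-1, winbind's "could not map this SID" value. The following shell example is added here and is not code from the thread or from the Samba project; it flags such entries in passwd-style output and checks the posted idmap lines against two assumptions: that the module reading RFC2307 uidNumber/gidNumber is idmap_ad (selected with backend = ad, whereas the posted config says ads), and that winbind also needs an "idmap config * :" default block with its own range for SIDs outside the AD domain.

```shell
#!/bin/sh
# Added example, not code from the thread. 4294967295 is (uid_t)-1, the value
# winbind returns when no idmap backend could map a SID; every user getting it
# points at the idmap configuration, not at the RFC2307 data in AD.
UNMAPPED=4294967295
# idmap modules the author knows to exist in Samba 4.0 (assumption: check the
# idmap_* man pages of the version actually installed).
KNOWN_BACKENDS="ad autorid hash ldap nss rid tdb tdb2"

# Print "name uid gid" for each passwd-style line on stdin with an unmapped id.
unmapped_entries() {
    awk -F: -v bad="$UNMAPPED" '$3 == bad || $4 == bad { print $1, $3, $4 }'
}
count_unmapped() { unmapped_entries | wc -l | tr -d ' '; }

# Read an smb.conf on stdin and report the two idmap problems visible in this
# thread: a backend name Samba has no module for, and no "idmap config * :"
# default block (winbind needs it for SIDs outside TESTDOM, e.g. BUILTIN).
# Prints nothing when the config passes.
check_idmap_conf() {
    conf=$(cat)
    printf '%s\n' "$conf" |
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:[[:space:]]*backend[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1 \2/p' |
    while read -r dom backend; do
        case " $KNOWN_BACKENDS " in
            *" $backend "*) ;;
            *) echo "unknown idmap backend '$backend' for domain '$dom'" ;;
        esac
    done
    printf '%s\n' "$conf" | grep -q '^[[:space:]]*idmap config[[:space:]]*\*[[:space:]]*:' ||
        echo "no 'idmap config * :' default domain block"
}

# Constructed sample input modelled on the getent output in the thread.
SAMPLE_PASSWD='tuser1:*:4294967295:4294967295:Test User1:/home/tuser1:/bin/sh
tuser2:*:10006:10000:Test User2:/home/tuser2:/bin/sh
tuser3:*:4294967295:10000:Test User3:/home/tuser3:/bin/sh'
# The member server idmap lines as posted, and a corrected set that names the
# idmap_ad module (backend = ad) and adds a tdb default domain in a disjoint range.
POSTED_CONF='idmap config TESTDOM:backend = ads
idmap config TESTDOM:schema_mode = rfc2307
idmap config TESTDOM:range = 1000-999999'
FIXED_CONF='idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config TESTDOM : backend = ad
idmap config TESTDOM : schema_mode = rfc2307
idmap config TESTDOM : range = 1000-999999'
printf '%s\n' "$SAMPLE_PASSWD" | unmapped_entries
printf '%s\n' "$POSTED_CONF" | check_idmap_conf
```

On a live member server, feed it `getent passwd | check...`-style input with `getent passwd | unmapped_entries` and `check_idmap_conf < /etc/samba/smb.conf`; the tdb default range is kept disjoint from the AD range so generated ids can never collide with RFC2307 ones.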