[Samba] Can't get idmap connected to AD unix attribs

Rowland Penny rpenny at f2s.com
Fri Jul 13 04:03:19 MDT 2012


On 13/07/12 07:10, Nick Triantos wrote:
> It turns out that setting idmap config * : ad was the cause of my failures. For some reason, that backend is not compiled into the Ubuntu packages (or at least, when I ran with debug = 3 for winbind, I saw that the backend 'ad' was failing to load).
>
> It does seem, from my very non-scientific study of the list over the past few days, that a large number of questions seem to be focused on connecting samba with AD. Hopefully this can be made more rock-solid in the future.
>
> regards,
> -Nick
>
> On Jul 11, 2012, at 10:50 AM, Rowland Penny wrote:
>
>> On 11/07/12 17:38, Nick Triantos wrote:
>>> Hi Rowland,
>>>
>>> Yes, I've added their unix attributes.
>>>
>>> It looks like there is a long-open bug in winbind/samba 3.6.x that may be causing the error below (https://bugzilla.samba.org/show_bug.cgi?id=8676). I'm now stuck behind that so I'm trying to downgrade to 3.5.x.
>>>
>>> regards,
>>> -Nick
>>>
>>> On Jul 11, 2012, at 7:05 AM, Rowland Penny wrote:
>>>
>>>> On 11/07/12 01:57, Nick Triantos wrote:
>>>>> Thanks Robert.
>>>>>
>>>>> I've tried switching over to the AD back-end (which does sound like what I want), but I still receive only the errors:
>>>>>     failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>
>>>>> I restarted both winbind and smbd after changing the config. Is there some cache I have to flush, or some other config that needs to be changed beyond the settings in smb.conf?
>>>>>
>>>>> thanks again!
>>>>> -Nick
>>>>>
>>>>> My updated smb.conf:
>>>>>
>>>>>     workgroup = CORP
>>>>>     security = ADS
>>>>>     #password server = 192.168.77.251
>>>>>     realm = CORP.MYCOMPANY.COM
>>>>>     allow trusted domains = yes
>>>>>     winbind use default domain = yes
>>>>>     winbind nested groups = YES
>>>>>     idmap config CORP : backend = ad
>>>>>     idmap config CORP : default = yes
>>>>>     idmap config CORP : schema_mode = rfc2307
>>>>>     idmap config CORP : range = 800 - 99999
>>>>>
>>>>>
>>>>> On Jul 10, 2012, at 7:27 AM, Robert Freeman-Day wrote:
>>>>>
>>>>>> Nick,
>>>>>>
>>>>>> I think what you may be looking for is the ad backend:
>>>>>>
>>>>>> https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
>>>>>>
>>>>>> Since you are using tdb in your config, it is using a local database
>>>>>> and allocates UID/GIDs on the fly...first come, first served.  So a
>>>>>> user may not get the same UID from one machine to the next.
>>>>>>
>>>>>> Robert
>>>>>>
>>>>>> On 07/10/2012 12:20 AM, Nick Triantos wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and
>>>>>>> Winbind to map userids and groups to the unix attributes in an AD
>>>>>>> 2008 server. I can see that when I perform an ldapsearch, I'm able
>>>>>>> to read the attributes, and for one of my accounts, the id should
>>>>>>> be 1001. However, when I run 'wbinfo -i <username>', I get back
>>>>>>> something like 920.
>>>>>>>
>>>>>>> At one point, I was setting the idmap range to start at 900, but
>>>>>>> I've since removed that from my config, and restarted winbindd and
>>>>>>> smbd. I've also tried to 'net cache flush'.
>>>>>>>
>>>>>>> I also see wbinfo -i <someuser> usually returns: failed to call
>>>>>>> wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user
>>>>>>> <someuser>
>>>>>>>
>>>>>>> The relevant parts of my smb.conf are below. I've tried patching
>>>>>>> this together from various tuts and help pages. Any guidance would
>>>>>>> be very helpful.
>>>>>>>
>>>>>>> thanks! -Nick
>>>>>>>
>>>>>>> [global]
>>>>>>> workgroup = CORP
>>>>>>> security = ADS
>>>>>>> password server = 192.168.77.251
>>>>>>> realm = CORP.MYCOMPANY.COM
>>>>>>> allow trusted domains = yes
>>>>>>> winbind use default domain = yes
>>>>>>> winbind nested groups = YES
>>>>>>> idmap config CORP : backend = tdb
>>>>>>> idmap config CORP : default = yes
>>>>>>> idmap config CORP : schema_mode = rfc2307
>>>>>>> idmap config CORP : range = 1000 - 9999
>>>>>>> idmap config * : backend = tdb
>>>>>>> encrypt passwords = true
>>>>>>> obey pam restrictions = yes
>>>>>>> client use spnego = yes
>>>>>>> client ntlmv2 auth = yes
>>>>>>> encrypt passwords = true
>>>>>>> restrict anonymous = 2
>>>>>>> unix password sync = yes
>>>>>>> winbind enum groups = yes
>>>>>>> winbind enum users = yes
>>>>>>> winbind nss info = rfc2307
>>>>>>>
>>>>>>>
>>>>>> -- 
>>>>>>
>>>>>> Robert Freeman-Day
>>>>>>
>>>>>> https://launchpad.net/~presgas
>>>>>> GPG Public Key:
>>>>>> http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
>>>>>>
>>>>>>
>>>> Hi, just a thought: have you added the RFC2307 uid/gid values to your users on the AD server? If you haven't, there will be nothing to find and it may throw the error that you are getting.
>>>>
>>>> Rowland
>>>>
>>>>
>>>> -- 
>>>> This message has been scanned for viruses and
>>>> dangerous content by MailScanner, and is
>>>> believed to be clean.
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>> I am playing about with this on a Xubuntu 12.04 client against a Samba4 server (Ubuntu 12.04 server) and it seems to be working for me (mostly).
>>
>> I have:
>>     winbind enum users = Yes
>>     winbind enum groups = Yes
>>     winbind use default domain = Yes
>>     winbind nss info = rfc2307
>>     winbind refresh tickets = Yes
>>     winbind normalize names = Yes
>>     idmap config HOME:schema_mode = rfc2307
>>     idmap config HOME:range = 210000-3100000
>>     idmap config HOME:backend = ad
>>     idmap config * : range = 210000-3100000
>>     idmap config * : backend = tdb
>>
>> in /etc/samba/smb.conf
>>
>> wbinfo -u returns all AD users
>> wbinfo -g returns all AD groups
>> getent passwd returns all local & AD unix users
>> getent group returns local users but no AD unix users, but
>> getent group linuxusers returns the AD info for the unix group
>>
>> Hope this helps.
>>
>> Rowland
>>
>>
>
>

Now you have got me confused. I am playing with samba4 on a test server 
& a virtual client. Samba4 version: Version 4.0.0beta3-GIT-ec737d9 
running on Ubuntu 12.04 server. The client is using the standard samba 
packages (Version 3.6.3) on xubuntu 12.04.

I initially had this in smb.conf on the client:

         idmap config * : backend = tdb
         idmap config * : range = 210000-3100000
         idmap config HOME:backend = ad
         idmap config HOME:range = 210000-3100000
         idmap config HOME:schema_mode = rfc2307

and getent passwd returned:

<usual local users>
rowland:*:3000019:3000018:rowland:/home/HOME/rowland:/bin/bash
(This is also what I get on the server from the same command)

I now think that is wrong: HOME is the server's domain and I should be 
using the client's name, XUBUNTU (please feel free to comment if this is 
wrong).

So, with this in smb.conf:

         idmap config * : backend = tdb
         idmap config * : range = 210000-3100000
         idmap config XUBUNTU:backend = ad
         idmap config XUBUNTU:range = 1100-50000
         idmap config XUBUNTU:schema_mode = rfc2307

getent passwd now returns:

<usual local users>
administrator:*:2100000:2100000:Administrator:/home/HOME/administrator:/bin/bash
nslcd-service:*:2100001:2100000:nslcd-service:/home/HOME/nslcd-service:/bin/bash
dns-adserver:*:2100002:2100000:dns-adserver:/home/HOME/dns-adserver:/bin/bash
nfs-user:*:2100003:2100000:nfs-user:/home/HOME/nfs-user:/bin/bash
rowland:*:2100004:2100001:rowland:/home/HOME/rowland:/bin/bash
krbtgt:*:2100005:2100000:krbtgt:/home/HOME/krbtgt:/bin/bash
guest:*:2100006:2100002:Guest:/home/HOME/guest:/bin/bash

rowland actually has the uidNumber 3000019 & gidNumber 3000018 in the 
samba4 database.
I can log in to the client as rowland (there is no user by that name in 
the local /etc/passwd file); the home directory for rowland is cifs 
mounted on /home/HOME/rowland and appears as the standard home in the 
GUI, so to me everything seems to work OK. I can find no mention of the 
problem you are having with the ad backend in any log files, so I can 
only think that you have not configured smb.conf correctly.

Can you please post the full smb.conf file that you have been using? I 
am no expert, but I am sure that somebody will be able to point out 
where you are possibly going wrong ;-)

Rowland

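As an added example (not from this thread or from the Samba project), a small Python checker for the idmap layout the messages above keep circling: it parses the `idmap config DOMAIN : key = value` lines, then flags a missing or read-only default domain, a workgroup with no idmap block of its own (which is what makes users fall through to `*` and receive tdb-allocated IDs like the 2100000+ ones above instead of their AD uidNumber/gidNumber), and overlapping ranges. The two sample configs are constructed from the thread, and Rowland's client workgroup is assumed to be HOME.

```python
import re
from collections import defaultdict

# "idmap config DOM : key = value"; the thread's configs vary spacing around ':' and '='.
IDMAP_RE = re.compile(r'^idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+)$', re.I)

def parse_smb_conf(text):
    """Return (workgroup, {domain: {key: value}}); '#' comments are dropped."""
    workgroup, domains = None, defaultdict(dict)
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = IDMAP_RE.match(line)
        if m:
            domains[m.group(1).upper()][m.group(2).lower()] = m.group(3).strip()
        elif line.lower().startswith('workgroup'):
            workgroup = line.split('=', 1)[1].strip().upper()
    return workgroup, dict(domains)

def check_idmap(text):
    """Return findings for the idmap layout; an empty list means it looks consistent."""
    workgroup, domains = parse_smb_conf(text)
    findings, ranges = [], {}
    default = domains.get('*', {})
    if 'backend' not in default or 'range' not in default:
        findings.append("'*': default domain needs both a backend and a range")
    elif default['backend'].lower() == 'ad':
        findings.append("'*': ad is read-only and cannot allocate IDs; use tdb here")
    if workgroup and workgroup not in domains:
        findings.append(f"{workgroup}: no domain-specific block, users fall through to '*' "
                        "and get allocated IDs instead of their AD uidNumber/gidNumber")
    for dom, cfg in domains.items():
        m = re.fullmatch(r'(\d+)\s*-\s*(\d+)', cfg.get('range', ''))
        if m and int(m.group(1)) < int(m.group(2)):
            ranges[dom] = (int(m.group(1)), int(m.group(2)))
        else:
            findings.append(f"{dom}: range missing or malformed")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:  # every pair of ranges must be disjoint
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"{a}/{b}: ranges overlap")
    return findings

# Constructed inputs modelled on the thread: Nick's updated config, and Rowland's second
# attempt that names the client (XUBUNTU) rather than the domain (workgroup assumed HOME).
NICK_CONF = "workgroup = CORP\nidmap config CORP : backend = ad\n" \
            "idmap config CORP : schema_mode = rfc2307\nidmap config CORP : range = 800 - 99999"
ROWLAND_CONF = ("workgroup = HOME\nidmap config * : backend = tdb\nidmap config * : range = 210000-3100000\n"
                "idmap config XUBUNTU:backend = ad\nidmap config XUBUNTU:range = 1100-50000")
```

Run `check_idmap(NICK_CONF)` and `check_idmap(ROWLAND_CONF)` to see the two findings; Rowland's first config (HOME and `*` sharing 210000-3100000) is reported as an overlap instead.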