[Samba] User home directory UID:GID incorrect on VM Samba 4 AD client

Paul R. Ganci ganci at nurdog.com
Tue Oct 22 00:43:10 MDT 2013

I have a problem that has me completely perplexed. I have a home samba 
4.0.10 (sernet-samba-4.0.10-5) AD server setup on a DELL 2950III running 
CentOS 6.4. On my network I have another 2950iii with CentOS 6.4 used as 
a NAS box, 2 CentOS 6.4 desktops, 1 Windows XP PRO box, 1 Windows 7 PRO 
laptop and 1 CentOS 6.4 VM (on the Dell 2950iii AD server) all joined to 
the domain. For the NAS box, 2 desktops and Windows box everything works 
perfectly. I can authenticate, mount via autofs the home directories, 
use roaming profiles, manage the AD from the Windows boxes... everything 
is just fine. However on the CentOS guest on the 2950iii which provides 
the samba 4 AD server the domain user's home directory UID:GID are 
coming up as "nobody:nobody" instead of "username:domain users".

Some debug on the VM I have tried follows (I have truncated output where 
appropriate and replaced actual domain names with fakes):

 > ps auxww
root     19777  0.0  0.0 399424  7676 ?        Ss   Oct20   0:02 
/usr/sbin/smbd -D
root     19806  0.0  0.0 399424  3548 ?        S    Oct20   0:00 
/usr/sbin/smbd -D
root     19977  0.0  0.0 297212  2784 ?        Ss   Oct20   0:01 
/usr/sbin/nmbd -D
root     20173  0.0  0.0 361488  6724 ?        Ss   Oct20   0:00 
/usr/sbin/winbindd -D
root     20175  0.0  0.1 393136  8380 ?        S    Oct20   0:00 
/usr/sbin/winbindd -D
root     20368  0.0  0.0 361936  4140 ?        S    Oct21   0:00 
/usr/sbin/winbindd -D
root     20369  0.0  0.0 361560  4272 ?        S    Oct21   0:00 
/usr/sbin/winbindd -D
root     27394  0.0  0.0 363936  4132 ?        S    00:00   0:00 
/usr/sbin/winbindd -D

 > getent passwd
ganci:*:3001106:3000513:Paul R. Ganci:/home/ganci:/bin/bash

 > getent group
roaming profile and folder redirection users:x:3001115:ganci,administrator
allowed rodc password replication group:x:3000571:
enterprise read-only domain controllers:x:3000498:
denied rodc password replication group:x:3000572:krbtgt
read-only domain controllers:x:3000521:
group policy creator owners:x:3000520:administrator
ras and ias servers:x:3000553:
domain controllers:x:3000516:
enterprise admins:x:3000519:administrator
domain computers:x:3000515:
cert publishers:x:3000517:
domain admins:x:3000512:administrator
domain guests:x:3000514:
schema admins:x:3000518:administrator
domain users:x:3000513:

 > wbinfo -u

 > wbinfo -g
roaming profile and folder redirection users
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
domain admins
domain guests
schema admins
domain users

 > klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@MYFAKE.FAKE.COM

Valid starting     Expires            Service principal
10/22/13 00:03:53  10/22/13 10:03:53 krbtgt/MYFAKE.FAKE.COM@MYFAKE.FAKE.COM
         renew until 10/29/13 00:03:46

 > cd ~ganci
 > ls -alt /home
total 12
drwxr-xr-x  72 nobody  nobody  4096 Oct 22 00:08 ganci
drwxr-xr-x    3 nobody  nobody        0 Oct 21, 23:59 .
dr-xr-xr-x.   25 root       root       4096 Oct 19 19:28 ..

On my working desktop the above commands give:

 > cd ~ganci
 > ls -alt /home
total 12
drwxr-xr-x  72 ganci domain users 4096 Oct 22 00:08 ganci
drwxr-xr-x   3  root   root                     0 Oct 21 00:19 .
dr-xr-xr-x. 26  root    root               4096 Oct 21 00:18 ..

The only thing that is screwed up is the VM client thinks nobody:nobody 
owns the user files and directories. Needless to say that means nothing 
really works for domain users who log on to the VM. I have copied (at 
least 3 times now) all the configuration from a working CentOS 6.4 
desktop to the VM and no matter what I do I cannot get the VM to see 
the proper UID/GID for domain user home directories.

Here are the configs on my CentOS 6.4 VM:


    workgroup = MYFAKE
    realm = MYFAKE.FAKE.COM
    server string =WWW Samba Version %v
    netbios name = WWW
    security = ads
    idmap_ldb:use rfc2307 = yes
    idmap config *:backend = tdb
    idmap config *:range = 1000000-2999999
    idmap config MYFAKE:backend = rid
    idmap config MYFAKE:schema_mode = rfc2307
    idmap config MYFAKE:range = 3000000-40000000
    winbind use default domain = true
    winbind offline logon = false
    winbind enum groups = yes
    winbind enum users = yes
    template homedir = /home/%U
    template shell = /bin/bash

# File: /etc/krb5.conf
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = MYFAKE.FAKE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true

[realms]
  MYFAKE.FAKE.COM = {
   kdc =dc.myfake.fake.com
   admin_server = dc.myfake.fake.com
  }

[domain_realm]
  .myfake.fake.com = MYFAKE.FAKE.COM
  myfake.fake.com = MYFAKE.FAKE.COM

# File: /etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns


# File: /etc/auto.home
*       -acl dc.myfake.fake.com:/home/&

Can anyone think of something I am missing? I believe the VM 
configuration is the same as all my other Linux boxes. They work and the 
VM does not. Is there a limitation with a CentOS VM as a Samba 4 AD 
client? If anyone would like to see any other config or command output I 
would be happy to oblige. And thank you for any insight you can provide. 
I am at my wit's end on this one and appreciate any thoughts. I can't 
help but think I overlooked something on the VM that I did properly on 
all the other Linux boxes.
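Because /home on the VM is autofs-mounted from dc.myfake.fake.com, the owner that ls prints is whatever the NFS client side resolves, so a useful first check is whether the numeric owner on the mount is really 99 (nobody) or simply an ID the VM cannot name. The following Python check is an added example, not part of the post: it reproduces the deterministic mapping of the rid idmap backend (ID = range low + RID, which gives the 3001106 and 3000513 seen in getent above) and compares it with the numeric owner reported by ls -ln. The SID and the ls -ln lines are constructed samples, and the nobody UID of 99 is assumed from CentOS 6 defaults.

```python
import re

RANGE_LOW, RANGE_HIGH = 3000000, 40000000   # idmap config MYFAKE:range (from the post)
NOBODY_UID = 99                              # 'nobody' on CentOS 6 (assumption)
NFSNOBODY_UID = 65534                        # 'nfsnobody', the NFS anonymous owner


def rid_backend_id(sid: str, low: int = RANGE_LOW, high: int = RANGE_HIGH) -> int:
    """Map a domain SID to a Unix ID the way idmap_rid does: ID = low + RID."""
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    unix_id = low + int(m.group(1))
    if not low <= unix_id <= high:
        raise ValueError(f"RID {m.group(1)} maps outside the idmap range")
    return unix_id


def parse_passwd_line(line: str):
    """Return (name, uid, gid) from one 'getent passwd' line."""
    name, _pw, uid, gid, *_ = line.strip().split(":")
    return name, int(uid), int(gid)


def parse_ls_ln(line: str):
    """Return (entry, uid, gid) from one 'ls -ln' line (numeric owner/group)."""
    parts = line.split()
    return parts[-1], int(parts[2]), int(parts[3])


def diagnose(passwd_line: str, ls_ln_line: str) -> str:
    """Classify how the on-disk owner relates to the winbind-resolved IDs."""
    _name, uid, gid = parse_passwd_line(passwd_line)
    _entry, disk_uid, disk_gid = parse_ls_ln(ls_ln_line)
    if (disk_uid, disk_gid) == (uid, gid):
        return "ok"            # mount shows the same IDs winbind resolves
    if disk_uid in (NOBODY_UID, NFSNOBODY_UID):
        return "squashed"      # client sees an anonymous owner, not an unmapped ID
    return "mismatch"          # some other ID: idmap ranges differ between hosts


if __name__ == "__main__":
    # Constructed sample: the SID suffix 1106 matches the UID 3001106 in the post.
    print(rid_backend_id("S-1-5-21-1-2-3-1106"))
    print(diagnose("ganci:*:3001106:3000513:Paul R. Ganci:/home/ganci:/bin/bash",
                   "drwxr-xr-x 72 99 99 4096 Oct 22 00:08 ganci"))
```

Run `ls -ln /home` on both the VM and a working desktop and feed the lines in; "squashed" points at the NFS side of the mount, "mismatch" at differing idmap configuration.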


