[Samba] User home directory UID:GID incorrect on VM Samba 4 AD client
Paul R. Ganci
ganci at nurdog.com
Tue Oct 22 00:43:10 MDT 2013
I have a problem that has me completely perplexed. I have a home samba
4.0.10 (sernet-samba-4.0.10-5) AD server setup on a DELL 2950III running
CentOS 6.4. On my network I have another 2950iii with CentOS 6.4 used as
a NAS box, 2 CentOS 6.4 desktops, 1 Windows XP PRO box, 1 Windows 7 PRO
laptop and 1 CentOS 6.4 VM (on the Dell 2950iii AD server) all joined to
the domain. For the NAS box, 2 desktops and Windows box everything works
perfectly. I can authenticate, mount via autofs the home directories,
use roaming profiles, manage the AD from the Windows boxes... everything
is just fine. However on the CentOS guest on the 2950iii which provides
the samba 4 AD server the domain user's home directory UID:GID are
coming up as "nobody:nobody" instead of "username:domain users".
Some debug on the VM I have tried follows (I have truncated output where
appropriate and replaced actual domain names with fakes):
> ps auxww
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 19777 0.0 0.0 399424 7676 ? Ss Oct20 0:02 /usr/sbin/smbd -D
root 19806 0.0 0.0 399424 3548 ? S Oct20 0:00 /usr/sbin/smbd -D
root 19977 0.0 0.0 297212 2784 ? Ss Oct20 0:01 /usr/sbin/nmbd -D
root 20173 0.0 0.0 361488 6724 ? Ss Oct20 0:00 /usr/sbin/winbindd -D
root 20175 0.0 0.1 393136 8380 ? S Oct20 0:00 /usr/sbin/winbindd -D
root 20368 0.0 0.0 361936 4140 ? S Oct21 0:00 /usr/sbin/winbindd -D
root 20369 0.0 0.0 361560 4272 ? S Oct21 0:00 /usr/sbin/winbindd -D
root 27394 0.0 0.0 363936 4132 ? S 00:00 0:00 /usr/sbin/winbindd -D
> getent passwd
administrator:*:3000500:3000513:Administrator:/home/administrator:/bin/bash
ganci:*:3001106:3000513:Paul R. Ganci:/home/ganci:/bin/bash
krbtgt:*:3000502:3000513:krbtgt:/home/krbtgt:/bin/bash
guest:*:3000501:3000514:Guest:/home/guest:/bin/bash
> getent group
roaming profile and folder redirection users:x:3001115:ganci,administrator
allowed rodc password replication group:x:3000571:
enterprise read-only domain controllers:x:3000498:
denied rodc password replication group:x:3000572:krbtgt
read-only domain controllers:x:3000521:
group policy creator owners:x:3000520:administrator
ras and ias servers:x:3000553:
domain controllers:x:3000516:
enterprise admins:x:3000519:administrator
domain computers:x:3000515:
cert publishers:x:3000517:
dnsupdateproxy:x:3001103:
domain admins:x:3000512:administrator
domain guests:x:3000514:
schema admins:x:3000518:administrator
domain users:x:3000513:
dnsadmins:x:3001102:
> wbinfo -u
administrator
ganci
krbtgt
guest
> wbinfo -g
roaming profile and folder redirection users
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
> klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@MYFAKE.FAKE.COM
Valid starting Expires Service principal
10/22/13 00:03:53 10/22/13 10:03:53 krbtgt/MYFAKE.FAKE.COM@MYFAKE.FAKE.COM
renew until 10/29/13 00:03:46
> cd ~ganci
> ls -alt /home
total 12
drwxr-xr-x 72 nobody nobody 4096 Oct 22 00:08 ganci
drwxr-xr-x 3 nobody nobody 0 Oct 21, 23:59 .
dr-xr-xr-x. 25 root root 4096 Oct 19 19:28 ..
On my working desktop the above commands give:
> cd ~ganci
> ls -alt /home
total 12
drwxr-xr-x 72 ganci domain users 4096 Oct 22 00:08 ganci
drwxr-xr-x 3 root root 0 Oct 21 00:19 .
dr-xr-xr-x. 26 root root 4096 Oct 21 00:18 ..
The only thing that is screwed up is the VM client thinks nobody:nobody
owns the user files and directories. Needless to say that means nothing
really works for domain users who log on to the VM. I have copied (at
least 3 times now) all the configuration from a working CentOS 6.4
desktop to the VM and no matter what I do I can not get the VM to see
the proper UID/GID for domain user home directories.
Here are the configs on my CentOS 6.4 VM:
/etc/samba/smb.conf:
[global]
workgroup = MYFAKE
realm = MYFAKE.FAKE.COM
server string =WWW Samba Version %v
netbios name = WWW
security = ads
idmap_ldb:use rfc2307 = yes
idmap config *:backend = tdb
idmap config *:range = 1000000-2999999
idmap config MYFAKE:backend = rid
idmap config MYFAKE:schema_mode = rfc2307
idmap config MYFAKE:range = 3000000-40000000
winbind use default domain = true
winbind offline logon = false
winbind enum groups = yes
winbind enum users = yes
template homedir = /home/%U
template shell = /bin/bash
/etc/krb4.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYFAKE.FAKE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
MYFAKE.FAKE.COM = {
kdc =dc.myfake.fake.com
admin_server = dc.myfake.fake.com
}
[domain_realm]
.myfake.fake.com = MYFAKE.FAKE.COM
myfake.fake.com = MYFAKE.FAKE.COM
/etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files nisplus nis dns
hosts: files dns
(truncated)
/etc/auto.home:
#
# File: /etc/auto.home
#
* -acl dc.myfake.fake.com:/home/&
Can anyone think of something I am missing? I believe the VM
configuration is the same as all my other Linux boxes. They work and the
VM does not. Is there a limitation with a CentOS VM as a Samba 4 AD
client? If anyone would like to see any other config or command output I
would be happy to oblige. And thank you for any insight you can provide.
I am at my wits' end on this one and appreciate any thoughts. I can't
help but think I overlooked something on the VM that I did properly on
all the other Linux boxes.
--
Paul
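
Added example (not part of the original post): a check that compares the numeric owner of each home directory with the UID:GID that winbind returns through getent passwd, so the same comparison can be run on output captured from the VM and from a working desktop. The sample data is constructed from the post's output; the value 65534 for nobody and the script name check_homes.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Input 1: lines in `getent passwd` format (name:pw:uid:gid:gecos:home:shell)
# Input 2: lines in `stat -c '%u:%g:%n' /home/*` format (uid:gid:path)
# Assumes home paths contain no ':' character.

# Constructed samples modelled on the post. 65534 for "nobody" is an
# assumption; the post shows only the names nobody:nobody, not the numbers.
SAMPLE_PASSWD='administrator:*:3000500:3000513:Administrator:/home/administrator:/bin/bash
ganci:*:3001106:3000513:Paul R. Ganci:/home/ganci:/bin/bash'
SAMPLE_OWNERS_VM='65534:65534:/home/ganci'
SAMPLE_OWNERS_DESKTOP='3001106:3000513:/home/ganci'

# Prints one verdict per directory; returns 1 if any owner differs from NSS.
check_home_owners() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -F: '
        $0 == "---" { owners = 1; next }   # separator between the two inputs
        NF < 3      { next }               # skip blank or malformed lines
        !owners     { name[$6] = $1; want[$6] = $3 ":" $4; next }
        {
            got = $1 ":" $2; path = $3
            if (!(path in want))
                printf "UNKNOWN %s fs=%s\n", path, got
            else if (got == want[path])
                printf "OK %s %s\n", path, name[path]
            else {
                printf "MISMATCH %s user=%s nss=%s fs=%s\n", path, name[path], want[path], got
                bad = 1
            }
        }
        END { exit bad + 0 }'
}

# Live use on a host (hypothetical script name): sh check_homes.sh --live
if [ "${1:-}" = "--live" ]; then
    check_home_owners "$(getent passwd)" "$(stat -c '%u:%g:%n' /home/*)"
fi
```

If the nss= values are identical on both hosts and only fs= differs, the two clients agree on the ID mapping and differ only in what the mounted file system reports.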