[Samba] How is winbindd working on DC/member? It ignores rfc2307 on the DC, and does not show all users on the member server... Where is the error?

Alex Wakizashi alex at wakizashi.info
Mon Oct 28 05:54:03 MDT 2013

Hi all,

Still looking for the best way to achieve consistent GID/UID mapping
on Linux servers/clients in a heterogeneous environment (Linux,
Windows, CIFS, NFS).
Current problems with UID/GID resolution prevent using Samba4 in an
environment with backups (where data may be restored on another
server) and mixed Linux/Windows workstations.

I just recently installed a fresh Samba 4.1.0 on the server as a DC, and
I am completely confused by how winbind works.

DC provisioned as:

samba-tool domain provision --use-rfc2307 --domain=SAMBA \
    --realm=samba.local.net --adminpass='<Password>' \
    --dns-backend=BIND9_DLZ --server-role=dc

DNS is configured, Kerberos too, kinit/klist are working fine.

Samba and NSS configuration:

--- smb.conf ---
# Global parameters
[global]
    workgroup = SAMBA
    realm = samba.local.net
    netbios name = NAS
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307 = yes

# The share section headers were lost in the list archive; the names
# below are the ones samba-tool provision writes for these two paths.
[netlogon]
    path = /var/lib/samba/sysvol/samba.local.net/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
--- smb.conf ---

--- nsswitch.conf ---
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
--- nsswitch.conf ---

I have created a new user:

samba-tool user add Wakizashi --use-username-as-cn --given-name=Alex \
    --surname=Wakizashi --uid-number=1001

And modified the RFC attributes; result:

root at nas:~# ldbsearch -k yes -H ldap://nas \
    "(sAMAccountName=wakizashi)" sAMAccountName uid loginShell
# record 1
dn: CN=Wakizashi,CN=Users,DC=samba,DC=local,DC=net
sAMAccountName: Wakizashi
unixHomeDirectory: /home/wakizashi
uid: wakizashi
loginShell: /bin/bash


1. Just after the Samba install, "id" reported no user "wakizashi"; after
a reboot it started to resolve both "Wakizashi" and "wakizashi", as well
as "Administrator", etc.

2. I can see users in the domain, but it seems like winbindd ignores the
rfc2307 attributes:
- cut -
root at nas:~# getent passwd
nslcd:x:108:113:nslcd name service LDAP connection
SAMBA\Wakizashi:*:1001:100:Alex Wakizashi:/home/SAMBA/Wakizashi:/bin/false
- cut -

So, as you can see, there are rfc2307 attributes: uid, shell and home
directory, but winbindd just ignores these and uses the crazy
"SAMBA\wakizashi" username, the wrong home directory and the wrong shell.

3. Still, some group IDs are not resolvable:
root at nas:~# ls -la /var/lib/samba/sysvol/
total 20
drwxrwx---+  3 SAMBA\Administrator 3000000 4096 Oct 28 03:09 .
drwxr-xr-x  10 SAMBA\Administrator root    4096 Oct 28 03:09 ..
drwxrwx---+  4 SAMBA\Administrator 3000000 4096 Oct 28 03:09 samba.local.net

As I can see, there is GID 3000000. What is it?

root at nas:~# wbinfo -s `wbinfo -G 3000000 `
BUILTIN\Administrators 4

So, why is this not resolved by winbindd?

Same with ACL:

root at nas:~# getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000

Why there are unresolved GIDs?

root at nas:~# wbinfo -s `wbinfo -G 3000001 `
BUILTIN\Server Operators 4
root at nas:~# wbinfo -s `wbinfo -G 3000002 `
root at nas:~# wbinfo -s `wbinfo -G 3000003 `
NT AUTHORITY\Authenticated Users 5

4. Ok, let's try winbind on a member server.

I have installed CHEETAH with the following config (just from the Wiki):

--- smb.conf AD member ---
[global]
   workgroup = SAMBA
   security = ADS
   realm = SAMBA.LOCAL.NET
   encrypt passwords = yes

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SAMBA:backend = ad
   idmap config SAMBA:schema_mode = rfc2307
   idmap config SAMBA:range = 3000000-4000000

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes

# section header lost in the list archive; the log below shows smbd
# processing section "[test]"
[test]
   path = /home/test
   read only = no

--- smb.conf AD member ---

Services have been forcibly restarted, to make sure that everything
has been reloaded.

root at cheetah:~# getent passwd
gdm:x:110:115:Gnome Display Manager:/var/lib/gdm:/bin/false
avahi:x:111:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
libvirt-qemu:x:113:121:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
nslcd:x:115:125:nslcd name service LDAP connection

Hmmm... Where is "Administrator"? Where is "krbtgt"?

BTW, Guest has all the needed rfc2307 attributes, as do the other
users, so it is supposed to get its shell and homedir correctly... But even in
this case it's not resolvable by the system:

root at cheetah:~# id guest
id: guest: No such user
root at cheetah:~# id administrator
id: administrator: No such user
root at cheetah:~# id SAMBA\\Guest
id: SAMBA\Guest: No such user
root at cheetah:~# id SAMBA\\guest
id: SAMBA\guest: No such user

Even worse, no user is visible at all, not even the "Guest", which is in "getent passwd".

And of course, here is the issue with denying access to Administrator
(and other users too, except "wakizashi", which is available locally
from /etc/passwd):

[2013/10/28 15:32:44.525754,  3]
  Doing spnego session setup
[2013/10/28 15:32:44.525773,  3]
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2013/10/28 15:32:44.538199,  3]
  Found account name from PAC: Wakizashi [Alex Wakizashi]
[2013/10/28 15:32:44.538250,  3]
  Kerberos ticket principal name is [wakizashi at SAMBA.LOCAL.NET]
[2013/10/28 15:32:44.538419,  3] ../source3/param/loadparm.c:4838(lp_load_ex)
  lp_load_ex: refreshing parameters
[2013/10/28 15:32:44.538489,  3] ../source3/param/loadparm.c:750(init_globals)
  Initialising global parameters
[2013/10/28 15:32:44.538546,  3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2013/10/28 15:32:44.538563,  3] ../source3/param/loadparm.c:3564(do_section)
  Processing section "[global]"
[2013/10/28 15:32:44.538719,  2] ../source3/param/loadparm.c:3581(do_section)
  Processing section "[test]"
[2013/10/28 15:32:44.538761,  3] ../source3/param/loadparm.c:1773(lp_add_ipc)
  adding IPC service
[2013/10/28 15:32:44.539384,  3]
  Adding homes service for user 'wakizashi' using home directory:
[2013/10/28 15:32:44.539627,  3] ../source3/smbd/process.c:1795(process_smb)
  Transaction 2 of length 84 (0 toread)
[2013/10/28 15:32:44.539667,  3] ../source3/smbd/process.c:1398(switch_message)
  switch message SMBtconX (pid 15953) conn 0x0
[2013/10/28 15:32:44.539796,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from cheetah (
[2013/10/28 15:32:44.539879,  3]
  Connect path is '/tmp' for service [IPC$]
[2013/10/28 15:32:44.539944,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2013/10/28 15:32:44.539987,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2013/10/28 15:32:44.540102,  3]
  cheetah (ipv4: connect to service IPC$ initially as
user wakizashi (uid=1001, gid=100) (pid 15953)
[2013/10/28 15:35:11.002140,  3]
  Doing spnego session setup
[2013/10/28 15:35:11.002169,  3]
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2013/10/28 15:35:11.014682,  3]
  Found account name from PAC: Administrator []
[2013/10/28 15:35:11.014726,  3]
  Kerberos ticket principal name is [administrator at SAMBA.LOCAL.NET]
[2013/10/28 15:35:11.032130,  1]
  Username SAMBA\administrator is invalid on this system
[2013/10/28 15:35:11.032176,  1]
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2013/10/28 15:35:11.032209,  1]
  Failed to generate session_info (user and group token) for session
[2013/10/28 15:35:11.032288,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(279) cmd=115
[2013/10/28 15:35:11.032927,  3]
  Server exit (failed to receive smb request)

Could someone please explain how to set up Samba correctly, at
least to provide users/groups on the DC and member servers?

So far, the default installation and documentation do not provide a
reasonable way to get a working environment...

I'm completely lost with it. Sometimes it works, sometimes not.

Yes, there is a way with nslcd, but it's just a workaround, requiring
additional scripts... But how to make SAMBA work just with its
standard services, like winbindd?

And of course, if there is anything I can do for the Samba team, I
will be glad to help. Hope to see SAMBA replacing Windows Server and
AD completely :)
The issues mentioned above are reproducible on my virtual machines
(Debian Wheezy); I may provide access to these if needed.
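The following is an added diagnostic, not code from the post above or from the Samba project. It cross-checks three things the post compares by hand: the RFC 2307 attributes stored in AD (as printed by ldbsearch), what NSS/winbind actually returns (getent passwd), and the idmap ranges configured in the member server's smb.conf. All inputs are constructed from values quoted in the post; the `uidNumber: 1001` line in the sample ldbsearch record is taken from the `--uid-number=1001` used at creation, not from the quoted ldbsearch output, which did not request that attribute. The range check matters because idmap_ad(8) documents its `range` as a filter: uidNumber/gidNumber values stored in AD that fall outside it are ignored, so an account with uidNumber 1001 cannot be mapped through a SAMBA range of 3000000-4000000, and an ID inside that range can only resolve if a matching uidNumber/gidNumber exists in AD.

```python
"""Cross-check AD RFC 2307 attributes, NSS output and smb.conf idmap ranges.
Added example (not part of the original post). All sample data below is
constructed from values quoted in the mailing-list message."""
import re
from dataclasses import dataclass

# Constructed: ldbsearch-style record for the user created in the post.
# uidNumber is assumed from the --uid-number=1001 creation option.
LDB_OUTPUT = """\
dn: CN=Wakizashi,CN=Users,DC=samba,DC=local,DC=net
sAMAccountName: Wakizashi
uidNumber: 1001
unixHomeDirectory: /home/wakizashi
uid: wakizashi
loginShell: /bin/bash
"""

# Constructed: the two `getent passwd` lines shown on the DC (the nslcd
# line is truncated exactly as in the post, so it must be skipped).
GETENT_OUTPUT = """\
nslcd:x:108:113:nslcd name service LDAP connection
SAMBA\\Wakizashi:*:1001:100:Alex Wakizashi:/home/SAMBA/Wakizashi:/bin/false
"""

# Constructed: the idmap lines from the member server's smb.conf.
SMB_CONF = """\
[global]
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SAMBA:backend = ad
   idmap config SAMBA:schema_mode = rfc2307
   idmap config SAMBA:range = 3000000-4000000
"""


@dataclass
class Mapping:
    backend: str
    low: int
    high: int


def parse_idmap_config(conf):
    """Collect 'idmap config DOM:backend' and 'idmap config DOM:range' lines."""
    pat = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$")
    backends, ranges = {}, {}
    for line in conf.splitlines():
        m = pat.match(line)
        if not m:
            continue
        dom, key, val = m.groups()
        if key == "backend":
            backends[dom] = val
        else:
            low, high = (int(x) for x in val.split("-"))
            ranges[dom] = (low, high)
    return {d: Mapping(backends.get(d, "?"), *ranges[d]) for d in ranges}


def classify_id(xid, mappings):
    """Return the idmap domain whose configured range contains xid, else None."""
    for dom, m in mappings.items():
        if m.low <= xid <= m.high:
            return dom
    return None


def parse_ldb(text):
    """Parse blank-line separated 'attr: value' records, keyed by lowercase sAMAccountName."""
    users, cur = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if "samaccountname" in cur:
                users[cur["samaccountname"].lower()] = cur
            cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, val = line.partition(": ")
        cur[attr.lower()] = val
    return users


def parse_getent(text):
    """Parse passwd(5) lines; key on the name without any DOMAIN\\ prefix, lowercased."""
    out = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # truncated or garbled line; cannot be compared reliably
        name, _, uid, gid, _, home, shell = fields
        out[name.split("\\")[-1].lower()] = {
            "uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return out


def check_users(ldb_users, nss_users, mappings):
    """List every place where NSS disagrees with AD or an AD ID cannot be mapped."""
    problems = []
    pairs = (("uidnumber", "uid"), ("unixhomedirectory", "home"), ("loginshell", "shell"))
    for key, ad in ldb_users.items():
        nss = nss_users.get(key)
        if nss is None:
            problems.append(f"{key}: present in AD, not returned by NSS")
            continue
        for ad_attr, nss_key in pairs:
            if ad_attr in ad and str(nss[nss_key]) != ad[ad_attr]:
                problems.append(f"{key}: {ad_attr}={ad[ad_attr]} in AD, NSS returned {nss[nss_key]}")
        if "uidnumber" in ad and classify_id(int(ad["uidnumber"]), mappings) is None:
            problems.append(f"{key}: uidNumber {ad['uidnumber']} is outside every configured idmap range")
    return problems


if __name__ == "__main__":
    mappings = parse_idmap_config(SMB_CONF)
    for p in check_users(parse_ldb(LDB_OUTPUT), parse_getent(GETENT_OUTPUT), mappings):
        print("PROBLEM:", p)
    # The unresolved GID from the post: inside the SAMBA (ad) range, so it
    # resolves on the member only if a matching gidNumber exists in AD.
    print("3000000 belongs to idmap domain:", classify_id(3000000, mappings))
```

On a real host, replace the three constructed strings with the output of `ldbsearch ... sAMAccountName uidNumber unixHomeDirectory loginShell`, `getent passwd` and the actual smb.conf; the report then shows, per account, which attribute winbind is not honouring and which IDs fall outside the ranges the configured backends are allowed to map.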


