[Samba] How winbindd is working on DC/member? It ignores rfc2703 on DC, and not showing all users on member server... Where is a error?

Alex Wakizashi alex at wakizashi.info
Mon Oct 28 07:22:30 MDT 2013


Hi Rowland,

At least on Debian Squeeze sssd is not working with Samba4 - it
complains about the wrong format of the databases.
After 2 days of trying to build S4 and sssd from Debian Unstable I've
dropped those hopeless efforts.

So, I need to have something without sssd.

Changing attributes, such as shell, from smb.conf is bad - because
some users need to have it, and some not.


2013/10/28 Rowland Penny <rowlandpenny at googlemail.com>:
> On 28/10/13 11:54, Alex Wakizashi wrote:
>>
>> Hi all,
>>
>> Still looking for the best way to achieve consistent GID/UID mapping
>> on Linux servers/clients, in heterogeneous environment (Linux,
>> Windows, CIFS, NFS).
>> Current problems with UID/GID resolution prevent using Samba4 in an
>> environment with backups (where data may be restored on another
>> server) and mixed Linux/Windows workstations.
>>
>> Just recently installed fresh Samba 4.1.0 on the server as DC, and
>> completely confused by how winbind is working.
>>
>> DC provisioned as:
>>
>> samba-tool domain provision --use-rfc2307 --domain=SAMBA
>> --realm=samba.local.net --adminpass='<Password>'
>> --dns-backend=BIND9_DLZ --server-role=dc
>>
>> DNS is configured, kerberos too, kinit/klist working fine.
>>
>> Samba and NSS configuration:
>>
>> --- smb.conf ---
>> # Global parameters
>> [global]
>>      workgroup = SAMBA
>>      realm = samba.local.net
>>      netbios name = NAS
>>      server role = active directory domain controller
>>      server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>> winbind, ntp_signd, kcc, dnsupdate
>>      idmap_ldb:use rfc2307 = yes
>>
>> [netlogon]
>>      path = /var/lib/samba/sysvol/samba.local.net/scripts
>>      read only = No
>>
>> [sysvol]
>>      path = /var/lib/samba/sysvol
>>      read only = No
>> --- smb.conf ---
>>
>> --- nsswitch.conf ---
>> passwd:         compat winbind
>> group:          compat winbind
>> shadow:         compat
>> hosts:          files dns
>> networks:       files
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>> netgroup:       nis
>> --- nsswitch.conf ---
>>
>> Have created new user:
>>
>> samba-tool user add Wakizashi --use-username-as-cn --given-name=Alex
>> --surname=Wakizashi --uid-number=1001
>>
>> And modified RFC attributes, result:
>>
>> root at nas:~# ldbsearch -k yes -H ldap://nas
>> "(sAMAccountName=wakizashi)" sAMAccountName uid loginShell
>> unixHomeDirectory
>> # record 1
>> dn: CN=Wakizashi,CN=Users,DC=samba,DC=local,DC=net
>> sAMAccountName: Wakizashi
>> unixHomeDirectory: /home/wakizashi
>> uid: wakizashi
>> loginShell: /bin/bash
>>
>> Problems:
>>
>> 1. Just after Samba install "id" reports no user "wakizashi", after
>> reboot it started to resolve both "Wakizashi" and "wakizashi", as well
>> as "Administrator", etc.
>>
>> 2. I can see users in the domain, but it seems like winbindd ignores the
>> rfc2703 attributes:
>> - cut -
>> root at nas:~# getent passwd
>> root:x:0:0:root:/root:/bin/bash
>> ....
>> ntp:x:107:112::/home/ntp:/bin/false
>> nslcd:x:108:113:nslcd name service LDAP connection
>> daemon,,,:/var/run/nslcd/:/bin/false
>> SAMBA\Administrator:*:0:100::/home/SAMBA/Administrator:/bin/false
>> SAMBA\Guest:*:3000011:3000012::/home/SAMBA/Guest:/bin/false
>> SAMBA\krbtgt:*:3000017:100::/home/SAMBA/krbtgt:/bin/false
>> SAMBA\dns-nas:*:3000018:100::/home/SAMBA/dns-nas:/bin/false
>> SAMBA\Wakizashi:*:1001:100:Alex Wakizashi:/home/SAMBA/Wakizashi:/bin/false
>> - cut -
>>
>> So, as you can see, there are rfc2703 attributes: uid, shell and home
>> directory, but winbindd just ignores these, and uses crazy
>> "SAMBA\wakizashi" username, wrong home directory, wrong shell.
>>
>> 3. Still some group IDs are not resolvable:
>> root at nas:~# ls -la /var/lib/samba/sysvol/
>> total 20
>> drwxrwx---+  3 SAMBA\Administrator 3000000 4096 Oct 28 03:09 .
>> drwxr-xr-x  10 SAMBA\Administrator root    4096 Oct 28 03:09 ..
>> drwxrwx---+  4 SAMBA\Administrator 3000000 4096 Oct 28 03:09
>> samba.local.net
>>
>> As I can see, there is GID 3000000. What is it?
>>
>> root at nas:~# wbinfo -s `wbinfo -G 3000000 `
>> BUILTIN\Administrators 4
>>
>> So, why is this not resolved by winbindd?
>>
>> Same with ACL:
>>
>> root at nas:~# getfacl /var/lib/samba/sysvol/
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/lib/samba/sysvol/
>> # owner: root
>> # group: 3000000
>> user::rwx
>> user:root:rwx
>> group::rwx
>> group:3000000:rwx
>> group:3000001:r-x
>> group:3000002:rwx
>> group:3000003:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:group::---
>> default:group:3000000:rwx
>> default:group:3000001:r-x
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:mask::rwx
>> default:other::---
>>
>> Why there are unresolved GIDs?
>>
>> root at nas:~# wbinfo -s `wbinfo -G 3000001 `
>> BUILTIN\Server Operators 4
>> root at nas:~# wbinfo -s `wbinfo -G 3000002 `
>> NT AUTHORITY\SYSTEM 5
>> root at nas:~# wbinfo -s `wbinfo -G 3000003 `
>> NT AUTHORITY\Authenticated Users 5
>>
>>
>> 4. Ok, let's try winbind on member server.
>>
>> Have installed CHEETAH with the following config (just from the Wiki):
>>
>> --- smb.conf AD member ---
>> [global]
>>
>>     workgroup = SAMBA
>>     security = ADS
>>     realm = SAMBA.LOCAL.NET
>>     encrypt passwords = yes
>>
>>     idmap config *:backend = tdb
>>     idmap config *:range = 70001-80000
>>     idmap config SAMBA:backend = ad
>>     idmap config SAMBA:schema_mode = rfc2307
>>     idmap config SAMBA:range = 3000000-4000000
>>
>>     winbind nss info = rfc2307
>>     winbind trusted domains only = no
>>     winbind use default domain = yes
>>     winbind enum users  = yes
>>     winbind enum groups = yes
>>
>> [test]
>>     path = /home/test
>>     read only = no
>>
>> --- smb.conf AD member ---
>>
>> Services have been forcibly restarted to make sure that everything
>> has been reloaded.
>>
>> root at cheetah:~# getent passwd
>> root:x:0:0:root:/root:/bin/bash
>> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
>> ...
>> wakizashi:x:1001:100::/home/wakizashi:/bin/bash
>> gdm:x:110:115:Gnome Display Manager:/var/lib/gdm:/bin/false
>> avahi:x:111:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
>> ntp:x:112:120::/home/ntp:/bin/false
>> libvirt-qemu:x:113:121:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
>> vde2-net:x:114:124::/var/run/vde2:/bin/false
>> nslcd:x:115:125:nslcd name service LDAP connection
>> daemon,,,:/var/run/nslcd/:/bin/false
>> guest:*:3000011:3000012:Guest:/home/guest:/bin/false
>>
>> Hmmm... Where is "Administrator"? Where is a "krb-tgt"?
>>
>> BTW - Guest has all the needed rfc2703 attributes, as well as the other
>> users, so it is supposed to get shell and homedir correctly... But even in
>> this case it's not resolvable by the system:
>>
>> root at cheetah:~# id guest
>> id: guest: No such user
>> root at cheetah:~# id administrator
>> id: administrator: No such user
>> root at cheetah:~# id SAMBA\\Guest
>> id: SAMBA\Guest: No such user
>> root at cheetah:~# id SAMBA\\guest
>> id: SAMBA\guest: No such user
>>
>> Even worse - no user is visible, not even "Guest", which is in "getent
>> passwd"
>>
>> And of course, here is the issue with access being denied to Administrator
>> (and other users too, except "wakizashi", which is available locally
>> from /etc/passwd):
>>
>> [2013/10/28 15:32:44.525754,  3]
>> ../source3/smbd/sesssetup.c:138(reply_sesssetup_and_X_spnego)
>>    Doing spnego session setup
>> [2013/10/28 15:32:44.525773,  3]
>> ../source3/smbd/sesssetup.c:179(reply_sesssetup_and_X_spnego)
>>    NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
>> [2013/10/28 15:32:44.538199,  3]
>> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
>>    Found account name from PAC: Wakizashi [Alex Wakizashi]
>> [2013/10/28 15:32:44.538250,  3]
>> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>>    Kerberos ticket principal name is [wakizashi at SAMBA.LOCAL.NET]
>> [2013/10/28 15:32:44.538419,  3]
>> ../source3/param/loadparm.c:4838(lp_load_ex)
>>    lp_load_ex: refreshing parameters
>> [2013/10/28 15:32:44.538489,  3]
>> ../source3/param/loadparm.c:750(init_globals)
>>    Initialising global parameters
>> [2013/10/28 15:32:44.538546,  3] ../lib/util/params.c:550(pm_process)
>>    params.c:pm_process() - Processing configuration file
>> "/etc/samba/smb.conf"
>> [2013/10/28 15:32:44.538563,  3]
>> ../source3/param/loadparm.c:3564(do_section)
>>    Processing section "[global]"
>> [2013/10/28 15:32:44.538719,  2]
>> ../source3/param/loadparm.c:3581(do_section)
>>    Processing section "[test]"
>> [2013/10/28 15:32:44.538761,  3]
>> ../source3/param/loadparm.c:1773(lp_add_ipc)
>>    adding IPC service
>> [2013/10/28 15:32:44.539384,  3]
>> ../source3/smbd/password.c:144(register_homes_share)
>>    Adding homes service for user 'wakizashi' using home directory:
>> '/home/wakizashi'
>> [2013/10/28 15:32:44.539627,  3]
>> ../source3/smbd/process.c:1795(process_smb)
>>    Transaction 2 of length 84 (0 toread)
>> [2013/10/28 15:32:44.539667,  3]
>> ../source3/smbd/process.c:1398(switch_message)
>>    switch message SMBtconX (pid 15953) conn 0x0
>> [2013/10/28 15:32:44.539796,  3] ../source3/lib/access.c:338(allow_access)
>>    Allowed connection from cheetah (127.0.0.1)
>> [2013/10/28 15:32:44.539879,  3]
>> ../source3/smbd/service.c:612(make_connection_snum)
>>    Connect path is '/tmp' for service [IPC$]
>> [2013/10/28 15:32:44.539944,  3]
>> ../source3/smbd/vfs.c:113(vfs_init_default)
>>    Initialising default vfs hooks
>> [2013/10/28 15:32:44.539987,  3]
>> ../source3/smbd/vfs.c:139(vfs_init_custom)
>>    Initialising custom vfs hooks from [/[Default VFS]/]
>> [2013/10/28 15:32:44.540102,  3]
>> ../source3/smbd/service.c:848(make_connection_snum)
>>    cheetah (ipv4:127.0.0.1:38217) connect to service IPC$ initially as
>> user wakizashi (uid=1001, gid=100) (pid 15953)
>> ...
>> [2013/10/28 15:35:11.002140,  3]
>> ../source3/smbd/sesssetup.c:138(reply_sesssetup_and_X_spnego)
>>    Doing spnego session setup
>> [2013/10/28 15:35:11.002169,  3]
>> ../source3/smbd/sesssetup.c:179(reply_sesssetup_and_X_spnego)
>>    NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
>> [2013/10/28 15:35:11.014682,  3]
>> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
>>    Found account name from PAC: Administrator []
>> [2013/10/28 15:35:11.014726,  3]
>> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>>    Kerberos ticket principal name is [administrator at SAMBA.LOCAL.NET]
>> [2013/10/28 15:35:11.032130,  1]
>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>    Username SAMBA\administrator is invalid on this system
>> [2013/10/28 15:35:11.032176,  1]
>> ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
>>    Failed to map kerberos principal to system user
>> (NT_STATUS_LOGON_FAILURE)
>> [2013/10/28 15:35:11.032209,  1]
>> ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
>>    Failed to generate session_info (user and group token) for session
>> setup: NT_STATUS_ACCESS_DENIED
>> [2013/10/28 15:35:11.032288,  3]
>> ../source3/smbd/error.c:82(error_packet_set)
>>    NT error packet at ../source3/smbd/sesssetup.c(279) cmd=115
>> (SMBsesssetupX) NT_STATUS_ACCESS_DENIED
>> [2013/10/28 15:35:11.032927,  3]
>> ../source3/smbd/server_exit.c:212(exit_server_common)
>>    Server exit (failed to receive smb request)
>>
>> Could someone, please, explain how to set up Samba correctly, at
>> least to provide users/groups on the DC and member servers?
>>
>> So far, the default installation and documentation do not provide a
>> reasonable way to get a working environment...
>>
>> I'm completely lost with it. Sometimes it is working, sometimes not.
>>
>> Yes, there is a way with nslcd, but it's just a workaround, requiring
>> additional scripts... But how to make SAMBA work just with its
>> standard services, like winbindd?
>>
>> And of course - if there is anything I can do for the Samba team - I
>> will be glad to help. Hope to see SAMBA replacing Windows Server and
>> AD completely :)
>> The issues mentioned above are reproducible on my virtual machines
>> (Debian Wheezy); I may provide access to these, if needed.
>>
>> Regards,
>>    Alex
>
> Hi, the problem is that winbind on the S4 server only knows about the
> uidNumber & gidNumber, you can change the shell by putting 'template shell =
> /bin/bash' into smb.conf but you are stuck with /home/DOMAIN/USER as it is
> hard coded into winbind.
> The devs say that they will replace S4 winbind with the winbind from S3
> which is a much different beast, but I do not know when this will happen.
> If you want your Linux users to log into the S4 server, then my advice is to
> take a look at sssd, you will then get consistent UIDs/GIDs.
>
> Rowland
>
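A check that is worth running before trusting the member-server config quoted in this thread: idmap_ad only accepts uidNumber/gidNumber values that fall inside the domain's `idmap config DOM:range`, ranges must not overlap, and accounts without the attributes get no mapping at all (the uid 1001 assigned to Wakizashi above lies below the 3000000-4000000 range in that smb.conf). The following script is an added example, not code from the Samba project or from the thread; the smb.conf fragment and the account rows are constructed from the values quoted above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches lines like "idmap config SAMBA:range = 3000000-4000000" (domain, key, value).
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap_ranges(smb_conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every 'idmap config DOM:range' line in smb.conf."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            low, high = (int(x) for x in m.group(3).split("-", 1))
            ranges[m.group(1).upper()] = (low, high)
    return ranges

def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges overlap; winbind requires all ranges to be disjoint."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def check_accounts(domain: str, ranges: Dict[str, Tuple[int, int]],
                   accounts: List[Tuple[str, Optional[int], Optional[int]]]) -> List[tuple]:
    """Return (account, attribute, value, reason) for every ID idmap_ad would not map."""
    if domain.upper() not in ranges:
        raise ValueError(f"no 'idmap config {domain}:range' in smb.conf")
    low, high = ranges[domain.upper()]
    problems = []
    for name, uid, gid in accounts:
        for attr, value in (("uidNumber", uid), ("gidNumber", gid)):
            if value is None:
                problems.append((name, attr, None, "attribute missing in AD"))
            elif not low <= value <= high:
                problems.append((name, attr, value, f"outside {domain} range {low}-{high}"))
    return problems

# Constructed sample: the idmap lines of the member-server smb.conf quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config SAMBA:backend = ad
    idmap config SAMBA:schema_mode = rfc2307
    idmap config SAMBA:range = 3000000-4000000
"""
# Constructed (account, uidNumber, gidNumber) rows as ldbsearch would return them;
# None stands for an attribute that is absent on the AD object (an assumption for Administrator).
SAMPLE_ACCOUNTS = [("Wakizashi", 1001, 100), ("Guest", 3000011, 3000012),
                   ("Administrator", None, None)]
```

Feed it the real `idmap config` lines and the `uidNumber`/`gidNumber` values from `ldbsearch` and every row it prints is an account winbind on the member will not resolve.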
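The manual steps used above to identify GID 3000000 (`ls`/`getfacl` shows a bare number, `wbinfo -G` gives the SID, `wbinfo -s` gives the name) can be turned into one audit of a sysvol ACL. This is an added example, not code from the Samba project or from the thread: it parses `getfacl` output, lists every owner or ACL qualifier that NSS could not turn into a name, and resolves each through winbind; the getfacl text and the winbind answers below are constructed from the thread, and the resolver is injected so the parsing can be exercised without a running winbindd.

```python
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# "group:3000000:rwx" / "default:group:3000000:rwx" and the "# group: 3000000" header: a purely
# numeric qualifier means getfacl could not map the ID to a name through NSS (here, winbind).
ACL_ENTRY = re.compile(r"^(?:default:)?(user|group):([^:]*):[rwx-]{3}$")
OWNER_LINE = re.compile(r"^# (owner|group): (\S+)$")

def unresolved_ids(getfacl_output: str) -> List[Tuple[str, int]]:
    """Return (kind, id) for every owner/ACL qualifier that is still a bare number."""
    found: List[Tuple[str, int]] = []
    for raw in getfacl_output.splitlines():
        line = raw.strip()
        m = OWNER_LINE.match(line) or ACL_ENTRY.match(line)
        if not m or not m.group(2).isdigit():
            continue
        key = ("user" if m.group(1) in ("owner", "user") else "group", int(m.group(2)))
        if key not in found:
            found.append(key)
    return found

def _wbinfo(*args: str) -> str:
    return subprocess.run(["wbinfo", *args], capture_output=True, text=True, check=True).stdout.strip()

def resolve_with_winbind(kind: str, xid: int) -> Optional[str]:
    """The thread's manual steps: wbinfo -G/-U <id> -> SID, then wbinfo -s <SID> -> name and type."""
    try:
        return _wbinfo("-s", _wbinfo("-G" if kind == "group" else "-U", str(xid)))
    except (OSError, subprocess.CalledProcessError):
        return None  # winbindd not running, or no mapping for this ID at all

def report(getfacl_output: str, resolver: Callable[[str, int], Optional[str]]) -> Dict[int, Optional[str]]:
    """Map each unresolved ID to the name winbind knows it by (None = winbind has no mapping either)."""
    return {xid: resolver(kind, xid) for kind, xid in unresolved_ids(getfacl_output)}

# Constructed sample: the sysvol ACL from the thread and the wbinfo answers it reports. BUILTIN and
# NT AUTHORITY groups carry no rfc2307 gidNumber, so the DC allocates them xids from idmap.ldb.
SAMPLE_GETFACL = """\
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
default:group:3000000:rwx
"""
SAMPLE_WINBIND = {("group", 3000000): "BUILTIN\\Administrators 4", ("group", 3000001): "BUILTIN\\Server Operators 4",
                  ("group", 3000002): "NT AUTHORITY\\SYSTEM 5", ("group", 3000003): "NT AUTHORITY\\Authenticated Users 5"}
```

On a live DC, `report(open_getfacl_text, resolve_with_winbind)` gives the same table for any path; an ID that comes back as `None` is not known to winbind at all, which is a different problem from an NSS lookup that merely lacks a name.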
