[Samba] How winbindd is working on DC/member? It ignores rfc2703 on DC, and not showing all users on member server... Where is a error?

Rowland Penny rowlandpenny at googlemail.com
Mon Oct 28 08:42:10 MDT 2013


On 28/10/13 13:22, Alex Wakizashi wrote:
> Hi Rowland,
>
> At least on Debian Squeezy sssd is not working with Samba4 - it
> complains about wrong format of databases.
> After 2 days of trying to build S4 and sssd from Debian Unstable I've
> dropped that hopeless efforts.

Are you fatally wedded to Squeezy? What about Ubuntu 12.04 server? This 
is getting updates until 2017 and there is a PPA for sssd 1.11.1.
>
> So, need to have something without sssd.
>
> Changing attributes, such as shell, from smb.conf is bad - because
> some users need to have it, and some not.
OK, I can understand that, but until Samba switches to the S3 winbind on 
the S4 server, this is a problem everybody is having, S4 winbind != S3 
winbind. You need to use something other than winbind if you want Unix 
users to connect to shares on the S4 server, I know because I got bitten 
by this with cifsmount.

Rowland
>
> 2013/10/28 Rowland Penny <rowlandpenny at googlemail.com>:
>> On 28/10/13 11:54, Alex Wakizashi wrote:
>>> Hi all,
>>>
>>> Still looking for the best way to achieve consistent GID/UID mapping
>>> on Linux servers/clients, in heterogeneous environment (Linux,
>>> Windows, CIFS, NFS).
>>> Current problems with UID/GID resolution prevent using Samba4 in an
>>> environment with backups (where data may be restored on another
>>> server) and mixed Linux/Windows workstations.
>>>
>>> Just recently installed fresh Samba 4.1.0 on the server as DC, and
>>> completely confused by how winbind is working.
>>>
>>> DC provisioned as:
>>>
>>> samba-tool domain provision --use-rfc2307 --domain=SAMBA
>>> --realm=samba.local.net --adminpass='<Password>'
>>> --dns-backend=BIND9_DLZ --server-role=dc
>>>
>>> DNS is configured, Kerberos too, kinit/klist working fine.
>>>
>>> Samba and NSS configuration:
>>>
>>> --- smb.conf ---
>>> # Global parameters
>>> [global]
>>>       workgroup = SAMBA
>>>       realm = samba.local.net
>>>       netbios name = NAS
>>>       server role = active directory domain controller
>>>       server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>> winbind, ntp_signd, kcc, dnsupdate
>>>       idmap_ldb:use rfc2307 = yes
>>>
>>> [netlogon]
>>>       path = /var/lib/samba/sysvol/samba.local.net/scripts
>>>       read only = No
>>>
>>> [sysvol]
>>>       path = /var/lib/samba/sysvol
>>>       read only = No
>>> --- smb.conf ---
>>>
>>> --- nsswitch.conf ---
>>> passwd:         compat winbind
>>> group:          compat winbind
>>> shadow:         compat
>>> hosts:          files dns
>>> networks:       files
>>> protocols:      db files
>>> services:       db files
>>> ethers:         db files
>>> rpc:            db files
>>> netgroup:       nis
>>> --- nsswitch.conf ---
>>>
>>> Have created new user:
>>>
>>> samba-tool user add Wakizashi --use-username-as-cn --given-name=Alex
>>> --surname=Wakizashi --uid-number=1001
>>>
>>> And modified RFC attributes, result:
>>>
>>> root at nas:~# ldbsearch -k yes -H ldap://nas
>>> "(sAMAccountName=wakizashi)" sAMAccountName uid loginShell
>>> unixHomeDirectory
>>> # record 1
>>> dn: CN=Wakizashi,CN=Users,DC=samba,DC=local,DC=net
>>> sAMAccountName: Wakizashi
>>> unixHomeDirectory: /home/wakizashi
>>> uid: wakizashi
>>> loginShell: /bin/bash
>>>
>>> Problems:
>>>
>>> 1. Just after Samba install "id" reports no user "wakizashi", after
>>> reboot it started to resolve both "Wakizashi" and "wakizashi", as well
>>> as "Administrator", etc.
>>>
>>> 2. I can see users in the domain, but it seems like winbindd ignores the
>>> rfc2703 attributes:
>>> - cut -
>>> root at nas:~# getent passwd
>>> root:x:0:0:root:/root:/bin/bash
>>> ....
>>> ntp:x:107:112::/home/ntp:/bin/false
>>> nslcd:x:108:113:nslcd name service LDAP connection
>>> daemon,,,:/var/run/nslcd/:/bin/false
>>> SAMBA\Administrator:*:0:100::/home/SAMBA/Administrator:/bin/false
>>> SAMBA\Guest:*:3000011:3000012::/home/SAMBA/Guest:/bin/false
>>> SAMBA\krbtgt:*:3000017:100::/home/SAMBA/krbtgt:/bin/false
>>> SAMBA\dns-nas:*:3000018:100::/home/SAMBA/dns-nas:/bin/false
>>> SAMBA\Wakizashi:*:1001:100:Alex Wakizashi:/home/SAMBA/Wakizashi:/bin/false
>>> - cut -
>>>
>>> So, as you can see, there are rfc2703 attributes: uid, shell and home
>>> directory, but winbindd just ignores these, and uses crazy
>>> "SAMBA\wakizashi" username, wrong home directory, wrong shell.
>>>
>>> 3. Still some groups IDs are not resolvable:
>>> root at nas:~# ls -la /var/lib/samba/sysvol/
>>> total 20
>>> drwxrwx---+  3 SAMBA\Administrator 3000000 4096 Oct 28 03:09 .
>>> drwxr-xr-x  10 SAMBA\Administrator root    4096 Oct 28 03:09 ..
>>> drwxrwx---+  4 SAMBA\Administrator 3000000 4096 Oct 28 03:09
>>> samba.local.net
>>>
>>> As I can see, there is GID 3000000. What is it?
>>>
>>> root at nas:~# wbinfo -s `wbinfo -G 3000000 `
>>> BUILTIN\Administrators 4
>>>
>>> So, why is this not resolved by winbindd?
>>>
>>> Same with ACL:
>>>
>>> root at nas:~# getfacl /var/lib/samba/sysvol/
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: var/lib/samba/sysvol/
>>> # owner: root
>>> # group: 3000000
>>> user::rwx
>>> user:root:rwx
>>> group::rwx
>>> group:3000000:rwx
>>> group:3000001:r-x
>>> group:3000002:rwx
>>> group:3000003:r-x
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:group::---
>>> default:group:3000000:rwx
>>> default:group:3000001:r-x
>>> default:group:3000002:rwx
>>> default:group:3000003:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>> Why there are unresolved GIDs?
>>>
>>> root at nas:~# wbinfo -s `wbinfo -G 3000001 `
>>> BUILTIN\Server Operators 4
>>> root at nas:~# wbinfo -s `wbinfo -G 3000002 `
>>> NT AUTHORITY\SYSTEM 5
>>> root at nas:~# wbinfo -s `wbinfo -G 3000003 `
>>> NT AUTHORITY\Authenticated Users 5
>>>
>>>
>>> 3. Ok, let's try winbind on member server.
>>>
>>> Have installed CHEETAH with following config (Just from Wiki):
>>>
>>> --- smb.conf AD member ---
>>> [global]
>>>
>>>      workgroup = SAMBA
>>>      security = ADS
>>>      realm = SAMBA.LOCAL.NET
>>>      encrypt passwords = yes
>>>
>>>      idmap config *:backend = tdb
>>>      idmap config *:range = 70001-80000
>>>      idmap config SAMBA:backend = ad
>>>      idmap config SAMBA:schema_mode = rfc2307
>>>      idmap config SAMBA:range = 3000000-4000000
>>>
>>>      winbind nss info = rfc2307
>>>      winbind trusted domains only = no
>>>      winbind use default domain = yes
>>>      winbind enum users  = yes
>>>      winbind enum groups = yes
>>>
>>> [test]
>>>      path = /home/test
>>>      read only = no
>>>
>>> --- smb.conf AD member ---
>>>
>>> Services have been forcibly restarted, to make sure that everything
>>> has been reloaded.
>>>
>>> root at cheetah:~# getent passwd
>>> root:x:0:0:root:/root:/bin/bash
>>> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
>>> ...
>>> wakizashi:x:1001:100::/home/wakizashi:/bin/bash
>>> gdm:x:110:115:Gnome Display Manager:/var/lib/gdm:/bin/false
>>> avahi:x:111:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
>>> ntp:x:112:120::/home/ntp:/bin/false
>>> libvirt-qemu:x:113:121:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
>>> vde2-net:x:114:124::/var/run/vde2:/bin/false
>>> nslcd:x:115:125:nslcd name service LDAP connection
>>> daemon,,,:/var/run/nslcd/:/bin/false
>>> guest:*:3000011:3000012:Guest:/home/guest:/bin/false
>>>
>>> Hmmm... Where is "Administrator"? Where is a "krb-tgt"?
>>>
>>> BTW - Guest has all the needed rfc2703 attributes, as well as other
>>> users, so it is supposed to get shell and homedir correctly... But even in
>>> this case it's not resolvable by the system:
>>>
>>> root at cheetah:~# id guest
>>> id: guest: No such user
>>> root at cheetah:~# id administrator
>>> id: administrator: No such user
>>> root at cheetah:~# id SAMBA\\Guest
>>> id: SAMBA\Guest: No such user
>>> root at cheetah:~# id SAMBA\\guest
>>> id: SAMBA\guest: No such user
>>>
>>> Even worse - no user is visible, not even "Guest", which is in "getent
>>> passwd"
>>>
>>> And of course, here is the issue with denying access to Administrator
>>> (and other users too, except "wakizashi", which is available locally
>>> from /etc/passwd):
>>>
>>> [2013/10/28 15:32:44.525754,  3]
>>> ../source3/smbd/sesssetup.c:138(reply_sesssetup_and_X_spnego)
>>>     Doing spnego session setup
>>> [2013/10/28 15:32:44.525773,  3]
>>> ../source3/smbd/sesssetup.c:179(reply_sesssetup_and_X_spnego)
>>>     NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
>>> [2013/10/28 15:32:44.538199,  3]
>>> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
>>>     Found account name from PAC: Wakizashi [Alex Wakizashi]
>>> [2013/10/28 15:32:44.538250,  3]
>>> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>>>     Kerberos ticket principal name is [wakizashi at SAMBA.LOCAL.NET]
>>> [2013/10/28 15:32:44.538419,  3]
>>> ../source3/param/loadparm.c:4838(lp_load_ex)
>>>     lp_load_ex: refreshing parameters
>>> [2013/10/28 15:32:44.538489,  3]
>>> ../source3/param/loadparm.c:750(init_globals)
>>>     Initialising global parameters
>>> [2013/10/28 15:32:44.538546,  3] ../lib/util/params.c:550(pm_process)
>>>     params.c:pm_process() - Processing configuration file
>>> "/etc/samba/smb.conf"
>>> [2013/10/28 15:32:44.538563,  3]
>>> ../source3/param/loadparm.c:3564(do_section)
>>>     Processing section "[global]"
>>> [2013/10/28 15:32:44.538719,  2]
>>> ../source3/param/loadparm.c:3581(do_section)
>>>     Processing section "[test]"
>>> [2013/10/28 15:32:44.538761,  3]
>>> ../source3/param/loadparm.c:1773(lp_add_ipc)
>>>     adding IPC service
>>> [2013/10/28 15:32:44.539384,  3]
>>> ../source3/smbd/password.c:144(register_homes_share)
>>>     Adding homes service for user 'wakizashi' using home directory:
>>> '/home/wakizashi'
>>> [2013/10/28 15:32:44.539627,  3]
>>> ../source3/smbd/process.c:1795(process_smb)
>>>     Transaction 2 of length 84 (0 toread)
>>> [2013/10/28 15:32:44.539667,  3]
>>> ../source3/smbd/process.c:1398(switch_message)
>>>     switch message SMBtconX (pid 15953) conn 0x0
>>> [2013/10/28 15:32:44.539796,  3] ../source3/lib/access.c:338(allow_access)
>>>     Allowed connection from cheetah (127.0.0.1)
>>> [2013/10/28 15:32:44.539879,  3]
>>> ../source3/smbd/service.c:612(make_connection_snum)
>>>     Connect path is '/tmp' for service [IPC$]
>>> [2013/10/28 15:32:44.539944,  3]
>>> ../source3/smbd/vfs.c:113(vfs_init_default)
>>>     Initialising default vfs hooks
>>> [2013/10/28 15:32:44.539987,  3]
>>> ../source3/smbd/vfs.c:139(vfs_init_custom)
>>>     Initialising custom vfs hooks from [/[Default VFS]/]
>>> [2013/10/28 15:32:44.540102,  3]
>>> ../source3/smbd/service.c:848(make_connection_snum)
>>>     cheetah (ipv4:127.0.0.1:38217) connect to service IPC$ initially as
>>> user wakizashi (uid=1001, gid=100) (pid 15953)
>>> ...
>>> [2013/10/28 15:35:11.002140,  3]
>>> ../source3/smbd/sesssetup.c:138(reply_sesssetup_and_X_spnego)
>>>     Doing spnego session setup
>>> [2013/10/28 15:35:11.002169,  3]
>>> ../source3/smbd/sesssetup.c:179(reply_sesssetup_and_X_spnego)
>>>     NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
>>> [2013/10/28 15:35:11.014682,  3]
>>> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
>>>     Found account name from PAC: Administrator []
>>> [2013/10/28 15:35:11.014726,  3]
>>> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>>>     Kerberos ticket principal name is [administrator at SAMBA.LOCAL.NET]
>>> [2013/10/28 15:35:11.032130,  1]
>>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>>     Username SAMBA\administrator is invalid on this system
>>> [2013/10/28 15:35:11.032176,  1]
>>> ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
>>>     Failed to map kerberos principal to system user
>>> (NT_STATUS_LOGON_FAILURE)
>>> [2013/10/28 15:35:11.032209,  1]
>>> ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
>>>     Failed to generate session_info (user and group token) for session
>>> setup: NT_STATUS_ACCESS_DENIED
>>> [2013/10/28 15:35:11.032288,  3]
>>> ../source3/smbd/error.c:82(error_packet_set)
>>>     NT error packet at ../source3/smbd/sesssetup.c(279) cmd=115
>>> (SMBsesssetupX) NT_STATUS_ACCESS_DENIED
>>> [2013/10/28 15:35:11.032927,  3]
>>> ../source3/smbd/server_exit.c:212(exit_server_common)
>>>     Server exit (failed to receive smb request)
>>>
>>> Could someone, please, explain how to set up Samba correctly, at
>>> least to provide users/groups on the DC and member servers?
>>>
>>> So far, the default installation and documentation do not provide a
>>> reasonable way to get a working environment...
>>>
>>> I'm completely lost with it. Sometimes it works, sometimes not.
>>>
>>> Yes, there is a way with nslcd, but it's just a workaround, requiring
>>> additional scripts... But how to make SAMBA work just with its
>>> standard services, like winbindd?
>>>
>>> And of course - if there is anything I can do for the Samba team -
>>> will be glad to help. Hope to see SAMBA replacing Windows Server and
>>> AD completely :)
>>> Issues, mentioned above, are reproducible on my virtual machines
>>> (Debian Wheezy), may provide access to these, if needed.
>>>
>>> Regards,
>>>     Alex
>> Hi, the problem is that winbind on the S4 server only knows about the
>> uidNumber & gidNumber. You can change the shell by putting 'template shell =
>> /bin/bash' into smb.conf, but you are stuck with /home/DOMAIN/USER as it is
>> hard coded into winbind.
>> The devs say that they will replace S4 winbind with the winbind from S3,
>> which is a much different beast, but I do not know when this will happen.
>> If you want your Linux users to log into the S4 server, then my advice is to
>> take a look at sssd; you will then get consistent UIDs/GIDs.
>>
>> Rowland
>>
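The member-server configuration quoted above maps the SAMBA domain with `idmap config SAMBA:backend = ad` and `idmap config SAMBA:range = 3000000-4000000`, while the user created on the DC carries `uidNumber` 1001. The script below is an added example (not Samba's code and not from this thread) that checks each account's rfc2307 `uidNumber` against the member server's configured idmap range; it assumes the documented idmap_ad behaviour that IDs outside the range are ignored, and the `uidNumber` values for Guest and Administrator in the sample LDIF are constructed for the example (only Wakizashi's 1001 comes from the thread). The smb.conf fragment and the account attributes are embedded as constructed sample input so the check runs offline; on a real server the same functions can be fed the output of `testparm -s` and `ldbsearch`.

```python
"""Check AD users' rfc2307 uidNumber values against a Samba member server's
idmap_ad range.  Added example, not part of Samba or of the mailing-list
thread.  Assumption: idmap_ad ignores IDs outside its configured range, so an
account whose uidNumber lies outside it (or has none) is not resolved by
winbind on the member server.
"""
import re

# Constructed sample: the member-server smb.conf fragment from the thread.
SMB_CONF = """
[global]
     workgroup = SAMBA
     security = ADS
     idmap config *:backend = tdb
     idmap config *:range = 70001-80000
     idmap config SAMBA:backend = ad
     idmap config SAMBA:schema_mode = rfc2307
     idmap config SAMBA:range = 3000000-4000000
     winbind nss info = rfc2307
"""

# Constructed sample LDIF, in the shape ldbsearch prints.  Wakizashi's
# uidNumber (1001) is from the thread; Guest's and Administrator's values are
# assumptions made for this example.
LDIF = """
dn: CN=Wakizashi,CN=Users,DC=samba,DC=local,DC=net
sAMAccountName: Wakizashi
uidNumber: 1001
loginShell: /bin/bash
unixHomeDirectory: /home/wakizashi

dn: CN=Guest,CN=Users,DC=samba,DC=local,DC=net
sAMAccountName: Guest
uidNumber: 3000011
loginShell: /bin/false
unixHomeDirectory: /home/guest

dn: CN=Administrator,CN=Users,DC=samba,DC=local,DC=net
sAMAccountName: Administrator
"""

IDMAP_RE = re.compile(r"\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap_ranges(conf):
    """Return {domain: (low, high, backend)} from the 'idmap config' lines."""
    ranges, backends = {}, {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            lo, hi = val.split("-")
            ranges[dom] = (int(lo), int(hi))
        elif key == "backend":
            backends[dom] = val.lower()
    return {d: (lo, hi, backends.get(d, "?")) for d, (lo, hi) in ranges.items()}


def parse_ldif(text):
    """Split simple LDIF (one value per attribute) into per-record dicts."""
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    if cur:
        records.append(cur)
    return records


def check_users(conf, ldif, domain):
    """Classify each account as 'ok', 'out-of-range' or 'no-uidNumber'
    relative to the idmap range configured for `domain`."""
    lo, hi, _backend = parse_idmap_ranges(conf)[domain]
    verdict = {}
    for rec in parse_ldif(ldif):
        name = rec.get("sAMAccountName")
        uid = rec.get("uidNumber")
        if uid is None:
            verdict[name] = "no-uidNumber"
        elif lo <= int(uid) <= hi:
            verdict[name] = "ok"
        else:
            verdict[name] = "out-of-range"
    return verdict


if __name__ == "__main__":
    for user, state in sorted(check_users(SMB_CONF, LDIF, "SAMBA").items()):
        print(f"{user:15} {state}")
```

With the sample input, Wakizashi is reported as out-of-range (1001 is below 3000000), Guest as ok, and Administrator as lacking a uidNumber, which matches the member-server `getent passwd` output in the thread showing only `guest` from the domain. Either the range must cover the uidNumber values actually assigned on the DC, or the accounts must be given uidNumber values inside it; mismatched ranges silently drop accounts from NSS, and the resulting numeric-only owners and ACL entries are the symptom to watch for.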


