[Samba] How is winbindd working on DC/member? It ignores rfc2307 on DC, and is not showing all users on member server... Where is the error?

Alex Wakizashi alex at wakizashi.info
Mon Oct 28 10:29:21 MDT 2013


Hi Rowland,

2013/10/28 Rowland Penny <rowlandpenny at googlemail.com>:
> On 28/10/13 13:22, Alex Wakizashi wrote:
>>
>> Hi Rowland,
>>
>> At least on Debian Squeeze sssd is not working with Samba4 - it
>> complains about wrong format of databases.
>> After 2 days of trying to build S4 and sssd from Debian Unstable I've
>> dropped those hopeless efforts.
>
>
> Are you fatally wedded to Squeeze? What about Ubuntu 12.04 server, this is
> getting updates until 2017 and there is a ppa for sssd 1.11.1

Yes, unfortunately, it's a requirement for the project... Related to
3rd-party security software, which is mandatory and needs exactly
Squeeze 6.0.3 - crazy, but it's a fact...

I have an idiosyncrasy for Ubuntu :) It became a Windows-like monstrous
system, which "knows things better than yourself".
Also, a mix of closed-source and open-source, like in Ubuntu, is not
allowed in this project.

>> So, need to have something without sssd.
>>
>> Changing attributes, such as shell, from smb.conf is bad - because
>> some users need to have it, and some not.
>
> OK, I can understand that, but until Samba switches to the S3 winbind on the
> S4 server, this is a problem everybody is having, S4 winbind != S3 winbind.
> You need to use something other than winbind if you want Unix users to
> connect to shares on the S4 server, I know because I got bitten by this with
> cifsmount.

Well, I have another solution - in my previous mail with subject "User
Administrator access denied" - where a script is used to populate
UID/GID, reported by wbinfo on DC, to rfc2307 attributes, and then use
nslcd everywhere. That gives consistency, but still a dirty hack.

So, I will wait for normal winbind in S4 :)

Thanks,
  Alex
> Rowland
>
>>
>> 2013/10/28 Rowland Penny <rowlandpenny at googlemail.com>:
>>>
>>> On 28/10/13 11:54, Alex Wakizashi wrote:
>>>>
>>>> Hi all,
>>>>
>>>> Still looking for the best way to achieve consistent GID/UID mapping
>>>> on Linux servers/clients, in a heterogeneous environment (Linux,
>>>> Windows, CIFS, NFS).
>>>> Current problems with UID/GID resolution prevent using Samba4 in an
>>>> environment with backups (where data may be restored on another
>>>> server) and mixed Linux/Windows workstations.
>>>>
>>>> Just recently installed fresh Samba 4.1.0 on the server as DC, and
>>>> completely confused by how winbind is working.
>>>>
>>>> DC provisioned as:
>>>>
>>>> samba-tool domain provision --use-rfc2307 --domain=SAMBA
>>>> --realm=samba.local.net --adminpass='<Password>'
>>>> --dns-backend=BIND9_DLZ --server-role=dc
>>>>
>>>> DNS is configured, kerberos too, kinit/klist working fine.
>>>>
>>>> Samba and NSS configuration:
>>>>
>>>> --- smb.conf ---
>>>> # Global parameters
>>>> [global]
>>>>       workgroup = SAMBA
>>>>       realm = samba.local.net
>>>>       netbios name = NAS
>>>>       server role = active directory domain controller
>>>>       server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>>> winbind, ntp_signd, kcc, dnsupdate
>>>>       idmap_ldb:use rfc2307 = yes
>>>>
>>>> [netlogon]
>>>>       path = /var/lib/samba/sysvol/samba.local.net/scripts
>>>>       read only = No
>>>>
>>>> [sysvol]
>>>>       path = /var/lib/samba/sysvol
>>>>       read only = No
>>>> --- smb.conf ---
>>>>
>>>> --- nsswitch.conf ---
>>>> passwd:         compat winbind
>>>> group:          compat winbind
>>>> shadow:         compat
>>>> hosts:          files dns
>>>> networks:       files
>>>> protocols:      db files
>>>> services:       db files
>>>> ethers:         db files
>>>> rpc:            db files
>>>> netgroup:       nis
>>>> --- nsswitch.conf ---
>>>>
>>>> Have created new user:
>>>>
>>>> samba-tool user add Wakizashi --use-username-as-cn --given-name=Alex
>>>> --surname=Wakizashi --uid-number=1001
>>>>
>>>> And modified RFC attributes, result:
>>>>
>>>> root at nas:~# ldbsearch -k yes -H ldap://nas
>>>> "(sAMAccountName=wakizashi)" sAMAccountName uid loginShell
>>>> unixHomeDirectory
>>>> # record 1
>>>> dn: CN=Wakizashi,CN=Users,DC=samba,DC=local,DC=net
>>>> sAMAccountName: Wakizashi
>>>> unixHomeDirectory: /home/wakizashi
>>>> uid: wakizashi
>>>> loginShell: /bin/bash
>>>>
>>>> Problems:
>>>>
>>>> 1. Just after Samba install "id" reports no user "wakizashi", after
>>>> reboot it started to resolve both "Wakizashi" and "wakizashi", as well
>>>> as "Administrator", etc.
>>>>
>>>> 2. I can see users in the domain, but it seems like winbindd ignores the
>>>> rfc2307 attributes:
>>>> - cut -
>>>> root at nas:~# getent passwd
>>>> root:x:0:0:root:/root:/bin/bash
>>>> ....
>>>> ntp:x:107:112::/home/ntp:/bin/false
>>>> nslcd:x:108:113:nslcd name service LDAP connection
>>>> daemon,,,:/var/run/nslcd/:/bin/false
>>>> SAMBA\Administrator:*:0:100::/home/SAMBA/Administrator:/bin/false
>>>> SAMBA\Guest:*:3000011:3000012::/home/SAMBA/Guest:/bin/false
>>>> SAMBA\krbtgt:*:3000017:100::/home/SAMBA/krbtgt:/bin/false
>>>> SAMBA\dns-nas:*:3000018:100::/home/SAMBA/dns-nas:/bin/false
>>>> SAMBA\Wakizashi:*:1001:100:Alex
>>>> Wakizashi:/home/SAMBA/Wakizashi:/bin/false
>>>> - cut -
>>>>
>>>> So, as you can see, there are rfc2307 attributes: uid, shell and home
>>>> directory, but winbindd just ignores these, and uses crazy
>>>> "SAMBA\wakizashi" username, wrong home directory, wrong shell.
>>>>
>>>> 3. Still some groups IDs are not resolvable:
>>>> root at nas:~# ls -la /var/lib/samba/sysvol/
>>>> total 20
>>>> drwxrwx---+  3 SAMBA\Administrator 3000000 4096 Oct 28 03:09 .
>>>> drwxr-xr-x  10 SAMBA\Administrator root    4096 Oct 28 03:09 ..
>>>> drwxrwx---+  4 SAMBA\Administrator 3000000 4096 Oct 28 03:09
>>>> samba.local.net
>>>>
>>>> As I can see, there is GID 3000000. What is it?
>>>>
>>>> root at nas:~# wbinfo -s `wbinfo -G 3000000 `
>>>> BUILTIN\Administrators 4
>>>>
>>>> So, why this is not resolved by winbindd?
>>>>
>>>> Same with ACL:
>>>>
>>>> root at nas:~# getfacl /var/lib/samba/sysvol/
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: var/lib/samba/sysvol/
>>>> # owner: root
>>>> # group: 3000000
>>>> user::rwx
>>>> user:root:rwx
>>>> group::rwx
>>>> group:3000000:rwx
>>>> group:3000001:r-x
>>>> group:3000002:rwx
>>>> group:3000003:r-x
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:group::---
>>>> default:group:3000000:rwx
>>>> default:group:3000001:r-x
>>>> default:group:3000002:rwx
>>>> default:group:3000003:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> Why there are unresolved GIDs?
>>>>
>>>> root at nas:~# wbinfo -s `wbinfo -G 3000001 `
>>>> BUILTIN\Server Operators 4
>>>> root at nas:~# wbinfo -s `wbinfo -G 3000002 `
>>>> NT AUTHORITY\SYSTEM 5
>>>> root at nas:~# wbinfo -s `wbinfo -G 3000003 `
>>>> NT AUTHORITY\Authenticated Users 5
>>>>
>>>>
>>>> 3. Ok, let's try winbind on member server.
>>>>
>>>> Have installed CHEETAH with the following config (just from the Wiki):
>>>>
>>>> --- smb.conf AD member ---
>>>> [global]
>>>>
>>>>      workgroup = SAMBA
>>>>      security = ADS
>>>>      realm = SAMBA.LOCAL.NET
>>>>      encrypt passwords = yes
>>>>
>>>>      idmap config *:backend = tdb
>>>>      idmap config *:range = 70001-80000
>>>>      idmap config SAMBA:backend = ad
>>>>      idmap config SAMBA:schema_mode = rfc2307
>>>>      idmap config SAMBA:range = 3000000-4000000
>>>>
>>>>      winbind nss info = rfc2307
>>>>      winbind trusted domains only = no
>>>>      winbind use default domain = yes
>>>>      winbind enum users  = yes
>>>>      winbind enum groups = yes
>>>>
>>>> [test]
>>>>      path = /home/test
>>>>      read only = no
>>>>
>>>> --- smb.conf AD member ---
>>>>
>>>> Services have been forcibly restarted to make sure that everything
>>>> has been reloaded.
>>>>
>>>> root at cheetah:~# getent passwd
>>>> root:x:0:0:root:/root:/bin/bash
>>>> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
>>>> ...
>>>> wakizashi:x:1001:100::/home/wakizashi:/bin/bash
>>>> gdm:x:110:115:Gnome Display Manager:/var/lib/gdm:/bin/false
>>>> avahi:x:111:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
>>>> ntp:x:112:120::/home/ntp:/bin/false
>>>> libvirt-qemu:x:113:121:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
>>>> vde2-net:x:114:124::/var/run/vde2:/bin/false
>>>> nslcd:x:115:125:nslcd name service LDAP connection
>>>> daemon,,,:/var/run/nslcd/:/bin/false
>>>> guest:*:3000011:3000012:Guest:/home/guest:/bin/false
>>>>
>>>> Hmmm... Where is "Administrator"? Where is a "krb-tgt"?
>>>>
>>>> BTW - Guest has all needed rfc2307 attributes, as well as other
>>>> users, so it is supposed to get shell and homedir correctly... But even in
>>>> this case it's not resolvable by the system:
>>>>
>>>> root at cheetah:~# id guest
>>>> id: guest: No such user
>>>> root at cheetah:~# id administrator
>>>> id: administrator: No such user
>>>> root at cheetah:~# id SAMBA\\Guest
>>>> id: SAMBA\Guest: No such user
>>>> root at cheetah:~# id SAMBA\\guest
>>>> id: SAMBA\guest: No such user
>>>>
>>>> Even worse - no user is visible, even "Guest", which is in "getent
>>>> passwd"
>>>>
>>>> And of course, here is the issue with access being denied to Administrator
>>>> (and other users too, except "wakizashi", which is available locally
>>>> from /etc/passwd):
>>>>
>>>> [2013/10/28 15:32:44.525754,  3]
>>>> ../source3/smbd/sesssetup.c:138(reply_sesssetup_and_X_spnego)
>>>>     Doing spnego session setup
>>>> [2013/10/28 15:32:44.525773,  3]
>>>> ../source3/smbd/sesssetup.c:179(reply_sesssetup_and_X_spnego)
>>>>     NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
>>>> [2013/10/28 15:32:44.538199,  3]
>>>> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
>>>>     Found account name from PAC: Wakizashi [Alex Wakizashi]
>>>> [2013/10/28 15:32:44.538250,  3]
>>>> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>>>>     Kerberos ticket principal name is [wakizashi at SAMBA.LOCAL.NET]
>>>> [2013/10/28 15:32:44.538419,  3]
>>>> ../source3/param/loadparm.c:4838(lp_load_ex)
>>>>     lp_load_ex: refreshing parameters
>>>> [2013/10/28 15:32:44.538489,  3]
>>>> ../source3/param/loadparm.c:750(init_globals)
>>>>     Initialising global parameters
>>>> [2013/10/28 15:32:44.538546,  3] ../lib/util/params.c:550(pm_process)
>>>>     params.c:pm_process() - Processing configuration file
>>>> "/etc/samba/smb.conf"
>>>> [2013/10/28 15:32:44.538563,  3]
>>>> ../source3/param/loadparm.c:3564(do_section)
>>>>     Processing section "[global]"
>>>> [2013/10/28 15:32:44.538719,  2]
>>>> ../source3/param/loadparm.c:3581(do_section)
>>>>     Processing section "[test]"
>>>> [2013/10/28 15:32:44.538761,  3]
>>>> ../source3/param/loadparm.c:1773(lp_add_ipc)
>>>>     adding IPC service
>>>> [2013/10/28 15:32:44.539384,  3]
>>>> ../source3/smbd/password.c:144(register_homes_share)
>>>>     Adding homes service for user 'wakizashi' using home directory:
>>>> '/home/wakizashi'
>>>> [2013/10/28 15:32:44.539627,  3]
>>>> ../source3/smbd/process.c:1795(process_smb)
>>>>     Transaction 2 of length 84 (0 toread)
>>>> [2013/10/28 15:32:44.539667,  3]
>>>> ../source3/smbd/process.c:1398(switch_message)
>>>>     switch message SMBtconX (pid 15953) conn 0x0
>>>> [2013/10/28 15:32:44.539796,  3]
>>>> ../source3/lib/access.c:338(allow_access)
>>>>     Allowed connection from cheetah (127.0.0.1)
>>>> [2013/10/28 15:32:44.539879,  3]
>>>> ../source3/smbd/service.c:612(make_connection_snum)
>>>>     Connect path is '/tmp' for service [IPC$]
>>>> [2013/10/28 15:32:44.539944,  3]
>>>> ../source3/smbd/vfs.c:113(vfs_init_default)
>>>>     Initialising default vfs hooks
>>>> [2013/10/28 15:32:44.539987,  3]
>>>> ../source3/smbd/vfs.c:139(vfs_init_custom)
>>>>     Initialising custom vfs hooks from [/[Default VFS]/]
>>>> [2013/10/28 15:32:44.540102,  3]
>>>> ../source3/smbd/service.c:848(make_connection_snum)
>>>>     cheetah (ipv4:127.0.0.1:38217) connect to service IPC$ initially as
>>>> user wakizashi (uid=1001, gid=100) (pid 15953)
>>>> ...
>>>> [2013/10/28 15:35:11.002140,  3]
>>>> ../source3/smbd/sesssetup.c:138(reply_sesssetup_and_X_spnego)
>>>>     Doing spnego session setup
>>>> [2013/10/28 15:35:11.002169,  3]
>>>> ../source3/smbd/sesssetup.c:179(reply_sesssetup_and_X_spnego)
>>>>     NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
>>>> [2013/10/28 15:35:11.014682,  3]
>>>> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
>>>>     Found account name from PAC: Administrator []
>>>> [2013/10/28 15:35:11.014726,  3]
>>>> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>>>>     Kerberos ticket principal name is [administrator at SAMBA.LOCAL.NET]
>>>> [2013/10/28 15:35:11.032130,  1]
>>>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>>>     Username SAMBA\administrator is invalid on this system
>>>> [2013/10/28 15:35:11.032176,  1]
>>>> ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
>>>>     Failed to map kerberos principal to system user
>>>> (NT_STATUS_LOGON_FAILURE)
>>>> [2013/10/28 15:35:11.032209,  1]
>>>> ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
>>>>     Failed to generate session_info (user and group token) for session
>>>> setup: NT_STATUS_ACCESS_DENIED
>>>> [2013/10/28 15:35:11.032288,  3]
>>>> ../source3/smbd/error.c:82(error_packet_set)
>>>>     NT error packet at ../source3/smbd/sesssetup.c(279) cmd=115
>>>> (SMBsesssetupX) NT_STATUS_ACCESS_DENIED
>>>> [2013/10/28 15:35:11.032927,  3]
>>>> ../source3/smbd/server_exit.c:212(exit_server_common)
>>>>     Server exit (failed to receive smb request)
>>>>
>>>> Could someone, please, explain how to set up Samba correctly, at
>>>> least to provide users/groups on the DC and member servers?
>>>>
>>>> So far, the default installation and documentation do not provide a
>>>> reasonable way to get a working environment...
>>>>
>>>> I'm completely lost with it. Sometimes it's working, sometimes not.
>>>>
>>>> Yes, there is a way with nslcd, but it's just a workaround, requiring
>>>> additional scripts... But how to make SAMBA work just with its
>>>> standard services, like winbindd?
>>>>
>>>> And of course - if there is anything I can do for the Samba team, I
>>>> will be glad to help. Hope to see SAMBA replacing Windows Server and
>>>> AD completely :)
>>>> Issues mentioned above are reproducible on my virtual machines
>>>> (Debian Wheezy); I may provide access to these, if needed.
>>>>
>>>> Regards,
>>>>     Alex
>>>
>>> Hi, the problem is that winbind on the S4 server only knows about the
>>> uidNumber & gidNumber, you can change the shell by putting 'template
>>> shell = /bin/bash' into smb.conf but you are stuck with /home/DOMAIN/USER
>>> as it is hard coded into winbind.
>>> The devs say that they will replace S4 winbind with the winbind from S3
>>> which is a much different beast, but I do not know when this will happen.
>>> If you want your Linux users to log into the S4 server, then my advice is
>>> to take a look at sssd, you will then get consistent UID/GIDs.
>>>
>>> Rowland
>>>
>
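The member-server symptom in the quoted report (Guest visible, Administrator and krbtgt missing, Wakizashi only present via /etc/passwd) is what the idmap_ad range rule predicts for the posted config: with "idmap config SAMBA:backend = ad" an account is only mapped when it carries uidNumber/gidNumber and both lie inside "idmap config SAMBA:range". The following is an added example, not code from the thread or from Samba: a small model of that rule, with constructed LDIF built from the attribute values shown above; `parse_ldif`, `idmap_ad` and the template homedir/shell defaults are assumptions of this example.

```python
# Added example, not from the thread or Samba: models the idmap_ad(8) rule an
# AD member's winbindd applies with schema_mode = rfc2307 and
# "winbind nss info = rfc2307". Sample LDIF is constructed from the thread.
SAMPLE_LDIF = """\
sAMAccountName: Administrator
uidNumber: 0
gidNumber: 100

sAMAccountName: Guest
uidNumber: 3000011
gidNumber: 3000012
unixHomeDirectory: /home/guest
loginShell: /bin/false

sAMAccountName: Wakizashi
uidNumber: 1001
gidNumber: 100
unixHomeDirectory: /home/wakizashi
loginShell: /bin/bash

sAMAccountName: krbtgt
"""

def parse_ldif(text):
    """Blank-line separated LDIF records -> dicts (single-valued attrs only)."""
    return [dict(line.partition(": ")[::2] for line in chunk.splitlines())
            for chunk in text.strip().split("\n\n")]

def idmap_ad(records, low, high, domain="SAMBA", use_default_domain=True):
    """Return (passwd-style lines winbind would expose, {account: why not})."""
    mapped, skipped = [], {}
    for rec in records:
        acct = rec["sAMAccountName"]
        if "uidNumber" not in rec or "gidNumber" not in rec:
            skipped[acct] = "no uidNumber/gidNumber attributes"  # nothing to map
            continue
        uid, gid = int(rec["uidNumber"]), int(rec["gidNumber"])
        # both the user's uid and its primary group's gid must be in range
        bad = next((f"{k} {v} outside {low}-{high}" for k, v in
                    (("uidNumber", uid), ("gidNumber", gid))
                    if not low <= v <= high), None)
        if bad:
            skipped[acct] = bad
            continue
        name = acct.lower() if use_default_domain else f"{domain}\\{acct.lower()}"
        home = rec.get("unixHomeDirectory", f"/home/{domain}/{acct}")  # template homedir
        shell = rec.get("loginShell", "/bin/false")                     # template shell
        mapped.append(f"{name}:*:{uid}:{gid}::{home}:{shell}")
    return mapped, skipped
```

Running `idmap_ad(parse_ldif(SAMPLE_LDIF), 3000000, 4000000)` yields only the Guest line; widening the range to start at 0 makes Administrator and Wakizashi appear, while krbtgt stays unmapped for lack of rfc2307 IDs.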

