[Samba] Winbind does not read uidNumber
steve at steve-ss.com
Sun Jun 29 05:41:53 MDT 2014
On Sun, 2014-06-29 at 13:01 +0200, Lars Hanke wrote:
> Well, seems like I hit every mudhole that could be on the way ...
> root at samba4:/# getent passwd | grep mgr
> mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash
> root at samba4:/# ldapsearch -LLL -D
> "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)'
> uid uidNumber gidNumber sAMAccountName name gecos
> Enter LDAP Password:
> dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
> name: Lars LH. Hanke
> sAMAccountName: mgr
> uid: mgr
> uidNumber: 1001
> gidNumber: 1001
> gecos: Dr. Lars Hanke
> root at samba4:/# grep mgr /etc/passwd
> root at samba4:/#
> So although proper POSIX information is in the AD, and no local
> information present, winbind rolls dice for POSIX attributes.
lol! Do you have any local cache? nscd is often a culprit here. flush
the winbind tdb too:
net cache flush
check that winbind registers on the DC when you start it.
> situation seems similar to that of Rowland and Derek Werthmuller last
> December. There finally, Rowland suggested to use sssd.
OK, make a decision. If it doesn't work this time, try the latter.
> My smb.conf:
> workgroup = AD
> realm = AD.MICROSULT.DE
> security = ADS
> restrict anonymous = 2
> kerberos method = system keytab
> os level = 0
> local master = No
> domain master = No
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> idmap config * : range = 10000-20000
> idmap config AD: backend = ad
> idmap config AD: range = 1001 - 2000
idmap config AD: range = 1000-2000 #lose the spaces and change the
range just to be sure
> idmap config * : backend = tdb
> Interestingly the bahaviour is no different, if I simply put idmap uid
> and idmap gid lines instead of the more detailed config.
> And, if you doubt that I'm querying the right LDAP:
> root at samba4:/# cat /etc/ldap/ldap.conf
> BASE DC=ad,DC=microsult,DC=de
> URI ldap://samba.ad.microsult.de:3268
> TLS_CACERT /etc/certs/cacert.pem
> BTW: administrator neither maps to 0!
It only maps to 0 is if you configure it to do so.
More information about the samba