[Samba] Winbind does not read uidNumber
Rowland Penny
rowlandpenny at googlemail.com
Sun Jun 29 05:45:21 MDT 2014
On 29/06/14 12:01, Lars Hanke wrote:
> Well, seems like I hit every mudhole that could be on the way ...
>
> root at samba4:/# getent passwd | grep mgr
> mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash
> root at samba4:/# ldapsearch -LLL -D
> "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)'
> uid uidNumber gidNumber sAMAccountName name gecos
> Enter LDAP Password:
> dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
> name: Lars LH. Hanke
> sAMAccountName: mgr
> uid: mgr
> uidNumber: 1001
> gidNumber: 1001
> gecos: Dr. Lars Hanke
>
> root at samba4:/# grep mgr /etc/passwd
> root at samba4:/#
>
> So although proper POSIX information is in the AD, and no local
> information present, winbind rolls dice for POSIX attributes. The
> situation seems similar to that of Rowland and Derek Werthmuller last
> December. There finally, Rowland suggested to use sssd.
>
> My smb.conf:
>
> [global]
> workgroup = AD
> realm = AD.MICROSULT.DE
> security = ADS
> restrict anonymous = 2
> kerberos method = system keytab
> os level = 0
> local master = No
> domain master = No
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> idmap config * : range = 10000-20000
> idmap config AD: backend = ad
> idmap config AD: range = 1001 - 2000
> idmap config * : backend = tdb
>
> Interestingly the bahaviour is no different, if I simply put idmap uid
> and idmap gid lines instead of the more detailed config.
>
> And, if you doubt that I'm querying the right LDAP:
>
> root at samba4:/# cat /etc/ldap/ldap.conf
> BASE DC=ad,DC=microsult,DC=de
> URI ldap://samba.ad.microsult.de:3268
> TLS_CACERT /etc/certs/cacert.pem
>
> BTW: administrator neither maps to 0!
>
> Moreover, I largely folled the Debian Wiki
> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory. In
> their setup uids get prefixed by %D+. Unsure which I like better, but
> it's a least an observation.
>
> samba4 runs vanilla Debian Wheezy, i.e. samba 3.6.6. If this is a
> _known_ issue with that version, I readily update to backports 4.1.7.
> Otherwise, I have some reasons to explore the old version for a while.
>
> Thanks for your help,
> - lars.
Hi, this is a working samba 3.6 samba.conf:
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
security = ADS
client signing = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
os level = 20
local master = no
domain master = no
preferred master = no
server string = Samba 3 Client %h
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind normalize names = Yes
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config HOME : backend = ad
idmap config HOME : range = 10000-999999
idmap config HOME:schema_mode = rfc2307
printcap name = cups
cups options = raw
usershare allow guests = yes
map to guest = bad user
username map = /etc/samba/smbmap
and there is at least one line in there that you do not have:
winbind nss info = rfc2307
Try adding at least that one line and then report back ;-)
Rowland
More information about the samba
mailing list