[Samba] Winbind does not read uidNumber

Rowland Penny rowlandpenny at googlemail.com
Sun Jun 29 05:45:21 MDT 2014


On 29/06/14 12:01, Lars Hanke wrote:
> Well, seems like I hit every mudhole that could be on the way ...
>
> root at samba4:/# getent passwd | grep mgr
> mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash
> root at samba4:/# ldapsearch -LLL -D "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)' uid uidNumber gidNumber sAMAccountName name gecos
> Enter LDAP Password:
> dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
> name: Lars LH. Hanke
> sAMAccountName: mgr
> uid: mgr
> uidNumber: 1001
> gidNumber: 1001
> gecos: Dr. Lars Hanke
>
> root at samba4:/# grep mgr /etc/passwd
> root at samba4:/#
>
> So although proper POSIX information is in the AD, and no local 
> information is present, winbind rolls dice for POSIX attributes. The 
> situation seems similar to that of Rowland and Derek Werthmuller last 
> December. There, Rowland finally suggested using sssd.
>
> My smb.conf:
>
> [global]
>         workgroup = AD
>         realm = AD.MICROSULT.DE
>         security = ADS
>         restrict anonymous = 2
>         kerberos method = system keytab
>         os level = 0
>         local master = No
>         domain master = No
>         template shell = /bin/bash
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = Yes
>         idmap config * : range = 10000-20000
>         idmap config AD: backend = ad
>         idmap config AD: range = 1001 - 2000
>         idmap config * : backend = tdb
>
> Interestingly, the behaviour is no different if I simply put idmap uid 
> and idmap gid lines instead of the more detailed config.
>
> And, if you doubt that I'm querying the right LDAP:
>
> root at samba4:/# cat /etc/ldap/ldap.conf
> BASE    DC=ad,DC=microsult,DC=de
> URI     ldap://samba.ad.microsult.de:3268
> TLS_CACERT      /etc/certs/cacert.pem
>
> BTW: Administrator does not map to 0 either!
>
> Moreover, I largely followed the Debian Wiki 
> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory. In 
> their setup uids get prefixed by %D+. Unsure which I like better, but 
> it's at least an observation.
>
> samba4 runs vanilla Debian Wheezy, i.e. samba 3.6.6. If this is a 
> _known_ issue with that version, I readily update to backports 4.1.7. 
> Otherwise, I have some reasons to explore the old version for a while.
>
> Thanks for your help,
> - lars.
Hi, this is a working samba 3.6 smb.conf:

[global]
         workgroup = EXAMPLE
         realm = EXAMPLE.COM
         security = ADS
         client signing = yes
         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab
         os level = 20
         local master = no
         domain master = no
         preferred master = no
         server string = Samba 3 Client %h
         winbind enum users = yes
         winbind enum groups = yes
         winbind use default domain = yes
         winbind expand groups = 4
         winbind nss info = rfc2307
         winbind refresh tickets = Yes
         winbind normalize names = Yes
         idmap config * : backend = tdb
         idmap config * : range = 2000-9999
         idmap config HOME : backend  = ad
         idmap config HOME : range = 10000-999999
         idmap config HOME:schema_mode = rfc2307
         printcap name = cups
         cups options = raw
         usershare allow guests = yes
         map to guest = bad user
         username map = /etc/samba/smbmap

and there is at least one line in there that you do not have:

         winbind nss info = rfc2307

Try adding at least that one line and then report back ;-)

Rowland
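To make the comparison between the two configs above repeatable, here is an added shell check (not from the thread or from Samba itself). It reads the keys winbind cares about for this problem, the domain's idmap backend and range and the `winbind nss info` line Rowland points at, and reports whether a uidNumber taken from AD could be served. The smb.conf excerpt inside it is constructed to mirror the one quoted in the question.

```shell
#!/bin/sh
# Constructed excerpt mirroring the questioner's smb.conf: ad backend for
# the AD domain, but no "winbind nss info" line.
SMB_CONF_SAMPLE='[global]
        workgroup = AD
        security = ADS
        idmap config * : range = 10000-20000
        idmap config AD: backend = ad
        idmap config AD: range = 1001 - 2000
        idmap config * : backend = tdb'

# smbconf_get CONFTEXT KEY: print the value of KEY. Keys are compared with
# spaces removed and case folded, so "idmap config AD: range" and
# "idmap config AD : range" name the same key, as in smb.conf itself.
smbconf_get() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | awk -F= -v want="$want" '
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        NF >= 2 {
            k = $1; gsub(/[ \t]/, "", k); k = tolower(k)
            if (k == want) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
            }
        }'
}

# check_idmap CONFTEXT DOMAIN UIDNUMBER: report what would stop winbind from
# handing out UIDNUMBER (the AD uidNumber attribute) for DOMAIN.
# Returns 0 when the config can serve it, 1 otherwise.
check_idmap() {
    conf=$1; dom=$2; uid=$3; rc=0
    backend=$(smbconf_get "$conf" "idmap config $dom : backend")
    range=$(smbconf_get "$conf" "idmap config $dom : range" | tr -d ' ')
    nssinfo=$(smbconf_get "$conf" "winbind nss info")
    lo=${range%-*}; hi=${range#*-}
    [ "$backend" = "ad" ] || { echo "idmap backend for $dom is '$backend', not ad"; rc=1; }
    if [ -z "$lo" ] || [ -z "$hi" ] || [ "$uid" -lt "$lo" ] || [ "$uid" -gt "$hi" ]; then
        echo "uidNumber $uid is outside idmap range '$range' for $dom"; rc=1
    fi
    [ "$nssinfo" = "rfc2307" ] || { echo "winbind nss info is '$nssinfo', expected rfc2307"; rc=1; }
    return $rc
}

# The quoted config fails the check; adding the line from the reply passes it.
check_idmap "$SMB_CONF_SAMPLE" AD 1001 || echo "-> config as quoted in the thread fails the check"
SMB_CONF_FIXED="$SMB_CONF_SAMPLE
        winbind nss info = rfc2307"
check_idmap "$SMB_CONF_FIXED" AD 1001 && echo "-> with winbind nss info = rfc2307: uidNumber 1001 can be served"
```

Run it against a real file with `check_idmap "$(cat /etc/samba/smb.conf)" AD 1001`, using the uidNumber that ldapsearch returned for the account in question.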