[Samba] Winbind does not read uidNumber

Lars Hanke debian at lhanke.de
Sun Jun 29 06:18:53 MDT 2014


Argl, I hate transparent caching! After 'net cache flush' the entries 
were gone altogether. Thanks for the hint, Steve!

So we have:

root at samba4:/# wbinfo -u
mgr
administrator
dns-samba
krbtgt
guest
root at samba4:/# cat /etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
[...]

We still have:
root at samba4:/# ldapsearch -LLL -D "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)' uid uidNumber gidNumber sAMAccountName name gecos
Enter LDAP Password:
dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
name: Lars LH. Hanke
sAMAccountName: mgr
uid: mgr
uidNumber: 1001
gidNumber: 1001
gecos: Dr. Lars Hanke

But we lost the user entry:
root at samba4:/# getent passwd | grep -i mgr
root at samba4:/#

I updated my smb.conf towards Rowland's sample:
[global]
         workgroup = AD
         realm = AD.MICROSULT.DE
         security = ADS
         restrict anonymous = 2
         kerberos method = system keytab
         os level = 0
         local master = No
         domain master = No
         template shell = /bin/bash
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         winbind nss info = rfc2307
         winbind refresh tickets = Yes
         winbind normalize names = Yes
         idmap config * : range = 10000-20000
         idmap config AD: schema_mode = rfc2307
         idmap config AD: backend = ad
         idmap config AD: range = 1001 - 2000
         idmap config * : backend = tdb

Since it had 'mgr' in the cache, it must have worked with the old 
uid and gid settings for idmap. And yes, using the following smb.conf 
(i.e. what testparm creates from it) the user re-appears and even has 
proper gecos:

[global]
         workgroup = AD
         realm = AD.MICROSULT.DE
         security = ADS
         restrict anonymous = 2
         kerberos method = system keytab
         os level = 0
         local master = No
         domain master = No
         template shell = /bin/bash
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         winbind nss info = rfc2307
         winbind refresh tickets = Yes
         winbind normalize names = Yes
         idmap config * : range = 10000 - 30000
         idmap config * : backend = tdb
root at samba4:/# getent passwd | grep -i mgr
mgr:*:10000:10000:Dr. Lars Hanke:/home/AD/mgr:/bin/bash

Am 29.06.2014 13:45, schrieb Rowland Penny:
> On 29/06/14 12:01, Lars Hanke wrote:
>> Well, seems like I hit every mudhole that could be on the way ...
>>
>> root at samba4:/# getent passwd | grep mgr
>> mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash
>> root at samba4:/# ldapsearch -LLL -D
>> "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)'
>> uid uidNumber gidNumber sAMAccountName name gecos
>> Enter LDAP Password:
>> dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
>> name: Lars LH. Hanke
>> sAMAccountName: mgr
>> uid: mgr
>> uidNumber: 1001
>> gidNumber: 1001
>> gecos: Dr. Lars Hanke
>>
>> root at samba4:/# grep mgr /etc/passwd
>> root at samba4:/#
>>
>> So although proper POSIX information is in the AD, and no local
>> information present, winbind rolls dice for POSIX attributes. The
>> situation seems similar to that of Rowland and Derek Werthmuller last
>> December. There finally, Rowland suggested to use sssd.
>>
>> My smb.conf:
>>
>> [global]
>>         workgroup = AD
>>         realm = AD.MICROSULT.DE
>>         security = ADS
>>         restrict anonymous = 2
>>         kerberos method = system keytab
>>         os level = 0
>>         local master = No
>>         domain master = No
>>         template shell = /bin/bash
>>         winbind enum users = Yes
>>         winbind enum groups = Yes
>>         winbind use default domain = Yes
>>         idmap config * : range = 10000-20000
>>         idmap config AD: backend = ad
>>         idmap config AD: range = 1001 - 2000
>>         idmap config * : backend = tdb
>>
>> Interestingly the behaviour is no different, if I simply put idmap uid
>> and idmap gid lines instead of the more detailed config.
>>
>> And, if you doubt that I'm querying the right LDAP:
>>
>> root at samba4:/# cat /etc/ldap/ldap.conf
>> BASE    DC=ad,DC=microsult,DC=de
>> URI     ldap://samba.ad.microsult.de:3268
>> TLS_CACERT      /etc/certs/cacert.pem
>>
>> BTW: administrator doesn't map to 0 either!
>>
>> Moreover, I largely followed the Debian Wiki
>> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory. In
>> their setup uids get prefixed by %D+. Unsure which I like better, but
>> it's at least an observation.
>>
>> samba4 runs vanilla Debian Wheezy, i.e. samba 3.6.6. If this is a
>> _known_ issue with that version, I readily update to backports 4.1.7.
>> Otherwise, I have some reasons to explore the old version for a while.
>>
>> Thanks for your help,
>> - lars.
> Hi, this is a working samba 3.6 smb.conf:
>
> [global]
>          workgroup = EXAMPLE
>          realm = EXAMPLE.COM
>          security = ADS
>          client signing = yes
>          dedicated keytab file = /etc/krb5.keytab
>          kerberos method = secrets and keytab
>          os level = 20
>          local master = no
>          domain master = no
>          preferred master = no
>          server string = Samba 3 Client %h
>          winbind enum users = yes
>          winbind enum groups = yes
>          winbind use default domain = yes
>          winbind expand groups = 4
>          winbind nss info = rfc2307
>          winbind refresh tickets = Yes
>          winbind normalize names = Yes
>          idmap config * : backend = tdb
>          idmap config * : range = 2000-9999
>          idmap config HOME : backend  = ad
>          idmap config HOME : range = 10000-999999
>          idmap config HOME:schema_mode = rfc2307
>          printcap name = cups
>          cups options = raw
>          usershare allow guests = yes
>          map to guest = bad user
>          username map = /etc/samba/smbmap
>
> and there is at least one line in there that you do not have:
>
>          winbind nss info = rfc2307
>
> Try adding at least that one line and then report back ;-)
>
> Rowland
>

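As an added check, not from the thread or from Samba itself: a POSIX shell script that compares the uidNumber/gidNumber stored in AD (the ldapsearch -LLL output shown above) with what NSS hands out (getent passwd), and flags IDs that fall inside the `idmap config * : range`, since those were allocated by the tdb backend on this host rather than read from AD. The mgr entries are taken from the thread; the Administrator LDIF entry, the administrator passwd line and the SAMPLE_NSS_OK data (what getent would show if winbind read the rfc2307 attributes) are constructed for the example. Names are matched after stripping a `DOMAIN\` or `DOMAIN+` prefix, so it works with or without `winbind use default domain`.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the POSIX IDs that NSS hands out
# for AD users are the uidNumber/gidNumber stored in AD or IDs allocated locally by
# winbind's tdb backend. In production replace the constructed samples with
#   ldapsearch -LLL -x -W -D "$BINDDN" '(objectClass=user)' sAMAccountName uidNumber gidNumber
# and
#   getent passwd

# Constructed sample of ldapsearch -LLL output: the mgr entry from the thread plus a
# hypothetical Administrator entry that carries no rfc2307 attributes.
SAMPLE_AD_LDIF='dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
sAMAccountName: mgr
uidNumber: 1001
gidNumber: 1001

dn: CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de
sAMAccountName: Administrator
'

# Constructed getent passwd output: the mgr line as observed in the thread (uid 10000
# from the tdb range) plus a hypothetical administrator line.
SAMPLE_NSS_BROKEN='mgr:*:10000:10000:Dr. Lars Hanke:/home/AD/mgr:/bin/bash
administrator:*:10001:10001::/home/AD/administrator:/bin/bash'

# Hypothetical getent passwd output for a host whose idmap reads the rfc2307 attributes.
SAMPLE_NSS_OK='mgr:*:1001:1001:Dr. Lars Hanke:/home/AD/mgr:/bin/bash'

# stdin: LDIF as printed by ldapsearch -LLL; stdout: "<sAMAccountName> <uidNumber> <gidNumber>"
# for every entry that carries a uidNumber. Entries without one (Administrator above) are
# skipped: winbind has nothing to read for them. LDIF continuation lines (leading space)
# are not unfolded; the three attributes needed here are short and never wrapped.
ad_posix_ids() {
    awk 'BEGIN { RS = ""; FS = "\n" }
         {
           sam = ""; uid = ""; gid = ""
           for (i = 1; i <= NF; i++) {
             v = $i; sub(/^[^:]*: /, "", v)
             if ($i ~ /^sAMAccountName: /) sam = v
             else if ($i ~ /^uidNumber: /) uid = v
             else if ($i ~ /^gidNumber: /) gid = v
           }
           if (sam != "" && uid != "") print sam, uid, (gid == "" ? "-" : gid)
         }'
}

# stdin: getent passwd lines; stdout: "<name> <uid> <gid>". A "DOMAIN\name" or "DOMAIN+name"
# prefix (winbind without "use default domain", or the Debian wiki's "%D+" layout) is
# stripped so the name can be matched against sAMAccountName.
nss_posix_ids() {
    awk -F: '{
        n = $1
        p = index(n, "\\"); if (p) n = substr(n, p + 1)
        p = index(n, "+");  if (p) n = substr(n, p + 1)
        print n, $3, $4
    }'
}

# $1: AD LDIF, $2: getent passwd output, $3 and $4: bounds of "idmap config * : range".
# Prints one OK/MISMATCH/MISSING line per AD user with a uidNumber; returns 1 if any disagree.
check_idmap() {
    ad_ids=$(printf '%s\n' "$1" | ad_posix_ids)
    nss_ids=$(printf '%s\n' "$2" | nss_posix_ids)
    lo=$3; hi=$4; rc=0
    while read -r sam ad_uid ad_gid; do
        [ -n "$sam" ] || continue
        # winbind normalize names lowercases, so compare case-insensitively
        nss_line=$(printf '%s\n' "$nss_ids" | awk -v n="$sam" 'tolower($1) == tolower(n) { print; exit }')
        if [ -z "$nss_line" ]; then
            printf 'MISSING %s: AD has uidNumber=%s but NSS returns no entry\n' "$sam" "$ad_uid"
            rc=1
            continue
        fi
        set -- $nss_line
        nss_uid=$2; nss_gid=$3
        if [ "$nss_uid" = "$ad_uid" ] && [ "$nss_gid" = "$ad_gid" ]; then
            printf 'OK %s uid=%s gid=%s\n' "$sam" "$nss_uid" "$nss_gid"
        else
            hint=""
            if [ "$nss_uid" -ge "$lo" ] && [ "$nss_uid" -le "$hi" ]; then
                hint=" (uid lies in the tdb allocation range $lo-$hi: allocated locally, not read from AD)"
            fi
            printf 'MISMATCH %s ad=%s/%s nss=%s/%s%s\n' "$sam" "$ad_uid" "$ad_gid" "$nss_uid" "$nss_gid" "$hint"
            rc=1
        fi
    done <<EOF
$ad_ids
EOF
    return $rc
}

# Demonstration on the constructed data: the first call reports the mismatch seen in the
# thread (AD says 1001, NSS says 10000 from the * range), the second passes.
check_idmap "$SAMPLE_AD_LDIF" "$SAMPLE_NSS_BROKEN" 10000 30000 || echo "idmap check FAILED (exit $?)"
check_idmap "$SAMPLE_AD_LDIF" "$SAMPLE_NSS_OK" 10000 30000
```

The point of running this on every joined host, not just one, is that IDs handed out by the tdb backend are allocated per machine in first-come order: the same AD user can end up with a different uid on each host, so ownership and ACLs on shared storage stop lining up. A MISMATCH with the "tdb allocation range" hint is exactly that situation; only users that actually carry a uidNumber in AD are checked, since winbind has nothing to read for the others.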

