[Samba] Winbind does not read uidNumber
Rowland Penny
rowlandpenny at googlemail.com
Sun Jun 29 06:37:04 MDT 2014
On 29/06/14 13:18, Lars Hanke wrote:
> Argl, I hate transparent caching! After 'net cache flush' the entries
> were gone altogether. Thanks for the hint Steve!
>
> So we have:
>
> root at samba4:/# wbinfo -u
> mgr
> administrator
> dns-samba
> krbtgt
> guest
> root at samba4:/# cat /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> hosts: files dns
> [...]
>
> We still have:
> root at samba4:/# ldapsearch -LLL -D
> "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)'
> uid uidNumber gidNumber sAMAccountName name gecos
> Enter LDAP Password:
> dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
> name: Lars LH. Hanke
> sAMAccountName: mgr
> uid: mgr
> uidNumber: 1001
> gidNumber: 1001
> gecos: Dr. Lars Hanke
>
> But we lost the user entry:
> root at samba4:/# getent passwd | grep -i mgr
> root at samba4:/#
>
> I updated my smb.conf towards Rowland's sample:
> [global]
> workgroup = AD
> realm = AD.MICROSULT.DE
> security = ADS
> restrict anonymous = 2
> kerberos method = system keytab
> os level = 0
> local master = No
> domain master = No
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind normalize names = Yes
> idmap config * : range = 10000-20000
> idmap config AD: schema_mode = rfc2307
> idmap config AD: backend = ad
> idmap config AD: range = 1001 - 2000
> idmap config * : backend = tdb
>
> Since it had 'mgr' in the cache, it must have been worked with the old
> uid and gid settings for idmap. And yes, using the following smb.conf
> (i.e. what testparm creates from it) the user re-appears and even has
> proper gecos:
>
> [global]
> workgroup = AD
> realm = AD.MICROSULT.DE
> security = ADS
> restrict anonymous = 2
> kerberos method = system keytab
> os level = 0
> local master = No
> domain master = No
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind normalize names = Yes
> idmap config * : range = 10000 - 30000
> idmap config * : backend = tdb
> root at samba4:/# getent passwd | grep -i mgr
> mgr:*:10000:10000:Dr. Lars Hanke:/home/AD/mgr:/bin/bash
You seem to have lost the lines that pull the user/group info from AD. I
am also beginning to think that you do not have the packages installed
to connect PAM to nsswitch.conf, do you have libpam-winbind &
libnss-winbind installed?
Rowland
>
> Am 29.06.2014 13:45, schrieb Rowland Penny:
>> On 29/06/14 12:01, Lars Hanke wrote:
>>> Well, seems like I hit every mudhole that could be on the way ...
>>>
>>> root at samba4:/# getent passwd | grep mgr
>>> mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash
>>> root at samba4:/# ldapsearch -LLL -D
>>> "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)'
>>> uid uidNumber gidNumber sAMAccountName name gecos
>>> Enter LDAP Password:
>>> dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
>>> name: Lars LH. Hanke
>>> sAMAccountName: mgr
>>> uid: mgr
>>> uidNumber: 1001
>>> gidNumber: 1001
>>> gecos: Dr. Lars Hanke
>>>
>>> root at samba4:/# grep mgr /etc/passwd
>>> root at samba4:/#
>>>
>>> So although proper POSIX information is in the AD, and no local
>>> information present, winbind rolls dice for POSIX attributes. The
>>> situation seems similar to that of Rowland and Derek Werthmuller last
>>> December. There finally, Rowland suggested to use sssd.
>>>
>>> My smb.conf:
>>>
>>> [global]
>>> workgroup = AD
>>> realm = AD.MICROSULT.DE
>>> security = ADS
>>> restrict anonymous = 2
>>> kerberos method = system keytab
>>> os level = 0
>>> local master = No
>>> domain master = No
>>> template shell = /bin/bash
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind use default domain = Yes
>>> idmap config * : range = 10000-20000
>>> idmap config AD: backend = ad
>>> idmap config AD: range = 1001 - 2000
>>> idmap config * : backend = tdb
>>>
>>> Interestingly the bahaviour is no different, if I simply put idmap uid
>>> and idmap gid lines instead of the more detailed config.
>>>
>>> And, if you doubt that I'm querying the right LDAP:
>>>
>>> root at samba4:/# cat /etc/ldap/ldap.conf
>>> BASE DC=ad,DC=microsult,DC=de
>>> URI ldap://samba.ad.microsult.de:3268
>>> TLS_CACERT /etc/certs/cacert.pem
>>>
>>> BTW: administrator neither maps to 0!
>>>
>>> Moreover, I largely folled the Debian Wiki
>>> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory. In
>>> their setup uids get prefixed by %D+. Unsure which I like better, but
>>> it's a least an observation.
>>>
>>> samba4 runs vanilla Debian Wheezy, i.e. samba 3.6.6. If this is a
>>> _known_ issue with that version, I readily update to backports 4.1.7.
>>> Otherwise, I have some reasons to explore the old version for a while.
>>>
>>> Thanks for your help,
>>> - lars.
>> Hi, this is a working samba 3.6 samba.conf:
>>
>> [global]
>> workgroup = EXAMPLE
>> realm = EXAMPLE.COM
>> security = ADS
>> client signing = yes
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> os level = 20
>> local master = no
>> domain master = no
>> preferred master = no
>> server string = Samba 3 Client %h
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>> winbind expand groups = 4
>> winbind nss info = rfc2307
>> winbind refresh tickets = Yes
>> winbind normalize names = Yes
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>> idmap config HOME : backend = ad
>> idmap config HOME : range = 10000-999999
>> idmap config HOME:schema_mode = rfc2307
>> printcap name = cups
>> cups options = raw
>> usershare allow guests = yes
>> map to guest = bad user
>> username map = /etc/samba/smbmap
>>
>> and there is at least one line in there that you do not have:
>>
>> winbind nss info = rfc2307
>>
>> Try adding at least that one line and then report back ;-)
>>
>> Rowland
>>
>
More information about the samba
mailing list