[Samba] Winbind does not read uidNumber

steve steve at steve-ss.com
Sun Jun 29 06:48:59 MDT 2014


On Sun, 2014-06-29 at 14:18 +0200, Lars Hanke wrote:
> Argl, I hate transparent caching! After 'net cache flush' the entries 
> were gone altogether. Thanks for the hint Steve!
> 
> So we have:
> 
> root at samba4:/# wbinfo -u
> mgr
> administrator
> dns-samba
> krbtgt
> guest
> root at samba4:/# cat /etc/nsswitch.conf
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> hosts:          files dns
> [...]
> 
> We still have:
> root at samba4:/# ldapsearch -LLL -D 
> "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)' 
> uid uidNumber gidNumber sAMAccountName name gecos
> Enter LDAP Password:
> dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
> name: Lars LH. Hanke
> sAMAccountName: mgr
> uid: mgr
> uidNumber: 1001
> gidNumber: 1001
> gecos: Dr. Lars Hanke
> 
> But we lost the user entry:
> root at samba4:/# getent passwd | grep -i mgr
> root at samba4:/#
> 
> I updated my smb.conf towards Rowland's sample:
> [global]
>          workgroup = AD
>          realm = AD.MICROSULT.DE
>          security = ADS
>          restrict anonymous = 2
>          kerberos method = system keytab
>          os level = 0
>          local master = No
>          domain master = No
>          template shell = /bin/bash
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          winbind use default domain = Yes
>          winbind nss info = rfc2307
>          winbind refresh tickets = Yes
>          winbind normalize names = Yes
>          idmap config * : range = 10000-20000
>          idmap config AD: schema_mode = rfc2307
>          idmap config AD: backend = ad
>          idmap config AD: range = 1001 - 2000
>          idmap config * : backend = tdb
> 
> Since it had 'mgr' in the cache, it must have worked with the old 
> uid and gid settings for idmap. And yes, using the following smb.conf 
> (i.e. what testparm creates from it) the user re-appears and even has 
> proper gecos:
> 
> [global]
>          workgroup = AD
>          realm = AD.MICROSULT.DE
>          security = ADS
>          restrict anonymous = 2
>          kerberos method = system keytab
>          os level = 0
>          local master = No
>          domain master = No
>          template shell = /bin/bash
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          winbind use default domain = Yes
>          winbind nss info = rfc2307
>          winbind refresh tickets = Yes
>          winbind normalize names = Yes
>          idmap config * : range = 10000 - 30000
>          idmap config * : backend = tdb
> root at samba4:/# getent passwd | grep -i mgr
> mgr:*:10000:10000:Dr. Lars Hanke:/home/AD/mgr:/bin/bash
This is because winbind has opened up another tdb to store the values.
As you have not opted for AD this time, it fits them into the range you
specified for *.

We're assuming that Rowland's working smb.conf did not work for you.

Can you tail the samba log on the dc (samba -i -d3) and have a look in
real time at what happens when you start winbind?
HTH
Steve

> 
> Am 29.06.2014 13:45, schrieb Rowland Penny:
> > On 29/06/14 12:01, Lars Hanke wrote:
> >> Well, seems like I hit every mudhole that could be on the way ...
> >>
> >> root at samba4:/# getent passwd | grep mgr
> >> mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash
> >> root at samba4:/# ldapsearch -LLL -D
> >> "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)'
> >> uid uidNumber gidNumber sAMAccountName name gecos
> >> Enter LDAP Password:
> >> dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
> >> name: Lars LH. Hanke
> >> sAMAccountName: mgr
> >> uid: mgr
> >> uidNumber: 1001
> >> gidNumber: 1001
> >> gecos: Dr. Lars Hanke
> >>
> >> root at samba4:/# grep mgr /etc/passwd
> >> root at samba4:/#
> >>
> >> So although proper POSIX information is in the AD, and no local
> >> information present, winbind rolls dice for POSIX attributes. The
> >> situation seems similar to that of Rowland and Derek Werthmuller last
> >> December. There, finally, Rowland suggested using sssd.
> >>
> >> My smb.conf:
> >>
> >> [global]
> >>         workgroup = AD
> >>         realm = AD.MICROSULT.DE
> >>         security = ADS
> >>         restrict anonymous = 2
> >>         kerberos method = system keytab
> >>         os level = 0
> >>         local master = No
> >>         domain master = No
> >>         template shell = /bin/bash
> >>         winbind enum users = Yes
> >>         winbind enum groups = Yes
> >>         winbind use default domain = Yes
> >>         idmap config * : range = 10000-20000
> >>         idmap config AD: backend = ad
> >>         idmap config AD: range = 1001 - 2000
> >>         idmap config * : backend = tdb
> >>
> >> Interestingly the behaviour is no different, if I simply put idmap uid
> >> and idmap gid lines instead of the more detailed config.
> >>
> >> And, if you doubt that I'm querying the right LDAP:
> >>
> >> root at samba4:/# cat /etc/ldap/ldap.conf
> >> BASE    DC=ad,DC=microsult,DC=de
> >> URI     ldap://samba.ad.microsult.de:3268
> >> TLS_CACERT      /etc/certs/cacert.pem
> >>
> >> BTW: administrator neither maps to 0!
> >>
> >> Moreover, I largely followed the Debian Wiki
> >> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory. In
> >> their setup uids get prefixed by %D+. Unsure which I like better, but
> >> it's at least an observation.
> >>
> >> samba4 runs vanilla Debian Wheezy, i.e. samba 3.6.6. If this is a
> >> _known_ issue with that version, I readily update to backports 4.1.7.
> >> Otherwise, I have some reasons to explore the old version for a while.
> >>
> >> Thanks for your help,
> >> - lars.
> > Hi, this is a working samba 3.6 samba.conf:
> >
> > [global]
> >          workgroup = EXAMPLE
> >          realm = EXAMPLE.COM
> >          security = ADS
> >          client signing = yes
> >          dedicated keytab file = /etc/krb5.keytab
> >          kerberos method = secrets and keytab
> >          os level = 20
> >          local master = no
> >          domain master = no
> >          preferred master = no
> >          server string = Samba 3 Client %h
> >          winbind enum users = yes
> >          winbind enum groups = yes
> >          winbind use default domain = yes
> >          winbind expand groups = 4
> >          winbind nss info = rfc2307
> >          winbind refresh tickets = Yes
> >          winbind normalize names = Yes
> >          idmap config * : backend = tdb
> >          idmap config * : range = 2000-9999
> >          idmap config HOME : backend  = ad
> >          idmap config HOME : range = 10000-999999
> >          idmap config HOME:schema_mode = rfc2307
> >          printcap name = cups
> >          cups options = raw
> >          usershare allow guests = yes
> >          map to guest = bad user
> >          username map = /etc/samba/smbmap
> >
> > and there is at least one line in there that you do not have:
> >
> >          winbind nss info = rfc2307
> >
> > Try adding at least that one line and then report back ;-)
> >
> > Rowland
> >
> 
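Steve's explanation (without an ad backend for the domain, winbind allocates ids from the '*' tdb range and never looks at uidNumber) and Rowland's point about 'winbind nss info = rfc2307' are both static properties of smb.conf, so they can be checked before restarting winbind. The script below is an added example, not code from the thread or from Samba: it parses the idmap-related lines of constructed smb.conf samples modelled on the excerpts in the thread and reports the settings that decide whether uidNumber from AD is used. The function names (norm_conf, conf_get, range_bounds, lint_idmap) and the trimmed samples are assumptions of this example. A configuration that passes the lint, like Lars's second smb.conf, can still lose the user for runtime reasons such as the stale idmap cache discussed earlier in the thread, which a static check cannot see.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): a static lint for the
# idmap/winbind settings that decide whether winbind reads uidNumber from AD
# or hands out its own ids from the '*' tdb range. Sample configs are
# constructed from the thread's smb.conf excerpts, trimmed to idmap lines.

# Normalise config text: strip indentation, blanks around ':' and '=', trailing blanks.
norm_conf() {
    printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/[[:space:]]*:[[:space:]]*/:/g' -e 's/[[:space:]]*$//'
}

# conf_get CONFIG KEY -> lower-cased value, empty if absent (key match is case-insensitive).
conf_get() {
    norm_conf "$1" | awk -F= -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }'
}

# range_bounds CONFIG DOMAIN -> "low high" parsed from "low - high", empty if unset.
range_bounds() {
    r=$(conf_get "$1" "idmap config $2:range" | tr -d ' ')
    if [ -n "$r" ]; then echo "${r%-*} ${r#*-}"; fi
}

# lint_idmap CONFIG DOMAIN [UIDNUMBER]: one FINDING line per problem; status 0 if none.
lint_idmap() {
    cfg=$1; dom=$2; uid=${3:-}; n=0
    backend=$(conf_get "$cfg" "idmap config $dom:backend")
    dr=$(range_bounds "$cfg" "$dom"); sr=$(range_bounds "$cfg" '*')
    if [ "$(conf_get "$cfg" "winbind nss info")" != "rfc2307" ]; then
        echo "FINDING: 'winbind nss info = rfc2307' missing; gecos/home/shell come from templates, not AD"
        n=$((n + 1))
    fi
    if [ "$backend" != "ad" ]; then
        echo "FINDING: no 'idmap config $dom : backend = ad'; $dom ids are allocated from the '*' tdb range and uidNumber is ignored"
        n=$((n + 1))
    else
        if [ "$(conf_get "$cfg" "idmap config $dom:schema_mode")" != "rfc2307" ]; then
            echo "FINDING: 'idmap config $dom : schema_mode = rfc2307' missing"
            n=$((n + 1))
        fi
        if [ -z "$dr" ]; then
            echo "FINDING: 'idmap config $dom : range' missing; idmap_ad maps nothing without one"
            n=$((n + 1))
        elif [ -n "$uid" ] && { [ "$uid" -lt "${dr% *}" ] || [ "$uid" -gt "${dr#* }" ]; }; then
            echo "FINDING: uidNumber $uid is outside the $dom range ${dr% *}-${dr#* }; idmap_ad will not map it"
            n=$((n + 1))
        fi
    fi
    # Every idmap range must be disjoint from the others.
    if [ -n "$dr" ] && [ -n "$sr" ] && [ "${dr% *}" -le "${sr#* }" ] && [ "${sr% *}" -le "${dr#* }" ]; then
        echo "FINDING: $dom range ($dr) overlaps the '*' range ($sr)"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed samples: Lars's first config, his rfc2307 config, his tdb-only config, Rowland's.
CFG_FIRST=$(cat <<'EOF'
[global]
        idmap config * : range = 10000-20000
        idmap config AD: backend = ad
        idmap config AD: range = 1001 - 2000
        idmap config * : backend = tdb
EOF
)
CFG_RFC=$(cat <<'EOF'
[global]
        winbind nss info = rfc2307
        idmap config * : range = 10000-20000
        idmap config AD: schema_mode = rfc2307
        idmap config AD: backend = ad
        idmap config AD: range = 1001 - 2000
        idmap config * : backend = tdb
EOF
)
CFG_TDB=$(cat <<'EOF'
[global]
        winbind nss info = rfc2307
        idmap config * : range = 10000 - 30000
        idmap config * : backend = tdb
EOF
)
CFG_ROWLAND=$(cat <<'EOF'
[global]
        winbind nss info = rfc2307
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config HOME : backend  = ad
        idmap config HOME : range = 10000-999999
        idmap config HOME:schema_mode = rfc2307
EOF
)

# 1001 is the uidNumber the thread's ldapsearch returned for 'mgr'.
for name in CFG_FIRST CFG_RFC CFG_TDB; do
    eval "sample=\$$name"
    echo "== $name (domain AD, uidNumber 1001)"
    lint_idmap "$sample" AD 1001 && echo "   no static misconfiguration found"
done
echo "== CFG_ROWLAND (domain HOME, uidNumber 1001)"
lint_idmap "$CFG_ROWLAND" HOME 1001 && echo "   no static misconfiguration found"
```

Against a live host the samples can be replaced by the parsed configuration, e.g. `lint_idmap "$(testparm -s 2>/dev/null)" AD 1001`. Run as written, the first sample reports the two missing rfc2307 settings, the tdb-only sample reports that uidNumber is ignored, and Rowland's sample with uidNumber 1001 reports that the id lies outside his HOME range, which is why copying his ranges verbatim would not map Lars's accounts.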