[Samba] Winbind does not read uidNumber
Rowland Penny
rowlandpenny at googlemail.com
Sun Jun 29 07:08:25 MDT 2014
On 29/06/14 13:48, steve wrote:
> On Sun, 2014-06-29 at 14:18 +0200, Lars Hanke wrote:
>> Argl, I hate transparent caching! After 'net cache flush' the entries
>> were gone altogether. Thanks for the hint Steve!
>>
>> So we have:
>>
>> root at samba4:/# wbinfo -u
>> mgr
>> administrator
>> dns-samba
>> krbtgt
>> guest
>> root at samba4:/# cat /etc/nsswitch.conf
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat
>> hosts: files dns
>> [...]
>>
>> We still have:
>> root at samba4:/# ldapsearch -LLL -D
>> "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)'
>> uid uidNumber gidNumber sAMAccountName name gecos
>> Enter LDAP Password:
>> dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
>> name: Lars LH. Hanke
>> sAMAccountName: mgr
>> uid: mgr
>> uidNumber: 1001
>> gidNumber: 1001
>> gecos: Dr. Lars Hanke
>>
>> But we lost the user entry:
>> root at samba4:/# getent passwd | grep -i mgr
>> root at samba4:/#
>>
>> I updated my smb.conf towards Rowland's sample:
>> [global]
>> workgroup = AD
>> realm = AD.MICROSULT.DE
>> security = ADS
>> restrict anonymous = 2
>> kerberos method = system keytab
>> os level = 0
>> local master = No
>> domain master = No
>> template shell = /bin/bash
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind nss info = rfc2307
>> winbind refresh tickets = Yes
>> winbind normalize names = Yes
>> idmap config * : range = 10000-20000
>> idmap config AD: schema_mode = rfc2307
>> idmap config AD: backend = ad
>> idmap config AD: range = 1001 - 2000
>> idmap config * : backend = tdb
>>
>> Since it had 'mgr' in the cache, it must have worked with the old
>> uid and gid settings for idmap. And yes, using the following smb.conf
>> (i.e. what testparm creates from it) the user re-appears and even has
>> proper gecos:
>>
>> [global]
>> workgroup = AD
>> realm = AD.MICROSULT.DE
>> security = ADS
>> restrict anonymous = 2
>> kerberos method = system keytab
>> os level = 0
>> local master = No
>> domain master = No
>> template shell = /bin/bash
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind nss info = rfc2307
>> winbind refresh tickets = Yes
>> winbind normalize names = Yes
>> idmap config * : range = 10000 - 30000
>> idmap config * : backend = tdb
>> root at samba4:/# getent passwd | grep -i mgr
>> mgr:*:10000:10000:Dr. Lars Hanke:/home/AD/mgr:/bin/bash
> This is because winbind has opened up another tdb to store the values.
> As you have not opted for AD this time, it fits them into the range you
> specified for *.
>
> We're assuming that Rowland's working smb.conf did not work for you.
>
> Can you tail the samba log on the dc (samba -i -d3) and have a look in
> real time what happens when you start winbind?
> HTH
> Steve
>
>> Am 29.06.2014 13:45, schrieb Rowland Penny:
>>> On 29/06/14 12:01, Lars Hanke wrote:
>>>> Well, seems like I hit every mudhole that could be on the way ...
>>>>
>>>> root at samba4:/# getent passwd | grep mgr
>>>> mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash
>>>> root at samba4:/# ldapsearch -LLL -D
>>>> "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)'
>>>> uid uidNumber gidNumber sAMAccountName name gecos
>>>> Enter LDAP Password:
>>>> dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
>>>> name: Lars LH. Hanke
>>>> sAMAccountName: mgr
>>>> uid: mgr
>>>> uidNumber: 1001
>>>> gidNumber: 1001
>>>> gecos: Dr. Lars Hanke
>>>>
>>>> root at samba4:/# grep mgr /etc/passwd
>>>> root at samba4:/#
>>>>
>>>> So although proper POSIX information is in the AD, and no local
>>>> information present, winbind rolls dice for POSIX attributes. The
>>>> situation seems similar to that of Rowland and Derek Werthmuller last
>>>> December. There finally, Rowland suggested to use sssd.
>>>>
>>>> My smb.conf:
>>>>
>>>> [global]
>>>> workgroup = AD
>>>> realm = AD.MICROSULT.DE
>>>> security = ADS
>>>> restrict anonymous = 2
>>>> kerberos method = system keytab
>>>> os level = 0
>>>> local master = No
>>>> domain master = No
>>>> template shell = /bin/bash
>>>> winbind enum users = Yes
>>>> winbind enum groups = Yes
>>>> winbind use default domain = Yes
>>>> idmap config * : range = 10000-20000
>>>> idmap config AD: backend = ad
>>>> idmap config AD: range = 1001 - 2000
>>>> idmap config * : backend = tdb
>>>>
>>>> Interestingly the behaviour is no different, if I simply put idmap uid
>>>> and idmap gid lines instead of the more detailed config.
>>>>
>>>> And, if you doubt that I'm querying the right LDAP:
>>>>
>>>> root at samba4:/# cat /etc/ldap/ldap.conf
>>>> BASE DC=ad,DC=microsult,DC=de
>>>> URI ldap://samba.ad.microsult.de:3268
>>>> TLS_CACERT /etc/certs/cacert.pem
>>>>
>>>> BTW: administrator does not map to 0 either!
>>>>
>>>> Moreover, I largely followed the Debian Wiki
>>>> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory. In
>>>> their setup uids get prefixed by %D+. Unsure which I like better, but
>>>> it's at least an observation.
>>>>
>>>> samba4 runs vanilla Debian Wheezy, i.e. samba 3.6.6. If this is a
>>>> _known_ issue with that version, I readily update to backports 4.1.7.
>>>> Otherwise, I have some reasons to explore the old version for a while.
>>>>
>>>> Thanks for your help,
>>>> - lars.
>>> Hi, this is a working samba 3.6 samba.conf:
>>>
>>> [global]
>>> workgroup = EXAMPLE
>>> realm = EXAMPLE.COM
>>> security = ADS
>>> client signing = yes
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> os level = 20
>>> local master = no
>>> domain master = no
>>> preferred master = no
>>> server string = Samba 3 Client %h
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind use default domain = yes
>>> winbind expand groups = 4
>>> winbind nss info = rfc2307
>>> winbind refresh tickets = Yes
>>> winbind normalize names = Yes
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000-9999
>>> idmap config HOME : backend = ad
>>> idmap config HOME : range = 10000-999999
>>> idmap config HOME:schema_mode = rfc2307
>>> printcap name = cups
>>> cups options = raw
>>> usershare allow guests = yes
>>> map to guest = bad user
>>> username map = /etc/samba/smbmap
>>>
>>> and there is at least one line in there that you do not have:
>>>
>>> winbind nss info = rfc2307
>>>
>>> Try adding at least that one line and then report back ;-)
>>>
>>> Rowland
>>>
>
I am losing track a bit here, can you refresh my memory, just what OS
are you using?
You need to have winbind installed, nss and pam need to know about
winbind, the users need to have a uidNumber that is inside the range
that is specified in smb.conf, the users' primary group also needs to have
a gidNumber and again this must be inside the range in smb.conf.
Somewhere, you are missing something, but what ?
Rowland
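As an added example (not from any post in this thread), the range condition Rowland lists can be checked offline: the script below parses an smb.conf fragment for the `idmap config DOMAIN : range` lines and compares a user's `uidNumber`/`gidNumber` from `ldapsearch -LLL` output against them. The smb.conf and LDAP output are constructed here and mirror the thread's `AD` layout; run against a real host you would feed it `testparm -s` and real `ldapsearch` output instead.

```shell
# Constructed smb.conf fragment (same idmap layout as the thread's 'AD' config).
SMB_CONF='[global]
   workgroup = AD
   idmap config * : range = 10000-20000
   idmap config AD: schema_mode = rfc2307
   idmap config AD: backend = ad
   idmap config AD: range = 1001 - 2000
   idmap config * : backend = tdb'

# Constructed "ldapsearch -LLL ... uidNumber gidNumber" output for one user.
LDAP_OUT='dn: CN=Example User,CN=Users,DC=ad,DC=example,DC=com
sAMAccountName: mgr
uidNumber: 1001
gidNumber: 1001'

# Print "low high" for DOMAIN's idmap range (DOMAIN may be '*' for the default).
idmap_range() {
    dom=$(printf '%s' "$1" | sed 's/[*]/[*]/g')   # make '*' literal in the regex
    printf '%s\n' "$SMB_CONF" | sed -n \
      "s/^[[:space:]]*idmap config[[:space:]]*$dom[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p"
}

# Print the first value of attribute $1 from the LDAP output.
ldap_attr() {
    printf '%s\n' "$LDAP_OUT" | sed -n "s/^$1: *//p" | head -n1
}

# Exit 0 if the user's ATTR lies inside DOMAIN's idmap range, 1 if outside,
# 2 if either value is missing (no range line, or attribute not set in AD).
in_idmap_range() {
    domain=$1; attr=$2
    value=$(ldap_attr "$attr"); range=$(idmap_range "$domain")
    [ -n "$value" ] && [ -n "$range" ] || return 2
    low=${range%% *}; high=${range##* }
    if [ "$value" -ge "$low" ] && [ "$value" -le "$high" ]; then
        echo "$attr=$value is inside idmap range $low-$high for '$domain'"
        return 0
    fi
    echo "$attr=$value is OUTSIDE idmap range $low-$high for '$domain': the ad backend will not map it"
    return 1
}

in_idmap_range AD uidNumber
in_idmap_range AD gidNumber
```

A uidNumber that falls only inside the `*` range, as in the tdb-only config that "worked" above, means the id was allocated by winbind rather than read from AD.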