[Samba] Winbind does not read uidNumber

Lars Hanke debian at lhanke.de
Sun Jun 29 08:09:51 MDT 2014


Hi Steve,

The smb.conf of the client (samba 3.6.6, Debian Wheezy):
[global]
         workgroup = AD
         realm = AD.MICROSULT.DE
         security = ADS
         restrict anonymous = 2
         local master = No
         domain master = No
         template shell = /bin/bash
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         winbind nss info = rfc2307
         winbind refresh tickets = Yes
         winbind normalize names = Yes
         idmap config * : range = 10000-20000
         idmap config AD: schema_mode = rfc2307
         idmap config AD: backend = ad
         idmap config AD: range = 1001 - 2000
         idmap config * : backend = tdb

> We're assuming that Rowland's working smb.conf did not work for you.

As far as I can tell it is identical concerning winbind except for using 
my names.

> Can you tail the samba log on the dc (samba -i -d3) and have a look in
> real time what happens when you start winbind?

This is logged on restarting winbind:

Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: AS-REQ SAMBA4$@AD.MICROSULT.DE from ipv4:172.16.6.242:36156 
for krbtgt/AD.MICROSULT.DE at AD.MICROSULT.DE
Kerberos: Client sent patypes: REQ-ENC-PA-REP
Kerberos: Looking for PK-INIT(ietf) pa-data -- SAMBA4$@AD.MICROSULT.DE
Kerberos: Looking for PK-INIT(win2k) pa-data -- SAMBA4$@AD.MICROSULT.DE
Kerberos: Looking for ENC-TS pa-data -- SAMBA4$@AD.MICROSULT.DE
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Kerberos: AS-REQ SAMBA4$@AD.MICROSULT.DE from ipv4:172.16.6.242:38801 
for krbtgt/AD.MICROSULT.DE at AD.MICROSULT.DE
Kerberos: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Kerberos: Looking for PK-INIT(ietf) pa-data -- SAMBA4$@AD.MICROSULT.DE
Kerberos: Looking for PK-INIT(win2k) pa-data -- SAMBA4$@AD.MICROSULT.DE
Kerberos: Looking for ENC-TS pa-data -- SAMBA4$@AD.MICROSULT.DE
Kerberos: ENC-TS Pre-authentication succeeded -- SAMBA4$@AD.MICROSULT.DE 
using arcfour-hmac-md5
Kerberos: ENC-TS pre-authentication succeeded -- SAMBA4$@AD.MICROSULT.DE
Kerberos: AS-REQ authtime: 2014-06-29T16:05:55 starttime: unset endtime: 
2014-06-30T02:05:55 renew till: 2014-06-30T16:05:55
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using 
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, proxiable, forwardable
Kerberos: TGS-REQ SAMBA4$@AD.MICROSULT.DE from ipv4:172.16.6.242:51790 
for cifs/samba.ad.microsult.de at AD.MICROSULT.DE [canonicalize, renewable, 
proxiable, forwardable]
Kerberos: TGS-REQ authtime: 2014-06-29T16:05:55 starttime: 
2014-06-29T16:05:55 endtime: 2014-06-30T02:05:55 renew till: 
2014-06-30T16:05:55
Kerberos: TGS-REQ SAMBA4$@AD.MICROSULT.DE from ipv4:172.16.6.242:59339 
for krbtgt/AD.MICROSULT.DE at AD.MICROSULT.DE [renewable, proxiable, 
forwarded, forwardable]
Kerberos: TGS-REQ authtime: 2014-06-29T16:05:55 starttime: 
2014-06-29T16:05:55 endtime: 2014-06-30T02:05:55 renew till: 
2014-06-30T16:05:55
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
schannel_store_session_key_tdb: stored schannel info with key 
SECRETS/SCHANNEL/SAMBA4
ldb_wrap open of secrets.ldb
schannel_fetch_session_key_tdb: restored schannel info key 
SECRETS/SCHANNEL/SAMBA4
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]

No idea what to expect, but it at least doesn't scream any failures into 
my face.

regards,
  - lars.

>> Am 29.06.2014 13:45, schrieb Rowland Penny:
>>> On 29/06/14 12:01, Lars Hanke wrote:
>>>> Well, seems like I hit every mudhole that could be on the way ...
>>>>
>>>> root at samba4:/# getent passwd | grep mgr
>>>> mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash
>>>> root at samba4:/# ldapsearch -LLL -D
>>>> "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)'
>>>> uid uidNumber gidNumber sAMAccountName name gecos
>>>> Enter LDAP Password:
>>>> dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
>>>> name: Lars LH. Hanke
>>>> sAMAccountName: mgr
>>>> uid: mgr
>>>> uidNumber: 1001
>>>> gidNumber: 1001
>>>> gecos: Dr. Lars Hanke
>>>>
>>>> root at samba4:/# grep mgr /etc/passwd
>>>> root at samba4:/#
>>>>
>>>> So although proper POSIX information is in the AD, and no local
>>>> information present, winbind rolls dice for POSIX attributes. The
>>>> situation seems similar to that of Rowland and Derek Werthmuller last
>>>> December. There finally, Rowland suggested to use sssd.
>>>>
>>>> My smb.conf:
>>>>
>>>> [global]
>>>>          workgroup = AD
>>>>          realm = AD.MICROSULT.DE
>>>>          security = ADS
>>>>          restrict anonymous = 2
>>>>          kerberos method = system keytab
>>>>          os level = 0
>>>>          local master = No
>>>>          domain master = No
>>>>          template shell = /bin/bash
>>>>          winbind enum users = Yes
>>>>          winbind enum groups = Yes
>>>>          winbind use default domain = Yes
>>>>          idmap config * : range = 10000-20000
>>>>          idmap config AD: backend = ad
>>>>          idmap config AD: range = 1001 - 2000
>>>>          idmap config * : backend = tdb
>>>>
>>>> Interestingly the behaviour is no different, if I simply put idmap uid
>>>> and idmap gid lines instead of the more detailed config.
>>>>
>>>> And, if you doubt that I'm querying the right LDAP:
>>>>
>>>> root at samba4:/# cat /etc/ldap/ldap.conf
>>>> BASE    DC=ad,DC=microsult,DC=de
>>>> URI     ldap://samba.ad.microsult.de:3268
>>>> TLS_CACERT      /etc/certs/cacert.pem
>>>>
>>>> BTW: administrator neither maps to 0!
>>>>
>>>> Moreover, I largely followed the Debian Wiki
>>>> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory. In
>>>> their setup uids get prefixed by %D+. Unsure which I like better, but
>>>> it's at least an observation.
>>>>
>>>> samba4 runs vanilla Debian Wheezy, i.e. samba 3.6.6. If this is a
>>>> _known_ issue with that version, I readily update to backports 4.1.7.
>>>> Otherwise, I have some reasons to explore the old version for a while.
>>>>
>>>> Thanks for your help,
>>>> - lars.
>>> Hi, this is a working samba 3.6 samba.conf:
>>>
>>> [global]
>>>           workgroup = EXAMPLE
>>>           realm = EXAMPLE.COM
>>>           security = ADS
>>>           client signing = yes
>>>           dedicated keytab file = /etc/krb5.keytab
>>>           kerberos method = secrets and keytab
>>>           os level = 20
>>>           local master = no
>>>           domain master = no
>>>           preferred master = no
>>>           server string = Samba 3 Client %h
>>>           winbind enum users = yes
>>>           winbind enum groups = yes
>>>           winbind use default domain = yes
>>>           winbind expand groups = 4
>>>           winbind nss info = rfc2307
>>>           winbind refresh tickets = Yes
>>>           winbind normalize names = Yes
>>>           idmap config * : backend = tdb
>>>           idmap config * : range = 2000-9999
>>>           idmap config HOME : backend  = ad
>>>           idmap config HOME : range = 10000-999999
>>>           idmap config HOME:schema_mode = rfc2307
>>>           printcap name = cups
>>>           cups options = raw
>>>           usershare allow guests = yes
>>>           map to guest = bad user
>>>           username map = /etc/samba/smbmap
>>>
>>> and there is at least one line in there that you do not have:
>>>
>>>           winbind nss info = rfc2307
>>>
>>> Try adding at least that one line and then report back ;-)
>>>
>>> Rowland
>>>
>>
>
>
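The thread turns on a single observation: `getent passwd` returns uid 10000 (the first id of the `idmap config * : range`, i.e. an allocation from the tdb backend) while `ldapsearch` shows `uidNumber: 1001` inside the `idmap config AD` range, so the `ad` backend is evidently not being consulted. The script below is an added example, not code from the thread or from Samba: it parses the idmap settings out of smb.conf text, checks the points raised in the thread (the `winbind nss info = rfc2307` line Rowland's working config has, an explicit `schema_mode` for the `ad` backend, non-overlapping ranges, a uidNumber that actually falls inside the AD range) and then reports which configured range the observed uid came from. The smb.conf, passwd line and LDIF embedded in it are constructed from the values quoted in the thread so it runs offline; it assumes the Samba 3.6 `idmap config DOM : option` key style and only reads `[global]`.

```python
"""Cross-check winbind's idmap settings against getent and ldapsearch output.

Added example for the thread above, not code from the thread or from Samba.
Inputs are constructed from values quoted in the thread so this runs offline.
"""
import re

# Constructed input: the client's smb.conf as posted, trimmed to the relevant lines.
SMB_CONF = """[global]
        workgroup = AD
        security = ADS
        winbind use default domain = Yes
        idmap config * : range = 10000-20000
        idmap config AD: backend = ad
        idmap config AD: range = 1001 - 2000
        idmap config * : backend = tdb
"""
# Constructed input: what 'getent passwd' and 'ldapsearch' showed for the same account.
PASSWD_LINE = "mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash"
LDIF = """dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
sAMAccountName: mgr
uidNumber: 1001
gidNumber: 1001
"""


def parse_global(conf):
    """[global] parameters as {key: value}; keys lower-cased, whitespace collapsed."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params


def idmap_domains(params):
    """Group 'idmap config DOM : option' parameters into {DOM: {option: value}}."""
    doms = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (.+?)\s*:\s*(\w+)", key)
        if m:
            doms.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return doms


def parse_range(text):
    """'1001 - 2000' or '10000-20000' -> (1001, 2000); None when malformed."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def ldif_attr(ldif, name):
    """First value of attribute `name` in an LDIF record, or None."""
    m = re.search(rf"^{re.escape(name)}:\s*(.+)$", ldif, re.MULTILINE)
    return m.group(1).strip() if m else None


def diagnose(conf=SMB_CONF, passwd_line=PASSWD_LINE, ldif=LDIF):
    """Report which idmap range the observed uid came from plus config findings."""
    params, findings = parse_global(conf), []
    doms = idmap_domains(params)
    ad_dom = params.get("workgroup", "").upper()

    # Rowland's working config carries this line; flag its absence.
    if params.get("winbind nss info", "").lower() != "rfc2307":
        findings.append("missing 'winbind nss info = rfc2307'")

    ranges = {}
    for dom, opts in doms.items():
        rng = parse_range(opts.get("range", ""))
        if rng is None:
            findings.append(f"domain {dom}: no usable idmap range")
            continue
        ranges[dom] = rng
        if opts.get("backend") == "ad" and "schema_mode" not in opts:
            findings.append(f"domain {dom}: backend ad without an explicit schema_mode")
    # Ranges of different idmap domains must not overlap.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (lo1, hi1), (lo2, hi2) = ranges[a], ranges[b]
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"idmap ranges of {a} and {b} overlap")

    observed_uid = int(passwd_line.split(":")[2])
    uid_attr = ldif_attr(ldif, "uidNumber")
    if uid_attr is None:
        raise ValueError("ldapsearch output has no uidNumber; RFC2307 attributes are not set")
    ad_uid = int(uid_attr)
    # The ad backend only maps ids inside its configured range; others are ignored.
    if ad_dom in ranges and not ranges[ad_dom][0] <= ad_uid <= ranges[ad_dom][1]:
        findings.append(f"AD uidNumber {ad_uid} lies outside the {ad_dom} idmap range")

    source = next((d for d, (lo, hi) in ranges.items() if lo <= observed_uid <= hi), None)
    backend = doms.get(source, {}).get("backend")
    if observed_uid != ad_uid:
        findings.append(f"getent uid {observed_uid} was allocated from the '{source}' range "
                        f"(backend {backend}) instead of AD uidNumber {ad_uid}")
    return {"observed_uid": observed_uid, "ad_uid": ad_uid,
            "source_domain": source, "source_backend": backend, "findings": findings}


if __name__ == "__main__":
    for finding in diagnose()["findings"]:
        print("-", finding)
```

Run against the thread's values it reports the missing `winbind nss info` line, the missing `schema_mode`, and that uid 10000 was handed out from the `*` tdb range rather than taken from AD. On a host with the real files, feed it `open("/etc/samba/smb.conf").read()`, the `getent passwd USER` line and the `ldapsearch -LLL ... uidNumber` output instead of the constructed constants.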


