[Samba] Winbind does not read uidNumber

steve steve at steve-ss.com
Sun Jun 29 08:24:36 MDT 2014


On Sun, 2014-06-29 at 16:09 +0200, Lars Hanke wrote:
> Hi Steve,
> 
> the smb.conf of the client (samba 3.6.6, Debian Wheezy):
> [global]
>          workgroup = AD
>          realm = AD.MICROSULT.DE
>          security = ADS
>          restrict anonymous = 2
>          local master = No
>          domain master = No
>          template shell = /bin/bash
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          winbind use default domain = Yes
>          winbind nss info = rfc2307
>          winbind refresh tickets = Yes
>          winbind normalize names = Yes
>          idmap config * : range = 10000-20000
>          idmap config AD: schema_mode = rfc2307
>          idmap config AD: backend = ad
>          idmap config AD: range = 1001 - 2000
>          idmap config * : backend = tdb
> 
> > We're assuming that Rowland's working smb.conf did not work for you.
> 
> As far as I can tell it is identical concerning winbind except for using 
> my names.
> 
> > Can you tail the samba log on the dc (samba -i -d3) and have a look in
> > real time what happens when you start winbind?
> 
> This is logged on restarting winbind:
> 
> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
> Kerberos: AS-REQ SAMBA4$@AD.MICROSULT.DE from ipv4:172.16.6.242:36156 
> for krbtgt/AD.MICROSULT.DE at AD.MICROSULT.DE
> Kerberos: Client sent patypes: REQ-ENC-PA-REP
> Kerberos: Looking for PK-INIT(ietf) pa-data -- SAMBA4$@AD.MICROSULT.DE
> Kerberos: Looking for PK-INIT(win2k) pa-data -- SAMBA4$@AD.MICROSULT.DE
> Kerberos: Looking for ENC-TS pa-data -- SAMBA4$@AD.MICROSULT.DE
> Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
> Kerberos: AS-REQ SAMBA4$@AD.MICROSULT.DE from ipv4:172.16.6.242:38801 
> for krbtgt/AD.MICROSULT.DE at AD.MICROSULT.DE
> Kerberos: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
> Kerberos: Looking for PK-INIT(ietf) pa-data -- SAMBA4$@AD.MICROSULT.DE
> Kerberos: Looking for PK-INIT(win2k) pa-data -- SAMBA4$@AD.MICROSULT.DE
> Kerberos: Looking for ENC-TS pa-data -- SAMBA4$@AD.MICROSULT.DE
> Kerberos: ENC-TS Pre-authentication succeeded -- SAMBA4$@AD.MICROSULT.DE 
> using arcfour-hmac-md5
> Kerberos: ENC-TS pre-authentication succeeded -- SAMBA4$@AD.MICROSULT.DE
> Kerberos: AS-REQ authtime: 2014-06-29T16:05:55 starttime: unset endtime: 
> 2014-06-30T02:05:55 renew till: 2014-06-30T16:05:55
> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, 
> aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using 
> arcfour-hmac-md5/arcfour-hmac-md5
> Kerberos: Requested flags: renewable-ok, proxiable, forwardable
> Kerberos: TGS-REQ SAMBA4$@AD.MICROSULT.DE from ipv4:172.16.6.242:51790 
> for cifs/samba.ad.microsult.de at AD.MICROSULT.DE [canonicalize, renewable, 
> proxiable, forwardable]
> Kerberos: TGS-REQ authtime: 2014-06-29T16:05:55 starttime: 
> 2014-06-29T16:05:55 endtime: 2014-06-30T02:05:55 renew till: 
> 2014-06-30T16:05:55
> Kerberos: TGS-REQ SAMBA4$@AD.MICROSULT.DE from ipv4:172.16.6.242:59339 
> for krbtgt/AD.MICROSULT.DE at AD.MICROSULT.DE [renewable, proxiable, 
> forwarded, forwardable]
> Kerberos: TGS-REQ authtime: 2014-06-29T16:05:55 starttime: 
> 2014-06-29T16:05:55 endtime: 2014-06-30T02:05:55 renew till: 
> 2014-06-30T16:05:55
> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
> schannel_store_session_key_tdb: stored schannel info with key 
> SECRETS/SCHANNEL/SAMBA4
> ldb_wrap open of secrets.ldb
> schannel_fetch_session_key_tdb: restored schannel info key 
> SECRETS/SCHANNEL/SAMBA4
> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
> 
> No idea what to expect, but it at least doesn't scream any failures into 
> my face.

No, that's fine. I thought that there may (have) be(en) something wrong
with the keytab. So, onto Rowland's check-list. In it he mentions the
gidNumber. That should be for Domain Users and you can use ldbedit to
add it. I'd suggest:
 gidNumber: 1999

We've gotta be really close now. . .
Steve
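As an added diagnostic example (not code from this thread or from Samba itself): a Python script that pulls the idmap ranges out of an smb.conf fragment mirroring the one quoted above and checks constructed rfc2307 entries against them, flagging the two things the check-list and the gidNumber suggestion point at: a uidNumber outside the AD range, and a primary group whose gidNumber is missing. The smb.conf fragment, user entries and group entries are constructed sample data.

```python
"""Check rfc2307 attributes against winbind idmap ranges (added example)."""
import re

# Constructed smb.conf fragment mirroring the quoted client configuration.
SMB_CONF = """
[global]
   winbind nss info = rfc2307
   idmap config * : range = 10000-20000
   idmap config AD: schema_mode = rfc2307
   idmap config AD: backend = ad
   idmap config AD: range = 1001 - 2000
   idmap config * : backend = tdb
"""

# Constructed entries as AD would return them (None = attribute not set).
USERS = [
    {"name": "lars",  "uidNumber": 1500, "gidNumber": 1999},
    {"name": "steve", "uidNumber": 3000, "gidNumber": 1999},  # outside AD range
    {"name": "bob",   "uidNumber": 1600, "gidNumber": None},  # no gidNumber
]
GROUPS = [{"name": "Domain Users", "gidNumber": 1999}]

_RANGE = re.compile(r"idmap config\s*([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = _RANGE.search(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def check_user(user, domain_range, group_gids):
    """List the reasons backend=ad would leave this user unmapped (empty = OK)."""
    low, high = domain_range
    problems = []
    uid, gid = user["uidNumber"], user["gidNumber"]
    if uid is None:
        problems.append("no uidNumber")
    elif not low <= uid <= high:
        problems.append(f"uidNumber {uid} outside {low}-{high}")
    if gid is None:
        problems.append("no gidNumber (primary group unmapped)")
    elif gid not in group_gids or not low <= gid <= high:
        problems.append(f"gidNumber {gid} matches no mappable group")
    return problems


def audit(conf=SMB_CONF, users=USERS, groups=GROUPS, domain="AD"):
    """Map each user name to its list of problems for the given domain."""
    rng = parse_idmap_ranges(conf)[domain]
    gids = {g["gidNumber"] for g in groups if g["gidNumber"] is not None}
    return {u["name"]: check_user(u, rng, gids) for u in users}
```

Run `audit()` against entries exported from the DC to see which accounts winbind will silently skip rather than map.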