[Samba] Winbind does not read uidNumber

Lars Hanke debian at lhanke.de
Mon Jun 30 01:07:03 MDT 2014


Am 29.06.2014 16:24, schrieb steve:
> On Sun, 2014-06-29 at 16:09 +0200, Lars Hanke wrote:
>> Hi Steve,
>>
>> the smb.conf of the client (samba 3.6.6, Debian Wheezy):
>> [global]
>>           workgroup = AD
>>           realm = AD.MICROSULT.DE
>>           security = ADS
>>           restrict anonymous = 2
>>           local master = No
>>           domain master = No
>>           template shell = /bin/bash
>>           winbind enum users = Yes
>>           winbind enum groups = Yes
>>           winbind use default domain = Yes
>>           winbind nss info = rfc2307
>>           winbind refresh tickets = Yes
>>           winbind normalize names = Yes
>>           idmap config * : range = 10000-20000
>>           idmap config AD: schema_mode = rfc2307
>>           idmap config AD: backend = ad
>>           idmap config AD: range = 1001 - 2000
>>           idmap config * : backend = tdb
>>
>>> We're assuming that Rowland's working smb.conf did not work for you.
>>
>> As far as I can tell it is identical concerning winbind except for using
>> my names.
>>
>>> Can you tail the samba log on the dc (samba -i -d3) and have a look in
>>> real time what happens when you start winbind?
>>
>> This is logged on restarting winbind:
>>
>> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
>> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
>> Kerberos: AS-REQ SAMBA4$@AD.MICROSULT.DE from ipv4:172.16.6.242:36156
>> for krbtgt/AD.MICROSULT.DE at AD.MICROSULT.DE
>> Kerberos: Client sent patypes: REQ-ENC-PA-REP
>> Kerberos: Looking for PK-INIT(ietf) pa-data -- SAMBA4$@AD.MICROSULT.DE
>> Kerberos: Looking for PK-INIT(win2k) pa-data -- SAMBA4$@AD.MICROSULT.DE
>> Kerberos: Looking for ENC-TS pa-data -- SAMBA4$@AD.MICROSULT.DE
>> Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
>> Kerberos: AS-REQ SAMBA4$@AD.MICROSULT.DE from ipv4:172.16.6.242:38801
>> for krbtgt/AD.MICROSULT.DE at AD.MICROSULT.DE
>> Kerberos: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
>> Kerberos: Looking for PK-INIT(ietf) pa-data -- SAMBA4$@AD.MICROSULT.DE
>> Kerberos: Looking for PK-INIT(win2k) pa-data -- SAMBA4$@AD.MICROSULT.DE
>> Kerberos: Looking for ENC-TS pa-data -- SAMBA4$@AD.MICROSULT.DE
>> Kerberos: ENC-TS Pre-authentication succeeded -- SAMBA4$@AD.MICROSULT.DE
>> using arcfour-hmac-md5
>> Kerberos: ENC-TS pre-authentication succeeded -- SAMBA4$@AD.MICROSULT.DE
>> Kerberos: AS-REQ authtime: 2014-06-29T16:05:55 starttime: unset endtime:
>> 2014-06-30T02:05:55 renew till: 2014-06-30T16:05:55
>> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
>> aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
>> arcfour-hmac-md5/arcfour-hmac-md5
>> Kerberos: Requested flags: renewable-ok, proxiable, forwardable
>> Kerberos: TGS-REQ SAMBA4$@AD.MICROSULT.DE from ipv4:172.16.6.242:51790
>> for cifs/samba.ad.microsult.de at AD.MICROSULT.DE [canonicalize, renewable,
>> proxiable, forwardable]
>> Kerberos: TGS-REQ authtime: 2014-06-29T16:05:55 starttime:
>> 2014-06-29T16:05:55 endtime: 2014-06-30T02:05:55 renew till:
>> 2014-06-30T16:05:55
>> Kerberos: TGS-REQ SAMBA4$@AD.MICROSULT.DE from ipv4:172.16.6.242:59339
>> for krbtgt/AD.MICROSULT.DE at AD.MICROSULT.DE [renewable, proxiable,
>> forwarded, forwardable]
>> Kerberos: TGS-REQ authtime: 2014-06-29T16:05:55 starttime:
>> 2014-06-29T16:05:55 endtime: 2014-06-30T02:05:55 renew till:
>> 2014-06-30T16:05:55
>> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
>> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
>> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
>> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
>> schannel_store_session_key_tdb: stored schannel info with key
>> SECRETS/SCHANNEL/SAMBA4
>> ldb_wrap open of secrets.ldb
>> schannel_fetch_session_key_tdb: restored schannel info key
>> SECRETS/SCHANNEL/SAMBA4
>> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
>> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
>>
>> No idea what to expect, but it at least doesn't scream any failures into
>> my face.
>
> No, that's fine. I thought that there may (have) be(en) something wrong
> with the keytab. So, onto Rowland's check-list. In it he mentions the
> gidNumber. That should be for Domain Users and you can use ldbedit to
> add it. I'd suggest:
>   gidNumber: 1999

Did that. Checked with ldapsearch on the client that it took effect.
Restarted samba and winbind on the client, cleared the caches, but still
no difference.

BTW: Where is the gid range for winbind defined?

Regards,
  - lars.
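As an added example, not code from the thread: a small Python check that parses the idmap ranges from the smb.conf quoted above and reports whether a given uidNumber/gidNumber is one that the ad backend will actually honour. The idmap_ad range acts as a filter (values stored in AD outside it are ignored, and the same range covers both uid and gid), and an overlap with the default range is treated here as a misconfiguration; the numbers checked in the test are constructed.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in the thread.
SMB_CONF = """
[global]
        idmap config * : range = 10000-20000
        idmap config AD: schema_mode = rfc2307
        idmap config AD: backend = ad
        idmap config AD: range = 1001 - 2000
        idmap config * : backend = tdb
"""

# Matches 'idmap config <domain> : <key> = <value>'; spacing around ':' varies.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.I)

def parse_idmap(conf):
    """Return {DOMAIN: {key: value}} for every 'idmap config' line in conf."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return cfg

def parse_range(text):
    """'1001 - 2000' or '1001-2000' -> (1001, 2000); one range serves uid and gid."""
    lo, hi = (int(x) for x in re.split(r"\s*-\s*", text.strip()))
    if lo > hi:
        raise ValueError(f"bad idmap range {text!r}")
    return lo, hi

def check_id(cfg, domain, value):
    """Tell whether idmap_ad will honour an rfc2307 uidNumber/gidNumber.
    The domain range is a filter: a value outside it is ignored, so the
    account ends up with no Unix ID at all. Returns (ok, reason)."""
    dom = cfg.get(domain.upper(), {})
    if dom.get("backend", "").lower() != "ad":
        return False, f"{domain}: backend is not 'ad', AD attributes are never read"
    lo, hi = parse_range(dom["range"])
    dlo, dhi = parse_range(cfg["*"]["range"])
    if lo <= dhi and dlo <= hi:  # overlapping ranges are a configuration error
        return False, f"{domain} range {lo}-{hi} overlaps default range {dlo}-{dhi}"
    if lo <= value <= hi:
        return True, f"{value} is inside {lo}-{hi}: winbind will use it"
    return False, f"{value} is outside {lo}-{hi}: winbind ignores it"
```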


