[Samba] Winbind does not read uidNumber

Rowland Penny rowlandpenny at googlemail.com
Mon Jun 30 01:47:43 MDT 2014


On 30/06/14 08:07, Lars Hanke wrote:
> Am 29.06.2014 16:24, schrieb steve:
>> On Sun, 2014-06-29 at 16:09 +0200, Lars Hanke wrote:
>>> Hi Steve,
>>>
>>> the smb.conf of the client (samba 3.6.6, Debian Wheezy):
>>> [global]
>>>           workgroup = AD
>>>           realm = AD.MICROSULT.DE
>>>           security = ADS
>>>           restrict anonymous = 2
>>>           local master = No
>>>           domain master = No
>>>           template shell = /bin/bash
>>>           winbind enum users = Yes
>>>           winbind enum groups = Yes
>>>           winbind use default domain = Yes
>>>           winbind nss info = rfc2307
>>>           winbind refresh tickets = Yes
>>>           winbind normalize names = Yes
>>>           idmap config * : range = 10000-20000
>>>           idmap config AD: schema_mode = rfc2307
>>>           idmap config AD: backend = ad
>>>           idmap config AD: range = 1001 - 2000
>>>           idmap config * : backend = tdb
>>>
>>>> We're assuming that Rowland's working smb.conf did not work for you.
>>>
>>> As far as I can tell it is identical concerning winbind except for 
>>> using
>>> my names.
>>>
>>>> Can you tail the samba log on the dc (samba -i -d3) and have a look in
>>>> real time what happens when you start winbind?
>>>
>>> This is logged on restarting winbind:
>>>
>>> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
>>> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
>>> Kerberos: AS-REQ SAMBA4$@AD.MICROSULT.DE from ipv4:172.16.6.242:36156
>>> for krbtgt/AD.MICROSULT.DE at AD.MICROSULT.DE
>>> Kerberos: Client sent patypes: REQ-ENC-PA-REP
>>> Kerberos: Looking for PK-INIT(ietf) pa-data -- SAMBA4$@AD.MICROSULT.DE
>>> Kerberos: Looking for PK-INIT(win2k) pa-data -- SAMBA4$@AD.MICROSULT.DE
>>> Kerberos: Looking for ENC-TS pa-data -- SAMBA4$@AD.MICROSULT.DE
>>> Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
>>> Kerberos: AS-REQ SAMBA4$@AD.MICROSULT.DE from ipv4:172.16.6.242:38801
>>> for krbtgt/AD.MICROSULT.DE at AD.MICROSULT.DE
>>> Kerberos: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
>>> Kerberos: Looking for PK-INIT(ietf) pa-data -- SAMBA4$@AD.MICROSULT.DE
>>> Kerberos: Looking for PK-INIT(win2k) pa-data -- SAMBA4$@AD.MICROSULT.DE
>>> Kerberos: Looking for ENC-TS pa-data -- SAMBA4$@AD.MICROSULT.DE
>>> Kerberos: ENC-TS Pre-authentication succeeded -- 
>>> SAMBA4$@AD.MICROSULT.DE
>>> using arcfour-hmac-md5
>>> Kerberos: ENC-TS pre-authentication succeeded -- 
>>> SAMBA4$@AD.MICROSULT.DE
>>> Kerberos: AS-REQ authtime: 2014-06-29T16:05:55 starttime: unset 
>>> endtime:
>>> 2014-06-30T02:05:55 renew till: 2014-06-30T16:05:55
>>> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
>>> aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
>>> arcfour-hmac-md5/arcfour-hmac-md5
>>> Kerberos: Requested flags: renewable-ok, proxiable, forwardable
>>> Kerberos: TGS-REQ SAMBA4$@AD.MICROSULT.DE from ipv4:172.16.6.242:51790
>>> for cifs/samba.ad.microsult.de at AD.MICROSULT.DE [canonicalize, 
>>> renewable,
>>> proxiable, forwardable]
>>> Kerberos: TGS-REQ authtime: 2014-06-29T16:05:55 starttime:
>>> 2014-06-29T16:05:55 endtime: 2014-06-30T02:05:55 renew till:
>>> 2014-06-30T16:05:55
>>> Kerberos: TGS-REQ SAMBA4$@AD.MICROSULT.DE from ipv4:172.16.6.242:59339
>>> for krbtgt/AD.MICROSULT.DE at AD.MICROSULT.DE [renewable, proxiable,
>>> forwarded, forwardable]
>>> Kerberos: TGS-REQ authtime: 2014-06-29T16:05:55 starttime:
>>> 2014-06-29T16:05:55 endtime: 2014-06-30T02:05:55 renew till:
>>> 2014-06-30T16:05:55
>>> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
>>> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
>>> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
>>> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
>>> schannel_store_session_key_tdb: stored schannel info with key
>>> SECRETS/SCHANNEL/SAMBA4
>>> ldb_wrap open of secrets.ldb
>>> schannel_fetch_session_key_tdb: restored schannel info key
>>> SECRETS/SCHANNEL/SAMBA4
>>> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
>>> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
>>>
>>> No idea what to expect, but it at least doesn't scream any failures 
>>> into
>>> my face.
>>
>> No, that's fine. I thought that there may (have) be(en) something wrong
>> with the keytab. So, onto Rowland's check-list. In it he mentions the
>> gidNumber. That should be for Domain Users and you can use ldbedit to
>> add it. I'd suggest:
>>   gidNumber: 1999
>
> Did that. Checked with ldapsearch on the client that it took effect. 
> Restarted samba and winbind on the client, cleared the caches, but 
> still no difference.

I still think that this is likely to be a PAM problem, can you try 
running 'pam-auth-update' on the wheezy client and then report back on 
just what PAM is using?

>
> BTW: Where is the gid range for winbind defined?
>

Same place as the uid range ;-)

Rowland

> Regards,
>  - lars.
>
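As an added illustration (not code from the thread or from the Samba project), here is a Python check that parses the idmap settings from a client smb.conf like the one quoted above and reports which RFC2307 entries winbind's ad backend would leave unmapped: a uidNumber or gidNumber outside `idmap config AD: range`, a primary group with no gidNumber at all, or a default `*` range overlapping the domain range. The smb.conf fragment and the directory entries are constructed to mirror the thread.

```python
import re

# Constructed smb.conf fragment mirroring the idmap settings quoted in the thread.
SMB_CONF = """
[global]
    winbind nss info = rfc2307
    idmap config * : range = 10000-20000
    idmap config AD: schema_mode = rfc2307
    idmap config AD: backend = ad
    idmap config AD: range = 1001 - 2000
    idmap config * : backend = tdb
"""

# Constructed entries standing in for what ldapsearch would return for each user
# (uidNumber of the user, gidNumber of its primary group, e.g. Domain Users).
ENTRIES = [
    {"name": "lars", "uidNumber": 1500, "gidNumber": 1999},   # both inside the range
    {"name": "old", "uidNumber": 3000, "gidNumber": 1999},    # uidNumber outside range
    {"name": "nogid", "uidNumber": 1200, "gidNumber": None},  # primary group unmapped
]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)

def parse_idmap(conf):
    """Return {domain: {key: value}} for every 'idmap config' line in smb.conf."""
    domains = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        domains.setdefault(dom.upper(), {})[key] = val
    return domains

def parse_range(text):
    """'1001 - 2000' -> (1001, 2000); spaces around the dash are tolerated."""
    lo, hi = (int(x) for x in re.split(r"\s*-\s*", text.strip()))
    return lo, hi

def check_entry(entry, lo, hi):
    """Return why the ad backend would skip this entry, or None if it maps cleanly."""
    if entry["gidNumber"] is None:
        return "primary group has no gidNumber"
    for attr in ("uidNumber", "gidNumber"):
        if not lo <= entry[attr] <= hi:
            return f"{attr} {entry[attr]} outside idmap range {lo}-{hi}"
    return None

def audit(conf, entries):
    """Map each problematic name to its reason; the default range is checked as '*'."""
    idmap = parse_idmap(conf)
    lo, hi = parse_range(idmap["AD"]["range"])
    dlo, dhi = parse_range(idmap["*"]["range"])
    problems = {}
    if lo <= dhi and dlo <= hi:  # default and domain ranges must not overlap
        problems["*"] = "default range overlaps AD range"
    for e in entries:
        why = check_entry(e, lo, hi)
        if why:
            problems[e["name"]] = why
    return problems
```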


