[Samba] AD DC, winbind and Domain Local type groups

Davor Vusir davortvusir at gmail.com
Thu Mar 27 13:23:06 MDT 2014


Here we go again! :)

Setup: Ubuntu 12.04.4, Samba 4.1.6 compiled from sources running as AD 
DC, winbind activated following the wiki page. All on the same server.

smb.conf:
[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        netbios name = DC1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

        log level = 1
        disable spoolss = yes

        winbind use default domain = yes
        winbind separator = +
        template shell = /bin/bash
        template homedir = /data/home/%ACCOUNTNAME%

The story is: I activated winbind to get the possibility to log in with 
ssh and later add Linux and Macintosh clients to the Active Directory as 
members. There is no problem logging in, but at first I experienced the 
following:

$ ssh -Y davor@dc1
davor@odc1's password:
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.2.0-60-generic x86_64)

Could not chdir to home directory /data/home/davor: Permission denied
-bash: /data/home/davor/.bash_profile: Permission denied
EXAMPLE+davor@dc1:/$

when it came to me that, as I logged in and authenticated to AD, and the 
file permissions are stored as extended attributes (the only ones I have 
edited), it had something to do with this particular group. Digging 
some more I realised that the access group for the home share has 
scope Domain Local and is not enumerated by winbind (getent group). 
This access group 'FileAcc-Home' was created with ADUC, so I first 
thought that was creating this problem. So I deleted it and 
recreated it with samba-tool, not paying attention to the fact that it 
was created with scope Global (the default in MS AD DS). And it worked:

$ ssh -Y davor@dc1
davor@dc1's password:
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.2.0-60-generic x86_64)

EXAMPLE+davor@dc1:~$ pwd
/data/home/davor

The following group was originally of group type Domain Local and was 
not shown when issuing 'getent group'. As soon as it was converted to a 
group with scope Universal it got xidNumber 4000000. When converted to 
the Global type the xidNumber remained. All other groups have numbers 
from the 3000000 interval. Is there a potential conflict in the future 
as groups are added and removed?
EXAMPLE+FileAcc-Common:*:4000000:

Below are some tests. My conclusion is that groups of scope Domain Local 
are not found and enumerated by winbind. Nor is any group of type Distribution.

This will be a problem in an environment with trusts or when just following 
Microsoft's recommendation AGDLP ("account, global, domain local, 
permission"). See http://en.wikipedia.org/wiki/AGDLP for a quick 
explanation.

Regards
Davor Vusir

---

/usr/local/samba/bin/samba-tool group add SambaTool-DL-Sec --group-scope=Domain|Global|Universal --group-type=Security|Distribution

root@dc1:~# /usr/local/samba/bin/samba-tool group add SambaTool-DL-Sec --group-scope=Domain --group-type=Security
Added group SambaTool-DL-Sec
getent group shows nothing.
root@dc1:~# /usr/local/samba/bin/wbinfo -n SambaTool-DL-Sec
S-1-5-21-3390367671-3527586854-3401016232-1128 SID_ALIAS (4)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1128
no matching records - cannot edit
Shows in ADUC.

root@dc1:~# /usr/local/samba/bin/samba-tool group add SambaTool-GG-Sec --group-scope=Global --group-type=Security
Added group SambaTool-GG-Sec
root@dc1:~# getent group
EXAMPLE+SambaTool-GG-Sec:*:3000056:
root@dc1:~# /usr/local/samba/bin/wbinfo -n SambaTool-GG-Sec
S-1-5-21-3390367671-3527586854-3401016232-1129 SID_DOM_GROUP (2)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1129
# editing 1 records
# record 1
dn: CN=S-1-5-21-3390367671-3527586854-3401016232-1129
cn: S-1-5-21-3390367671-3527586854-3401016232-1129
objectClass: sidMap
objectSid: S-1-5-21-3390367671-3527586854-3401016232-1129
type: ID_TYPE_BOTH
xidNumber: 3000056
distinguishedName: CN=S-1-5-21-3390367671-3527586854-3401016232-1129
Shows in ADUC.

root@dc1:~# /usr/local/samba/bin/samba-tool group add SambaTool-UG-Sec --group-scope=Universal --group-type=Security
Added group SambaTool-UG-Sec
root@dc1:~# getent group
EXAMPLE+SambaTool-UG-Sec:*:3000057:
root@dc1:~# /usr/local/samba/bin/wbinfo -n SambaTool-UG-Sec
S-1-5-21-3390367671-3527586854-3401016232-1130 SID_DOM_GROUP (2)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1130
# editing 1 records
# record 1
dn: CN=S-1-5-21-3390367671-3527586854-3401016232-1130
cn: S-1-5-21-3390367671-3527586854-3401016232-1130
objectClass: sidMap
objectSid: S-1-5-21-3390367671-3527586854-3401016232-1130
type: ID_TYPE_BOTH
xidNumber: 3000057
distinguishedName: CN=S-1-5-21-3390367671-3527586854-3401016232-1130
Shows in ADUC.

root@dc1:~# /usr/local/samba/bin/samba-tool group add SambaTool-DL-Distr --group-scope=Domain --group-type=Distribution
Added group SambaTool-DL-Distr
getent group shows nothing.
root@dc1:~# /usr/local/samba/bin/wbinfo -n SambaTool-DL-Distr
S-1-5-21-3390367671-3527586854-3401016232-1131 SID_ALIAS (4)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1131
no matching records - cannot edit
Shows in ADUC.

root@dc1:~# /usr/local/samba/bin/samba-tool group add SambaTool-GG-Distr --group-scope=Global --group-type=Distribution
Added group SambaTool-GG-Distr
getent group shows nothing.
root@dc1:~# /usr/local/samba/bin/wbinfo -n SambaTool-GG-Distr
S-1-5-21-3390367671-3527586854-3401016232-1132 SID_DOM_GROUP (2)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1132
no matching records - cannot edit
Shows in ADUC.

root@dc1:~# /usr/local/samba/bin/samba-tool group add SambaTool-UG-Distr --group-scope=Universal --group-type=Distribution
Added group SambaTool-UG-Distr
getent group shows nothing.
root@dc1:~# /usr/local/samba/bin/wbinfo -n SambaTool-UG-Distr
S-1-5-21-3390367671-3527586854-3401016232-1133 SID_DOM_GROUP (2)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1133
no matching records - cannot edit
Shows in ADUC.

With ADUC:
ADUC-DL-Sec
getent group shows nothing.
root@dc1:~# /usr/local/samba/bin/wbinfo -n ADUC-DL-Sec
S-1-5-21-3390367671-3527586854-3401016232-1134 SID_ALIAS (4)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1134
no matching records - cannot edit

ADUC-GG-Sec
root@dc1:~# getent group
EXAMPLE+ADUC-GG-Sec:*:3000058:
root@dc1:~# /usr/local/samba/bin/wbinfo -n ADUC-GG-Sec
S-1-5-21-3390367671-3527586854-3401016232-1135 SID_DOM_GROUP (2)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1135
# editing 1 records
# record 1
dn: CN=S-1-5-21-3390367671-3527586854-3401016232-1135
cn: S-1-5-21-3390367671-3527586854-3401016232-1135
objectClass: sidMap
objectSid: S-1-5-21-3390367671-3527586854-3401016232-1135
type: ID_TYPE_BOTH
xidNumber: 3000058
distinguishedName: CN=S-1-5-21-3390367671-3527586854-3401016232-1135

ADUC-UG-Sec
root@dc1:~# getent group
EXAMPLE+ADUC-UG-Sec:*:3000059:
root@dc1:~# /usr/local/samba/bin/wbinfo -n ADUC-UG-Sec
S-1-5-21-3390367671-3527586854-3401016232-1136 SID_DOM_GROUP (2)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1136
# editing 1 records
# record 1
dn: CN=S-1-5-21-3390367671-3527586854-3401016232-1136
cn: S-1-5-21-3390367671-3527586854-3401016232-1136
objectClass: sidMap
objectSid: S-1-5-21-3390367671-3527586854-3401016232-1136
type: ID_TYPE_BOTH
xidNumber: 3000059
distinguishedName: CN=S-1-5-21-3390367671-3527586854-3401016232-1136

ADUC-DL-Distr
getent group shows nothing.
root@dc1:~# /usr/local/samba/bin/wbinfo -n ADUC-DL-Distr
S-1-5-21-3390367671-3527586854-3401016232-1137 SID_ALIAS (4)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1137
no matching records - cannot edit

ADUC-GG-Distr
getent group shows nothing.
root@dc1:~# /usr/local/samba/bin/wbinfo -n ADUC-GG-Distr
S-1-5-21-3390367671-3527586854-3401016232-1138 SID_DOM_GROUP (2)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1138
no matching records - cannot edit

ADUC-UG-Distr
getent group shows nothing.
root@dc1:~# /usr/local/samba/bin/wbinfo -n ADUC-UG-Distr
S-1-5-21-3390367671-3527586854-3401016232-1139 SID_DOM_GROUP (2)
root@dc1:~# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-3390367671-3527586854-3401016232-1139
no matching records - cannot edit
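The tests above cross-check three sources by hand: `wbinfo -n` (SID and SID type), `getent group` (whether NSS got a GID) and the sidMap records in idmap.ldb (the xidNumber that was allocated). The script below is an added example, not code from this post or from Samba, that automates that cross-check over captured text: it flags groups that resolve to a SID but have no GID anywhere (the Domain Local / SID_ALIAS and Distribution cases seen above), xidNumbers handed to more than one SID (the collision the post asks about for 4000000), and xidNumbers outside an allocation window. It assumes the `wbinfo -n` lines were collected as `NAME<TAB>output` by a small wrapper loop, that the idmap dump is plain LDIF such as `ldbsearch` prints, and that the window bounds 3000000 and 4000000 are what the DC uses (on a real DC read lowerBound and upperBound from the CN=CONFIG record in idmap.ldb). The sample inputs are constructed from the SIDs and GIDs in the post; RIDs 1140 and 1141 are invented to model two groups that both received xidNumber 4000000.

```python
"""Audit Unix GID mappings for AD groups on a Samba AD DC.

Added example, not code from the post or from Samba: parses the text printed by
`wbinfo -n NAME`, `getent group` and an LDIF dump of idmap.ldb, then reports
groups that resolve to a SID but got no Unix GID (the Domain Local / SID_ALIAS
and Distribution cases), xidNumbers shared by several SIDs, and xidNumbers
outside the allocation window (bounds are assumed; on a real DC read lowerBound
and upperBound from the CN=CONFIG record in idmap.ldb).
"""
import re
from collections import defaultdict

DOMAIN_SID = "S-1-5-21-3390367671-3527586854-3401016232"  # domain SID seen in the post

# Constructed sample: "NAME<TAB>output of `wbinfo -n NAME`", one group per line.
WBINFO_OUT = "\n".join([
    f"SambaTool-DL-Sec\t{DOMAIN_SID}-1128 SID_ALIAS (4)",
    f"SambaTool-GG-Sec\t{DOMAIN_SID}-1129 SID_DOM_GROUP (2)",
    f"SambaTool-UG-Sec\t{DOMAIN_SID}-1130 SID_DOM_GROUP (2)",
    f"SambaTool-GG-Distr\t{DOMAIN_SID}-1132 SID_DOM_GROUP (2)",
])

# Constructed sample of `getent group` output with `winbind separator = +`.
GETENT_OUT = ("EXAMPLE+SambaTool-GG-Sec:*:3000056:\n"
              "EXAMPLE+SambaTool-UG-Sec:*:3000057:\n"
              "EXAMPLE+FileAcc-Common:*:4000000:\n")

def _sidmap(rid, xid):
    """Build one constructed sidMap record in LDIF form."""
    return (f"dn: CN={DOMAIN_SID}-{rid}\nobjectClass: sidMap\n"
            f"objectSid: {DOMAIN_SID}-{rid}\ntype: ID_TYPE_BOTH\nxidNumber: {xid}\n")

# Constructed idmap.ldb dump; RIDs 1140/1141 are invented to model two groups
# that were both handed xidNumber 4000000.
IDMAP_LDIF = "# record dump\n" + "\n".join(
    _sidmap(*p) for p in [(1129, 3000056), (1130, 3000057), (1140, 4000000), (1141, 4000000)])

def parse_ldif(text):
    """Split LDIF text into records of {attribute: [values]}; '#' lines are comments."""
    records, cur = [], defaultdict(list)
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                records.append(dict(cur))
                cur = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip()].append(value.strip())
    if cur:
        records.append(dict(cur))
    return records

WBINFO_RE = re.compile(r"^(?P<name>[^\t]+)\t(?P<sid>S-1-5-[\d-]+) (?P<type>SID_\w+) \((?P<num>\d+)\)$")

def parse_wbinfo(text):
    """Map group name -> (SID, SID type name) from collected `wbinfo -n` lines."""
    hits = (WBINFO_RE.match(line) for line in text.splitlines())
    return {m["name"]: (m["sid"], m["type"]) for m in hits if m}

def parse_getent(text, separator="+"):
    """Map group name (domain prefix stripped) -> GID from `getent group` lines."""
    gids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            gids[fields[0].split(separator, 1)[-1]] = int(fields[2])
    return gids

def audit(wbinfo_text, getent_text, idmap_ldif, lower=3000000, upper=4000000):
    """Cross-check the three sources; see the module docstring for the report keys."""
    sids, gids = parse_wbinfo(wbinfo_text), parse_getent(getent_text)
    mapped = {r["objectSid"][0]: int(r["xidNumber"][0])
              for r in parse_ldif(idmap_ldif) if "sidMap" in r.get("objectClass", [])}
    report = {"alias_groups": [], "no_gid": [], "duplicates": {}, "out_of_range": []}
    for name, (sid, stype) in sorted(sids.items()):
        if stype == "SID_ALIAS":                    # Domain Local groups resolve as aliases
            report["alias_groups"].append(name)
        if name not in gids and sid not in mapped:  # no NSS entry and no idmap record
            report["no_gid"].append(name)
    by_xid = defaultdict(list)
    for sid, xid in mapped.items():
        by_xid[xid].append(sid)
        if not lower <= xid < upper:
            report["out_of_range"].append((sid, xid))
    report["duplicates"] = {x: sorted(s) for x, s in by_xid.items() if len(s) > 1}
    return report

if __name__ == "__main__":
    for key, value in audit(WBINFO_OUT, GETENT_OUT, IDMAP_LDIF).items():
        print(f"{key}: {value}")
```

On a real DC the inputs can be captured with a loop such as `for g in $(samba-tool group list); do printf '%s\t%s\n' "$g" "$(wbinfo -n "$g")"; done`, plain `getent group`, and `ldbsearch -H /usr/local/samba/private/idmap.ldb objectClass=sidMap`; any group that ends up in `no_gid` will be unusable in file ACLs and in the sshd/PAM group membership that the home-directory failure at the top of this post depends on, and a non-empty `duplicates` entry means two SIDs share one Unix GID, which is exactly the permission ambiguity the 4000000 value raises.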
