[Samba] winbind on server have different UIDs on each Member Server

Rowland Penny rowlandpenny at googlemail.com
Fri May 23 08:44:55 MDT 2014


On 23/05/14 15:12, William Antonin wrote:
> thank you for your reactivity.
> it's good, I changed my smb.conf, I use the ad backend and I put a large 
> range and it's ok
> but I can't see the same gecos and shell on server and clients.

I take it you mean that you altered the smb.conf on the clients and 
added uidNumber & gidNumber attributes to your users and groups in AD, 
but now when you run 'getent passwd <username>' on the samba4 server, 
you get something similar to this:

DOMAIN\testuser:*:10000:10000:Test User:/home/DOMAIN/testuser:/bin/false

and if you run the same command on the client, you get something similar 
to this:

testuser:*:10000:10000::/home/DOMAIN/testuser:/bin/bash

OK, first the Server, to change '/bin/false' to '/bin/bash', add 
'template shell = /bin/bash' to smb.conf, you can also change the user's 
home directory by adding 'template homedir', for this see 'man smb.conf'

On the client, it is a bit different, you need to add the following 
attributes to each user in AD:

loginShell          Containing the shell to use, i.e. '/bin/bash'
unixHomeDirectory   Containing the path to the user's home dir, i.e. '/home/DOMAIN/testuser'
gecos               Containing the user's full name, i.e. 'Test User'

Hope this helps

Rowland
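
The check described in the reply above, as an added example that is not part of the original message: it takes one passwd-format line from the server and one from the client and names the fields that differ, which matters because a uid/gid mismatch makes the same file ownership resolve to different accounts on different hosts. The function name `compare_passwd_lines` is hypothetical; the sample lines are the ones quoted in the message.

```shell
#!/bin/sh
# Added example, not from the thread: name the passwd(5) fields that differ
# between the entry winbind returns on the DC and the one on a client.

# Usage: compare_passwd_lines SERVER_LINE CLIENT_LINE
# Prints the differing field names separated by spaces (nothing if identical).
compare_passwd_lines() {
    # IFS=: keeps empty fields (such as a missing gecos); -r keeps the
    # backslash in DOMAIN\user.
    IFS=: read -r s_name s_pw s_uid s_gid s_gecos s_home s_shell <<EOF
$1
EOF
    IFS=: read -r c_name c_pw c_uid c_gid c_gecos c_home c_shell <<EOF
$2
EOF
    # With 'winbind use default domain = Yes' the DOMAIN\ prefix is dropped,
    # so compare the bare account name.
    s_name=${s_name##*\\}
    c_name=${c_name##*\\}

    diffs=
    [ "$s_name" = "$c_name" ]   || diffs="$diffs name"
    [ "$s_uid" = "$c_uid" ]     || diffs="$diffs uid"
    [ "$s_gid" = "$c_gid" ]     || diffs="$diffs gid"
    [ "$s_gecos" = "$c_gecos" ] || diffs="$diffs gecos"
    [ "$s_home" = "$c_home" ]   || diffs="$diffs home"
    [ "$s_shell" = "$c_shell" ] || diffs="$diffs shell"
    printf '%s\n' "${diffs# }"
}

# Sample lines taken from the message above (server first, then client).
server='DOMAIN\testuser:*:10000:10000:Test User:/home/DOMAIN/testuser:/bin/false'
client='testuser:*:10000:10000::/home/DOMAIN/testuser:/bin/bash'
echo "differing fields: $(compare_passwd_lines "$server" "$client")"
# On live hosts, feed it the output of 'getent passwd <username>' from each machine.
```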

>
> 2014-05-23 11:03 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>
>     On 23/05/14 09:56, William Antonin wrote:
>
>         Hello
>
>         I have a big problem.
>
>         I'm in a lab situation with 2 domain controllers DC1, DC2 samba 4
>         (Ubuntu 14.04) in different networks and each of them has a client
>         (Ubuntu 12.04).
>
>         When I want to get uid/gid, I use "wbinfo -i user" and I get the
>         same results on each client if they have the same configuration.
>         It's ok for the client.
>
>         But when I install winbind on the servers (Ubuntu 14.04), just to be
>         able to use the wbinfo command, I can use "wbinfo -i name" but on my
>         2 DCs I get an unexpected result for the uid/gid. It seems that the
>         idmap mapping is not interpreted.
>
>         Here is my smb.conf excerpt and the results on a client and a
>         server:
>
>         Excerpt smb.conf of server
>
>         # Global parameters
>         [global]
>                  workgroup = PREVERT
>                  realm = PREVERT.LAN
>                  netbios name = DCFR
>                  server role = active directory domain controller
>                  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>                  idmap_ldb:use rfc2307 = yes
>                  winbind nss info = rfc2307
>
>         [netlogon]
>                  path = /var/lib/samba/sysvol/prevert.lan/scripts
>                  read only = No
>
>         [sysvol]
>                  path = /var/lib/samba/sysvol
>                  read only = No
>
>         Excerpt smb.conf of client
>
>         [global]
>         ; Basic server settings
>            workgroup = PREVERT
>            realm = PREVERT.LAN
>            smb ports = 139
>
>            log file = /var/log/samba/%m.log
>            max log size = 1024
>
>         ; security options
>            ;hosts allow = 10.1.1. 127.0.0.1
>            security = ADS
>            null passwords = no
>            password server = dcfr.prevert.lan
>            encrypt passwords = yes
>            guest ok = no
>            invalid users = root bin daemon named sys tty disk mem kmem users sshd
>
>            idmap config PREVERT:backend = rid
>            idmap config PREVERT:schema_mode = rfc2307
>            idmap config PREVERT:range = 10000-19999
>            idmap config PREVERT:read only = yes
>
>            winbind nss info = rfc2307
>
>            winbind uid = 60000-70000
>            winbind use default domain = Yes
>            winbind enum users = Yes
>            winbind enum groups = Yes
>
>            wins server = dcfr.prevert.lan
>
>            inherit acls = Yes
>
>            template homedir = /home/%U
>            template shell = /bin/false
>
>         wbinfo -i bob on client
>
>         bob:*:11106:10513:bob:/machine1/home/bob:/bin/sh
>
>         wbinfo -i guy on server
>
>         PREVERT\bob:*:10000:10000::/home/PREVERT/bob:/bin/false
>
>
>         Can someone help me, please?
>
>     The problem here is that the winbind on the server is not the same
>     as the winbind on the clients, you are also using the rid backend
>     on the clients. The only way to get consistent uid/gid's
>     everywhere is to use the ad backend on the clients and give your
>     users/groups uidNumber's &/or gidNumber's.
>
>     Rowland