[Samba] winbind/idmap issue on samba4 member server
Mirco MEGAS
micromegas at mail333.com
Mon Oct 20 08:52:40 MDT 2014
Hello list,
I have been stuck for 2 days and I have no clue how to troubleshoot and solve that problem. Any help is really, really appreciated.
Scenario:
=========
I am using Samba 4.1.12/sernet on DC1 (172.19.100.1) and DC2 (172.19.100.2) with the default [netlogon] and [sysvol] shares only.
I installed an additional samba4 server in the file-serving role, called MEMBERSRV1 (172.19.100.3), which serves the
[profiles], [home] and printer shares. For setting up the member server, I relied on
"https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Set_up_a_basic_smb.conf".
I am also using the NIS extensions in my AD according to the wiki tutorials. Through the ADUC tool I modified the security group "Domain Users":
I chose the [UNIX Attribute] tab and there assigned the NIS domain = MYDOM and GID = 10000 to that group.
Issue:
======
My membersrv1 (172.19.100.3) fails to resolve mappings! See output below...
----OUTPUT ON DC1-----------------------------------------------------------------------------------------------------
root at DC1:~$ getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
[...lots of local accounts here...]
MYDOM\Administrator:*:0:10000::/home/MYDOM/Administrator:/bin/false
MYDOM\Guest:*:3000011:3000012::/home/MYDOM/Guest:/bin/false
MYDOM\krbtgt:*:3000021:10000::/home/MYDOM/krbtgt:/bin/false
MYDOM\john:*:3000020:10000:John Doe:/home/MYDOM/john:/bin/false
MYDOM\george:*:3000022:10000:George Miller:/home/MYDOM/george:/bin/false
MYDOM\richard:*:3000023:10000:Richard Smitty:/home/MYDOM/richard:/bin/false
MYDOM\testuser1:*:3000030:10000:Test User 1:/home/MYDOM/testuser1:/bin/false
MYDOM\testuser3:*:3000027:10000:Test User 3:/home/MYDOM/testuser3:/bin/false
MYDOM\testuser2:*:3000032:10000:Test User 2:/home/MYDOM/testuser2:/bin/false
root at DC1:~$ wbinfo -u
Administrator
Guest
krbtgt
john
george
richard
testuser1
testuser3
testuser2
root at DC1:~$ wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy
root at dc1:~$ wbinfo -n testuser1
S-1-5-21-2040615909-1719611856-576149365-1114 SID_USER (1)
root at dc1:~$ wbinfo -S S-1-5-21-2040615909-1719611856-576149365-1114
3000030
root at dc1:~$ wbinfo -Y S-1-5-21-2040615909-1719611856-576149365-1114
3000030
root at dc1:~$ wbinfo -s S-1-5-21-2040615909-1719611856-576149365-1114
MYDOM\testuser1 1
root at dc1:~$ wbinfo -r testuser1
10000
root at dc1:~$ wbinfo --uid-info=3000030
MYDOM\testuser1:*:3000030:10000:Test User 1:/home/MYDOM/testuser1:/bin/false
root at dc1:~$ wbinfo --gid-info=10000
MYDOM\Domain Users:*:10000:
root at dc1:~$ wbinfo -P
checking the NETLOGON dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND
root at dc1:~$ samba-tool testparm --suppress-prompt -v |grep winbind
winbind separator = \
winbind cache time = 0
winbind reconnect delay = 0
winbind request timeout = 0
winbind max clients = 0
winbind enum users = No
winbind enum groups = No
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = No
winbind expand groups = 0
winbind nss info =
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
winbind rpc only = No
winbind max domain connections = 0
winbindd socket directory = /var/run/samba/winbindd
winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
winbind sealed pipes = Yes
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
----OUTPUT ON DC2-----------------------------------------------------------------------------------------------------
root at dc2:~$ wbinfo -n testuser1
S-1-5-21-2040615909-1719611856-576149365-1114 SID_USER (1)
root at dc2:~$ wbinfo -S S-1-5-21-2040615909-1719611856-576149365-1114
3000030
root at dc2:~$ wbinfo -Y S-1-5-21-2040615909-1719611856-576149365-1114
3000030
root at dc2:~$ wbinfo -s S-1-5-21-2040615909-1719611856-576149365-1114
MYDOM\testuser1 1
root at dc2:~$ wbinfo -r testuser1
10000
root at dc2:~$ wbinfo --uid-info=3000030
MYDOM\testuser1:*:3000030:10000:Test User 1:/home/MYDOM/testuser1:/bin/false
root at dc2:~$ wbinfo --gid-info=10000
MYDOM\Domain Users:*:10000:
root at dc2:~$ wbinfo -P
checking the NETLOGON dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND
root at dc2:~$ samba-tool testparm --suppress-prompt -v |grep winbind
winbind separator = \
winbind cache time = 0
winbind reconnect delay = 0
winbind request timeout = 0
winbind max clients = 0
winbind enum users = No
winbind enum groups = No
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = No
winbind expand groups = 0
winbind nss info =
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
winbind rpc only = No
winbind max domain connections = 0
winbindd socket directory = /var/run/samba/winbindd
winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
winbind sealed pipes = Yes
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
----OUTPUT ON MEMBERSRV1----------------------------------------------------------------------------------------------
root at membersrv1:~$ wbinfo -n testuser1
S-1-5-21-2040615909-1719611856-576149365-1114 SID_USER (1)
root at membersrv1:~$ wbinfo -Y S-1-5-21-2040615909-1719611856-576149365-1114
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2040615909-1719611856-576149365-1114 to gid
root at membersrv1:~$ wbinfo -s S-1-5-21-2040615909-1719611856-576149365-1114
MYDOM\testuser1 1
root at membersrv1:~$ wbinfo -r testuser1
10000
70002
root at membersrv1:~$ wbinfo --uid-info=3000030
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 3000030
root at membersrv1:~$ wbinfo --uid-info=10000
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 10000
root at membersrv1:~$ wbinfo --gid-info=10000
domain users:x:10000:
root at membersrv1:~$ wbinfo -P
checking the NETLOGON dc connection to "dc1.mydom.example.com" succeeded
root at membersrv1:~$ samba-tool testparm --suppress-prompt -v |grep winbind
winbind separator = \
winbind cache time = 0
winbind reconnect delay = 0
winbind request timeout = 0
winbind max clients = 0
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind trusted domains only = No
winbind nested groups = No
winbind expand groups = 0
winbind nss info = rfc2307
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
winbind rpc only = No
winbind max domain connections = 0
winbindd socket directory = /var/run/samba/winbindd
winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
winbind sealed pipes = Yes
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
root at membersrv1:/lib64$ ls -lh
lrwxrwxrwx 1 root root 32 Aug 26 23:10 ld-linux-x86-64.so.2 -> /lib/x86_64-linux-gnu/ld-2.13.so
lrwxrwxrwx 1 root root 39 Okt 17 15:11 libnss_winbind.so -> /lib/x86_64-linux-gnu/libnss_winbind.so
lrwxrwxrwx 1 root root 24 Okt 17 15:11 libnss_winbind.so.2 -> /lib64/libnss_winbind.so
root at membersrv1:/lib64$ head -n15 /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
root at membersrv1:~ cat /etc/samba/smb.conf:
[global]
netbios name = MEMBERSRV1
workgroup = MYDOM
security = ADS
realm = MYDOM.EXAMPLE.COM
encrypt passwords = yes
idmap config MYDOM:backend = ad
idmap config MYDOM:schema_mode = rfc2307
idmap config MYDOM:range = 500-40000
idmap config *:backend = tdb
idmap config *:range = 70001-80000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
[printers]
path = /var/spool/samba
printable = yes
printing = CUPS
[print$]
path = /srv/samba4_data/printer_drivers
comment = Printer Drivers
writeable = yes
[home]
path = /srv/samba4_data/home/
read only = No
[profiles]
path = /srv/samba4_data/profiles/
read only = no
=============================================================================
Of course I modified the file membersrv1:/etc/nsswitch.conf and linked the files in /lib64 in the same way as I did for DC1 and DC2,
according to the wiki tutorial. I joined the member server successfully to DC1 with "net ads join -U administrator".
I also noticed, and am confused about, the output of "wbinfo -g" on the member server. The output is not exactly the same as the
DC1 output, for example. I also want to add that when I run "getent passwd" or "getent group" on that member server, only my local accounts are displayed, no AD accounts at all!
Detailed log files, with debug level = 10:
===========================================
http://www.file-upload.net/download-9714752/log.wb-MYDOM.html
http://www.file-upload.net/download-9714750/log.winbindd.html
http://www.file-upload.net/download-9714751/log.winbindd-dc-connect.html
http://www.file-upload.net/download-9714753/log.winbindd-idmap.html
Thanks a lot in advance to everyone for assistance.
Mirco
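A small offline checker for the kind of idmap mismatch visible in the output above, added here as an example; it is neither part of the original post nor code from the Samba project. Winbind only maps IDs that fall inside the range configured for a domain, so a first thing to rule out on a member server is a uid or gid that lies outside `idmap config DOMAIN:range`. The member server config quoted in the post uses 500-40000 for MYDOM, while the DCs report uid 3000030 for testuser1. The script parses the range lines from an smb.conf, checks that the per-domain ranges do not overlap, and flags getent-style passwd lines whose uid or gid is outside the range for their domain. The config fragment and passwd lines are constructed samples modelled on the post; all function names are my own.

```python
"""Check idmap ranges in an smb.conf against IDs seen in passwd-style output.

Added example, not code from the mailing-list post or the Samba project.
"""
import re

# Constructed smb.conf fragment, modelled on the member server config in the post.
SMB_CONF = """\
[global]
   workgroup = MYDOM
   security = ADS
   idmap config MYDOM:backend = ad
   idmap config MYDOM:schema_mode = rfc2307
   idmap config MYDOM:range = 500-40000
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   winbind nss info = rfc2307
"""

# Constructed passwd-style lines in the format ``getent passwd`` printed on the DCs.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "MYDOM\\testuser1:*:3000030:10000:Test User 1:/home/MYDOM/testuser1:/bin/false",
    "MYDOM\\Guest:*:3000011:3000012::/home/MYDOM/Guest:/bin/false",
]

# Matches e.g. "idmap config MYDOM:range = 500-40000"; the domain part may be "*".
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf_text):
    """Return {DOMAIN: (low, high)} for every idmap range line in the config."""
    ranges = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment lines
            continue
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlapping_ranges(ranges):
    """Return [(dom_a, dom_b), ...] for each pair of domains whose ranges intersect."""
    names = sorted(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                clashes.append((a, b))
    return clashes


def range_for(ranges, domain):
    """Range used for DOMAIN: its own entry, otherwise the '*' default entry."""
    return ranges.get(domain.upper(), ranges.get("*"))


def check_passwd_line(line, ranges, separator="\\"):
    """Check one passwd line; None for local accounts, else a result dict."""
    fields = line.split(":")
    name, uid, gid = fields[0], int(fields[2]), int(fields[3])
    domain, sep, user = name.rpartition(separator)
    if not sep:
        return None  # no "DOMAIN\user" prefix: local account, idmap not involved
    result = {"domain": domain.upper(), "user": user, "uid": uid, "gid": gid,
              "range": range_for(ranges, domain),
              "uid_in_range": False, "gid_in_range": False}
    if result["range"] is not None:
        lo, hi = result["range"]
        result["uid_in_range"] = lo <= uid <= hi
        result["gid_in_range"] = lo <= gid <= hi
    return result


def audit(conf_text, passwd_lines):
    """Run both checks; return (overlapping pairs, results for domain accounts)."""
    ranges = parse_idmap_ranges(conf_text)
    checked = (check_passwd_line(l, ranges) for l in passwd_lines)
    return overlapping_ranges(ranges), [r for r in checked if r is not None]


if __name__ == "__main__":
    overlaps, results = audit(SMB_CONF, PASSWD_LINES)
    print("overlapping idmap ranges:", overlaps or "none")
    for r in results:
        flag = "OK " if r["uid_in_range"] and r["gid_in_range"] else "BAD"
        print(f"{flag} {r['domain']}\\{r['user']}: uid {r['uid']} gid {r['gid']} "
              f"range {r['range']}")
```

Run it against the real files by replacing the two constructed inputs with the contents of /etc/samba/smb.conf and the output of `getent passwd` from a DC; a BAD line tells you which ID the member server's range would never accept, which is a cheaper first check than reading a level-10 winbindd log.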