[Samba] winbind/idmap issue on samba4 member server

Rowland Penny rowlandpenny at googlemail.com
Mon Oct 20 09:36:23 MDT 2014


On 20/10/14 15:52, Mirco MEGAS wrote:
> Hello list,
>
> I've been stuck for 2 days and I have no clue how to troubleshoot and solve this problem. Any help is really, really appreciated.
>
> Scenario:
> =========
> I am using Samba 4.1.12/sernet on DC1 (172.19.100.1) and DC2 (172.19.100.2) with only the default [netlogon] and [sysvol] shares.
> I installed an additional samba4 server in the file-serving role, called MEMBERSRV1 (172.19.100.3), which serves the
> [profiles], [home] and [printer] shares. For setting up the member server, I relied on
> "https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Set_up_a_basic_smb.conf".
> I am also using NIS extensions in my AD according to the wiki tutorials. Through the ADUC tool I modified the security group "Domain Users":
> I chose the [UNIX Attribute] tab and there assigned the NIS domain = MYDOM and the GID = 10000 to that group.
>
> Issue:
> ======
> My membersrv1 (172.19.100.3) fails to resolve mappings! See output below...
>
> ----OUTPUT ON DC1-----------------------------------------------------------------------------------------------------
> root at DC1:~$ getent passwd
>
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> [...lots of local accounts here...]
> MYDOM\Administrator:*:0:10000::/home/MYDOM/Administrator:/bin/false
> MYDOM\Guest:*:3000011:3000012::/home/MYDOM/Guest:/bin/false
> MYDOM\krbtgt:*:3000021:10000::/home/MYDOM/krbtgt:/bin/false
> MYDOM\john:*:3000020:10000:John Doe:/home/MYDOM/john:/bin/false
> MYDOM\george:*:3000022:10000:George Miller:/home/MYDOM/george:/bin/false
> MYDOM\richard:*:3000023:10000:Richard Smitty:/home/MYDOM/richard:/bin/false
> MYDOM\testuser1:*:3000030:10000:Test User 1:/home/MYDOM/testuser1:/bin/false
> MYDOM\testuser3:*:3000027:10000:Test User 3:/home/MYDOM/testuser3:/bin/false
> MYDOM\testuser2:*:3000032:10000:Test User 2:/home/MYDOM/testuser2:/bin/false
>
> root at DC1:~$ wbinfo -u
>
> Administrator
> Guest
> krbtgt
> john
> george
> richard
> testuser1
> testuser3
> testuser2
>
> root at DC1:~$ wbinfo -g
> Enterprise Read-Only Domain Controllers
> Domain Admins
> Domain Users
> Domain Guests
> Domain Computers
> Domain Controllers
> Schema Admins
> Enterprise Admins
> Group Policy Creator Owners
> Read-Only Domain Controllers
> DnsUpdateProxy
>
> root at dc1:~$ wbinfo -n testuser1
> S-1-5-21-2040615909-1719611856-576149365-1114 SID_USER (1)
>
> root at dc1:~$ wbinfo -S S-1-5-21-2040615909-1719611856-576149365-1114
> 3000030
>
> root at dc1:~$ wbinfo -Y S-1-5-21-2040615909-1719611856-576149365-1114
> 3000030
>
> root at dc1:~$ wbinfo -s S-1-5-21-2040615909-1719611856-576149365-1114
> MYDOM\testuser1 1
>
> root at dc1:~$ wbinfo -r testuser1
> 10000
>
> root at dc1:~$ wbinfo --uid-info=3000030
> MYDOM\testuser1:*:3000030:10000:Test User 1:/home/MYDOM/testuser1:/bin/false
>
> root at dc1:~$ wbinfo --gid-info=10000
> MYDOM\Domain Users:*:10000:
>
> root at dc1:~$ wbinfo -P
> checking the NETLOGON dc connection to "" failed
> failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND
>
> root at dc1:~$ samba-tool testparm --suppress-prompt -v |grep winbind
>          winbind separator = \
>          winbind cache time = 0
>          winbind reconnect delay = 0
>          winbind request timeout = 0
>          winbind max clients = 0
>          winbind enum users = No
>          winbind enum groups = No
>          winbind use default domain = No
>          winbind trusted domains only = No
>          winbind nested groups = No
>          winbind expand groups = 0
>          winbind nss info =
>          winbind refresh tickets = No
>          winbind offline logon = No
>          winbind normalize names = No
>          winbind rpc only = No
>          winbind max domain connections = 0
>          winbindd socket directory = /var/run/samba/winbindd
>          winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
>          winbind sealed pipes = Yes
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
>
> ----OUTPUT ON DC2-----------------------------------------------------------------------------------------------------
>
> root at dc2:~$ wbinfo -n testuser1
> S-1-5-21-2040615909-1719611856-576149365-1114 SID_USER (1)
>
> root at dc2:~$ wbinfo -S S-1-5-21-2040615909-1719611856-576149365-1114
> 3000030
>
> root at dc2:~$ wbinfo -Y S-1-5-21-2040615909-1719611856-576149365-1114
> 3000030
>
> root at dc2:~$ wbinfo -s S-1-5-21-2040615909-1719611856-576149365-1114
> MYDOM\testuser1 1
>
> root at dc2:~$ wbinfo -r testuser1
> 10000
>
> root at dc2:~$ wbinfo --uid-info=3000030
> MYDOM\testuser1:*:3000030:10000:Test User 1:/home/MYDOM/testuser1:/bin/false
>
> root at dc2:~$ wbinfo --gid-info=10000
> MYDOM\Domain Users:*:10000:
>
> root at dc2:~$ wbinfo -P
> checking the NETLOGON dc connection to "" failed
> failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND
>
> root at dc2:~$ samba-tool testparm --suppress-prompt -v |grep winbind
>          winbind separator = \
>          winbind cache time = 0
>          winbind reconnect delay = 0
>          winbind request timeout = 0
>          winbind max clients = 0
>          winbind enum users = No
>          winbind enum groups = No
>          winbind use default domain = No
>          winbind trusted domains only = No
>          winbind nested groups = No
>          winbind expand groups = 0
>          winbind nss info =
>          winbind refresh tickets = No
>          winbind offline logon = No
>          winbind normalize names = No
>          winbind rpc only = No
>          winbind max domain connections = 0
>          winbindd socket directory = /var/run/samba/winbindd
>          winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
>          winbind sealed pipes = Yes
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
>
> ----OUTPUT ON MEMBERSRV1----------------------------------------------------------------------------------------------
>
> root at membersrv1:~$ wbinfo -n testuser1
> S-1-5-21-2040615909-1719611856-576149365-1114 SID_USER (1)
>
> root at membersrv1:~$ wbinfo -Y S-1-5-21-2040615909-1719611856-576149365-1114
> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-2040615909-1719611856-576149365-1114 to gid
>
> root at membersrv1:~$ wbinfo -s S-1-5-21-2040615909-1719611856-576149365-1114
> MYDOM\testuser1 1
>
> root at membersrv1:~$ wbinfo -r testuser1
> 10000
> 70002
>
> root at membersrv1:~$ wbinfo --uid-info=3000030
> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for uid 3000030
>
> root at membersrv1:~$ wbinfo --uid-info=10000
> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for uid 10000
>
> root at membersrv1:~$ wbinfo --gid-info=10000
> domain users:x:10000:
>
> root at membersrv1:~$ wbinfo -P
> checking the NETLOGON dc connection to "dc1.mydom.example.com" succeeded
>
> root at membersrv1:~$ samba-tool testparm --suppress-prompt -v |grep winbind
>          winbind separator = \
>          winbind cache time = 0
>          winbind reconnect delay = 0
>          winbind request timeout = 0
>          winbind max clients = 0
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          winbind use default domain = Yes
>          winbind trusted domains only = No
>          winbind nested groups = No
>          winbind expand groups = 0
>          winbind nss info = rfc2307
>          winbind refresh tickets = No
>          winbind offline logon = No
>          winbind normalize names = No
>          winbind rpc only = No
>          winbind max domain connections = 0
>          winbindd socket directory = /var/run/samba/winbindd
>          winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
>          winbind sealed pipes = Yes
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
>
> root at membersrv1:/lib64$ ls -lh
>
> lrwxrwxrwx 1 root root 32 Aug 26 23:10 ld-linux-x86-64.so.2 -> /lib/x86_64-linux-gnu/ld-2.13.so
> lrwxrwxrwx 1 root root 39 Okt 17 15:11 libnss_winbind.so -> /lib/x86_64-linux-gnu/libnss_winbind.so
> lrwxrwxrwx 1 root root 24 Okt 17 15:11 libnss_winbind.so.2 -> /lib64/libnss_winbind.so
>
> root at membersrv1:/lib64$ head -n15 /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat winbind
> group:          compat winbind
>
> root at membersrv1:~ cat /etc/samba/smb.conf:
>
> [global]
>          netbios name = MEMBERSRV1
>          workgroup = MYDOM
>          security = ADS
>          realm = MYDOM.EXAMPLE.COM
>          encrypt passwords = yes
>
>          idmap config MYDOM:backend = ad
>          idmap config MYDOM:schema_mode = rfc2307
>          idmap config MYDOM:range = 500-40000
>
>          idmap config *:backend = tdb
>          idmap config *:range = 70001-80000
>
>          winbind nss info = rfc2307
>          winbind trusted domains only = no
>          winbind use default domain = yes
>          winbind enum users  = yes
>          winbind enum groups = yes
>
>          rpc_server:spoolss = external
>          rpc_daemon:spoolssd = fork
>
> [printers]
>          path = /var/spool/samba
>          printable = yes
>          printing = CUPS
>
> [print$]
>          path = /srv/samba4_data/printer_drivers
>          comment = Printer Drivers
>          writeable = yes
>
> [home]
>       path = /srv/samba4_data/home/
>       read only = No
>
> [profiles]
>       path = /srv/samba4_data/profiles/
>       read only = no
>
> =============================================================================
>
> Of course I modified the file membersrv1:/etc/nsswitch.conf and linked the files in /lib64 the same way I did for DC1 and DC2,
> according to the wiki tutorial. I joined the member server successfully to DC1 with "net ads join -U administrator".
>
> I also noticed, and am confused by, the output of "wbinfo -g" on the member server. The output is not exactly the same as the
> DC1 output, for example. I also want to add that when I run "getent passwd" or "getent group" on that member server, only my local accounts are displayed, no AD accounts at all!
>
> Detailed log files, with debug level = 10:
> ===========================================
> http://www.file-upload.net/download-9714752/log.wb-MYDOM.html
> http://www.file-upload.net/download-9714750/log.winbindd.html
> http://www.file-upload.net/download-9714751/log.winbindd-dc-connect.html
> http://www.file-upload.net/download-9714753/log.winbindd-idmap.html
>
> Thanks a lot in advance to everyone for assistance.
>
> Mirco
Hi, I think that you are falling into the 'winbind on the DC != winbind 
on the client' problem.

On the DC, winbind is built into the samba daemon and does not have the 
same capabilities as the separate winbind daemon that is in use on your 
member server. This is the main reason that it is not recommended to use 
the DC for anything other than authentication.

Rowland
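As an added example (not from the thread or from Samba itself), this POSIX shell script parses the `idmap config` lines of the member server's smb.conf quoted above and reports which configured range, if any, would handle a given ID; the sample config and the three IDs are taken from the post. It shows that 3000030 (a uid in the DC's local 3000000+ allocation range) lies outside both ranges configured on the member server, which is why `wbinfo --uid-info=3000030` cannot map it there, while 70002 falls in the `*` tdb range.

```shell
#!/bin/sh
# Added example: which configured idmap range (if any) handles a given ID?
# Constructed copy of the member server's idmap settings from the thread.
SMB_CONF_SAMPLE='[global]
        idmap config MYDOM:backend = ad
        idmap config MYDOM:schema_mode = rfc2307
        idmap config MYDOM:range = 500-40000
        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
'

# Extract "idmap config <dom>:<key> = <value>" lines as "<dom> <key> <value>".
idmap_settings() {
    printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*idmap config \([^:]*\):\([a-z_]*\)[[:space:]]*=[[:space:]]*\(.*\)$/\1 \2 \3/p'
}

# Print the domain label whose range contains ID $1, or "none".
idmap_owner() {
    _found=$(idmap_settings "$2" | awk -v id="$1" '
        $2 == "range" {
            split($3, r, "-")
            if (r[1] + 0 <= id + 0 && id + 0 <= r[2] + 0) print $1
        }')
    printf '%s\n' "${_found:-none}"
}

# Print the backend configured for domain label $1, or "none".
idmap_backend() {
    _found=$(idmap_settings "$2" | awk -v dom="$1" '$1 == dom && $2 == "backend" { print $3 }')
    printf '%s\n' "${_found:-none}"
}

# One-line diagnosis for an ID seen in wbinfo/getent output.
explain_id() {
    _dom=$(idmap_owner "$1" "$2")
    if [ "$_dom" = none ]; then
        printf 'id %s: outside every configured idmap range; winbind on this host cannot map it\n' "$1"
    else
        printf 'id %s: handled by "%s" (backend %s)\n' "$1" "$_dom" "$(idmap_backend "$_dom" "$2")"
    fi
}

# IDs from the thread: the DC-allocated uid, the Domain Users gid, a tdb-allocated gid.
for id in 3000030 10000 70002; do
    explain_id "$id" "$SMB_CONF_SAMPLE"
done
```

With the `ad` backend, winbind on the member server only maps accounts whose rfc2307 uidNumber/gidNumber lies inside the configured range, so an ID outside every range is reported as unmappable rather than looked up elsewhere.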