[Samba] Samba as AD member can not validate domain user

Rowland Penny rowlandpenny at googlemail.com
Mon Apr 6 03:38:09 MDT 2015


On 06/04/15 10:09, jd at ionica.lv wrote:
>
> Quoting Rowland Penny <rowlandpenny at googlemail.com>:
>
>>> getent passwd shows list of local users, freezes for a while and exits;
>>
>> This is possibly because you may have (somehow) the same username in 
>> AD and /etc/passwd
>
> even with the "problematic" user removed behaviour is the same (with 
> net ads leave, remove krb5 keytab and join +restart)
>>
>>> id user shows user info if it exists locally.
>>
>> On an AD joined machine id should show user info if the user exists 
>> in AD and has the required rfc2307 attributes.
>
> I re-checked what I have on AD DC:
> 1. getent passwd shows local + AD users (AD users having uids in the 
> range of 30000XX)
> 2. getent group shows local + AD groups, AD groups having gids in the 
> range of 30000XX, just Domain Users having gid 100
> 3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)' objectSID 
> gidNumber
> gives only objectSID without gidNumber;
>
> CFG files from fileserver:
> ============
> krb5.conf
> [libdefaults]
> default = INTERNAL.DOMAIN.LV
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> ===========
> nsswitch.conf
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat files
>
> hosts:          files dns
> networks:       files
>
> services:       files
> protocols:      files
> rpc:            files
> ethers:         files
> netmasks:       files
> netgroup:       files
> bootparams:     files
>
> automount:      files
> aliases:        files nisplus
> publickey:      nisplus
> =============
> SMB.conf on fileserver
> [global]
>         security = ADS
>         workgroup = INTERNAL
>         acl group control = yes
>         inherit acls = Yes
>         map acl inherit = Yes
>         realm = INTERNAL.DOMAIN.LV
>         kerberos method = secrets and keytab
>         idmap config internal:backend = ad
>         idmap config internal:range = 10000-3001000
>         idmap config internal:schema_mode = rfc2307
>         idmap config *:range = 2000-9999
>         idmap config *:backend = tdb
>         dedicated keytab file = /etc/krb5.keytab
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind separator = \
>         winbind refresh tickets = Yes
>         winbind nss info = rfc2307
>         winbind use default domain = yes
>         winbind trusted domains only = yes
>         utmp = yes
>         wins server = sambadc.DOMAIN.lv
>         wins support = yes
>         dns proxy = no
>         wins proxy = no
>         wtmp directory = /var/log/wtmp
>         preferred master = no
>         log level = 4
>         bind interfaces only = Yes
>         interfaces = lo, eth1
>         netbios name = FS2
>         os level = 33
> ======================
> smb.conf on AD DC
> [global]
>         wins support = yes
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbind, ntp_signd, kcc, dnsupdate
>         winbind trusted domains only = yes
>         os level = 65
>         workgroup = INTERNAL
>         realm = INTERNAL.DOMAIN.LV
>         name resolve order = bcast wins host
>         log level = 4
>         idmap_ldb:use rfc2307 = yes
>         preferred master = Yes
>         map to guest = Bad Password
>         security = user
>         server role = active directory domain controller
>         domain logons = Yes
>         kerberos method = secrets and keytab
>         server string = Samba AD DC Server %v
>         domain master = Yes
>         winbind use default domain = yes
>         utmp = yes
>         max log size = 5000
>         netbios name = SAMBADC
>         local master = Yes
>         wtmp directory = /var/log/wtmp
>
> I feel lost and I do not understand what else to read or how to detect 
> what is wrong with cfg.
>
> Janis
>

Firstly, please put the smb.conf on the AD DC back to what it was just 
after the provision. You do not need the extra lines you have added.

You have posted what is probably your problem:

3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)' objectSID 
gidNumber
gives only objectSID without gidNumber;

You are using the winbind 'ad' backend on the member server; for this to 
work, your users need a 'uidNumber' attribute and 'Domain Users' (at 
least) *NEEDS* a 'gidNumber'.

If you use the 'ad' backend, then giving your users a 'uidNumber' is not 
enough, you must give their primarygroup (Domain Users) a 'gidNumber' 
attribute.

Rowland
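The check Rowland describes (every user needs a uidNumber, and the user's primary group, normally Domain Users, needs a gidNumber, both inside the member server's idmap range) can be automated over the LDIF that ldbsearch or ldapsearch prints. The script below is an added example, not code from the thread or from the Samba project; the LDIF it parses is constructed to mirror the situation Janis reported (users carry uidNumber, Domain Users carries only objectSid), the SIDs in it are placeholders, and the range 10000-3001000 is taken from the member server's smb.conf above. It assumes the search was run with at least objectClass, sAMAccountName, objectSid, primaryGroupID, uidNumber and gidNumber requested.

```python
"""Check that AD users and their primary groups carry the rfc2307 attributes
the winbind 'ad' backend needs, working from LDIF as ldbsearch prints it.

Added example for the Samba list thread above; not Samba's code and not the
poster's. Sample LDIF and SIDs below are constructed placeholders.
"""

# From the member server's smb.conf: idmap config internal:range = 10000-3001000
IDMAP_RANGE = (10000, 3001000)
DOMAIN_USERS_RID = 513  # well-known RID of 'Domain Users' (default primaryGroupID)

# Constructed sample output in ldbsearch's LDIF style; SIDs are placeholders.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: group
cn: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513

dn: CN=Janis,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: user
sAMAccountName: janis
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
primaryGroupID: 513
uidNumber: 3000011

dn: CN=Guest,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: user
sAMAccountName: guest
objectSid: S-1-5-21-1111111111-2222222222-3333333333-501
primaryGroupID: 513
"""


def parse_ldif(text):
    """Parse plain LDIF (no base64 values, no folded lines) into a list of
    entries; each entry maps a lower-cased attribute name to its values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("ref:"):
            continue                   # ldbsearch comments / ldapsearch referrals
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def rid(sid):
    """Last sub-authority of an objectSid string, i.e. the RID."""
    return int(sid.rsplit("-", 1)[1])


def check_rfc2307(entries, idmap_range=IDMAP_RANGE):
    """Return a list of problem descriptions; an empty list means the 'ad'
    backend has the attributes it needs to resolve every user found."""
    lo, hi = idmap_range
    problems = []
    groups = {rid(e["objectsid"][0]): e
              for e in entries if "group" in e.get("objectclass", [])}
    needed_groups = set()

    for e in entries:
        if "user" not in e.get("objectclass", []):
            continue
        name = e["samaccountname"][0]
        uid = e.get("uidnumber")
        if not uid:
            problems.append(f"user {name}: missing uidNumber")
        elif not lo <= int(uid[0]) <= hi:
            problems.append(f"user {name}: uidNumber {uid[0]} outside idmap range {lo}-{hi}")
        # primaryGroupID holds the RID of the primary group; AD defaults it to 513
        needed_groups.add(int(e.get("primarygroupid", [DOMAIN_USERS_RID])[0]))

    # A primary group without gidNumber makes every member unresolvable,
    # even when the members themselves have a uidNumber.
    for grp_rid in sorted(needed_groups):
        g = groups.get(grp_rid)
        if g is None:
            problems.append(f"primary group RID {grp_rid}: not in search results")
            continue
        gname, gid = g["cn"][0], g.get("gidnumber")
        if not gid:
            problems.append(f"group {gname}: missing gidNumber (users with this primary group will not resolve)")
        elif not lo <= int(gid[0]) <= hi:
            problems.append(f"group {gname}: gidNumber {gid[0]} outside idmap range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    for problem in check_rfc2307(parse_ldif(SAMPLE_LDIF)) or ["no rfc2307 problems found"]:
        print(problem)
```

Run against real data by piping the search output in place of SAMPLE_LDIF; on the sample it reports that guest has no uidNumber and that Domain Users has no gidNumber, which is exactly the symptom in the thread, and it reports nothing once both attributes are present and inside the range.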


