[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?

Rowland Penny rowlandpenny at googlemail.com
Tue Apr 21 13:06:28 MDT 2015


On 21/04/15 19:53, john_s wrote:
> On 04/20/2015 02:01 PM, Rowland Penny wrote:
>
>>
>> I would suggest you try it on a test set up in a VM and if it works, go
>> to production.
>>
>> Rowland
>>
>
> Hi Rowland,
>
> Ok, I think I am pretty close. Still using Samba 3.3.6 since I 
> couldn't seem to get Samba 4 to work from backports.
>
> My sticking point right now is that winbind is mapping the wrong UID 
> to my test user. I've set up the NIS domain in AD to correspond to my 
> smb.conf file and I *think* I've correctly specified that UIDs 
> should start at 10000, however when I id a domain user, the mapping 
> starts at 2000. I assume this means that winbind thinks that the user 
> doesn't exist in the domain. wbinfo -u and wbinfo -g work as expected
>
>
>  wbinfo -n flyboy
> S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)
>
> root at debian-tester:~# id flyboy
> uid=2000(DEBIAN-TESTER\nobody) gid=2006(domain_users) 
> groups=2001(DEBIAN-TESTER\none),2006(domain_users),2007(student_terminal_server),2008(all_students_users),2009(mcm_students),2010(students),2011(chromebooks),2012(2020)
>
>
> root at debian-tester:~# getent passwd flyboy
> flyboy:*:2000:2006:flyboy:/home/flyboy:/bin/sh
>
> getent group "domain users"
> domain_users:x:2006:gcallison
>
> Here's my smb.conf file
>
> [global]
>
>
>    workgroup = VANGUARD
>    security = ADS
>    realm = VANGUARD.MYDOMAIN.ORG
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>
>    idmap config *:backend = tdb
>    idmap config *:range = 2000-9999
>    idmap config VANGUARD:backend = ad
>    idmap config VANGUARD:schema_mode = rfc2307
>    idmap config VANGUARD:range = 10000-99999
>
>    log level = 1 idmap:10
>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users  = yes
>    winbind enum groups = yes
>    winbind refresh tickets = Yes
>    winbind expand groups = 4
>    winbind normalize names = Yes
>    domain master = no
>    local master = no
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
> [ALLSTUDENTS]
>
>  path = /home/ALLSTUDENTS
>      # valid users = %S
>       readonly = no
>       writable = yes
>       printable = no
>       create mode = 0700
>       directory mode = 0700
>
> I turned up the logs for idmap, here's what I see:
>
> log.winbindd-idmap:  idmap range not specified for domain DEBIAN-TESTER
> log.winbindd-idmap:  gid [0] not mapped
> log.winbindd-idmap:  idmap backend ad not found
> log.winbindd-idmap:  gid [65534] not mapped
> log.winbindd-idmap:  Record 
> S-1-5-21-2072017671-3909937455-2446232893-501 not found
> log.winbindd-idmap:  Record 
> S-1-5-21-2072017671-3909937455-2446232893-513 not found
> log.winbindd-idmap:  Record 
> S-1-5-21-2072017671-3909937455-2446232893-546 not found
> log.winbindd-idmap:  Record 
> S-1-5-21-2072017671-3909937455-2446232893-501 not found
> log.winbindd-idmap:  Record 
> S-1-5-21-2072017671-3909937455-2446232893-513 not found
> log.winbindd-idmap:  Record 
> S-1-5-21-2072017671-3909937455-2446232893-546 not found
> log.winbindd-idmap:  uid [0] not mapped
>
>
> Thanks for all of your help!
>
> John
>

If you are using the winbind 'ad' backend, your users need to have a 
'uidNumber' attribute containing a number that is inside the range you 
set for the domain in smb.conf. If this number is not there, or it is 
either too small or too large, the user will be ignored as a domain user 
and the other range will be used. It sounds like you need to check just 
what 'uidNumbers' you have in smb.conf, either that or you need to use 
the 'rid' backend, see the member server page on the wiki:

  https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Rowland
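As an added example (this is not code from the thread and not part of Samba), the following Python script does the check described above offline: it parses the idmap ranges out of an smb.conf, reads a dump of AD accounts, and reports every account that idmap_ad will not map because its uidNumber is missing or falls outside the range configured for the domain. It also flags a '*' range that overlaps a domain range. The smb.conf fragment is trimmed from the one posted above; the LDIF records are constructed for the example (in practice the input would be an ldbsearch or `net ads search` dump of sAMAccountName and uidNumber). One caveat the script cannot see: the posted log also says "idmap backend ad not found", which means winbindd did not load the ad idmap module at all, so confirm that module is installed before trusting any uidNumber values.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, trimmed from the smb.conf posted in the thread.
SMB_CONF = """
[global]
   workgroup = VANGUARD
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config VANGUARD:backend = ad
   idmap config VANGUARD:schema_mode = rfc2307
   idmap config VANGUARD:range = 10000-99999
"""

# Constructed LDIF-style records, as ldbsearch / net ads search would print
# them; names and numbers are invented for the example.
LDIF_SAMPLE = """
dn: CN=flyboy,CN=Users,DC=vanguard,DC=mydomain,DC=org
sAMAccountName: flyboy
uidNumber: 10042

dn: CN=gcallison,CN=Users,DC=vanguard,DC=mydomain,DC=org
sAMAccountName: gcallison
uidNumber: 1500

dn: CN=nouid,CN=Users,DC=vanguard,DC=mydomain,DC=org
sAMAccountName: nouid
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap_config(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config DOMAIN:option = value' lines as {DOMAIN: {option: value}}."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return cfg


def parse_range(value: str) -> Tuple[int, int]:
    """'10000-99999' (spaces tolerated) -> (10000, 99999)."""
    lo, hi = value.replace(" ", "").split("-", 1)
    return int(lo), int(hi)


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Split blank-line separated LDIF records into attribute dicts (last value wins)."""
    records: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    if cur:
        records.append(cur)
    return records


def check_ranges(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Report domains without a range and any two ranges that overlap."""
    problems: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in cfg.items():
        if "range" not in opts:
            problems.append(f"{dom}: no idmap range configured")
            continue
        ranges[dom] = parse_range(opts["range"])
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # the two intervals intersect
                problems.append(f"ranges of {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    return problems


def classify_user(user: Dict[str, str], cfg: Dict[str, Dict[str, str]], domain: str) -> str:
    """Say whether idmap_ad will map this account, given the domain's backend and range."""
    opts = cfg.get(domain.upper(), {})
    backend = opts.get("backend", "tdb").lower()
    if backend != "ad":
        return f"backend '{backend}' for {domain} allocates ids itself; uidNumber is not consulted"
    if "range" not in opts:
        return f"no range for {domain}: idmap_ad cannot map anything"
    lo, hi = parse_range(opts["range"])
    raw = user.get("uidNumber")
    if raw is None:
        return "no uidNumber attribute: not mapped by idmap_ad"
    uid = int(raw)
    if not lo <= uid <= hi:
        return f"uidNumber {uid} outside {lo}-{hi}: not mapped by idmap_ad"
    return f"ok: idmap_ad maps to uid {uid}"


def audit(conf: str, ldif: str, domain: str) -> Dict[str, str]:
    """Classify every account in the dump; the '__config__' entry carries range problems."""
    cfg = parse_idmap_config(conf)
    report = {"__config__": "; ".join(check_ranges(cfg)) or "ok"}
    for rec in parse_ldif(ldif):
        report[rec.get("sAMAccountName", rec.get("dn", "?"))] = classify_user(rec, cfg, domain)
    return report


if __name__ == "__main__":
    for name, verdict in audit(SMB_CONF, LDIF_SAMPLE, "VANGUARD").items():
        print(f"{name:12} {verdict}")
```

The same rule applies to groups: a group's gidNumber (and the gidNumber used as a user's primary group) must also sit inside the domain range, so the dump fed to the script can be extended with group records and the gidNumber checked the same way.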

