[Samba] RFC2307 attributes not being read by DC2 in 4.2.1

Rowland Penny rowlandpenny at googlemail.com
Thu Apr 23 02:01:39 MDT 2015


On 23/04/15 02:48, Fred Smith wrote:
> Hi all
>
> On latest samba 4.2.1 I have provisioned a new domain on DC1 that
> successfully reads RFC2307 attributes set on a user account through
> ADUC.
>
> wbinfo (correct uid gets resolved from sid)
>
> wbinfo -n fsmith
> S-1-5-21-1273750850-484487853-1026460749-1120 SID_USER (1)
> wbinfo -S S-1-5-21-1273750850-484487853-1026460749-1120
> 1000006
>
>
> ldbsearch
>
> sudo ldbsearch -H '/usr/local/samba/private/sam.ldb' -b 'DC=samdom,DC=example,DC=org' -s sub '(&(objectCategory=Person)(CN=Fred Smith))'
> # record 1
> dn: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
> cn: Fred Smith
> sn: Smith
> givenName: Fred
> instanceType: 4
> whenCreated: 20150422234928.0Z
> displayName: Fred Smith
> uSNCreated: 4558
> name: Fred Smith
> objectGUID: 7b49274a-9ac9-48bd-9af7-e51e8ea17c9a
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> profilePath: %LOGONSERVER%\profiles\%USERNAME%
> objectSid: S-1-5-21-1273750850-484487853-1026460749-1120
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: fsmith
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=org
> uid: fsmith
> uidNumber: 1000006
> gidNumber: 50023
> loginShell: /bin/false
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> pwdLastSet: 130742201680000000
> userAccountControl: 512
> msSFU30NisDomain: samdom
> unixHomeDirectory: /dev/null
> msSFU30Name: fsmith
> unixUserPassword: ABCD!efgh12345$67890
> userPrincipalName: fsmith at samdom.example.org
> whenChanged: 20150422234929.0Z
> uSNChanged: 4565
> distinguishedName: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
>
>
> provision domain command
>
> sudo samba-tool domain provision --use-rfc2307 --site="DC1" --interactive
>
> Realm: SAMDOM.EXAMPLE.ORG
> Domain: SAMDOM
> Server Role: dc
> DNS backend: BIND9_DLZ
>
>
> DC1 smb.conf
>
> cat /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
>          workgroup = SAMDOM
>          realm = SAMDOM.EXAMPLE.ORG
>          netbios name = DC1
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>          idmap_ldb:use rfc2307 = yes
>
>          # Disable printing
>          printcap name = /dev/null
>          load printers = no
>          printing = bsd
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/samdom.example.org/scripts
>          read only = No
>          browseable = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
>          browseable = No
>
>
> But when I join DC2 to the domain and attempt to retrieve RFC2307
> attributes they don't get read.
>
>
> wbinfo (wrong uid gets resolved from sid)
>
> wbinfo -n fsmith
> S-1-5-21-1273750850-484487853-1026460749-1120 SID_USER (1)
> wbinfo -S S-1-5-21-1273750850-484487853-1026460749-1120
> 3000017
>
>
> ldbsearch
>
> sudo ldbsearch -H '/usr/local/samba/private/sam.ldb' -b 'DC=samdom,DC=example,DC=org' -s sub '(&(objectCategory=Person)(CN=Fred Smith))'
> # record 1
> dn: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Fred Smith
> sn: Smith
> givenName: Fred
> instanceType: 4
> whenCreated: 20150422234928.0Z
> whenChanged: 20150422234929.0Z
> displayName: Fred Smith
> uSNCreated: 4494
> uSNChanged: 4494
> name: Fred Smith
> objectGUID: 7b49274a-9ac9-48bd-9af7-e51e8ea17c9a
> userAccountControl: 512
> codePage: 0
> countryCode: 0
> pwdLastSet: 130742201680000000
> primaryGroupID: 513
> profilePath: %LOGONSERVER%\profiles\%USERNAME%
> objectSid: S-1-5-21-1273750850-484487853-1026460749-1120
> accountExpires: 9223372036854775807
> sAMAccountName: fsmith
> sAMAccountType: 805306368
> userPrincipalName: fsmith at example.org
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=org
> unixUserPassword: ABCD!efgh12345$67890
> uid: fsmith
> msSFU30Name: fsmith
> msSFU30NisDomain: samdom
> uidNumber: 1000006
> gidNumber: 50023
> unixHomeDirectory: /dev/null
> loginShell: /bin/false
> distinguishedName: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
>
>
> join domain command
>
> sudo samba-tool domain join samdom.example.org DC -UAdministrator --realm=samdom.example.org --site=DC2 --dns-backend=BIND9_DLZ
>
>
>
> DC2 smb.conf
>
> cat /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
>          workgroup = SAMDOM
>          realm = samdom.example.org
>          netbios name = DC2
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>          idmap_ldb:use rfc2307 # Added manually after join domain
>
>          # Disable printing
>          printcap name = /dev/null
>          load printers = no
>          printing = bsd
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/samdom.example.org/scripts
>          read only = No
>          browseable = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
>          browseable = No
>
> Reading RFC2307 attributes on DC2 worked well using the same
> configuration on samba 4.1.x.
>
> Thanks
>
> Fred.

Hmm, you seem to be the second person reporting something similar, have 
a look here:

https://lists.samba.org/archive/samba-technical/2015-April/106942.html

Could you try replacing 'winbindd' with 'winbind' in the 'server 
services' line in your smb.conf files on all DCs, restart samba and run 
your tests again? If it now works, I think you need to raise a bug report.

Rowland
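The thread's symptom is a SID that maps to the directory's uidNumber (1000006) on one DC and to an auto-allocated xid (3000017) on another. On a multi-DC domain that matters beyond "wrong number": Unix ownership of files under sysvol and any share served by both DCs then diverges per host. The script below is an added example for checking this, not code from the thread or from the Samba project. It parses a DC's smb.conf, an ldbsearch dump of the user, and the uid printed by `wbinfo -S <SID>` on that DC, and reports when `idmap_ldb:use rfc2307` is not set to yes or when the wbinfo result disagrees with uidNumber. The sample inputs are constructed to mirror the two DCs posted above (DC2's smb.conf line carries no `= value`, and the checker reports that separately); to run it against real hosts, replace the embedded strings with the captured outputs.

```python
"""Offline consistency check for RFC2307 id mapping on Samba AD DCs.

Constructed sample inputs mirror the DC1/DC2 outputs quoted in the thread.
Nothing here calls samba-tool, ldbsearch or wbinfo itself: capture their
output on each DC and feed the text to check_dc().
"""

# smb.conf fragments (constructed to match the thread's two DCs).
DC1_SMB_CONF = """\
[global]
        workgroup = SAMDOM
        realm = SAMDOM.EXAMPLE.ORG
        netbios name = DC1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
"""

DC2_SMB_CONF = """\
[global]
        workgroup = SAMDOM
        realm = samdom.example.org
        netbios name = DC2
        server role = active directory domain controller
        idmap_ldb:use rfc2307 # Added manually after join domain
"""

# ldbsearch output trimmed to the attributes the check needs (constructed).
USER_LDIF = """\
# record 1
dn: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
sAMAccountName: fsmith
objectSid: S-1-5-21-1273750850-484487853-1026460749-1120
uidNumber: 1000006
gidNumber: 50023
"""

# What `wbinfo -S <SID>` printed on each DC in the thread.
WBINFO_S = {"DC1": "1000006\n", "DC2": "3000017\n"}

RFC2307_PARAM = "idmap_ldb:use rfc2307"


def parse_smb_conf(text):
    """Return {section: {param: value}}.

    Lines beginning with '#' or ';' are comments. A trailing '#' is NOT
    treated as a comment here, so DC2's line above is stored as a parameter
    name with value None (no '=' was found), and flagged by rfc2307_status().
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        name, sep, value = line.partition("=")
        sections[current][name.strip().lower()] = value.strip() if sep else None
    return sections


def rfc2307_status(conf_text):
    """'on' for yes/true/1, 'off' for any other value, 'no-value' when the
    parameter is named without '= value', 'missing' when absent."""
    g = parse_smb_conf(conf_text).get("global", {})
    value = g.get(RFC2307_PARAM)
    if value is not None:
        return "on" if value.lower() in ("yes", "true", "1") else "off"
    if any(k.startswith(RFC2307_PARAM) for k in g):
        return "no-value"
    return "missing"


def parse_ldif(text):
    """Return {sAMAccountName: {attr: value}} from ldbsearch LDIF output.
    Repeated attributes (objectClass) keep the last value; enough for ids."""
    users, entry = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip() or line.startswith("#"):
            if entry.get("sAMAccountName"):
                users[entry["sAMAccountName"]] = entry
            entry = {}
            continue
        key, _, value = line.partition(":")
        entry[key.strip()] = value.strip()
    return users


def check_dc(dc, conf_text, ldif_text, wbinfo_output, user):
    """Return a list of findings for one DC; an empty list means consistent."""
    findings = []
    status = rfc2307_status(conf_text)
    if status != "on":
        findings.append(f"{dc}: {RFC2307_PARAM} is {status}")
    entry = parse_ldif(ldif_text)[user]
    expected = int(entry["uidNumber"])
    got = int(wbinfo_output.strip())
    if got != expected:
        findings.append(f"{dc}: wbinfo -S {entry['objectSid']} gave uid {got}, "
                        f"directory uidNumber is {expected}")
    return findings


if __name__ == "__main__":
    for dc, conf in (("DC1", DC1_SMB_CONF), ("DC2", DC2_SMB_CONF)):
        problems = check_dc(dc, conf, USER_LDIF, WBINFO_S[dc], "fsmith")
        print(dc, "OK" if not problems else "\n  ".join([""] + problems))
```

The two checks are deliberately independent: a DC can have the parameter set correctly and still return an xid from idmap.ldb (the 4.2.1 behaviour being reported), and a DC can have a malformed parameter line that never took effect. Reporting both lets you tell a configuration slip from a server-side regression before filing a bug.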
