[Samba] RFC2307 attributes not being read by DC2 in 4.2.1

Fred Smith fs582087 at gmail.com
Sun Apr 26 18:47:50 MDT 2015


Thanks for your suggestions. I have tried both and neither helped, unfortunately:

Replacing winbindd with winbind on the existing server services line
or adding "server services = -winbindd +winbind" to smb.conf on
all DCs did not solve the issue.

Adding "server services = -winbind" did not solve the issue either.

On Thu, Apr 23, 2015 at 11:18 AM, Fred Smith <fs582087 at gmail.com> wrote:
> Hi all
>
> On latest samba 4.2.1 I have provisioned a new domain on DC1 that
> successfully reads RFC2307 attributes set on a user account through
> ADUC.
>
> wbinfo (correct uid gets resolved from sid)
>
> wbinfo -n fsmith
> S-1-5-21-1273750850-484487853-1026460749-1120 SID_USER (1)
> wbinfo -S S-1-5-21-1273750850-484487853-1026460749-1120
> 1000006
>
>
> ldbsearch
>
> sudo ldbsearch -H '/usr/local/samba/private/sam.ldb' -b
> 'DC=samdom,DC=example,DC=org' -s sub
> '(&(objectCategory=Person)(CN=Fred Smith))'
> # record 1
> dn: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
> cn: Fred Smith
> sn: Smith
> givenName: Fred
> instanceType: 4
> whenCreated: 20150422234928.0Z
> displayName: Fred Smith
> uSNCreated: 4558
> name: Fred Smith
> objectGUID: 7b49274a-9ac9-48bd-9af7-e51e8ea17c9a
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> profilePath: %LOGONSERVER%\profiles\%USERNAME%
> objectSid: S-1-5-21-1273750850-484487853-1026460749-1120
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: fsmith
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=org
> uid: fsmith
> uidNumber: 1000006
> gidNumber: 50023
> loginShell: /bin/false
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> pwdLastSet: 130742201680000000
> userAccountControl: 512
> msSFU30NisDomain: samdom
> unixHomeDirectory: /dev/null
> msSFU30Name: fsmith
> unixUserPassword: ABCD!efgh12345$67890
> userPrincipalName: fsmith at samdom.example.org
> whenChanged: 20150422234929.0Z
> uSNChanged: 4565
> distinguishedName: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
>
>
> provision domain command
>
> sudo samba-tool domain provision --use-rfc2307 --site="DC1" --interactive
>
> Realm: SAMDOM.EXAMPLE.ORG
> Domain: SAMDOM
> Server Role: dc
> DNS backend: BIND9_DLZ
>
>
> DC1 smb.conf
>
> cat /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
>         workgroup = SAMDOM
>         realm = SAMDOM.EXAMPLE.ORG
>         netbios name = DC1
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 = yes
>
>         # Disable printing
>         printcap name = /dev/null
>         load printers = no
>         printing = bsd
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/samdom.example.org/scripts
>         read only = No
>         browseable = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>         browseable = No
>
>
>
> But when I join DC2 to the domain and attempt to retrieve RFC2307
> attributes they don't get read.
>
>
> wbinfo (wrong uid gets resolved from sid)
>
> wbinfo -n fsmith
> S-1-5-21-1273750850-484487853-1026460749-1120 SID_USER (1)
> wbinfo -S S-1-5-21-1273750850-484487853-1026460749-1120
> 3000017
>
>
> ldbsearch
>
> sudo ldbsearch -H '/usr/local/samba/private/sam.ldb' -b
> 'DC=samdom,DC=example,DC=org' -s sub
> '(&(objectCategory=Person)(CN=Fred Smith))'
> # record 1
> dn: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Fred Smith
> sn: Smith
> givenName: Fred
> instanceType: 4
> whenCreated: 20150422234928.0Z
> whenChanged: 20150422234929.0Z
> displayName: Fred Smith
> uSNCreated: 4494
> uSNChanged: 4494
> name: Fred Smith
> objectGUID: 7b49274a-9ac9-48bd-9af7-e51e8ea17c9a
> userAccountControl: 512
> codePage: 0
> countryCode: 0
> pwdLastSet: 130742201680000000
> primaryGroupID: 513
> profilePath: %LOGONSERVER%\profiles\%USERNAME%
> objectSid: S-1-5-21-1273750850-484487853-1026460749-1120
> accountExpires: 9223372036854775807
> sAMAccountName: fsmith
> sAMAccountType: 805306368
> userPrincipalName: fsmith at example.org
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=org
> unixUserPassword: ABCD!efgh12345$67890
> uid: fsmith
> msSFU30Name: fsmith
> msSFU30NisDomain: samdom
> uidNumber: 1000006
> gidNumber: 50023
> unixHomeDirectory: /dev/null
> loginShell: /bin/false
> distinguishedName: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
>
>
> join domain command
>
> sudo samba-tool domain join samdom.example.org DC -UAdministrator
> --realm=samdom.example.org --site=DC2 --dns-backend=BIND9_DLZ
>
>
> DC2 smb.conf
>
> cat /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
>         workgroup = SAMDOM
>         realm = samdom.example.org
>         netbios name = DC2
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 # Added manually after join domain
>
>         # Disable printing
>         printcap name = /dev/null
>         load printers = no
>         printing = bsd
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/samdom.example.org/scripts
>         read only = No
>         browseable = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>         browseable = No
>
> Reading RFC2307 attributes on DC2 worked well using the same
> configuration on samba 4.1.x.
>
> Thanks
>
> Fred.
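As an added example that is not part of the thread, the check below automates the comparison Fred made by hand: it parses a DC's smb.conf for the `idmap_ldb:use rfc2307` parameter and compares the uid winbind resolved for the SID with the account's uidNumber from ldbsearch. The smb.conf and LDIF strings are constructed from the posted output; the remark about the idmap.ldb allocation pool is general Samba behaviour, not something the thread states.

```python
# Added example (not from the thread): lint a DC's smb.conf for the RFC2307 idmap
# switch and cross-check the uid winbind resolved for a SID against uidNumber.

def parse_global(smb_conf):
    """Return ([global] params as {key: value}, list of lines lacking '=')."""
    params, malformed, section = {}, [], None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and line and line[0] not in "#;":
            key, sep, value = line.partition("=")
            if sep:
                params[key.strip().lower()] = value.strip()
            else:
                malformed.append(line)  # e.g. "param # comment" with no '='
    return params, malformed

def ldif_attr(ldif, attr):
    for line in ldif.splitlines():  # first value of attr in ldbsearch output
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == attr.lower():
            return value.strip()
    return None

def check_dc(smb_conf, ldif, wbinfo_uid):
    """Findings explaining why winbind's uid may differ from the account's uidNumber."""
    findings, key = [], "idmap_ldb:use rfc2307"
    params, malformed = parse_global(smb_conf)
    if key not in params:
        hit = any(m.lower().startswith(key) for m in malformed)
        findings.append(f"{key} {'has no = value' if hit else 'is not set'}")
    elif params[key].lower() not in ("yes", "true", "1"):
        findings.append(f"{key} is '{params[key]}', not yes")
    uid_number = ldif_attr(ldif, "uidNumber")
    if uid_number is None:
        findings.append("account has no uidNumber attribute")
    elif str(wbinfo_uid) != uid_number:
        findings.append(f"winbind resolved uid {wbinfo_uid}, uidNumber is {uid_number}")
    return findings

# Constructed inputs modelled on the thread: DC1 enables RFC2307, DC2's hand-added
# line lacks "= yes"; 3000017 is in the 3000000+ pool idmap.ldb allocates by default.
DC1_CONF = "[global]\n  workgroup = SAMDOM\n  idmap_ldb:use rfc2307 = yes\n[sysvol]\n  read only = No\n"
DC2_CONF = "[global]\n  workgroup = SAMDOM\n  idmap_ldb:use rfc2307 # Added manually after join domain\n"
LDIF = "dn: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org\nuid: fsmith\nuidNumber: 1000006\n"

if __name__ == "__main__":
    for dc, conf, uid in (("DC1", DC1_CONF, 1000006), ("DC2", DC2_CONF, 3000017)):
        print(dc, check_dc(conf, LDIF, uid) or ["ok"])
```

On a live DC the same comparison is made by feeding it `testparm -s` output, the `ldbsearch` record and the number printed by `wbinfo -S`.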

