[Samba] samba pdc winbind

duportail guy at duportail.be
Thu Feb 12 08:42:11 MST 2015


> >>>>>>>> There are a few lines that are duplicated in each smb.conf.
> >>>>>>>>
> >>>>>>>> I take it that you only use the PDC for authentication and don't let the
> >>>>>>>> users login.
> >>>>>>>>
> >>>>>>>> It has been some time since I set up and used a Linux client with a PDC,
> >>>>>>>> but I don't actually remember having all those passwd & script lines in
> >>>>>>>> the client smb.conf.
> >>>>>>>>
> >>>>>>>> Do the users exist as unix users on both machines ?
> >>>>>>>>
> >>>>>>>> Rowland
> >>>>>>>>
> >>>>>>> No, the users are created on the Debian PDC. That is the long number (as their username).
> >>>>>>> Then the users can log in on a joined Ubuntu computer in the classroom. It does not matter which one.
> >>>>>>> The long number (as their username) comes from a smartcard.
> >>>>>>> I have this setup in many schools, and working OK. But on this setup, with the long numbers as usernames, I have problems.
> >>>>>>> As I was debugging, I tried to su the user on a client machine, and got another user instead:
> >>>>>>> root@blank005:~# su 59031614949
> >>>>>>> 98121524292@blank005:/root$
> >>>>>>>
> >>>>>>> I have never seen this.
> >>>>>>> Is it a problem with long usernames and winbind?
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> Well, the portion of the logfile you posted is full of lines like this:
> >>>>>>
> >>>>>>      Failed to find a Unix account for 92101633919
> >>>>>>
> >>>>>> OK, just what part of that line do you not understand ?? :-)
> >>>>>>
> >>>>>> You need a unix user for '92101633919'
> >>>>>>
> >>>>>> Rowland
> >>>>>>
> >>>>> Correct, but there was this user:
> >>>>>
> >>>>> on debian pdc:
> >>>>> root@fai:~# cat /var/log/auth.log | grep 92101633919
> >>>>> Feb 10 14:54:51 fai useradd[9507]: new group: name=92101633919, GID=1209
> >>>>> Feb 10 14:54:51 fai useradd[9507]: new user: name=92101633919, UID=1209, GID=1209, home=/home/92101633919, shell=/bin/sh
> >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'audio'
> >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'dip'
> >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'video'
> >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'plugdev'
> >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'fuse'
> >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse'
> >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse-access'
> >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'audio'
> >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'dip'
> >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'video'
> >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'plugdev'
> >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'fuse'
> >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse'
> >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse-access'
> >>>>>
> >>>> OK, is '92101633919' in /etc/passwd on the pdc and does 'getent passwd
> >>>> 92101633919' return anything ?
> >>>>
> >>>> If they both are true, then you may have run into this bug:
> >>>> https://bugzilla.samba.org/show_bug.cgi?id=11044
> >>>>
> >>>> Rowland
> >>>>
> >>>>
> >>>>
> >>> Ok,
> >>> getent on another works ok,
> >>> but not on a user with numbers:
> >>> root@fai:~# getent passwd ubu
> >>> ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash
> >>> root@fai:~# getent passwd 71101411853
> >>> root@fai:~#
> >>>
> >>>
> >>> part of /etc/passwd
> >>>
> >>> ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash
> >>> bind:x:111:120::/var/cache/bind:/bin/false
> >>> fai$:x:1001:1003:Machine:/var/lib/samba:/bin/false
> >>> test:x:1002:1004::/home/test:/bin/sh
> >>> sshuser:x:1003:1005::/home/sshuser:/bin/sh
> >>> ubuntu8053$:x:1008:1003:Machine:/var/lib/samba:/bin/false
> >>> blank1$:x:1009:1003:Machine:/var/lib/samba:/bin/false
> >>> blank3$:x:1011:1003:Machine:/var/lib/samba:/bin/false
> >>> blank4$:x:1012:1003:Machine:/var/lib/samba:/bin/false
> >>> blank5$:x:1013:1003:Machine:/var/lib/samba:/bin/false
> >>> blank6$:x:1014:1003:Machine:/var/lib/samba:/bin/false
> >>> linux:x:1026:1026::/home/linux:/bin/sh
> >>> blank2$:x:1072:1003:blank2:/var/lib/nobody:/bin/false
> >>> blank004$:x:1092:1003:Machine:/var/lib/samba:/bin/false
> >>> blank001$:x:1093:1003:Machine:/var/lib/samba:/bin/false
> >>> blank005$:x:1094:1003:Machine:/var/lib/samba:/bin/false
> >>> blank002$:x:1095:1003:Machine:/var/lib/samba:/bin/false
> >>> blank003$:x:1096:1003:Machine:/var/lib/samba:/bin/false
> >>> blank006$:x:1097:1003:Machine:/var/lib/samba:/bin/false
> >>> 71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh
> >>> ayke:x:1104:1104:60,,,:/home/ayke:/bin/sh
> >>> blank0001$:x:1146:1003:Machine:/var/lib/samba:/bin/false
> >>>
> >>> Could it be the 60 in the line:
> >>> 71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh
> >>>
> >>> I use this 60 to know on the client machines how long they can be logged in (so that will be 60 minutes).
> >>> I add this with:
> >>> chfn -f 60  $username71101411853
> >>>
> >>>
> >> OK, it looks like your users have id's in the 1xxx range, yet you have
> >> this in smb.conf: winbind uid = 10000-20000, could this be your problem ?
> >>
> >> Rowland
> >>
> >>
> > No, this does not help.
> > What I also see: if a numeric username such as 71101411853 logs in on a client PC and starts, for example, Firefox, then top shows that Firefox is run by another (non-numeric) local user.
> > net cache flush also did not help.
> 
> I have nearly run out of ideas here, the only one left is, have you 
> considered upgrading to samba4 AD ?
> 
> Rowland
> 
> 
Not yet, will do that in the future when debian 8 comes out.

About the errors: I do not have any problems when the username is not numeric or partially numeric.
So if the username is abcdefghijk, no problems at all.
So I think it is the numeric usernames problem.

I found this:
http://www.linuxquestions.org/questions/linux-security-4/linux-userid-syntax-requirements-don%27t-allow-id-to-begin-with-a-number-368518/

Guy
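
An added check, not part of the original post: it lists passwd entries whose login name is all digits, since tools that accept either a name or a numeric ID may parse such a name as a UID. It also shows which UID that would be and whether another account already owns it. The function names, the "1000" sample entry and the reduction modulo 2^32 (a 32-bit uid_t) are assumptions made for this example.

```shell
#!/bin/sh
# Report passwd entries whose login name is entirely digits.

# Constructed sample: three entries copied from the thread's /etc/passwd
# excerpt, plus one invented entry ("1000") to show a collision.
sample_passwd() {
    cat <<'EOF'
ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash
71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh
ayke:x:1104:1104:60,,,:/home/ayke:/bin/sh
1000:x:1200:1200::/home/1000:/bin/sh
EOF
}

# Reads passwd-format lines on stdin. For each all-digit login name prints:
#   name  real_uid  uid_if_parsed_as_number  account_owning_that_uid_or_-
# Assumption: uid_t is 32 bits, so the parsed number is reduced mod 2^32.
audit_numeric_logins() {
    awk -F: '
        # Remember every name, its UID, and which name owns each UID.
        { name[NR] = $1; uid[NR] = $3; owner[$3] = $1 }
        END {
            for (i = 1; i <= NR; i++) {
                if (name[i] !~ /^[0-9]+$/) continue
                # %.0f avoids 32-bit clamping of %d in some awk builds.
                parsed = sprintf("%.0f", name[i] % 4294967296)
                hit = (parsed in owner) ? owner[parsed] : "-"
                printf "%s %s %s %s\n", name[i], uid[i], parsed, hit
            }
        }'
}

# Run against the constructed sample; use "getent passwd" or a copy of
# /etc/passwd as input on a real host.
sample_passwd | audit_numeric_logins
```

A "-" in the last column means no account in the input owns the parsed UID; a name there is the account a UID-based lookup would return instead.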

