[Samba] winbind backends ad and rfc2307 both with errors...
Sven Schumacher
schumacher at tfd.uni-hannover.de
Mon Jan 5 03:31:03 MST 2015
Hello,
I just set up a samba server (version 2:4.1.13+dfsg-4) on Debian 7.7,
being a member server of a Win2k8-Domain (before that, the server was
an old SuSE 10.4 Samba with its own user management as a standalone server).
I would like to use winbind with the idmap backend "ad" or "rfc2307"
instead.
When using rfc2307 (like in my conf specified), I can do successfully:
wbinfo -u
wbinfo -g
and even "getent passwd" shows the users. Only "getent group" doesn't
list any domain-based group (but the uid and gid values look like they
are served from tdb instead of ad).
wbinfo -i $USER gives uid and gid values coming from the tdb database
(70000...), too.
wbinfo --group-info $GROUP gives the right members of the group, but the
wrong gid (coming from tdb, too).
When I use the backend "ad", wbinfo -u and wbinfo -g work without
failure, too. But "getent passwd" and "getent group" don't show any
domain-based entry.
Calling "wbinfo -i $USER" tells me:
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user $USER
wbinfo --group-info $GROUP
works fine and has the correct information.
In the winbind log files (using -d 10 for debugging):
[2015/01/05 10:51:48.578960, 10, pid=18923, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap.c:377(idmap_find_domain)
idmap_find_domain called for domain 'LUH-TFD'
[2015/01/05 10:51:48.579001, 10, pid=18923, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_ad.c:64(ad_idmap_cached_connection)
ad_idmap_cached_connection: called for domain 'LUH-TFD'
[2015/01/05 10:51:48.579034, 7, pid=18923, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:61(ads_cached_connection_reuse)
Current tickets expire in 35972 seconds (at 1420487480, time is now 1420451508)
[2015/01/05 10:51:48.579085, 10, pid=18923, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_ad.c:452(idmap_ad_sids_to_unixids)
Filter: [(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\AD\A7\D8\C3\A75a\80a<\EF\1A\80\04\00\00)))]
[2015/01/05 10:51:48.579963, 5, pid=18923, effective(0, 0), real(0, 0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
Search for (&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\AD\A7\D8\C3\A75a\80a<\EF\1A\80\04\00\00))) in <dc=LUH-TFD,dc=LOCAL> gave 1 replies
[2015/01/05 10:51:48.580034, 10, pid=18923, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_ad.c:539(idmap_ad_sids_to_unixids)
Mapped S-1-5-21-3285755821-2153854375-451886177-1152 -> 516 (1)
[2015/01/05 10:51:48.580078, 10, pid=18923, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual_srv.c:194(_wbint_Sids2UnixIDs)
sids_to_unixids returned NT_STATUS_OK
[2015/01/05 10:51:48.580112, 1, pid=18923, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
out: struct wbint_Sids2UnixIDs
ids : *
ids: struct wbint_TransIDArray
num_ids : 0x00000001 (1)
ids: ARRAY(1)
ids: struct wbint_TransID
type : ID_TYPE_UID (1)
domain_index : 0x00000000 (0)
rid : 0x00000480 (1152)
xid: struct unixid
id : 0x00000204 (516)
type : ID_TYPE_UID (1)
result : NT_STATUS_OK
[2015/01/05 10:51:48.580343, 4, pid=18923, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1346(child_handler)
Finished processing child request 59
[2015/01/05 10:51:48.580402, 10, pid=18923, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1363(child_handler)
Writing 3528 bytes to parent
[2015/01/05 10:51:48.582682, 10, pid=18923, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:71(child_read_request)
Need to read 110 extra bytes
[2015/01/05 10:51:48.582753, 4, pid=18923, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1338(child_handler)
child daemon request 59
[2015/01/05 10:51:48.582801, 10, pid=18923, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:458(child_process_request)
child_process_request: request fn NDRCMD
Summary:
So, by using backend ad winbind is able to fetch the uid, but reports
errors (and getent passwd, getent group fails), fetching gid works
without error.
By using backend rfc2307 winbind is able to fetch user and group-lists
using wbinfo and getent passwd/group but has wrong uid and gid.
Any suggestions for possible solutions?
Even stripping down my config to mention only the main domain (instead
of the trusted ones, too) doesn't solve the problem.
My config (smb.conf) for winbind (anything obvious wrong here?):
[global]
workgroup = LUH-TFD
realm = LUH-TFD.LOCAL
follow symlinks = yes
security = ADS
printing = cups
printcap name = cups
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
idmap config * : backend = tdb
idmap config * : range = 70000-80000
idmap config LUH-TFD : range = 500-69999
idmap config LUH-TFD : backend = rfc2307
idmap config LUH-TFD : ldap_server = ad
idmap config POOL : range = 500-69999
idmap config POOL : backend = rfc2307
idmap config POOL : ldap_server = ad
idmap config WINPOOL : range = 500-69999
idmap config WINPOOL : backend = rfc2307
idmap config WINPOOL : ldap_server = ad
# idmap config WINPOOL : range = 500-69999
# idmap config WINPOOL : backend = ad
# idmap config WINPOOL : schema_mode = rfc2307
# idmap config LUH-TFD : range = 500-69999
# idmap config LUH-TFD : backend = ad
# idmap config LUH-TFD : schema_mode = rfc2307
# idmap config POOL : range = 500-69999
# idmap config POOL : backend = ad
# idmap config POOL : schema_mode = rfc2307
template shell = /bin/false
template homedir = /home/%U
winbind offline logon = yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
map untrusted to domain = no
obey pam restrictions = no
client use spnego = yes
client ntlmv2 auth = yes
allow trusted domains = yes
winbind normalize names = yes
winbind use default domain = yes
winbind refresh tickets = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind trusted domains only = no
my /etc/krb5.conf:
[libdefaults]
default_realm = LUH-TFD.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
renew_lifetime = 7d
ticket_lifetime = 24h
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = true
}
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
POOL.LUH-TFD.LOCAL = {
kdc = winad2.tfd.uni-hannover.de:88
admin_server = winad2.tfd.uni-hannover.de:749
default_domain = pool.luh-tfd.local
}
LUH-TFD.LOCAL = {
kdc = winad1.tfd.uni-hannover.de:88
admin_server = winad1.tfd.uni-hannover.de:749
default_domain = luh-tfd.local
}
WINPOOL.TFD.UNI-HANNOVER.DE = {
kdc = aias.winpool.tfd.uni-hannover.de:88
admin_server = aias.winpool.tfd.uni-hannover.de:749
default_domain = winpool.tfd.uni-hannover.de
}
[domain_realm]
.luh-tfd.local = LUH-TFD.LOCAL
luh-tfd.local = LUH-TFD.LOCAL
.winpool.tfd.uni-hannover.de = WINPOOL.TFD.UNI-HANNOVER.DE
winpool.tfd.uni-hannover.de = WINPOOL.TFD.UNI-HANNOVER.DE
.pool.luh-tfd.local = POOL.LUH-TFD.LOCAL
pool.luh-tfd.local = POOL.LUH-TFD.LOCAL
[login]
krb4_convert = true
krb4_get_tickets = true
my /etc/nsswitch.conf:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
sudoers: files
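An added diagnostic (not part of the original post or of Samba) for the idmap ranges in the smb.conf above: it parses the "idmap config DOMAIN : key = value" lines, warns when a range that allocates or computes IDs locally (tdb, rid, ...) overlaps another range, and tells which configured range a uid or gid reported by wbinfo -i falls into. The first sample config is copied from the post; the second one ("bad") is constructed to show an overlap finding. Applied to the post's config, a uid in the 70000-80000 range can only have come from the default "*" tdb backend, which is the observation made above for the rfc2307 case.

```python
"""Check smb.conf idmap ranges and interpret IDs served by winbind.
Added example, not from the original post or from Samba itself."""
import re
from typing import Dict, List, Tuple

IdmapCfg = Dict[str, Dict[str, str]]

# Matches: idmap config <DOMAIN or *> : <key> = <value>
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

# Backends that allocate or compute IDs locally: two such ranges that overlap
# hand out colliding IDs. "ad" and "rfc2307" read uidNumber/gidNumber from the
# directory, so a range shared between them is harmless.
COLLISION_PRONE = {"tdb", "tdb2", "ldap", "autorid", "rid"}

# Sample 1: the idmap lines of the smb.conf posted above.
SMB_CONF = """
[global]
workgroup = LUH-TFD
idmap config * : backend = tdb
idmap config * : range = 70000-80000
idmap config LUH-TFD : range = 500-69999
idmap config LUH-TFD : backend = rfc2307
idmap config LUH-TFD : ldap_server = ad
idmap config POOL : range = 500-69999
idmap config POOL : backend = rfc2307
idmap config POOL : ldap_server = ad
idmap config WINPOOL : range = 500-69999
idmap config WINPOOL : backend = rfc2307
idmap config WINPOOL : ldap_server = ad
# idmap config WINPOOL : backend = ad
"""

# Sample 2: constructed config where the default tdb range overlaps a rid range.
BAD_CONF = """
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 15000-25000
"""


def parse_idmap_config(text: str) -> IdmapCfg:
    """Collect idmap options keyed by domain name; comments are skipped."""
    cfg: IdmapCfg = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
            cfg.setdefault(domain, {})[key] = value
    return cfg


def parse_range(value: str) -> Tuple[int, int]:
    """'500-69999' -> (500, 69999); an inverted range is a config error."""
    low, high = (int(x) for x in value.split("-", 1))
    if low > high:
        raise ValueError(f"range low > high: {value}")
    return low, high


def find_range_problems(cfg: IdmapCfg) -> List[str]:
    """Missing or inverted ranges, and overlaps that can produce colliding IDs."""
    problems: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    for domain, opts in cfg.items():
        if "range" not in opts:
            problems.append(f"{domain}: no range configured, mappings will be refused")
            continue
        try:
            ranges[domain] = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"{domain}: {exc}")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:  # intervals intersect
                a_be = cfg[a].get("backend", "?").lower()
                b_be = cfg[b].get("backend", "?").lower()
                if a_be in COLLISION_PRONE or b_be in COLLISION_PRONE:
                    problems.append(f"{a} ({a_be}) and {b} ({b_be}) share IDs "
                                    f"{max(a_lo, b_lo)}-{min(a_hi, b_hi)}")
    return problems


def domains_for_id(cfg: IdmapCfg, xid: int) -> List[str]:
    """Names of all configured ranges containing xid (several if ranges are shared)."""
    return sorted(d for d, o in cfg.items()
                  if "range" in o and parse_range(o["range"])[0] <= xid <= parse_range(o["range"])[1])


def explain_id(cfg: IdmapCfg, xid: int) -> str:
    """Interpret a uid/gid from 'wbinfo -i' or 'getent' against the ranges."""
    hits = domains_for_id(cfg, xid)
    if not hits:
        return f"{xid}: outside every configured range"
    if hits == ["*"]:
        backend = cfg["*"].get("backend", "?")
        return (f"{xid}: in the default '*' range (backend {backend}); allocated locally, "
                f"so the domain backend supplied no mapping from the directory")
    return f"{xid}: in the range of {', '.join(hits)}"


if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF)
    print(explain_id(cfg, 70001))
    print(explain_id(cfg, 1005))
    for p in find_range_problems(parse_idmap_config(BAD_CONF)):
        print("problem:", p)
```

The checker only says which configured range an ID falls into, not which backend actually answered; for an ID that lands in the "*" range the conclusion is still firm, because the domain backends here are confined to 500-69999.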