[Samba] winbind backends ad and rfc2307 both with errors...

Sven Schumacher schumacher at tfd.uni-hannover.de
Mon Jan 5 03:31:03 MST 2015


Hello,

I just set up a samba server (version 2:4.1.13+dfsg-4) on Debian 7.7, 
being a member server of a Win2k8 domain (before that, that server was 
an old SuSE (10.4) Samba with its own user management (standalone 
server)).
I would like to use winbind with the idmap backend "ad" or "rfc2307" 
instead.

When using rfc2307 (as specified in my conf), I can successfully run:
wbinfo -u
wbinfo -g
and even "getent passwd" shows the users. Only "getent group" doesn't 
list any domain-based group (but the uid and gid values look like they 
are served from tdb instead of ad).
wbinfo -i $USER gives uid and gid values coming from the tdb database 
(70000...), too.
wbinfo --group-info $GROUP gives the right members of the group, but the 
wrong gid (coming from tdb, too).

When I use the backend "ad", wbinfo -u and wbinfo -g work without 
failure, too. But "getent passwd" and "getent group" don't show any 
domain-based entry.
Calling "wbinfo -i $USER" tells me:

failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user $USER

wbinfo --group-info $GROUP

works fine and has the correct information.

In the winbind-logfiles (using -d 10 for debugging):

[2015/01/05 10:51:48.578960, 10, pid=18923, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap.c:377(idmap_find_domain)
   idmap_find_domain called for domain 'LUH-TFD'
[2015/01/05 10:51:48.579001, 10, pid=18923, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_ad.c:64(ad_idmap_cached_connection)
   ad_idmap_cached_connection: called for domain 'LUH-TFD'
[2015/01/05 10:51:48.579034,  7, pid=18923, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:61(ads_cached_connection_reuse)
   Current tickets expire in 35972 seconds (at 1420487480, time is now 1420451508)
[2015/01/05 10:51:48.579085, 10, pid=18923, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_ad.c:452(idmap_ad_sids_to_unixids)
   Filter: [(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\AD\A7\D8\C3\A75a\80a<\EF\1A\80\04\00\00)))]
[2015/01/05 10:51:48.579963,  5, pid=18923, effective(0, 0), real(0, 0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
   Search for (&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\AD\A7\D8\C3\A75a\80a<\EF\1A\80\04\00\00))) in <dc=LUH-TFD,dc=LOCAL> gave 1 replies
[2015/01/05 10:51:48.580034, 10, pid=18923, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_ad.c:539(idmap_ad_sids_to_unixids)
   Mapped S-1-5-21-3285755821-2153854375-451886177-1152 -> 516 (1)
[2015/01/05 10:51:48.580078, 10, pid=18923, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual_srv.c:194(_wbint_Sids2UnixIDs)
   sids_to_unixids returned NT_STATUS_OK
[2015/01/05 10:51:48.580112,  1, pid=18923, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
        wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
           out: struct wbint_Sids2UnixIDs
               ids                      : *
                   ids: struct wbint_TransIDArray
                       num_ids                  : 0x00000001 (1)
                       ids: ARRAY(1)
                           ids: struct wbint_TransID
                               type                     : ID_TYPE_UID (1)
                               domain_index             : 0x00000000 (0)
                               rid                      : 0x00000480 (1152)
                               xid: struct unixid
                                   id                       : 0x00000204 (516)
                                   type                     : ID_TYPE_UID (1)
               result                   : NT_STATUS_OK
[2015/01/05 10:51:48.580343,  4, pid=18923, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1346(child_handler)
   Finished processing child request 59
[2015/01/05 10:51:48.580402, 10, pid=18923, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1363(child_handler)
   Writing 3528 bytes to parent
[2015/01/05 10:51:48.582682, 10, pid=18923, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:71(child_read_request)
   Need to read 110 extra bytes
[2015/01/05 10:51:48.582753,  4, pid=18923, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1338(child_handler)
   child daemon request 59
[2015/01/05 10:51:48.582801, 10, pid=18923, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:458(child_process_request)
   child_process_request: request fn NDRCMD


Summary:
So, with the backend ad, winbind is able to fetch the uid but reports 
errors (and getent passwd and getent group fail); fetching the gid works 
without error.
With the backend rfc2307, winbind is able to fetch the user and group 
lists using wbinfo and getent passwd/group, but has the wrong uid and gid.
Any suggestions for possible solutions?
Even stripping down my config to mention only the main domain (instead 
of the trusted ones, too) doesn't solve the problem.

My config (smb.conf) for winbind (anything obvious wrong here?):

[global]
    workgroup = LUH-TFD
    realm = LUH-TFD.LOCAL
    follow symlinks = yes
    security = ADS
    printing = cups
    printcap name = cups
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
     idmap config * : backend = tdb
     idmap config * : range = 70000-80000
     idmap config LUH-TFD : range = 500-69999
     idmap config LUH-TFD : backend = rfc2307
     idmap config LUH-TFD : ldap_server = ad
     idmap config POOL : range = 500-69999
     idmap config POOL : backend = rfc2307
     idmap config POOL : ldap_server = ad
     idmap config WINPOOL : range = 500-69999
     idmap config WINPOOL : backend = rfc2307
     idmap config WINPOOL : ldap_server = ad
#    idmap config WINPOOL : range = 500-69999
#    idmap config WINPOOL : backend = ad
#    idmap config WINPOOL : schema_mode = rfc2307
#    idmap config LUH-TFD : range = 500-69999
#    idmap config LUH-TFD : backend = ad
#    idmap config LUH-TFD : schema_mode = rfc2307
#    idmap config POOL : range = 500-69999
#    idmap config POOL : backend = ad
#    idmap config POOL : schema_mode = rfc2307
     template shell = /bin/false
     template homedir = /home/%U
     winbind offline logon = yes
          kerberos method = secrets and keytab
          dedicated keytab file = /etc/krb5.keytab
     map untrusted to domain = no
     obey pam restrictions = no
     client use spnego = yes
     client ntlmv2 auth = yes
     allow trusted domains = yes
     winbind normalize names = yes
     winbind use default domain = yes
     winbind refresh tickets = yes
     winbind nss info = rfc2307
     winbind enum users = yes
     winbind enum groups = yes
     winbind nested groups = yes
     winbind trusted domains only = no



My /etc/krb5.conf:

[libdefaults]
         default_realm = LUH-TFD.LOCAL
         dns_lookup_realm = false
         dns_lookup_kdc = false
         renew_lifetime = 7d
         ticket_lifetime = 24h
         krb4_config = /etc/krb.conf
         krb4_realms = /etc/krb.realms
         kdc_timesync = 1
         ccache_type = 4
         forwardable = true
         proxiable = true
         default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
         default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
         permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[appdefaults]
     pam = {
         debug = false
         ticket_lifetime = 36000
         renew_lifetime = 36000
         forwardable = true
         krb4_convert = true
     }
# The following libdefaults parameters are only for Heimdal Kerberos.
         v4_instance_resolve = false
         v4_name_convert = {
                 host = {
                         rcmd = host
                         ftp = ftp
                 }
                 plain = {
                         something = something-else
                 }
         }
         fcc-mit-ticketflags = true

[realms]
         POOL.LUH-TFD.LOCAL = {
                 kdc = winad2.tfd.uni-hannover.de:88
                 admin_server = winad2.tfd.uni-hannover.de:749
                 default_domain = pool.luh-tfd.local
         }
         LUH-TFD.LOCAL = {
                 kdc = winad1.tfd.uni-hannover.de:88
                 admin_server = winad1.tfd.uni-hannover.de:749
                 default_domain = luh-tfd.local
         }
         WINPOOL.TFD.UNI-HANNOVER.DE = {
                 kdc = aias.winpool.tfd.uni-hannover.de:88
                 admin_server = aias.winpool.tfd.uni-hannover.de:749
                 default_domain = winpool.tfd.uni-hannover.de
         }

[domain_realm]
         .luh-tfd.local = LUH-TFD.LOCAL
         luh-tfd.local = LUH-TFD.LOCAL
         .winpool.tfd.uni-hannover.de = WINPOOL.TFD.UNI-HANNOVER.DE
         winpool.tfd.uni-hannover.de = WINPOOL.TFD.UNI-HANNOVER.DE
         .pool.luh-tfd.local = POOL.LUH-TFD.LOCAL
         pool.luh-tfd.local = POOL.LUH-TFD.LOCAL

[login]
         krb4_convert = true
         krb4_get_tickets = true


My /etc/nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
sudoers:        files
