[Samba] winbind backends ad and rfc2307 both with errors...
Rowland Penny
rowlandpenny at googlemail.com
Mon Jan 5 04:08:43 MST 2015
On 05/01/15 10:31, Sven Schumacher wrote:
> Hello,
>
> I just set up a samba server (version 2:4.1.13+dfsg-4) on Debian 7.7,
> being a member server of a Win2k8-Domain (before that, that server was
> an old SuSE (10.4)-Samba with its own user-management (standalone-server)).
> I would like to use winbind with the idmap backend "ad" or "rfc2307"
> instead.
>
> When using rfc2307 (like in my conf specified), I can do successfully:
> wbinfo -u
> wbinfo -g
> and even "getent passwd" shows the users. Only "getent group" doesn't
> list any domain-based group (but the uid and gid values look like they
> are being served from tdb instead of ad).
> wbinfo -i $USER gives uid and gid values coming from the tdb database
> (70000...), too.
> wbinfo --group-info $GROUP gives the right members of the group, but
> the wrong gid (coming from tdb, too).
>
> When I use the backend "ad", wbinfo -u and wbinfo -g work without
> failure, too. But "getent passwd" and "getent group" don't show any
> domain-based entry.
> Calling "wbinfo -i $USER" tells me:
>
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user $USER
>
> wbinfo --group-info $GROUP
>
> works fine and has the correct information.
>
> In the winbind-logfiles (using -d 10 for debugging):
>
> 2015/01/05 10:51:48.578960, 10, pid=18923, effective(0, 0), real(0,
> 0), class=idmap] ../source3/winbindd/idmap.c:377(idmap_find_domain)
> idmap_find_domain called for domain 'LUH-TFD'
> [2015/01/05 10:51:48.579001, 10, pid=18923, effective(0, 0), real(0,
> 0), class=idmap]
> ../source3/winbindd/idmap_ad.c:64(ad_idmap_cached_connection)
> ad_idmap_cached_connection: called for domain 'LUH-TFD'
> [2015/01/05 10:51:48.579034, 7, pid=18923, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_ads.c:61(ads_cached_connection_reuse)
> Current tickets expire in 35972 seconds (at 1420487480, time is now
> 1420451508)
> [2015/01/05 10:51:48.579085, 10, pid=18923, effective(0, 0), real(0,
> 0), class=idmap]
> ../source3/winbindd/idmap_ad.c:452(idmap_ad_sids_to_unixids)
> Filter:
> [(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\AD\A7\D8\C3\A75a\80a<\EF\1A\80\04\00\00)))]
> [2015/01/05 10:51:48.579963, 5, pid=18923, effective(0, 0), real(0,
> 0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
> Search for
> (&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\AD\A7\D8\C3\A75a\80a<\EF\1A\80\04\00\00)))
> in <dc=LUH-TFD,dc=LOCAL> gave 1 replies
> [2015/01/05 10:51:48.580034, 10, pid=18923, effective(0, 0), real(0,
> 0), class=idmap]
> ../source3/winbindd/idmap_ad.c:539(idmap_ad_sids_to_unixids)
> Mapped S-1-5-21-3285755821-2153854375-451886177-1152 -> 516 (1)
> [2015/01/05 10:51:48.580078, 10, pid=18923, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_dual_srv.c:194(_wbint_Sids2UnixIDs)
> sids_to_unixids returned NT_STATUS_OK
> [2015/01/05 10:51:48.580112, 1, pid=18923, effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
> wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
> out: struct wbint_Sids2UnixIDs
> ids : *
> ids: struct wbint_TransIDArray
> num_ids : 0x00000001 (1)
> ids: ARRAY(1)
> ids: struct wbint_TransID
> type : ID_TYPE_UID (1)
> domain_index : 0x00000000 (0)
> rid : 0x00000480
> (1152)
> xid: struct unixid
> id :
> 0x00000204 (516)
> type :
> ID_TYPE_UID (1)
> result : NT_STATUS_OK
> [2015/01/05 10:51:48.580343, 4, pid=18923, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
> Finished processing child request 59
> [2015/01/05 10:51:48.580402, 10, pid=18923, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_dual.c:1363(child_handler)
> Writing 3528 bytes to parent
> [2015/01/05 10:51:48.582682, 10, pid=18923, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_dual.c:71(child_read_request)
> Need to read 110 extra bytes
> [2015/01/05 10:51:48.582753, 4, pid=18923, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_dual.c:1338(child_handler)
> child daemon request 59
> [2015/01/05 10:51:48.582801, 10, pid=18923, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_dual.c:458(child_process_request)
> child_process_request: request fn NDRCMD
>
>
> Summary:
> So, by using backend ad, winbind is able to fetch the uid, but reports
> errors (and getent passwd, getent group fail); fetching the gid works
> without error.
> By using backend rfc2307, winbind is able to fetch user and group lists
> using wbinfo and getent passwd/group, but has wrong uid and gid.
> Any suggestions for possible solutions?
> Even stripping down my config to mention only the main domain (instead
> of the trusted ones, too) doesn't solve the problem.
>
> My config (smb.conf) for winbind (anything obvious wrong here?):
Quite a lot actually :-)
Try changing your smb.conf to this:
[global]
workgroup = LUH-TFD
security = ADS
realm = LUH-TFD.LOCAL
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = yes
winbind normalize names = yes
winbind offline logon = yes
idmap config * : backend = tdb
idmap config * : range = 70000-80000
idmap config LUH-TFD : backend = ad
idmap config LUH-TFD : range = 500-69999
idmap config LUH-TFD : schema_mode = rfc2307
domain master = no
local master = no
preferred master = no
printcap name = cups
printing = cups
template shell = /bin/false
template homedir = /home/%U
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
OH and you are number 5 this week, please do not use .local as the
domain name.
Rowland
>
> [global]
> workgroup = LUH-TFD
> realm = LUH-TFD.LOCAL
> follow symlinks = yes
> security = ADS
> printing = cups
> printcap name = cups
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> idmap config * : backend = tdb
> idmap config * : range = 70000-80000
> idmap config LUH-TFD : range = 500-69999
> idmap config LUH-TFD : backend = rfc2307
> idmap config LUH-TFD : ldap_server = ad
> idmap config POOL : range = 500-69999
> idmap config POOL : backend = rfc2307
> idmap config POOL : ldap_server = ad
> idmap config WINPOOL : range = 500-69999
> idmap config WINPOOL : backend = rfc2307
> idmap config WINPOOL : ldap_server = ad
> # idmap config WINPOOL : range = 500-69999
> # idmap config WINPOOL : backend = ad
> # idmap config WINPOOL : schema_mode = rfc2307
> # idmap config LUH-TFD : range = 500-69999
> # idmap config LUH-TFD : backend = ad
> # idmap config LUH-TFD : schema_mode = rfc2307
> # idmap config POOL : range = 500-69999
> # idmap config POOL : backend = ad
> # idmap config POOL : schema_mode = rfc2307
> template shell = /bin/false
> template homedir = /home/%U
> winbind offline logon = yes
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> map untrusted to domain = no
> obey pam restrictions = no
> client use spnego = yes
> client ntlmv2 auth = yes
> allow trusted domains = yes
> winbind normalize names = yes
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> winbind trusted domains only = no
>
>
>
> my /etc/krb5.conf:
>
> [libdefaults]
> default_realm = LUH-TFD.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = false
> renew_lifetime = 7d
> ticket_lifetime = 24h
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96
> aes128-cts-hmac-sha1-96
> default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96
> aes128-cts-hmac-sha1-96
> permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96
> aes128-cts-hmac-sha1-96
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = true
> }
> # The following libdefaults parameters are only for Heimdal Kerberos.
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
> fcc-mit-ticketflags = true
>
> [realms]
> POOL.LUH-TFD.LOCAL = {
> kdc = winad2.tfd.uni-hannover.de:88
> admin_server = winad2.tfd.uni-hannover.de:749
> default_domain = pool.luh-tfd.local
> }
> LUH-TFD.LOCAL = {
> kdc = winad1.tfd.uni-hannover.de:88
> admin_server = winad1.tfd.uni-hannover.de:749
> default_domain = luh-tfd.local
> }
> WINPOOL.TFD.UNI-HANNOVER.DE = {
> kdc = aias.winpool.tfd.uni-hannover.de:88
> admin_server = aias.winpool.tfd.uni-hannover.de:749
> default_domain = winpool.tfd.uni-hannover.de
> }
>
> [domain_realm]
> .luh-tfd.local = LUH-TFD.LOCAL
> luh-tfd.local = LUH-TFD.LOCAL
> .winpool.tfd.uni-hannover.de = WINPOOL.TFD.UNI-HANNOVER.DE
> winpool.tfd.uni-hannover.de = WINPOOL.TFD.UNI-HANNOVER.DE
> .pool.luh-tfd.local = POOL.LUH-TFD.LOCAL
> pool.luh-tfd.local = POOL.LUH-TFD.LOCAL
>
> [login]
> krb4_convert = true
> krb4_get_tickets = true
>
>
> my /etc/nsswitch.conf:
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed,
> try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> hosts: files dns mdns4
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
> sudoers: files
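The whole exchange comes down to the idmap block of smb.conf. As an added example (not code from the thread or from Samba), the Python below parses the `idmap config` lines of an smb.conf, flags what a reviewer would check first (no default `*` backend, a domain without a backend or range, ranges that are not mutually disjoint as smb.conf(5) requires), and reports which configured range a given uid falls in, which is how you can tell that a 70000-series uid from `wbinfo -i` was allocated from the tdb default range rather than read from AD. The sample config lines are constructed from the poster's smb.conf, with POOL (same range as WINPOOL) left out.

```python
import re
# Constructed sample: the poster's idmap lines, with POOL (same range) omitted.
POSTED_SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 70000-80000
idmap config LUH-TFD : range = 500-69999
idmap config LUH-TFD : backend = rfc2307
idmap config LUH-TFD : ldap_server = ad
idmap config WINPOOL : range = 500-69999
idmap config WINPOOL : backend = rfc2307
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {DOMAIN: {key: value}} for every 'idmap config' line in smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return domains

def id_range(keys):
    lo, hi = (int(x) for x in keys["range"].split("-"))  # '500-69999' -> (500, 69999)
    return lo, hi

def check_idmap(conf):
    """List problems in the idmap block; an empty list means it looks sane."""
    domains = parse_idmap(conf)
    problems = [] if "*" in domains else ["no 'idmap config *' default backend"]
    ranges = {}
    for dom, keys in domains.items():
        for required in ("backend", "range"):
            if required not in keys:
                problems.append(f"{dom}: no {required}")
        if "range" in keys:
            ranges[dom] = id_range(keys)
    items = sorted(ranges.items())
    for i, (d1, (lo1, hi1)) in enumerate(items):
        for d2, (lo2, hi2) in items[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:  # smb.conf(5): ranges must be mutually disjoint
                problems.append(f"ranges of {d1} and {d2} overlap")
    return problems

def id_owner(conf, xid):
    """Name the idmap domain whose range holds xid, e.g. a uid reported by 'wbinfo -i'."""
    for dom, keys in parse_idmap(conf).items():
        if "range" in keys and id_range(keys)[0] <= xid <= id_range(keys)[1]:
            return dom
    return None
```

Run against the posted config it reports the LUH-TFD/WINPOOL range overlap, and `id_owner(POSTED_SMB_CONF, 70000)` answers `*`, i.e. the tdb default backend, while the 516 seen in the debug log lands in the LUH-TFD range.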