[Samba] Can't get idmap_ad to work with winbind (only idmap_rid)

a.braml at buerger-energie-berlin.de a.braml at buerger-energie-berlin.de
Mon Jan 26 22:44:49 MST 2015


Hi!

With the end of support for Win XP from many application vendors, we 
finally decided to go AD with our small domain that right now consists 
of two XP desktop clients and one Samba PDC (3.6 from official Ubuntu 
12.04 packages) that's also offering some file shares and a printer 
share. Since there already is one FreeBSD server for backup/mirroring, I 
decided to go all FreeBSD in the process. The final setup would consist 
of:

Realm/Domain TEST.BUERGER-ENERGIE-BERLIN.DE
FreeBSD 10.1-RELEASE AD DC with Samba 4 from ports (4.1.16 right now), 
single domain forest
FreeBSD 10.1-RELEASE AD Member Server with Samba 4 from ports
2 Win 7 Professional SP1 desktop clients

I installed everything in a Virtualbox host-only network with a layout 
identical to what the actual network will be.

For the setup, I followed the Wiki at http://wiki.samba.org for the AD 
DC and AD Member server setup. I followed the instructions for RFC 2307 
and decided to use RID+100000 for the default users/groups and 102XXX 
for my additional groups/users. I set the corresponding GID/UID in the 
UNIX attributes via ADUC from one of the Win 7 clients. And it works! 
Well, mostly...

The problem is that on the AD member server, I can't use the ad backend 
with winbind. The rid backend works, though. This doesn't seem to be a 
problem with FreeBSD, as I can reproduce that error on member servers 
running Ubuntu 12.04 with Samba 3.6 or Ubuntu 14.04 with Samba 4.

The behavior I get is as follows:

When I set

    idmap config *:backend = tdb
    idmap config *:range = 70000-99999
    idmap config TEST:backend = ad
    idmap config TEST:schema_mode = rfc2307
    idmap config TEST:range = 100000-2000000
    winbind nss info = rfc2307

in the AD member server's smb.conf, getent passwd gives me

administrator:*:70000:70017:Administrator:/home/TEST/administrator:/bin/false
test:*:70003:70004:Test User:/home/TEST/test:/bin/false
krbtgt:*:70001:70004:krbtgt:/home/TEST/krbtgt:/bin/false
guest:*:70002:70005:Guest:/home/TEST/guest:/bin/false

So the TEST:range is ignored, *:range is used instead. User Shell, Home 
Dir and the UID (102000 for the test user) from the UNIX attributes in 
AD are ignored.

When I set

    idmap config *:backend = tdb
    idmap config *:range = 70000-99999
    idmap config TEST:backend = rid
    idmap config TEST:range = 100000-2000000
    winbind nss info = rfc2307

instead, getent passwd gives me

administrator:*:100500:100512:Administrator:/home/TEST/administrator:/bin/false
test:*:101105:100513:Test User:/home/TEST/test:/bin/false
krbtgt:*:100502:100513:krbtgt:/home/TEST/krbtgt:/bin/false
guest:*:100501:100514:Guest:/home/TEST/guest:/bin/false

So the TEST:range is respected now. But User Shell and Home Dir from the 
UNIX attributes in the AD are still ignored.

There are log entries in the AD member server's log.winbindd stating 
"Added (BUILTIN|BSDMEM|TEST.BUERGER-ENERGIE-BERLIN.DE) ...". My 
log.winbindd-dc-connect is completely empty, though! Is this a first 
clue?

It would be no problem to go with the RID backend for now. But as I 
understand, this might give trouble should I ever trust domains from 
another forest in the future. With a big warning in our documentation, I 
could live with that. But I'd prefer to get the ad backend working from 
the start.

What's going on here? Any clues? I searched the list archives and the 
WWW with ixquick, but found no solution for my problem.

The AD DC I provisioned with

    # samba-tool domain provision --use-rfc2307 --interactive --option "nsupdate command = /usr/local/bin/samba-nsupdate -g"

The --option I appended because the message from the ports install told 
me to add this to my smb.conf.

In the following interactive setup, I went with the defaults, adding 
only the dns forwarder.

From this I got:

# AD DC smb.conf
[global]
    workgroup = TEST
    realm = TEST.BUERGER-ENERGIE-BERLIN.DE
    netbios name = BSDSRV
    server role = active directory domain controller
    dns forwarder = 62.109.121.2
    idmap_ldb:use rfc2307 = yes

    nsupdate command = /usr/local/bin/samba-nsupdate -g

[netlogon]
    path = /var/db/samba4/sysvol/test.buerger-energie-berlin.de/scripts
    read only = No

[sysvol]
    path = /var/db/samba4/sysvol
    read only = No
# END AD DC smb.conf

On the AD member server, I edited my smb4.conf as follows

# AD Member Server smb.conf
[global]

    netbios name = BSDMEM
    workgroup = TEST
    security = ADS
    realm = TEST.BUERGER-ENERGIE-BERLIN.DE
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    idmap config *:backend = tdb
    idmap config *:range = 70000-99999
    idmap config TEST:backend = ad
    idmap config TEST:schema_mode = rfc2307
    idmap config TEST:range = 100000-2000000

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes

    nsupdate command = /usr/local/bin/samba-nsupdate -g

    load printers = no

    log level = winbind:2
# END AD Member Server smb.conf

Any help would be greatly appreciated!


Cheers,
Andreas
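A small checker, added here as an example and not part of Andreas's post or of Samba itself, that parses the idmap config lines and the getent passwd output quoted above and reports, for each user, which configured range the UID landed in: the "*" fallback range seen with the ad backend, or the TEST range seen with the rid backend, where UID minus the range's low end gives the account's RID. The sample inputs are constructed from the lines in the post.

```python
import re

# Constructed samples, copied from the post: the member server's idmap lines
# (with the TEST backend as a parameter) and two getent passwd lines per run.
IDMAP_CONF = """idmap config *:backend = tdb
idmap config *:range = 70000-99999
idmap config TEST:backend = {backend}
idmap config TEST:range = 100000-2000000
"""
GETENT_AD = """administrator:*:70000:70017:Administrator:/home/TEST/administrator:/bin/false
test:*:70003:70004:Test User:/home/TEST/test:/bin/false
"""
GETENT_RID = """administrator:*:100500:100512:Administrator:/home/TEST/administrator:/bin/false
test:*:101105:100513:Test User:/home/TEST/test:/bin/false
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (lo, hi)}} from smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
            if key == "range":
                lo, hi = val.split("-")
                cfg.setdefault(dom, {})["range"] = (int(lo), int(hi))
            else:
                cfg.setdefault(dom, {})["backend"] = val.lower()
    return cfg

def which_range(uid, cfg):
    """Name the idmap domain whose range contains uid ('*' is the default/fallback), or None."""
    for dom, d in cfg.items():
        lo, hi = d.get("range", (0, -1))
        if lo <= uid <= hi:
            return dom
    return None

def audit(getent, cfg):
    """Per passwd line: (user, uid, range hit, RID if that range uses rid backend, fell back to '*')."""
    rows = []
    for line in filter(None, getent.splitlines()):
        f = line.split(":")
        user, uid = f[0], int(f[2])
        dom = which_range(uid, cfg)
        rid = uid - cfg[dom]["range"][0] if dom and cfg[dom].get("backend") == "rid" else None
        rows.append((user, uid, dom, rid, dom == "*"))
    return rows

if __name__ == "__main__":
    for backend, out in (("ad", GETENT_AD), ("rid", GETENT_RID)):
        for row in audit(out, parse_idmap(IDMAP_CONF.format(backend=backend))):
            print(backend, row)
```

Run against a real box by feeding it the output of `testparm -s` and `getent passwd`; any row with the fallback flag set is a UID that was not produced by the domain's configured backend.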

