[Samba] Can't get idmap_ad to work with winbind (only idmap_rid)
a.braml at buerger-energie-berlin.de
Mon Jan 26 22:44:49 MST 2015
Hi!
With the end of support for Win XP from many application vendors, we
finally decided to go AD with our small domain that right now consists
of two XP desktop clients and one Samba PDC (3.6 from official Ubuntu
12.04 packages) that's also offering some file shares and a printer
share. Since there already is one FreeBSD server for backup/mirroring, I
decided to go all FreeBSD in the process. The final setup would consist
of:
Realm/Domain TEST.BUERGER-ENERGIE-BERLIN.DE
FreeBSD 10.1-RELEASE AD DC with Samba 4 from ports (4.1.16 right now),
single domain forest
FreeBSD 10.1-RELEASE AD Member Server with Samba 4 from ports
2 Win 7 Professional SP1 desktop clients
I installed everything in a Virtualbox host-only network with a layout
identical to what the actual network will be.
For the setup, I followed the Wiki at http://wiki.samba.org for the AD
DC and AD Member server setup. I followed the instructions for RFC 2307
and decided to use RID+100000 for the default users/groups and 102XXX
for my additional groups/users. I set the corresponding GID/UID in the
UNIX attributes via ADUC from one of the Win 7 clients. And it works!
Well, mostly...
The problem is that on the AD member server, I can't use the ad backend
with winbind. The rid backend works, though. This doesn't seem to be a
problem with FreeBSD, as I can reproduce that error on member servers
running Ubuntu 12.04 with Samba 3.6 or Ubuntu 14.04 with Samba 4.
The behavior I get is as follows:
When I set
idmap config *:backend = tdb
idmap config *:range = 70000-99999
idmap config TEST:backend = ad
idmap config TEST:schema_mode = rfc2307
idmap config TEST:range = 100000-2000000
winbind nss info = rfc2307
in the AD member server's smb.conf, getent passwd gives me
administrator:*:70000:70017:Administrator:/home/TEST/administrator:/bin/false
test:*:70003:70004:Test User:/home/TEST/test:/bin/false
krbtgt:*:70001:70004:krbtgt:/home/TEST/krbtgt:/bin/false
guest:*:70002:70005:Guest:/home/TEST/guest:/bin/false
So the TEST:range is ignored, *:range is used instead. User Shell, Home
Dir and the UID (102000 for the test user) from the UNIX attributes in
AD are ignored.
When I set
idmap config *:backend = tdb
idmap config *:range = 70000-99999
idmap config TEST:backend = rid
idmap config TEST:range = 100000-2000000
winbind nss info = rfc2307
instead, getent passwd gives me
administrator:*:100500:100512:Administrator:/home/TEST/administrator:/bin/false
test:*:101105:100513:Test User:/home/TEST/test:/bin/false
krbtgt:*:100502:100513:krbtgt:/home/TEST/krbtgt:/bin/false
guest:*:100501:100514:Guest:/home/TEST/guest:/bin/false
So the TEST:range is respected now. But User Shell and Home Dir from the
UNIX attributes in the AD are still ignored.
There are log entries in the AD member server's log.winbindd stating
"Added (BUILTIN|BSDMEM|TEST.BUERGER-ENERGIE-BERLIN.DE) ...". My
log.winbindd-dc-connect is completely empty, though! Is this a first
clue?
It would be no problem to go with the RID backend for now. But as I
understand, this might give trouble should I ever trust domains from
another forest in the future. With a big warning in our documentation, I
could live with that. But I'd prefer to get the ad backend working from
the start.
What's going on here? Any clues? I searched the list archives and the
WWW with ixquick, but found no solution for my problem.
The AD DC I provisioned with
# samba-tool domain provision --use-rfc2307 --interactive --option "nsupdate command = /usr/local/bin/samba-nsupdate -g"
The --option I appended because the message from the ports install told
me to add this to my smb.conf.
In the following interactive setup, I went with the defaults, adding
only the dns forwarder.
From this I got:
# AD DC smb.conf
[global]
workgroup = TEST
realm = TEST.BUERGER-ENERGIE-BERLIN.DE
netbios name = BSDSRV
server role = active directory domain controller
dns forwarder = 62.109.121.2
idmap_ldb:use rfc2307 = yes
nsupdate command = /usr/local/bin/samba-nsupdate -g
[netlogon]
path = /var/db/samba4/sysvol/test.buerger-energie-berlin.de/scripts
read only = No
[sysvol]
path = /var/db/samba4/sysvol
read only = No
# END AD DC smb.conf
On the AD member server, I edited my smb4.conf as follows
# AD Member Server smb.conf
[global]
netbios name = BSDMEM
workgroup = TEST
security = ADS
realm = TEST.BUERGER-ENERGIE-BERLIN.DE
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 70000-99999
idmap config TEST:backend = ad
idmap config TEST:schema_mode = rfc2307
idmap config TEST:range = 100000-2000000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
nsupdate command = /usr/local/bin/samba-nsupdate -g
load printers = no
log level = winbind:2
# END AD Member Server smb.conf
Any help would be greatly appreciated!
Cheers,
Andreas
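The following is an added example, not code from the post above or from the Samba project. It is the check I would run before blaming the idmap_ad backend: parse the "idmap config" lines of the member server's smb.conf, parse an LDIF dump of the user objects (in practice obtained with ldbsearch or ldapsearch against the DC), and report which accounts idmap_ad can actually map. idmap_ad only maps objects whose uidNumber and gidNumber both exist and fall inside the domain's configured range; anything else stays unmapped. For comparison, rid_backend_id() reproduces the idmap_rid formula ID = RANGE_LOW + RID, which is exactly where the 100500 and 101105 in the rid output come from. The smb.conf lines are taken from the post; the LDIF entries, the account names in them and all attribute values except the test user's uidNumber 102000 are constructed assumptions.

```python
"""Check RFC 2307 UNIX attributes in AD against a member server's idmap ranges.

Added example, not taken from the Samba mailing-list post or from Samba.
Both inputs are constructed inline so the script runs offline; the LDIF
would normally come from ldbsearch/ldapsearch against the DC.
"""
import re

# Constructed: the member server's idmap settings as given in the post.
SMB_CONF = """
[global]
   idmap config *:backend = tdb
   idmap config *:range = 70000-99999
   idmap config TEST:backend = ad
   idmap config TEST:schema_mode = rfc2307
   idmap config TEST:range = 100000-2000000
"""

# Constructed LDIF (assumed values; only uidNumber 102000 for 'test' and the
# Domain Users GID 100513 are taken from the post).
LDIF = """
dn: CN=Administrator,CN=Users,DC=test,DC=buerger-energie-berlin,DC=de
sAMAccountName: Administrator
uidNumber: 100500
gidNumber: 100513

dn: CN=Test User,CN=Users,DC=test,DC=buerger-energie-berlin,DC=de
sAMAccountName: test
uidNumber: 102000
gidNumber: 100513

dn: CN=krbtgt,CN=Users,DC=test,DC=buerger-energie-berlin,DC=de
sAMAccountName: krbtgt
gidNumber: 100513

dn: CN=Guest,CN=Users,DC=test,DC=buerger-energie-berlin,DC=de
sAMAccountName: Guest
uidNumber: 50000
gidNumber: 100514
"""

# Matches 'idmap config DOMAIN:option = value'; DOMAIN may be '*'.
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap_config(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, opt, val = m.groups()
            cfg.setdefault(domain, {})[opt] = val
    return cfg


def parse_range(value):
    """'100000-2000000' -> (100000, 2000000)."""
    lo, hi = value.split("-")
    return int(lo), int(hi)


def parse_ldif(text):
    """Minimal LDIF reader: blank line separates entries, single-valued attrs."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    if cur:
        entries.append(cur)
    return entries


def check_account(entry, cfg, domain):
    """Classify one account the way idmap_ad treats it: mapped only if both
    uidNumber and gidNumber are present and inside the domain's range."""
    if cfg.get(domain, {}).get("backend") != "ad":
        return "domain %s not configured for idmap_ad" % domain
    lo, hi = parse_range(cfg[domain]["range"])
    for attr in ("uidNumber", "gidNumber"):
        if attr not in entry:
            return "unmapped: missing %s" % attr
        n = int(entry[attr])
        if not lo <= n <= hi:
            return "unmapped: %s %d outside %d-%d" % (attr, n, lo, hi)
    return "ok: uid %s gid %s" % (entry["uidNumber"], entry["gidNumber"])


def rid_backend_id(rid, cfg, domain):
    """idmap_rid maps RID -> RANGE_LOW + RID (Administrator, RID 500 -> 100500)."""
    lo, _ = parse_range(cfg[domain]["range"])
    return lo + rid


def report(conf=SMB_CONF, ldif=LDIF, domain="TEST"):
    """Map sAMAccountName -> idmap_ad verdict for every entry in the LDIF."""
    cfg = parse_idmap_config(conf)
    return {e["sAMAccountName"]: check_account(e, cfg, domain) for e in parse_ldif(ldif)}


if __name__ == "__main__":
    for name, status in report().items():
        print("%-14s %s" % (name, status))
```

Run against a real dump, any account reported as "unmapped" is one that winbind cannot resolve through the ad backend regardless of how the rest of smb.conf looks; the two failure modes shown (krbtgt without a uidNumber, Guest with an ID below the range) are the ones most often hit when UNIX attributes are set by hand in ADUC.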