[Samba] Can't get idmap_ad to work with winbind (only idmap_rid)

Rowland Penny rowlandpenny at googlemail.com
Tue Jan 27 02:04:16 MST 2015


On 27/01/15 05:44, a.braml at buerger-energie-berlin.de wrote:
> Hi!
>
> With the end of support for Win XP from many application vendors, we 
> finally decided to go AD with our small domain that right now consists 
> of two XP desktop clients and one Samba PDC (3.6 from official Ubuntu 
> 12.04 packages) that's also offering some file shares and a printer 
> share. Since there already is one FreeBSD server for backup/mirroring, 
> I decided to go all FreeBSD in the process. The final setup would 
> consist of:
>
> Realm/Domain TEST.BUERGER-ENERGIE-BERLIN.DE
> FreeBSD 10.1-RELEASE AD DC with Samba 4 from ports (4.1.16 right now), 
> single domain forest
> FreeBSD 10.1-RELEASE AD Member Server with Samba 4 from ports
> 2 Win 7 Professional SP1 desktop clients
>
> I installed everything in a Virtualbox host-only network with a layout 
> identical to what the actual network will be.
>
> For the setup, I followed the Wiki at http://wiki.samba.org for the AD 
> DC and AD Member server setup. I followed the instructions for RFC 
> 2307 and decided to use RID+100000 for the default users/groups and 
> 102XXX for my additional groups/users. I set the corresponding GID/UID 
> in the UNIX attributes via ADUC from one of the Win 7 clients. And it 
> works! Well, mostly...
>
> The problem is that on the AD member server, I can't use the ad 
> backend with winbind. The rid backend works, though. This doesn't seem 
> to be a problem with FreeBSD, as I can reproduce that error on member 
> servers running Ubuntu 12.04 with Samba 3.6 or Ubuntu 14.04 with 
> Samba 4.
>
> The behavior I get is as follows:
>
> When I set
>
>    idmap config *:backend = tdb
>    idmap config *:range = 70000-99999
>    idmap config TEST:backend = ad
>    idmap config TEST:schema_mode = rfc2307
>    idmap config TEST:range = 100000-2000000
>    winbind nss info = rfc2307
>
> in the AD member server's smb.conf, getent passwd gives me
>
> administrator:*:70000:70017:Administrator:/home/TEST/administrator:/bin/false
> test:*:70003:70004:Test User:/home/TEST/test:/bin/false
> krbtgt:*:70001:70004:krbtgt:/home/TEST/krbtgt:/bin/false
> guest:*:70002:70005:Guest:/home/TEST/guest:/bin/false
>
> So the TEST:range is ignored, *:range is used instead. User Shell, 
> Home Dir and the UID (102000 for the test user) from the UNIX 
> attributes in AD are ignored.
>
> When I set
>
>    idmap config *:backend = tdb
>    idmap config *:range = 70000-99999
>    idmap config TEST:backend = rid
>    idmap config TEST:range = 100000-2000000
>    winbind nss info = rfc2307
>
> instead, getent passwd gives me
>
> administrator:*:100500:100512:Administrator:/home/TEST/administrator:/bin/false
> test:*:101105:100513:Test User:/home/TEST/test:/bin/false
> krbtgt:*:100502:100513:krbtgt:/home/TEST/krbtgt:/bin/false
> guest:*:100501:100514:Guest:/home/TEST/guest:/bin/false
>
> So the TEST:range is respected now. But User Shell and Home Dir from 
> the UNIX attributes in the AD are still ignored.
>
> There are log entries in the AD member server's log.winbindd stating 
> "Added (BUILTIN|BSDMEM|TEST.BUERGER-ENERGIE-BERLIN.DE) ...". My 
> log.winbindd-dc-connect is completely empty, though! Is this a first 
> clue?
>
> It would be no problem to go with the RID backend for now. But as I 
> understand, this might give trouble should I ever trust domains from 
> another forest in the future. With a big warning in our documentation, 
> I could live with that. But I'd prefer to get the ad backend working 
> from the start.
>
> What's going on here? Any clues? I searched the list archives and the 
> WWW with ixquick, but found no solution for my problem.
>
> The AD DC I provisioned with
>
> # samba-tool domain provision --use-rfc2307 --interactive --option "nsupdate command = /usr/local/bin/samba-nsupdate -g"
>
> The --option I appended because the message from the ports install 
> told me to add this to my smb.conf.
>
> In the following interactive setup, I went with the defaults, adding 
> only the dns forwarder.
>
> From this I got:
>
> # AD DC smb.conf
> [global]
>    workgroup = TEST
>    realm = TEST.BUERGER-ENERGIE-BERLIN.DE
>    netbios name = BSDSRV
>    server role = active directory domain controller
>    dns forwarder = 62.109.121.2
>    idmap_ldb:use rfc2307 = yes
>
>    nsupdate command = /usr/local/bin/samba-nsupdate -g
>
> [netlogon]
>    path = /var/db/samba4/sysvol/test.buerger-energie-berlin.de/scripts
>    read only = No
>
> [sysvol]
>    path = /var/db/samba4/sysvol
>    read only = No
> # END AD DC smb.conf
>
> On the AD member server, I edited my smb4.conf as follows:
>
> # AD Member Server smb.conf
> [global]
>
>    netbios name = BSDMEM
>    workgroup = TEST
>    security = ADS
>    realm = TEST.BUERGER-ENERGIE-BERLIN.DE
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>
>    idmap config *:backend = tdb
>    idmap config *:range = 70000-99999
>    idmap config TEST:backend = ad
>    idmap config TEST:schema_mode = rfc2307
>    idmap config TEST:range = 100000-2000000
>
>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind refresh tickets = yes
>
>    nsupdate command = /usr/local/bin/samba-nsupdate -g
>
>    load printers = no
>
>    log level = winbind:2
> # END AD Member Server smb.conf
>
> Any help would be greatly appreciated!
>
>
> Cheers,
> Andreas

Have you actually set any 'uidNumber' & 'gidNumber' attributes in AD?
If you use the 'ad' backend they are mandatory; with the 'rid' backend, 
winbind doesn't need them.

Rowland
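The two symptoms in Andreas's first `getent passwd` listing can be checked mechanically rather than by eye. The script below is an added example, not code from this thread or from the Samba project. It embeds the member server's idmap settings and the four passwd lines from the 'ad' backend attempt as constructed sample input, parses the configured `idmap config TEST:range`, counts how many entries received a UID outside that range (here all four, because they landed in the `*` tdb range), and counts how many home directories are exactly winbind's default `template homedir` of `/home/%D/%U` (Samba's built-in default, like `template shell = /bin/false`), which is what you see when the RFC 2307 attributes in AD are not being used. The `TEST` domain name, the function names and the report format are this example's own choices; on a real member server you would feed it the live `smb.conf` and the live `getent passwd` output instead of the embedded strings.

```shell
#!/bin/sh
# Added example: offline check of winbind idmap results against smb.conf.
# SMBCONF and GETENT are constructed sample input copied from the thread's
# 'ad' backend attempt; replace them with real files on a live system, e.g.
#   SMBCONF=$(cat /usr/local/etc/smb4.conf); GETENT=$(getent passwd)
SMBCONF='   idmap config *:backend = tdb
   idmap config *:range = 70000-99999
   idmap config TEST:backend = ad
   idmap config TEST:schema_mode = rfc2307
   idmap config TEST:range = 100000-2000000'

GETENT='administrator:*:70000:70017:Administrator:/home/TEST/administrator:/bin/false
test:*:70003:70004:Test User:/home/TEST/test:/bin/false
krbtgt:*:70001:70004:krbtgt:/home/TEST/krbtgt:/bin/false
guest:*:70002:70005:Guest:/home/TEST/guest:/bin/false'

# idmap_range NAME CONF -> prints "LOW HIGH" for "idmap config NAME:range"
# (NAME is a domain short name or "*" for the default backend).
idmap_range() {
    printf '%s\n' "$2" | awk -v name="$1" -F'=' '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == ("idmap config " name ":range") {
            val = $2; gsub(/[ \t]/, "", val); sub(/-/, " ", val)
            print val; exit
        }'
}

# count_outside_range DOMAIN CONF PASSWD -> number of passwd entries whose
# UID is NOT inside DOMAIN's configured idmap range. Anything above 0 means
# winbind did not map those users through the DOMAIN backend.
count_outside_range() {
    set -- "$1" "$2" "$3" "$(idmap_range "$1" "$2")"
    [ -n "$4" ] || { echo "no idmap range configured for $1" >&2; return 1; }
    printf '%s\n' "$3" | awk -F':' -v lo="${4% *}" -v hi="${4#* }" '
        NF >= 7 && ($3 + 0 < lo + 0 || $3 + 0 > hi + 0) { n++ }
        END { print n + 0 }'
}

# count_template_homes DOMAIN PASSWD -> number of entries whose home dir is
# exactly winbind's default "template homedir" (/home/%D/%U). Such entries
# did not get unixHomeDirectory from AD.
count_template_homes() {
    printf '%s\n' "$2" | awk -F':' -v dom="$1" '
        NF >= 7 && $6 == ("/home/" dom "/" $1) { n++ }
        END { print n + 0 }'
}

# Human-readable summary for the embedded sample.
report() {
    printf 'TEST idmap range      : %s\n' "$(idmap_range TEST "$SMBCONF")"
    printf 'UIDs outside TEST range: %s\n' "$(count_outside_range TEST "$SMBCONF" "$GETENT")"
    printf 'homes = template default: %s\n' "$(count_template_homes TEST "$GETENT")"
}

report
```

With the thread's 'rid' backend output substituted for `GETENT`, the first counter drops to 0 while the template-home counter stays at 4, which matches Andreas's observation that the range is respected but the AD home directory and shell are still ignored. The counters only diagnose the symptom; the cause to confirm is the one Rowland names, whether `uidNumber` and `gidNumber` are actually populated on the AD objects.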



More information about the samba mailing list