[Samba] Can't get idmap_ad to work with winbind (only idmap_rid)
"Andreas Braml (BürgerEnergie Berlin)"
a.braml at buerger-energie-berlin.de
Tue Jan 27 08:13:50 MST 2015
Hi,
thanks for your fast reply. It's always Rowland ;)
On 27.01.2015 10:04, Rowland Penny wrote:
> On 27/01/15 05:44, a.braml at buerger-energie-berlin.de wrote:
>> Hi!
>>
>> With the end of support for Win XP from many application
>> vendors, we finally decided to go AD with our small domain that
>> right now consists of two XP desktop clients and one Samba PDC
>> (3.6 from official Ubuntu 12.04 packages) that's also offering
>> some file shares and a printer share. Since there already is one
>> FreeBSD server for backup/mirroring, I decided to go all FreeBSD
>> in the process. The final setup would consist of:
>>
>> Realm/Domain TEST.BUERGER-ENERGIE-BERLIN.DE
>> FreeBSD 10.1-RELEASE AD DC with Samba 4 from ports (4.1.16 right now), single domain forest
>> FreeBSD 10.1-RELEASE AD Member Server with Samba 4 from ports
>> 2 Win 7 Professional SP1 desktop clients
>>
>> I installed everything in a Virtualbox host-only network with a
>> layout identical to what the actual network will be.
>>
>> For the setup, I followed the Wiki at http://wiki.samba.org for
>> the AD DC and AD Member server setup. I followed the
>> instructions for RFC 2307 and decided to use RID+100000 for the
>> default users/groups and 102XXX for my additional groups/users. I
>> set the corresponding GID/UID in the UNIX attributes via ADUC
>> from one of the Win 7 clients. And it works! Well, mostly...
>>
>> The problem is that on the AD member server, I can't use the ad
>> backend with winbind. The rid backend works, though. This
>> doesn't seem to be a problem with FreeBSD, as I can reproduce
>> that error on member servers running Ubuntu 12.04 with Samba 3.6
>> or Ubuntu 14.04 with Samba 4.
>>
>> The behavior I get is as follows:
>>
>> When I set
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 70000-99999
>> idmap config TEST:backend = ad
>> idmap config TEST:schema_mode = rfc2307
>> idmap config TEST:range = 100000-2000000
>> winbind nss info = rfc2307
>>
>> in the AD member server's smb.conf, getent passwd gives me
>>
>> administrator:*:70000:70017:Administrator:/home/TEST/administrator:/bin/false
>> test:*:70003:70004:Test User:/home/TEST/test:/bin/false
>> krbtgt:*:70001:70004:krbtgt:/home/TEST/krbtgt:/bin/false
>> guest:*:70002:70005:Guest:/home/TEST/guest:/bin/false
>>
>> So the TEST:range is ignored, *:range is used instead. User
>> Shell, Home Dir and the UID (102000 for the test user) from the
>> UNIX attributes in AD are ignored.
>>
>> When I set
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 70000-99999
>> idmap config TEST:backend = rid
>> idmap config TEST:range = 100000-2000000
>> winbind nss info = rfc2307
>>
>> instead, getent passwd gives me
>>
>> administrator:*:100500:100512:Administrator:/home/TEST/administrator:/bin/false
>> test:*:101105:100513:Test User:/home/TEST/test:/bin/false
>> krbtgt:*:100502:100513:krbtgt:/home/TEST/krbtgt:/bin/false
>> guest:*:100501:100514:Guest:/home/TEST/guest:/bin/false
>>
>> So the TEST:range is respected now. But User Shell and Home Dir
>> from the UNIX attributes in the AD are still ignored.
>>
>> There's log entries in the AD member server's log.winbindd
>> stating "Added (BUILTIN|BSDMEM|TEST.BUERGER-ENERGIE-BERLIN.DE)
>> ...". My log.winbindd-dc-connect is completely empty, though! Is
>> this a first clue?
>>
>> It would be no problem to go with the RID backend for now. But
>> as I understand, this might give trouble should I ever trust
>> domains from another forest in the future. With a big warning in
>> our documentation, I could live with that. But I'd prefer to get
>> the ad backend working from the start.
>>
>> What's going on here? Any clues? I searched the list archives
>> and the WWW with ixquick, but found no solution for my problem.
>>
>> The AD DC I provisioned with
>>
>> # samba-tool domain provision --use-rfc2307 --interactive
>> --option "nsupdate command = /usr/local/bin/samba-nsupdate -g"
>>
>> The --option I appended because the message from the ports
>> install told me to add this to my smb.conf.
>>
>> In the following interactive setup, I went with the defaults,
>> adding only the dns forwarder.
>>
>> From this I got:
>>
>> # AD DC smb.conf
>> [global]
>> workgroup = TEST
>> realm = TEST.BUERGER-ENERGIE-BERLIN.DE
>> netbios name = BSDSRV
>> server role = active directory domain controller
>> dns forwarder = 62.109.121.2
>> idmap_ldb:use rfc2307 = yes
>>
>> nsupdate command = /usr/local/bin/samba-nsupdate -g
>>
>> [netlogon]
>> path = /var/db/samba4/sysvol/test.buerger-energie-berlin.de/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/db/samba4/sysvol
>> read only = No
>> # END AD DC smb.conf
>>
>> On the AD member server, I edited my smb4.conf as follows
>>
>> # AD Member Server smb.conf
>> [global]
>>
>> netbios name = BSDMEM
>> workgroup = TEST
>> security = ADS
>> realm = TEST.BUERGER-ENERGIE-BERLIN.DE
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 70000-99999
>> idmap config TEST:backend = ad
>> idmap config TEST:schema_mode = rfc2307
>> idmap config TEST:range = 100000-2000000
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = yes
>>
>> nsupdate command = /usr/local/bin/samba-nsupdate -g
>>
>> load printers = no
>>
>> log level = winbind:2
>> # END AD Member Server smb.conf
>>
>> Any help would be greatly appreciated!
>>
>>
>> Cheers, Andreas
>
> Have you actually set any 'uidNumber' & 'gidNumber' attributes in
> AD ?
Yes, as I said: set them with ADUC, I even checked on the attributes
with ADSI Edit (never trust a GUI by MS that feigns compatibility with
the Unix world). uidNumber and gidNumber are there and in the range I
reserved in the smb.conf. Still, they're ignored by winbind and I
can't figure out why.
What to check next? Which logs might give a clue here?
Cheers,
Andreas
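A small checker, added here as an illustration and not part of Andreas' or Samba's own code, that reproduces the arithmetic behind the two `getent passwd` outputs quoted above: under `idmap config TEST:backend = rid` a unix id is the domain range's low bound plus the account RID (500 for Administrator, 513 for Domain Users), while ids that land in the `*` range (70000-99999) mean winbind fell back to the default tdb backend instead of resolving the domain. The smb.conf lines are copied from the thread; the SID prefix `S-1-5-21-1-2-3` is a constructed placeholder.

```python
import re

# idmap lines as quoted in the thread (constructed copy for this example)
SMB_CONF = """
idmap config *:backend = tdb
idmap config *:range = 70000-99999
idmap config TEST:backend = rid
idmap config TEST:range = 100000-2000000
"""

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}} from 'idmap config' lines."""
    cfg = {}
    for m in re.finditer(r"idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+)", conf):
        dom, key, val = m.group(1), m.group(2), m.group(3).strip()
        entry = cfg.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-"))
            entry["range"] = (lo, hi)
        else:
            entry[key] = val
    return cfg

def rid_to_id(sid, dom_range):
    """idmap_rid rule: unix id = range low bound + RID (the SID's last component)."""
    rid = int(sid.rsplit("-", 1)[1])
    unix_id = dom_range[0] + rid
    if unix_id > dom_range[1]:
        raise ValueError(f"RID {rid} does not fit into range {dom_range}")
    return unix_id

def ranges_overlap(cfg):
    """True if two configured idmap ranges overlap; winbind refuses such a config."""
    rs = sorted(v["range"] for v in cfg.values() if "range" in v)
    return any(rs[i][1] >= rs[i + 1][0] for i in range(len(rs) - 1))

def owning_domain(cfg, unix_id):
    """Name the idmap domain whose range contains unix_id (None if unallocated).
    An id inside the '*' range for a domain user shows the domain backend was not used."""
    for dom, v in cfg.items():
        lo, hi = v.get("range", (None, None))
        if lo is not None and lo <= unix_id <= hi:
            return dom
    return None

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print(rid_to_id("S-1-5-21-1-2-3-500", cfg["TEST"]["range"]))  # Administrator
    print(owning_domain(cfg, 70000))  # '*': fell back to the default tdb backend
```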