[Samba] Can't get idmap_ad to work with winbind (only idmap_rid)

"Andreas Braml (BürgerEnergie Berlin)" a.braml at buerger-energie-berlin.de
Tue Jan 27 08:13:50 MST 2015



Hi,

thanks for your fast reply. It's always Rowland ;)

On 27.01.2015 10:04, Rowland Penny wrote:
> On 27/01/15 05:44, a.braml at buerger-energie-berlin.de wrote:
>> Hi!
>> 
>> With the end of support for Win XP from many application
>> vendors, we finally decided to go AD with our small domain that
>> right now consists of two XP desktop clients and one Samba PDC
>> (3.6 from official Ubuntu 12.04 packages) that's also offering
>> some file shares and a printer share. Since there already is one
>> FreeBSD server for backup/mirroring, I decided to go all FreeBSD
>> in the process. The final setup would consist of:
>> 
>> Realm/Domain TEST.BUERGER-ENERGIE-BERLIN.DE
>> FreeBSD 10.1-RELEASE AD DC with Samba 4 from ports (4.1.16 right now), single domain forest
>> FreeBSD 10.1-RELEASE AD Member Server with Samba 4 from ports
>> 2 Win 7 Professional SP1 desktop clients
>> 
>> I installed everything in a Virtualbox host-only network with a 
>> layout identical to what the actual network will be.
>> 
>> For the setup, I followed the Wiki at http://wiki.samba.org for 
>> the AD DC and AD Member server setup. I followed the
>> instructions for RFC 2307 and decided to use RID+100000 for the
>> default users/groups and 102XXX for my additional groups/users. I
>> set the corresponding GID/UID in the UNIX attributes via ADUC
>> from one of the Win 7 clients. And it works! Well, mostly...
>> 
>> The problem is that on the AD member server, I can't use the ad 
>> backend with winbind. The rid backend works, though. This
>> doesn't seem to be a problem with FreeBSD, as I can reproduce
>> that error on member servers running Ubuntu 12.04 with Samba 3.6
>> or Ubuntu 14.04 with Samba 4.
>> 
>> The behavior I get is as follows:
>> 
>> When I set
>> 
>> idmap config *:backend = tdb
>> idmap config *:range = 70000-99999
>> idmap config TEST:backend = ad
>> idmap config TEST:schema_mode = rfc2307
>> idmap config TEST:range = 100000-2000000
>> winbind nss info = rfc2307
>> 
>> in the AD member server's smb.conf, getent passwd gives me
>> 
>> administrator:*:70000:70017:Administrator:/home/TEST/administrator:/bin/false
>> test:*:70003:70004:Test User:/home/TEST/test:/bin/false
>> krbtgt:*:70001:70004:krbtgt:/home/TEST/krbtgt:/bin/false
>> guest:*:70002:70005:Guest:/home/TEST/guest:/bin/false
>> 
>> So the TEST:range is ignored, *:range is used instead. User 
>> Shell, Home Dir and the UID (102000 for the test user) from the 
>> UNIX attributes in AD are ignored.
>> 
>> When I set
>> 
>> idmap config *:backend = tdb
>> idmap config *:range = 70000-99999
>> idmap config TEST:backend = rid
>> idmap config TEST:range = 100000-2000000
>> winbind nss info = rfc2307
>> 
>> instead, getent passwd gives me
>> 
>> administrator:*:100500:100512:Administrator:/home/TEST/administrator:/bin/false
>> test:*:101105:100513:Test User:/home/TEST/test:/bin/false
>> krbtgt:*:100502:100513:krbtgt:/home/TEST/krbtgt:/bin/false
>> guest:*:100501:100514:Guest:/home/TEST/guest:/bin/false
>> 
>> So the TEST:range is respected now. But User Shell and Home Dir 
>> from the UNIX attributes in the AD are still ignored.
>> 
>> There are log entries in the AD member server's log.winbindd
>> stating "Added (BUILTIN|BSDMEM|TEST.BUERGER-ENERGIE-BERLIN.DE)
>> ...". My log.winbindd-dc-connect is completely empty, though! Is
>> this a first clue?
>> 
>> It would be no problem to go with the RID backend for now. But
>> as I understand, this might give trouble should I ever trust
>> domains from another forest in the future. With a big warning in
>> our documentation, I could live with that. But I'd prefer to get
>> the ad backend working from the start.
>> 
>> What's going on here? Any clues? I searched the list archives
>> and the WWW with ixquick, but found no solution for my problem.
>> 
>> The AD DC I provisioned with
>> 
>> # samba-tool domain provision --use-rfc2307 --interactive \
>>     --option "nsupdate command = /usr/local/bin/samba-nsupdate -g"
>> 
>> The --option I appended because the message from the ports 
>> install told me to add this to my smb.conf.
>> 
>> In the following interactive setup, I went with the defaults,
>> adding only the DNS forwarder.
>> 
>> From this I got:
>> 
>> # AD DC smb.conf
>> [global]
>> workgroup = TEST
>> realm = TEST.BUERGER-ENERGIE-BERLIN.DE
>> netbios name = BSDSRV
>> server role = active directory domain controller
>> dns forwarder = 62.109.121.2
>> idmap_ldb:use rfc2307 = yes
>> 
>> nsupdate command = /usr/local/bin/samba-nsupdate -g
>> 
>> [netlogon]
>> path = /var/db/samba4/sysvol/test.buerger-energie-berlin.de/scripts
>> read only = No
>> 
>> [sysvol]
>> path = /var/db/samba4/sysvol
>> read only = No
>> # END AD DC smb.conf
>> 
>> On the AD member server, I edited my smb4.conf as follows:
>> 
>> # AD Member Server smb.conf
>> [global]
>> 
>> netbios name = BSDMEM
>> workgroup = TEST
>> security = ADS
>> realm = TEST.BUERGER-ENERGIE-BERLIN.DE
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> 
>> idmap config *:backend = tdb
>> idmap config *:range = 70000-99999
>> idmap config TEST:backend = ad
>> idmap config TEST:schema_mode = rfc2307
>> idmap config TEST:range = 100000-2000000
>> 
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = yes
>> 
>> nsupdate command = /usr/local/bin/samba-nsupdate -g
>> 
>> load printers = no
>> 
>> log level = winbind:2
>> # END AD Member Server smb.conf
>> 
>> Any help would be greatly appreciated!
>> 
>> 
>> Cheers, Andreas
> 
> Have you actually set any 'uidNumber' & 'gidNumber' attributes in 
> AD ?

Yes, as I said: set them with ADUC, I even checked on the attributes
with ADSI Edit (never trust a GUI by MS that feigns compatibility with
the Unix world). uidNumber and gidNumber are there and in the range I
reserved in the smb.conf. Still, they're ignored by winbind and I
can't figure out why.

What to check next? Which logs might give a clue here?


Cheers,
Andreas
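The two `getent passwd` listings quoted in the thread are themselves the diagnostic: IDs inside the `*` range mean winbind fell through to the default tdb allocator, while IDs of the form range_low + RID mean the rid backend answered. The following script is an added example, not code from the thread or from Samba; it parses those listings (copied from the post) against the ranges from the quoted smb.conf and reports which backend produced the IDs, and whether the uidNumber set in AD (102000 for the test user) made it through.

```python
# Added example, not code from the thread: classify the IDs that
# `getent passwd` reports against the idmap ranges from the quoted smb.conf.
# Sample listings are copied from the post; RID values are the well-known
# RIDs of the built-in accounts.

DEFAULT_RANGE = (70000, 99999)      # idmap config *:range
DOMAIN_RANGE = (100000, 2000000)    # idmap config TEST:range
# The rid backend maps uid = range_low + RID, so built-ins are predictable.
WELL_KNOWN_RIDS = {"administrator": 500, "guest": 501, "krbtgt": 502}

AD_ATTEMPT = """\
administrator:*:70000:70017:Administrator:/home/TEST/administrator:/bin/false
test:*:70003:70004:Test User:/home/TEST/test:/bin/false
krbtgt:*:70001:70004:krbtgt:/home/TEST/krbtgt:/bin/false
guest:*:70002:70005:Guest:/home/TEST/guest:/bin/false
"""
RID_ATTEMPT = """\
administrator:*:100500:100512:Administrator:/home/TEST/administrator:/bin/false
test:*:101105:100513:Test User:/home/TEST/test:/bin/false
krbtgt:*:100502:100513:krbtgt:/home/TEST/krbtgt:/bin/false
guest:*:100501:100514:Guest:/home/TEST/guest:/bin/false
"""

def parse_getent(text):
    """Map account name -> (uid, gid, home, shell) from getent passwd lines."""
    users = {}
    for line in text.strip().splitlines():
        f = line.split(":")
        if len(f) == 7:
            users[f[0]] = (int(f[2]), int(f[3]), f[5], f[6])
    return users

def in_range(value, rng):
    return rng[0] <= value <= rng[1]

def diagnose(text):
    """Return 'default-fallback', 'rid' or 'ad' depending on the ID shape."""
    users = parse_getent(text)
    uids = [u[0] for u in users.values()]
    # Every ID inside the '*' range: the domain's configured backend gave no
    # answer and winbind allocated from the tdb fallback instead.
    if all(in_range(uid, DEFAULT_RANGE) for uid in uids):
        return "default-fallback"
    rid_shaped = all(users[n][0] == DOMAIN_RANGE[0] + rid
                     for n, rid in WELL_KNOWN_RIDS.items() if n in users)
    return "rid" if rid_shaped else "ad"

def uidnumber_honoured(text, name, uid_number):
    """True only if winbind reports the uidNumber that was set in AD."""
    return parse_getent(text).get(name, (None,))[0] == uid_number
```

Both listings fail the `uidnumber_honoured` check for the test user, which matches the observation in the post that the rfc2307 attributes were ignored in both attempts.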