[Samba] Can't get idmap_ad to work with winbind (only idmap_rid)

Rowland Penny rowlandpenny at googlemail.com
Tue Jan 27 08:48:49 MST 2015


On 27/01/15 15:13, "Andreas Braml (BürgerEnergie Berlin)" wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> thanks for your fast reply. It's always Rowland ;)
>
> On 27.01.2015 10:04, Rowland Penny wrote:
>> On 27/01/15 05:44, a.braml at buerger-energie-berlin.de wrote:
>>> Hi!
>>>
>>> With the end of support for Win XP from many application
>>> vendors, we finally decided to go AD with our small domain that
>>> right now consists of two XP desktop clients and one Samba PDC
>>> (3.6 from official Ubuntu 12.04 packages) that's also offering
>>> some file shares and a printer share. Since there already is one
>>> FreeBSD server for backup/mirroring, I decided to go all FreeBSD
>>> in the process. The final setup would consist of:
>>>
>>> Realm/Domain TEST.BUERGER-ENERGIE-BERLIN.DE
>>> FreeBSD 10.1-RELEASE AD DC with Samba 4 from ports (4.1.16 right now), single domain forest
>>> FreeBSD 10.1-RELEASE AD Member Server with Samba 4 from ports
>>> 2 Win 7 Professional SP1 desktop clients
>>>
>>> I installed everything in a Virtualbox host-only network with a
>>> layout identical to what the actual network will be.
>>>
>>> For the setup, I followed the Wiki at http://wiki.samba.org for
>>> the AD DC and AD Member server setup. I followed the
>>> instructions for RFC 2307 and decided to use RID+100000 for the
>>> default users/groups and 102XXX for my additional groups/users. I
>>> set the corresponding GID/UID in the UNIX attributes via ADUC
>>> from one of the Win 7 clients. And it works! Well, mostly...
>>>
>>> The problem is that on the AD member server, I can't use the ad
>>> backend with winbind. The rid backend works, though. This
>>> doesn't seem to be a problem with FreeBSD, as I can reproduce
>>> that error on member servers running Ubuntu 12.04 with Samba 3.6.
>>> or Ubuntu 14.04 with Samba 4.
>>>
>>> The behavior I get is as follows:
>>>
>>> When I set
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 70000-99999
>>> idmap config TEST:backend = ad
>>> idmap config TEST:schema_mode = rfc2307
>>> idmap config TEST:range = 100000-2000000
>>> winbind nss info = rfc2307
>>>
>>> in the AD member server's smb.conf, getent passwd gives me
>>>
>>> administrator:*:70000:70017:Administrator:/home/TEST/administrator:/bin/false
>>> test:*:70003:70004:Test User:/home/TEST/test:/bin/false
>>> krbtgt:*:70001:70004:krbtgt:/home/TEST/krbtgt:/bin/false
>>> guest:*:70002:70005:Guest:/home/TEST/guest:/bin/false
>>>
>>> So the TEST:range is ignored, *:range is used instead. User
>>> Shell, Home Dir and the UID (102000 for the test user) from the
>>> UNIX attributes in AD are ignored.
>>>
>>> When I set
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 70000-99999
>>> idmap config TEST:backend = rid
>>> idmap config TEST:range = 100000-2000000
>>> winbind nss info = rfc2307
>>>
>>> instead, getent passwd gives me
>>>
>>> administrator:*:100500:100512:Administrator:/home/TEST/administrator:/bin/false
>>> test:*:101105:100513:Test User:/home/TEST/test:/bin/false
>>> krbtgt:*:100502:100513:krbtgt:/home/TEST/krbtgt:/bin/false
>>> guest:*:100501:100514:Guest:/home/TEST/guest:/bin/false
>>>
>>> So the TEST:range is respected now. But User Shell and Home Dir
>>> from the UNIX attributes in the AD are still ignored.
>>>
>>> There's log entries in the AD member server's log.winbindd
>>> stating "Added (BUILTIN|BSDMEM|TEST.BUERGER-ENERGIE-BERLIN.DE)
>>> ...". My log.winbindd-dc-connect is completely empty, though! Is
>>> this a first clue?
>>>
>>> It would be no problem to go with the RID backend for now. But
>>> as I understand, this might give trouble should I ever trust
>>> domains from another forest in the future. With a big warning in
>>> our documentation, I could live with that. But I'd prefer to get
>>> the ad backend working from the start.
>>>
>>> What's going on here? Any clues? I searched the list archives
>>> and the WWW with ixquick, but found no solution for my problem.
>>>
>>> The AD DC I provisioned with
>>>
>>> # samba-tool domain provision --use-rfc2307 --interactive --option "nsupdate command = /usr/local/bin/samba-nsupdate -g"
>>>
>>> The --option I appended because the message from the ports
>>> install told me to add this to my smb.conf.
>>>
>>> In the following interactive setup, I went with the defaults,
>>> adding only the dns forwarder.
>>>
>>> From this I got:
>>>
>>> # AD DC smb.conf
>>> [global]
>>> workgroup = TEST
>>> realm = TEST.BUERGER-ENERGIE-BERLIN.DE
>>> netbios name = BSDSRV
>>> server role = active directory domain controller
>>> dns forwarder = 62.109.121.2
>>> idmap_ldb:use rfc2307 = yes
>>>
>>> nsupdate command = /usr/local/bin/samba-nsupdate -g
>>>
>>> [netlogon]
>>> path = /var/db/samba4/sysvol/test.buerger-energie-berlin.de/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /var/db/samba4/sysvol
>>> read only = No
>>> # END AD DC smb.conf
>>>
>>> On the AD member server, I edited my smb4.conf as follows
>>>
>>> # AD Member Server smb.conf
>>> [global]
>>>
>>> netbios name = BSDMEM
>>> workgroup = TEST
>>> security = ADS
>>> realm = TEST.BUERGER-ENERGIE-BERLIN.DE
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 70000-99999
>>> idmap config TEST:backend = ad
>>> idmap config TEST:schema_mode = rfc2307
>>> idmap config TEST:range = 100000-2000000
>>>
>>> winbind nss info = rfc2307
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind refresh tickets = yes
>>>
>>> nsupdate command = /usr/local/bin/samba-nsupdate -g
>>>
>>> load printers = no
>>>
>>> log level = winbind:2
>>> # END AD Member Server smb.conf
>>>
>>> Any help would be greatly appreciated!
>>>
>>>
>>> Cheers, Andreas
>> Have you actually set any 'uidNumber' & 'gidNumber' attributes in
>> AD ?
> Yes, as I said: set them with ADUC, I even checked on the attributes
> with ADSI Edit (never trust a GUI by MS that feigns compatibility with
> the Unix world). uidNumber and gidNumber are there and in the range I
> reserved in the smb.conf. Still, they're ignored by winbind and I
> can't figure out why.
>
> What to check next? Which logs might give a clue here?
>
>
> Cheers,
> Andreas
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQEcBAEBAgAGBQJUx6suAAoJEMs6lqj1bb0RbgUH/ipIkLEYzpWT2JLzSJTyIuPu
> 8f0QZZuNKifps+RI2qkeX/7lynsBuAnxbsn7veVZcRDh3zrJWeSsF6Xc2UyNDRIS
> 0zsqTWTOIriimJaunJOzkbsQWXTSoSepIIpxl5+GRr4X/hXEVsr5gPX4l7KfVN5e
> 8RyL0xTc/JrgUEPMU05jrQ/wuJMLM66S4viqSpVHDNxR0rInS54n2JZuUh2b0kw2
> JO+JUl+KaBdkzOMvaYqpMtx6XNAW/z13uy1WVWMhPvXlyD+d6DWOd7OwQADRRj23
> veuK1/d9yxb2BSMfOm/ethXV0aGKwmcgHmRU/lSd52/cbOZ3EKvkr/wf0NolVAQ=
> =q2D7
> -----END PGP SIGNATURE-----

OK, you posted 'I followed the instructions for RFC 2307 and decided to 
use RID+100000 for the default users/groups and 102XXX for my additional 
groups/users'
What do you mean by 'default users/groups' and 'additional groups/users' ?

You really only need to give Domain Users and Domain Admins a 
'gidNumber' attribute, you then give your users a 'uidNumber' attribute.

Why did you choose the numbers that you have? You can start both 
'uidNumber' & 'gidNumber' from 10000, this is what windows expects, 
there doesn't need to be any link between RID and uidNumber/gidNumber.

I think your problem is that you have given your users/groups numbers 
that are outside the ranges you have set in AD.

I can assure you, if you set the numbers correctly in AD it will work.

Rowland
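Rowland's suggestion above amounts to a concrete check: do the uidNumber/gidNumber values actually stored in AD fall inside the `idmap config TEST:range` the member server is configured with, and does every object winbind is expected to map carry the attribute at all? The script below is an added example, not code from the thread or from the Samba project. It parses the `idmap config` lines out of an smb.conf text, verifies the per-domain ranges do not overlap, and reports which user/group records have RFC2307 attributes that are missing or outside the domain's range. The smb.conf fragment is constructed to mirror the member-server config quoted above; the AD records are constructed sample data, not values from the thread (in practice you would fill them from what ldbsearch or ADSI Edit shows for each account).

```python
import re

# Constructed sample: a member-server smb.conf fragment modelled on the one
# quoted in the thread (same option names as Samba's smb.conf).
SAMPLE_SMB_CONF = """
[global]
    workgroup = TEST
    security = ADS
    realm = TEST.BUERGER-ENERGIE-BERLIN.DE

    idmap config *:backend = tdb
    idmap config *:range = 70000-99999
    idmap config TEST:backend = ad
    idmap config TEST:schema_mode = rfc2307
    idmap config TEST:range = 100000-2000000

    winbind nss info = rfc2307
"""

# Constructed sample of RFC2307 attributes as read back from AD.  The values are
# illustrative only: 'alice' and 'printops' sit outside the TEST range, 'bob'
# has no uidNumber at all.  None of these come from the thread.
SAMPLE_AD_OBJECTS = [
    {"sAMAccountName": "test", "kind": "user", "uidNumber": 102000, "gidNumber": 100513},
    {"sAMAccountName": "alice", "kind": "user", "uidNumber": 15000, "gidNumber": 100513},
    {"sAMAccountName": "bob", "kind": "user", "uidNumber": None, "gidNumber": 100513},
    {"sAMAccountName": "Domain Users", "kind": "group", "gidNumber": 100513},
    {"sAMAccountName": "printops", "kind": "group", "gidNumber": 70010},
]

# Matches "idmap config <domain>:<key> = <value>"; the domain may be "*".
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:]+):(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap_config(text):
    """Return {domain: {"backend": ..., "range": (lo, hi), ...}} from smb.conf text."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1).strip(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(domain, {})
        if key == "range":
            lo, hi = (int(x) for x in value.split("-"))
            if lo >= hi:
                raise ValueError(f"bad idmap range for {domain}: {value}")
            entry["range"] = (lo, hi)
        else:
            entry[key] = value
    return cfg


def overlapping_ranges(cfg):
    """idmap ranges must be disjoint across domains; return the offending pairs."""
    doms = [(d, e["range"]) for d, e in cfg.items() if "range" in e]
    return [(a, b) for i, (a, ra) in enumerate(doms) for b, rb in doms[i + 1:]
            if ra[0] <= rb[1] and rb[0] <= ra[1]]


def check_objects(cfg, domain, objects):
    """List (name, attribute, value, reason) for attributes the ad backend could not map.

    Users need uidNumber (their id) and gidNumber (primary group); groups need
    gidNumber.  A missing attribute or one outside the domain's range means
    winbind has nothing valid to map the object to.
    """
    lo, hi = cfg[domain]["range"]
    problems = []
    for obj in objects:
        attrs = ["uidNumber", "gidNumber"] if obj["kind"] == "user" else ["gidNumber"]
        for attr in attrs:
            value = obj.get(attr)
            if value is None:
                problems.append((obj["sAMAccountName"], attr, None, "attribute missing"))
            elif not lo <= value <= hi:
                problems.append((obj["sAMAccountName"], attr, value,
                                 f"outside {domain} range {lo}-{hi}"))
    return problems


if __name__ == "__main__":
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    for pair in overlapping_ranges(cfg):
        print("overlapping idmap ranges:", pair)
    for name, attr, value, reason in check_objects(cfg, "TEST", SAMPLE_AD_OBJECTS):
        print(f"{name}: {attr}={value} ({reason})")
```

Running it on the constructed data reports alice (uidNumber 15000), bob (no uidNumber) and printops (gidNumber 70010); the `test` user with uidNumber 102000 passes, which matches what Andreas describes setting. Objects that fail this check are the ones to fix in AD before looking further into winbind.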


