[Samba] Winbindd Strangeness [Solved]
David Minard
david at scem.uws.edu.au
Thu Jul 2 03:54:55 UTC 2015
On 01/07/15 03:30, samba-request at lists.samba.org wrote:
> Message: 17
> Date: Mon, 29 Jun 2015 08:30:52 +0100
> From: Rowland Penny<rowlandpenny at googlemail.com>
> To:samba at lists.samba.org
> Subject: Re: [Samba] Winbindd Strangeness
> Message-ID:<5590F42C.8050002 at gmail.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> On 29/06/15 04:26, David Minard wrote:
>> >On 25/06/15 13:44, David Minard wrote:
>> >
>>>> >>> On 24/06/15 02:55, David Minard wrote:
>>>>> >>>> On 23/06/15 13:32, David Minard wrote:
>>>>> >>>>
>>>>>> >>>>> I've set up a DC and a Member Server for a file server. Both are
>>>>>> >>>>> running on Centos7 and samba version 4.2.2. The Member Server is
>>>>>> >>>>> running smbd and winbindd.
>>>>>> >>>>>
>>>>>> >>>>> I've followed the wiki and for the most part it's working.
>>>>>> >>>>> However, after stuffing up the ranges, then fixing them up, when I
>>>>>> >>>>> create new accounts, adding all the Unix attributes, the UID_Number
>>>>>> >>>>> is not showing the correct value for new accounts. Existing ones are
>>>>>> >>>>> okay.
>>>>>> >>>>>
>>>>>> >>>>> Member_Server Config:
>>>>>> >>>>>
>>>>>> >>>>> [global]
>>>>>> >>>>>
>>>>>> >>>>> netbios name = MS1
>>>>>> >>>>> workgroup = AD
>>>>>> >>>>> security = ADS
>>>>>> >>>>> realm = SAMBADOM
>>>>>> >>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>> >>>>> kerberos method = secrets and keytab
>>>>>> >>>>>
>>>>>> >>>>> idmap config *:backend = tdb
>>>>>> >>>>> idmap config *:range = 30000000-40000000
>>>>>> >>>>> idmap config SAMBADOM:backend = ad
>>>>>> >>>>> idmap config SAMBADOM:schema_mode = rfc2307
>>>>>> >>>>> idmap config SAMBADOM:range = 600-29999999
>>>>>> >>>>>
>>>>>> >>>>> winbind nss info = rfc2307
>>>>>> >>>>> winbind trusted domains only = no
>>>>>> >>>>> winbind use default domain = yes
>>>>>> >>>>> winbind enum users = yes
>>>>>> >>>>> winbind enum groups = yes
>>>>>> >>>>> winbind refresh tickets = Yes
>>>>>> >>>>>
>>>>>> >>>>>
>>>>>> >>>>>
>>>>>> >>>>> Existing Account:
>>>>>> >>>>> getent passwd fred
>>>>>> >>>>>
>>>>>> >>>>> fred:*:4999:30000000:Fred Nerks:/home/fred:/bin/tcsh
>>>>>> >>>>>
>>>>>> >>>>> New Account:
>>>>>> >>>>>
>>>>>> >>>>> fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
>>>>>> >>>>>
>>>>>> >>>>> Fred1 was set up with --uid-number='5004'
>>>>>> >>>>>
>>>>>> >>>>> I've tried clearing winbindd caches as per some post I read:
>>>>>> >>>>>
>>>>>> >>>>> systemctl stop winbindd
>>>>>> >>>>> rm /usr/local/samba/var/locks/group_mapping.tdb* \
>>>>>> >>>>>    /usr/local/samba/var/locks/winbindd_idmap.tdb* \
>>>>>> >>>>>    /usr/local/samba/var/locks/winbindd_cache.tdb*
>>>>>> >>>>> systemctl start winbindd
>>>>>> >>>>>
>>>>>> >>>>> But no change.
>>>>>> >>>>>
>>>>>> >>>>> I've also noticed that the default group that all users are in
>>>>>> >>>>> used to be "domain users", now for some reason they are all in
>>>>>> >>>>> "BUILTIN\administrators" !
>>>>>> >>>>> Am I doing something wrong? If so, what. If not, how do
>>>>>> >>>>> I track down why this is happening?
>>>>>> >>>>>
>>>>>> >>>>> Cheers,
>>>>>> >>>>> David Minard.
>>>>>> >>>>>
>>>>>> >>>>>
>>>>> >>>> Yes, you do appear to be doing things wrong, workgroup = AD but:
>>>>> >>>>
>>>>> >>>> idmap config SAMBADOM:backend = ad
>>>>> >>>> idmap config SAMBADOM:schema_mode = rfc2307
>>>>> >>>> idmap config SAMBADOM:range = 600-29999999
>>>>> >>>>
>>>>> >>>> 'SAMBADOM' should be 'AD'
>>>>> >>>>
>>>>> >>>> You have 'realm = SAMBADOM', it really should be something like
>>>>> >>>> 'realm = SAMBADOM.COM'
>>>>> >>>>
>>>>> >>>> Rowland
>>>>> >>>>
>>>>> >>>> Thanks for the quick reply Rowland. The change didn't make any
>>>>> >>>> difference. I remember having it the way you suggested in the first
>>>>> >>>> place, but was still getting strangeness. I have put it back to the
>>>>> >>>> right way as suggested. I now have a config of:
>>>>> >>>>
>>>>> >>>> [global]
>>>>> >>>>
>>>>> >>>> netbios name = MS1
>>>>> >>>> workgroup = AD
>>>>> >>>> security = ADS
>>>>> >>>> realm = SAMDOM
>>>>> >>>> dedicated keytab file = /etc/krb5.keytab
>>>>> >>>> kerberos method = secrets and keytab
>>>>> >>>>
>>>>> >>>> idmap config *:backend = tdb
>>>>> >>>> idmap config *:range = 30000000-40000000
>>>>> >>>> idmap config AD:backend = ad
>>>>> >>>> idmap config AD:schema_mode = rfc2307
>>>>> >>>> idmap config AD:range = 600-29999999
>>>>> >>>>
>>>>> >>>> winbind nss info = rfc2307
>>>>> >>>> winbind trusted domains only = no
>>>>> >>>> winbind use default domain = yes
>>>>> >>>> winbind enum users = yes
>>>>> >>>> winbind enum groups = yes
>>>>> >>>> winbind refresh tickets = Yes
>>>>> >>>>
>>>>> >>>>
>>>>> >>>> SAMDOM is as you say, a domain name for the AD.
>>>>> >>>>
>>>>> >>>> I noticed that the UIDNumber of new accounts are overlapping with
>>>>> >>>> system accounts.
>>>>> >>>>
>>>>> >>>> fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
>>>>> >>>> krbtgt:*:30000002:30000000:krbtgt:/home/AD/krbtgt:/bin/false
>>>>> >>>>
>>>>> >>>> fred:*:30000000:30000000:Fred Nerks:/home/fred:/bin/tcsh
>>>>> >>>> administrator:*:30000000:30000000:Administrator:/home/AD/administrator:/bin/false
>>>>> >>>>
>>>>> >>>>
>>>> >>> Strange, have you tried running 'net cache flush' on the member server ?
>>> >> No I hadn't. I tried it. Now 'getent passwd' only gives me the unix
>>> >> accounts on the server. 'wbinfo -u' works fine.
>>> >>
>>>> >>> Have you given all the users & groups an ID number in AD ?
>>> >> Only users and groups that I have created. Do I have to do that for the
>>> >> default accounts too?
>>> >>
>>>> >>> Can you post the exact command you are using to create users.
>>>> >>>
>>> >> samba-tool user add fred --userou='OU=Test Users' \
>>> >>   --profile-path='\\ms1.example.com\profiles\fred' --home-drive='u:' \
>>> >>   --home-directory='\\ms1.example.com\fred' --login-shell='/bin/tcsh' \
>>> >>   --gecos='Fred Nerks' --gid-number='600' --uid-number='4999' \
>>> >>   --uid='fred' --unix-home='/home/fred' --nis-domain='AD' \
>>> >>   --surname='Nerks' --given-name='Fred' \
>>> >>   --mail-address='fred@example.com' --random-password
>>> >>
>>> >>
>> > OK, I have recreated your user 'fred' on my DC, just a couple of issues
>> > first, shouldn't --home-drive='u:' be --home-drive='U:' and how will your
>> > user login, I ask this because you (or fred) don't know the password ?
>> >
>> >This is a test set up, and I set the password up later using
>> >'smbpasswd [username]'
> Why not do it all at the same time ?
It's a hang up from years of older and varied systems. I'll be looking
into it in the not too distant future.
> also I am not sure that this is
> really a supported way of changing AD passwords.
Possibly not, but it has been working reliably for years on our
production Samba4.0.x AD.
> Just a thought, you haven't got Unix users with the same name as AD
> users ?
No. All users are created on the Unix side. There are NO overlaps
of usernames nor UIDNumbers or GIDNumbers.
>
>> >
>> >The u: vs U:... Not sure that's a problem (I could be wrong). The
>> >account goes into AD okay, but I will change my scripts.
>> >
> I am not sure either, but it is the way I have always done it and
> microsoft always refers to it in uppercase.
Okay. I'll make the change.
>> >Now, if I run 'getent passwd fred' on the DC, I get this:
>> >
>> > EXAMPLE\fred:*:4999:10000:Fred Nerks:/home/EXAMPLE/fred:/bin/bash
>> >
>> >How come you get a line like that? I get:
>> >
>> >fred:*:4999:4294967295:Fred Nerks:/kusers/techies/fred:/bin/tcsh
>> >
> You probably have sssd running and it is either not set up to read the
> group gidNumber or the group hasn't got one. You also the template lines
> in the DC smb.conf
No. I made sure that all sssd packages were removed. The good thing
now is that on the member server I now get the correct getent results:
fred:*:4999:1001:Fred Nerks:/kusers/techies/fred:/bin/tcsh
>
>> >normal unix style username, and a proper home directory and shell.
>> >
>> > But I get nothing on a member server.
>> >
>> > until I change the uidNumber for fred to 14999 which is inside the
>> >range
>> > I have in smb.conf:
>> >
>> > idmap config EXAMPLE : range = 10000-999999
>> >
>> > So, can we confirm that your line in smb.conf is:
>> >
>> > idmap config AD : range = 600-29999999
>> >
>> >That was correct. However I have changed them to: 600 - 2999999. I
>> >saw errors about the original ones being out of range. The errors
>> >have stopped. Winbindd is still giving me strange results.
>> >
>> >Earlier, you asked "Have you given all the users & groups an ID number
>> >in AD ?". Do you mean the default accounts and groups that come with
>> >a fresh provision as well as the user accounts and groups I create
>> >after the provision?
>> >
>> >
> You can, if you so wish, give every user & group in AD a uidNumber or
> gidNumber, but this is not obligatory. You only need to give them to
> users & groups you want to be visible to Unix machines, the only group
> that must have a gidNumber is Domain Users, winbind will not work
> without this.
Ah ! and this is what fixed it. I must have missed it in the samba
wiki, but Domain Users didn't have a GIDNumber.
Now it is all working absolutely perfectly...
Thank you Rowland.
> Have you considered coming over from the dark side to Debian ? It is so
> much easier over here:-)
>
> Rowland
>
--
Cheers,
David Minard.
Ph: 0247 360 155
Fax: 0247 360 770
School of Computing, Engineering, and Mathematics
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797
[Sometimes waking up just isn't worth the insult of the day to come.]
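The thread boils down to two configuration checks: every user you want visible on the member server needs a uidNumber inside the `idmap config AD:range` of the domain (an idmap block named for the wrong domain, as with SAMBADOM vs AD above, sends everything through the `*` tdb backend and its 30000000+ IDs), and Domain Users must carry a gidNumber. The script below is an added example, not code from this thread or from Samba: it parses the `idmap config X:range` lines from an smb.conf fragment (the one posted after Rowland's correction), checks the ranges for overlap, and audits a constructed set of RFC2307 attributes. The accounts `fred1`, `bob` and the group `techies`, and the domain `EXAMPLE` used in the usage note, are hypothetical values chosen to show each failure mode.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the member server [global] section as posted in the
# thread after the domain name in the idmap block was corrected to AD.
SMB_CONF = """\
[global]
    netbios name = MS1
    workgroup = AD
    security = ADS
    realm = SAMDOM
    idmap config *:backend = tdb
    idmap config *:range = 30000000-40000000
    idmap config AD:backend = ad
    idmap config AD:schema_mode = rfc2307
    idmap config AD:range = 600-29999999
"""

# Constructed RFC2307 attribute dumps (hypothetical values, except fred's
# uidNumber 4999 / gidNumber 600, which are the thread's own numbers).
AD_USERS = {
    "fred":  {"uidNumber": 4999,     "gidNumber": 600},
    "fred1": {"uidNumber": 40000005, "gidNumber": 600},  # outside AD range
    "bob":   {"uidNumber": None,     "gidNumber": 600},  # no Unix attributes set
}
AD_GROUPS = {
    "Domain Users": {"gidNumber": None},  # the missing attribute that broke winbind
    "techies":      {"gidNumber": 600},
}

# Matches "idmap config DOM:range = lo-hi", tolerating spaces around the colon
# (the thread shows both "AD:range" and "EXAMPLE : range").
IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every idmap range line; '*' is the default backend."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if not m:
            continue
        dom = m.group("dom").strip()
        dom = dom if dom == "*" else dom.upper()
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        if lo > hi:
            raise ValueError(f"idmap range for {dom} is reversed: {lo}-{hi}")
        ranges[dom] = (lo, hi)
    return ranges


def find_range_overlaps(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ID ranges intersect ("stuffing up the ranges")."""
    overlaps = []
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                overlaps.append((a, b))
    return overlaps


def users_outside_range(ranges, domain: str, users) -> List[str]:
    """Users with no uidNumber, or one outside the domain's range: the ad backend cannot map them."""
    lo, hi = ranges[domain.upper()]
    return sorted(
        name for name, attrs in users.items()
        if attrs.get("uidNumber") is None or not lo <= attrs["uidNumber"] <= hi
    )


def domain_users_has_gid(groups) -> bool:
    """Domain Users is the one group that must have a gidNumber for winbind to work."""
    return groups.get("Domain Users", {}).get("gidNumber") is not None


def audit(conf: str, domain: str, users, groups) -> List[str]:
    """Collect human-readable findings for the member server configuration."""
    findings = []
    ranges = parse_idmap_ranges(conf)
    for a, b in find_range_overlaps(ranges):
        findings.append(f"idmap ranges for {a} and {b} overlap")
    if domain.upper() not in ranges:
        findings.append(f"no idmap config {domain}:range; users will be allocated from the * backend")
    else:
        for name in users_outside_range(ranges, domain, users):
            findings.append(f"{name}: uidNumber missing or outside idmap config {domain}:range")
    if not domain_users_has_gid(groups):
        findings.append("Domain Users has no gidNumber; winbind will not work without it")
    return findings


if __name__ == "__main__":
    for finding in audit(SMB_CONF, "AD", AD_USERS, AD_GROUPS):
        print(finding)
```

Feeding `audit()` a domain name that has no idmap block (say `"EXAMPLE"`, a hypothetical name) reproduces the first mistake in the thread: the domain falls through to the `*` tdb backend, which is why new accounts showed up with 30000000-range UIDs instead of the uidNumber set in AD.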