[Samba] Winbindd Strangeness

David Minard david at scem.uws.edu.au
Thu Jun 25 06:44:04 MDT 2015


> 
> On 24/06/15 02:55, David Minard wrote:
>> On 23/06/15 13:32, David Minard wrote:
>> 
>>>    I've set up a DC and a Member Server for a file server.  Both are 
>>> running on Centos7 and samba version 4.2.2.  The Member Server is 
>>> running smbd and winbindd.
>>> 
>>>    I've followed the wiki and for the most part it's working. 
>>> However, after stuffing up the ranges, then fixing them up, when I 
>>> create new accounts, adding all the Unix attributes, the UID_Number 
>>> is not showing the correct value for new accounts. Existing ones are 
>>> okay.
>>> 
>>>    Member_Server Config:
>>> 
>>>    [global]
>>> 
>>>        netbios name = MS1
>>>        workgroup = AD
>>>        security = ADS
>>>        realm = SAMBADOM
>>>        dedicated keytab file = /etc/krb5.keytab
>>>        kerberos method = secrets and keytab
>>> 
>>>        idmap config *:backend = tdb
>>>        idmap config *:range = 30000000-40000000
>>>        idmap config SAMBADOM:backend = ad
>>>        idmap config SAMBADOM:schema_mode = rfc2307
>>>        idmap config SAMBADOM:range = 600-29999999
>>> 
>>>        winbind nss info = rfc2307
>>>        winbind trusted domains only = no
>>>        winbind use default domain = yes
>>>        winbind enum users  = yes
>>>        winbind enum groups = yes
>>>        winbind refresh tickets = Yes
>>> 
>>> 
>>> 
>>>    Existing Account:
>>>    getent passwd fred
>>> 
>>>    fred:*:4999:30000000:Fred Nerks:/home/fred:/bin/tcsh
>>> 
>>>    New Account:
>>> 
>>>    fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
>>> 
>>>    Fred1 was set up with --uid-number='5004'
>>> 
>>>    I've tried clearing winbindd caches as per some post I read:
>>> 
>>>    systemctl stop winbindd
>>>    rm /usr/local/samba/var/locks/group_mapping.tdb* 
>>> /usr/local/samba/var/locks/winbindd_idmap.tdb* 
>>> /usr/local/samba/var/locks/winbindd_cache.tdb*
>>>    systemctl start winbindd
>>> 
>>>    But no change.
>>> 
>>>    I've also noticed that the default group that all users are in 
>>> used to be "domain users", now for some reason they are all in 
>>> "BUILTIN\administrators" !
>>>    Am I doing something wrong?  If so, what?  If not, how do 
>>> I track down why this is happening?
>>> 
>>>    Cheers,
>>>    David Minard.
>>>    Ph:    0247 360 155
>>>    Fax:    0247 360 770
>>> 
>>>    School of Computing, Engineering, and Mathematics
>>>    Building Y - Penrith Campus (Kingswood)
>>>    Locked bag 1797
>>>    Penrith South DC
>>>    NSW 1797
>>> 
>>>    [Sometimes waking up just isn't worth the insult of the day to 
>>> come.]
>>> 
>>> 
>>   Yes, you do appear to be doing things wrong:
>> 
>>   workgroup = AD
>> 
>>   but:
>> 
>>   idmap config SAMBADOM:backend = ad
>>   idmap config SAMBADOM:schema_mode = rfc2307
>>   idmap config SAMBADOM:range = 600-29999999
>> 
>>   'SAMBADOM' should be 'AD'.
>> 
>>   You have 'realm = SAMBADOM'; it really should be something like
>>   'realm = SAMBADOM.COM'.
>> 
>>   Rowland
>> 
>> Thanks for the quick reply Rowland.  The change didn't make any 
>> difference.  I remember having it the way you suggested in the first 
>> place, but was still getting strangeness.  I have put it back to the 
>> right way as suggested.  I now have a config of:
>> 
>> [global]
>> 
>>  netbios name = MS1
>>  workgroup = AD
>>  security = ADS
>>  realm = SAMDOM
>>  dedicated keytab file = /etc/krb5.keytab
>>  kerberos method = secrets and keytab
>> 
>>  idmap config *:backend = tdb
>>  idmap config *:range = 30000000-40000000
>>  idmap config AD:backend = ad
>>  idmap config AD:schema_mode = rfc2307
>>  idmap config AD:range = 600-29999999
>> 
>>  winbind nss info = rfc2307
>>  winbind trusted domains only = no
>>  winbind use default domain = yes
>>  winbind enum users  = yes
>>  winbind enum groups = yes
>>  winbind refresh tickets = Yes
>> 
>> 
>> SAMDOM is as you say, a domain name for the AD.
>> 
>> I noticed that the UIDNumbers of new accounts are overlapping with 
>> system accounts.
>> 
>> fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
>> krbtgt:*:30000002:30000000:krbtgt:/home/AD/krbtgt:/bin/false
>> 
>> fred:*:30000000:30000000:Fred Nerks:/home/fred:/bin/tcsh
>> administrator:*:30000000:30000000:Administrator:/home/AD/administrator:/bin/false 
>> 
>> 
> 
> 
> Strange, have you tried running 'net cache flush' on the member server ?

No, I hadn't.  I tried it.  Now 'getent passwd' only gives me the unix accounts on the server.  'wbinfo -u' works fine.

> Have you given all the users & groups an ID number in AD ?

Only users and groups that I have created.  Do I have to do that for the default accounts too?

> 
> Can you post the exact command you are using to create users.
> 

samba-tool user add fred --userou='OU=Test Users' --profile-path='\\ms1.example.com\profiles\fred' --home-drive='u:' --home-directory='\\ms1.example.com\fred' --login-shell='/bin/tcsh' --gecos='Fred Nerks' --gid-number='600' --uid-number='4999' --uid='fred' --unix-home='/home/fred' --nis-domain='AD' --surname='Nerks' --given-name='Fred' --mail-address='fred at example.com'  --random-password

> Rowland
> 
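As an added check (not part of the thread or of Samba), the script below parses the [global] section of an smb.conf and flags the three things Rowland points at: an 'idmap config DOMAIN:' key that does not match 'workgroup', which makes that domain fall through to the '*' tdb backend and get allocated IDs such as 30000002 instead of the rfc2307 uidNumber; a realm that is not a DNS name; and overlapping idmap ranges. The sample smb.conf is constructed from the first configuration posted above.

```python
import re

# Constructed input, copied from the first smb.conf in the thread: the
# idmap domain key (SAMBADOM) does not match 'workgroup = AD'.
BROKEN_CONF = """
[global]
    workgroup = AD
    realm = SAMBADOM
    idmap config *:backend = tdb
    idmap config *:range = 30000000-40000000
    idmap config SAMBADOM:backend = ad
    idmap config SAMBADOM:range = 600-29999999
"""
# Same file after Rowland's correction: the idmap key now matches the workgroup.
FIXED_CONF = BROKEN_CONF.replace("idmap config SAMBADOM", "idmap config AD")

def parse_global(conf):
    """Return the [global] parameters as {lowercased key: value}."""
    params, section = {}, None
    for line in (l.strip() for l in conf.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def check_idmap(conf):
    """List misconfigurations that make winbind allocate IDs from the '*' range."""
    p = parse_global(conf)
    findings = []
    workgroup = p.get("workgroup", "").upper()
    idmap = {k: v for k, v in p.items() if k.startswith("idmap config ")}
    # 'idmap config <DOMAIN>:<option>' -> DOMAIN (keys were lowercased)
    domains = {k[len("idmap config "):].split(":")[0].upper() for k in idmap}
    if workgroup and workgroup not in domains:
        findings.append(f"no 'idmap config {workgroup}:*' entries: {workgroup} "
                        "users fall through to the '*' backend")
    if "realm" in p and "." not in p["realm"]:
        findings.append(f"realm '{p['realm']}' is not the AD DNS domain name")
    ranges = sorted((int(v.split("-")[0]), int(v.split("-")[1]),
                     k[len("idmap config "):].split(":")[0])
                    for k, v in idmap.items() if k.endswith(":range"))
    for (_, hi1, d1), (lo2, _, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"idmap ranges for '{d1}' and '{d2}' overlap")
    return findings
```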
