[Samba] Winbindd Strangeness

Rowland Penny rowlandpenny at googlemail.com
Thu Jun 25 07:20:41 MDT 2015


On 25/06/15 13:44, David Minard wrote:
>> On 24/06/15 02:55, David Minard wrote:
>>> On 23/06/15 13:32, David Minard wrote:
>>>
>>>>     I've Set up a DC and a Member Server for a file server.  Both are
>>>> running on Centos7 and samba version 4.2.2.  The Member Server is
>>>> running smbd and winbindd.
>>>>
>>>>     I've followed the wiki and for the most part it's working.
>>>> However, after stuffing up the ranges, then fixing them up, when I
>>>> create new accounts, adding all the Unix attributes, the UID_Number
>>>> is not showing the correct value for new accounts. Existing ones are
>>>> okay.
>>>>
>>>>     Member_Server Config:
>>>>
>>>>     [global]
>>>>
>>>>         netbios name = MS1
>>>>         workgroup = AD
>>>>         security = ADS
>>>>         realm = SAMBADOM
>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>         kerberos method = secrets and keytab
>>>>
>>>>         idmap config *:backend = tdb
>>>>         idmap config *:range = 30000000-40000000
>>>>         idmap config SAMBADOM:backend = ad
>>>>         idmap config SAMBADOM:schema_mode = rfc2307
>>>>         idmap config SAMBADOM:range = 600-29999999
>>>>
>>>>         winbind nss info = rfc2307
>>>>         winbind trusted domains only = no
>>>>         winbind use default domain = yes
>>>>         winbind enum users  = yes
>>>>         winbind enum groups = yes
>>>>         winbind refresh tickets = Yes
>>>>
>>>>
>>>>
>>>>     Existing Account:
>>>>     getent passwd fred
>>>>
>>>>     fred:*:4999:30000000:Fred Nerks:/home/fred:/bin/tcsh
>>>>
>>>>     New Account:
>>>>
>>>>     fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
>>>>
>>>>     Fred1 was set up with --uid-number='5004'
>>>>
>>>>     I've tried clearing winbindd caches as per some post I read:
>>>>
>>>>     systemctl stop winbindd
>>>>     rm /usr/local/samba/var/locks/group_mapping.tdb*
>>>> /usr/local/samba/var/locks/winbindd_idmap.tdb*
>>>> /usr/local/samba/var/locks/winbindd_cache.tdb*
>>>>     systemctl start winbindd
>>>>
>>>>     But no change.
>>>>
>>>>     I've also noticed that the default group that all users are in
>>>> used to be "domain users", now for some reason they are all in
>>>> "BUILTIN\administrators" !
>>>>            Am I doing something wrong?  If so, what.  If not, how do
>>>> I track down why this is happening?
>>>>
>>>>     Cheers,
>>>>     David Minard.
>>>>     Ph:    0247 360 155
>>>>     Fax:    0247 360 770
>>>>
>>>>     School of Computing, Engineering, and Mathematics
>>>>     Building Y - Penrith Campus (Kingswood)
>>>>     Locked bag 1797
>>>>     Penrith South DC
>>>>     NSW 1797
>>>>
>>>>     [Sometimes waking up just isn't worth the insult of the day to
>>>> come.]
>>>>
>>>>
>>>    Yes, you do appear to be doing things wrong
>>>
>>>    workgroup = AD
>>>
>>>    but:
>>>
>>>    idmap config SAMBADOM:backend = ad
>>>    idmap config SAMBADOM:schema_mode = rfc2307
>>>    idmap config SAMBADOM:range = 600-29999999
>>>
>>>    'SAMBADOM' should be 'AD'
>>>
>>>    You have 'realm = SAMBADOM', it really should be something
>>>    like 'realm = SAMBADOM.COM'
>>>
>>>    Rowland
>>>
>>> Thanks for the quick reply Roland.  The change didn't make any
>>> difference.  I remember having it the way you suggested in the first
>>> place, but was still getting strangeness.  I have put it back to the
>>> right way as suggested.  I now have a config of:
>>>
>>> [global]
>>>
>>>   netbios name = MS1
>>>   workgroup = AD
>>>   security = ADS
>>>   realm = SAMDOM
>>>   dedicated keytab file = /etc/krb5.keytab
>>>   kerberos method = secrets and keytab
>>>
>>>   idmap config *:backend = tdb
>>>   idmap config *:range = 30000000-40000000
>>>   idmap config AD:backend = ad
>>>   idmap config AD:schema_mode = rfc2307
>>>   idmap config AD:range = 600-29999999
>>>
>>>   winbind nss info = rfc2307
>>>   winbind trusted domains only = no
>>>   winbind use default domain = yes
>>>   winbind enum users  = yes
>>>   winbind enum groups = yes
>>>   winbind refresh tickets = Yes
>>>
>>>
>>> SAMDOM is as you say, a domain name for the AD.
>>>
>>> I noticed that the UIDNumber of new accounts are overlapping with
>>> system accounts.
>>>
>>> fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
>>> krbtgt:*:30000002:30000000:krbtgt:/home/AD/krbtgt:/bin/false
>>>
>>> fred:*:30000000:30000000:Fred Nerks:/home/fred:/bin/tcsh
>>> administrator:*:30000000:30000000:Administrator:/home/AD/administrator:/bin/false
>>>
>>>
>>
>> Strange, have you tried running 'net cache flush' on the member server ?
> No I hadn't.  I tried it.  Now 'getent passwd' only gives me the unix accounts on the server.  'wbinfo -u' works fine.
>
>> Have you given all the users & groups an ID number in AD ?
> Only users and groups that I have created.  Do I have to do that for the default accounts too?
>
>> Can you post the exact command you are using to create users.
>>
> samba-tool user add fred --userou='OU=Test Users' --profile-path='\\ms1.example.com\profiles\fred' --home-drive='u:' --home-directory='\\ms1.example.com\fred' --login-shell='/bin/tcsh' --gecos='Fred Nerks' --gid-number='600' --uid-number='4999' --uid='fred' --unix-home='/home/fred' --nis-domain='AD' --surname='Nerks' --given-name='Fred' --mail-address='fred at example.com'  --random-password
>
>

OK, I have recreated your user 'fred' on my DC, just a couple of issues 
first, shouldn't --home-drive='u:' be
--home-drive='U:' and how will your user log in, I ask this because you 
(or fred) don't know the password ?

Now, if I run 'getent passwd fred' on the DC, I get this:

EXAMPLE\fred:*:4999:10000:Fred Nerks:/home/EXAMPLE/fred:/bin/bash

But I get nothing on a member server,

until I change the uidNumber for fred to 14999 which is inside the range 
I have in smb.conf:

idmap config EXAMPLE : range = 10000-999999

So, can we confirm that your line in smb.conf is:

idmap config AD : range = 600-29999999

Rowland
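The point Rowland is making is that winbind only hands out a user's AD uidNumber when that number falls inside the `idmap config DOMAIN:range` configured on the member server, and that a uid landing in the `*` range means it was allocated by the tdb fallback rather than read from AD. The script below, added here as an illustration and not part of the thread or of Samba itself, parses the `idmap config ... : range` lines out of an smb.conf fragment, flags overlapping ranges, and classifies `getent passwd` lines by which range their uid falls in. The smb.conf fragments and passwd lines are constructed from the values posted in the thread (Rowland's own `*` range is not on the page, so it is omitted); the function names are hypothetical.

```python
import re
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Constructed sample: the member-server [global] fragment from the thread,
# reduced to the lines that matter for ID mapping.
MEMBER_SMB_CONF = """
[global]
    workgroup = AD
    idmap config *:backend = tdb
    idmap config *:range = 30000000-40000000
    idmap config AD:backend = ad
    idmap config AD:schema_mode = rfc2307
    idmap config AD:range = 600-29999999
"""

# Constructed sample: only the domain range Rowland quoted; his '*' range
# is not on the page, so it is left out here.
ROWLAND_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 10000-999999
"""

# Accepts both 'idmap config AD:range = ...' and 'idmap config AD : range = ...'.
_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every 'idmap config X:range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = _RANGE_RE.match(line)
        if not m:
            continue
        lo, hi = int(m["lo"]), int(m["hi"])
        if lo > hi:
            raise ValueError(f"inverted idmap range for {m['dom']}: {lo}-{hi}")
        ranges[m["dom"].upper()] = (lo, hi)
    return ranges


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of domains whose ranges intersect; idmap ranges must be disjoint."""
    hits = []
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        if alo <= bhi and blo <= ahi:
            hits.append((a, b))
    return hits


def domain_for_id(ranges: Dict[str, Tuple[int, int]], xid: int) -> Optional[str]:
    """Which configured range contains this uid/gid, or None if no range does."""
    for dom, (lo, hi) in ranges.items():
        if lo <= xid <= hi:
            return dom
    return None


def check_passwd_entry(ranges: Dict[str, Tuple[int, int]], workgroup: str,
                       passwd_line: str) -> dict:
    """Classify one 'getent passwd' line by where its uid falls."""
    fields = passwd_line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd(5) line")
    user, uid = fields[0], int(fields[2])
    dom = domain_for_id(ranges, uid)
    if dom == workgroup.upper():
        verdict = "uid comes from the AD domain range"
    elif dom == "*":
        verdict = "uid allocated by the '*' tdb fallback, not taken from AD"
    elif dom is None:
        verdict = "uid lies outside every idmap range"
    else:
        verdict = f"uid belongs to the range of domain {dom}"
    return {"user": user, "uid": uid, "domain": dom, "verdict": verdict}


if __name__ == "__main__":
    member = parse_idmap_ranges(MEMBER_SMB_CONF)
    print("overlaps:", overlapping_ranges(member))
    # Constructed passwd lines taken from the thread.
    for line in ("fred:*:4999:30000000:Fred Nerks:/home/fred:/bin/tcsh",
                 "fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh"):
        print(check_passwd_entry(member, "AD", line))
    rowland = parse_idmap_ranges(ROWLAND_SMB_CONF)
    for uid in (4999, 14999):
        print(uid, "->", domain_for_id(rowland, uid))
```

Run against the thread's values, fred (uid 4999) resolves to the AD range while fred1 (uid 30000002) is reported as allocated from the `*` fallback, and under Rowland's 10000-999999 range uid 4999 matches no range at all, which is why `getent passwd fred` returned nothing on his member server until the uidNumber was moved to 14999.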


