[Samba] Winbindd Strangeness
Rowland Penny
rowlandpenny at googlemail.com
Thu Jun 25 07:20:41 MDT 2015
On 25/06/15 13:44, David Minard wrote:
>> On 24/06/15 02:55, David Minard wrote:
>>> On 23/06/15 13:32, David Minard wrote:
>>>
>>>> I've Set up a DC and a Member Server for a file server. Both are
>>>> running on Centos7 and samba version 4.2.2. The Member Server is
>>>> running smbd and winbindd.
>>>>
>>>> I've followed the wiki and for the most part it's working.
>>>> However, after stuffing up the ranges, then fixing them up, when I
>>>> create new accounts, adding all the Unix attributes, the UID_Number
>>>> is not showing the correct value for new accounts. Existing ones are
>>>> okay.
>>>>
>>>> Member_Server Config:
>>>>
>>>> [global]
>>>>
>>>> netbios name = MS1
>>>> workgroup = AD
>>>> security = ADS
>>>> realm = SAMBADOM
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> kerberos method = secrets and keytab
>>>>
>>>> idmap config *:backend = tdb
>>>> idmap config *:range = 30000000-40000000
>>>> idmap config SAMBADOM:backend = ad
>>>> idmap config SAMBADOM:schema_mode = rfc2307
>>>> idmap config SAMBADOM:range = 600-29999999
>>>>
>>>> winbind nss info = rfc2307
>>>> winbind trusted domains only = no
>>>> winbind use default domain = yes
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> winbind refresh tickets = Yes
>>>>
>>>>
>>>>
>>>> Existing Account:
>>>> getent passwd fred
>>>>
>>>> fred:*:4999:30000000:Fred Nerks:/home/fred:/bin/tcsh
>>>>
>>>> New Account:
>>>>
>>>> fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
>>>>
>>>> Fred1 was set up with --uid-number='5004'
>>>>
>>>> I've tried clearing winbindd caches as per some post I read:
>>>>
>>>> systemctl stop winbindd
>>>> rm /usr/local/samba/var/locks/group_mapping.tdb*
>>>> /usr/local/samba/var/locks/winbindd_idmap.tdb*
>>>> /usr/local/samba/var/locks/winbindd_cache.tdb*
>>>> systemctl start winbindd
>>>>
>>>> But no change.
>>>>
>>>> I've also noticed that the default group that all users are in
>>>> used to be "domain users", now for some reason they are all in
>>>> "BUILTIN\administrators" !
>>>> Am I doing something wrong? If so, what. If not, how do
>>>> I track down why this is happening?
>>>>
>>>> Cheers,
>>>> David Minard.
>>>> Ph: 0247 360 155
>>>> Fax: 0247 360 770
>>>>
>>>> School of Computing, Engineering, and Mathematics
>>>> Building Y - Penrith Campus (Kingswood)
>>>> Locked bag 1797
>>>> Penrith South DC
>>>> NSW 1797
>>>>
>>>> [Sometimes waking up just isn't worth the insult of the day to
>>>> come.]
>>>>
>>>>
>>> Yes, you do appear to doing things wrong workgroup = AD but: idmap
>>> config SAMBADOM:backend = ad idmap config SAMBADOM:schema_mode =
>>> rfc2307 idmap config SAMBADOM:range = 600-29999999 'SAMBADOM' should
>>> be 'AD' You have 'realm = SAMBADOM' , it really should be something
>>> like 'realm = SAMBADOM.COM' Rowland
>>>
>>> Thanks for the quick reply Roland. The change didn't make any
>>> difference. I remember having it the way you suggested in the first
>>> place, but was still getting strangeness. I have put it back to the
>>> right way as suggested. I now have a config of:
>>>
>>> [global]
>>>
>>> netbios name = MS1
>>> workgroup = AD
>>> security = ADS
>>> realm = SAMDOM
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 30000000-40000000
>>> idmap config AD:backend = ad
>>> idmap config AD:schema_mode = rfc2307
>>> idmap config AD:range = 600-29999999
>>>
>>> winbind nss info = rfc2307
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind refresh tickets = Yes
>>>
>>>
>>> SAMDOM is as you say, a domain name for the AD.
>>>
>>> I noticed that the UIDNumber of new accounts are overlapping with
>>> system accounts.
>>>
>>> fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
>>> krbtgt:*:30000002:30000000:krbtgt:/home/AD/krbtgt:/bin/false
>>>
>>> fred:*:30000000:30000000:Fred Nerks:/home/fred:/bin/tcsh
>>> administrator:*:30000000:30000000:Administrator:/home/AD/administrator:/bin/false
>>>
>>>
>>
>> Strange, have you tried running 'net cache flush' on the member server ?
> No I hadn't. I tried it. Now 'getent passwd' gives only gives me the unix accounts on the server. 'wbinfo -u' works fine.
>
>> Have you given all the users & groups an ID number in AD ?
> Only users and groups that I have created. Do I have to do that for the default accounts too?
>
>> Can you post the exact command you are using to create users.
>>
> samba-tool user add fred --userou='OU=Test Users' --profile-path='\\ms1.example.com\profiles\fred' --home-drive='u:' --home-directory='\\ms1.example.com\fred' --login-shell='/bin/tcsh' --gecos='Fred Nerks' --gid-number='600' --uid-number='4999' --uid='fred' --unix-home='/home/fred' --nis-domain='AD' --surname='Nerks' --given-name='Fred' --mail-address='fred at example.com' --random-password
>
>
OK, I have recreated your user 'fred' on my DC, just a couple of issues
first, shouldn't --home-drive='u:' be
--home-drive='U:' and how will your user login, I ask this because you
(or fred) don't know the password ?
Now, if I run 'getent passwd fred' on the DC, I get this:
EXAMPLE\fred:*:4999:10000:Fred Nerks:/home/EXAMPLE/fred:/bin/bash
But I get nothing on a member server.
until I change the uidNumber for fred to 14999 which is inside the range
I have in smb.conf:
idmap config EXAMPLE : range = 10000-999999
So, can we confirm that your line in smb.conf is:
idmap config AD : range = 600-29999999
Rowland
More information about the samba
mailing list