[Samba] Several questions about winbind[d]

mathias dufresne infractory at gmail.com
Thu Jun 25 08:27:32 MDT 2015


Hi all,

I'm wondering about winbind[d] behaviour.
I tried the following with:
auth methods = sam winbindd
and the same with only one d:
auth methods = sam winbind

One user:
ldbsearch -H $sam '(cn=another.fakeuser)' homeDirectory loginShell gidnumber uidnumber
# record 1
dn: CN=another.fakeuser,OU=a,OU=Standards,OU=Utilisateurs,DC=ad,DC=dgfip
homeDirectory: */home/another.fakeuser*
uidNumber: 1000210377
gidNumber: 1000210377
loginShell: */bin/bash*

Seen through winbind eyes:
wbinfo -i another.fakeuser
another.fakeuser:*:1000210377:100:another.fakeuser:*/home/AD/another.fakeuser*:*/bin/false*
Using winbind in nsswitch.conf I could see the same through getent:
getent passwd another.fakeuser
another.fakeuser:*:1000210377:100:another.fakeuser:*/home/AD/another.fakeuser*:*/bin/false*

Regarding gidNumber I thought it was because no group with that GID existed;
after creating one, no change.

Finally I thought about a caching issue, as I could have changed these values
after user creation, so I removed /var/lib/samba/winbindd_cache.tdb after
stopping samba, then started it again. Same answers from getent and wbinfo.

I am also wondering why the GID of this user is 100. I expect this 100 stands for
"Domain users" and I imagine "Domain users" has no members as it contains
all non-computer user objects (at least that's how I see it...)

ldbsearch -H $sam '(cn=administrator)' memberOf
..
dn: CN=Administrator,CN=Users,DC=ad,DC=dgfip
memberOf: CN=Administrators,CN=Builtin,DC=ad,DC=dgfip
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=ad,DC=dgfip
memberOf: CN=Enterprise Admins,CN=Users,DC=ad,DC=dgfip
memberOf: CN=Schema Admins,CN=Users,DC=ad,DC=dgfip
memberOf: CN=Domain Admins,CN=Users,DC=ad,DC=dgfip
..


getent passwd administrator
administrator:*:0:100::/home/AD/administrator:/bin/false

To sum up, I don't understand why wbinfo does not use the attribute values from
LDB, or why it rewrites them.

Best regards,

mathias

PS: my /etc/samba/smb.conf :

---------------------------------------------------------------------------
# Global parameters
[global]
        workgroup = AD.DOMAIN
        realm = ad.domain.tld
        netbios name = DCname
        server role = active directory domain controller

        dns forwarder = A.B.C.D
        idmap_ldb:use rfc2307 = yes

        auth methods = sam winbindd
        #auth methods = winbind sam
        time server = yes
        wins support = yes

        idmap config * : backend = tdb
        idmap config * : range = 2000-999999999
        idmap config AD.DOMAIN : backend = ad
        idmap config AD.DOMAIN : schema_mode = rfc2307
        idmap config AD.DOMAIN : range = 1000000000-3999999999

        # Use home directory and shell information from AD
        winbind nss info = rfc2307

        winbind trusted domains only = no
        winbind use default domain = yes
        winbind expand groups = 3

        winbind enum users  = yes
        winbind enum groups = yes

        winbind refresh tickets = Yes

        server services = +smb -s3fs
        #dcerpc endpoint servers = +winreg +srvsvc

        #dbwrap_tdb_mutexes:* = yes

        #log level = 0 auth:0 sam:0 passdb:0

[netlogon]
        path = /var/lib/samba/sysvol/ad.dgfip.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
---------------------------------------------------------------------------
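As an added diagnostic (not part of the original mail), the script below parses the two outputs shown in the post, the ldbsearch LDIF record and the passwd-style line from wbinfo/getent, and lists every RFC2307 attribute where winbind's answer differs from what the directory holds. The sample records are constructed from the values in the post (with the mail client's emphasis asterisks removed); the attribute-to-field mapping is the standard RFC2307 one that `winbind nss info = rfc2307` is meant to apply.

```python
import base64

# Constructed sample: the ldbsearch record from the post, asterisks removed.
LDB_SAMPLE = """\
# record 1
dn: CN=another.fakeuser,OU=a,OU=Standards,OU=Utilisateurs,DC=ad,DC=dgfip
homeDirectory: /home/another.fakeuser
uidNumber: 1000210377
gidNumber: 1000210377
loginShell: /bin/bash
"""

# Constructed sample: the matching `wbinfo -i` / `getent passwd` line.
PASSWD_SAMPLE = ("another.fakeuser:*:1000210377:100:another.fakeuser:"
                 "/home/AD/another.fakeuser:/bin/false")

# RFC2307 attribute (lowercased) -> passwd(5) field winbind should fill from it.
RFC2307_MAP = {
    "uidnumber": "uid",
    "gidnumber": "gid",
    "homedirectory": "home",
    "loginshell": "shell",
}


def parse_ldif(text):
    """Parse one LDIF record into {lowercased attribute: [values]}.

    Skips '#' comments and blank lines, joins continuation lines (a line
    starting with a single space continues the previous value) and decodes
    base64 values written with '::'.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def parse_passwd(line):
    """Split a passwd(5)-style line into its seven named fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields, got %d" % len(fields))
    name, passwd, uid, gid, gecos, home, shell = fields
    return {"name": name, "passwd": passwd, "uid": uid, "gid": gid,
            "gecos": gecos, "home": home, "shell": shell}


def compare_user(ldb_attrs, pw):
    """Return [(attribute, directory_value, winbind_value), ...] for each
    RFC2307 attribute whose directory value differs from winbind's answer.
    An attribute absent from the directory is reported with None."""
    mismatches = []
    for attr, field in RFC2307_MAP.items():
        ldb_value = ldb_attrs.get(attr, [None])[0]
        if ldb_value != pw[field]:
            mismatches.append((attr, ldb_value, pw[field]))
    return mismatches


if __name__ == "__main__":
    diffs = compare_user(parse_ldif(LDB_SAMPLE), parse_passwd(PASSWD_SAMPLE))
    if not diffs:
        print("winbind answer matches the directory")
    for attr, want, got in diffs:
        print("%-14s directory=%r  winbind=%r" % (attr, want, got))
```

On a real DC, replace the two samples with the live output of `ldbsearch` and `getent passwd` for the same account; an empty mismatch list after a configuration change or a cache flush is the concrete check that the values winbind hands to NSS really come from the directory. For the data in the post the script reports three differences: gidNumber, homeDirectory and loginShell.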