[Samba] Several questions about winbind[d]
mathias dufresne
infractory at gmail.com
Thu Jun 25 08:27:32 MDT 2015
Hi all,
I'm wondering about winbind[d] behaviour.
I tried the following with:
auth methods = sam winbindd
and the same with only one d:
auth methods = sam winbind
One user:
ldbsearch -H $sam '(cn=another.fakeuser)' homeDirectory loginShell gidnumber uidnumber
# record 1
dn: CN=another.fakeuser,OU=a,OU=Standards,OU=Utilisateurs,DC=ad,DC=dgfip
homeDirectory: */home/another.fakeuser*
uidNumber: 1000210377
gidNumber: 1000210377
loginShell: */bin/bash*
Seen through winbind eyes:
wbinfo -i another.fakeuser
another.fakeuser:*:1000210377:100:another.fakeuser:*/home/AD/another.fakeuser*:*/bin/false*
Using winbind in nsswitch.conf I could see the same through getent:
getent passwd another.fakeuser
another.fakeuser:*:1000210377:100:another.fakeuser:*/home/AD/another.fakeuser*:*/bin/false*
Regarding gidNumber, I thought it was because no group with that GID existed; after creating one, no change.
Finally I thought about a caching issue, as I could have changed these values after user creation, so I removed /var/lib/samba/winbindd_cache.tdb after stopping samba, then started it again. Same answers from getent and wbinfo.
I am also wondering why the GID of this user is 100. I expect this 100 stands for "Domain users" and I imagine "Domain users" has no members as it contains all non-computer user objects (at least that's how I see it...)
ldbsearch -H $sam '(cn=administrator)' memberOf
..
dn: CN=Administrator,CN=Users,DC=ad,DC=dgfip
memberOf: CN=Administrators,CN=Builtin,DC=ad,DC=dgfip
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=ad,DC=dgfip
memberOf: CN=Enterprise Admins,CN=Users,DC=ad,DC=dgfip
memberOf: CN=Schema Admins,CN=Users,DC=ad,DC=dgfip
memberOf: CN=Domain Admins,CN=Users,DC=ad,DC=dgfip
..
getent passwd administrator
administrator:*:0:100::/home/AD/administrator:/bin/false
To sum up, I don't understand why wbinfo does not use the attribute values from LDB, or why it rewrites them.
Best regards,
mathias
PS: my /etc/samba/smb.conf:
---------------------------------------------------------------------------
# Global parameters
[global]
workgroup = AD.DOMAIN
realm = ad.domain.tld
netbios name = DCname
server role = active directory domain controller
dns forwarder = A.B.C.D
idmap_ldb:use rfc2307 = yes
auth methods = sam winbindd
#auth methods = winbind sam
time server = yes
wins support = yes
idmap config * : backend = tdb
idmap config * : range = 2000-999999999
idmap config AD.DOMAIN : backend = ad
idmap config AD.DOMAIN : schema_mode = rfc2307
idmap config AD.DOMAIN : range = 1000000000-3999999999
# Use home directory and shell information from AD
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind expand groups = 3
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
server services = +smb -s3fs
#dcerpc endpoint servers = +winreg +srvsvc
#dbwrap_tdb_mutexes:* = yes
#log level = 0 auth:0 sam:0 passdb:0
[netlogon]
path = /var/lib/samba/sysvol/ad.dgfip.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
---------------------------------------------------------------------------
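An added diagnostic for the discrepancy shown above (example code written for this page, not part of the original post or of Samba): it parses the LDIF record that ldbsearch prints and the passwd line that getent/wbinfo returns, then lists every RFC2307 attribute whose value in the directory differs from what NSS handed back. The sample inputs are constructed from the values in the post (without the emphasis asterisks); on a real system you would feed it the two command outputs instead.

```python
"""Compare the RFC2307 attributes stored in AD (ldbsearch output) with what
winbind/NSS actually returns (getent passwd / wbinfo -i) and list the
fields that differ.  Added example; the sample inputs below are constructed
from the values shown in the post, not captured from a live domain."""

# LDAP attribute (lower-cased) -> index into the 7-field passwd line
# name:passwd:uid:gid:gecos:dir:shell
ATTR_TO_PASSWD_FIELD = {
    "uidnumber": 2,
    "gidnumber": 3,
    "homedirectory": 5,
    "loginshell": 6,
}


def parse_ldif_record(text):
    """Parse the first record of ldbsearch/LDIF output into a dict of
    lower-cased attribute name -> list of values.  LDIF folding (continuation
    lines starting with one space) is undone, '#' comment lines are skipped,
    and the first blank line after the record ends it."""
    logical_lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]   # continuation of the previous line
        else:
            logical_lines.append(raw)

    attrs = {}
    for line in logical_lines:
        if line.startswith("#"):
            continue
        if not line.strip():
            if attrs:
                break                      # end of the first record
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def parse_passwd_line(line):
    """Split one getent/wbinfo -i line into its 7 passwd fields."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 passwd fields, got %d" % len(fields))
    return fields


def compare_user(ldif_text, passwd_line):
    """Return {attribute: (ad_value, nss_value)} for each RFC2307 attribute
    whose directory value differs from the NSS answer.  An empty dict means
    winbind honoured the directory for every checked field."""
    attrs = parse_ldif_record(ldif_text)
    fields = parse_passwd_line(passwd_line)
    diffs = {}
    for attr, idx in ATTR_TO_PASSWD_FIELD.items():
        ad_value = attrs.get(attr, [None])[0]   # single-valued attributes
        nss_value = fields[idx]
        if ad_value != nss_value:
            diffs[attr] = (ad_value, nss_value)
    return diffs


# Constructed sample inputs mirroring the values quoted in the post.
SAMPLE_LDIF = """\
# record 1
dn: CN=another.fakeuser,OU=a,OU=Standards,OU=Utilisateurs,DC=ad,DC=dgfip
homeDirectory: /home/another.fakeuser
uidNumber: 1000210377
gidNumber: 1000210377
loginShell: /bin/bash

# returned 1 records
"""
SAMPLE_GETENT = ("another.fakeuser:*:1000210377:100:another.fakeuser:"
                 "/home/AD/another.fakeuser:/bin/false")


if __name__ == "__main__":
    mismatches = compare_user(SAMPLE_LDIF, SAMPLE_GETENT)
    if not mismatches:
        print("NSS answer matches the directory for all RFC2307 fields")
    for attr, (ad_value, nss_value) in sorted(mismatches.items()):
        print("%-14s AD=%-28s NSS=%s" % (attr, ad_value, nss_value))
```

Run against real data with the two commands from the post, e.g. `compare_user(open("ldb.out").read(), open("getent.out").read())`. The NSS values in the sample (`/home/AD/another.fakeuser` and `/bin/false`) are exactly what Samba's `template homedir` (default `/home/%D/%U`) and `template shell` (default `/bin/false`) produce, so a report listing only those two fields plus gidNumber is a strong hint that the rfc2307 nss info is not being applied for that domain, rather than that the directory holds different values.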