[Samba] Winbindd Strangeness
David Minard
david at scem.uws.edu.au
Sun Jun 28 21:26:59 MDT 2015
On 25/06/15 13:44, David Minard wrote:
>> On 24/06/15 02:55, David Minard wrote:
>>> On 23/06/15 13:32, David Minard wrote:
>>>
>>>> I've Set up a DC and a Member Server for a file server. Both are
>>>> running on Centos7 and samba version 4.2.2. The Member Server is
>>>> running smbd and winbindd.
>>>>
>>>> I've followed the wiki and for the most part it's working.
>>>> However, after stuffing up the ranges, then fixing them up, when I
>>>> create new accounts, adding all the Unix attributes, the UID_Number
>>>> is not showing the correct value for new accounts. Existing ones are
>>>> okay.
>>>>
>>>> Member_Server Config:
>>>>
>>>> [global]
>>>>
>>>> netbios name = MS1
>>>> workgroup = AD
>>>> security = ADS
>>>> realm = SAMBADOM
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> kerberos method = secrets and keytab
>>>>
>>>> idmap config *:backend = tdb
>>>> idmap config *:range = 30000000-40000000
>>>> idmap config SAMBADOM:backend = ad
>>>> idmap config SAMBADOM:schema_mode = rfc2307
>>>> idmap config SAMBADOM:range = 600-29999999
>>>>
>>>> winbind nss info = rfc2307
>>>> winbind trusted domains only = no
>>>> winbind use default domain = yes
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> winbind refresh tickets = Yes
>>>>
>>>>
>>>>
>>>> Existing Account:
>>>> getent passwd fred
>>>>
>>>> fred:*:4999:30000000:Fred Nerks:/home/fred:/bin/tcsh
>>>>
>>>> New Account:
>>>>
>>>> fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
>>>>
>>>> Fred1 was set up with --uid-number='5004'
>>>>
>>>> I've tried clearing winbindd caches as per some post I read:
>>>>
>>>> systemctl stop winbindd
>>>> rm /usr/local/samba/var/locks/group_mapping.tdb* \
>>>>    /usr/local/samba/var/locks/winbindd_idmap.tdb* \
>>>>    /usr/local/samba/var/locks/winbindd_cache.tdb*
>>>> systemctl start winbindd
>>>>
>>>> But no change.
>>>>
>>>> I've also noticed that the default group that all users are in
>>>> used to be "domain users", now for some reason they are all in
>>>> "BUILTIN\administrators" !
>>>> Am I doing something wrong? If so, what. If not, how do
>>>> I track down why this is happening?
>>>>
>>>> Cheers,
>>>> David Minard.
>>>>
>>> Yes, you do appear to be doing things wrong: workgroup = AD but:
>>>
>>> idmap config SAMBADOM:backend = ad
>>> idmap config SAMBADOM:schema_mode = rfc2307
>>> idmap config SAMBADOM:range = 600-29999999
>>>
>>> 'SAMBADOM' should be 'AD'. You have 'realm = SAMBADOM', it really should be
>>> something like 'realm = SAMBADOM.COM'
>>>
>>> Rowland
>>>
>>> Thanks for the quick reply Rowland. The change didn't make any
>>> difference. I remember having it the way you suggested in the first
>>> place, but was still getting strangeness. I have put it back to the
>>> right way as suggested. I now have a config of:
>>>
>>> [global]
>>>
>>> netbios name = MS1
>>> workgroup = AD
>>> security = ADS
>>> realm = SAMDOM
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 30000000-40000000
>>> idmap config AD:backend = ad
>>> idmap config AD:schema_mode = rfc2307
>>> idmap config AD:range = 600-29999999
>>>
>>> winbind nss info = rfc2307
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind refresh tickets = Yes
>>>
>>>
>>> SAMDOM is as you say, a domain name for the AD.
>>>
>>> I noticed that the UIDNumber of new accounts are overlapping with
>>> system accounts.
>>>
>>> fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
>>> krbtgt:*:30000002:30000000:krbtgt:/home/AD/krbtgt:/bin/false
>>>
>>> fred:*:30000000:30000000:Fred Nerks:/home/fred:/bin/tcsh
>>> administrator:*:30000000:30000000:Administrator:/home/AD/administrator:/bin/false
>>>
>>>
>> Strange, have you tried running 'net cache flush' on the member server ?
> No I hadn't. I tried it. Now 'getent passwd' only gives me the unix accounts on the server. 'wbinfo -u' works fine.
>
>> Have you given all the users & groups an ID number in AD ?
> Only users and groups that I have created. Do I have to do that for the default accounts too?
>
>> Can you post the exact command you are using to create users.
>>
> samba-tool user add fred --userou='OU=Test Users' --profile-path='\\ms1.example.com\profiles\fred' --home-drive='u:' --home-directory='\\ms1.example.com\fred' --login-shell='/bin/tcsh' --gecos='Fred Nerks' --gid-number='600' --uid-number='4999' --uid='fred' --unix-home='/home/fred' --nis-domain='AD' --surname='Nerks' --given-name='Fred' --mail-address='fred at example.com' --random-password
>
>
> OK, I have recreated your user 'fred' on my DC, just a couple of issues
> first, shouldn't --home-drive='u:' be --home-drive='U:' and how will your
> user login, I ask this because you (or fred) don't know the password ?
This is a test set up, and I set the password up later using 'smbpasswd [username]'
The u: vs U:... Not sure that's a problem (I could be wrong). The account goes into AD okay, but I will change my scripts.
> Now, if I run 'getent passwd fred' on the DC, I get this:
> EXAMPLE\fred:*:4999:10000:Fred Nerks:/home/EXAMPLE/fred:/bin/bash
How come you get a line like that? I get:
fred:*:4999:4294967295:Fred Nerks:/kusers/techies/fred:/bin/tcsh
normal unix style username, and a proper home directory and shell.
> But I get nothing on a member server, until I change the uidNumber for
> fred to 14999 which is inside the range I have in smb.conf:
> idmap config EXAMPLE : range = 10000-999999
> So, can we confirm that your line in smb.conf is:
> idmap config AD : range = 600-29999999
That was correct. However I have changed them to: 600 - 2999999. I saw
errors about the original ones being out of range. The errors have
stopped. Winbindd is still giving me strange results.
Earlier, you asked "Have you given all the users & groups an ID number
in AD ?". Do you mean the default accounts and groups that come with a
fresh provision as well as the user accounts and groups I create after
the provision?
> Rowland
I have some other questions. When I run 'net cache flush' the 'getent passwd' stops serving out any samba4 account information. 'wbinfo -u' still works. Why does the connectivity of getent disappear? Starting and stopping smbd and winbindd does not fix it. Removing the above mentioned winbind cache files doesn't help. A re-boot of the server mostly fixes it, but not always. What is the cause? It's been broken since Friday arvo. How can I reliably kick winbindd and get it to work again?
I'm thinking a lot of it has to do with caching, but I don't know enough to put my finger on it...
I want to run all this in production, and have all OSX, Linux boxes, and Windows clients using it as their sole account info/auth, but it has to be rock solid and predictable.
--
Cheers,
David Minard.
Ph: 0247 360 155
Fax: 0247 360 770
School of Computing, Engineering, and Mathematics
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797
[Sometimes waking up just isn't worth the insult of the day to come.]
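Added example (not from the thread, and not Samba's own code): a small check that parses the 'idmap config' lines out of an smb.conf like the one above and classifies each AD account's rfc2307 ids against the workgroup's range, which is the failure Rowland describes (an id outside the range gets no mapping on the member server). It also flags the earlier mistake of naming the idmap entry for a domain other than the workgroup. Both the smb.conf text and the AD attribute values are constructed sample data.

```python
import configparser
import io
import re

# Constructed sample, modelled on the corrected member-server config in the thread.
SMB_CONF = """[global]
workgroup = AD
idmap config *:backend = tdb
idmap config *:range = 30000000-40000000
idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 600-29999999
"""
# Constructed sample of uidNumber/gidNumber attributes as set on AD accounts.
AD_USERS = {
    "fred": {"uidNumber": 4999, "gidNumber": 600},
    "fred1": {"uidNumber": 5004, "gidNumber": 600},
    "administrator": {},                               # no rfc2307 attributes
    "bob": {"uidNumber": 35000000, "gidNumber": 600},  # uid outside the AD range
}
IDMAP_KEY = re.compile(r"^idmap config\s*(.+?)\s*:\s*(\w+)$")

def parse_smb_conf(text):
    """Return (workgroup, {domain: {option: value}}) parsed from [global]."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of domain names inside idmap keys
    cp.read_file(io.StringIO(text))
    idmap = {}
    for key, value in cp["global"].items():
        m = IDMAP_KEY.match(key)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2).lower()] = value.strip()
    return cp["global"].get("workgroup", "").strip(), idmap

def check(conf_text, users):
    """Classify each account: 'ok'; 'out-of-range' (idmap_ad uses the range as a
    filter and discards such ids, so the account gets no mapping); 'no-rfc2307-id';
    or 'unconfigured-domain' when the workgroup has no idmap entry at all."""
    workgroup, idmap = parse_smb_conf(conf_text)
    rng = idmap.get(workgroup, {}).get("range")
    lo, hi = (int(x) for x in rng.split("-")) if rng else (None, None)
    problems = [] if rng else [f"no 'idmap config {workgroup} : range' in smb.conf"]
    result = {}
    for name, attrs in users.items():
        ids = [attrs[k] for k in ("uidNumber", "gidNumber") if k in attrs]
        result[name] = ("no-rfc2307-id" if not ids else
                        "unconfigured-domain" if rng is None else
                        "ok" if all(lo <= i <= hi for i in ids) else "out-of-range")
    return result, problems
```

Run it against the real smb.conf and an LDAP export of uidNumber/gidNumber before expecting 'getent passwd' on the member server to list an account.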