[Samba] Winbindd Strangeness

Rowland Penny rowlandpenny at googlemail.com
Mon Jun 29 01:30:52 MDT 2015


On 29/06/15 04:26, David Minard wrote:
> On 25/06/15 13:44, David Minard wrote:
>
>>>     On 24/06/15 02:55, David Minard wrote:
>>>>     On 23/06/15 13:32, David Minard wrote:
>>>>
>>>>>          I've set up a DC and a Member Server for a file server.  Both are
>>>>>     running on Centos7 and samba version 4.2.2.  The Member Server is
>>>>>     running smbd and winbindd.
>>>>>
>>>>>          I've followed the wiki and for the most part it's working.
>>>>>     However, after stuffing up the ranges, then fixing them up, when I
>>>>>     create new accounts, adding all the Unix attributes, the UID_Number
>>>>>     is not showing the correct value for new accounts. Existing ones are
>>>>>     okay.
>>>>>
>>>>>          Member_Server Config:
>>>>>
>>>>>          [global]
>>>>>
>>>>>              netbios name = MS1
>>>>>              workgroup = AD
>>>>>              security = ADS
>>>>>              realm = SAMBADOM
>>>>>              dedicated keytab file = /etc/krb5.keytab
>>>>>              kerberos method = secrets and keytab
>>>>>
>>>>>              idmap config *:backend = tdb
>>>>>              idmap config *:range = 30000000-40000000
>>>>>              idmap config SAMBADOM:backend = ad
>>>>>              idmap config SAMBADOM:schema_mode = rfc2307
>>>>>              idmap config SAMBADOM:range = 600-29999999
>>>>>
>>>>>              winbind nss info = rfc2307
>>>>>              winbind trusted domains only = no
>>>>>              winbind use default domain = yes
>>>>>              winbind enum users  = yes
>>>>>              winbind enum groups = yes
>>>>>              winbind refresh tickets = Yes
>>>>>
>>>>>
>>>>>
>>>>>          Existing Account:
>>>>>          getent passwd fred
>>>>>
>>>>>          fred:*:4999:30000000:Fred Nerks:/home/fred:/bin/tcsh
>>>>>
>>>>>          New Account:
>>>>>
>>>>>          fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
>>>>>
>>>>>          Fred1 was set up with --uid-number='5004'
>>>>>
>>>>>          I've tried clearing winbindd caches as per some post I read:
>>>>>
>>>>>          systemctl stop winbindd
>>>>>          rm /usr/local/samba/var/locks/group_mapping.tdb*
>>>>>     /usr/local/samba/var/locks/winbindd_idmap.tdb*
>>>>>     /usr/local/samba/var/locks/winbindd_cache.tdb*
>>>>>          systemctl start winbindd
>>>>>
>>>>>          But no change.
>>>>>
>>>>>          I've also noticed that the default group that all users are in
>>>>>     used to be "domain users", now for some reason they are all in
>>>>>     "BUILTIN\administrators" !
>>>>>
>>>>>          Am I doing something wrong?  If so, what. If not, how do
>>>>>     I track down why this is happening?
>>>>>
>>>>>          Cheers,
>>>>>          David Minard.
>>>>>          Ph:    0247 360 155
>>>>>          Fax:    0247 360 770
>>>>>
>>>>>          School of Computing, Engineering, and Mathematics
>>>>>          Building Y - Penrith Campus (Kingswood)
>>>>>          Locked bag 1797
>>>>>          Penrith South DC
>>>>>          NSW 1797
>>>>>
>>>>>          [Sometimes waking up just isn't worth the insult of the 
>>>>> day to
>>>>>     come.]
>>>>>
>>>>>
>>>>     Yes, you do appear to be doing things wrong:
>>>>
>>>>     workgroup = AD
>>>>
>>>>     but:
>>>>
>>>>     idmap config SAMBADOM:backend = ad
>>>>     idmap config SAMBADOM:schema_mode = rfc2307
>>>>     idmap config SAMBADOM:range = 600-29999999
>>>>
>>>>     'SAMBADOM' should be 'AD'
>>>>
>>>>     You have 'realm = SAMBADOM', it really should be something
>>>>     like 'realm = SAMBADOM.COM'
>>>>
>>>>     Rowland
>>>>
>>>>     Thanks for the quick reply Rowland.  The change didn't make any
>>>>     difference.  I remember having it the way you suggested in the first
>>>>     place, but was still getting strangeness.  I have put it back to the
>>>>     right way as suggested.  I now have a config of:
>>>>
>>>>     [global]
>>>>
>>>>        netbios name = MS1
>>>>        workgroup = AD
>>>>        security = ADS
>>>>        realm = SAMDOM
>>>>        dedicated keytab file = /etc/krb5.keytab
>>>>        kerberos method = secrets and keytab
>>>>
>>>>        idmap config *:backend = tdb
>>>>        idmap config *:range = 30000000-40000000
>>>>        idmap config AD:backend = ad
>>>>        idmap config AD:schema_mode = rfc2307
>>>>        idmap config AD:range = 600-29999999
>>>>
>>>>        winbind nss info = rfc2307
>>>>        winbind trusted domains only = no
>>>>        winbind use default domain = yes
>>>>        winbind enum users  = yes
>>>>        winbind enum groups = yes
>>>>        winbind refresh tickets = Yes
>>>>
>>>>
>>>>     SAMDOM is as you say, a domain name for the AD.
>>>>
>>>>     I noticed that the UIDNumber of new accounts are overlapping with
>>>>     system accounts.
>>>>
>>>>     fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
>>>> krbtgt:*:30000002:30000000:krbtgt:/home/AD/krbtgt:/bin/false
>>>>
>>>>     fred:*:30000000:30000000:Fred Nerks:/home/fred:/bin/tcsh
>>>> administrator:*:30000000:30000000:Administrator:/home/AD/administrator:/bin/false
>>>>
>>>>
>>>     Strange, have you tried running 'net cache flush' on the member 
>>> server ?
>>     No I hadn't.  I tried it.  Now 'getent passwd' only gives 
>> me the unix accounts on the server.  'wbinfo -u' works fine.
>>
>>>     Have you given all the users & groups an ID number in AD ?
>>     Only users and groups that I have created.  Do I have to do that 
>> for the default accounts too?
>>
>>>     Can you post the exact command you are using to create users.
>>>
>>     samba-tool user add fred --userou='OU=Test Users' 
>> --profile-path='\\ms1.example.com\profiles\fred' --home-drive='u:' 
>> --home-directory='\\ms1.example.com\fred' --login-shell='/bin/tcsh' 
>> --gecos='Fred Nerks' --gid-number='600' --uid-number='4999' 
>> --uid='fred' --unix-home='/home/fred' --nis-domain='AD' 
>> --surname='Nerks' --given-name='Fred' 
>> --mail-address='fred at example.com' --random-password
>>
>>
>    OK, I have recreated your user 'fred' on my DC, just a couple of 
> issues
>    first, shouldn't  --home-drive='u:' be
>    --home-drive='U:' and how will your user login, I ask this because you
>    (or fred) don't know the password ?
>
> This is a test set up, and I set the password up later using 
> 'smbpasswd [username]'

Why not do it all at the same time? Also, I am not sure that this is 
really a supported way of changing AD passwords, just a thought. You 
haven't got Unix users with the same name as AD users ?

>
> The u: vs U:...  Not sure that's a problem (I could be wrong). The 
> account goes into AD okay, but I will change my scripts.
>

I am not sure either, but it is the way I have always done it and 
Microsoft always refers to it in uppercase.

> Now, if I run 'getent passwd fred' on the DC, I get this:
>
>    EXAMPLE\fred:*:4999:10000:Fred Nerks:/home/EXAMPLE/fred:/bin/bash
>
> How come you get a line like that?  I get:
>
> fred:*:4999:4294967295:Fred Nerks:/kusers/techies/fred:/bin/tcsh
>

You probably have sssd running and it is either not set up to read the 
group gidNumber or the group hasn't got one. You also the template lines 
in the DC smb.conf


> normal unix style username, and a proper home directory and shell.
>
>    But I get nothing on a member server.
>
>    until I change the uidNumber for fred to 14999 which is inside the 
> range
>    I have in smb.conf:
>
>    idmap config EXAMPLE : range = 10000-999999
>
>    So, can we confirm that your line in smb.conf is:
>
>    idmap config AD : range = 600-29999999
>
> That was correct.  However I have changed them to: 600 - 2999999. I 
> saw errors about the original ones being out of range.  The errors 
> have stopped.  Winbindd is still giving me strange results.
>
> Earlier, you asked "Have you given all the users & groups an ID number 
> in AD ?".  Do you mean the default accounts and groups that come with 
> a fresh provision as well as the user accounts and groups I create 
> after the provision?
>
>

You can, if you so wish, give every user & group in AD a uidNumber or 
gidNumber, but this is not obligatory. You only need to give them to 
users & groups you want to be visible to Unix machines, the only group 
that must have a gidNumber is Domain Users, winbind will not work 
without this.

Have you considered coming over from the dark side to Debian ? It is so 
much easier over here :-)

Rowland

>
>
> I have some other questions.  When I run 'net cache flush' the 'getent 
> passwd' stops serving out any samba4 account information. 'wbinfo -u' 
> still works.  Why does the connectivity of getent disappear?  Starting 
> and stopping smbd and winbindd does not fix it.  Removing the above 
> mentioned winbind cache files doesn't help.  A re-boot of the server 
> mostly fixes it, but not always. What is the cause?  It's been broken 
> since Friday arvo.  How can I reliably kick winbindd and get it to 
> work again.
>
> I'm thinking a lot of it has to do with caching, but I don't know 
> enough to put my finger on it...
>
> I want to run all this in production, and have all OSX, Linux boxes, 
> and Windows clients using it as their sole account info/auth, but it 
> has to be rock solid and predictable.
>



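The checks Rowland walks David through by hand (the idmap label must match the workgroup, the domain range and the '*' range must not overlap, every uidNumber/gidNumber must fall inside the domain range, and Domain Users must carry a gidNumber) can be scripted against a copy of smb.conf and a dump of the rfc2307 attributes. The script below is an added example, not code from the thread or from the Samba project; the smb.conf fragment and the account records are constructed to mirror the thread, and the check functions are hypothetical helpers.

```python
"""Sanity-check Samba idmap ranges against the rfc2307 attributes in AD.

Added example, not Samba code. SMB_CONF, ACCOUNTS and GROUPS are constructed
inputs modelled on the thread; on a real member server you would feed in
/etc/samba/smb.conf and the uidNumber/gidNumber values from ldbsearch.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment (domain short name AD, attributes read from AD).
SMB_CONF = """
[global]
    workgroup = AD
    security = ADS
    realm = SAMDOM

    idmap config *:backend = tdb
    idmap config *:range = 30000000-40000000
    idmap config AD:backend = ad
    idmap config AD:schema_mode = rfc2307
    idmap config AD:range = 600-29999999
"""

# Constructed records standing in for uidNumber/gidNumber as stored in AD;
# None means the attribute is not set on the object.
ACCOUNTS = [
    {"name": "fred",   "uidNumber": 4999, "gidNumber": 600},
    {"name": "fred1",  "uidNumber": 5004, "gidNumber": 600},
    {"name": "bob",    "uidNumber": 45,   "gidNumber": 600},    # below the AD range
    {"name": "krbtgt", "uidNumber": None, "gidNumber": None},   # no rfc2307 attrs
]
GROUPS = [
    {"name": "Domain Users", "gidNumber": None},   # the one group winbind needs
    {"name": "techies",      "gidNumber": 600},
]

_RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)
_WG_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)\s*$", re.I)


def parse_workgroup(conf: str) -> Optional[str]:
    """Return the 'workgroup =' value, which is the label idmap lines must use."""
    for line in conf.splitlines():
        m = _WG_RE.match(line)
        if m:
            return m.group(1)
    return None


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain_or_star: (low, high)} for every 'idmap config X:range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = _RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def ranges_overlap(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    """True when the two inclusive ranges share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_config(conf: str, accounts: List[dict], groups: List[dict]) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings: List[str] = []
    workgroup = parse_workgroup(conf)
    ranges = parse_idmap_ranges(conf)
    dom = ranges.get(workgroup) if workgroup else None
    if dom is None:
        # The label on the idmap lines must equal the workgroup (SAMBADOM vs AD in the thread).
        return [f"no 'idmap config {workgroup}:range' line found (workgroup is {workgroup})"]
    default = ranges.get("*")
    if default is None:
        findings.append("no 'idmap config *:range' line; BUILTIN and other non-domain SIDs have no backend")
    elif ranges_overlap(dom, default):
        findings.append(f"range for {workgroup} {dom} overlaps the default '*' range {default}")
    low, high = dom
    for acct in accounts:
        uid = acct["uidNumber"]
        if uid is None:
            findings.append(f"user {acct['name']}: no uidNumber, so the ad backend will not map it")
        elif not low <= uid <= high:
            findings.append(f"user {acct['name']}: uidNumber {uid} outside {workgroup} range {low}-{high}")
    for grp in groups:
        gid = grp["gidNumber"]
        if gid is None:
            if grp["name"].lower() == "domain users":
                findings.append("group Domain Users: no gidNumber; winbind will not work without it")
            else:
                findings.append(f"group {grp['name']}: no gidNumber, so it is not visible to Unix")
        elif not low <= gid <= high:
            findings.append(f"group {grp['name']}: gidNumber {gid} outside {workgroup} range {low}-{high}")
    return findings


if __name__ == "__main__":
    for finding in check_config(SMB_CONF, ACCOUNTS, GROUPS):
        print(finding)
```

Run against the constructed data it reports bob's out-of-range uidNumber, the unset uidNumber on krbtgt and the missing gidNumber on Domain Users; swapping the AD label for SAMBADOM, as in David's first config, produces the single "no range found for the workgroup" finding instead.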