[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber

mathias dufresne infractory at gmail.com
Tue Nov 10 13:42:36 UTC 2015


Thank you for this quick answer Louis.

On DC:

On DC I had to add one line to have winbind retrieving the uidNumber AD field
rather than having Winbind choosing some random UID for my users.
This line is:

idmap_ldb:use rfc2307 = yes

as explained in https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

That's a start.

Unfortunately winbind is still giving my users GID number set to 100, which
is "Domain Users" group, when my users have gidNumber attribute set.

Same for shell, in AD loginShell is defined to /bin/bash for all my UNIX
users and winbind gives /bin/false on DC. Perhaps that's what is expected
by that tool but I still find that behaviour very confusing.
Please note I know there is a "template shell" option in smb.conf.
Unfortunately this option is, I think, to set all shells equal to that
template, for all users. That's not what we need. If some user in AD wants
to use CSH, this user must have a shell set to /bin/csh (or wherever it is
installed), if some user has to be set to /bin/false, it must be. And
most of our users would receive /bin/bash because it is what we
configure in loginShell by default.

Same for home directories. In AD I set unixHomeDirectory (I also tried with
homeDirectory field) to /home/<username> and in getent passwd <username> I
get home set to /home/<SAMBA.DOMAIN>/<username>

Anyway getent passwd <username> on DC is now working, with users having UID
set to the content of the uidNumber field.
None of these users can connect on DC (even if uidNumber = 0) and I expect
this behaviour is because they have a shell set to /bin/false.

On member:

my smb.conf (from testparm)
---------------------------------------------------------------------
[global]
        workgroup = SAMBA.DOMAIN
        realm = SAMBA.DOMAIN.TLD
        server string = Samba Server Version %v
        security = ADS
        log file = /var/log/samba/log.%m
        max log size = 2048
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind normalize names = Yes
        idmap config SAMBA.DOMAIN:range = 10000-2000000000
        idmap config SAMBA.DOMAIN:schema_mode = rfc2307
        idmap config SAMBA.DOMAIN:backend = ad
        idmap config *:range = 2000-9999
        idmap config * : backend = ad
        cups options = raw

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        print ok = Yes
        browseable = No
---------------------------------------------------------------------

nsswitch.conf:
passwd:     files  winbind
shadow:     files  winbind
group:      files  winbind

and pam.d files are both configured:
---------------------------------------------------------------------
grep winb /etc/pam.d/*
/etc/pam.d/fingerprint-auth:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/fingerprint-auth:session     optional      pam_winbind.so
/etc/pam.d/fingerprint-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/fingerprint-auth-ac:session     optional      pam_winbind.so
/etc/pam.d/password-auth:auth        sufficient    pam_winbind.so use_first_pass
/etc/pam.d/password-auth:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/password-auth:password    sufficient    pam_winbind.so use_authtok
/etc/pam.d/password-auth:session     optional      pam_winbind.so
/etc/pam.d/password-auth-ac:auth        sufficient    pam_winbind.so use_first_pass
/etc/pam.d/password-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/password-auth-ac:password    sufficient    pam_winbind.so use_authtok
/etc/pam.d/password-auth-ac:session     optional      pam_winbind.so
/etc/pam.d/smartcard-auth:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/smartcard-auth:session     optional      pam_winbind.so
/etc/pam.d/smartcard-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/smartcard-auth-ac:session     optional      pam_winbind.so
/etc/pam.d/system-auth:auth        sufficient    pam_winbind.so use_first_pass
/etc/pam.d/system-auth:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth:password    sufficient    pam_winbind.so use_authtok
/etc/pam.d/system-auth:session     optional      pam_winbind.so
/etc/pam.d/system-auth-ac:auth        sufficient    pam_winbind.so use_first_pass
/etc/pam.d/system-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth-ac:password    sufficient    pam_winbind.so use_authtok
/etc/pam.d/system-auth-ac:session     optional      pam_winbind.so
---------------------------------------------------------------------

Here are the logs generated during getent passwd commands, extracted from
log.winbindd on member server (with log level = 3 winbind:9)

getent passwd <username>
---------------------------------------------------------------------
[2015/11/10 13:16:37.550045,  6]
../source3/winbindd/winbindd.c:871(new_connection)
  accepted socket 22
[2015/11/10 13:16:37.550141,  3]
../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
  [ 2906]: request interface version
[2015/11/10 13:16:37.550294,  3]
../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
  [ 2906]: request location of privileged pipe
[2015/11/10 13:16:37.550440,  6]
../source3/winbindd/winbindd.c:871(new_connection)
  accepted socket 28
[2015/11/10 13:16:37.550478,  6]
../source3/winbindd/winbindd.c:919(winbind_client_request_read)
  closing socket 22, client exited
[2015/11/10 13:16:37.550506,  3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam stephane.morin
[2015/11/10 13:16:37.550633,  7]
../source3/winbindd/winbindd_ads.c:61(ads_cached_connection_reuse)
  Current tickets expire in 34856 seconds (at 1447192653, time is now 1447157797)
[2015/11/10 13:16:41.259064,  5]
../source3/winbindd/winbindd_cache.c:1272(resolve_alias_to_username)
  resolve_alias_to_username: backend query returned NT_STATUS_OK
[2015/11/10 13:16:41.281997,  5]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-569364669-4183652282-291509484-43151: NT_STATUS_NONE_MAPPED
[2015/11/10 13:16:41.282169,  6]
../source3/winbindd/winbindd.c:919(winbind_client_request_read)
  closing socket 28, client exited


getent passwd SAMBA.DOMAIN\\<username>
---------------------------------------------------------------------
[2015/11/10 13:16:50.109816,  6]
../source3/winbindd/winbindd.c:871(new_connection)
  accepted socket 22
[2015/11/10 13:16:50.109924,  3]
../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
  [ 2907]: request interface version
[2015/11/10 13:16:50.109977,  3]
../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
  [ 2907]: request location of privileged pipe
[2015/11/10 13:16:50.110069,  6]
../source3/winbindd/winbindd.c:871(new_connection)
  accepted socket 28
[2015/11/10 13:16:50.110130,  6]
../source3/winbindd/winbindd.c:919(winbind_client_request_read)
  closing socket 22, client exited
[2015/11/10 13:16:50.110162,  3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam ad.dgfip\stephane.morin
[2015/11/10 13:16:50.110403,  5]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-569364669-4183652282-291509484-43151: NT_STATUS_NONE_MAPPED
[2015/11/10 13:16:50.110552,  6]
../source3/winbindd/winbindd.c:919(winbind_client_request_read)
  closing socket 28, client exited
---------------------------------------------------------------------

And wbinfo -i <username> does not work:
wbinfo -i administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator
Same behaviour for other users.

---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------

Now wbinfo:
-------------------------------------------------
wbinfo -u
-------------------------------------------------
On DCs:
wbinfo -u on DCs does not show anything. It just gives up after a few seconds
(around 10s on both DCs tested).

On member:
wbinfo -u | wc -l
49504

when
ldbsearch -H $sam objectcategory=person | tail -3
# returned 49507 records
# 49504 entries
# 3 referrals

So wbinfo -u returns all users on this member server.


-------------------------------------------------
wbinfo -i <username>
-------------------------------------------------
On DCs:
wbinfo -i administrator
SAMBA.DOMAIN\administrator:*:0:100::/home/SAMBA.DOMAIN/administrator:/bin/false
wbinfo -i mathias
SAMBA.DOMAIN\mathias:*:0:100:mathias dufresne:/home/SAMBA.DOMAIN/mathias:/bin/false
wbinfo -i <username>
SAMBA.DOMAIN\<username>:*:1013569430:100:<username>:/home/SAMBA.DOMAIN/<username>:/bin/false

On member:
wbinfo -i administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator
wbinfo -i mathias
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user mathias
wbinfo -i <username>
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user <username>

On member I was using Samba packages from CentOS 7 (it's a CentOS 7) with
version 4.1.12-24.el7_1.
I switched to version 4.3.1 (the one I'm using for DCs) and the results are the
same.

I'm facing a real lack of knowledge and I haven't yet found what to read to
fill these gaps.

Cheers,

mathias


2015-11-10 10:02 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:

> Really....  here are your pointers..
>
> First choose, since you're not telling..  ADDC or Member server?
>
> ADDC >
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>
> Member >
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> ID Mapping =>  https://wiki.samba.org/index.php/Identity_Mapping_(idmap)
>
> And when all configured, assigned if needed uid/gids..
>
> Type :
>
> getent passwd username    ( DON'T TEST WITH ADMINISTRATOR )
> getent group "groupname"  ( groups with spaces use the " )
>
> Greetz,
>
> Louis
>
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of mathias dufresne
> > Sent: Tuesday 10 November 2015 9:49
> > To: samba
> > Subject: [Samba] [samba] How to configure Winbind to use uidNumber and
> > gidNumber
> >
> > Hi all,
> >
> > How can we configure winbind to retrieve uidNumber and gidNumber declared
> > in AD?
> >
> > Thanks and regards,
> >
> > mathias
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
>

