[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber

Rowland Penny rowlandpenny241155 at gmail.com
Tue Nov 10 13:57:33 UTC 2015


On 10/11/15 13:42, mathias dufresne wrote:
> Thank you for this quick answer Louis.
>
> On DC:
>
> On DC I had to add one line to have winbind retrieve the uidNumber AD field
> rather than having Winbind choose some random UID for my users.
> This line is:
>
> idmap_ldb:use rfc2307 = yes
>
> as explained in https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>
> That's a start.
>
> Unfortunately winbind is still giving my users GID number set to 100, which
> is "Domain Users" group, when my users have gidNumber attribute set.

Unfortunately the contents of the 'gidNumber' attribute are not used for 
the user's GID; you need to give 'Domain Users' a gidNumber and this is 
what will be used.

>
> Same for shell, in AD loginShell is defined to /bin/bash for all my UNIX
> users and winbind gives /bin/false on DC. Perhaps that's what is expected
> by that tool but I still found that behaviour very confusing.
> Please note I know there is a "template shell" option in smb.conf.
> Unfortunately this option is, I think, to set all shells equal to that
> template, for all users. That's not what we need. If some user in AD wants
> to use CSH, this user must have a shell set to /bin/csh (or wherever it is
> installed), if some user has to be set to /bin/false, it must be. And for
> most of our users they would receive /bin/bash because it is what we
> configure in loginShell by default.

You can only use the 'template' lines on the DC; if you need to have 
different home dirs or shells, use a member server.

>
> Same for home directories. In AD I set unixHomeDirectory (I also tried with
> homeDirectory field) to /home/<username> and in getent passwd <username> I
> get home set to /home/<SAMBA.DOMAIN>/<username>
>
> Anyway getent passwd <username> on DC is now working with users having UID
> set to content of uidNumber field.
> None of these users can connect on DC (even if uidNumber = 0) and I expect
> this behaviour is because they have a shell set to /bin/false.

Correct, if you want to login to the DC, use 'template shell = /bin/bash'

Rowland

> On member:
>
> my smb.conf (from testparm)
> ---------------------------------------------------------------------
> [global]
>          workgroup = SAMBA.DOMAIN
>          realm = SAMBA.DOMAIN.TLD
>          server string = Samba Server Version %v
>          security = ADS
>          log file = /var/log/samba/log.%m
>          max log size = 2048
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          winbind use default domain = Yes
>          winbind nss info = rfc2307
>          winbind normalize names = Yes
>          idmap config SAMBA.DOMAIN:range = 10000-2000000000
>          idmap config SAMBA.DOMAIN:schema_mode = rfc2307
>          idmap config SAMBA.DOMAIN:backend = ad
>          idmap config *:range = 2000-9999
>          idmap config * : backend = ad
>          cups options = raw
>
> [homes]
>          comment = Home Directories
>          read only = No
>          browseable = No
>
> [printers]
>          comment = All Printers
>          path = /var/spool/samba
>          printable = Yes
>          print ok = Yes
>          browseable = No
> ---------------------------------------------------------------------
>
> nsswitch.conf:
> passwd:     files  winbind
> shadow:     files  winbind
> group:      files  winbind
>
> and pam.d files are  both configured:
> ---------------------------------------------------------------------
> grep winb /etc/pam.d/*
> /etc/pam.d/fingerprint-auth:account     [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/fingerprint-auth:session     optional      pam_winbind.so
> /etc/pam.d/fingerprint-auth-ac:account     [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/fingerprint-auth-ac:session     optional      pam_winbind.so
> /etc/pam.d/password-auth:auth        sufficient    pam_winbind.so
> use_first_pass
> /etc/pam.d/password-auth:account     [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/password-auth:password    sufficient    pam_winbind.so
> use_authtok
> /etc/pam.d/password-auth:session     optional      pam_winbind.so
> /etc/pam.d/password-auth-ac:auth        sufficient    pam_winbind.so
> use_first_pass
> /etc/pam.d/password-auth-ac:account     [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/password-auth-ac:password    sufficient    pam_winbind.so
> use_authtok
> /etc/pam.d/password-auth-ac:session     optional      pam_winbind.so
> /etc/pam.d/smartcard-auth:account     [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/smartcard-auth:session     optional      pam_winbind.so
> /etc/pam.d/smartcard-auth-ac:account     [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/smartcard-auth-ac:session     optional      pam_winbind.so
> /etc/pam.d/system-auth:auth        sufficient    pam_winbind.so
> use_first_pass
> /etc/pam.d/system-auth:account     [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/system-auth:password    sufficient    pam_winbind.so use_authtok
> /etc/pam.d/system-auth:session     optional      pam_winbind.so
> /etc/pam.d/system-auth-ac:auth        sufficient    pam_winbind.so
> use_first_pass
> /etc/pam.d/system-auth-ac:account     [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/system-auth-ac:password    sufficient    pam_winbind.so
> use_authtok
> /etc/pam.d/system-auth-ac:session     optional      pam_winbind.so
> ---------------------------------------------------------------------
>
> Here are the logs generated during getent passwd commands, extracted from
> log.winbindd on member server (with log level = 3 winbind:9)
>
> getent passwd <username>
> ---------------------------------------------------------------------
> [2015/11/10 13:16:37.550045,  6]
> ../source3/winbindd/winbindd.c:871(new_connection)
>    accepted socket 22
> [2015/11/10 13:16:37.550141,  3]
> ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
>    [ 2906]: request interface version
> [2015/11/10 13:16:37.550294,  3]
> ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
>    [ 2906]: request location of privileged pipe
> [2015/11/10 13:16:37.550440,  6]
> ../source3/winbindd/winbindd.c:871(new_connection)
>    accepted socket 28
> [2015/11/10 13:16:37.550478,  6]
> ../source3/winbindd/winbindd.c:919(winbind_client_request_read)
>    closing socket 22, client exited
> [2015/11/10 13:16:37.550506,  3]
> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>    getpwnam stephane.morin
> [2015/11/10 13:16:37.550633,  7]
> ../source3/winbindd/winbindd_ads.c:61(ads_cached_connection_reuse)
>    Current tickets expire in 34856 seconds (at 1447192653, time is now
> 1447157797)
> [2015/11/10 13:16:41.259064,  5]
> ../source3/winbindd/winbindd_cache.c:1272(resolve_alias_to_username)
>    resolve_alias_to_username: backend query returned NT_STATUS_OK
> [2015/11/10 13:16:41.281997,  5]
> ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>    Could not convert sid S-1-5-21-569364669-4183652282-291509484-43151:
> NT_STATUS_NONE_MAPPED
> [2015/11/10 13:16:41.282169,  6]
> ../source3/winbindd/winbindd.c:919(winbind_client_request_read)
>    closing socket 28, client exited
>
>
> getent passwd SAMBA.DOMAIN\\<username>
> ---------------------------------------------------------------------
> [2015/11/10 13:16:50.109816,  6]
> ../source3/winbindd/winbindd.c:871(new_connection)
>    accepted socket 22
> [2015/11/10 13:16:50.109924,  3]
> ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
>    [ 2907]: request interface version
> [2015/11/10 13:16:50.109977,  3]
> ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
>    [ 2907]: request location of privileged pipe
> [2015/11/10 13:16:50.110069,  6]
> ../source3/winbindd/winbindd.c:871(new_connection)
>    accepted socket 28
> [2015/11/10 13:16:50.110130,  6]
> ../source3/winbindd/winbindd.c:919(winbind_client_request_read)
>    closing socket 22, client exited
> [2015/11/10 13:16:50.110162,  3]
> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>    getpwnam ad.dgfip\stephane.morin
> [2015/11/10 13:16:50.110403,  5]
> ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>    Could not convert sid S-1-5-21-569364669-4183652282-291509484-43151:
> NT_STATUS_NONE_MAPPED
> [2015/11/10 13:16:50.110552,  6]
> ../source3/winbindd/winbindd.c:919(winbind_client_request_read)
>    closing socket 28, client exited
> ---------------------------------------------------------------------
>
> And wbinfo -i <username> does not work:
> wbinfo -i administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user administrator
> Same behaviour for others users.
>
> ---------------------------------------------------------------------------------------------------
> ---------------------------------------------------------------------------------------------------
>
> Now wbinfo:
> -------------------------------------------------
> wbinfo -u
> -------------------------------------------------
> On DCs:
> wbinfo -u on DCs does not show anything. It just gives up after a few seconds
> (around 10s on both DCs tested).
>
> On member:
> wbinfo -u | wc -l
> 49504
>
> when
> ldbsearch -H $sam objectcategory=person | tail -3
> # returned 49507 records
> # 49504 entries
> # 3 referrals
>
> So wbinfo -u returns all users on this member server.
>
>
> -------------------------------------------------
> wbinfo -i <username>
> -------------------------------------------------
> On DCs:
> wbinfo -i administrator
> SAMBA.DOMAIN\administrator:*:0:100::/home/SAMBA.DOMAIN/administrator:/bin/false
> wbinfo -i mathias
> SAMBA.DOMAIN\mathias:*:0:100:mathias
> dufresne:/home/SAMBA.DOMAIN/mathias:/bin/false
> wbinfo -i <username>
> SAMBA.DOMAIN\<username>:*:1013569430:100:<username>:/home/SAMBA.DOMAIN/<username>:/bin/false
>
> On member:
> wbinfo -i administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user administrator
> wbinfo -i mathias
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user mathias
> wbinfo -i <username>
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user <username>
>
> On member I was using Samba packages from Centos 7 (it's a Centos 7) with
> version 4.1.12-24.el7_1.
> I switched to version 4.3.1 (the one I'm using for DCs) and the results are
> the same.
>
> I'm facing a real lack of knowledge and I haven't yet found what to read to
> fill these gaps.
>
> Cheers,
>
> mathias
>
>
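As an added example (not from the thread and not Samba's own code), here is a small Python audit of the idmap layout in the member smb.conf quoted above, abridged into the constructed sample below. It parses the `idmap config` lines, flags ranges that overlap, an `ad` backend without `schema_mode = rfc2307`, and the default `*` domain being given the `ad` backend (idmap_ad is not supported for the default domain; tdb is the usual choice), and lets you check whether an ID such as the uidNumber 1013569430 seen above falls inside the domain's configured range. Function names and finding texts are my own.

```python
import re

# Constructed sample: the idmap-relevant lines of the member smb.conf posted in the thread.
SMB_CONF = """
         idmap config SAMBA.DOMAIN:range = 10000-2000000000
         idmap config SAMBA.DOMAIN:schema_mode = rfc2307
         idmap config SAMBA.DOMAIN:backend = ad
         idmap config *:range = 2000-9999
         idmap config * : backend = ad
"""

# 'idmap config <domain> : <option> = <value>', tolerating spaces around the colon.
IDMAP_RE = re.compile(r"^\s*idmap config\s*([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} built from every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def parse_range(text):
    # '10000-2000000000' -> (10000, 2000000000)
    return tuple(int(x) for x in text.split("-"))

def audit_idmap(conf):
    """Return a list of findings; an empty list means the idmap layout looks sane."""
    findings, seen = [], []
    for dom, opts in parse_idmap(conf).items():
        backend = opts.get("backend", "").lower()
        if "range" not in opts:
            findings.append(f"{dom}: no range configured")
            continue
        lo, hi = parse_range(opts["range"])
        # Ranges of different domains must not overlap, or IDs become ambiguous.
        for other, (olo, ohi) in seen:
            if lo <= ohi and olo <= hi:
                findings.append(f"{dom}: range overlaps {other}")
        seen.append((dom, (lo, hi)))
        if dom == "*" and backend == "ad":
            findings.append("*: default domain cannot use the ad backend (use tdb)")
        elif backend == "ad" and opts.get("schema_mode", "").lower() != "rfc2307":
            findings.append(f"{dom}: ad backend without schema_mode = rfc2307")
    return findings

def id_in_range(conf, domain, number):
    """True if a uidNumber/gidNumber lies inside the configured range for domain."""
    lo, hi = parse_range(parse_idmap(conf)[domain]["range"])
    return lo <= number <= hi
```

Feed it the output of `testparm -s` to audit a live member server; an ID outside its domain's range cannot be mapped, whatever the directory says.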