[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber
Rowland Penny
rowlandpenny241155 at gmail.com
Tue Nov 10 13:57:33 UTC 2015
On 10/11/15 13:42, mathias dufresne wrote:
> Thank you for this quick answer Louis.
>
> On DC:
>
> On DC I had to add one line to have winbind retrieving uidNumber AD field
> rather than having Winbind choosing some random UID for my users.
> This line is:
>
> idmap_ldb:use rfc2307 = yes
>
> as explained in https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>
> That's a start.
>
> Unfortunately winbind is still giving my users GID number set to 100, which
> is "Domain Users" group, when my users have gidNumber attribute set.
Unfortunately the contents of the 'gidNumber' attribute are not used for
the user's GID; you need to give 'Domain Users' a gidNumber and this is
what will be used.
>
> Same for shell, in AD loginShell is defined to /bin/bash for all my UNIX
> users and winbind gives /bin/false on DC. Perhaps that's what is expected
> by that tool but I still found that behaviour very confusing.
> Please note I know there is a "template shell" option in smb.conf.
> Unfortunately this option is, I think, to set all shell equal to that
> template, for all users. That's not what we need. If some user in AD wants
> to use CSH, this user must have a shell set to /bin/csh (or wherever it is
> installed), if some user has to be set to /bin/false, it must be. And for
> most of our users they would receive /bin/bash because it is what we
> configure in loginShell by default.
You can only use the 'template' lines on the DC, if you need to have
different home dirs or shells, use a member server.
>
> Same for home directories. In AD I set unixHomeDirectory (I also tried with
> homeDirectory field) to /home/<username> and in getent passwd <username> I
> get home set to /home/<SAMBA.DOMAIN>/<username>
>
> Anyway getent passwd <username> on DC is now working with users having UID
> set to content of uidNumber field.
> None of these users can connect on DC (even if uidNumber = 0) and I expect
> this behaviour is because they have a shell set to /bin/false.
Correct, if you want to login to the DC, use 'template shell = /bin/bash'
Rowland
> On member:
>
> my smb.conf (from testparm)
> ---------------------------------------------------------------------
> [global]
> workgroup = SAMBA.DOMAIN
> realm = SAMBA.DOMAIN.TLD
> server string = Samba Server Version %v
> security = ADS
> log file = /var/log/samba/log.%m
> max log size = 2048
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> winbind normalize names = Yes
> idmap config SAMBA.DOMAIN:range = 10000-2000000000
> idmap config SAMBA.DOMAIN:schema_mode = rfc2307
> idmap config SAMBA.DOMAIN:backend = ad
> idmap config *:range = 2000-9999
> idmap config * : backend = ad
> cups options = raw
>
> [homes]
> comment = Home Directories
> read only = No
> browseable = No
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> print ok = Yes
> browseable = No
> ---------------------------------------------------------------------
>
> nsswitch.conf:
> passwd: files winbind
> shadow: files winbind
> group: files winbind
>
> and pam.d files are both configured:
> ---------------------------------------------------------------------
> grep winb /etc/pam.d/*
> /etc/pam.d/fingerprint-auth:account [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/fingerprint-auth:session optional pam_winbind.so
> /etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/fingerprint-auth-ac:session optional pam_winbind.so
> /etc/pam.d/password-auth:auth sufficient pam_winbind.so
> use_first_pass
> /etc/pam.d/password-auth:account [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/password-auth:password sufficient pam_winbind.so
> use_authtok
> /etc/pam.d/password-auth:session optional pam_winbind.so
> /etc/pam.d/password-auth-ac:auth sufficient pam_winbind.so
> use_first_pass
> /etc/pam.d/password-auth-ac:account [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/password-auth-ac:password sufficient pam_winbind.so
> use_authtok
> /etc/pam.d/password-auth-ac:session optional pam_winbind.so
> /etc/pam.d/smartcard-auth:account [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/smartcard-auth:session optional pam_winbind.so
> /etc/pam.d/smartcard-auth-ac:account [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/smartcard-auth-ac:session optional pam_winbind.so
> /etc/pam.d/system-auth:auth sufficient pam_winbind.so
> use_first_pass
> /etc/pam.d/system-auth:account [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/system-auth:password sufficient pam_winbind.so use_authtok
> /etc/pam.d/system-auth:session optional pam_winbind.so
> /etc/pam.d/system-auth-ac:auth sufficient pam_winbind.so
> use_first_pass
> /etc/pam.d/system-auth-ac:account [default=bad success=ok
> user_unknown=ignore] pam_winbind.so
> /etc/pam.d/system-auth-ac:password sufficient pam_winbind.so
> use_authtok
> /etc/pam.d/system-auth-ac:session optional pam_winbind.so
> ---------------------------------------------------------------------
>
> Here are the logs generated during getent passwd commands, extracted from
> log.winbindd on member server (with log level = 3 winbind:9)
>
> getent passwd <username>
> ---------------------------------------------------------------------
> [2015/11/10 13:16:37.550045, 6]
> ../source3/winbindd/winbindd.c:871(new_connection)
> accepted socket 22
> [2015/11/10 13:16:37.550141, 3]
> ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
> [ 2906]: request interface version
> [2015/11/10 13:16:37.550294, 3]
> ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
> [ 2906]: request location of privileged pipe
> [2015/11/10 13:16:37.550440, 6]
> ../source3/winbindd/winbindd.c:871(new_connection)
> accepted socket 28
> [2015/11/10 13:16:37.550478, 6]
> ../source3/winbindd/winbindd.c:919(winbind_client_request_read)
> closing socket 22, client exited
> [2015/11/10 13:16:37.550506, 3]
> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> getpwnam stephane.morin
> [2015/11/10 13:16:37.550633, 7]
> ../source3/winbindd/winbindd_ads.c:61(ads_cached_connection_reuse)
> Current tickets expire in 34856 seconds (at 1447192653, time is now
> 1447157797)
> [2015/11/10 13:16:41.259064, 5]
> ../source3/winbindd/winbindd_cache.c:1272(resolve_alias_to_username)
> resolve_alias_to_username: backend query returned NT_STATUS_OK
> [2015/11/10 13:16:41.281997, 5]
> ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
> Could not convert sid S-1-5-21-569364669-4183652282-291509484-43151:
> NT_STATUS_NONE_MAPPED
> [2015/11/10 13:16:41.282169, 6]
> ../source3/winbindd/winbindd.c:919(winbind_client_request_read)
> closing socket 28, client exited
>
>
> getent passwd SAMBA.DOMAIN\\<username>
> ---------------------------------------------------------------------
> [2015/11/10 13:16:50.109816, 6]
> ../source3/winbindd/winbindd.c:871(new_connection)
> accepted socket 22
> [2015/11/10 13:16:50.109924, 3]
> ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
> [ 2907]: request interface version
> [2015/11/10 13:16:50.109977, 3]
> ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
> [ 2907]: request location of privileged pipe
> [2015/11/10 13:16:50.110069, 6]
> ../source3/winbindd/winbindd.c:871(new_connection)
> accepted socket 28
> [2015/11/10 13:16:50.110130, 6]
> ../source3/winbindd/winbindd.c:919(winbind_client_request_read)
> closing socket 22, client exited
> [2015/11/10 13:16:50.110162, 3]
> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> getpwnam ad.dgfip\stephane.morin
> [2015/11/10 13:16:50.110403, 5]
> ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
> Could not convert sid S-1-5-21-569364669-4183652282-291509484-43151:
> NT_STATUS_NONE_MAPPED
> [2015/11/10 13:16:50.110552, 6]
> ../source3/winbindd/winbindd.c:919(winbind_client_request_read)
> closing socket 28, client exited
> ---------------------------------------------------------------------
>
> And wbinfo -i <username> does not work:
> wbinfo -i administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user administrator
> Same behaviour for other users.
>
> ---------------------------------------------------------------------------------------------------
> ---------------------------------------------------------------------------------------------------
>
> Now wbinfo:
> -------------------------------------------------
> wbinfo -u
> -------------------------------------------------
> On DCs:
> wbinfo -u on DCs does not show anything. It just gives up after a few seconds
> (around 10s on both DCs tested).
>
> On member:
> wbinfo -u | wc -l
> 49504
>
> when
> ldbsearch -H $sam objectcategory=person | tail -3
> # returned 49507 records
> # 49504 entries
> # 3 referrals
>
> So wbinfo -u returns all users on this member server.
>
>
> -------------------------------------------------
> wbinfo -i <username>
> -------------------------------------------------
> On DCs:
> wbinfo -i administrator
> SAMBA.DOMAIN\administrator:*:0:100::/home/SAMBA.DOMAIN/administrator:/bin/false
> wbinfo -i mathias
> SAMBA.DOMAIN\mathias:*:0:100:mathias
> dufresne:/home/SAMBA.DOMAIN/mathias:/bin/false
> wbinfo -i <username>
> SAMBA.DOMAIN\<username>:*:1013569430:100:<username>:/home/SAMBA.DOMAIN/<username>:/bin/false
>
> On member:
> wbinfo -i administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user administrator
> wbinfo -i mathias
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user mathias
> wbinfo -i <username>
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user <username>
>
> On member I was using Samba packages from Centos 7 (it's a Centos 7) with
> version 4.1.12-24.el7_1.
> I switched to version 4.3.1 (the one I'm using for DCs) and the results are the
> same.
>
> I'm facing a real lack of knowledge and I didn't yet find what to read to
> fill these gaps.
>
> Cheers,
>
> mathias
>
>
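An added check, not part of the thread or of Samba itself: a small Python script that parses the 'idmap config' lines of a testparm-style smb.conf (the embedded sample is the member server's configuration from the thread, reduced to the relevant lines) and flags the settings that stop winbind from mapping SIDs on a member server: an 'ad' backend on the default '*' domain, which idmap_ad does not support (the default must be a backend such as tdb), a missing default block, and missing, malformed or overlapping ranges. The function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the member server's testparm output quoted in the thread,
# reduced to the lines these checks look at.
SAMPLE_SMB_CONF = """
winbind nss info = rfc2307
idmap config SAMBA.DOMAIN:range = 10000-2000000000
idmap config SAMBA.DOMAIN:backend = ad
idmap config *:range = 2000-9999
idmap config * : backend = ad
"""

# Samba ignores whitespace around the colon: '* : backend' and '*:backend' are the same key.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg = defaultdict(dict)
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg[dom.upper()][opt.lower()] = val
    return dict(cfg)


def check_idmap(text):
    """Return a list of problems; an empty list means the idmap block looks sane."""
    cfg, problems, ranges = parse_idmap(text), [], {}
    default = cfg.get("*", {})
    if not default:
        problems.append("no 'idmap config *' block: BUILTIN and unknown SIDs cannot be mapped")
    elif default.get("backend", "").lower() == "ad":
        problems.append("default backend is 'ad': idmap_ad cannot be the default backend, use tdb")
    for dom, opts in cfg.items():
        try:
            lo, hi = (int(x) for x in opts["range"].split("-", 1))
        except (KeyError, ValueError):
            problems.append(f"{dom}: missing or malformed range")
            continue
        if lo >= hi:
            problems.append(f"{dom}: range low {lo} must be below high {hi}")
        ranges[dom] = (lo, hi)
    # Ranges must not overlap: sort by low end and compare each neighbouring pair.
    doms = sorted(ranges, key=ranges.get)
    for a, b in zip(doms, doms[1:]):
        if ranges[a][1] >= ranges[b][0]:
            problems.append(f"ranges of {a} and {b} overlap")
    return problems
```

Run it against the real testparm -s output of a member server; on the thread's configuration it reports only the default-backend problem.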