[Samba] idmap_ad and RFC2370 (inconsistent results)

Stefano Pardini stefanopardini at gmail.com
Mon Aug 8 15:33:59 UTC 2016


Hi everyone.
I'm encountering problems with the management of the id of the users,
in the DC and in the domain members (RFC2370).

I'm using Samba Version 4.2.10-Debian on Debian8.5.

This is the DC configuration / result.

root at samba4:/var/lib/samba# cat /etc/samba/smb.conf |grep -v '#'
[global]
    workgroup = MYNET
    realm = ad.mynet.lan
    netbios name = SAMBA4
    server role = active directory domain controller
    server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb
    server services = -s3fs -dns
    dcerpc endpoint servers = +winreg +srvsvc
    interfaces = 192.168.10.7
    log file = /var/log/samba/mynet.log
    syslog = 0
    log level = 3 passdb:0 auth:0 winbind:0 vfs:0
    vfs objects = full_audit

    idmap_ldb:use rfc2307 = yes
    winbind nss info = rfc2307

    idmap config *:backend = tdb
    idmap config *:range = 10000-49999

    idmap config MYNET:backend = ad
    idmap config MYNET:schema_mode = rfc2307
    idmap config MYNET:range = 50000-99999

    winbind enum users = Yes
    winbind enum groups = Yes

    winbind use default domain = Yes
    winbind refresh tickets = Yes
    winbind normalize names = Yes

    dsdb:schema update allowed = true

    tls enabled  = yes
    tls keyfile  = /etc/samba/certs/samba4.server.mynet.lan.key
    tls certfile = /etc/samba/certs/samba4.server.mynet.lan.crt

    kerberos method = system keytab
    client ldap sasl wrapping = sign
    allow dns updates = nonsecure and secure
    nsupdate command =  /usr/bin/nsupdate -g

    ldap server require strong auth = No

[netlogon]
    path = /var/lib/samba/sysvol/ad.mynet.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

This is the result of the provisioning operation.
root at samba4:~# /usr/bin/samba-tool domain provision --realm=ad.mynet.lan --domain=MYNET --adminpass='p4ssw0rd' --server-role=dc --dns-backend=BIND9_DLZ --function-level=2008_R2 --use-xattr=yes --host-ip=192.168.10.7 --use-rfc2307
...
Server Role:           active directory domain controller
Hostname:              samba4
NetBIOS Domain:        MYNET
DNS Domain:            ad.mynet.lan
DOMAIN SID:            S-1-5-21-1682454527-3772531157-3555914497

root at samba4:~# head /etc/nsswitch.conf |grep -v '#'
passwd:         compat winbind
group:          compat winbind

root at samba4:/var/lib/samba# getent passwd testuser
MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false

root at samba4:/var/lib/samba# id testuser
uid=10001(MYNET\testuser) gid=100(users) groups=100(users)

root at adclient:/etc/samba# wbinfo -i testuser
MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false
This is the domain member configuration / result.

root at adclient:/etc/samba# id testuser
uid=10005(testuser) gid=10000(domain users) groups=10000(domain users),10023(BUILTIN\users)

root at adclient:/etc/samba# getent passwd testuser
testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false

root at adclient:/etc/samba# wbinfo -i testuser
testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false

root at adclient:~# head /etc/nsswitch.conf |grep -v '#'
passwd:         compat winbind
group:          compat winbind

root at adclient:~# net ads info
LDAP server: 192.168.10.7
LDAP server name: samba4.ad.mynet.lan
Realm: AD.MYNET.LAN
Bind Path: dc=AD,dc=MYNET,dc=LAN
LDAP port: 389
Server time: Mon, 08 Aug 2016 16:22:35 CEST
KDC server: 192.168.10.7
Server time offset: 25

root at adclient:~# net ads testjoin
Join is OK

root at adclient:/etc/ldap# cat /etc/samba/smb.conf |grep -v '#'
[global]
    netbios name = ADCLIENT
    security = ads
    workgroup = MYNET
    realm = AD.MYNET.LAN
    server string = Active Directory Domain Member (test)

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    winbind trusted domains only = no
    winbind use default domain = yes

    winbind enum users  = yes
    winbind enum groups = yes

    log file = /var/log/samba/mynet.log
    syslog = 0
    log level = 3 passdb:0 auth:0 winbind:0 vfs:0

    idmap config MYNET:backend = ad
    idmap config MYNET:schema_mode = rfc2307
    idmap config MYNET:range = 50000-99999
    winbind nss info = rfc2307

    idmap_ldb:use rfc2307 = yes
This is a ldapsearch result for 'testuser'.
root at samba4:/var/lib/samba# ldapsearch -x -h samba4.server.mynet.lan -b 'ou=Teachers,ou=Users,ou=MyNet,dc=ad,dc=mynet,dc=lan' -D 'administrator at ad.mynet.lan' -w 'p4ssw0rd' '(&(objectClass=person)(sAMAccountName=testuser))'
...
uidNumber: 10001
unixHomeDirectory: /home/testuser
gidNumber: 10000
msSFU30Name: testuser
unixUserPassword: ABCD!efgh12345$67890
uid: testuser
loginShell: /bin/bash
...
As you can see, the NIS attributes are correctly stored inside the LDAP tree.
But the results are very different in each location.
In the DC: uidNumber and gidNumber are correctly extracted and viewed
(but the loginShell and unixHomeDirectory are wrong).
In the domain member: everything is independent of the AD-stored user.
I've already deleted the winbind cache with the 'net cache flush' command,
tried leaving and rejoining the domain, and removed the *.tdb files.
I've created 'testuser' with the ADUC utility running on Windows 7
(I've enabled the UNIX attributes section).

Thanks in advance for your help.
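As an added check (not part of the original post), the script below parses the 'idmap config DOMAIN:range' lines of an smb.conf fragment and reports RFC2307 ids that fall outside that range, since idmap_ad only returns mappings for ids inside its configured range and discards the rest; it also flags overlapping ranges, which Samba does not allow. The sample smb.conf fragment and LDAP attribute values are constructed from the configuration and ldapsearch output quoted above.

```python
import re

# Constructed sample: the domain member's idmap settings from the post,
# plus the RFC2307 attributes ldapsearch returned for 'testuser'.
MEMBER_CONF = """
[global]
    workgroup = MYNET
    idmap config MYNET:backend = ad
    idmap config MYNET:schema_mode = rfc2307
    idmap config MYNET:range = 50000-99999
    winbind nss info = rfc2307
"""
DC_CONF = """
[global]
    idmap config *:backend = tdb
    idmap config *:range = 10000-49999
    idmap config MYNET:backend = ad
    idmap config MYNET:range = 50000-99999
"""
TESTUSER = {"uidNumber": 10001, "gidNumber": 10000}

# Matches 'idmap config <domain> : range = <low> - <high>' (spaces optional).
RANGE_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_idmap_ranges(conf: str) -> dict:
    """Return {DOMAIN: (low, high)} for every idmap range line in the fragment."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def check_rfc2307_ids(conf: str, domain: str, entry: dict) -> list:
    """List each uidNumber/gidNumber that idmap_ad would discard for this domain."""
    ranges = parse_idmap_ranges(conf)
    if domain.upper() not in ranges:
        return [f"no 'idmap config {domain}:range' defined"]
    low, high = ranges[domain.upper()]
    problems = []
    for attr in ("uidNumber", "gidNumber"):
        val = entry.get(attr)
        if val is None:
            problems.append(f"{attr} missing")
        elif not low <= val <= high:
            problems.append(f"{attr}={val} outside {domain} range {low}-{high}")
    return problems


def overlapping_ranges(ranges: dict) -> list:
    """Return pairs of domains whose idmap ranges overlap (they must be disjoint)."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]
```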
