[Samba] idmap_ad and RFC2370 (inconsistent results)
Rowland Penny
rpenny at samba.org
Mon Aug 8 16:09:01 UTC 2016
See inline comments
On Mon, 8 Aug 2016 17:33:59 +0200
Stefano Pardini <stefanopardini at gmail.com> wrote:
> Hi everyone.
> I'm encountering problems with the management of the id of the users,
> in the DC and in the domain members (RFC2370).
>
> I'm using Samba Version 4.2.10-Debian on Debian8.5.
>
> This is the DC configuration / result.
>
> root at samba4:/var/lib/samba# cat /etc/samba/smb.conf |grep -v '#'
> [global]
> workgroup = MYNET
> realm = ad.mynet.lan
> netbios name = SAMBA4
> server role = active directory domain controller
> server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate, smb
> server services = -s3fs -dns
Why are you using the deprecated 'ntvfs' backend?
> dcerpc endpoint servers = +winreg +srvsvc
> interfaces = 192.168.10.7
> log file = /var/log/samba/mynet.log
> syslog = 0
> log level = 3 passdb:0 auth:0 winbind:0 vfs:0
> vfs objects = full_audit
>
> idmap_ldb:use rfc2307 = yes
The lines below do nothing on a DC:
> winbind nss info = rfc2307
>
> idmap config *:backend = tdb
> idmap config *:range = 10000-49999
>
> idmap config MYNET:backend = ad
> idmap config MYNET:schema_mode = rfc2307
> idmap config MYNET:range = 50000-99999
These will work:
>
> winbind enum users = Yes
> winbind enum groups = Yes
>
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind normalize names = Yes
>
> dsdb:schema update allowed = true
>
> tls enabled = yes
> tls keyfile = /etc/samba/certs/samba4.server.mynet.lan.key
> tls certfile = /etc/samba/certs/samba4.server.mynet.lan.crt
>
> kerberos method = system keytab
> client ldap sasl wrapping = sign
> allow dns updates = nonsecure and secure
> nsupdate command = /usr/bin/nsupdate -g
>
> ldap server require strong auth = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/ad.mynet.lan/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> This is the result of the provisioning operation.
> root at samba4:~# /usr/bin/samba-tool domain provision
> --realm=ad.mynet.lan --domain=MYNET --adminpass='p4ssw0rd'
> --server-role=dc --dns-backend=BIND9_DLZ --function-level=2008_R2
> --use-xattr=yes --host-ip=192.168.10.7 --use-rfc2307
> ...
> Server Role: active directory domain controller
> Hostname: samba4
> NetBIOS Domain: MYNET
> DNS Domain: ad.mynet.lan
> DOMAIN SID: S-1-5-21-1682454527-3772531157-3555914497
>
> root at samba4:~# head /etc/nsswitch.conf |grep -v '#'
> passwd: compat winbind
> group: compat winbind
>
> root at samba4:/var/lib/samba# getent passwd testuser
> MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false
>
> root at samba4:/var/lib/samba# id testuser
> uid=10001(MYNET\testuser) gid=100(users) groups=100(users)
>
> root at adclient:/etc/samba# wbinfo -i testuser
> MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false
>
>
>
> This is the domain member configuration / result.
>
> root at adclient:/etc/samba# id testuser
> uid=10005(testuser) gid=10000(domain users) groups=10000(domain
> users),10023(BUILTIN\users)
>
> root at adclient:/etc/samba# getent passwd testuser
> testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false
>
> root at adclient:/etc/samba# wbinfo -i testuser
> testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false
>
> root at adclient:~# head /etc/nsswitch.conf |grep -v '#'
> passwd: compat winbind
> group: compat winbind
>
> root at adclient:~# net ads info
> LDAP server: 192.168.10.7
> LDAP server name: samba4.ad.mynet.lan
> Realm: AD.MYNET.LAN
> Bind Path: dc=AD,dc=MYNET,dc=LAN
> LDAP port: 389
> Server time: Mon, 08 Aug 2016 16:22:35 CEST
> KDC server: 192.168.10.7
> Server time offset: 25
>
> root at adclient:~# net ads testjoin
> Join is OK
>
> root at adclient:/etc/ldap# cat /etc/samba/smb.conf |grep -v '#'
> [global]
> netbios name = ADCLIENT
> security = ads
> workgroup = MYNET
> realm = AD.MYNET.LAN
> server string = Active Directory Domain Member (test)
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> winbind trusted domains only = no
> winbind use default domain = yes
>
> winbind enum users = yes
> winbind enum groups = yes
>
> log file = /var/log/samba/mynet.log
> syslog = 0
> log level = 3 passdb:0 auth:0 winbind:0 vfs:0
>
> idmap config MYNET:backend = ad
> idmap config MYNET:schema_mode = rfc2307
> idmap config MYNET:range = 50000-99999
> winbind nss info = rfc2307
>
You do not seem to have the '*' domain set up, and the next line does
not have any place on a domain member.
> idmap_ldb:use rfc2307 = yes
>
>
>
> This is a ldapsearch result for 'testuser'.
> root at samba4:/var/lib/samba# ldapsearch -x -h samba4.server.mynet.lan
> -b 'ou=Teachers,ou=Users,ou=MyNet,dc=ad,dc=mynet,dc=lan' -D
> 'administrator at ad.mynet.lan' -w 'p4ssw0rd'
> '(&(objectClass=person)(sAMAccountName=testuser))'
> ...
> uidNumber: 10001
> unixHomeDirectory: /home/testuser
> gidNumber: 10000
> msSFU30Name: testuser
> unixUserPassword: ABCD!efgh12345$67890
> uid: testuser
> loginShell: /bin/bash
> ...
>
>
>
> As you can see, the NIS attributes are correctly stored inside the
> LDAP tree. But the results are very different in each location.
> In the DC: uidNumber and gidNumber are correctly extracted and viewed
> (but the loginShell and unixHomeDirectory are wrong).
> In the domain member: everything is independent from the AD stored
> user. I've already deleted the winbind cache with the 'net cache flush'
> command, tried to leave and rejoin the domain, and removed the
> *tdb files. I've created 'testuser' with the ADUC utility running on
> Windows7 (I've enabled the UNIX attributes section).
If you have RFC2307 attributes in AD, then you should get the same IDs
on all Samba computers, DCs & domain members
i.e.
root at dc1:~# getent passwd rowland
SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
Can I suggest you have a look here:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
Rowland
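As an added example, not part of this thread or of Samba itself: a small Python linter that applies the points raised in the reply above to an smb.conf (settings that do nothing on a DC, the missing '*' domain and the stray idmap_ldb line on a member). The sample config is constructed; the range check relies on the documented idmap_ad behaviour of only mapping accounts whose uidNumber falls inside the configured range, which the thread does not state.

```python
import re
from typing import Dict, List, Optional
def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """[section] / 'key = value' reader; a repeated key keeps its last value, as smbd does."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[re.sub(r"\s+", " ", key.strip())] = value.strip()
    return sections

def lint_idmap(conf_text: str, ad_uid: Optional[int] = None) -> List[str]:
    """Findings the reply raises for a DC or member; ad_uid is the user's uidNumber in AD."""
    g = parse_smb_conf(conf_text).get("global", {})
    findings: List[str] = []
    idmap_keys = [k for k in g if k.startswith("idmap config ")]
    if "domain controller" in g.get("server role", ""):
        if "-s3fs" in g.get("server services", ""):
            findings.append("DC runs the deprecated ntvfs file server (s3fs disabled)")
        # idmap config and winbind nss info are ignored on a DC, which uses idmap.ldb
        findings += [f"'{k}' does nothing on a DC" for k in idmap_keys + ["winbind nss info"] if k in g]
        return findings
    if "idmap_ldb:use rfc2307" in g:
        findings.append("'idmap_ldb:use rfc2307' has no place on a domain member")
    if not any(k.startswith("idmap config *:") for k in idmap_keys):
        findings.append("no 'idmap config *' default domain (backend and range) set")
    # idmap_ad only maps accounts whose uidNumber lies inside the domain's range
    for k in idmap_keys:
        dom, _, opt = k[len("idmap config "):].partition(":")
        if opt == "backend" and g[k] == "ad" and ad_uid is not None:
            lo, hi = map(int, g.get(f"idmap config {dom}:range", "0-0").split("-"))
            if not lo <= ad_uid <= hi:
                findings.append(f"AD uidNumber {ad_uid} is outside {dom} range {lo}-{hi}")
    return findings

# Constructed member config in the shape of the thread's (not the poster's actual file)
MEMBER_CONF = """[global]
security = ads
idmap config MYNET:backend = ad
idmap config MYNET:schema_mode = rfc2307
idmap config MYNET:range = 50000-99999
idmap_ldb:use rfc2307 = yes
"""
```

Running `lint_idmap(MEMBER_CONF, ad_uid=10001)` reports the two member-side points from the reply plus the out-of-range uidNumber; a uidNumber inside 50000-99999 drops the last finding.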