[Samba] idmap_ad and RFC2370 (inconsistent results)

Rowland Penny rpenny at samba.org
Mon Aug 8 16:13:56 UTC 2016


On Mon, 8 Aug 2016 17:33:59 +0200
Stefano Pardini <stefanopardini at gmail.com> wrote:

> Hi everyone.
> I'm encountering problems with the management of the id of the users,
> in the DC and in the domain members (RFC2370).
> 
> I'm using Samba Version 4.2.10-Debian on Debian8.5.
> 
> This is the DC configuration / result.
> 
> root at samba4:/var/lib/samba# cat /etc/samba/smb.conf |grep -v '#'
> [global]
>     workgroup = MYNET
>     realm = ad.mynet.lan
>     netbios name = SAMBA4
>     server role = active directory domain controller
>     server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate, smb
>     server services = -s3fs -dns
>     dcerpc endpoint servers = +winreg +srvsvc
>     interfaces = 192.168.10.7
>     log file = /var/log/samba/mynet.log
>     syslog = 0
>     log level = 3 passdb:0 auth:0 winbind:0 vfs:0
>     vfs objects = full_audit
> 
>     idmap_ldb:use rfc2307 = yes
>     winbind nss info = rfc2307
> 
>     idmap config *:backend = tdb
>     idmap config *:range = 10000-49999
> 
>     idmap config MYNET:backend = ad
>     idmap config MYNET:schema_mode = rfc2307
>     idmap config MYNET:range = 50000-99999
> 
>     winbind enum users = Yes
>     winbind enum groups = Yes
> 
>     winbind use default domain = Yes
>     winbind refresh tickets = Yes
>     winbind normalize names = Yes
> 
>     dsdb:schema update allowed = true
> 
>     tls enabled  = yes
>     tls keyfile  = /etc/samba/certs/samba4.server.mynet.lan.key
>     tls certfile = /etc/samba/certs/samba4.server.mynet.lan.crt
> 
>     kerberos method = system keytab
>     client ldap sasl wrapping = sign
>     allow dns updates = nonsecure and secure
>     nsupdate command =  /usr/bin/nsupdate -g
> 
>     ldap server require strong auth = No
> 
> [netlogon]
>     path = /var/lib/samba/sysvol/ad.mynet.lan/scripts
>     read only = No
> 
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
> 
> This is the result of the provisioning operation.
> root at samba4:~# /usr/bin/samba-tool domain provision
> --realm=ad.mynet.lan --domain=MYNET --adminpass='p4ssw0rd'
> --server-role=dc --dns-backend=BIND9_DLZ --function-level=2008_R2
> --use-xattr=yes --host-ip=192.168.10.7 --use-rfc2307
> ...
> Server Role:           active directory domain controller
> Hostname:              samba4
> NetBIOS Domain:        MYNET
> DNS Domain:            ad.mynet.lan
> DOMAIN SID:            S-1-5-21-1682454527-3772531157-3555914497
> 
> root at samba4:~# head /etc/nsswitch.conf |grep -v '#'
> passwd:         compat winbind
> group:          compat winbind
> 
> root at samba4:/var/lib/samba# getent passwd testuser
> MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false
> 
> root at samba4:/var/lib/samba# id testuser
> uid=10001(MYNET\testuser) gid=100(users) groups=100(users)
> 
> root at adclient:/etc/samba# wbinfo -i testuser
> MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false
> 
> 
> 
> This is the domain member configuration / result.
> 
> root at adclient:/etc/samba# id testuser
> uid=10005(testuser) gid=10000(domain users) groups=10000(domain
> users),10023(BUILTIN\users)
> 
> root at adclient:/etc/samba# getent passwd testuser
> testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false
> 
> root at adclient:/etc/samba# wbinfo -i testuser
> testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false
> 
> root at adclient:~# head /etc/nsswitch.conf |grep -v '#'
> passwd:         compat winbind
> group:          compat winbind
> 
> root at adclient:~# net ads info
> LDAP server: 192.168.10.7
> LDAP server name: samba4.ad.mynet.lan
> Realm: AD.MYNET.LAN
> Bind Path: dc=AD,dc=MYNET,dc=LAN
> LDAP port: 389
> Server time: Mon, 08 Aug 2016 16:22:35 CEST
> KDC server: 192.168.10.7
> Server time offset: 25
> 
> root at adclient:~# net ads testjoin
> Join is OK
> 
> root at adclient:/etc/ldap# cat /etc/samba/smb.conf |grep -v '#'
> [global]
>     netbios name = ADCLIENT
>     security = ads
>     workgroup = MYNET
>     realm = AD.MYNET.LAN
>     server string = Active Directory Domain Member (test)
> 
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     winbind refresh tickets = yes
>     winbind trusted domains only = no
>     winbind use default domain = yes
> 
>     winbind enum users  = yes
>     winbind enum groups = yes
> 
>     log file = /var/log/samba/mynet.log
>     syslog = 0
>     log level = 3 passdb:0 auth:0 winbind:0 vfs:0
> 
>     idmap config MYNET:backend = ad
>     idmap config MYNET:schema_mode = rfc2307
>     idmap config MYNET:range = 50000-99999
>     winbind nss info = rfc2307
> 
>     idmap_ldb:use rfc2307 = yes
> 
> 
> 
> This is a ldapsearch result for 'testuser'.
> root at samba4:/var/lib/samba# ldapsearch -x -h samba4.server.mynet.lan
> -b 'ou=Teachers,ou=Users,ou=MyNet,dc=ad,dc=mynet,dc=lan' -D
> 'administrator at ad.mynet.lan' -w 'p4ssw0rd'
> '(&(objectClass=person)(sAMAccountName=testuser))'
> ...
> uidNumber: 10001
> unixHomeDirectory: /home/testuser
> gidNumber: 10000
> msSFU30Name: testuser
> unixUserPassword: ABCD!efgh12345$67890
> uid: testuser
> loginShell: /bin/bash
> ...
> 
> 
> 
> As you can see, the NIS attributes are correctly stored inside the
> LDAP tree. But the results are very different in each location.
> In the DC: uidNumber and gidNumber are correctly extracted and viewed
> (but the loginShell and unixHomeDirectory are wrong).
> In the domain member: everything is independent from the AD stored
> user. I've already deleted the winbind cache with the 'net cache flush'
> command, tried leaving and rejoining the domain, and removed the
> *tdb files. I've created 'testuser' with the ADUC utility running on
> Windows7 (I've enabled the UNIX attributes section).
> 
> Thanks in advance for your help.
> 

I missed something: turn on 'winbindd' on the DC instead of the old,
deprecated 'winbind'.

Rowland
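Two things in the quoted configurations can be checked mechanically: the DC's `server services` line names the deprecated `winbind` service rather than `winbindd` (Rowland's point), and testuser's uidNumber 10001 and gidNumber 10000 fall outside the `idmap config MYNET:range = 50000-99999` set on both hosts, a range that idmap_ad applies as a filter. The following linter is an added example, not part of either message or of Samba itself; its sample configs are abbreviated copies of those in the post.

```python
# Added example (not Samba's code): lint smb.conf [global] for the two issues above.

def parse_globals(text):
    """[global] params as {lowercased name: value}; 'server services' honours '+x'/'-x'."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('['):
            section = line.strip('[]').lower()
        elif section == 'global' and '=' in line:
            name, value = (p.strip() for p in line.split('=', 1))
            name = ' '.join(name.lower().split())
            if name == 'server services' and value[:1] in ('+', '-'):
                current = set(params.get(name, '').replace(',', ' ').split())
                for tok in value.split():
                    (current.add if tok[0] == '+' else current.discard)(tok[1:])
                value = ' '.join(sorted(current))
            params[name] = value
    return params

def check(params, domain, uid_number, gid_number):
    """Findings for one host: deprecated service name, ids outside the domain range."""
    findings = []
    if 'winbind' in params.get('server services', '').replace(',', ' ').split():
        findings.append("server services names deprecated 'winbind'; use 'winbindd'")
    rng = params.get(f'idmap config {domain.lower()}:range')
    if rng is None:
        return findings + [f'no idmap config {domain}:range set']
    low, high = (int(x) for x in rng.split('-'))
    for attr, num in (('uidNumber', uid_number), ('gidNumber', gid_number)):
        if not low <= num <= high:  # idmap_ad discards ids outside its range
            findings.append(f'{attr} {num} outside {domain} range {low}-{high}')
    return findings

# Constructed from the configs in the post; testuser has uidNumber 10001, gidNumber 10000.
DC_CONF = """[global]
    server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb
    server services = -s3fs -dns
    idmap config MYNET:range = 50000-99999
"""
MEMBER_CONF = """[global]
    idmap config MYNET:backend = ad
    idmap config MYNET:range = 50000-99999
"""

def report():
    """Findings per host for the two constructed configs."""
    return {host: check(parse_globals(conf), 'MYNET', 10001, 10000)
            for host, conf in (('DC', DC_CONF), ('member', MEMBER_CONF))}
```

Running `report()` flags the deprecated service name on the DC and the out-of-range uidNumber/gidNumber on both hosts.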
