[Samba] WINBIND: UID and GID false mappings on domain member

rawi only4com at web.de
Fri Aug 12 14:33:27 UTC 2016 

Hi @ALL

Trying to migrate to Samba AD after 12 lucky years with samba NT-domain +
server profiles and homes in a small research institute.

I decided to provision a new domain and create the users and groups using
samba-tool with most of its parameters.
I decided against classicupgrade, because I didn't get all posix attributes
automatically set and I cannot do LDAP kung-fu.

Intention is to administer most of it with samba-tool and Co, not Windows
RSAT.
In the NT domain I set till now all rights trough the Unix-rights, UID and
GID.

Even if I'm willing to recreate users and groups accordingly to the old UID
and GID (not that many), I am _desperately_ needing to transfer the data
with its original ownership.

I've set an "_ONLY_ DOMAIN CONTROLLER" and a first "DOMAIN MEMBER" as file
server.

Mostly all is good, ntp, dns, kinit are working, the member server could
join the dc, authentication works.

WHAT I DO NOT GET CORRECTLY are the UID and GID of users and groups on the
domain member (PARTIALLY DEPENDING if I have the lines with "idmap config
*:..." or not ??? - see below)

And yes, I red in the last _weeks_ most of the docs and Q&A I could find.
I've said I'm desperate...

Please see the configs and the tests. May the force be with you :)

Many thanks in advance!

Environment: Ubuntu Server 16.04.1 + Samba 4.3.9

### DOMAIN CONTROLLER
root at hg-dc1:/etc/samba# cat smb.conf
# Global parameters
[global]
        workgroup = HUMGEN
        realm = HUMGEN.0ZONE
        netbios name = HG-DC1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc

        idmap_ldb:use rfc2307 = yes
        dns-nameservers 127.0.0.1

        tls enabled  = yes
        tls keyfile  = tls/myKey.pem
        tls certfile = tls/myCert.pem
        tls cafile   = 

# [netlogon] is on the member server and defined in the user's object

# I let sysvol here, as I don't understand it's role
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

### DOMAIN MEMBER
root at hg004:/etc/samba# cat smb.conf
netbios name = HG004
server string = Fileserver HG004 - Samba 4.3.9-Ubuntu
security = ADS
workgroup = HUMGEN
realm = HUMGEN.0ZONE
server role = member server

server services = -dnsupdate -dns

interfaces = bond0, lo
bind interfaces only = yes

domain master = no
local master = no
preferred master = no
domain logons = no

encrypt passwords = yes

log file = /var/log/samba/%m.log
log level = passdb:5 auth:10 winbind:10

syslog only = no
# syslog 0=LOG_ERR, 1=LOG_WARNING, 2=LOG_NOTICE, 3=LOG_INFO
syslog = 0

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-4000

# idmap config for domain HUMGEN
idmap config HUMGEN:backend = ad
idmap config HUMGEN:schema_mode = rfc2307
idmap config HUMGEN:range = 5000-30000
idmap config HUMGEN:default = yes

# Use settings from AD for login shell and home directory
winbind use default domain = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes

# no logon with cached credentials
winbind offline logon = no

winbind refresh tickets = yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab

wins server = hg-dc1.humgen.0zone

socket options = TCP_NODELAY IPTOS_LOWDELAY

# no templates. They are coming from LDAP in Active Directory
template homedir =
template shell =

# They are also coming from LDAP in Active Directory
logon script =
logon path =
logon drive =
logon home =

# case sensitive: auto=NO for Windows and maybe YES for CIFS
case sensitive = no
preserve case = Yes
short preserve case = Yes

# don't show the shares
browseable = no

map to guest = never

# default. Speeds transfers up. There are also others oplocks params
oplocks = yes
veto oplock files = /*.mdb/*.MDB/*.mde/*.MDE/*.mdw/*.MDW/*.ldb/*.LDB

# allow no local caching of data on the client
csc policy = disable

hide unreadable = yes
hide dot files = no

reset on zero vc = yes

[netlogon]
    path = /mnt/SRVDATA_crypt/samba/netlogon
    read only = yes

[homes]
    comment = %u's Home Directory
    path = /mnt/SRVDATA_crypt/samba/home/%S
    browsable = no
    read only = no
    valid users = %S

# server profiles are inside the user's home on the domain member and
defined in the user's object in AD
;[profiles]

### TEST USER
root at hg-dc1:/etc/samba# ldbsearch -H /var/lib/samba/private/sam.ldb
'(cn=test)'
# record 1
dn: CN=test,CN=Users,DC=humgen,DC=0zone
cn: test
sn:: VGVzdOKAiC0tZ2l2ZW4tbmFtZT1XYW50IFRv
title: Test Pilot
description: Want to Test
physicalDeliveryOfficeName: Bldg. 11, 12th floor, Room 1234
telephoneNumber: 12345
initials: WT.
instanceType: 4
whenCreated: 20160728135850.0Z
displayName:: IFdULiBUZXN04oCILS1naXZlbi1uYW1lPVdhbnQgVG8=
uSNCreated: 3803
department:: SW5zdGl0dXRl
company:: VU5J
wWWHomePage: institute.uni.de
name: test
objectGUID: af9cf66f-d5c7-4d7f-980f-c4c87a5765e5
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-1231847632-1110290357-1532217621-1108
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: test
sAMAccountType: 805306368
userPrincipalName: test at humgen.0zone
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=humgen,DC=0zone
mail: test at humgen.0zone
uid: test
uidNumber: 9439
gidNumber: 5001
gecos: Want to Test
loginShell: /bin/bash
msSFU30NisDomain: humgen
msSFU30Name: test
unixUserPassword: ABCD!efgh12345$67890
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 512
pwdLastSet: 131142705100000000
scriptPath: \\hg004.humgen.0zone\netlogon\login.bat
homeDirectory: \\hg004.humgen.0zone\%USERNAME%
homeDrive: U
profilePath: \\hg004.humgen.0zone\%USERNAME%\winprofile
unixHomeDirectory: //hg004.humgen.0zone/test/linhome
lastLogonTimestamp: 131153950658668290
whenChanged: 20160811131745.0Z
uSNChanged: 3847
lastLogon: 131154694735501500
distinguishedName: CN=test,CN=Users,DC=humgen,DC=0zone

### TEST GROUP
root at hg-dc1:/etc/samba# ldbsearch -H /var/lib/samba/private/sam.ldb
'(cn=hg_allg)' 
# record 1
dn: CN=hg_allg,CN=Users,DC=humgen,DC=0zone
objectClass: top
objectClass: group
cn: hg_allg
description: All Users of HumGen
instanceType: 4
whenCreated: 20160801120752.0Z
whenChanged: 20160801120752.0Z
uSNCreated: 3835
uSNChanged: 3835
name: hg_allg
objectGUID: 7acc757d-3164-471c-a101-c8f8ed5d8339
objectSid: S-1-5-21-1231847632-1110290357-1532217621-1113
sAMAccountName: hg_allg
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=humgen,DC=0zone
msSFU30Name: hg_allg
msSFU30NisDomain: humgen
gidNumber: 5001
distinguishedName: CN=hg_allg,CN=Users,DC=humgen,DC=0zone

###
# on the domain controller
###

root at hg-dc1:/etc/bind# wbinfo --user-info test
HUMGEN\test:*:9439:100: WT. Test --given-name=Want
To:/home/HUMGEN/test:/bin/false

root at hg-dc1:/etc/bind# wbinfo --group-info hg_allg
HUMGEN\hg_allg:x:5001:

###
# on the member server
###
root at hg004:/etc/samba# wbinfo -u
administrator
dns-hg-dc1
krbtgt
guest
test

root at hg004:/etc/samba# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
hg_allg

root at hg004:/etc/samba# wbinfo --group-info hg_allg
hg_allg:x:5001: # correct

root at hg004:/etc/samba# wbinfo --user-info test
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test
### ?!?!?! PROBLEM

root at hg004:/etc/samba# wbinfo -n test
S-1-5-21-1231847632-1110290357-1532217621-1108 SID_USER (1)

root at hg004:/etc/samba# wbinfo --sid-to-uid
S-1-5-21-1231847632-1110290357-1532217621-1108
9439 # correct

root at hg004:/etc/samba# getent passwd
#... only local users, NO USER test - PROBLEM

root at hg004:/etc/samba# getent group
#... local and domain groups - correct
hg_allg:x:5001:

###
# if I comment or delete:
# idmap config *:backend = tdb
# idmap config *:range = 2000-4000
# I get all I want - with false UID and GID
###

root at hg004:/home/iroot# getent passwd test
test:*:4294967295:4294967295:Want to
Test://hg004.humgen.0zone/test/linhome:/bin/bash

root at hg004:/etc/samba# getent group hg_allg
hg_allg:x:4294967295:

###
# Thank you for enduring this to its bitter end.
###



--
View this message in context: http://samba.2283325.n4.nabble.com/WINBIND-UID-and-GID-false-mappings-on-domain-member-tp4706553.html
Sent from the Samba - General mailing list archive at Nabble.com.

More information about the samba mailing list