[Samba] WINBIND: UID and GID false mappings on domain member
Rowland Penny
rpenny at samba.org
Fri Aug 12 15:45:19 UTC 2016
On Fri, 12 Aug 2016 07:33:27 -0700 (PDT)
rawi via samba <samba at lists.samba.org> wrote:
> Hi @ALL
>
> Trying to migrate to Samba AD after 12 lucky years with samba
> NT-domain + server profiles and homes in a small research institute.
>
> I decided to provision a new domain and create the users and groups
> using samba-tool with most of its parameters.
> I decided against classicupgrade, because I didn't get all posix
> attributes automatically set and I cannot do LDAP kung-fu.
>
> Intention is to administer most of it with samba-tool and Co, not
> Windows RSAT.
> In the NT domain I have, until now, set all rights through the Unix
> rights, UID and GID.
>
> Even if I'm willing to recreate users and groups according to the
> old UID and GID (not that many), I am _desperately_ needing to
> transfer the data with its original ownership.
>
> I've set an "_ONLY_ DOMAIN CONTROLLER" and a first "DOMAIN MEMBER" as
> file server.
>
> Mostly everything is good: ntp, dns, kinit are working, the member
> server could join the dc, authentication works.
>
> WHAT I DO NOT GET CORRECTLY are the UID and GID of users and groups
> on the domain member (PARTIALLY DEPENDING if I have the lines with
> "idmap config *:..." or not ??? - see below)
Have you added uidNumber & gidNumber attributes to the user & group
objects in AD?
>
> And yes, I read in the last _weeks_ most of the docs and Q&A I could
> find. I've said I'm desperate...
>
> Please see the configs and the tests. May the force be with you :)
>
> Many thanks in advance!
>
> Environment: Ubuntu Server 16.04.1 + Samba 4.3.9
>
> ### DOMAIN CONTROLLER
> root at hg-dc1:/etc/samba# cat smb.conf
> # Global parameters
> [global]
> workgroup = HUMGEN
> realm = HUMGEN.0ZONE
> netbios name = HG-DC1
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc
>
> idmap_ldb:use rfc2307 = yes
> dns-nameservers 127.0.0.1
I take it you are using bind9 as the nameserver and you have set it up
correctly? In which case you will have a line similar to this in
named.conf.options:
forwarders { 8.8.8.8; 8.8.4.4; };
So remove 'dns-nameservers 127.0.0.1' from smb.conf. I don't recognise
it, so I suppose Samba won't either. There is the setting 'dns
forwarder', but this is only used with the internal DNS server, and you
wouldn't use '127.0.0.1'.
>
> tls enabled = yes
> tls keyfile = tls/myKey.pem
> tls certfile = tls/myCert.pem
> tls cafile =
>
> # [netlogon] is on the member server and defined in the user's object
I suggest you put it back
> # I let sysvol here, as I don't understand its role
I suggest you find out, it is rather important. I will give you a hint:
GPOs.
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> ### DOMAIN MEMBER
> root at hg004:/etc/samba# cat smb.conf
> netbios name = HG004
> server string = Fileserver HG004 - Samba 4.3.9-Ubuntu
> security = ADS
> workgroup = HUMGEN
> realm = HUMGEN.0ZONE
> server role = member server
>
> server services = -dnsupdate -dns
You do not need these lines on a domain member
>
> interfaces = bond0, lo
> bind interfaces only = yes
>
From here:
> domain master = no
> local master = no
> preferred master = no
> domain logons = no
>
> encrypt passwords = yes
>
To here, can be removed.
> log file = /var/log/samba/%m.log
> log level = passdb:5 auth:10 winbind:10
>
> syslog only = no
> # syslog 0=LOG_ERR, 1=LOG_WARNING, 2=LOG_NOTICE, 3=LOG_INFO
> syslog = 0
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-4000
>
> # idmap config for domain HUMGEN
> idmap config HUMGEN:backend = ad
> idmap config HUMGEN:schema_mode = rfc2307
> idmap config HUMGEN:range = 5000-30000
> idmap config HUMGEN:default = yes
>
> # Use settings from AD for login shell and home directory
> winbind use default domain = yes
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
>
> # no logon with cached credentials
> winbind offline logon = no
>
> winbind refresh tickets = yes
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
>
Again, remove lines from here:
> wins server = hg-dc1.humgen.0zone
>
> socket options = TCP_NODELAY IPTOS_LOWDELAY
>
> # no templates. They are coming from LDAP in Active Directory
> template homedir =
> template shell =
>
> # They are also coming from LDAP in Active Directory
> logon script =
> logon path =
> logon drive =
> logon home =
>
To here.
> # case sensitive: auto=NO for Windows and maybe YES for CIFS
> case sensitive = no
> preserve case = Yes
> short preserve case = Yes
>
> # don't show the shares
> browseable = no
>
> map to guest = never
>
> # default. Speeds transfers up. There are also others oplocks params
> oplocks = yes
> veto oplock files = /*.mdb/*.MDB/*.mde/*.MDE/*.mdw/*.MDW/*.ldb/*.LDB
>
> # allow no local caching of data on the client
> csc policy = disable
>
> hide unreadable = yes
> hide dot files = no
>
> reset on zero vc = yes
>
Remove these next lines and put them back on the DC:
> [netlogon]
> path = /mnt/SRVDATA_crypt/samba/netlogon
> read only = yes
>
> [homes]
> comment = %u's Home Directory
> path = /mnt/SRVDATA_crypt/samba/home/%S
> browsable = no
> read only = no
> valid users = %S
>
> # server profiles are inside the user's home on the domain member and
> defined in the user's object in AD
> ;[profiles]
>
> ### TEST USER
> root at hg-dc1:/etc/samba# ldbsearch -H /var/lib/samba/private/sam.ldb
> '(cn=test)'
> # record 1
> dn: CN=test,CN=Users,DC=humgen,DC=0zone
> cn: test
> sn:: VGVzdOKAiC0tZ2l2ZW4tbmFtZT1XYW50IFRv
> title: Test Pilot
> description: Want to Test
> physicalDeliveryOfficeName: Bldg. 11, 12th floor, Room 1234
> telephoneNumber: 12345
> initials: WT.
> instanceType: 4
> whenCreated: 20160728135850.0Z
> displayName:: IFdULiBUZXN04oCILS1naXZlbi1uYW1lPVdhbnQgVG8=
> uSNCreated: 3803
> department:: SW5zdGl0dXRl
> company:: VU5J
> wWWHomePage: institute.uni.de
> name: test
> objectGUID: af9cf66f-d5c7-4d7f-980f-c4c87a5765e5
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-1231847632-1110290357-1532217621-1108
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: test
> sAMAccountType: 805306368
> userPrincipalName: test at humgen.0zone
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=humgen,DC=0zone
> mail: test at humgen.0zone
> uid: test
> uidNumber: 9439
> gidNumber: 5001
> gecos: Want to Test
> loginShell: /bin/bash
> msSFU30NisDomain: humgen
> msSFU30Name: test
> unixUserPassword: ABCD!efgh12345$67890
> objectClass: top
> objectClass: posixAccount
You do not need and should not add the POSIX objectclasses
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> userAccountControl: 512
> pwdLastSet: 131142705100000000
> scriptPath: \\hg004.humgen.0zone\netlogon\login.bat
> homeDirectory: \\hg004.humgen.0zone\%USERNAME%
> homeDrive: U
> profilePath: \\hg004.humgen.0zone\%USERNAME%\winprofile
> unixHomeDirectory: //hg004.humgen.0zone/test/linhome
> lastLogonTimestamp: 131153950658668290
> whenChanged: 20160811131745.0Z
> uSNChanged: 3847
> lastLogon: 131154694735501500
> distinguishedName: CN=test,CN=Users,DC=humgen,DC=0zone
>
> ### TEST GROUP
> root at hg-dc1:/etc/samba# ldbsearch -H /var/lib/samba/private/sam.ldb
> '(cn=hg_allg)'
> # record 1
> dn: CN=hg_allg,CN=Users,DC=humgen,DC=0zone
> objectClass: top
> objectClass: group
> cn: hg_allg
> description: All Users of HumGen
> instanceType: 4
> whenCreated: 20160801120752.0Z
> whenChanged: 20160801120752.0Z
> uSNCreated: 3835
> uSNChanged: 3835
> name: hg_allg
> objectGUID: 7acc757d-3164-471c-a101-c8f8ed5d8339
> objectSid: S-1-5-21-1231847632-1110290357-1532217621-1113
> sAMAccountName: hg_allg
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=humgen,DC=0zone
> msSFU30Name: hg_allg
> msSFU30NisDomain: humgen
> gidNumber: 5001
> distinguishedName: CN=hg_allg,CN=Users,DC=humgen,DC=0zone
>
> ###
> # on the domain controller
> ###
>
> root at hg-dc1:/etc/bind# wbinfo --user-info test
> HUMGEN\test:*:9439:100: WT. Test --given-name=Want
> To:/home/HUMGEN/test:/bin/false
>
> root at hg-dc1:/etc/bind# wbinfo --group-info hg_allg
> HUMGEN\hg_allg:x:5001:
>
> ###
> # on the member server
> ###
> root at hg004:/etc/samba# wbinfo -u
> administrator
> dns-hg-dc1
> krbtgt
> guest
> test
>
> root at hg004:/etc/samba# wbinfo -g
> allowed rodc password replication group
> enterprise read-only domain controllers
> denied rodc password replication group
> read-only domain controllers
> group policy creator owners
> ras and ias servers
> domain controllers
> enterprise admins
> domain computers
> cert publishers
> dnsupdateproxy
> domain admins
> domain guests
> schema admins
> domain users
> dnsadmins
> hg_allg
>
> root at hg004:/etc/samba# wbinfo --group-info hg_allg
> hg_allg:x:5001: # correct
>
> root at hg004:/etc/samba# wbinfo --user-info test
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user test
> ### ?!?!?! PROBLEM
>
> root at hg004:/etc/samba# wbinfo -n test
> S-1-5-21-1231847632-1110290357-1532217621-1108 SID_USER (1)
>
> root at hg004:/etc/samba# wbinfo --sid-to-uid
> S-1-5-21-1231847632-1110290357-1532217621-1108
> 9439 # correct
>
> root at hg004:/etc/samba# getent passwd
> #... only local users, NO USER test - PROBLEM
>
> root at hg004:/etc/samba# getent group
> #... local and domain groups - correct
> hg_allg:x:5001:
>
> ###
> # if I comment or delete:
> # idmap config *:backend = tdb
> # idmap config *:range = 2000-4000
> # I get all I want - with false UID and GID
> ###
>
> root at hg004:/home/iroot# getent passwd test
> test:*:4294967295:4294967295:Want to
> Test://hg004.humgen.0zone/test/linhome:/bin/bash
>
> root at hg004:/etc/samba# getent group hg_allg
> hg_allg:x:4294967295:
>
> ###
> # Thank you for enduring this to its bitter end.
> ###
>
Have you given 'Domain Users' a gidNumber inside the range 5000-30000?
Rowland
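An added check, not part of the thread and not Samba's own code, that models what Rowland's last question points at: with `idmap config DOMAIN:backend = ad`, winbind builds a user's passwd entry from the user's uidNumber and from the gidNumber of the user's primary group (normally Domain Users, RID 513), and both must lie inside the domain's configured range; an id of 4294967295 in `getent` output is (uid_t)-1, which winbind returns when it has no mapping at all. The script below reads the idmap ranges out of an smb.conf fragment and a plain `attr: value` LDIF export and lists every reason a user would fail to map. The smb.conf fragment, the LDIF records, SIDs and DNs are constructed for this example (modelled on the thread, with Domain Users deliberately lacking a gidNumber); it is not output from the poster's domain.

```python
import re
from typing import Dict, List, Tuple

UNMAPPED_ID = 4294967295  # (uid_t)-1 as printed by getent: winbind had no mapping

# Constructed smb.conf fragment modelled on the domain member in the thread.
SMB_CONF = """
[global]
idmap config *:backend = tdb
idmap config *:range = 2000-4000
idmap config HUMGEN:backend = ad
idmap config HUMGEN:schema_mode = rfc2307
idmap config HUMGEN:range = 5000-30000
"""

# Constructed LDIF with made-up SIDs/DNs: the user's primary group
# (Domain Users, RID 513) carries no gidNumber at all.
LDIF = """
dn: CN=test,CN=Users,DC=example,DC=test
sAMAccountName: test
sAMAccountType: 805306368
primaryGroupID: 513
objectSid: S-1-5-21-1-2-3-1108
uidNumber: 9439
gidNumber: 5001

dn: CN=hg_allg,CN=Users,DC=example,DC=test
sAMAccountName: hg_allg
sAMAccountType: 268435456
objectSid: S-1-5-21-1-2-3-1113
gidNumber: 5001

dn: CN=Domain Users,CN=Users,DC=example,DC=test
sAMAccountName: Domain Users
sAMAccountType: 268435456
objectSid: S-1-5-21-1-2-3-513
"""

USER_TYPE, GROUP_TYPE = "805306368", "268435456"  # sAMAccountType values
RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Map each idmap domain ('*' included) to its (low, high) range."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated records of 'attr: value'."""
    records: List[Dict[str, List[str]]] = []
    cur: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # '::' base64 value; not needed for id checks
            continue
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        records.append(cur)
    return records


def rid_of(sid: str) -> int:
    return int(sid.rsplit("-", 1)[1])


def check_mappings(conf: str, ldif: str, domain: str) -> List[str]:
    """Return the reasons idmap_ad could not map users of `domain`."""
    findings: List[str] = []
    ranges, dom = parse_idmap_ranges(conf), domain.upper()
    if "*" not in ranges:
        findings.append("no 'idmap config *' range: BUILTIN and well-known SIDs stay unmapped")
    if dom not in ranges:
        findings.append(f"no 'idmap config {domain}:range' line")
        return findings
    lo, hi = ranges[dom]
    for other, (olo, ohi) in ranges.items():
        if other != dom and olo <= hi and lo <= ohi:
            findings.append(f"range {lo}-{hi} for {domain} overlaps {olo}-{ohi} for {other}")
    records = parse_ldif(ldif)
    groups = {rid_of(r["objectSid"][0]): r for r in records if r.get("sAMAccountType") == [GROUP_TYPE]}
    for r in records:
        if r.get("sAMAccountType") != [USER_TYPE]:
            continue
        name, uid = r["sAMAccountName"][0], r.get("uidNumber")
        if not uid:
            findings.append(f"user {name}: no uidNumber")
        elif not lo <= int(uid[0]) <= hi:
            findings.append(f"user {name}: uidNumber {uid[0]} outside {lo}-{hi}")
        pg = groups.get(int(r["primaryGroupID"][0]))  # the group winbind takes the gid from
        if pg is None:
            findings.append(f"user {name}: primary group RID {r['primaryGroupID'][0]} not in the export")
            continue
        pgname, gid = pg["sAMAccountName"][0], pg.get("gidNumber")
        if not gid:
            findings.append(f"user {name}: primary group '{pgname}' has no gidNumber")
        elif not lo <= int(gid[0]) <= hi:
            findings.append(f"user {name}: primary group '{pgname}' gidNumber {gid[0]} outside {lo}-{hi}")
    return findings


def unmapped_fields(passwd_line: str) -> List[str]:
    """Name the uid/gid fields of a getent passwd line that show (id_t)-1."""
    f = passwd_line.split(":")
    return [label for label, i in (("uid", 2), ("gid", 3))
            if len(f) > i and f[i].isdigit() and int(f[i]) == UNMAPPED_ID]


if __name__ == "__main__":
    for finding in check_mappings(SMB_CONF, LDIF, "HUMGEN"):
        print("PROBLEM:", finding)
    print(unmapped_fields("test:*:4294967295:4294967295:Want to Test:/home/test:/bin/bash"))
```

Against the constructed data the only finding is the missing gidNumber on Domain Users, which is exactly the condition that makes `wbinfo --user-info` fail while `wbinfo --sid-to-uid` and the group lookup still succeed. Removing the `idmap config *` lines adds a second finding rather than curing the first; ids of 4294967295 in `getent` output are reported as unmapped rather than as a real mapping.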