[Samba] SOLVED: WINBIND: UID and GID false mappings on domain member
rpenny at samba.org
Wed Aug 17 12:33:44 UTC 2016
On Wed, 17 Aug 2016 04:54:41 -0700 (PDT)
rawi via samba <samba at lists.samba.org> wrote:
> I bump this only to say SOLVED and many thanks to Rowland.
> Lessons learned:
> Indeed, my problems were related to not having a gidNumber for
> "Domain Users".
> After adding it I got real wbinfo --user-info on the domain member
> (file server).
> My test user could log in to his old home from the NT domain
> preserving the old UID and GID.
> 2. (question = why?)
> And login.bat was called at login time _only_ after moving the
> [netlogon] share from the domain member to the ad-dc.
> Why on earth it could not be called from the file server remains a
> mystery to me.
> The LDAP field scriptPath was configured:
> To bind the homeDrive I had to put a colon (:) after the drive letter.
> 4. (question = how changing/correct surname, givenName?)
> wbinfo output is slightly different on ad-dc and domain member with
> regard to the Geckos
I think you mean 'gecos', a Gecko is a type of lizard ;-)
> On the ad-dc:
> HUMGEN\test:*:9439:5000: WT. Test --given-name=Want
> The Geckos on ad-dc are composed from initials + surname + givenName.
> On the domain member (real Geckos field or may be description) :
> test:*:9439:5000:Want to
> The Geckos from the ad-dc will be sent as FullName to a joined
> Windows 8.1 computer.
This is a known problem, winbindd on the DC only extracts uidNumber &
gidNumber attributes, I just wish somebody would fix this.
> The fields (I gave them to samba-tool by creating the test user)
> surname and givenName are not visible in the output of ldbsearch.
> So, how would one modify the surname after a woman married and
> changed it?
you should get virtually all of a users attributes, there are a few
exceptions i.e. the users unicode password.
root at dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(&(objectclass=user)(samaccountname=rowland))'
# record 1
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
cn: Rowland Penny
displayName: Rowland Penny
name: Rowland Penny
userPrincipalName: rowland at samdom.example.com
gecos: Rowland Penny
distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> 5. (bug?)
> Adding "hosts allow =" on the ad-dc breaks everything.
> wbinfo will give no output on the ad-dc and an error on the domain
If you can duplicate this at will, then it does sound like a bug.
> After spying what dnsupdate does (rndc dumpdb -zones) I could take
> out the server service dnsupdate from smb.conf and insert the records
> statically in bind9. So I have all my subnet uniformly in one place
> (dhcp+bind, forward+reverse) regardless if the computer or printer is
> in the domain or not.
I do something like this, but use dhcp to do it automatically, for
static IPs, I use samba-tool to add them. If you mean that you have
removed 'dnsupdate' from the 'server services' line, can I recommend
you put it back, you need it for the 'samba_dnsupdate' script.
> The share [homes] (on the domain member) will generate after a generic
> path=/path/to/homes a share like \\file-server\test and inside this
> is again a directory test.
> So to have the home directory content directly inside the homeDrive
> one has to declare the path=/path/to/homes/%S.
> With a combination of chmod g+s on a directory and "inherit
> permissions" in the smb.conf I can avoid a lot of the acl default
> hassle and administer the file system like in the old linux times,
> acl remaining a possibility.
> Given the developments it's pity that Ubuntu Xenial LTS won't upgrade
> to the last branch. If I move now my NT domain to 4.3 I'll stay so
> for the next 10 years - for fear to break something.
Don't be afraid of breaking things, that way you will miss a lot of the
changes that have already happened and the ones to come.
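The root cause above was a group ("Domain Users") with no gidNumber, which left winbind on the domain member unable to produce correct Unix IDs. The following is an added example, not code from the Samba project or from anyone in this thread: it parses the LDIF that `ldbsearch` (or `ldapsearch`) prints and reports the RFC2307 gaps that cause such false mappings, namely users without uidNumber/gidNumber, a user gidNumber that matches no group, and a primary group (primaryGroupID, matched against the group's objectSid RID) that has no gidNumber. The sample LDIF, the account names and the function names are constructed for the example; on a real DC you would feed it the output of something like `ldbsearch -H /usr/local/samba/private/sam.ldb '(|(objectclass=user)(objectclass=group))' sAMAccountName objectSid objectClass primaryGroupID uidNumber gidNumber`.

```python
"""Audit AD users/groups (LDIF from ldbsearch/ldapsearch) for the RFC2307
attributes winbind needs to map them to Unix IDs on a domain member.
Added example; the sample LDIF below is constructed, not real directory data."""
import base64

# Constructed sample: "Domain Users" (RID 513) deliberately lacks gidNumber,
# reproducing the failure described in the thread; user "test" has
# primaryGroupID 513 and carries an old NT-domain gidNumber of 5000.
SAMPLE_LDIF = """\
# record 1
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513

# record 2
dn: CN=fileadmins,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: fileadmins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
gidNumber: 10001

# record 3
dn: CN=test,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: test
primaryGroupID: 513
uidNumber: 9439
gidNumber: 5000

# record 4
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: rowland
primaryGroupID: 1105
uidNumber: 10000
gidNumber: 10001
"""

# Same data with the fix applied: Domain Users gets gidNumber 5000.
FIXED_LDIF = SAMPLE_LDIF.replace(
    "3333333333-513\n", "3333333333-513\ngidNumber: 5000\n", 1)


def parse_ldif(text):
    """Return a list of entries, each mapping lowercase attribute names to
    value lists. Handles '::' base64 values and folded continuation lines."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue                        # ldbsearch '# record N' comments
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]         # continuation of previous value
        else:
            unfolded.append(raw)
    entries, entry = [], {}
    for line in unfolded + [""]:
        if not line.strip():                # blank line ends a record
            if entry:
                entries.append(entry)
                entry = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entries


def first(entry, attr):
    vals = entry.get(attr.lower())
    return vals[0] if vals else None


def audit_idmap(ldif_text):
    """Return sorted (sAMAccountName, problem) pairs. Real dumps list several
    objectClass values per entry (top, person, user, ...); the membership
    test below copes with that."""
    entries = parse_ldif(ldif_text)
    classes = lambda e: {c.lower() for c in e.get("objectclass", [])}
    groups = [e for e in entries if "group" in classes(e)]
    users = [e for e in entries if "user" in classes(e)]
    findings, group_by_rid, group_gids = [], {}, set()
    for g in groups:
        name, sid, gid = (first(g, a) for a in ("sAMAccountName", "objectSid", "gidNumber"))
        if sid:
            group_by_rid[int(sid.rsplit("-", 1)[1])] = g   # RID = last SID component
        if gid is None:
            findings.append((name, "group has no gidNumber"))
        else:
            group_gids.add(int(gid))
    for u in users:
        name, uid, gid, rid = (first(u, a) for a in
                               ("sAMAccountName", "uidNumber", "gidNumber", "primaryGroupID"))
        if uid is None:
            findings.append((name, "user has no uidNumber"))
        if gid is None:
            findings.append((name, "user has no gidNumber"))
        elif int(gid) not in group_gids:
            findings.append((name, f"gidNumber {gid} matches no group's gidNumber"))
        pg = group_by_rid.get(int(rid)) if rid else None
        if pg is None:
            findings.append((name, f"primary group RID {rid} not found among groups"))
        elif first(pg, "gidNumber") is None:
            findings.append((name, f"primary group '{first(pg, 'sAMAccountName')}' has no gidNumber"))
    return sorted(findings)


if __name__ == "__main__":
    for account, problem in audit_idmap(SAMPLE_LDIF):
        print(f"{account}: {problem}")
```

Run against the constructed data it flags Domain Users and the test user; once Domain Users carries a gidNumber equal to the user's old GID (5000 here), the audit comes back clean, which matches the outcome reported above.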