[Samba] SOLVED: WINBIND: UID and GID false mappings on domain member

Rowland Penny rpenny at samba.org
Wed Aug 17 12:33:44 UTC 2016

On Wed, 17 Aug 2016 04:54:41 -0700 (PDT)
rawi via samba <samba at lists.samba.org> wrote:

> I bump this only to say SOLVED and many thanks to Rowland.
> Lessons learned:
> 1.
> Indeed, my problems were related to not having a gidNumber for
> "Domain Users".
> After adding it I got real wbinfo --user-info on the domain member
> (file server).
> My test user could log in to his old home from the NT domain,
> preserving the old UID and GID.
> 2. (question = why?)
> And login.bat was called at login time _only_ after moving the
> [netlogon] share from the domain member to the ad-dc.
> Why on earth it could not be called from the file server remains a
> mystery to me.
> The LDAP field scriptPath was configured:
> \\member_server\netlogon\login.bat.
> 3.
> To bind the homeDrive I had to put a colon (:) after the drive letter.
> 4. (question = how changing/correct surname, givenName?)
> wbinfo output is slightly different on ad-dc and domain member with
> regard to the Geckos

I think you mean 'gecos', a Gecko is a type of lizard ;-)

> On the ad-dc:
> HUMGEN\test:*:9439:5000: WT. Test --given-name=Want To:/home/HUMGEN/test:/bin/false
> The Geckos on ad-dc are composed from initials + surname + givenName.
> On the domain member (real Geckos field or maybe description):
> test:*:9439:5000:Want to Test://hg004.humgen.0zone/test/linhome:/bin/bash
> The Geckos from the ad-dc will be sent as FullName to a joined
> Windows 8.1 computer.

This is a known problem: winbindd on the DC only extracts the uidNumber &
gidNumber attributes. I just wish somebody would fix this.

> The fields (I gave them to samba-tool by creating the test user)
> surname and givenName are not visible in the output of ldbsearch.
> So, how would one modify the surname after a woman marries and
> changes it?

You should get virtually all of a user's attributes; there are a few
exceptions, e.g. the user's unicode password.

root@dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(&(objectclass=user)(samaccountname=rowland))'
# record 1
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
cn: Rowland Penny
sn: Penny
givenName: Rowland
instanceType: 4
whenCreated: 20151109093821.0Z
displayName: Rowland Penny
uSNCreated: 3871
name: Rowland Penny
objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
logonCount: 0
sAMAccountName: rowland
sAMAccountType: 805306368
userPrincipalName: rowland@samdom.example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
pwdLastSet: 130915355010000000
unixUserPassword: ABCD!efgh12345$67890
uid: rowland
msSFU30Name: rowland
msSFU30NisDomain: samdom
uidNumber: 10000
unixHomeDirectory: /home/rowland
loginShell: /bin/bash
userAccountControl: 66048
accountExpires: 0
gidNumber: 10000
objectClass: top
objectClass: securityPrincipal
objectClass: person
objectClass: organizationalPerson
objectClass: user
gecos: Rowland Penny
memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
homeDrive: H:
homeDirectory: \\DC2\home\rowland
whenChanged: 20160813074443.0Z
uSNChanged: 283069
lastLogonTimestamp: 131155478831131360
lastLogon: 131158939536858180
distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com

> 5. (bug?)
> Adding "hosts allow =" on the ad-dc breaks everything.
> wbinfo will give no output on the ad-dc and an error on the domain
> member.

If you can duplicate this at will, then it does sound like a bug. 

> 6.
> After spying what dnsupdate does (rndc dumpdb -zones) I could take
> out the server service dnsupdate from smb.conf and insert the records
> statically in bind9. So I have all my subnet uniformly in one place
> (dhcp+bind, forward+reverse) regardless if the computer or printer is
> in the domain or not.

I do something like this, but use dhcp to do it automatically; for
static IPs, I use samba-tool to add them. If you mean that you have
removed 'dnsupdate' from the 'server services' line, can I recommend
you put it back, you need it for the 'samba_dnsupdate' script.

> 7.
> With a generic path=/path/to/homes, the share [homes] (on the domain
> member) generates a share like \\file-server\test, and inside this
> is again a directory test.
> So to have the home directory content directly inside the homeDrive
> one has to declare path=/path/to/homes/%S.
> 8.
> With a combination of chmod g+s on a directory and "inherit
> permissions" in the smb.conf I can avoid a lot of the acl default
> hassle and administer the file system like in the old linux times,
> with acl remaining a possibility.
> 9.
> Given the developments it's a pity that Ubuntu Xenial LTS won't upgrade
> to the last branch. If I move now my NT domain to 4.3 I'll stay so
> for the next 10 years - for fear to break something.

Don't be afraid of breaking things, that way you will miss a lot of the
changes that have already happened and the ones to come.
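Lesson 1 above is the classic idmap_ad failure: winbind on the member server resolves a user's primary group through primaryGroupID, so the group behind that RID (Domain Users, RID 513, for most accounts) must carry a gidNumber, or the user gets no mapping at all even when the user object itself has uidNumber and gidNumber. The script below is an added example, not part of the thread and not a Samba tool: it reads an LDIF dump of users and groups (the `ldbsearch` invocation in the header is the assumed way to produce one; the sam.ldb path is the one used in the reply above) and reports every group without a gidNumber, every user without a uidNumber, and every user whose primary group cannot be mapped. The sample LDIF it ships with is constructed for the demo.

```shell
#!/bin/sh
# audit_rfc2307.sh (added example, not from the thread): report AD users and
# groups whose missing RFC2307 attributes leave winbind on a domain member
# (idmap backend = ad) unable to map them, the situation behind lesson 1.
# Feed it an LDIF dump, e.g. (assumed invocation):
#   ldbsearch -H /usr/local/samba/private/sam.ldb \
#     '(|(objectClass=user)(objectClass=group))' \
#     objectClass sAMAccountName objectSid primaryGroupID uidNumber gidNumber \
#     > dump.ldif && sh audit_rfc2307.sh dump.ldif

# audit_ldif: read LDIF on stdin, print one line per problem found.
audit_ldif() {
  awk '
    # Called at each record boundary: file the record just read under groups
    # or (non-computer) users, then reset the per-record state.
    function flush() {
      if (dn == "") return
      if (isgroup) {
        grp[++ngroups] = sam; grp_gid[sam] = has_gid; rid2name[rid] = sam
      } else if (isuser && !iscomputer) {
        usr[++nusers] = sam; usr_uid[sam] = has_uid; usr_pg[sam] = pgid
      }
      dn = sam = rid = pgid = ""
      isuser = isgroup = iscomputer = has_uid = has_gid = 0
    }
    /^dn: /                   { flush(); dn = $0 }
    /^sAMAccountName: /       { sam = $0; sub(/^sAMAccountName: /, "", sam) }
    /^objectClass: user$/     { isuser = 1 }
    /^objectClass: group$/    { isgroup = 1 }
    /^objectClass: computer$/ { iscomputer = 1 }   # machine accounts are users too; skip them
    /^objectSid: /            { rid = $2; sub(/.*-/, "", rid) }   # RID = last SID component
    /^primaryGroupID: /       { pgid = $2 }
    /^uidNumber: /            { has_uid = 1 }
    /^gidNumber: /            { has_gid = 1 }
    /^$/                      { flush() }
    END {
      flush()
      for (i = 1; i <= ngroups; i++)
        if (!grp_gid[grp[i]])
          print "group \"" grp[i] "\": missing gidNumber"
      for (i = 1; i <= nusers; i++) {
        u = usr[i]
        if (!usr_uid[u]) { print "user \"" u "\": missing uidNumber"; continue }
        pg = usr_pg[u]
        if (pg == "") continue
        if (!(pg in rid2name))
          print "user \"" u "\": primary group RID " pg " is not in the dump"
        else if (!grp_gid[rid2name[pg]])
          print "user \"" u "\": primary group RID " pg " (" rid2name[pg] ") has no gidNumber; winbind will not map this user"
      }
    }
  '
}

# sample_ldif: constructed LDIF in the shape ldbsearch prints. The domain name
# matches the reply above, but every record here is made up for the demo.
sample_ldif() {
  cat <<'EOF'
# record 1
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1768301897-3342589593-1064908849-513

# record 2
dn: CN=unixgrp,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: group
sAMAccountName: unixgrp
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1108
gidNumber: 10001

# record 3
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: rowland
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
primaryGroupID: 513
uidNumber: 10000
gidNumber: 10000

# record 4
dn: CN=rawi,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: rawi
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1109
primaryGroupID: 513

# record 5
dn: CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: user
objectClass: computer
sAMAccountName: DC1$
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1000
primaryGroupID: 516

# returned 5 records
EOF
}

case "${1:-}" in
  --demo) sample_ldif | audit_ldif ;;   # run against the constructed sample
  "")     : ;;                          # no args: only define the functions
  *)      audit_ldif < "$1" ;;          # audit a real ldbsearch dump
esac
```

Run `sh audit_rfc2307.sh --demo` to see the constructed case: "Domain Users" is flagged for its missing gidNumber, and "rowland" is flagged because his primary group is that very group, which is exactly why the user gets no uid/gid on the member until the group attribute is added. Once the dump is clean, `wbinfo --user-info <user>` and `getent passwd <user>` on the member should agree with the DC.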
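Lessons 7 and 8 above describe a [homes] share that exposes the whole home tree and the setgid plus "inherit permissions" trick that avoids per-file ACL fiddling. The smb.conf fragment below is an added example for the domain member, not rawi's configuration; the /srv/homes path is an assumption, and it keeps the two forms side by side so the difference is visible.

```ini
# Added example smb.conf fragment for the domain member (not from the thread).
# /srv/homes is an assumed path.

# Form from lesson 7: with a fixed path, every user who connects to
# \\file-server\<user> lands in /srv/homes itself and sees a <user>
# subdirectory (and everyone else's) instead of their own files.
;[homes]
;   path = /srv/homes
;   read only = no

# Corrected form: %S expands to the requested service name, which for
# [homes] is the connecting user's name, so \\file-server\test maps to
# /srv/homes/test directly.
[homes]
   path = /srv/homes/%S
   valid users = %S
   browseable = no
   read only = no
   # Lesson 8: new files and directories take their mode bits, including a
   # setgid bit on the parent, from the parent directory rather than from
   # create mask / directory mask, so a chmod g+s on the home directory
   # keeps group ownership consistent without default ACLs.
   inherit permissions = yes
```

Prepare each home directory once on the file server with something like `chown test:unixgroup /srv/homes/test && chmod 2750 /srv/homes/test` (group name assumed); after that, files created through the share inherit the group and setgid bit from the directory, and POSIX ACLs remain available for the cases where plain mode bits are not enough.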


