[Samba] winbind rfc2307 - wbinfo -i fails

Rowland Penny rpenny at samba.org
Thu Dec 8 12:55:20 UTC 2016


On Thu, 8 Dec 2016 12:52:53 +0100
Oliver Heinz via samba <samba at lists.samba.org> wrote:

> 
> I'm trying to get Samba 4 AD to work with rfc2307 extensions.
> 
> wbinfo -i fails
> 
> root at m1:~# wbinfo -i SAMDOM\\demo01
> 
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> 
> 
> winbindd.log it here: http://pastebin.com/X0rEaLt2
> 
> Pretty much everything else seems to work:
> 
> root at m1:~# wbinfo --ping-dc
> 
> checking the NETLOGON for domain[SAMDOM] dc connection to
> "dc1.samdom.example.com" succeeded
> 
> root at m1:~# wbinfo --uid-to-sid=10000
> 
> S-1-5-21-2104162034-3764151921-3268498227-1108
> 
> root at m1:~# wbinfo --name-to-sid SAMDOM\\demo01
> 
> S-1-5-21-2104162034-3764151921-3268498227-1108 SID_USER (1)
> 
> 
> What did  I miss?
> 
> 
> My setup:
> 
> dc1.example.com as per 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> m1.example.com as per 
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> 
> Both with SerNet 4.5.2-9 Packages
> 
> 
> root at dc1:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>          netbios name = DC1
>          realm = SAMDOM.EXAMPLE.COM
>          workgroup = SAMDOM
>          dns forwarder = 192.168.8.10
>          server role = active directory domain controller
>          idmap_ldb:use rfc2307 = yes
> 
> [netlogon]
>          path = /var/lib/samba/sysvol/samdom.example.com/scripts
>          read only = No
> 
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> 
> root at m1:~# cat /etc/samba/smb.conf
> [global]
>         security = ADS
>         workgroup = SAMDOM
>         realm = SAMDOM.EXAMPLE.COM
>         log file = /var/log/samba/%m.log
>         log level = 1 winbind:10
> 
>         # idmap config used for your domain.
>         # Click on the following links for more information
>         # on the available winbind idmap backends,
>         # Choose the one that fits your requirements
>         # then add the corresponding configuration.
>         idmap config * : backend = tdb
>         idmap config * : range = 2000-9999
> 
>         # idmap config for the SAMDOM domain
>         idmap config SAMDOM:backend = ad
>         idmap config SAMDOM:schema_mode = rfc2307
>         idmap config SAMDOM:range = 10000-999999
>         winbind nss info = rfc2307
> 
> root at dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! samaccountname=demo01
> # record 1
> dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: demo01
> instanceType: 4
> whenCreated: 20161207153641.0Z
> uSNCreated: 3797
> name: demo01
> objectGUID: f636d153-a965-4251-a5ae-64ac05c89e5d
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: demo01
> sAMAccountType: 805306368
> userPrincipalName: demo01 at samdom.example.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> uidNumber: 10000
> loginShell: /bin/bash
> unixHomeDirectory: /home/demo01
> msSFU30NisDomain: samdom
> msSFU30Name: demo01
> unixUserPassword: ABCD!efgh12345$67890
> pwdLastSet: 131255986018743120
> userAccountControl: 512
> gidNumber: 10000
> uid: demo01
> whenChanged: 20161208113015.0Z
> uSNChanged: 3832
> distinguishedName: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
> 
> # Referral
> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
> 
> # Referral
> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> 
> # Referral
> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> 
> # returned 4 records
> # 1 entries
> # 3 referrals
> 
> root at dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! cn=demogroup
> # record 1
> dn: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: group
> cn: demogroup
> instanceType: 4
> whenCreated: 20161207161213.0Z
> uSNCreated: 3815
> name: demogroup
> objectGUID: 30ea6c61-63fc-44f7-87d9-0311abbac9ae
> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1110
> sAMAccountName: demogroup
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> msSFU30NisDomain: SAMDOM
> gidNumber: 10000
> whenChanged: 20161208104335.0Z
> uSNChanged: 3824
> distinguishedName: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
> 
> # Referral
> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
> 
> # Referral
> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> 
> # Referral
> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> 
> # returned 4 records
> # 1 entries
> # 3 referrals
> 
> 
> TIA,
> Oliver
> 
> 
> 


Have you given 'Domain Users' a gidNumber attribute containing a number
inside '10000-999999' ?

Rowland


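Rowland's question points at the condition that makes `wbinfo -i` fail even though the SID and uidNumber lookups succeed: with `idmap config SAMDOM:backend = ad` and `winbind nss info = rfc2307`, winbind builds the passwd entry from the user's uidNumber plus the gidNumber of the group named by primaryGroupID (513, 'Domain Users' here), and both numbers must fall inside `idmap config SAMDOM:range`. The following Python script is an added illustration of that check and is not part of this thread or of Samba. It parses the member-server smb.conf and the demo01 record quoted above (trimmed to the relevant attributes), and runs the check against two constructed 'Domain Users' records: one with no gidNumber, reproducing the failing state, and one with a constructed gidNumber of 10001 inside the range.

```python
import re
from dataclasses import dataclass

# Member-server smb.conf from the post, trimmed to the lines the check uses.
SMB_CONF = """
[global]
        security = ADS
        workgroup = SAMDOM
        realm = SAMDOM.EXAMPLE.COM
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config SAMDOM:backend = ad
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config SAMDOM:range = 10000-999999
        winbind nss info = rfc2307
"""

# demo01 record from the post, trimmed to the attributes the check needs.
USER_LDIF = """
dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
objectClass: user
primaryGroupID: 513
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
sAMAccountName: demo01
uidNumber: 10000
gidNumber: 10000
"""

# Constructed 'Domain Users' record (RID 513 under the domain SID from the
# post) with no gidNumber: the state Rowland asks about.
DOMAIN_USERS_MISSING = """
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-2104162034-3764151921-3268498227-513
sAMAccountName: Domain Users
"""

# Same record with a constructed gidNumber inside 10000-999999.
DOMAIN_USERS_FIXED = DOMAIN_USERS_MISSING + "gidNumber: 10001\n"

IDMAP_RANGE = re.compile(
    r"^\s*idmap config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = IDMAP_RANGE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_ldif(text):
    """Parse ldbsearch-style LDIF into a list of {attr: [values]} dicts.

    Attribute names are lowercased; a line starting with a single space is a
    continuation of the previous value (ldbsearch folds long values that way).
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def first(record, attr):
    values = record.get(attr.lower())
    return values[0] if values else None


def primary_group_sid(user):
    """Domain SID of the user's objectSid joined with its primaryGroupID RID."""
    domain_sid = first(user, "objectSid").rsplit("-", 1)[0]
    return f"{domain_sid}-{first(user, 'primaryGroupID')}"


@dataclass
class CheckResult:
    ok: bool
    reason: str


def check_user(user, groups, ranges, domain):
    """Apply the idmap_ad conditions getpwnam needs for this user."""
    low, high = ranges[domain.upper()]
    name = first(user, "sAMAccountName")
    uid = first(user, "uidNumber")
    if uid is None:
        return CheckResult(False, f"{name}: no uidNumber")
    if not low <= int(uid) <= high:
        return CheckResult(False, f"{name}: uidNumber {uid} outside {low}-{high}")
    pg_sid = primary_group_sid(user)
    group = next((g for g in groups if first(g, "objectSid") == pg_sid), None)
    if group is None:
        return CheckResult(False, f"{name}: primary group {pg_sid} not found")
    gname, gid = first(group, "sAMAccountName"), first(group, "gidNumber")
    if gid is None:
        return CheckResult(False, f"{name}: primary group '{gname}' has no gidNumber"
                                  f" (the user's own gidNumber is not what winbind uses here)")
    if not low <= int(gid) <= high:
        return CheckResult(False, f"{name}: '{gname}' gidNumber {gid} outside {low}-{high}")
    return CheckResult(True, f"{name}: uid {uid}, '{gname}' gid {gid}, both in {low}-{high}")


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    user = parse_ldif(USER_LDIF)[0]
    for label, ldif in (("missing", DOMAIN_USERS_MISSING), ("fixed", DOMAIN_USERS_FIXED)):
        print(label, check_user(user, parse_ldif(ldif), ranges, "SAMDOM"))
```

On a live system the two LDIF inputs come from `ldbsearch` (or `samba-tool group show 'Domain Users'`) as in the post; the script only replaces the eyeballing. Note that it deliberately ignores the gidNumber on the user object, because that is what the configuration quoted above does: the group resolved through primaryGroupID is the one that must carry a gidNumber in range.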
