[Samba] winbind rfc2307 - wbinfo -i fails

Oliver Heinz o.heinz at schunk.net
Thu Dec 8 13:31:40 UTC 2016



On 08.12.2016 at 13:55, Rowland Penny via samba wrote:
> On Thu, 8 Dec 2016 12:52:53 +0100
> Oliver Heinz via samba <samba at lists.samba.org> wrote:
>
>> I'm trying to get Samba 4 AD to work with rfc2307 extensions.
>>
>> wbinfo -i fails
>>
>> root@m1:~# wbinfo -i SAMDOM\\demo01
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>
>> winbindd.log is here: http://pastebin.com/X0rEaLt2
>>
>> Pretty much everything else seems to work:
>>
>> root@m1:~# wbinfo --ping-dc
>> checking the NETLOGON for domain[SAMDOM] dc connection to
>> "dc1.samdom.example.com" succeeded
>>
>> root@m1:~# wbinfo --uid-to-sid=10000
>> S-1-5-21-2104162034-3764151921-3268498227-1108
>>
>> root@m1:~# wbinfo --name-to-sid SAMDOM\\demo01
>> S-1-5-21-2104162034-3764151921-3268498227-1108 SID_USER (1)
>>
>> What did I miss?
>>
>> My setup:
>>
>> dc1.example.com as per
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>> m1.example.com as per
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>
>> Both with SerNet 4.5.2-9 packages
>>
>> root@dc1:~# cat /etc/samba/smb.conf
>> # Global parameters
>> [global]
>>          netbios name = DC1
>>          realm = SAMDOM.EXAMPLE.COM
>>          workgroup = SAMDOM
>>          dns forwarder = 192.168.8.10
>>          server role = active directory domain controller
>>          idmap_ldb:use rfc2307 = yes
>>
>> [netlogon]
>>          path = /var/lib/samba/sysvol/samdom.example.com/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = No
>>
>> root@m1:~# cat /etc/samba/smb.conf
>> [global]
>>          security = ADS
>>          workgroup = SAMDOM
>>          realm = SAMDOM.EXAMPLE.COM
>>          log file = /var/log/samba/%m.log
>>          log level = 1 winbind:10
>>
>>          # idmap config used for your domain.
>>          # Click on the following links for more information
>>          # on the available winbind idmap backends,
>>          # Choose the one that fits your requirements
>>          # then add the corresponding configuration.
>>          idmap config * : backend = tdb
>>          idmap config * : range = 2000-9999
>>
>>          # idmap config for the SAMDOM domain
>>          idmap config SAMDOM:backend = ad
>>          idmap config SAMDOM:schema_mode = rfc2307
>>          idmap config SAMDOM:range = 10000-999999
>>          winbind nss info = rfc2307
>>
>> root@dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! samaccountname=demo01
>> # record 1
>> dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: demo01
>> instanceType: 4
>> whenCreated: 20161207153641.0Z
>> uSNCreated: 3797
>> name: demo01
>> objectGUID: f636d153-a965-4251-a5ae-64ac05c89e5d
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> primaryGroupID: 513
>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
>> accountExpires: 9223372036854775807
>> logonCount: 0
>> sAMAccountName: demo01
>> sAMAccountType: 805306368
>> userPrincipalName: demo01@samdom.example.com
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>> uidNumber: 10000
>> loginShell: /bin/bash
>> unixHomeDirectory: /home/demo01
>> msSFU30NisDomain: samdom
>> msSFU30Name: demo01
>> unixUserPassword: ABCD!efgh12345$67890
>> pwdLastSet: 131255986018743120
>> userAccountControl: 512
>> gidNumber: 10000
>> uid: demo01
>> whenChanged: 20161208113015.0Z
>> uSNChanged: 3832
>> distinguishedName: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> # returned 4 records
>> # 1 entries
>> # 3 referrals
>>
>> root@dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! cn=demogroup
>> # record 1
>> dn: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: group
>> cn: demogroup
>> instanceType: 4
>> whenCreated: 20161207161213.0Z
>> uSNCreated: 3815
>> name: demogroup
>> objectGUID: 30ea6c61-63fc-44f7-87d9-0311abbac9ae
>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1110
>> sAMAccountName: demogroup
>> sAMAccountType: 268435456
>> groupType: -2147483646
>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>> msSFU30NisDomain: SAMDOM
>> gidNumber: 10000
>> whenChanged: 20161208104335.0Z
>> uSNChanged: 3824
>> distinguishedName: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> # returned 4 records
>> # 1 entries
>> # 3 referrals
>>
>> TIA,
>> Oliver
>>
>
> Have you given 'Domain Users' a gidNumber attribute containing a number
> inside '10000-999999' ?
>
> Rowland
>


I did not touch the builtin domain groups. I thought it was sufficient 
if the primary posix group of that user (demogroup) was within the 
range. demogroup has a gidNumber of 10000.
Do I still need to modify the domain users in that case? Any other 
domain groups that I need to modify?

Oliver
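The check implied by Rowland's question, as an added example that is not part of the thread: with the ad idmap backend the group that matters is the user's primary group, the one behind primaryGroupID (RID 513, Domain Users), not the group that happens to own the same gidNumber (demogroup), and that primary group must carry a gidNumber inside the configured SAMDOM range. The LDIF records are reconstructed from the thread's ldbsearch output with attributes trimmed; the Domain Users record is assumed, since the thread does not show it.

```python
# Constructed sample modelled on the thread's records (same domain SID and RIDs,
# attributes trimmed); the "Domain Users" record is assumed, the thread omits it.
LDIF = """dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
sAMAccountName: demo01
primaryGroupID: 513
uidNumber: 10000
gidNumber: 10000

dn: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1110
sAMAccountName: demogroup
gidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectSid: S-1-5-21-2104162034-3764151921-3268498227-513
sAMAccountName: Domain Users
"""
IDMAP_RANGE = (10000, 999999)  # idmap config SAMDOM:range from the thread

def parse_ldif(text):
    """Minimal LDIF parser: records separated by blank lines, one value per line."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            rec.setdefault(key, []).append(val)
        records.append(rec)
    return records

def check_user(sam, records, id_range=IDMAP_RANGE):
    """List what would stop the ad idmap backend resolving the user; [] if OK."""
    low, high = id_range
    in_range = lambda rec, attr: low <= int(rec[attr][0]) <= high
    by_sid = {r["objectSid"][0]: r for r in records}
    user = next(r for r in records if r["sAMAccountName"] == [sam])
    problems = [f"{sam}: {a} missing or outside {low}-{high}"
                for a in ("uidNumber", "gidNumber")
                if a not in user or not in_range(user, a)]
    # The primary group is <domain SID>-<primaryGroupID> (RID 513 = Domain
    # Users), which need not be the group that owns the user's gidNumber.
    pg_sid = user["objectSid"][0].rsplit("-", 1)[0] + "-" + user["primaryGroupID"][0]
    pg = by_sid.get(pg_sid)
    if pg is None:
        problems.append(f"primary group {pg_sid} not found")
    elif "gidNumber" not in pg or not in_range(pg, "gidNumber"):
        problems.append(f"primary group {pg['sAMAccountName'][0]}: "
                        f"gidNumber missing or outside {low}-{high}")
    return problems
```

Against real data, feed the output of the two ldbsearch commands above (plus one for "Domain Users") into parse_ldif; an empty result means the rfc2307 attributes are consistent with the idmap range.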