[Samba] winbind rfc2307 - wbinfo -i fails

Oliver Heinz o.heinz at schunk.net
Thu Dec 8 13:44:16 UTC 2016



Am 08.12.2016 um 14:31 schrieb Oliver Heinz:
>
>
> Am 08.12.2016 um 13:55 schrieb Rowland Penny via samba:
>> On Thu, 8 Dec 2016 12:52:53 +0100
>> Oliver Heinz via samba <samba at lists.samba.org> wrote:
>>
>>> I'm trying to get Samba 4 AD to work with rfc2307 extensions.
>>>
>>> wbinfo -i fails
>>>
>>> root at m1:~# wbinfo -i SAMDOM\\demo01
>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>
>>> winbindd.log is here: http://pastebin.com/X0rEaLt2
>>>
>>> Pretty much everything else seems to work:
>>>
>>> root at m1:~# wbinfo --ping-dc
>>> checking the NETLOGON for domain[SAMDOM] dc connection to
>>> "dc1.samdom.example.com" succeeded
>>>
>>> root at m1:~# wbinfo --uid-to-sid=10000
>>> S-1-5-21-2104162034-3764151921-3268498227-1108
>>>
>>> root at m1:~# wbinfo --name-to-sid SAMDOM\\demo01
>>> S-1-5-21-2104162034-3764151921-3268498227-1108 SID_USER (1)
>>>
>>> What did I miss?
>>>
>>>
>>> My setup:
>>>
>>> dc1.example.com as per
>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller 
>>>
>>> m1.example.com as per
>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>>
>>> Both with SerNet 4.5.2-9 Packages
>>>
>>>
>>> root at dc1:~# cat /etc/samba/smb.conf
>>> # Global parameters
>>> [global]
>>>           netbios name = DC1
>>>           realm = SAMDOM.EXAMPLE.COM
>>>           workgroup = SAMDOM
>>>           dns forwarder = 192.168.8.10
>>>           server role = active directory domain controller
>>>           idmap_ldb:use rfc2307 = yes
>>>
>>> [netlogon]
>>>           path = /var/lib/samba/sysvol/samdom.example.com/scripts
>>>           read only = No
>>>
>>> [sysvol]
>>>           path = /var/lib/samba/sysvol
>>>           read only = No
>>>
>>> root at m1:~# cat /etc/samba/smb.conf
>>> [global]
>>>          security = ADS
>>>          workgroup = SAMDOM
>>>          realm = SAMDOM.EXAMPLE.COM
>>>          log file = /var/log/samba/%m.log
>>>          log level = 1 winbind:10
>>>
>>>          # idmap config used for your domain.
>>>          # Click on the following links for more information
>>>          # on the available winbind idmap backends,
>>>          # Choose the one that fits your requirements
>>>          # then add the corresponding configuration.
>>>          idmap config * : backend = tdb
>>>          idmap config * : range = 2000-9999
>>>
>>>          # idmap config for the SAMDOM domain
>>>          idmap config SAMDOM:backend = ad
>>>          idmap config SAMDOM:schema_mode = rfc2307
>>>          idmap config SAMDOM:range = 10000-999999
>>>          winbind nss info = rfc2307
>>>
>>> root at dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234!
>>> samaccountname=demo01
>>> # record 1
>>> dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: demo01
>>> instanceType: 4
>>> whenCreated: 20161207153641.0Z
>>> uSNCreated: 3797
>>> name: demo01
>>> objectGUID: f636d153-a965-4251-a5ae-64ac05c89e5d
>>> badPwdCount: 0
>>> codePage: 0
>>> countryCode: 0
>>> badPasswordTime: 0
>>> lastLogoff: 0
>>> lastLogon: 0
>>> primaryGroupID: 513
>>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
>>> accountExpires: 9223372036854775807
>>> logonCount: 0
>>> sAMAccountName: demo01
>>> sAMAccountType: 805306368
>>> userPrincipalName: demo01 at samdom.example.com
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>>> uidNumber: 10000
>>> loginShell: /bin/bash
>>> unixHomeDirectory: /home/demo01
>>> msSFU30NisDomain: samdom
>>> msSFU30Name: demo01
>>> unixUserPassword: ABCD!efgh12345$67890
>>> pwdLastSet: 131255986018743120
>>> userAccountControl: 512
>>> gidNumber: 10000
>>> uid: demo01
>>> whenChanged: 20161208113015.0Z
>>> uSNChanged: 3832
>>> distinguishedName: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
>>>
>>> # Referral
>>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
>>>
>>> # Referral
>>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> # Referral
>>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> # returned 4 records
>>> # 1 entries
>>> # 3 referrals
>>>
>>> root at dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234!
>>> cn=demogroup
>>> # record 1
>>> dn: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
>>> objectClass: top
>>> objectClass: group
>>> cn: demogroup
>>> instanceType: 4
>>> whenCreated: 20161207161213.0Z
>>> uSNCreated: 3815
>>> name: demogroup
>>> objectGUID: 30ea6c61-63fc-44f7-87d9-0311abbac9ae
>>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1110
>>> sAMAccountName: demogroup
>>> sAMAccountType: 268435456
>>> groupType: -2147483646
>>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>>> msSFU30NisDomain: SAMDOM
>>> gidNumber: 10000
>>> whenChanged: 20161208104335.0Z
>>> uSNChanged: 3824
>>> distinguishedName: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
>>>
>>> # Referral
>>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
>>>
>>> # Referral
>>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> # Referral
>>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> # returned 4 records
>>> # 1 entries
>>> # 3 referrals
>>>
>>>
>>> TIA,
>>> Oliver
>>>
>>>
>>>
>>
>> Have you given 'Domain Users' a gidNumber attribute containing a number
>> inside '10000-999999' ?
>>
>> Rowland
>>
>
>
> I did not touch the builtin domain groups. I thought it was sufficient 
> if the primary posix group of that user (demogroup) was within the 
> range. demogroup has a gidNumber of 10000.
> Do I still need to modify Domain Users in that case? Any other 
> domain groups that I need to modify?
>
> Oliver

So I gave Domain Users 99999 and voilà:

root at m1:~# wbinfo -i SAMDOM\\demo01
SAMDOM\demo01:*:10000:99999:demo01:/home/demo01:/bin/bash

Seems samba always uses the primaryGroupID, which for demo01 is set to 
'Domain Users'. I'm just wondering a bit then why there is a gidNumber as 
a user attribute, as it is not used in the posix context.

Thanks for your help,
Oliver
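The behaviour Oliver observed (winbind's ad backend takes the user's primary GID from the group whose RID equals primaryGroupID, here 513 = Domain Users, and fails the whole lookup when that group has no gidNumber inside the domain's idmap range) can be checked before rolling out a member server. The script below is an added example, not code from the thread or from Samba. It parses LDIF of the shape ldbsearch prints and applies the rule to it. The user and demogroup records are constructed from the values quoted above; the Domain Users entry (its DN and sAMAccountName) and the `set_gidnumber` / `check` helper names are assumptions of this example, not attributes or tools from the thread.

```python
"""Pre-flight check for 'idmap config DOM:backend = ad' with schema_mode =
rfc2307: can winbind build a passwd entry for this user?

Example code, not from Samba or the thread's author. LDIF below is
constructed from the values quoted in the thread; the Domain Users record
is an assumed shape for the built-in group with RID 513."""

IDMAP_RANGE = (10000, 999999)            # idmap config SAMDOM:range
DEFAULT_RANGE = (2000, 9999)             # idmap config * : range
DOMAIN_SID = "S-1-5-21-2104162034-3764151921-3268498227"
WORKGROUP = "SAMDOM"

USER_LDIF = """\
dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
sAMAccountName: demo01
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
primaryGroupID: 513
uidNumber: 10000
gidNumber: 10000
loginShell: /bin/bash
unixHomeDirectory: /home/demo01
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
 om
"""

# demogroup as quoted in the thread; Domain Users (RID 513) as in the
# original failing setup, i.e. without any gidNumber. (Constructed data.)
GROUPS_LDIF = """\
dn: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
sAMAccountName: demogroup
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1110
gidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Users
objectSid: S-1-5-21-2104162034-3764151921-3268498227-513
"""


def parse_ldif(text):
    """Parse plain LDIF (no base64 values) into a list of dicts mapping
    attribute -> list of values. A line starting with a space continues
    the previous value, as in the folded objectCategory above."""
    entries, cur, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():                    # blank line ends a record
            if cur:
                entries.append(cur)
            cur, last_key = {}, None
            continue
        if line.startswith("#"):                # ldbsearch comments
            continue
        if line.startswith(" ") and last_key:   # folded continuation
            cur[last_key][-1] += line[1:]
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        cur.setdefault(last_key, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def in_range(n, rng):
    return rng[0] <= n <= rng[1]


def ranges_overlap(a, b):
    """The '*' range and each domain range must not overlap."""
    return a[0] <= b[1] and b[0] <= a[1]


def resolve_passwd(user, groups, rng=IDMAP_RANGE):
    """Return the passwd line winbind would hand out, or raise LookupError
    naming the attribute that blocks the lookup. The user's own gidNumber
    is deliberately ignored: the primary group is primaryGroupID's group."""
    name = user["sAMAccountName"][0]
    uid = int(user["uidNumber"][0])
    if not in_range(uid, rng):
        raise LookupError(f"uidNumber {uid} outside range {rng}")
    primary_sid = f"{DOMAIN_SID}-{user['primaryGroupID'][0]}"
    group = next((g for g in groups if g["objectSid"][0] == primary_sid), None)
    if group is None:
        raise LookupError(f"no group with SID {primary_sid}")
    if "gidNumber" not in group:
        raise LookupError(f"{group['sAMAccountName'][0]} has no gidNumber")
    gid = int(group["gidNumber"][0])
    if not in_range(gid, rng):
        raise LookupError(f"gidNumber {gid} outside range {rng}")
    # Thread output shows the account name in the gecos field.
    return (f"{WORKGROUP}\\{name}:*:{uid}:{gid}:{name}:"
            f"{user['unixHomeDirectory'][0]}:{user['loginShell'][0]}")


def set_gidnumber(groups, account_name, gid):
    """Apply the fix from the thread: give a group a gidNumber."""
    for g in groups:
        if g["sAMAccountName"][0] == account_name:
            g["gidNumber"] = [str(gid)]
            return g
    raise KeyError(account_name)


def check(user, groups):
    try:
        return resolve_passwd(user, groups)
    except LookupError as e:
        return f"FAIL: {e}"


def demo():
    """Before and after giving Domain Users gidNumber 99999."""
    user, groups = parse_ldif(USER_LDIF)[0], parse_ldif(GROUPS_LDIF)
    before = check(user, groups)
    set_gidnumber(groups, "Domain Users", 99999)
    return before, check(user, groups)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it and the first line reports that Domain Users has no gidNumber, while the second reproduces the passwd entry from the thread; demogroup's gidNumber never enters the calculation, which is exactly why giving only demogroup a gidNumber in range was not enough.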
