[Samba] winbind rfc2307 - wbinfo -i fails

Rowland Penny rpenny at samba.org
Thu Dec 8 13:46:40 UTC 2016


On Thu, 8 Dec 2016 14:31:40 +0100
Oliver Heinz via samba <samba at lists.samba.org> wrote:

> 
> 
> Am 08.12.2016 um 13:55 schrieb Rowland Penny via samba:
> > On Thu, 8 Dec 2016 12:52:53 +0100
> > Oliver Heinz via samba <samba at lists.samba.org> wrote:
> >
> >> I'm trying to get Samba 4 AD to work with rfc2307 extensions.
> >>
> >> wbinfo -i fails
> >>
> >> root at m1:~# wbinfo -i SAMDOM\\demo01
> >> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> >>
> >> winbindd.log is here: http://pastebin.com/X0rEaLt2
> >>
> >> Pretty much everything else seems to work:
> >>
> >> root at m1:~# wbinfo --ping-dc
> >> checking the NETLOGON for domain[SAMDOM] dc connection to
> >> "dc1.samdom.example.com" succeeded
> >>
> >> root at m1:~# wbinfo --uid-to-sid=10000
> >> S-1-5-21-2104162034-3764151921-3268498227-1108
> >>
> >> root at m1:~# wbinfo --name-to-sid SAMDOM\\demo01
> >> S-1-5-21-2104162034-3764151921-3268498227-1108 SID_USER (1)
> >>
> >> What did I miss?
> >>
> >> My setup:
> >>
> >> dc1.example.com as per
> >> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> >> m1.example.com as per
> >> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> >>
> >> Both with SerNet 4.5.2-9 Packages
> >>
> >> root at dc1:~# cat /etc/samba/smb.conf
> >> # Global parameters
> >> [global]
> >>           netbios name = DC1
> >>           realm = SAMDOM.EXAMPLE.COM
> >>           workgroup = SAMDOM
> >>           dns forwarder = 192.168.8.10
> >>           server role = active directory domain controller
> >>           idmap_ldb:use rfc2307 = yes
> >>
> >> [netlogon]
> >>           path = /var/lib/samba/sysvol/samdom.example.com/scripts
> >>           read only = No
> >>
> >> [sysvol]
> >>           path = /var/lib/samba/sysvol
> >>           read only = No
> >>
> >> root at m1:~# cat /etc/samba/smb.conf
> >> [global]
> >>          security = ADS
> >>          workgroup = SAMDOM
> >>          realm = SAMDOM.EXAMPLE.COM
> >>          log file = /var/log/samba/%m.log
> >>          log level = 1 winbind:10
> >>
> >>          # idmap config used for your domain.
> >>          # Click on the following links for more information
> >>          # on the available winbind idmap backends,
> >>          # Choose the one that fits your requirements
> >>          # then add the corresponding configuration.
> >>          idmap config * : backend = tdb
> >>          idmap config * : range = 2000-9999
> >>
> >>          # idmap config for the SAMDOM domain
> >>          idmap config SAMDOM:backend = ad
> >>          idmap config SAMDOM:schema_mode = rfc2307
> >>          idmap config SAMDOM:range = 10000-999999
> >>          winbind nss info = rfc2307
> >>
> >> root at dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! samaccountname=demo01
> >> # record 1
> >> dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
> >> objectClass: top
> >> objectClass: person
> >> objectClass: organizationalPerson
> >> objectClass: user
> >> cn: demo01
> >> instanceType: 4
> >> whenCreated: 20161207153641.0Z
> >> uSNCreated: 3797
> >> name: demo01
> >> objectGUID: f636d153-a965-4251-a5ae-64ac05c89e5d
> >> badPwdCount: 0
> >> codePage: 0
> >> countryCode: 0
> >> badPasswordTime: 0
> >> lastLogoff: 0
> >> lastLogon: 0
> >> primaryGroupID: 513
> >> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
> >> accountExpires: 9223372036854775807
> >> logonCount: 0
> >> sAMAccountName: demo01
> >> sAMAccountType: 805306368
> >> userPrincipalName: demo01 at samdom.example.com
> >> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> >> uidNumber: 10000
> >> loginShell: /bin/bash
> >> unixHomeDirectory: /home/demo01
> >> msSFU30NisDomain: samdom
> >> msSFU30Name: demo01
> >> unixUserPassword: ABCD!efgh12345$67890
> >> pwdLastSet: 131255986018743120
> >> userAccountControl: 512
> >> gidNumber: 10000
> >> uid: demo01
> >> whenChanged: 20161208113015.0Z
> >> uSNChanged: 3832
> >> distinguishedName: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
> >>
> >> # Referral
> >> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
> >>
> >> # Referral
> >> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> >>
> >> # Referral
> >> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> >>
> >> # returned 4 records
> >> # 1 entries
> >> # 3 referrals
> >>
> >> root at dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! cn=demogroup
> >> # record 1
> >> dn: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
> >> objectClass: top
> >> objectClass: group
> >> cn: demogroup
> >> instanceType: 4
> >> whenCreated: 20161207161213.0Z
> >> uSNCreated: 3815
> >> name: demogroup
> >> objectGUID: 30ea6c61-63fc-44f7-87d9-0311abbac9ae
> >> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1110
> >> sAMAccountName: demogroup
> >> sAMAccountType: 268435456
> >> groupType: -2147483646
> >> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> >> msSFU30NisDomain: SAMDOM
> >> gidNumber: 10000
> >> whenChanged: 20161208104335.0Z
> >> uSNChanged: 3824
> >> distinguishedName: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
> >>
> >> # Referral
> >> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
> >>
> >> # Referral
> >> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> >>
> >> # Referral
> >> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> >>
> >> # returned 4 records
> >> # 1 entries
> >> # 3 referrals
> >>
> >> TIA,
> >> Oliver
> >>
> >
> > Have you given 'Domain Users' a gidNumber attribute containing a
> > number inside '10000-999999' ?
> >
> > Rowland
> >
> 
> 
> I did not touch the builtin domain groups. I thought it was
> sufficient if the the primary posix group of that user (demogroup)
> was within the range. demogroup has a gidNumber of 10000.

Sorry, but it isn't enough ;-)
> Do I need still to modify the domain users in that case?

Most definitely yes, every AD user's primary group is 'Domain Users' and
winbind will not show any users unless this is given a gidNumber.

> Any other 
> domain groups that I need to modify?

Probably 'Domain Admins'

Rowland
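The check Rowland is asking for, as an added example that is not part of the thread: given the `idmap config SAMDOM:range` from a member's smb.conf and ldbsearch-style records, report every user whose uidNumber, or whose primary group's gidNumber (found via the domain SID plus primaryGroupID, RID 513 for 'Domain Users'), is missing or outside the range. The LDIF below is constructed from the thread's records; the 'Domain Users' entry without a gidNumber is an assumed illustration of the situation described.

```python
import re

# Constructed sample: the idmap lines from m1's smb.conf and trimmed
# ldbsearch records modelled on the thread (Domain Users lacking gidNumber).
SMB_CONF = """
idmap config * : range = 2000-9999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999
"""

LDIF = """
dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
objectClass: user
primaryGroupID: 513
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
sAMAccountName: demo01
uidNumber: 10000
gidNumber: 10000

dn: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1110
sAMAccountName: demogroup
gidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-2104162034-3764151921-3268498227-513
sAMAccountName: Domain Users
"""

def idmap_range(conf, domain):
    """Return (low, high) of 'idmap config <domain>:range' from smb.conf text."""
    m = re.search(r"idmap config %s\s*:\s*range\s*=\s*(\d+)-(\d+)" % re.escape(domain), conf)
    return int(m.group(1)), int(m.group(2))

def parse_ldif(text):
    """Split LDIF-style output into records: dicts of attribute -> list of values."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            k, _, v = line.partition(": ")
            rec.setdefault(k, []).append(v)
        records.append(rec)
    return records

def check_primary_groups(conf, ldif, domain):
    """List users whose uidNumber or primary group gidNumber is absent or out of range."""
    lo, hi = idmap_range(conf, domain)
    recs = parse_ldif(ldif)
    by_sid = {r["objectSid"][0]: r for r in recs if "objectSid" in r}
    problems = []
    for r in (r for r in recs if "user" in r.get("objectClass", [])):
        name, uid = r["sAMAccountName"][0], r.get("uidNumber")
        if not uid or not lo <= int(uid[0]) <= hi:
            problems.append("%s: uidNumber missing or outside %d-%d" % (name, lo, hi))
        # Primary group SID = domain SID + primaryGroupID (513 = Domain Users)
        dom_sid = r["objectSid"][0].rsplit("-", 1)[0]
        grp = by_sid.get("%s-%s" % (dom_sid, r["primaryGroupID"][0]))
        gid = grp.get("gidNumber") if grp else None
        if not gid or not lo <= int(gid[0]) <= hi:
            gname = grp["sAMAccountName"][0] if grp else "RID " + r["primaryGroupID"][0]
            problems.append("%s: primary group '%s' has no gidNumber inside %d-%d" % (name, gname, lo, hi))
    return problems

if __name__ == "__main__":
    for p in check_primary_groups(SMB_CONF, LDIF, "SAMDOM"):
        print(p)
```

On real data, feed it the output of ldbsearch over the users and groups and the member server's smb.conf; a user listed here is one winbind cannot map.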