[Samba] winbind rfc2307 - wbinfo -i fails

Rowland Penny rpenny at samba.org
Thu Dec 8 13:48:03 UTC 2016


On Thu, 8 Dec 2016 14:44:16 +0100
Oliver Heinz via samba <samba at lists.samba.org> wrote:

> 
> 
> On 08.12.2016 at 14:31 Oliver Heinz wrote:
> >
> >
> > On 08.12.2016 at 13:55 Rowland Penny via samba wrote:
> >> On Thu, 8 Dec 2016 12:52:53 +0100
> >> Oliver Heinz via samba <samba at lists.samba.org> wrote:
> >>
> >>> I'm trying to get Samba 4 AD to work with rfc2307 extensions.
> >>>
> >>> wbinfo -i fails
> >>>
> >>> root at m1:~# wbinfo -i SAMDOM\\demo01
> >>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> >>>
> >>> winbindd.log is here: http://pastebin.com/X0rEaLt2
> >>>
> >>> Pretty much everything else seems to work:
> >>>
> >>> root at m1:~# wbinfo --ping-dc
> >>> checking the NETLOGON for domain[SAMDOM] dc connection to
> >>> "dc1.samdom.example.com" succeeded
> >>>
> >>> root at m1:~# wbinfo --uid-to-sid=10000
> >>> S-1-5-21-2104162034-3764151921-3268498227-1108
> >>>
> >>> root at m1:~# wbinfo --name-to-sid SAMDOM\\demo01
> >>> S-1-5-21-2104162034-3764151921-3268498227-1108 SID_USER (1)
> >>>
> >>>
> >>> What did I miss?
> >>>
> >>>
> >>> My setup:
> >>>
> >>> dc1.example.com as per
> >>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller 
> >>>
> >>> m1.example.com as per
> >>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> >>>
> >>> Both with SerNet 4.5.2-9 Packages
> >>>
> >>>
> >>> root at dc1:~# cat /etc/samba/smb.conf
> >>> # Global parameters
> >>> [global]
> >>>           netbios name = DC1
> >>>           realm = SAMDOM.EXAMPLE.COM
> >>>           workgroup = SAMDOM
> >>>           dns forwarder = 192.168.8.10
> >>>           server role = active directory domain controller
> >>>           idmap_ldb:use rfc2307 = yes
> >>>
> >>> [netlogon]
> >>>           path = /var/lib/samba/sysvol/samdom.example.com/scripts
> >>>           read only = No
> >>>
> >>> [sysvol]
> >>>           path = /var/lib/samba/sysvol
> >>>           read only = No
> >>>
> >>> root at m1:~# cat /etc/samba/smb.conf
> >>> [global]
> >>>          security = ADS
> >>>          workgroup = SAMDOM
> >>>          realm = SAMDOM.EXAMPLE.COM
> >>>          log file = /var/log/samba/%m.log
> >>>          log level = 1 winbind:10
> >>>
> >>>          # idmap config used for your domain.
> >>>          # Click on the following links for more information
> >>>          # on the available winbind idmap backends,
> >>>          # Choose the one that fits your requirements
> >>>          # then add the corresponding configuration.
> >>>          idmap config * : backend = tdb
> >>>          idmap config * : range = 2000-9999
> >>>
> >>>          # idmap config for the SAMDOM domain
> >>>          idmap config SAMDOM:backend = ad
> >>>          idmap config SAMDOM:schema_mode = rfc2307
> >>>          idmap config SAMDOM:range = 10000-999999
> >>>          winbind nss info = rfc2307
> >>>
> >>> root at dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! samaccountname=demo01
> >>> # record 1
> >>> dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
> >>> objectClass: top
> >>> objectClass: person
> >>> objectClass: organizationalPerson
> >>> objectClass: user
> >>> cn: demo01
> >>> instanceType: 4
> >>> whenCreated: 20161207153641.0Z
> >>> uSNCreated: 3797
> >>> name: demo01
> >>> objectGUID: f636d153-a965-4251-a5ae-64ac05c89e5d
> >>> badPwdCount: 0
> >>> codePage: 0
> >>> countryCode: 0
> >>> badPasswordTime: 0
> >>> lastLogoff: 0
> >>> lastLogon: 0
> >>> primaryGroupID: 513
> >>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
> >>> accountExpires: 9223372036854775807
> >>> logonCount: 0
> >>> sAMAccountName: demo01
> >>> sAMAccountType: 805306368
> >>> userPrincipalName: demo01 at samdom.example.com
> >>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> >>> uidNumber: 10000
> >>> loginShell: /bin/bash
> >>> unixHomeDirectory: /home/demo01
> >>> msSFU30NisDomain: samdom
> >>> msSFU30Name: demo01
> >>> unixUserPassword: ABCD!efgh12345$67890
> >>> pwdLastSet: 131255986018743120
> >>> userAccountControl: 512
> >>> gidNumber: 10000
> >>> uid: demo01
> >>> whenChanged: 20161208113015.0Z
> >>> uSNChanged: 3832
> >>> distinguishedName: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
> >>>
> >>> # Referral
> >>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
> >>>
> >>> # Referral
> >>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> >>>
> >>> # Referral
> >>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> >>>
> >>> # returned 4 records
> >>> # 1 entries
> >>> # 3 referrals
> >>>
> >>> root at dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! cn=demogroup
> >>> # record 1
> >>> dn: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
> >>> objectClass: top
> >>> objectClass: group
> >>> cn: demogroup
> >>> instanceType: 4
> >>> whenCreated: 20161207161213.0Z
> >>> uSNCreated: 3815
> >>> name: demogroup
> >>> objectGUID: 30ea6c61-63fc-44f7-87d9-0311abbac9ae
> >>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1110
> >>> sAMAccountName: demogroup
> >>> sAMAccountType: 268435456
> >>> groupType: -2147483646
> >>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> >>> msSFU30NisDomain: SAMDOM
> >>> gidNumber: 10000
> >>> whenChanged: 20161208104335.0Z
> >>> uSNChanged: 3824
> >>> distinguishedName: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
> >>>
> >>> # Referral
> >>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
> >>>
> >>> # Referral
> >>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> >>>
> >>> # Referral
> >>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> >>>
> >>> # returned 4 records
> >>> # 1 entries
> >>> # 3 referrals
> >>>
> >>>
> >>> TIA,
> >>> Oliver
> >>>
> >>>
> >>>
> >>
> >> Have you given 'Domain Users' a gidNumber attribute containing a
> >> number inside '10000-999999' ?
> >>
> >> Rowland
> >>
> >
> >
> > I did not touch the builtin domain groups. I thought it was
> > sufficient if the primary posix group of that user (demogroup)
> > was within the range. demogroup has a gidNumber of 10000.
> > Do I still need to modify the domain users in that case? Any other
> > domain groups that I need to modify?
> >
> > Oliver
> 
> So I gave Domain Users 99999 and voilà:
> 
> root at m1:~# wbinfo -i SAMDOM\\demo01
> SAMDOM\demo01:*:10000:99999:demo01:/home/demo01:/bin/bash
> 
> Seems samba always uses the primaryGroupID which for demo01 is set to
> 'Domain Users'. I'm just wondering a bit then why there is a gidNumber
> as a user attribute, as it is not used in the posix context.
> 
> Thanks for your help,
> Oliver
> 
> 
> 

If a group doesn't have a gidNumber it is invisible to Unix.

Rowland
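The lesson of the thread, as an added example that is not part of the list post or of Samba's own code: a small Python model of the lookup winbind's ad idmap backend performs for `wbinfo -i`. It resolves the user's primary group from `primaryGroupID` (the RID appended to the domain SID) and requires that group, not the user's own `gidNumber` attribute, to carry a `gidNumber` inside the configured `idmap config SAMDOM:range`. The directory records are constructed from the `ldbsearch` output above, the range is the one from the m1 `smb.conf`, and the check is a simplified re-creation of the behaviour the two correspondents describe, not Samba's implementation. Running it reproduces the failure with the unmodified `Domain Users` group and the passwd line Oliver gets once that group has `gidNumber` 99999.

```python
"""Preflight check for an rfc2307 idmap setup (added example, not Samba code).

Models the primary-group resolution winbind does for `wbinfo -i`: the user's
primaryGroupID names the group whose gidNumber becomes the passwd GID field, so
that group must have a gidNumber inside the domain's idmap range.
"""
import copy

# Constructed records, reduced to the attributes that matter here. Values are
# taken from the ldbsearch output in the thread.
DOMAIN_SID = "S-1-5-21-2104162034-3764151921-3268498227"
DIRECTORY = [
    {"objectClass": ["user"], "sAMAccountName": "demo01",
     "objectSid": DOMAIN_SID + "-1108", "primaryGroupID": 513,
     "uidNumber": 10000, "gidNumber": 10000,  # user gidNumber is NOT used
     "unixHomeDirectory": "/home/demo01", "loginShell": "/bin/bash"},
    {"objectClass": ["group"], "sAMAccountName": "demogroup",
     "objectSid": DOMAIN_SID + "-1110", "gidNumber": 10000},
    # Builtin group, RID 513, untouched: no gidNumber at all.
    {"objectClass": ["group"], "sAMAccountName": "Domain Users",
     "objectSid": DOMAIN_SID + "-513"},
]


def parse_range(spec):
    """Parse an 'idmap config DOM:range = LOW-HIGH' value into (low, high)."""
    low, high = (int(part) for part in spec.split("-", 1))
    if low > high:
        raise ValueError(f"inverted idmap range: {spec}")
    return low, high


def find_user(directory, name):
    for entry in directory:
        if "user" in entry.get("objectClass", []) and \
                entry.get("sAMAccountName", "").lower() == name.lower():
            return entry
    return None


def find_by_sid(directory, sid):
    return next((e for e in directory if e.get("objectSid") == sid), None)


def primary_group_sid(user):
    """winbind builds the primary group SID as <domain SID>-<primaryGroupID>."""
    domain_sid = user["objectSid"].rsplit("-", 1)[0]
    return f"{domain_sid}-{user['primaryGroupID']}"


def check_user(directory, workgroup, name, idmap_range):
    """Return {'ok', 'problems', 'passwd'}; passwd mimics the wbinfo -i line."""
    low, high = idmap_range
    problems = []
    user = find_user(directory, name)
    if user is None:
        return {"ok": False, "problems": [f"user {name} not found"], "passwd": None}

    uid = user.get("uidNumber")
    if uid is None:
        problems.append(f"{name} has no uidNumber")
    elif not low <= uid <= high:
        problems.append(f"{name} uidNumber {uid} is outside {low}-{high}")

    rid = user["primaryGroupID"]
    group = find_by_sid(directory, primary_group_sid(user))
    gid = None if group is None else group.get("gidNumber")
    if group is None:
        problems.append(f"primary group RID {rid} not found in directory")
    elif gid is None:
        problems.append(f"primary group '{group['sAMAccountName']}' (RID {rid}) "
                        "has no gidNumber; the user's own gidNumber does not "
                        "substitute for it")
    elif not low <= gid <= high:
        problems.append(f"primary group '{group['sAMAccountName']}' gidNumber "
                        f"{gid} is outside {low}-{high}")

    if problems:
        return {"ok": False, "problems": problems, "passwd": None}
    acct = user["sAMAccountName"]  # gecos field shows the account name, as in the thread
    passwd = (f"{workgroup}\\{acct}:*:{uid}:{gid}:{acct}:"
              f"{user['unixHomeDirectory']}:{user['loginShell']}")
    return {"ok": True, "problems": [], "passwd": passwd}


def with_group_gid(directory, group_name, gid):
    """Copy of the directory with gidNumber set on one group (Oliver's fix)."""
    fixed = copy.deepcopy(directory)
    for entry in fixed:
        if "group" in entry["objectClass"] and entry["sAMAccountName"] == group_name:
            entry["gidNumber"] = gid
    return fixed


if __name__ == "__main__":
    rng = parse_range("10000-999999")  # idmap config SAMDOM:range from smb.conf
    for label, directory in (("before", DIRECTORY),
                             ("after", with_group_gid(DIRECTORY, "Domain Users", 99999))):
        result = check_user(directory, "SAMDOM", "demo01", rng)
        print(label, result["passwd"] if result["ok"] else result["problems"])
```

The same check flags a primary group whose `gidNumber` lies outside the configured range (for instance one that falls into the `2000-9999` default range of the `*` backend), which is the other common way a mapped user ends up invisible to Unix.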
