[Samba] winbind rfc2307 - wbinfo -i fails

Oliver Heinz o.heinz at schunk.net
Thu Dec 8 16:04:52 UTC 2016



On 08.12.2016 at 14:48, Rowland Penny via samba wrote:
> On Thu, 8 Dec 2016 14:44:16 +0100
> Oliver Heinz via samba <samba at lists.samba.org> wrote:
>
>>
>> On 08.12.2016 at 14:31, Oliver Heinz wrote:
>>>
>>> On 08.12.2016 at 13:55, Rowland Penny via samba wrote:
>>>> On Thu, 8 Dec 2016 12:52:53 +0100
>>>> Oliver Heinz via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> I'm trying to get Samba 4 AD to work with rfc2307 extensions.
>>>>>
>>>>> wbinfo -i fails:
>>>>>
>>>>> root at m1:~# wbinfo -i SAMDOM\\demo01
>>>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>
>>>>> winbindd.log is here: http://pastebin.com/X0rEaLt2
>>>>>
>>>>> Pretty much everything else seems to work:
>>>>>
>>>>> root at m1:~# wbinfo --ping-dc
>>>>> checking the NETLOGON for domain[SAMDOM] dc connection to
>>>>> "dc1.samdom.example.com" succeeded
>>>>>
>>>>> root at m1:~# wbinfo --uid-to-sid=10000
>>>>> S-1-5-21-2104162034-3764151921-3268498227-1108
>>>>>
>>>>> root at m1:~# wbinfo --name-to-sid SAMDOM\\demo01
>>>>> S-1-5-21-2104162034-3764151921-3268498227-1108 SID_USER (1)
>>>>>
>>>>> What did I miss?
>>>>>
>>>>> My setup:
>>>>>
>>>>> dc1.example.com as per
>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>>>>>
>>>>> m1.example.com as per
>>>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>>>>
>>>>> Both with SerNet 4.5.2-9 packages.
>>>>>
>>>>> root at dc1:~# cat /etc/samba/smb.conf
>>>>> # Global parameters
>>>>> [global]
>>>>>            netbios name = DC1
>>>>>            realm = SAMDOM.EXAMPLE.COM
>>>>>            workgroup = SAMDOM
>>>>>            dns forwarder = 192.168.8.10
>>>>>            server role = active directory domain controller
>>>>>            idmap_ldb:use rfc2307 = yes
>>>>>
>>>>> [netlogon]
>>>>>            path = /var/lib/samba/sysvol/samdom.example.com/scripts
>>>>>            read only = No
>>>>>
>>>>> [sysvol]
>>>>>            path = /var/lib/samba/sysvol
>>>>>            read only = No
>>>>>
>>>>> root at m1:~# cat /etc/samba/smb.conf
>>>>> [global]
>>>>>           security = ADS
>>>>>           workgroup = SAMDOM
>>>>>           realm = SAMDOM.EXAMPLE.COM
>>>>>           log file = /var/log/samba/%m.log
>>>>>           log level = 1 winbind:10
>>>>>
>>>>>           # idmap config used for your domain.
>>>>>           # Click on the following links for more information
>>>>>           # on the available winbind idmap backends,
>>>>>           # Choose the one that fits your requirements
>>>>>           # then add the corresponding configuration.
>>>>>           idmap config * : backend = tdb
>>>>>           idmap config * : range = 2000-9999
>>>>>
>>>>>           # idmap config for the SAMDOM domain
>>>>>           idmap config SAMDOM:backend = ad
>>>>>           idmap config SAMDOM:schema_mode = rfc2307
>>>>>           idmap config SAMDOM:range = 10000-999999
>>>>>
>>>>>           winbind nss info = rfc2307
>>>>>
>>>>> root at dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234!
>>>>> samaccountname=demo01
>>>>> # record 1
>>>>> dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
>>>>> objectClass: top
>>>>> objectClass: person
>>>>> objectClass: organizationalPerson
>>>>> objectClass: user
>>>>> cn: demo01
>>>>> instanceType: 4
>>>>> whenCreated: 20161207153641.0Z
>>>>> uSNCreated: 3797
>>>>> name: demo01
>>>>> objectGUID: f636d153-a965-4251-a5ae-64ac05c89e5d
>>>>> badPwdCount: 0
>>>>> codePage: 0
>>>>> countryCode: 0
>>>>> badPasswordTime: 0
>>>>> lastLogoff: 0
>>>>> lastLogon: 0
>>>>> primaryGroupID: 513
>>>>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
>>>>> accountExpires: 9223372036854775807
>>>>> logonCount: 0
>>>>> sAMAccountName: demo01
>>>>> sAMAccountType: 805306368
>>>>> userPrincipalName: demo01 at samdom.example.com
>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>>>>> uidNumber: 10000
>>>>> loginShell: /bin/bash
>>>>> unixHomeDirectory: /home/demo01
>>>>> msSFU30NisDomain: samdom
>>>>> msSFU30Name: demo01
>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>> pwdLastSet: 131255986018743120
>>>>> userAccountControl: 512
>>>>> gidNumber: 10000
>>>>> uid: demo01
>>>>> whenChanged: 20161208113015.0Z
>>>>> uSNChanged: 3832
>>>>> distinguishedName: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
>>>>>
>>>>> # Referral
>>>>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
>>>>>
>>>>> # Referral
>>>>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>>>
>>>>> # Referral
>>>>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>>>
>>>>> # returned 4 records
>>>>> # 1 entries
>>>>> # 3 referrals
>>>>>
>>>>> root at dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234!
>>>>> cn=demogroup
>>>>> # record 1
>>>>> dn: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
>>>>> objectClass: top
>>>>> objectClass: group
>>>>> cn: demogroup
>>>>> instanceType: 4
>>>>> whenCreated: 20161207161213.0Z
>>>>> uSNCreated: 3815
>>>>> name: demogroup
>>>>> objectGUID: 30ea6c61-63fc-44f7-87d9-0311abbac9ae
>>>>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1110
>>>>> sAMAccountName: demogroup
>>>>> sAMAccountType: 268435456
>>>>> groupType: -2147483646
>>>>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>>>>> msSFU30NisDomain: SAMDOM
>>>>> gidNumber: 10000
>>>>> whenChanged: 20161208104335.0Z
>>>>> uSNChanged: 3824
>>>>> distinguishedName: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
>>>>>
>>>>> # Referral
>>>>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
>>>>>
>>>>> # Referral
>>>>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>>>
>>>>> # Referral
>>>>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>>>
>>>>> # returned 4 records
>>>>> # 1 entries
>>>>> # 3 referrals
>>>>>
>>>>>
>>>>> TIA,
>>>>> Oliver
>>>>>
>>>>>
>>>>>
>>>> Have you given 'Domain Users' a gidNumber attribute containing a
>>>> number inside '10000-999999' ?
>>>>
>>>> Rowland
>>>>
>>>
>>> I did not touch the builtin domain groups. I thought it was
>>> sufficient if the primary posix group of that user (demogroup)
>>> was within the range. demogroup has a gidNumber of 10000.
>>> Do I still need to modify Domain Users in that case? Any other
>>> domain groups that I need to modify?
>>>
>>> Oliver
>> So I gave Domain Users 99999 and voilà:
>>
>> root at m1:~# wbinfo -i SAMDOM\\demo01
>> SAMDOM\demo01:*:10000:99999:demo01:/home/demo01:/bin/bash
>>
>> Seems Samba always uses the primaryGroupID, which for demo01 is set to
>> 'Domain Users'. I'm just wondering a bit then why there is a gidNumber
>> as a user attribute, as it is not used in the posix context.
>>
>> Thanks for your help,
>> Oliver
>>
>>
>>
> If a group doesn't have a gidNumber it is invisible to Unix.
>
> Rowland
>
But what is the user's gidNumber attribute good for? Seems it is never
used, at least with winbind.

Oliver
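The thread's outcome in a form you can run before pointing winbind at a domain: the passwd entry winbind builds with `idmap config SAMDOM:backend = ad` takes its gid from the group named by the user's primaryGroupID (here 'Domain Users', RID 513), not from the user's own gidNumber, so a primary group without a gidNumber inside `idmap config SAMDOM:range` makes `wbinfo -i` fail the way Oliver saw. The script below is an added example, not code from the thread or from the Samba project. It parses LDIF as printed by ldbsearch/ldapsearch and flags users whose primary group is missing a gidNumber or sits outside the range. The sample LDIF is constructed from the demo01 and demogroup records above; the 'Domain Users' record, its CN=Users location and the assumption that winbind fills the gecos field with the account name when no gecos attribute exists are mine, chosen to reproduce the `SAMDOM\demo01:*:10000:99999:...` line from the thread.

```python
"""Check rfc2307 primary groups the way winbind's ad backend resolves them.

Added example (not from the thread or the Samba project). Parses LDIF as
printed by ldbsearch/ldapsearch; the sample below is constructed from the
thread's demo01/demogroup records plus an assumed 'Domain Users' record
(standard CN=Users container, well-known RID 513)."""

DOMAIN_RANGE = (10000, 999999)  # 'idmap config SAMDOM:range = 10000-999999'

# {domain_users_gid} is '' for the state that produced WBC_ERR_DOMAIN_NOT_FOUND
# and 'gidNumber: 99999' for the fix applied in the thread.
SAMPLE_LDIF = """\
dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: user
primaryGroupID: 513
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
sAMAccountName: demo01
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
 om
uidNumber: 10000
loginShell: /bin/bash
unixHomeDirectory: /home/demo01
gidNumber: 10000

dn: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1110
sAMAccountName: demogroup
gidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-2104162034-3764151921-3268498227-513
sAMAccountName: Domain Users
{domain_users_gid}

# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
"""


def parse_ldif(text):
    """LDIF -> list of {attr: [values]}. Joins folded values (continuation
    lines start with one space), skips '#' comments and drops referral blocks
    (no dn:). Base64 'attr::' values are not decoded; none are needed here."""
    records, cur, prev = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and prev is not None:
            cur[prev][-1] += raw[1:]  # continuation of the previous value
            continue
        if not raw.strip():
            if cur:
                records.append(cur)
            cur, prev = {}, None
            continue
        if raw.startswith("#"):
            prev = None
            continue
        attr, _, val = raw.partition(":")
        cur.setdefault(attr, []).append(val.strip())
        prev = attr
    if cur:
        records.append(cur)
    return [r for r in records if "dn" in r]


def groups_by_sid(records):
    return {r["objectSid"][0]: r for r in records
            if "group" in r.get("objectClass", []) and "objectSid" in r}


def posix_users(records):
    return [r for r in records
            if "user" in r.get("objectClass", []) and "uidNumber" in r]


def primary_group(user, groups):
    """The Unix primary group comes from primaryGroupID, not the user's
    gidNumber: its SID is <domain SID>-<primaryGroupID>."""
    domain_sid = user["objectSid"][0].rpartition("-")[0]
    return groups.get(f"{domain_sid}-{user['primaryGroupID'][0]}")


def check_primary_groups(records, domain_range=DOMAIN_RANGE):
    """Return one problem string per user winbind could not map."""
    lo, hi = domain_range
    groups, problems = groups_by_sid(records), []
    for u in posix_users(records):
        name, uid = u["sAMAccountName"][0], int(u["uidNumber"][0])
        if not lo <= uid <= hi:
            problems.append(f"{name}: uidNumber {uid} outside {lo}-{hi}")
        g = primary_group(u, groups)
        if g is None:
            problems.append(f"{name}: primary group RID {u['primaryGroupID'][0]} not in export")
        elif "gidNumber" not in g:
            problems.append(f"{name}: primary group {g['sAMAccountName'][0]} has no gidNumber")
        elif not lo <= int(g["gidNumber"][0]) <= hi:
            problems.append(f"{name}: primary group gidNumber {g['gidNumber'][0]} outside {lo}-{hi}")
    return problems


def passwd_entry(records, workgroup, name):
    """Passwd line in the layout `wbinfo -i` printed in the thread.
    Assumption: without a gecos attribute the account name fills gecos."""
    u = next(r for r in posix_users(records) if r["sAMAccountName"][0] == name)
    g = primary_group(u, groups_by_sid(records))
    if g is None or "gidNumber" not in g:
        raise LookupError(f"{name}: primary group has no gidNumber; wbinfo -i would fail")
    gecos = u.get("gecos", [name])[0]
    return (f"{workgroup}\\{name}:*:{u['uidNumber'][0]}:{g['gidNumber'][0]}:"
            f"{gecos}:{u['unixHomeDirectory'][0]}:{u['loginShell'][0]}")


if __name__ == "__main__":
    for label, gid in (("before", ""), ("after", "gidNumber: 99999")):
        recs = parse_ldif(SAMPLE_LDIF.format(domain_users_gid=gid))
        print(label, check_primary_groups(recs) or "ok")
    fixed = parse_ldif(SAMPLE_LDIF.format(domain_users_gid="gidNumber: 99999"))
    print(passwd_entry(fixed, "SAMDOM", "demo01"))
```

Against a live domain, feed it the output of `ldbsearch -H ldap://dc1.samdom.example.com -U administrator '(|(objectClass=user)(objectClass=group))' objectClass objectSid primaryGroupID sAMAccountName uidNumber gidNumber unixHomeDirectory loginShell gecos` and let ldbsearch prompt for the password: the `-Uadministrator%Test234!` form used in the thread puts the domain administrator's password into the shell history and into `ps` output for every local user. Note also that the user's own gidNumber (10000, demogroup) never appears in the resulting entry, which is exactly the behaviour the thread ends on.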


