[Samba] winbind rfc2307 - wbinfo -i fails

Rowland Penny rpenny at samba.org
Thu Dec 8 16:36:32 UTC 2016


On Thu, 8 Dec 2016 17:04:52 +0100
Oliver Heinz via samba <samba at lists.samba.org> wrote:

> 
> 
> Am 08.12.2016 um 14:48 schrieb Rowland Penny via samba:
> > On Thu, 8 Dec 2016 14:44:16 +0100
> > Oliver Heinz via samba <samba at lists.samba.org> wrote:
> >
> >>
> >> Am 08.12.2016 um 14:31 schrieb Oliver Heinz:
> >>>
> >>> Am 08.12.2016 um 13:55 schrieb Rowland Penny via samba:
> >>>> On Thu, 8 Dec 2016 12:52:53 +0100
> >>>> Oliver Heinz via samba <samba at lists.samba.org> wrote:
> >>>>
> >>>>> I'm trying to get Samba 4 AD to work with rfc2307 extensions.
> >>>>>
> >>>>> wbinfo -i fails
> >>>>>
> >>>>> root at m1:~# wbinfo -i SAMDOM\\demo01
> >>>>>
> >>>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> >>>>>
> >>>>>
> >>>>> winbindd.log it here: http://pastebin.com/X0rEaLt2
> >>>>>
> >>>>> Pretty much everything else seems to work:
> >>>>>
> >>>>> root at m1:~# wbinfo --ping-dc
> >>>>>
> >>>>> checking the NETLOGON for domain[SAMDOM] dc connection to
> >>>>> "dc1.samdom.example.com" succeeded
> >>>>>
> >>>>> root at m1:~# wbinfo  --uid-to-sid=10000
> >>>>>
> >>>>> S-1-5-21-2104162034-3764151921-3268498227-1108
> >>>>>
> >>>>> root at m1:~# wbinfo --name-to-sid SAMDOM\\demo01
> >>>>>
> >>>>> S-1-5-21-2104162034-3764151921-3268498227-1108 SID_USER (1)
> >>>>>
> >>>>>
> >>>>> What did I miss?
> >>>>>
> >>>>>
> >>>>> My setup:
> >>>>>
> >>>>> dc1.example.com as per
> >>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> >>>>>
> >>>>> m1.example.com as per
> >>>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> >>>>>
> >>>>> Both with SerNet 4.5.2-9 Packages
> >>>>>
> >>>>>
> >>>>> root at dc1:~# cat /etc/samba/smb.conf
> >>>>>
> >>>>> # Global parameters
> >>>>>
> >>>>> [global]
> >>>>>
> >>>>>            netbios name = DC1
> >>>>>
> >>>>>            realm = SAMDOM.EXAMPLE.COM
> >>>>>
> >>>>>            workgroup = SAMDOM
> >>>>>
> >>>>>            dns forwarder = 192.168.8.10
> >>>>>
> >>>>>            server role = active directory domain controller
> >>>>>
> >>>>>            idmap_ldb:use rfc2307 = yes
> >>>>>
> >>>>> [netlogon]
> >>>>>
> >>>>>            path = /var/lib/samba/sysvol/samdom.example.com/scripts
> >>>>>
> >>>>>            read only = No
> >>>>>
> >>>>> [sysvol]
> >>>>>
> >>>>>            path = /var/lib/samba/sysvol
> >>>>>
> >>>>>            read only = No
> >>>>>
> >>>>> root at m1:~# cat /etc/samba/smb.conf
> >>>>>
> >>>>> [global]
> >>>>>
> >>>>>           security = ADS
> >>>>>
> >>>>>           workgroup = SAMDOM
> >>>>>
> >>>>>           realm = SAMDOM.EXAMPLE.COM
> >>>>>
> >>>>>           log file = /var/log/samba/%m.log
> >>>>>
> >>>>>           log level = 1 winbind:10
> >>>>>
> >>>>>           # idmap config used for your domain.
> >>>>>
> >>>>>           # Click on the following links for more information
> >>>>>
> >>>>>           # on the available winbind idmap backends,
> >>>>>
> >>>>>           # Choose the one that fits your requirements
> >>>>>
> >>>>>           # then add the corresponding configuration.
> >>>>>
> >>>>>           idmap config * : backend = tdb
> >>>>>
> >>>>>           idmap config * : range = 2000-9999
> >>>>>
> >>>>>           # idmap config for the SAMDOM domain
> >>>>>
> >>>>>           idmap config SAMDOM:backend = ad
> >>>>>
> >>>>>           idmap config SAMDOM:schema_mode = rfc2307
> >>>>>
> >>>>>           idmap config SAMDOM:range = 10000-999999
> >>>>>
> >>>>>           winbind nss info = rfc2307
> >>>>>
> >>>>> root at dc1:~# ldbsearch -H ldap://localhost
> >>>>> -Uadministrator%Test234! samaccountname=demo01
> >>>>>
> >>>>> # record 1
> >>>>>
> >>>>> dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> objectClass: top
> >>>>>
> >>>>> objectClass: person
> >>>>>
> >>>>> objectClass: organizationalPerson
> >>>>>
> >>>>> objectClass: user
> >>>>>
> >>>>> cn: demo01
> >>>>>
> >>>>> instanceType: 4
> >>>>>
> >>>>> whenCreated: 20161207153641.0Z
> >>>>>
> >>>>> uSNCreated: 3797
> >>>>>
> >>>>> name: demo01
> >>>>>
> >>>>> objectGUID: f636d153-a965-4251-a5ae-64ac05c89e5d
> >>>>>
> >>>>> badPwdCount: 0
> >>>>>
> >>>>> codePage: 0
> >>>>>
> >>>>> countryCode: 0
> >>>>>
> >>>>> badPasswordTime: 0
> >>>>>
> >>>>> lastLogoff: 0
> >>>>>
> >>>>> lastLogon: 0
> >>>>>
> >>>>> primaryGroupID: 513
> >>>>>
> >>>>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
> >>>>>
> >>>>> accountExpires: 9223372036854775807
> >>>>>
> >>>>> logonCount: 0
> >>>>>
> >>>>> sAMAccountName: demo01
> >>>>>
> >>>>> sAMAccountType: 805306368
> >>>>>
> >>>>> userPrincipalName: demo01 at samdom.example.com
> >>>>>
> >>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> uidNumber: 10000
> >>>>>
> >>>>> loginShell: /bin/bash
> >>>>>
> >>>>> unixHomeDirectory: /home/demo01
> >>>>>
> >>>>> msSFU30NisDomain: samdom
> >>>>>
> >>>>> msSFU30Name: demo01
> >>>>>
> >>>>> unixUserPassword: ABCD!efgh12345$67890
> >>>>>
> >>>>> pwdLastSet: 131255986018743120
> >>>>>
> >>>>> userAccountControl: 512
> >>>>>
> >>>>> gidNumber: 10000
> >>>>>
> >>>>> uid: demo01
> >>>>>
> >>>>> whenChanged: 20161208113015.0Z
> >>>>>
> >>>>> uSNChanged: 3832
> >>>>>
> >>>>> distinguishedName:
> >>>>> CN=demo01,OU=example,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> # Referral
> >>>>>
> >>>>> ref:
> >>>>> ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> # Referral
> >>>>>
> >>>>> ref:
> >>>>> ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> # Referral
> >>>>>
> >>>>> ref:
> >>>>> ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> # returned 4 records
> >>>>>
> >>>>> # 1 entries
> >>>>>
> >>>>> # 3 referrals
> >>>>>
> >>>>> root at dc1:~# ldbsearch -H ldap://localhost
> >>>>> -Uadministrator%Test234! cn=demogroup
> >>>>>
> >>>>> # record 1
> >>>>>
> >>>>> dn: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> objectClass: top
> >>>>>
> >>>>> objectClass: group
> >>>>>
> >>>>> cn: demogroup
> >>>>>
> >>>>> instanceType: 4
> >>>>>
> >>>>> whenCreated: 20161207161213.0Z
> >>>>>
> >>>>> uSNCreated: 3815
> >>>>>
> >>>>> name: demogroup
> >>>>>
> >>>>> objectGUID: 30ea6c61-63fc-44f7-87d9-0311abbac9ae
> >>>>>
> >>>>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1110
> >>>>>
> >>>>> sAMAccountName: demogroup
> >>>>>
> >>>>> sAMAccountType: 268435456
> >>>>>
> >>>>> groupType: -2147483646
> >>>>>
> >>>>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> msSFU30NisDomain: SAMDOM
> >>>>>
> >>>>> gidNumber: 10000
> >>>>>
> >>>>> whenChanged: 20161208104335.0Z
> >>>>>
> >>>>> uSNChanged: 3824
> >>>>>
> >>>>> distinguishedName:
> >>>>> CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> # Referral
> >>>>>
> >>>>> ref:
> >>>>> ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> # Referral
> >>>>>
> >>>>> ref:
> >>>>> ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> # Referral
> >>>>>
> >>>>> ref:
> >>>>> ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> # returned 4 records
> >>>>>
> >>>>> # 1 entries
> >>>>>
> >>>>> # 3 referrals
> >>>>>
> >>>>>
> >>>>> TIA,
> >>>>> Oliver
> >>>>>
> >>>>>
> >>>>>
> >>>> Have you given 'Domain Users' a gidNumber attribute containing a
> >>>> number inside '10000-999999' ?
> >>>>
> >>>> Rowland
> >>>>
> >>>
> >>> I did not touch the builtin domain groups. I thought it was
> >>> sufficient if the primary posix group of that user (demogroup)
> >>> was within the range. demogroup has a gidNumber of 10000.
> >>> Do I still need to modify the domain users in that case? Any other
> >>> domain groups that I need to modify?
> >>>
> >>> Oliver
> >> So I gave Domain Users 99999 and voilà:
> >>
> >> root at m1:~# wbinfo -i SAMDOM\\demo01
> >> SAMDOM\demo01:*:10000:99999:demo01:/home/demo01:/bin/bash
> >>
> >> Seems samba always uses the primaryGroupID which for demo01 is set
> >> to 'Domain Users'. I'm just wondering a bit then why there is a
> >> gidNumber as a user attribute, as it is not used in the posix
> >> context.
> >>
> >> Thanks for your help,
> >> Oliver
> >>
> >>
> >>
> > If a group doesn't have a gidNumber it is invisible to Unix.
> >
> > Rowland
> >
> But what is the user's gidNumber attribute good for? Seems it is
> never used - at least with winbind.
> 
> Oliver
> 

To be honest, I have never found a use for it. If a user is a member of
an AD group and that group has a gidNumber it is available to be used
with Unix.

Rowland
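The conclusion the thread reaches, that winbind resolves a user's primary group through primaryGroupID and needs that group (Domain Users here) to carry a gidNumber inside the idmap range, can be turned into an offline pre-flight check. This is an added example, not code from the thread or from Samba; the LDIF records are constructed from the values quoted above (Domain Users is given the well-known RID 513 that demo01's primaryGroupID points to), and parse_ldif and check_primary_groups are my own helpers.

```python
import re
IDMAP_RANGE = (10000, 999999)  # from 'idmap config SAMDOM:range' in the thread
# Constructed LDIF modelled on the ldbsearch output quoted above (not live data);
# Domain Users carries the well-known RID 513 that demo01's primaryGroupID names.
USERS_LDIF = """\
dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
sAMAccountName: demo01
primaryGroupID: 513
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
uidNumber: 10000
gidNumber: 10000
"""
GROUPS_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Users
objectSid: S-1-5-21-2104162034-3764151921-3268498227-513

dn: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
sAMAccountName: demogroup
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1110
gidNumber: 10000
"""

def parse_ldif(text):
    """Split LDIF on blank lines; each entry becomes a dict of single-valued attrs."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entries.append(dict(line.partition(": ")[::2] for line in block.splitlines()))
    return entries

def check_primary_groups(users, groups, idmap_range=IDMAP_RANGE):
    """Return {user: verdict}: can winbind's 'ad' backend build a passwd entry?"""
    by_sid = {g["objectSid"]: g for g in groups}
    lo, hi = idmap_range
    verdicts = {}
    for u in users:
        if "uidNumber" not in u:
            continue  # no uidNumber: the 'ad' backend will not map this user at all
        # winbind takes the primary group from primaryGroupID (a RID in the user's domain)
        domain_sid = u["objectSid"].rsplit("-", 1)[0]
        pg = by_sid.get(f"{domain_sid}-{u['primaryGroupID']}", {})
        name = u["sAMAccountName"]
        if "gidNumber" not in pg:  # the user's own gidNumber is not consulted
            verdicts[name] = f"primary group '{pg.get('sAMAccountName', '?')}' has no gidNumber"
        elif not lo <= int(pg["gidNumber"]) <= hi:
            verdicts[name] = f"primary group gidNumber {pg['gidNumber']} outside {lo}-{hi}"
        else:
            verdicts[name] = "ok"
    return verdicts
```

On a live domain the same records can be pulled with the ldbsearch command quoted above, requesting sAMAccountName, objectSid, primaryGroupID, uidNumber and gidNumber as the attribute list.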