[Samba] wbinfo -u does not listed trusted users, wbinfo -n works, idmap not working

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Dec 19 22:17:42 UTC 2016


On both a Samba 4.5.1 member server and a Samba 3.6.25 member server I tried 
the following command:


     wbinfo --set-uid-mapping=35049,S-1-5-21-xx-xx-xxx-xxx


This should have created a mapping entry consistent with the one on the 
domain controller for a trusted user.

But I got the following error:

     failed to call wbcSetUidMapping: WBC_ERR_NOT_IMPLEMENTED

As far as I can tell from network captures and looking at logs on the 
PDC, any "wbinfo" commands on the member servers only query the PDC for 
their own domain, even if they are querying info on users from a trusted 
domain.

wbinfo -a (--authenticate) does work from member servers:

    # /usr/local/samba/bin/wbinfo -a "TRUSTEDDOMAIN\someuser "
    Enter TRUSTEDDOMAIN\someuser's password:
    plaintext password authentication succeeded
    Enter TRUSTEDDOMAIN\someuser's password:
    challenge/response password authentication succeeded
    #

On 12/14/16 14:46, Gaiseric Vandal wrote:
> On the Samba 4.5.1 domain controllers (PDC and BDC), classic domain, 
> LDAP is used as the backend for both user accounts AND for the 
> idmapping of trusted domains. Partial smb.conf below:
>
>     workgroup = THISDOMAIN
>     security = user
>     passdb backend = ldapsam:ldap://xxxxxxxxxxxxxxxxx
>
>     idmap config * : backend  = tdb
>     idmap config * : range =  5000-6000
>
>
>     idmap config THISDOMAIN : backend  = nss
>     idmap config THISDOMAIN : range = 100-300
>
>
>     idmap config TRUSTEDDOMAIN:backend = ldap
>     idmap config TRUSTEDDOMAIN:readonly = no
>     idmap config TRUSTEDDOMAIN:default=no
>     idmap config TRUSTEDDOMAIN:ldap_base_dn = ou=xxxxxxxxxx
>     idmap config TRUSTEDDOMAIN:ldap_user_dn = xxxxxxxxx
>     idmap config TRUSTEDDOMAIN:ldap_url = ldap://xxxxxxxxxxx
>     idmap config TRUSTEDDOMAIN:range = 30000-39999
>
>
>
> On the 4.5.1 domain members I have tried TDB backend for trusted 
> domains idmapping ...
>
>
>     idmap config TRUSTEDDOMAIN : backend  = tdb
>     idmap config TRUSTEDDOMAIN : range = 30000-39999
>
>
>
>
> ...and I have tried LDAP backend
>
>     idmap config TRUSTEDDOMAIN:backend = ldap
>     idmap config TRUSTEDDOMAIN:readonly = no
>     idmap config TRUSTEDDOMAIN:default=no
>     idmap config TRUSTEDDOMAIN:ldap_base_dn = ou=xxxxxxxxxx
>     idmap config TRUSTEDDOMAIN:ldap_user_dn = xxxxxxxxx
>     idmap config TRUSTEDDOMAIN:ldap_url = ldap://xxxxxxxxxxx
>     idmap config TRUSTEDDOMAIN:range = 30000-39999
>
> But idmap fails regardless on the domain members.
>
>      # /usr/local/samba/bin/wbinfo  -n "THISDOMAIN\myname"
>     S-1-5-21-xxx-xxx-xxx-xxx SID_USER (1)
>
>      # /usr/local/samba/bin/wbinfo  -i "THISDOMAIN\myname"
>     THISDOMAIN\myname:*:123:100:My Name
>     :/home/THISDOMAIN/myname:/bin/false
>
>
>      # /usr/local/samba/bin/wbinfo  -n "TRUSTEDUSER\someuser"
>     S-1-5-21-xxx-xxx-xxx-xxx SID_USER (1)
>
>     # /usr/local/samba/bin/wbinfo  -i  "TRUSTEDUSER\someuser"
>     failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>     Could not get info for user  TRUSTEDUSER\someuser
>     #
>
>
>      # /usr/local/samba/bin/wbinfo  --allocate-uid
>
>     failed to call wbcAllocateUid: WBC_ERR_DOMAIN_NOT_FOUND
>     Could not allocate a uid
>      #
>
>
>
> I could never get idmapping for trusted domains working on member 
> servers with samba 3.6.x either.
>
>
> It seems that wbinfo just doesn't like trusted domains.
>
>
> I am presuming that I can only use the idmap ad backend for my "own" 
> domain (if I were in an AD domain) and not for trusted domains. I 
> also suspect that the idmap ldap backend is only valid on domain controllers.
>
>
> Appreciate any help.
>
> Thanks
>
> On 12/13/16 09:51, Gaiseric Vandal wrote:
>> Running a mix of Samba versions (3.6.25 and 4.5.1) in two domains: 
>> one "classic" (with Samba domain controllers) and one AD (with 
>> Windows domain controllers). The eventual goal is to drop the 
>> classic domain in favor of the AD domain. Also trying to move from 
>> Samba 3.x to 4.x since Samba 3 is EOL'd.
>>
>>
>> The "wbinfo -u" command will list users in the server's domain but not 
>> trusted domains. However the "wbinfo -n" command (e.g. "wbinfo -n 
>> TRUSTEDDOMAIN\username") does return the user's SID, and "getent 
>> passwd" may be able to show the trusted user (depending on idmap 
>> config).
>>
>>
>> Typical winbind settings are:
>>
>>
>>  # testparm -v | grep winbind
>> ....
>>
>>         winbind separator = \
>>         winbind cache time = 300
>>         winbind reconnect delay = 30
>>         winbind max clients = 200
>>         winbind enum users = Yes
>>         winbind enum groups = Yes
>>         winbind use default domain = No
>>         winbind trusted domains only = No
>>         winbind nested groups = Yes
>>         winbind expand groups = 1
>>         winbind nss info = template
>>         winbind refresh tickets = No
>>         winbind offline logon = No
>>         winbind normalize names = No
>>         winbind rpc only = No
>>         winbind max domain connections = 1
>> #
>>
>> Changing "winbind use default domain" or "winbind trusted domains 
>> only" to yes will change how users from the server's own domain are displayed 
>> ("MYDOMAIN\username" vs "username").
>>
>>
>> Logs show errors about winbind not being able to connect to either 
>> its own or the trusted domains when I restart the winbind service. It 
>> seems like winbind has issues when it starts but then future "wbinfo 
>> -n" lookups do connect. "wbinfo -D TRUSTDOMAIN" works.
>>
>> I used to run just Samba 3.6.25 in a classic domain. Trusts with AD 
>> domains were fine until the various BADLOCK-related patches came 
>> out for Windows. Samba 3.6.25 with backported Badlock patches 
>> seemed to fix trust issues with domains BUT broke Windows client 
>> logins. I think I just need to get away from Samba 3 (and 
>> classic domains) or I will continue to have issues with the latest 
>> versions of Windows.
>>
>>
>>
>>
>> thanks
>
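As an added illustration (not from the thread and not Samba's own code), a small Python checker that parses `idmap config` lines like the ones quoted above and reports missing, malformed or overlapping ranges; it also names the domain a given UID (such as the 35049 in the set-uid-mapping attempt) falls into. Overlapping ranges would let SIDs from two domains map to the same UID, which is why each domain's range must stay disjoint; the smb.conf fragment is constructed from the thread's values.

```python
import re
# Constructed smb.conf fragment using the idmap entries quoted in the thread
# (both "DOMAIN : key" and "DOMAIN:key" spacing styles occur there).
SMB_CONF = """
[global]
    idmap config * : backend  = tdb
    idmap config * : range =  5000-6000
    idmap config THISDOMAIN : backend  = nss
    idmap config THISDOMAIN : range = 100-300
    idmap config TRUSTEDDOMAIN:backend = ldap
    idmap config TRUSTEDDOMAIN:readonly = no
    idmap config TRUSTEDDOMAIN:range = 30000-39999
"""
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(text):
    """Return {DOMAIN: {key: value}} for every 'idmap config' line in text."""
    cfg = {}
    for m in filter(None, map(IDMAP_RE.match, text.splitlines())):
        dom, key, val = m.groups()
        cfg.setdefault(dom.upper(), {})[key.lower()] = val
    return cfg

def parse_range(value):
    """'30000-39999' -> (30000, 39999); None if missing, malformed or reversed."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value or "")
    return (int(m[1]), int(m[2])) if m and int(m[1]) <= int(m[2]) else None

def check_idmap(cfg):
    """List problems; empty means every domain has a sane, non-overlapping range."""
    problems, ranges = [], {}
    for dom, keys in cfg.items():
        rng = parse_range(keys.get("range"))
        if rng is None:
            problems.append(f"{dom}: missing or malformed range {keys.get('range')!r}")
        else:
            ranges[dom] = rng
    doms = sorted(ranges)
    for i, a in enumerate(doms):  # an overlap would let two domains map to one UID
        for b in doms[i + 1:]:
            lo, hi = max(ranges[a][0], ranges[b][0]), min(ranges[a][1], ranges[b][1])
            if lo <= hi:
                problems.append(f"{a} and {b} overlap on {lo}-{hi}")
    return problems

def domain_for_uid(cfg, uid):
    """Name the domain whose idmap range contains uid (e.g. 35049), or None."""
    hits = [d for d, k in cfg.items() if (r := parse_range(k.get("range"))) and r[0] <= uid <= r[1]]
    return hits[0] if hits else None
```

Run it against a real smb.conf by reading the file into `parse_idmap`; the domain names are upper-cased so the match against winbind's domain names is case-insensitive.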