[Samba] "samba-tool user add" and idmap shenanigans

Mon Feb 1 09:20:18 UTC 2016

On 01/02/16 02:52, Stuart Longland wrote:
> Hi all,
>
> We're in the process of finally moving from our aging Samba3-based
> infrastructure across to Samba4.
>
> Rather than trying to migrate, we're just making a clean break so that
> we can do it properly from day one, as there were likely some mistakes
> that were made years ago we want to leave behind.
>
> The machines under test are virtual machines running Ubuntu 14.04 LTS
> AMD64.  I've just did an `apt-get dist-upgrade` this morning.
>
> We've got an AD server going happily, with the relevant NIS extensions
> running and winbindd.  All is good.  I can create a user on the server,
> and it appears along with a UID.
>
>> root at bnedevdc0:~# samba-tool user add testuser2 --random-password
>> User 'testuser2' created successfully
>> root at bnedevdc0:~# wbinfo -i testuser2
>> VRTAD\testuser2:*:3000032:10000::/home/VRTAD/testuser2:/bin/false
> Other users work too:
>> root at bnedevdc0:~# wbinfo -i testuser
>> VRTAD\testuser:*:123456:10000::/home/VRTAD/testuser:/bin/false
> Now, I move across to my member server and try to repeat the two
> `wbinfo` commands:
>
>> root at bnedevmail:~# wbinfo -i testuser
>> testuser:*:123456:10000:testuser:/home/VRTAD/testuser:/bin/bash
>> root at bnedevmail:~# wbinfo -i testuser2
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user testuser2
> I can do `id` and other commands with 'testuser' as if it were a local
> Unix account, but not with 'testuser2'.
>
> The only thing different about these, is when creating 'testuser', I
> explicitly provided --uid-number, setting it to 123456 as a test.  It
> got stored in LDAP as uidNumber, which is fine.
>
> Somewhere, the AD server decided upon 300032 as the UID number for
> 'testuser2', however it forgot to write that into LDAP, and so the
> member server can't see it.  I see reference to xidNumber in places too
> -- it didn't bother to write that to LDAP either.
>
> On the old server `smbldap-useradd` would take care of assigning unique
> user IDs, so I know Samba supports this feature.
>
> I've checked configuration files and logs, the only thing I see is in
> `winbindd` logs on the member server:
>
>> ==> /var/log/samba/log.winbindd <==
>> [2016/02/01 12:52:31.513489,  5] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>>    Could not convert sid S-1-5-21-3300742366-236599213-516333450-7025: NT_STATUS_NONE_MAPPED
> Yet, it's clearly mapped when I try to do the same thing on the domain
> controller itself.  Is there something that I'm missing?
>
> Regards,

Yes, The DCs and domain members work differently. On a DC, windows users 
are mapped to Unix users in 'idmap.ldb', this is where you will find the 
xidNumber attributes. On a domain member, the users are mapped via 
winbind and there are several backends available, though only two are 
really used, the 'ad' & 'rid' backends. If you use the 'ad' backend, you 
will have to give all users, that you want to be visible to Unix, a 
uidNumber attribute and Domain Users (at least) a gidNumber. If you use 
the 'rid' backend, you do not have to add anything to AD, but you may 
want to add the 'template' lines to smb.conf on the domain member (see 
man smb.conf).

You may also want investigate using a later version of Samba, the 
version available from ubuntu is old and in fact when Samba 4.4.0 comes 
out (due start of March), the 4.1.x series will go EOL. You could use 
the latest freely available Sernet version, this will get you 4.2.x, or 
you could very easily compile Samba yourself, if you go down this path, 
you can get the latest version.

Rowland