[Samba] winbind idmap_ad rfc2307 can't read uidNumber
Raphaël RIGNIER
r.rignier at leschartreux.net
Tue Jul 5 07:33:21 UTC 2016
On 04/07/2016 at 20:09, Rowland penny wrote:
> On 04/07/16 18:35, Raphaël RIGNIER wrote:
>> Hi samba team !
>>
>> I have been trying for hours to resolve a problem I have with a Linux host (Samba
>> 4.3.9, Ubuntu 16.04) as an AD member. DCs are Windows 2008 R2, one is 2012
>> R2. Forest level is 2003 R2.
>>
>> my smb.conf :
>> [GLOBAL]
>> netbios name = CR-DEV-01
>> security = ADS
>> workgroup = ADDOMAIN
>> realm = ADDOMAIN.COM
>>
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9998
>>
>> idmap config ADDOMAIN:backend = ad
>> idmap config ADDOMAIN:schema_mode = rfc2307
>> idmap config ADDOMAIN:range = 9999-999999
>>
>> winbind nss info = rfc2307
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>>
>> The range starts at 9999 because that is the "Domain Users" gidNumber, to have a
>> default primary group.
>> Shared uid and gid start at 10000.
>>
>> The test for groups :
>> --------------
>> # net ads search '(SamAccountName=info2)' samaccountname gidnumber -P
>> Got 1 replies
>>
>> sAMAccountName: info2
>> gidNumber: 10002
>> ------------------
>> # getent group info2
>> info2:x:10002:
>> ------------------
>> All is OK
>>
>>
>>
>> For the user, it is not working as expected:
>> -------------
>> # net ads search '(SamAccountName=b.btstest)' samaccountName
>> uidnumber gidnumber gecos -P
>> Got 1 replies
>>
>> sAMAccountName: b.btstest
>> --------------------------------
>> No uidNumber, gidNumber, gecos?
>>
>> Same search with the admin account:
>> ------------------------
>> net ads search '(SamAccountName=b.btstest)' samaccountName uidnumber
>> gidnumber gecos -U administrator
>> Enter administrator's password:
>> Got 1 replies
>>
>> sAMAccountName: b.btstest
>> uidNumber: 13367
>> gidNumber: 10002
>> gecos: BTSTEST B
>> ---------------
>>
>> -----
>> # getent passwd b.btstest (no output)
>> ------
>> Winbind output
>> ------
>> getpwnam b.btstest
>> Could not convert sid S-1-5-21-4272071638-3509717963-3151537417-7471:
>> NT_STATUS_NONE_MAPPED
>> ----------
>> This is the same for all mapped AD users (3042 users).
>>
>> Does winbind make its queries to the DCs with the machine account?
>> Does that mean a bad AD schema?
>>
>> Strange behavior.
>>
>> Thanks for help.
>>
>
> What 'libpam-*' packages do you have installed ?
>
> What have you got in /etc/nsswitch.conf
>
> Rowland
>
>
AFAIK, libpam is not used at this stage of the test. Only libnss_winbind
should be used.
Here is the libpam list:
ii libpam-cap:amd64 1:2.24-12
ii libpam-ck-connector:amd64 0.4.6-5
ii libpam-gnome-keyring:amd64 3.18.3-0ubuntu2
ii libpam-krb5:amd64 4.7-2
ii libpam-modules:amd64 1.1.8-3.2ubuntu2
ii libpam-modules-bin 1.1.8-3.2ubuntu2
ii libpam-runtime 1.1.8-3.2ubuntu2
ii libpam-systemd:amd64 229-4ubuntu6
ii libpam-winbind:amd64 2:4.3.9+dfsg-0ubuntu0.16.04.2
ii libpam0g:amd64 1.1.8-3.2ubuntu2
pam_krb5 (my old auth method) is disabled via pam-auth-update.
My /etc/nsswitch.conf:
passwd: compat winbind
group: compat winbind
#passwd: compat ldap
#group: compat ldap
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
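The comparison the poster made by hand (the same search bound as the machine account with `-P` and bound as administrator with `-U`) is the right diagnostic for this symptom, because the idmap_ad backend reads uidNumber/gidNumber with the machine account, not with whatever credentials an administrator happens to test with. The script below is an added example, not code from the thread or from the Samba project. It parses `net ads search` output, lists the attributes that are visible to the privileged bind but missing from the machine-account bind, and also validates the idmap ranges from the posted smb.conf (inverted or overlapping ranges, and which range a given uidNumber/gidNumber falls in). The two sample outputs and the smb.conf fragment are constructed from the transcripts in this thread; all function names are the example's own.

```python
"""Diagnose an idmap_ad "NT_STATUS_NONE_MAPPED" symptom offline.

Example code, not from the Samba project. Inputs are constructed samples
modelled on the `net ads search` transcripts and smb.conf in this thread.
"""
import re

# Constructed sample: the idmap section of the posted smb.conf.
SMB_CONF = """
idmap config *:backend = tdb
idmap config *:range = 2000-9998

idmap config ADDOMAIN:backend = ad
idmap config ADDOMAIN:schema_mode = rfc2307
idmap config ADDOMAIN:range = 9999-999999
"""

# Constructed sample: `net ads search ... -P` (binds as the machine account).
MACHINE_ACCOUNT_OUT = """Got 1 replies

sAMAccountName: b.btstest
"""

# Constructed sample: the same search with `-U administrator`.
ADMIN_OUT = """Got 1 replies

sAMAccountName: b.btstest
uidNumber: 13367
gidNumber: 10002
gecos: BTSTEST B
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_search_output(text):
    """Map attribute name (lower-cased) -> value for one `net ads search` reply."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1).lower()] = m.group(2)
    return attrs


def attrs_hidden_from_machine(machine_out, admin_out, wanted):
    """Attributes the privileged bind returns but the machine-account bind does not.

    idmap_ad looks up uidNumber/gidNumber as the machine account, so any
    attribute listed here will never be mapped by winbind, however it looks
    in a query run as administrator.
    """
    machine = parse_search_output(machine_out)
    admin = parse_search_output(admin_out)
    return [a for a in wanted if a.lower() in admin and a.lower() not in machine]


def parse_idmap_ranges(conf):
    """Return {domain_key: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def range_problems(ranges):
    """Report inverted or overlapping ranges, which winbind cannot map unambiguously."""
    problems = []
    for key, (lo, hi) in ranges.items():
        if lo > hi:
            problems.append(f"{key}: low {lo} > high {hi}")
    ordered = sorted(ranges.items(), key=lambda kv: kv[1][0])
    for (k1, (lo1, hi1)), (k2, (lo2, hi2)) in zip(ordered, ordered[1:]):
        if lo2 <= hi1:
            problems.append(f"{k1} ({lo1}-{hi1}) overlaps {k2} ({lo2}-{hi2})")
    return problems


def range_for_id(ranges, number):
    """Domain key whose idmap range contains an RFC2307 uidNumber/gidNumber,
    or None when the id lies outside every range and winbind would ignore it."""
    for key, (lo, hi) in ranges.items():
        if lo <= number <= hi:
            return key
    return None


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    print("idmap ranges:", ranges)
    print("range problems:", range_problems(ranges) or "none")
    for n in (9999, 10002, 13367):
        print(f"id {n} -> range {range_for_id(ranges, n)}")
    hidden = attrs_hidden_from_machine(
        MACHINE_ACCOUNT_OUT, ADMIN_OUT, ["uidNumber", "gidNumber", "gecos"])
    print("attributes unreadable with the machine account:", hidden)
```

On the posted data the ranges are clean and both 10002 and 13367 fall inside the ADDOMAIN range, so the range check clears the configuration; the attribute diff is what isolates the problem, showing that uidNumber, gidNumber and gecos are all absent when the bind is the machine account. To reuse it against a live domain, feed the script the captured output of the two `net ads search` commands instead of the constructed samples.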