[Samba] winbind idmap_ad rfc2307 can't read uidNumber

Raphaël RIGNIER r.rignier at leschartreux.net
Tue Jul 5 07:33:21 UTC 2016


On 04/07/2016 at 20:09, Rowland penny wrote:
> On 04/07/16 18:35, Raphaël RIGNIER wrote:
>> Hi samba team !
>>
>> I have been trying for hours to resolve a problem I have with a Linux host 
>> (Samba 4.3.9, Ubuntu 16.04) as an AD member. The DCs are Windows 2008 R2, 
>> one is 2012 R2. The forest level is 2003 R2.
>>
>> my smb.conf :
>> [GLOBAL]
>>         netbios name = CR-DEV-01
>>         security = ADS
>>         workgroup = ADDOMAIN
>>         realm = ADDOMAIN.COM
>>
>>
>>         idmap config *:backend = tdb
>>         idmap config *:range = 2000-9998
>>
>>         idmap config ADDOMAIN:backend = ad
>>         idmap config ADDOMAIN:schema_mode = rfc2307
>>         idmap config ADDOMAIN:range = 9999-999999
>>
>>         winbind nss info = rfc2307
>>         winbind enum users = yes
>>         winbind enum groups = yes
>>         winbind use default domain = yes
>>
>> The range starts at 9999 because that is the "Domain Users" gidNumber, 
>> to have a default primary group.
>> Shared uids and gids start at 10000.
>>
>> The test for groups :
>> --------------
>> # net ads search '(SamAccountName=info2)' samaccountname gidnumber  -P
>> Got 1 replies
>>
>> sAMAccountName: info2
>> gidNumber: 10002
>> ------------------
>> #  getent group info2
>> info2:x:10002:
>> ------------------
>> All is OK
>>
>>
>>
>> For the User, it is not working as expected :
>> -------------
>> # net ads search '(SamAccountName=b.btstest)'  samaccountName 
>> uidnumber gidnumber gecos -P
>> Got 1 replies
>>
>> sAMAccountName: b.btstest
>> --------------------------------
>> No uidNumber, gidNumber, gecos?
>>
>> The same search with the admin account:
>> ------------------------
>> net ads search '(SamAccountName=b.btstest)'  samaccountName uidnumber 
>> gidnumber gecos -U administrator
>> Enter administrator's password:
>> Got 1 replies
>>
>> sAMAccountName: b.btstest
>> uidNumber: 13367
>> gidNumber: 10002
>> gecos: BTSTEST B
>> ---------------
>>
>> -----
>> # getent passwd b.btstest   (no output)
>> ------
>> Winbind output
>> ------
>> getpwnam b.btstest
>> Could not convert sid S-1-5-21-4272071638-3509717963-3151537417-7471: 
>> NT_STATUS_NONE_MAPPED
>> ----------
>> This is the same for all mapped AD users (3042 users).
>>
>> Does winbind make its queries to the DCs with the machine account?
>> Does that mean a bad AD schema?
>>
>> Strange behavior.
>>
>> Thanks for help.
>>
>
> What 'libpam-*' packages do you have installed ?
>
> What have you got in /etc/nsswitch.conf
>
> Rowland
>
>
AFAIK, libpam is not used at this stage of the test. Only libnss_winbind 
should be used.
Here is the libpam list:

ii  libpam-cap:amd64           1:2.24-12
ii  libpam-ck-connector:amd64  0.4.6-5
ii  libpam-gnome-keyring:amd64 3.18.3-0ubuntu2
ii  libpam-krb5:amd64          4.7-2
ii  libpam-modules:amd64       1.1.8-3.2ubuntu2
ii  libpam-modules-bin         1.1.8-3.2ubuntu2
ii  libpam-runtime             1.1.8-3.2ubuntu2
ii  libpam-systemd:amd64       229-4ubuntu6
ii  libpam-winbind:amd64       2:4.3.9+dfsg-0ubuntu0.16.04.2
ii  libpam0g:amd64             1.1.8-3.2ubuntu2

pam_krb5 (my old auth method) is disabled via pam-auth-update

my /etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind
#passwd:         compat ldap
#group:          compat ldap
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
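Added example, not from this thread or from the Samba project: the diagnostic the two 'net ads search' runs above amount to, scripted. winbind binds to the DC with the machine account (that is what -P uses), so any RFC2307 attribute that the admin search returns but the -P search does not is one idmap_ad cannot read, and the SID-to-uid lookup fails with NT_STATUS_NONE_MAPPED exactly as shown. The function compares the two outputs and names the hidden attributes; the sample outputs at the bottom are constructed to mirror the post, and the live invocation in the comment assumes a joined host and an 'administrator' account.

```shell
#!/bin/sh
# Compare what the machine account and an admin account can read from a
# user object via 'net ads search', and report the RFC2307 attributes
# that are hidden from the machine account (i.e. from winbind).

# Attribute names present in a 'net ads search' output, lowercased, one
# per line.  Output lines look like "uidNumber: 13367".
attrs_in() {
    printf '%s\n' "$1" \
        | sed -n 's/^\([A-Za-z][A-Za-z0-9]*\): .*/\1/p' \
        | tr 'A-Z' 'a-z' | sort -u
}

# $1 = output of the search run as the machine account (-P)
# $2 = output of the same search run as an admin (-U ...)
# Prints the RFC2307 attributes the admin sees but the machine account
# does not, in a fixed order; prints nothing when the views agree.
hidden_from_machine() {
    machine_attrs=$(attrs_in "$1")
    admin_attrs=$(attrs_in "$2")
    for a in uidnumber gidnumber gecos loginshell unixhomedirectory; do
        if printf '%s\n' "$admin_attrs" | grep -qx "$a" \
           && ! printf '%s\n' "$machine_attrs" | grep -qx "$a"; then
            echo "$a"
        fi
    done
}

# Live use on a joined member server (not part of the offline run):
#   acct=b.btstest
#   machine=$(net ads search "(sAMAccountName=$acct)" uidNumber gidNumber gecos -P)
#   admin=$(net ads search "(sAMAccountName=$acct)" uidNumber gidNumber gecos -U administrator)
#   hidden_from_machine "$machine" "$admin"
# A non-empty result means the DC's ACL on those attributes denies the
# computer object read access; fix the ACL (or the confidential-attribute
# flag) in AD rather than the smb.conf idmap block.

# Constructed sample outputs, modelled on the post above.
SAMPLE_MACHINE='Got 1 replies

sAMAccountName: b.btstest'

SAMPLE_ADMIN='Got 1 replies

sAMAccountName: b.btstest
uidNumber: 13367
gidNumber: 10002
gecos: BTSTEST B'

# Demonstration run against the constructed samples.
hidden_from_machine "$SAMPLE_MACHINE" "$SAMPLE_ADMIN"
```

The offline run prints "uidnumber", "gidnumber" and "gecos", the three attributes winbind would need and cannot see in the scenario described. The same comparison works for the group object, where the post shows both views agreeing, so the function prints nothing.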



