[Samba] winbind idmap_ad rfc2037 can't read UIdnumber
mathias dufresne
infractory at gmail.com
Tue Jul 5 14:26:34 UTC 2016
A dumb question: can you perform ldapsearch on the same object(s) with the same
account (the one not working when used with the net command)?
2016-07-05 16:11 GMT+02:00 Raphaël RIGNIER <r.rignier at leschartreux.net>:
> Le 05/07/2016 à 09:33, Raphaël RIGNIER a écrit :
>
>> Le 04/07/2016 à 20:09, Rowland penny a écrit :
>>
>>> On 04/07/16 18:35, Raphaël RIGNIER wrote:
>>>
>>>> Hi Samba team!
>>>>
>>>> I have been trying for hours to resolve a problem I have with a Linux host (Samba
>>>> 4.3.9, Ubuntu 16.04) as AD member. DCs are Windows 2008 R2, one is 2012 R2.
>>>> Forest level is 2003 R2.
>>>>
>>>> my smb.conf:
>>>> [GLOBAL]
>>>> netbios name = CR-DEV-01
>>>> security = ADS
>>>> workgroup = ADDOMAIN
>>>> realm = ADDOMAIN.COM
>>>>
>>>>
>>>> idmap config *:backend = tdb
>>>> idmap config *:range = 2000-9998
>>>>
>>>> idmap config ADDOMAIN:backend = ad
>>>> idmap config ADDOMAIN:schema_mode = rfc2307
>>>> idmap config ADDOMAIN:range = 9999-999999
>>>>
>>>> winbind nss info = rfc2307
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> winbind use default domain = yes
>>>>
>>>> The range start 9999 is the "Domain's user" gidNumber, to have a default
>>>> primary group.
>>>> Shared uids and gids start at 10000.
>>>>
>>>> The test for groups:
>>>> --------------
>>>> # net ads search '(SamAccountName=info2)' samaccountname gidnumber -P
>>>> Got 1 replies
>>>>
>>>> sAMAccountName: info2
>>>> gidNumber: 10002
>>>> ------------------
>>>> # getent group info2
>>>> info2:x:10002:
>>>> ------------------
>>>> All is OK
>>>>
>>>>
>>>>
>>>> For the user, it is not working as expected:
>>>> -------------
>>>> # net ads search '(SamAccountName=b.btstest)' samaccountName uinumber
>>>> gidnumber gecos -P
>>>> Got 1 replies
>>>>
>>>> sAMAccountName: b.btstest
>>>> --------------------------------
>>>> No uidnumber, gidnumber, gecos?
>>>>
>>>> Same search with the admin account:
>>>> ------------------------
>>>> net ads search '(SamAccountName=b.btstest)' samaccountName uinumber
>>>> gidnumber gecos -U administrator
>>>> Enter administrator's password:
>>>> Got 1 replies
>>>>
>>>> sAMAccountName: b.btstest
>>>> uidNumber: 13367
>>>> gidNumber: 10002
>>>> gecos: BTSTEST B
>>>> ---------------
>>>>
>>>> -----
>>>> #getent passwd b.btstest (no output)
>>>> ------
>>>> Winbind output
>>>> ------
>>>> getpwnam b.btstest
>>>> Could not convert sid S-1-5-21-4272071638-3509717963-3151537417-7471:
>>>> NT_STATUS_NONE_MAPPED
>>>> ----------
>>>> This is the same for all mapped AD users (3042 users).
>>>>
>>>> Does Winbind make queries on DCs with the machine account?
>>>> Does that mean a bad AD schema?
>>>>
>>>> Strange behavior.
>>>>
>>>> Thanks for help.
>>>>
>>>>
>>> What 'libpam-*' packages do you have installed ?
>>>
>>> What have you got in /etc/nsswitch.conf
>>>
>>> Rowland
>>>
>>>
>> AFAIK, libpam is not used at this stage of the test. Only libnss_winbind
>> should be used.
>> Here is the libpam list:
>>
>> ii libpam-cap:amd64 1:2.24-12
>> ii libpam-ck-connector:amd64 0.4.6-5
>> ii libpam-gnome-keyring:amd64 3.18.3-0ubuntu2
>> ii libpam-krb5:amd64 4.7-2
>> ii libpam-modules:amd64 1.1.8-3.2ubuntu2
>> ii libpam-modules-bin 1.1.8-3.2ubuntu2
>> ii libpam-runtime 1.1.8-3.2ubuntu2
>> ii libpam-systemd:amd64 229-4ubuntu6
>> ii libpam-winbind:amd64 2:4.3.9+dfsg-0ubuntu0.16.04.2
>> ii libpam0g:amd64 1.1.8-3.2ubuntu2
>>
>> pam_krb5 (my old auth method) is disabled via pam-update-auth
>>
>> my /etc/nsswitch.conf
>> passwd: compat winbind
>> group: compat winbind
>> #passwd: compat ldap
>> #group: compat ldap
>> shadow: compat
>>
>> hosts: files mdns4_minimal [NOTFOUND=return] dns
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>>
>>
>> I have checked PosixGroup and PosixAccount schema rights on the DC and
>> those are the same.
>
> Rejoin of the Linux host did nothing. Still investigating.
>
>
>
>
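One way to turn the thread's two `net ads search` answers into a quick check of what idmap_ad (rfc2307) needs. This is an example added here, not code from the original post or from Samba; it parses the idmap ranges from the poster's smb.conf and the two replies (constructed from the lines quoted above) and reports attributes that are missing, readable only by the administrator, or outside the domain's configured range.

```python
import re

# Constructed inputs copied from the thread: the idmap part of the smb.conf
# and the two `net ads search` answers (machine account vs. administrator).
SMB_CONF = """
idmap config *:backend = tdb
idmap config *:range = 2000-9998
idmap config ADDOMAIN:backend = ad
idmap config ADDOMAIN:schema_mode = rfc2307
idmap config ADDOMAIN:range = 9999-999999
"""
AS_MACHINE = "Got 1 replies\n\nsAMAccountName: b.btstest\n"
AS_ADMIN = ("Got 1 replies\n\nsAMAccountName: b.btstest\nuidNumber: 13367\n"
            "gidNumber: 10002\ngecos: BTSTEST B\n")


def parse_ranges(conf):
    """Map idmap domain name -> (low, high) from 'idmap config X:range' lines."""
    pat = re.compile(r"idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)")
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in pat.finditer(conf)}


def parse_search(text):
    """Turn the 'attr: value' lines of a `net ads search` reply into a dict (keys lowercased)."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("Got "):
            key, value = line.split(":", 1)
            attrs[key.strip().lower()] = value.strip()
    return attrs


def diagnose(domain, as_machine, as_admin, conf):
    """Return findings that would make idmap_ad answer NT_STATUS_NONE_MAPPED."""
    low, high = parse_ranges(conf)[domain]
    machine, admin = parse_search(as_machine), parse_search(as_admin)
    findings = []
    for attr in ("uidnumber", "gidnumber"):
        if attr not in admin:
            findings.append(f"{attr} is not set on the object (no value even as admin)")
            continue
        value = int(admin[attr])
        if attr not in machine:  # value exists but the machine account cannot read it
            findings.append(f"{attr} readable as admin but not as machine account: "
                            f"check the read ACL on the attribute")
        if not low <= value <= high:  # winbind only maps ids inside the domain range
            findings.append(f"{attr}={value} is outside {domain} range {low}-{high}")
    return findings


if __name__ == "__main__":
    for finding in diagnose("ADDOMAIN", AS_MACHINE, AS_ADMIN, SMB_CONF):
        print(finding)
```

Run against the thread's data it reports both uidNumber and gidNumber as readable by the administrator but not by the machine account, which matches the `getpwnam` failure while `getent group` works.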