[Samba] winbind idmap_ad rfc2307 can't read uidNumber

Rowland penny rpenny at samba.org
Tue Jul 5 15:07:26 UTC 2016


On 05/07/16 08:33, Raphaël RIGNIER wrote:
> On 04/07/2016 at 20:09, Rowland penny wrote:
>> On 04/07/16 18:35, Raphaël RIGNIER wrote:
>>> Hi samba team!
>>>
>>> I have been trying for hours to resolve a problem I have with a Linux 
>>> host (Samba 4.3.9, Ubuntu 16.04) as AD member. DCs are Windows 2008 R2, 
>>> one is 2012 R2. Forest level is 2003 R2.
>>>
>>> my smb.conf :
>>> [GLOBAL]
>>>         netbios name = CR-DEV-01
>>>         security = ADS
>>>         workgroup = ADDOMAIN
>>>         realm = ADDOMAIN.COM
>>>
>>>
>>>         idmap config *:backend = tdb
>>>         idmap config *:range = 2000-9998
>>>
>>>         idmap config ADDOMAIN:backend = ad
>>>         idmap config ADDOMAIN:schema_mode = rfc2307
>>>         idmap config ADDOMAIN:range = 9999-999999
>>>
>>>         winbind nss info = rfc2307
>>>         winbind enum users = yes
>>>         winbind enum groups = yes
>>>         winbind use default domain = yes
>>>
>>> 9999 start range is "Domain's user" GidNumber, to have a default 
>>> primary group.
>>> Shared uid and gid starts with 10000.
>>>
>>> The test for groups :
>>> --------------
>>> # net ads search '(SamAccountName=info2)' samaccountname gidnumber  -P
>>> Got 1 replies
>>>
>>> sAMAccountName: info2
>>> gidNumber: 10002
>>> ------------------
>>> #  getent group info2
>>> info2:x:10002:
>>> ------------------
>>> All is OK
>>>
>>>
>>>
>>> For the user, it is not working as expected:
>>> -------------
>>> # net ads search '(SamAccountName=b.btstest)'  samaccountName 
>>> uinumber gidnumber gecos -P
>>> Got 1 replies
>>>
>>> sAMAccountName: b.btstest
>>> --------------------------------
>>> No uidnumber, gidnumber, gecos?
>>>
>>> Same search with admin account:
>>> ------------------------
>>> net ads search '(SamAccountName=b.btstest)'  samaccountName uinumber 
>>> gidnumber gecos -U administrator
>>> Enter administrator's password:
>>> Got 1 replies
>>>
>>> sAMAccountName: b.btstest
>>> uidNumber: 13367
>>> gidNumber: 10002
>>> gecos: BTSTEST B
>>> ---------------
>>>
>>> -----
>>> #getent passwd b.btstest (no output)
>>> ------
>>> Winbind output
>>> ------
>>> getpwnam b.btstest
>>> Could not convert sid 
>>> S-1-5-21-4272071638-3509717963-3151537417-7471: NT_STATUS_NONE_MAPPED
>>> ----------
>>> This is the same for all mapped AD users (3042 users).
>>>
>>> Does Winbind make queries on DCs with the machine account?
>>> Does that mean a bad AD schema?
>>>
>>> Strange behavior.
>>>
>>> Thanks for help.
>>>
>>
>> What 'libpam-*' packages do you have installed?
>>
>> What have you got in /etc/nsswitch.conf?
>>
>> Rowland
>>
>>
> AFAIK, libpam is not used at this stage of the test. Only libnss_winbind 
> should be used.
> Here is the libpam list:
>
> ii  libpam-cap:amd64           1:2.24-12
> ii  libpam-ck-connector:amd64  0.4.6-5
> ii  libpam-gnome-keyring:amd64 3.18.3-0ubuntu2
> ii  libpam-krb5:amd64          4.7-2
> ii  libpam-modules:amd64       1.1.8-3.2ubuntu2
> ii  libpam-modules-bin         1.1.8-3.2ubuntu2
> ii  libpam-runtime             1.1.8-3.2ubuntu2
> ii  libpam-systemd:amd64       229-4ubuntu6
> ii  libpam-winbind:amd64       2:4.3.9+dfsg-0ubuntu0.16.04.2
> ii  libpam0g:amd64             1.1.8-3.2ubuntu2
>
> pam_krb5 (my old auth method) is disabled via pam-auth-update
>
> my /etc/nsswitch.conf
> passwd:         compat winbind
> group:          compat winbind
> #passwd:         compat ldap
> #group:          compat ldap
> shadow:         compat
>
> hosts:          files mdns4_minimal [NOTFOUND=return] dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
>

OK, everything looks correct there, but I have had a second thought. You 
posted:

net ads search '(SamAccountName=b.btstest)'  samaccountName uinumber 
gidnumber gecos -U administrator
Enter administrator's password:
Got 1 replies

sAMAccountName: b.btstest
uidNumber: 13367
gidNumber: 10002
gecos: BTSTEST B
---------------

-----
#getent passwd b.btstest (no output)
------

You also posted:

# net ads search '(SamAccountName=info2)' samaccountname gidnumber -P
Got 1 replies

sAMAccountName: info2
gidNumber: 10002
------------------
#  getent group info2
info2:x:10002:

Now if I do something similar:

net ads search '(SamAccountName=rowland)'  samaccountName uidnumber 
gidnumber gecos -U administrator
Enter administrator's password:
Got 1 replies

sAMAccountName: rowland
uidNumber: 10000
gidNumber: 10000
gecos: Rowland Penny

rowland@devstation:~/programming/git/samba-master$ getent group 10000
domain_users:x:10000

Have you changed the 'primaryGroupID' attribute for the users ?

Rowland
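The two `net ads search` results in this thread differ only in which account ran the query: the machine account (`-P`) got back no RFC2307 attributes, the administrator got them all. The script below is an added example, not code from the thread or from Samba: it parses `net ads search` output (constructed samples modelled on the ones above) and reports whether `uidNumber`/`gidNumber` are present and inside the `idmap config ADDOMAIN:range` from the smb.conf above, separating "attribute not visible to this account" from "value outside the idmap range", which are the two ways winbind ends up with NT_STATUS_NONE_MAPPED for an rfc2307 user.

```shell
#!/bin/sh
# Added example: check RFC2307 attributes from `net ads search` against the
# idmap range configured in the thread's smb.conf (9999-999999). Not Samba code.
RANGE_LOW=9999
RANGE_HIGH=999999

# Constructed sample: the machine-account (-P) result for b.btstest in the thread.
SAMPLE_MACHINE='Got 1 replies

sAMAccountName: b.btstest'

# Constructed sample: the administrator result for the same user.
SAMPLE_ADMIN='Got 1 replies

sAMAccountName: b.btstest
uidNumber: 13367
gidNumber: 10002
gecos: BTSTEST B'

# attr_value OUTPUT ATTR: print the attribute's value (name matched
# case-insensitively, as LDAP attribute names are), empty if absent.
attr_value() {
    printf '%s\n' "$1" | awk -v a="$2" \
        'BEGIN { key = tolower(a) ":" } tolower($1) == key { print $2; exit }'
}

# in_range VALUE: succeed only for a decimal number inside the idmap range.
in_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$RANGE_LOW" ] && [ "$1" -le "$RANGE_HIGH" ]
}

# check_mapping OUTPUT: print a verdict; return 0 if idmap_ad can map the
# user, 1 if an attribute is missing (absent, or not readable by the account
# that ran the search), 2 if a value lies outside the configured range.
check_mapping() {
    uid=$(attr_value "$1" uidNumber)
    gid=$(attr_value "$1" gidNumber)
    if [ -z "$uid" ] || [ -z "$gid" ]; then
        echo "MISSING: uidNumber='$uid' gidNumber='$gid' (compare -P with -U results)"
        return 1
    fi
    if ! in_range "$uid" || ! in_range "$gid"; then
        echo "OUT_OF_RANGE: uid=$uid gid=$gid not within $RANGE_LOW-$RANGE_HIGH"
        return 2
    fi
    echo "OK: uid=$uid gid=$gid"
}

check_mapping "$SAMPLE_MACHINE" || true
check_mapping "$SAMPLE_ADMIN"   || true
```

In practice feed it `net ads search '(sAMAccountName=USER)' uidNumber gidNumber -P` and then the same query with `-U`, so that a MISSING verdict for `-P` alone points at what the machine account is allowed to read rather than at the schema.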