[Samba] winbind idmap_ad rfc2037 can't read UIdnumber

Raphaël RIGNIER r.rignier at leschartreux.net
Tue Jul 5 16:56:20 UTC 2016


On 05/07/2016 at 17:07, Rowland penny wrote:
> On 05/07/16 08:33, Raphaël RIGNIER wrote:
>> On 04/07/2016 at 20:09, Rowland penny wrote:
>>> On 04/07/16 18:35, Raphaël RIGNIER wrote:
>>>> Hi samba team !
>>>>
>>>> I have been trying for hours to resolve a problem I have with a Linux 
>>>> host (Samba 4.3.9, Ubuntu 16.04) as AD member. DCs are Windows 2008 R2; 
>>>> one is 2012 R2. Forest level is 2003 R2.
>>>>
>>>> my smb.conf :
>>>> [GLOBAL]
>>>>         netbios name = CR-DEV-01
>>>>         security = ADS
>>>>         workgroup = ADDOMAIN
>>>>         realm = ADDOMAIN.COM
>>>>
>>>>
>>>>         idmap config *:backend = tdb
>>>>         idmap config *:range = 2000-9998
>>>>
>>>>         idmap config ADDOMAIN:backend = ad
>>>>         idmap config ADDOMAIN:schema_mode = rfc2307
>>>>         idmap config ADDOMAIN:range = 9999-999999
>>>>
>>>>         winbind nss info = rfc2307
>>>>         winbind enum users = yes
>>>>         winbind enum groups = yes
>>>>         winbind use default domain = yes
>>>>
>>>> The range start of 9999 is the gidNumber of "Domain Users", to have a 
>>>> default primary group.
>>>> Shared uids and gids start with 10000.
>>>>
>>>> The test for groups :
>>>> --------------
>>>> # net ads search '(SamAccountName=info2)' samaccountname gidnumber  -P
>>>> Got 1 replies
>>>>
>>>> sAMAccountName: info2
>>>> gidNumber: 10002
>>>> ------------------
>>>> #  getent group info2
>>>> info2:x:10002:
>>>> ------------------
>>>> All is OK
>>>>
>>>>
>>>>
>>>> For the User, it is not working as expected :
>>>> -------------
>>>> # net ads search '(SamAccountName=b.btstest)' samaccountName 
>>>> uinumber gidnumber gecos -P
>>>> Got 1 replies
>>>>
>>>> sAMAccountName: b.btstest
>>>> --------------------------------
>>>> No uidnumber, gidnumber, gecos?
>>>>
>>>> Same search with admin account :
>>>> ------------------------
>>>> net ads search '(SamAccountName=b.btstest)'  samaccountName 
>>>> uinumber gidnumber gecos -U administrator
>>>> Enter administrator's password:
>>>> Got 1 replies
>>>>
>>>> sAMAccountName: b.btstest
>>>> uidNumber: 13367
>>>> gidNumber: 10002
>>>> gecos: BTSTEST B
>>>> ---------------
>>>>
>>>> -----
>>>> #getent passwd b.btstest (no output)
>>>> ------
>>>> Winbind output
>>>> ------
>>>> getpwnam b.btstest
>>>> Could not convert sid 
>>>> S-1-5-21-4272071638-3509717963-3151537417-7471: NT_STATUS_NONE_MAPPED
>>>> ----------
>>>> This is the same for all mapped AD users (3042 users).
>>>>
>>>> Does Winbind make its queries on the DCs with the machine account?
>>>> Does that mean a bad AD schema?
>>>>
>>>> Strange behavior.
>>>>
>>>> Thanks for help.
>>>>
>>>
>>> What 'libpam-*' packages do you have installed?
>>>
>>> What have you got in /etc/nsswitch.conf?
>>>
>>> Rowland
>>>
>>>
>> AFAIK, libpam is not used at this stage of the test. Only libnss_winbind 
>> should be used.
>> Here is the libpam list:
>>
>> ii  libpam-cap:amd64           1:2.24-12
>> ii  libpam-ck-connector:amd64  0.4.6-5
>> ii  libpam-gnome-keyring:amd64 3.18.3-0ubuntu2
>> ii  libpam-krb5:amd64          4.7-2
>> ii  libpam-modules:amd64       1.1.8-3.2ubuntu2
>> ii  libpam-modules-bin         1.1.8-3.2ubuntu2
>> ii  libpam-runtime             1.1.8-3.2ubuntu2
>> ii  libpam-systemd:amd64       229-4ubuntu6
>> ii  libpam-winbind:amd64       2:4.3.9+dfsg-0ubuntu0.16.04.2
>> ii  libpam0g:amd64             1.1.8-3.2ubuntu2
>>
>> pam_krb5 (my old auth method) is disabled via pam-update-auth
>>
>> my /etc/nsswitch.conf:
>> passwd:         compat winbind
>> group:          compat winbind
>> #passwd:         compat ldap
>> #group:          compat ldap
>> shadow:         compat
>>
>> hosts:          files mdns4_minimal [NOTFOUND=return] dns
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>>
>>
>
> OK, everything looks correct there, but I have had a second thought, 
> you posted:
>
> net ads search '(SamAccountName=b.btstest)'  samaccountName uinumber 
> gidnumber gecos -U administrator
> Enter administrator's password:
> Got 1 replies
>
> sAMAccountName: b.btstest
> uidNumber: 13367
> gidNumber: 10002
> gecos: BTSTEST B
> ---------------
>
> -----
> #getent passwd b.btstest (no output)
> ------
>
> You also posted:
>
> # net ads search '(SamAccountName=info2)' samaccountname gidnumber -P
> Got 1 replies
>
> sAMAccountName: info2
> gidNumber: 10002
> ------------------
> #  getent group info2
> info2:x:10002:
>
> Now if I do something similar:
>
> net ads search '(SamAccountName=rowland)'  samaccountName uidnumber 
> gidnumber gecos -U administrator
> Enter administrator's password:
> Got 1 replies
>
> sAMAccountName: rowland
> uidNumber: 10000
> gidNumber: 10000
> gecos: Rowland Penny
>
> rowland at devstation:~/programming/git/samba-master$ getent group 10000
> domain_users:x:10000
>
> Have you changed the 'primaryGroupID' attribute for the users?
>
> Rowland
>
>
The strange behavior is the different output between the group object and 
the user object, and between

net ads search -U administrator
net ads search -P

In the Samba Wiki, primarygroupid refers to the one in the user's "Unix 
Attributes" tab, which is in fact gidNumber (I have made tests to check 
this).
The primaryGroupID attribute refers to the POSIX primary group in the user's 
"member of" tab, which is a conversion from the SID. Both are different 
numbers but point to the same group.
I find this quite confusing.
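The thread compares the machine-account (-P) and administrator (-U) results of `net ads search` by eye. As an added example, not code from the thread or from the Samba project, the Python below parses that output format, lists the attributes the machine-account bind did not get back, and checks the returned uidNumber/gidNumber against the idmap ranges from the smb.conf quoted above. The sample outputs are constructed from the values posted in the thread (plus one constructed out-of-range case), and the function names are my own.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed samples reproducing the 'net ads search' output format shown in
# the thread: first the machine-account run (-P), then the administrator run (-U).
MACHINE_ACCOUNT_OUTPUT = """Got 1 replies

sAMAccountName: b.btstest
"""

ADMIN_OUTPUT = """Got 1 replies

sAMAccountName: b.btstest
uidNumber: 13367
gidNumber: 10002
gecos: BTSTEST B
"""

# Constructed variant: attributes are readable, but uidNumber is below the domain range.
OUT_OF_RANGE_OUTPUT = """Got 1 replies

sAMAccountName: someone
uidNumber: 5000
gidNumber: 10002
"""

# idmap ranges copied from the smb.conf in the thread (domain -> (low, high)).
IDMAP_RANGES: Dict[str, Tuple[int, int]] = {
    "ADDOMAIN": (9999, 999999),
    "*": (2000, 9998),
}

# One 'attribute: value' line of net ads search output.
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")


def parse_net_ads_search(text: str) -> Dict[str, str]:
    """Parse the 'attribute: value' lines of a single net ads search reply.

    Keys are lower-cased because LDAP attribute names are case-insensitive.
    Lines such as 'Got 1 replies' carry no colon and are skipped.
    """
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        m = ATTR_LINE.match(line.strip())
        if m:
            attrs[m.group(1).lower()] = m.group(2).strip()
    return attrs


def hidden_attributes(machine: Dict[str, str], admin: Dict[str, str]) -> Set[str]:
    """Attributes returned to the administrator bind but not to the machine-account bind."""
    return set(admin) - set(machine)


def in_idmap_range(value: str, domain: str) -> bool:
    """True if value is an integer inside the configured idmap range for domain."""
    try:
        n = int(value)
    except ValueError:
        return False
    lo, hi = IDMAP_RANGES[domain]
    return lo <= n <= hi


def diagnose(machine_text: str, admin_text: str, domain: str = "ADDOMAIN") -> List[str]:
    """For each RFC2307 id attribute, say why the ad backend could fail to map the user."""
    machine = parse_net_ads_search(machine_text)
    admin = parse_net_ads_search(admin_text)
    hidden = hidden_attributes(machine, admin)
    findings: List[str] = []
    for attr in ("uidnumber", "gidnumber"):
        if attr not in admin:
            findings.append(f"{attr} is not set on the object; the ad backend has nothing to map")
        elif attr in hidden:
            findings.append(f"{attr} is readable as administrator but not by the machine account")
        elif not in_idmap_range(admin[attr], domain):
            lo, hi = IDMAP_RANGES[domain]
            findings.append(f"{attr}={admin[attr]} is outside idmap range {lo}-{hi} for {domain}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(MACHINE_ACCOUNT_OUTPUT, ADMIN_OUTPUT):
        print(finding)
    for finding in diagnose(OUT_OF_RANGE_OUTPUT, OUT_OF_RANGE_OUTPUT):
        print(finding)
```

Run against the thread's two outputs it reports uidNumber and gidNumber as readable by the administrator but not by the machine account, which is the difference winbind sees when it queries with the machine credentials; the out-of-range case shows the other reason a present attribute still yields no mapping.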