[Samba] Winbind doesn't honor rfc2307 data set in AD (Samba 4.3.6 on Debian jessie)

Rowland penny rpenny at samba.org
Thu Mar 24 10:26:08 UTC 2016


On 24/03/16 09:37, Simone Rossetto wrote:
> Hi all, I've just installed Samba 4.3.6 on Debian jessie amd64 (as
> described in the wiki [1]) and everything seems to work properly
> except for rfc2307 data that winbind doesn't retrieve from AD backend,
> shell is always "/bin/false", homedir is always
> "/home/DOMAIN/username" and "getent passwd" also lists user without
> unix attributes.
> I have configured idmap_ad as described here [2] with rfc2307.
>
> Hereafter my configuration:
>
> # cat /etc/samba/smb.conf
> [global]
>    log level = 5
>    workgroup = VBOX
>    realm = VBOX.LOCAL
>    netbios name = ARTURO
>    interfaces = lo eth1
>    bind interfaces only = Yes
>    server role = active directory domain controller
>    idmap_ldb:use rfc2307 = yes
>
>    allow dns updates = nonsecure
>    dns forwarder = 192.168.0.1
>
>    idmap config *:backend = tdb
>    idmap config *:range = 2000-9999
>
>    idmap config VBOX:backend = ad
>    idmap config VBOX:schema_mode = rfc2307
>    idmap config VBOX:range = 10000-99999
>
>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users = yes
>    winbind enum groups = yes
>    [...]
>
> # cat /etc/nsswitch.conf
> passwd:         compat winbind
> group:          compat winbind
> [...]
>
> # getent passwd
> [...]
> VBOX\administrator:*:0:100::/home/VBOX/administrator:/bin/false
> VBOX\krbtgt:*:3000017:100::/home/VBOX/krbtgt:/bin/false
> VBOX\simone:*:10000:100:Simone Rossetto:/home/VBOX/simone:/bin/false
> VBOX\guest:*:3000011:100::/home/VBOX/guest:/bin/false
> VBOX\dhcp:*:3000044:100::/home/VBOX/dhcp:/bin/false
>
> # getent group
> [...]
> VBOX\domain admins:x:3000008:
> VBOX\domain users:x:100:
> VBOX\domain guests:x:3000012:
> [...]
>
>
> The user VBOX\dhcp has no unix attribute set but it is still listed
> with an uid-number outside "valid" range:
>
> # ldbsearch -H /var/lib/samba/private/sam.ldb cn=dhcp
> dn: CN=dhcp,CN=Users,DC=vbox,DC=local
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: dhcp
> description: Unprivileged user for DNS updates via DHCP server
> instanceType: 4
> whenCreated: 20160322092859.0Z
> uSNCreated: 3788
> name: dhcp
> objectGUID: f3db65e5-324e-4a7b-b2a7-0680cc15ea03
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-1467633039-1902955928-3249331824-1104
> logonCount: 0
> sAMAccountName: dhcp
> sAMAccountType: 805306368
> userPrincipalName: dhcp at vbox.local
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=vbox,DC=local
> pwdLastSet: 131031125390000000
> userAccountControl: 66048
> accountExpires: 0
> whenChanged: 20160322092935.0Z
> uSNChanged: 3791
> memberOf: CN=DnsAdmins,CN=Users,DC=vbox,DC=local
> distinguishedName: CN=dhcp,CN=Users,DC=vbox,DC=local
>
>
> While user VBOX\simone has both shell and homedir but they are not retrieved:
>
> # ldbsearch -H /var/lib/samba/private/sam.ldb cn=simone
> dn: CN=simone,CN=Users,DC=vbox,DC=local
> cn: simone
> sn: Rossetto
> givenName: Simone
> [...]
> uidNumber: 10000
> gecos: Simone Rossetto,,,
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> [...]
> msSFU30NisDomain: vbox
> msSFU30Name: simone
> unixUserPassword: ABCD!efgh12345$67890
> uid: simone
> lockoutTime: 0
> loginShell: /bin/bash
> gidNumber: 100
> unixHomeDirectory: /home/simone
>
>
> What have I misconfigured?
>
>

You are hitting one of the problems with using a DC as a fileserver: you 
only get uidNumber & gidNumber attributes from AD. If these are found in 
AD, they are used; if they aren't, then idmap will create one using the 
'3000000' base.
You can set, per domain, home directories & login shell with 'template 
homedir' & 'template shell', i.e.

         template homedir = /home/%U
         template shell = /bin/bash

Rowland
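Added example, not code from the thread or from the Samba project: a small POSIX sh audit that reads "getent passwd" output and classifies each entry by where its uid came from, using the ranges in the posted smb.conf (10000-99999 for the VBOX ad backend) and the 3000000 base that idmap uses for ids it allocates itself when no uidNumber is set. The sample input is constructed from the getent output quoted in the question; the range constants and the function names are this example's own assumptions. The ldbsearch command in the trailing comment is the check to run on the DC itself and is not executed here.

```shell
#!/bin/sh
# Added example (not from the original thread): flag accounts whose uid was
# not taken from the rfc2307 uidNumber attribute in AD.
# Assumptions (from the posted smb.conf and the reply): the ad backend range
# is 10000-99999, and ids >= 3000000 were allocated by idmap itself.

AD_LOW=10000
AD_HIGH=99999
AUTO_BASE=3000000

# classify_uid UID -> prints "rfc2307", "autoallocated", "builtin" or "unknown"
classify_uid() {
    case $1 in
        ''|*[!0-9]*) printf 'unknown\n'; return 0 ;;
    esac
    if [ "$1" -ge "$AD_LOW" ] && [ "$1" -le "$AD_HIGH" ]; then
        printf 'rfc2307\n'          # came from uidNumber in AD
    elif [ "$1" -ge "$AUTO_BASE" ]; then
        printf 'autoallocated\n'    # idmap made one up: no uidNumber in AD
    else
        printf 'builtin\n'          # root, Domain Users gid 100, etc.
    fi
}

# audit_passwd: reads passwd-format lines on stdin, prints
# "<class> <name> <uid> <shell>" per entry, and returns 1 if any entry was
# auto-allocated (i.e. the account lacks uidNumber), 0 otherwise.
audit_passwd() {
    audit_rc=0
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -n "$name" ] || continue
        class=$(classify_uid "$uid")
        [ "$class" = autoallocated ] && audit_rc=1
        printf '%s %s %s %s\n' "$class" "$name" "$uid" "$shell"
    done
    return $audit_rc
}

# count_autoallocated: number of auto-allocated entries in stdin.
count_autoallocated() {
    audit_passwd | grep -c '^autoallocated '
}

# Constructed sample: the getent passwd lines quoted in the question.
SAMPLE='VBOX\administrator:*:0:100::/home/VBOX/administrator:/bin/false
VBOX\krbtgt:*:3000017:100::/home/VBOX/krbtgt:/bin/false
VBOX\simone:*:10000:100:Simone Rossetto:/home/VBOX/simone:/bin/false
VBOX\guest:*:3000011:100::/home/VBOX/guest:/bin/false
VBOX\dhcp:*:3000044:100::/home/VBOX/dhcp:/bin/false'

# On a live DC, feed the real data instead:   getent passwd | audit_passwd
# and list the accounts that actually lack uidNumber straight from sam.ldb:
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#       '(&(objectClass=user)(!(uidNumber=*)))' sAMAccountName
if printf '%s\n' "$SAMPLE" | audit_passwd; then
    printf 'all listed accounts carry uidNumber\n'
else
    printf 'WARNING: some accounts have no uidNumber in AD (auto-allocated ids)\n'
fi
```

Entries classified as autoallocated are the ones getent shows only because winbind enum users = yes is set; they will keep the template shell and homedir regardless of what is in AD. For the user that does have uidNumber (VBOX\simone above) the 10000 uid confirms the ad backend is consulted; the shell and home directory still come from the template settings on a DC, as the reply says.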
