[Samba] Winbind on AD DC not honoring rfc2307 gid entries
Data Control Systems - Mike Elkevizth
mike at datacontrolsystems.com
Fri May 27 16:44:41 UTC 2016
Hi,
I have a somewhat complicated Samba AD DC setup with four remote site AD
DCs (connected via VPN). These DCs also act as file servers (yes, I read
the warning in the documentation, but we don't have the resources to add
separate file servers at each site and we would like each server to be a DC
because of the sometimes flaky VPN connections). We have some notebook
"workstations" that travel between sites and have to be able to access the
files on the file server (which is the DC) and occasionally log in to the DC
directly. The main issue that I'm having (there are plenty of little
naggers too) is that the winbind nss on the DCs won't honor the rfc2307
entries consistently. One of the DCs (the newest one) is honoring the
rfc2307 gid map entries, but the other ones are not. None of them seem to
honor the rfc2307 login shell entries, but I've found adding the template
shell = configuration option does allow the login shell to be set (although
for all users as opposed to the per user rfc2307 entries). The smb.conf
configurations are identical except for the netbios names, interfaces, and
tls key filenames. It seems like there is something hardcoded into the DCs
that wants to make the Domain Users group map to the standard unix
"users:x:100:" group and it also wants to map the administrator user
account to "root:x:0:..." Any ideas about what can be done to get this to
work?
# getent group (on DC3)
...
DCS\domain admins:x:2000: <---- Correct (rfc2307 entry mapped)
DCS\domain users:x:2001: <---- Correct (rfc2307 entry mapped)
DCS\domain guests:x:2002: <---- Correct (rfc2307 entry mapped)
DCS\domain computers:x:3000038:
DCS\domain controllers:x:3000039:
...
# getent group (on DC1)
...
DCS\domain admins:x:3000008: <---- Incorrect (rfc2307 entry not mapped)
DCS\domain users:x:100: <---- Incorrect (rfc2307 entry not mapped)
DCS\domain guests:x:2002: <---- Correct (rfc2307 entry mapped)
DCS\domain computers:x:3000038:
DCS\domain controllers:x:3000039:
...
# getent group (on DC2)
...
DCS\domain admins:x:2000: <---- Correct (rfc2307 entry mapped)
DCS\domain users:x:100: <---- Incorrect (rfc2307 entry not mapped)
DCS\domain guests:x:2002: <---- Correct (rfc2307 entry mapped)
DCS\domain computers:x:3000034:
DCS\domain controllers:x:3000035:
...
# getent group 2001 (on DC3)
DCS\domain users:x:2001:
# getent group 2001 (on DC1 and DC2) <---- So somehow, winbind knows the 2001 rfc2307 entry, but maps it incorrectly
DCS\domain users:x:100:
# testparm
[global]
workgroup = DCS
realm = DCS.DATACONTROLSYSTEMS.COM
interfaces = 192.168.8.5 127.0.0.1
bind interfaces only = Yes
server role = active directory domain controller
passdb backend = samba_dsdb
printcap name = /dev/null
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
tls keyfile = /var/lib/samba/private/tls/dcss501_key.pem
tls certfile = /var/lib/samba/private/tls/dcss501_cert.pem
tls cafile =
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
printing = bsd
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4 acl_xattr
[shares]...
Thanks for the help.
Mike E.
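A small cross-DC audit script, added here as an example and not part of the original post or of Samba itself. It parses `getent group` output captured on each DC, compares the gids against the rfc2307 gidNumber values the admin expects, and flags groups that differ between DCs. The sample output and the expected gids are constructed from the figures quoted above; the 3000000 threshold for "auto-allocated by the DC's local idmap.ldb" is inferred from those same figures (each DC keeps its own idmap.ldb, which is not replicated, so auto-allocated ids are expected to diverge between DCs while rfc2307-backed ids should not).

```python
"""Audit winbind group-id mappings across several Samba AD DCs.

Added example: parses `getent group` output captured on each DC, checks
it against the rfc2307 gidNumber values that should win, and reports
groups whose gid differs from DC to DC.  Sample data is constructed
from the figures quoted in the mailing-list post above.
"""
from collections import defaultdict

# Ids at or above this value are assumed to come from the DC-local
# idmap.ldb allocator rather than from an rfc2307 attribute (inferred
# from the quoted output; adjust for your own deployment).
AUTO_ALLOC_LOW = 3000000

# Constructed from the three `getent group` listings in the post.
SAMPLE_OUTPUT = {
    "DC1": r"""
...
DCS\domain admins:x:3000008:
DCS\domain users:x:100:
DCS\domain guests:x:2002:
DCS\domain computers:x:3000038:
DCS\domain controllers:x:3000039:
...
""",
    "DC2": r"""
...
DCS\domain admins:x:2000:
DCS\domain users:x:100:
DCS\domain guests:x:2002:
DCS\domain computers:x:3000034:
DCS\domain controllers:x:3000035:
...
""",
    "DC3": r"""
...
DCS\domain admins:x:2000:
DCS\domain users:x:2001:
DCS\domain guests:x:2002:
DCS\domain computers:x:3000038:
DCS\domain controllers:x:3000039:
...
""",
}

# The gidNumber values the post says are set in AD (constructed/assumed).
EXPECTED_GIDS = {
    r"DCS\domain admins": 2000,
    r"DCS\domain users": 2001,
    r"DCS\domain guests": 2002,
}


def parse_getent_group(text):
    """Return {group_name: gid} from `getent group` output.

    Lines that are not `name:x:gid:members` records (e.g. the '...'
    elision markers) are skipped rather than treated as errors.
    """
    mapping = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 3 or not parts[2].isdigit():
            continue
        mapping[parts[0]] = int(parts[2])
    return mapping


def audit(per_dc, expected):
    """Compare each DC's mappings with `expected` and with each other.

    per_dc:   {dc_name: {group: gid}}
    expected: {group: rfc2307 gidNumber}
    Returns {"mismatched": [(dc, group, got, want, kind)],
             "inconsistent": [(group, {dc: gid})]}
    where "inconsistent" covers groups without an expected gid whose
    id still differs between DCs.
    """
    mismatched = []
    for dc in sorted(per_dc):
        for group, want in expected.items():
            got = per_dc[dc].get(group)
            if got is None:
                mismatched.append((dc, group, None, want, "missing"))
            elif got != want:
                kind = "auto-allocated" if got >= AUTO_ALLOC_LOW else "outside auto range"
                mismatched.append((dc, group, got, want, kind))

    by_group = defaultdict(dict)
    for dc in sorted(per_dc):
        for group, gid in per_dc[dc].items():
            by_group[group][dc] = gid
    inconsistent = [
        (group, dcs) for group, dcs in sorted(by_group.items())
        if group not in expected and len(set(dcs.values())) > 1
    ]
    return {"mismatched": mismatched, "inconsistent": inconsistent}


def audit_sample():
    """Run the audit over the constructed sample output."""
    per_dc = {dc: parse_getent_group(text) for dc, text in SAMPLE_OUTPUT.items()}
    return audit(per_dc, EXPECTED_GIDS)


if __name__ == "__main__":
    report = audit_sample()
    for dc, group, got, want, kind in report["mismatched"]:
        print(f"{dc}: {group} has gid {got} ({kind}); rfc2307 gidNumber is {want}")
    for group, dcs in report["inconsistent"]:
        print(f"{group}: gid differs between DCs: {dcs}")
```

In practice the per-DC input would be `getent group` run on each controller (over ssh or collected by hand); the groups without an rfc2307 gidNumber will legitimately show as inconsistent because each DC allocates those ids locally, which is exactly why groups that must have the same gid on every file server need the rfc2307 attribute set and honored.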