[Samba] Winbind on AD DC not honoring rfc2307 gid entries

Rowland penny rpenny at samba.org
Fri May 27 17:10:59 UTC 2016


On 27/05/16 17:44, Data Control Systems - Mike Elkevizth wrote:
> Hi,
>
> I have a somewhat complicated Samba AD DC setup with four remote site AD
> DCs (connected via VPN).  These DCs also act as file servers (yes, I read
> the warning in the documentation, but we don't have the resources to add
> separate file servers at each site and we would like each server to be a DC
> because of the sometimes flaky VPN connections).  We have some notebook
> "workstations" that travel between sites and have to be able to access the
> files on the file server (which is the DC) and occasionally login to the DC
> directly.  The main issue that I'm having (there are plenty of little
> naggers too) is that the winbind nss on the DCs won't honor the rfc2307
> entries consistently.  One of the DCs (the newest one) is honoring the
> rfc2307 gid map entries, but the other ones are not.  None of them seem to
> honor the rfc2307 login shell entries, but I've found adding the template
> shell = configuration option does allow the login shell to be set (although
> for all users as opposed to the per user rfc2307 entries).  The smb.conf
> configurations are identical except for the netbios names, interfaces, and
> tls key filenames.  It seems like there is something hardcoded into the DCs
> that wants to make the Domain Users group map to the standard unix
> "users:x:100:" group and it also wants to map the administrator user
> account to "root:x:0:..."  Any ideas about what can be done to get this to
> work?
>
> # getent group (on DC3)
> ...
> DCS\domain admins:x:2000:        <---- Correct (rfc2307 entry mapped)
> DCS\domain users:x:2001:           <---- Correct (rfc2307 entry mapped)
> DCS\domain guests:x:2002:         <---- Correct (rfc2307 entry mapped)
> DCS\domain computers:x:3000038:
> DCS\domain controllers:x:3000039:
> ...
>
> # getent group (on DC1)
> ...
> DCS\domain admins:x:3000008:  <---- Incorrect (rfc2307 entry not mapped)
> DCS\domain users:x:100:             <---- Incorrect (rfc2307 entry not
> mapped)
> DCS\domain guests:x:2002:         <---- Correct (rfc2307 entry mapped)
> DCS\domain computers:x:3000038:
> DCS\domain controllers:x:3000039:
> ...
>
> # getent group (on DC2)
> ...
> DCS\domain admins:x:2000:        <---- Correct (rfc2307 entry mapped)
> DCS\domain users:x:100:             <---- Incorrect (rfc2307 entry not
> mapped)
> DCS\domain guests:x:2002:         <---- Correct (rfc2307 entry mapped)
> DCS\domain computers:x:3000034:
> DCS\domain controllers:x:3000035:
> ...
>
> # getent group 2001 (on DC3)
> DCS\domain users:x:2001:
>
> # getent group 2001 (on DC1 and DC2)     <---- So somehow, winbind knows
> the 2001 rfc2307 entry, but maps it incorrectly
> DCS\domain users:x:100:
>
> # testparm
> [global]
>         workgroup = DCS
>         realm = DCS.DATACONTROLSYSTEMS.COM
>         interfaces = 192.168.8.5 127.0.0.1
>         bind interfaces only = Yes
>         server role = active directory domain controller
>         passdb backend = samba_dsdb
>         printcap name = /dev/null
>         template shell = /bin/bash
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = Yes
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
>         tls keyfile = /var/lib/samba/private/tls/dcss501_key.pem
>         tls certfile = /var/lib/samba/private/tls/dcss501_cert.pem
>         tls cafile =
>         rpc_server:tcpip = no
>         rpc_daemon:spoolssd = embedded
>         rpc_server:spoolss = embedded
>         rpc_server:winreg = embedded
>         rpc_server:ntsvcs = embedded
>         rpc_server:eventlog = embedded
>         rpc_server:srvsvc = embedded
>         rpc_server:svcctl = embedded
>         rpc_server:default = external
>         winbindd:use external pipes = true
>         idmap_ldb:use rfc2307 = yes
>         idmap config * : backend = tdb
>         printing = bsd
>         map archive = No
>         map readonly = no
>         store dos attributes = Yes
>         vfs objects = dfs_samba4 acl_xattr
> [shares]...
>
> Thanks for the help.
>
> Mike E.

This comes up from time to time. Firstly, on a DC you only get the 
'uidNumber' & 'gidNumber' attributes from winbindd; all other rfc2307 
attributes are ignored. This is one of the reasons why the use of a DC 
as a fileserver is discouraged.

One other difference is that a DC uses 'idmap.ldb' to store the 
'xidNumber' attributes that are used if no 'uidNumber' & 'gidNumber' 
attributes are found. There is, however, a 'gotcha' here: if a group (or 
user) is given an 'xidNumber' before it is given a 'gidNumber', the 
'xidNumber' will take precedence. There is also yet another 'gotcha' 
with 'idmap.ldb': you are not bound to get the same 'xidNumber' on 
different DCs for the same group; 'idmap.ldb' is not replicated between DCs.

Try running 'net cache flush' on each DC; this should clear out the 
winbindd cache, and winbindd will then obtain the 'uidNumber' & 
'gidNumber' attributes from AD. If this fails, open 'idmap.ldb' in 
ldbedit, search for the group SIDs and delete them, then run 'net cache flush' again.

I would not advise changing the 'Administrator' to 'root' mapping, the 
DC sort of depends on it.

Rowland
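An added example (not part of the thread or of Samba itself) that turns the comparison Mike did by hand into a check: it parses `getent group` output from each DC, flags groups whose gid differs from the rfc2307 gidNumber held in AD, and flags groups whose gid is not the same on every DC, which is what Rowland's non-replicated idmap.ldb gotcha produces. The getent samples are constructed from the outputs quoted above and the AD gidNumber values are assumed to be 2000/2001/2002.

```python
# Added example (not from the thread): compare the gids winbind returns on each
# DC with the rfc2307 gidNumber in AD, and flag gids that differ between DCs.

# gidNumber values as stored in AD (constructed; in practice read them from AD,
# e.g. with ldbsearch against sam.ldb).
AD_GIDNUMBER = {"domain admins": 2000, "domain users": 2001, "domain guests": 2002}

# 'getent group' output captured on each DC (constructed from the thread).
GETENT_BY_DC = {
    "DC1": r"""DCS\domain admins:x:3000008:
DCS\domain users:x:100:
DCS\domain guests:x:2002:
DCS\domain computers:x:3000038:""",
    "DC2": r"""DCS\domain admins:x:2000:
DCS\domain users:x:100:
DCS\domain guests:x:2002:
DCS\domain computers:x:3000034:""",
    "DC3": r"""DCS\domain admins:x:2000:
DCS\domain users:x:2001:
DCS\domain guests:x:2002:
DCS\domain computers:x:3000038:""",
}

def parse_getent(text):
    """Map group name (DOMAIN\\ prefix stripped) to the gid in getent output."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, _members = line.split(":", 3)
        groups[name.split("\\", 1)[-1]] = int(gid)
    return groups

def check_dc(getent_text, expected=AD_GIDNUMBER):
    """(group, gid seen, gidNumber in AD) for every group this DC maps wrongly."""
    seen = parse_getent(getent_text)
    return [(g, seen[g], e) for g, e in expected.items() if g in seen and seen[g] != e]

def cross_dc_mismatches(getent_by_dc=GETENT_BY_DC):
    """Groups whose gid is not identical on every DC, with the gid seen per DC."""
    per_group = {}
    for dc, text in getent_by_dc.items():
        for g, gid in parse_getent(text).items():
            per_group.setdefault(g, {})[dc] = gid
    return {g: dcs for g, dcs in per_group.items() if len(set(dcs.values())) > 1}

if __name__ == "__main__":
    for dc, text in GETENT_BY_DC.items():
        print(dc, check_dc(text))
    print(cross_dc_mismatches())
```

Groups that show up only in the cross-DC report (here the computers group) have no gidNumber in AD at all and are getting a locally allocated xidNumber, which is expected on a DC.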
