[Samba] Winbind on AD DC not honoring rfc2307 gid entries

Data Control Systems - Mike Elkevizth mike at datacontrolsystems.com
Fri May 27 20:42:17 UTC 2016

Hi Rowland,

Thanks for the great description of what's going on.  Running 'net cache
flush' on each DC did the trick.  I'm a little nervous about this happening
again, because all was working fine for a while.  I'm thinking about
creating a cron job to run 'net cache flush' on each DC at regular
intervals.  Would there be any problem with this approach?

Also, your description of how winbind is working was excellent.  Any chance
it can be added to the Samba wiki page?  It's much more insightful than the
"Additionally using distinct file servers avoids the idiosyncrasies in the
winbindd configuration on the Active Directory Domain Controller." which is
currently there.

Thanks again for the help,

Mike E.

On Fri, May 27, 2016 at 1:10 PM, Rowland penny <rpenny at samba.org> wrote:

> On 27/05/16 17:44, Data Control Systems - Mike Elkevizth wrote:
>> Hi,
>> I have a somewhat complicated Samba AD DC setup with four remote site AD
>> DCs (connected via VPN).  These DCs also act as file servers (yes, I read
>> the warning in the documentation, but we don't have the resources to add
>> separate file servers at each site and we would like each server to be a DC
>> because of the sometimes flaky VPN connections).  We have some notebook
>> "workstations" that travel between sites and have to be able to access the
>> files on the file server (which is the DC) and occasionally login to the DC
>> directly.  The main issue that I'm having (there are plenty of little
>> naggers too) is that the winbind nss on the DCs won't honor the rfc2307
>> entries consistently.  One of the DCs (the newest one) is honoring the
>> rfc2307 gid map entries, but the other ones are not.  None of them seem to
>> honor the rfc2307 login shell entries, but I've found adding the template
>> shell = configuration option does allow the login shell to be set (although
>> for all users as opposed to the per user rfc2307 entries).  The smb.conf
>> configurations are identical except for the netbios names, interfaces, and
>> tls key filenames.  It seems like there is something hardcoded into the DCs
>> that wants to make the Domain Users group map to the standard unix
>> "users:x:100:" group and it also wants to map the administrator user
>> account to "root:x:0:..."  Any ideas about what can be done to get this to
>> work?
>> # getent group (on DC3)
>> ...
>> DCS\domain admins:x:2000:        <---- Correct (rfc2307 entry mapped)
>> DCS\domain users:x:2001:           <---- Correct (rfc2307 entry mapped)
>> DCS\domain guests:x:2002:         <---- Correct (rfc2307 entry mapped)
>> DCS\domain computers:x:3000038:
>> DCS\domain controllers:x:3000039:
>> ...
>> # getent group (on DC1)
>> ...
>> DCS\domain admins:x:3000008:  <---- Incorrect (rfc2307 entry not mapped)
>> DCS\domain users:x:100:             <---- Incorrect (rfc2307 entry not mapped)
>> DCS\domain guests:x:2002:         <---- Correct (rfc2307 entry mapped)
>> DCS\domain computers:x:3000038:
>> DCS\domain controllers:x:3000039:
>> ...
>> # getent group (on DC2)
>> ...
>> DCS\domain admins:x:2000:        <---- Correct (rfc2307 entry mapped)
>> DCS\domain users:x:100:             <---- Incorrect (rfc2307 entry not mapped)
>> DCS\domain guests:x:2002:         <---- Correct (rfc2307 entry mapped)
>> DCS\domain computers:x:3000034:
>> DCS\domain controllers:x:3000035:
>> ...
>> # getent group 2001 (on DC3)
>> DCS\domain users:x:2001:
>> # getent group 2001 (on DC1 and DC2)     <---- So somehow, winbind knows the 2001 rfc2307 entry, but maps it incorrectly
>> DCS\domain users:x:100:
>> # testparm
>> [global]
>>         workgroup = DCS
>>         interfaces =
>>         bind interfaces only = Yes
>>         server role = active directory domain controller
>>         passdb backend = samba_dsdb
>>         printcap name = /dev/null
>>         template shell = /bin/bash
>>         winbind enum users = Yes
>>         winbind enum groups = Yes
>>         winbind use default domain = Yes
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>         tls keyfile = /var/lib/samba/private/tls/dcss501_key.pem
>>         tls certfile = /var/lib/samba/private/tls/dcss501_cert.pem
>>         tls cafile =
>>         rpc_server:tcpip = no
>>         rpc_daemon:spoolssd = embedded
>>         rpc_server:spoolss = embedded
>>         rpc_server:winreg = embedded
>>         rpc_server:ntsvcs = embedded
>>         rpc_server:eventlog = embedded
>>         rpc_server:srvsvc = embedded
>>         rpc_server:svcctl = embedded
>>         rpc_server:default = external
>>         winbindd:use external pipes = true
>>         idmap_ldb:use rfc2307 = yes
>>         idmap config * : backend = tdb
>>         printing = bsd
>>         map archive = No
>>         map readonly = no
>>         store dos attributes = Yes
>>         vfs objects = dfs_samba4 acl_xattr
>> [shares]...
>> Thanks for the help.
>> Mike E.
> This comes up from time to time. Firstly, on a DC you only get 'uidNumber'
> & 'gidNumber' attributes from winbindd; all other rfc2307 attributes are
> ignored. This is one of the reasons why the use of a DC as a fileserver is
> discouraged.
> One other difference is that a DC uses 'idmap.ldb' to store the
> 'xidNumber' attributes that are used if no 'uidNumber' & 'gidNumber'
> attributes are found. There is however a 'gotcha' here: if a group (or
> user) is given an 'xidNumber' before it is given a 'gidNumber', the
> 'xidNumber' will take precedence. There is also yet another 'gotcha' with
> 'idmap.ldb': you are not bound to get the same 'xidNumber' on different DCs
> for the same group; 'idmap.ldb' is not replicated between DCs.
> Try running 'net cache flush' on each DC; this should clear out the
> winbindd cache and winbindd will then obtain the 'uidNumber' &
> 'gidNumber' attributes from AD. If this fails, then open 'idmap.ldb' in
> ldbedit, search for group SIDs and delete them, and run 'net cache flush' again.
> I would not advise changing the 'Administrator' to 'root' mapping; the DC
> sort of depends on it.
> Rowland
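Rather than flushing the winbindd cache from cron on a fixed schedule, the check a practitioner would want is whether the DC's NSS view of each group still matches the rfc2307 gidNumber stored in AD, flushing only on drift. The script below is an added example, not code from this thread or from Samba; it assumes the AD side is an LDIF dump (e.g. from ldbsearch against sam.ldb with the sAMAccountName and gidNumber attributes) and that 'getent group' output has been captured to a file, and the sample data at the bottom is constructed to mirror DC1 above.

```shell
#!/bin/sh
# Added example (not from the thread): compare a DC's NSS group gids with the rfc2307
# gidNumber stored in AD and run 'net cache flush' only on drift. Assumed inputs (mine):
# an LDIF dump, e.g. ldbsearch -H /var/lib/samba/private/sam.ldb '(gidNumber=*)' sAMAccountName gidNumber,
# and 'getent group' output. Names compare case-insensitively with the DOMAIN\ prefix removed.
# Emit "E<TAB>name<TAB>gid" for each LDIF entry that carries both attributes.
ldif_gids() {
    awk -F': ' '
        /^sAMAccountName: / { name = tolower($2) }
        /^gidNumber: /      { gid = $2 }
        /^$/ { if (name != "" && gid != "") print "E\t" name "\t" gid; name = ""; gid = "" }
        END  { if (name != "" && gid != "") print "E\t" name "\t" gid }' "$1"
}
# Emit "A<TAB>name<TAB>gid" from getent group lines, dropping the DOMAIN\ prefix.
getent_gids() {
    awk -F: '{ name = tolower($1); sub(/^[^\\]*\\/, "", name); print "A\t" name "\t" $3 }' "$1"
}
# Print one MISMATCH line per group whose NSS gid differs from AD; return 1 if any differ.
check_mappings() {
    { ldif_gids "$1"; getent_gids "$2"; } | awk -F'\t' '
        $1 == "E" { expected[$2] = $3; next }
        ($2 in expected) && expected[$2] != $3 {
            print "MISMATCH " $2 " expected=" expected[$2] " actual=" $3; bad = 1 }
        END { exit bad ? 1 : 0 }'
}
# Cron entry point: flush winbindd's cache only when drift is detected ($NET overridable).
flush_if_drifted() {
    if check_mappings "$1" "$2"; then echo "gid mappings consistent"; return 0; fi
    echo "drift detected, flushing winbindd cache"
    "${NET:-net}" cache flush
}
# Constructed sample data modelled on DC1 in the thread, not real captures.
tmp=$(mktemp -d)
cat > "$tmp/ad.ldif" <<'EOF'
sAMAccountName: Domain Admins
gidNumber: 2000

sAMAccountName: Domain Users
gidNumber: 2001

sAMAccountName: Domain Guests
gidNumber: 2002
EOF
cat > "$tmp/getent.txt" <<'EOF'
DCS\domain admins:x:3000008:
DCS\domain users:x:100:
DCS\domain guests:x:2002:
EOF
check_mappings "$tmp/ad.ldif" "$tmp/getent.txt"
```

Groups present in getent but without a gidNumber in AD (such as Domain Computers, which only has an xidNumber) are skipped rather than reported, since there is nothing in AD to compare them against.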