[Samba] ADS domain member: winbind fails [SOLVED]

Rowland Penny rpenny at samba.org
Sun Jan 1 16:23:15 UTC 2017


On Sun, 1 Jan 2017 16:37:41 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> Am 2017-01-01 um 16:04 schrieb Rowland Penny via samba:
> 
> > So it looks like you only have 77 users, but cannot have any local
> > Unix users because your Unix users start at 1000. How do you feel about
> > changing the uidNumbers ? 
> 
> feels scary and I'd like to avoid that :-)
> 
> > if so, the easiest way will be to open the AD database
> > with ldbedit:
> > 
> > ldbedit -e nano -H /usr/local/samba/private/sam.ldb
> > 
> > Then search through the file for 'uidNumber' and then change the
> > contents, I would just add a '0' after the first digit i.e. '1077'
> > would become '10077'
> 
> And that won't break things??
> 
> > Remove the uidNumber that contains '0'
> 
> I just have a look via ldbedit, yes, that points to:
> 
> distinguishedName: CN=root,CN=Users,DC=arbeitsgruppe,......
> 
> > check that Domain Users has a gidNumber attribute and that it
> > contains a number in the 10000 range
> 
> It doesn't have that attribute as far as I see.
> Do I just add that line?
> 
> > finally change 'idmap config ARBEITSGRUPPE:range = 1000-9999' to
> > 'idmap config ARBEITSGRUPPE:range = 10000-99999' and put the 'idmap
> > config SAMDOM : schema_mode = rfc2307' line back.
> >
> > restart the Samba daemons, run 'net cache flush' again then run
> > 'getent passwd sgw'
> 
> Feeling like a blind brain surgeon already ;-)
> I have to prepare myself mentally :-)
> 
> >> But the group is wrong.
> >>
> >> # wbinfo --group-info 'domain users'
> >> domain users:x:4294967295:
> >>
> >> What to correct here, please?
> >>
> >>
> > 
> > What is in the 'user.map' ?
> 
> I followed
> 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User
> 
> # cat user.map
> !root = ARBEITSGRUPPE\Administrator
> 
> 

OK, I am taking this off list ;-)

What you have to understand is that Windows and Unix do things
differently.

Windows uses SID-RID to identify users, groups and computers, from your
posts you have a user with the SID-RID of
S-1-5-21-2777655458-4002997014-749295002-3000

The SID is S-1-5-21-2777655458-4002997014-749295002 and most things in
the domain will use this because it identifies the domain, I say most
things, because there are entities known as 'well known SIDs', see here:

https://support.microsoft.com/en-us/kb/243330

They (mostly) don't have RIDs

Windows identifies your users, groups and computers etc. by the RID,
this is a unique number. This along with the SID is meaningless to Unix.

Unix just uses a number and without the domain name, there is no way to
identify what machine it is from, there is no concept of SID with Unix.
This is where Samba comes in, it provides a bridge between Windows and
Unix on AD (and standalone servers, but that is a different subject
and has nothing to do with what we are discussing)

When you create a Windows user in a domain (and even a standalone
Windows computer is a domain, its own domain) it is given the same RID
as every user in the domain and a unique RID, going back to the SID-RID
shown earlier, this is '3000'. No other entity in the domain will get
the same RID, from what you posted earlier, I believe this is user
'sgw'.

To make the user 'sgw' visible on a domain joined Unix domain member
using the 'ad' winbind backend, a few things have to be set. At a
minimum 'sgw' must have a uidNumber attribute containing a unique
number, Domain Users must have a gidNumber attribute containing a
number and these two numbers must be inside the domain range set in
smb.conf on the domain member.

What complicates the problem is that Samba AD DCs work differently from
Samba domain members. On a DC, as standard, users and groups are mapped
from Windows users to Unix users in idmap.ldb, they all get numbers in
the '3000000' range, but can be changed by adding uidNumber and
gidNumber attributes, no other modifications need to be done to
smb.conf.
On a domain member, you need to use winbind and set it up accordingly.
There are various winbind backends but the two main ones are 'rid' and
'ad'. If you use the 'rid' backend, you do not need to change anything
in AD, the UIDs & GIDs will be calculated from the entity's RID.
If you want to use the 'ad' backend, you will need to add uidNumbers to
users and a gidNumber to Domain Users.

I hope you can see from this that changing the contents of uidNumber
will have no effect on how Windows works.

Any questions, please ask ;-)

Rowland
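An added worked example, not part of the thread and not Samba's own code: a small Python script that models what the message above describes. It pulls the domain's idmap settings out of an smb.conf fragment, splits a SID-RID into domain SID and RID, computes the ID the 'rid' backend would hand out (the idmap_rid formula from its man page, ID = RID - BASE_RID + LOW_RANGE_ID), runs the checks the 'ad' backend needs (a uidNumber on each user, a gidNumber on Domain Users, both inside the domain range and not colliding with local accounts) against a constructed set of sam.ldb-like entries, and writes the LDIF one could feed to ldbmodify instead of editing with ldbedit. The smb.conf fragment, the local account list, the DC=example suffix, the ldbmodify route and the choice of gidNumber 10000 for Domain Users are assumptions; 4294967295 is (uid_t)-1 as an unsigned 32-bit number, which is what winbind prints for an entity it has no mapping for.

```python
"""Added example (not from the thread or from Samba): SID/RID split, idmap_rid arithmetic, 'ad' backend checks."""
import re

# Constructed smb.conf fragment for the domain member, with the corrected range.
SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config ARBEITSGRUPPE:backend = ad
   idmap config ARBEITSGRUPPE : schema_mode = rfc2307
   idmap config ARBEITSGRUPPE:range = 10000-99999
"""
# What wbinfo/getent print when winbind has no mapping: (uid_t)-1 as unsigned 32-bit.
WINBIND_UNMAPPED_ID = 2**32 - 1
# Hypothetical local accounts on the member; AD IDs must not collide with them.
LOCAL_IDS = {0: "root", 1000: "stefan"}
# Two well-known SIDs (KB243330): no domain part, so no domain RID to map.
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-32-544": "BUILTIN\\Administrators"}
DOMAIN_SID_RE = re.compile(r"S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)")

def idmap_config(conf, domain):
    """Collect 'idmap config DOMAIN : key = value' lines; parse 'range' to a tuple."""
    pat = re.compile(r"^\s*idmap config\s+" + re.escape(domain)
                     + r"\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M | re.I)
    cfg = {k.lower(): v for k, v in pat.findall(conf)}
    if "range" in cfg:
        low, high = cfg["range"].split("-")
        cfg["range"] = (int(low), int(high))
    return cfg

def parse_sid(sid):
    """Return ('well-known', name), or (domain_sid, rid) for S-1-5-21-A-B-C-RID."""
    if sid in WELL_KNOWN_SIDS:
        return "well-known", WELL_KNOWN_SIDS[sid]
    m = DOMAIN_SID_RE.fullmatch(sid)
    if not m:
        raise ValueError(f"not a domain SID-RID: {sid}")
    return "S-1-5-21-" + "-".join(m.groups()[:3]), int(m.group(4))

def rid_backend_id(rid, idmap_range, base_rid=0):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID (AD is left untouched)."""
    low, high = idmap_range
    xid = rid - base_rid + low
    if not low <= xid <= high:
        raise ValueError(f"RID {rid} -> {xid} is outside {low}-{high}")
    return xid

def widen_uidnumber(n):
    """The suggested edit: insert a '0' after the first digit, so 1077 -> 10077."""
    s = str(n)
    return int(s[0] + "0" + s[1:])

def check_ad_backend(entries, idmap_range, local_ids=LOCAL_IDS):
    """Return {cn: problem} for entries the 'ad' backend cannot map as intended."""
    low, high = idmap_range
    problems = {}
    for e in entries:
        cn, is_user = e["cn"], (e["objectClass"] == "user")
        if not is_user and cn != "Domain Users":
            continue
        attr = "uidNumber" if is_user else "gidNumber"
        xid = e.get(attr)
        if xid is None:
            problems[cn] = f"no {attr}: winbind has no mapping (the {WINBIND_UNMAPPED_ID} seen from wbinfo)"
        elif xid in local_ids:
            problems[cn] = f"ID {xid} collides with local account {local_ids[xid]}"
        elif not low <= xid <= high:
            problems[cn] = f"ID {xid} is outside idmap range {low}-{high}"
    return problems

def ldif_for_fixes(entries, domain_users_gid):
    """LDIF for 'ldbmodify -H sam.ldb fix.ldif' (assumed alternative to ldbedit)."""
    records = []
    for e in entries:
        if e["objectClass"] == "user" and "uidNumber" in e:
            change = ("delete: uidNumber" if e["cn"] == "root" else
                      f"replace: uidNumber\nuidNumber: {widen_uidnumber(e['uidNumber'])}")
        elif e["cn"] == "Domain Users" and "gidNumber" not in e:
            change = f"add: gidNumber\ngidNumber: {domain_users_gid}"
        else:
            continue
        records.append(f"dn: {e['dn']}\nchangetype: modify\n{change}\n-\n")
    return "\n".join(records)

# Constructed entries mirroring the thread: sgw at 1077, root at 0, Domain Users without gidNumber.
BASE = "CN=Users,DC=arbeitsgruppe,DC=example"
AD_ENTRIES = [
    {"cn": "sgw", "dn": f"CN=sgw,{BASE}", "objectClass": "user", "uidNumber": 1077,
     "objectSid": "S-1-5-21-2777655458-4002997014-749295002-3000"},
    {"cn": "root", "dn": f"CN=root,{BASE}", "objectClass": "user", "uidNumber": 0},
    {"cn": "Domain Users", "dn": f"CN=Domain Users,{BASE}", "objectClass": "group"},
]
IDMAP_RANGE = idmap_config(SMB_CONF, "ARBEITSGRUPPE")["range"]

if __name__ == "__main__":
    print(parse_sid(AD_ENTRIES[0]["objectSid"]))
    print("rid backend would give sgw uid", rid_backend_id(3000, IDMAP_RANGE))
    for cn, msg in check_ad_backend(AD_ENTRIES, IDMAP_RANGE).items():
        print(f"{cn}: {msg}")
    print(ldif_for_fixes(AD_ENTRIES, IDMAP_RANGE[0]))
```

Run it with python3 and it reports the three problems from the thread (sgw's uidNumber below the new range, root's uidNumber 0 colliding with the local root, Domain Users with no gidNumber) and prints the LDIF; on the DC that LDIF would go through 'ldbmodify -H /usr/local/samba/private/sam.ldb fix.ldif', after which the quoted steps (restart the Samba daemons, 'net cache flush', 'getent passwd sgw') still apply. Whichever way the attributes are edited, take a backup of sam.ldb first.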


