[Samba] [samba] Member server winbind issue

mathias dufresne infractory at gmail.com
Sun Jul 23 11:33:05 UTC 2017


2017-07-23 12:46 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Sun, 23 Jul 2017 12:03:03 +0200
> mathias dufresne via samba <samba at lists.samba.org> wrote:
>
> > 2017-07-23 11:59 GMT+02:00 mathias dufresne <infractory at gmail.com>:
> >
> > >
> > >
> > > 2017-07-23 11:23 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> > >
> > >> On Sun, 2017-07-23 at 11:10 +0200, mathias dufresne via samba
> > >> wrote:
> > >> > Hi all,
> > >> >
> > >> > Thank you both for your replies. I tried both options
> > >> > (removing both keytab related lines as proposed by Andrew, then
> > >> > using both lines proposed by Rowland) without success.
> > >>
> > >> Just because it didn't work doesn't mean just put it back.
> > >>
> > >> I'm not going to help you any more until you can confirm you have
> > >> an smb.conf like:
> > >>
> > >> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File
> > >>
> > >> and joined the domain with:
> > >>
> > >> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Joining_the_Domain
> > >>
> > >> Please follow that HOWTO, try not to be fancy, special or different
> > >> until you have it working.
> > >>
> > >
> > > That's the whole point, I don't see what I'm doing wrong (except
> > > re-inserting keytab lines).
> > >
> > > The whole smb.conf is the following:
> > > --------------------------------------------------
> > > [global]
> > >         security = ADS
> > >         workgroup = AD
> > >         realm = AD.DOMAIN.TLD
> > >
> > >         log file = /var/log/samba/%m.log
> > >         log level = 1
> > >
> > >         # Default ID mapping configuration for local BUILTIN
> > >         # accounts and groups on a domain member. The default (*) domain:
> > >         # - must not overlap with any domain ID mapping configuration!
> > >         # - must use a read-write-enabled back end, such as tdb.
> > >         # - Adding just this is not enough
> > >         # - You must set a DOMAIN backend configuration, see below
> > >         idmap config * : backend = tdb
> > >         idmap config * : range = 3000-7999
> > >
> > >         winbind nss info = rfc2307
> > >
> > >         # idmap config for the AD domain
> > >         idmap config AD:backend = ad
> > >         idmap config AD:schema_mode = rfc2307
> > >         idmap config AD:range = 8000-99999999
> > > --------------------------------------------------
> > >
> > > It was obtained by copy-pasting from the first given link, modifying
> > > ranges and domain names. I didn't add user mapping as it is
> > > mentioned to be optional.
> > >
> > > The join is the following, using Kerberos as the authentication method
> > > (which works well and, I hope, should not be considered too
> > > fancy), after I left the domain:
> > >
> > > smbsrv:/etc/samba# net ads leave -k
> > > Deleted account for 'SMBSRV' in realm 'AD.DOMAIN.TLD'
> > > smbsrv:/etc/samba# net ads join -k
> > > Using short domain name -- AD
> > > Joined 'SMBSRV' to dns domain 'ad.domain.tld'
> > >
> > > And here the behavior is the same: wbinfo -n and -S are working, -i
> > > is not working.
> > >
> > > I've got no more logs generated in log.winbindd which is normal as I
> > > removed log level.
> > >
> > > And I still don't understand what I do wrong :/
> > >
> >
> > I forgot to mention how the testuser is configured, so here it is:
> > dc02:~# ldbsearch -H $sam samaccountname=testuser uidNumber gidNumber
> > loginShell unixHomeDirectory primaryGroupID uid msSFU30Name
> > msSFU30NisDomain
> > # record 1
> > dn: CN=test user,OU=Personnes,DC=ad,DC=domain,DC=tld
> > primaryGroupID: 513
> > msSFU30NisDomain: ad
> > uidNumber: 10000001
> > loginShell: /bin/bash
> > unixHomeDirectory: /home/testuser
> > gidNumber: 20000100
> > msSFU30Name: testuser
> > uid: testuser
>
> What version of Samba are you using on the member server? If you
> are using a version >= 4.6.0, then your smb.conf is now wrong.
>

Samba is 4.5.8+dfsg-2+deb9u1+b1 (it's a Debian).


>
> Does a group in AD have the gidNumber '20000100' ?
>

Yes:
dc02:~# ldbsearch -H $sam gidNumber=20000100 dn objectclass gidNumber
...
# record 2
dn: CN=Unix-Users,OU=Unix,OU=Groupes,DC=ad,DC=infractory,DC=org
objectClass: top
objectClass: group
gidNumber: 20000100

On the Gentoo box, Samba is 4.5.10 and the behaviour is exactly the same:
- wbinfo -n testuser -> OK, gives testuser's SID
- wbinfo -S SID -> OK, gives uidNumber declared into AD
- wbinfo -i testuser -> NOT OK, it gives the same as on the Debian:
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user testuser

And with log level increased in log.winbindd there is:
[2017/07/23 12:11:18.654687,  5]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-3491498633-2139045408-86603964-2607:
NT_STATUS_NONE_MAPPED

On the Gentoo side I have not yet touched nsswitch.conf nor the PAM config.

As there must be a good point: at least the behaviour of my winbindds is
consistent :)


> Rowland
>

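The idmap ranges and the domain key are the first things to verify when wbinfo -i fails with NT_STATUS_NONE_MAPPED although -n and -S work. As an added example (not from the thread or the Samba project), this script parses a constructed copy of the posted [global] idmap lines and checks that the default (*) and AD ranges do not overlap, that the idmap domain key matches the workgroup, that the default backend is read-write, and that testuser's uidNumber/gidNumber fall inside the AD range. The parser is a simplification of Samba's own and only handles the options shown.

```python
import re

# Constructed sample: the [global] idmap lines posted in the thread (ranges and names as given).
SMB_CONF = """
[global]
        workgroup = AD
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config AD:backend = ad
        idmap config AD:schema_mode = rfc2307
        idmap config AD:range = 8000-99999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s*([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return (workgroup, {DOMAIN: {option: value}}) from smb.conf text."""
    workgroup, domains = None, {}
    for line in conf.splitlines():
        if m := IDMAP_RE.match(line):
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
        elif m := re.match(r"^\s*workgroup\s*=\s*(\S+)", line, re.I):
            workgroup = m.group(1).upper()
    return workgroup, domains

def check_idmap(conf, uid_number, gid_number):
    """List idmap problems; an empty list means the ranges look sane for this user."""
    workgroup, domains = parse_idmap(conf)
    problems = []
    rng = {d: tuple(int(x) for x in o["range"].split("-"))
           for d, o in domains.items() if "range" in o}
    if "*" not in rng:
        problems.append("no default (*) idmap range")
    elif domains["*"].get("backend", "").lower() == "ad":
        problems.append("default (*) backend must be read-write (e.g. tdb), not ad")
    if workgroup not in rng:                # the domain key must match the workgroup name
        problems.append(f"no idmap config range for workgroup {workgroup}")
    names = sorted(rng)
    for i, a in enumerate(names):           # every pair of ranges must be disjoint
        for b in names[i + 1:]:
            if rng[a][0] <= rng[b][1] and rng[b][0] <= rng[a][1]:
                problems.append(f"ranges for {a} and {b} overlap")
    if workgroup in rng:
        lo, hi = rng[workgroup]
        for label, n in (("uidNumber", uid_number), ("gidNumber", gid_number)):
            if not lo <= n <= hi:           # idmap_ad only maps ids inside its range
                problems.append(f"{label} {n} is outside the {workgroup} range {lo}-{hi}")
    return problems
```

Run against the posted values (uidNumber 10000001, gidNumber 20000100) it reports nothing, which rules the ranges out as the cause of the NONE_MAPPED error here.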
