[Samba] winbind rfc2307 not being obeyed

Jeff Sadowski jeff.sadowski at gmail.com
Mon Oct 30 16:54:48 UTC 2017


My smb.conf file now looks like so
[global]
#--authconfig--start-line--

# Generated by authconfig on 2017/10/30 10:47:34
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = MIND
   password server = MIND.UNM.EDU
   realm = MIND.UNM.EDU
   security = ads
   idmap config * : range = 2000-7999
   template homedir = /na/homes/%U
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = true
   winbind offline logon = false

#--authconfig--end-line--
;   security = ads
;   realm = MIND.UNM.EDU
;   workgroup = MIND
   idmap config * : backend = tdb
   idmap config * : range = 2000-7999
   idmap config MIND:backend = ad
   idmap config MIND:schema_mode = rfc2307
   idmap config MIND:range = 8000-9999999
   winbind nss info = rfc2307
;   winbind use default domain = yes
   # so that the users show up in getent
   winbind enum users = yes
   # so that the groups show up in getent
   winbind enum groups = yes
   restrict anonymous = 2
   #added the following 2 for the Badlock updates that change the defaults
   #to no longer work with my domain controllers
   ldap server require strong auth = no
   client ldap sasl wrapping = plain
;   template homedir=/na/homes/%U
;   template shell=/bin/bash

On Mon, Oct 30, 2017 at 10:53 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> Fedora's authconfig must edit a bunch of files
>
> On Mon, Oct 30, 2017 at 10:53 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>> I found what I needed to do
>> DOMAIN=MIND.UNM.EDU
>> SHORT=MIND
>> authconfig --enablekrb5 --krb5kdc=${DOMAIN} \
>>     --krb5adminserver=${DOMAIN} --krb5realm=${DOMAIN} --enablewinbind \
>>     --enablewinbindauth --smbsecurity=ads --smbrealm=${DOMAIN} \
>>     --smbservers=${DOMAIN} --smbworkgroup=${SHORT} \
>>     --winbindtemplatehomedir=/na/homes/%U --winbindtemplateshell=/bin/bash \
>>     --enablemkhomedir --enablewinbindusedefaultdomain --update
>>
>> this worked
>>
>> On Mon, Oct 30, 2017 at 10:11 AM, Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>>> On Mon, 30 Oct 2017 09:49:24 -0600
>>> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>>>
>>>> OS:fedora-26
>>>> SAMBA:4.6.8
>>>> [root at squints ~]# cat /etc/samba/smb.conf
>>>> [global]
>>>>    security = ads
>>>>    realm = MIND.UNM.EDU
>>>>    workgroup = MIND
>>>>    idmap config * : backend = tdb
>>>>    idmap config * : range = 2000-7999
>>>>    idmap config MIND:backend = ad
>>>>    idmap config MIND:schema_mode = rfc2307
>>>>    idmap config MIND:range = 8000-9999999
>>>>    winbind nss info = rfc2307
>>>>    winbind use default domain = yes
>>>>    # so that the users show up in getent
>>>>    winbind enum users = yes
>>>>    # so that the groups show up in getent
>>>>    winbind enum groups = yes
>>>>    restrict anonymous = 2
>>>>    #added the following 2 for the Badlock updates that change the defaults
>>>>    #to no longer work with my domain controllers
>>>>    ldap server require strong auth = no
>>>>    client ldap sasl wrapping = plain
>>>>
>>>> [root at squints ~]# getent passwd jsadowski
>>>> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>>>>
>>>> however, from an Ubuntu machine with the same smb.conf it looks like so
>>>> OS:ubuntu-16.04
>>>> SAMBA:4.3.11
>>>> root at daddles:~# getent passwd jsadowski
>>>> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>>>>
>>>> which is how AD shows it as well.
>>>>
>>>> Did something change in newer versions of samba that I need to add
>>>> more config options?
>>>>
>>>
>>> Yes, there have been changes and no, you don't have to use them and
>>> they wouldn't cause your problem.
>>>
>>> Your smb.conf shows you are using the 'ad' backend and you say you are
>>> using the same smb.conf on both machines.
>>>
>>> So, why are these different:
>>>
>>> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>>> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>>>
>>> Which RFC2307 attributes have you added to AD ?
>>> The above user seems to have the same uidNumber, but Domain Users
>>> seems to have two different gidNumbers (8513 and 8000), the
>>> unixHomeDirectory also has two identities, as does loginShell
>>>
>>> Rowland
>>>
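Added example for the thread above (not code from the thread, from Samba or from authconfig): a small Python checker that reads the effective [global] settings from an smb.conf, reports keys that were set more than once (the authconfig block in the current config repeats idmap config * : range), and classifies a getent passwd line as template-derived or RFC2307-derived. The smb.conf texts and the two getent lines inside it are constructed from the ones posted in the thread; the domain name MIND and the AD values passed as ad_home/ad_shell are the ones the thread gives. It relies on Samba keeping the last occurrence of a duplicated key and on Samba's built-in defaults for template homedir (/home/%D/%U) and template shell (/bin/false), and implements only the %U and %D substitutions.

```python
"""Tell template fallbacks from RFC2307 attributes in 'getent passwd' output.

Added example for the thread above, not code from the thread or from Samba.
The smb.conf texts and getent lines are constructed from what was posted.
Relies on Samba keeping the last occurrence of a duplicated key and on its
template defaults '/home/%D/%U' and '/bin/false'; only the %U and %D
substitutions are implemented (assumption: no others are needed here).
"""
import re

TEMPLATE_DEFAULTS = {"template homedir": "/home/%D/%U",
                     "template shell": "/bin/false"}

# Constructed: the [global] idmap settings first posted in the thread.
SMB_CONF_ORIGINAL = """\
[global]
   workgroup = MIND
   idmap config * : backend = tdb
   idmap config * : range = 2000-7999
   idmap config MIND:backend = ad
   idmap config MIND:schema_mode = rfc2307
   idmap config MIND:range = 8000-9999999
   winbind nss info = rfc2307
"""

# Constructed: the same plus what the authconfig block added later
# (template lines and a second copy of the '*' range).
SMB_CONF_AUTHCONFIG = SMB_CONF_ORIGINAL + """\
   idmap config * : range = 2000-7999
   template homedir = /na/homes/%U
   template shell = /bin/bash
"""

# Constructed from the two getent lines in the thread (Fedora, then Ubuntu).
GETENT_FEDORA = "jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false"
GETENT_UBUNTU = "jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash"


def parse_global(text):
    """Return (settings, duplicates) for the [global] section.

    Keys are lower-cased with spaces around ':' removed, so that
    'idmap config MIND : range' and 'idmap config MIND:range' collide the
    way Samba treats them. The last value wins; repeated keys are listed.
    """
    settings, duplicates, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # whole-line comments only
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = re.sub(r"\s+", " ", re.sub(r"\s*:\s*", ":", key.lower()))
        if key in settings:
            duplicates.append(key)
        settings[key] = value
    return settings, duplicates


def which_range(number, settings):
    """Name of the idmap domain ('*', 'mind', ...) whose range holds number."""
    for key, value in settings.items():
        m = re.fullmatch(r"idmap config (.+):range", key)
        if m:
            low, high = (int(x) for x in value.split("-"))
            if low <= number <= high:
                return m.group(1)
    return None


def classify(getent_line, settings, domain, ad_home=None, ad_shell=None):
    """Classify one getent passwd line against the effective settings.

    'template':  home and shell equal the expanded template, so nothing here
                 proves unixHomeDirectory/loginShell were read from AD.
    'rfc2307':   they differ from the template, so they came from AD.
    'ambiguous': the template equals the AD values passed in, so the line
                 would look the same whether or not AD was consulted.
    """
    name, _pw, uid, gid, _gecos, home, shell = getent_line.split(":")
    uid, gid = int(uid), int(gid)
    t_home = settings.get("template homedir", TEMPLATE_DEFAULTS["template homedir"])
    t_home = t_home.replace("%U", name).replace("%D", domain)
    t_shell = settings.get("template shell", TEMPLATE_DEFAULTS["template shell"])
    if (home, shell) == (t_home, t_shell):
        verdict = "ambiguous" if (ad_home, ad_shell) == (t_home, t_shell) else "template"
    else:
        verdict = "rfc2307"
    return {"user": name, "uid": uid, "gid": gid,
            "uid_range": which_range(uid, settings),
            "gid_range": which_range(gid, settings),
            "nss_info": settings.get("winbind nss info", "template"),
            "template": (t_home, t_shell), "verdict": verdict}
```

Against the first smb.conf in the thread, the Fedora line classifies as 'template' (it is exactly Samba's default template expansion for user jsadowski in domain MIND) and the Ubuntu line as 'rfc2307'. Against the authconfig-generated settings, which set the template to /na/homes/%U and /bin/bash, the Ubuntu-style line becomes 'ambiguous' once the AD values are passed in: a correct-looking getent line then no longer shows whether winbind read unixHomeDirectory and loginShell from AD or filled them from the template. Querying the account's RFC2307 attributes in AD directly (for example with ldapsearch) is what separates the two cases.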



More information about the samba mailing list