[Samba] Configured AD backend but getting different uid and gid

Alfonso Conner c1581634 at gmail.com
Tue Apr 23 03:40:43 UTC 2019 

 Hi Samba Team,

I hope I have sent my enquiries to the correct address list.
Need advise and support from the team. Here's the summary of my issues.
I try to provide as much details and information.

Due to the business nature of my company, I have a mixture of Windows (XP,
7, 8/10 in future) and Linux RHEL workstations (5U6, 5U8, 5U11, 6/7 in
future).
I have an existing Samba PDC VM Server (CentOS 6.10) hosting for Windows
Clients (XP, 7)
I am tasked to research ways to allow Windows 10 PC to join Samba and
followed the Classic Upgrade.
This is done following the setup guide from Samba Wedsite and I am happy
Windows 10 is able to join Samba AD with existing XP and 7 still able to
login without issues.

My next task is to join Linux workstations to Samba AD to centralize all
login accounts.

These accounts need to have the same uid and gid for access to exisitng
file servers using the correct NFS and CIFS credentials.
After study and decided using ad as backend would be the suitable choice
for me.

However, I have faced difficulties getting the same uid and gid for my
domain users after my Linux workstations join Samba AD.


Configurations as follows:

Samba PDC
Hostname: DC1
Workgroup: EXAMPLE.COM

Samba version for classic upgrade: 4.8.5
Packages installed: gcc python-devel gnutls-devel libacl-devel
openldap-devel pam-devel bind-utils krb5-workstation

Samba AD smb.configuration
Samba does not allow me to use same value for realm and workgroup
[global]
        netbios name = DC1
        realm = NEWEXAMPLE.COM
        server role = active directory domain controller
        workgroup = EXAMPLE.COM
        idmap_ldb:use rfc2307 = yes
        client max protocol = NT1
        ldap server require strong auth = no
        template shell = /bin/bash
        template homedir = /home/%U

Kerberos configuration
[libdefaults]
        default_realm = NEWEXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

No issues running wbinfo -u, wbinfo -g, getent passwd DOMAIN\\USER
EXAMPLE.COM\administrator
EXAMPLE.COM\krbtgt
EXAMPLE.COM\guest
EXAMPLE.COM\Users
..
..
..

I cannot change my netbios name nor change my AD Server hostname as I found
out my Linux member will have spnego invalid credentials error unabe to
join AD Domain.

Samba Domain member smb.conf using RHEL 5U11 for testing
Packages installed: samba3x-winbind-3.6.23-6.el5
system-config-samba-1.2.41-5.el5 samba3x-client-3.6.23-6.el5
samba3x-swat-3.6.23-6.el5 samba3x-3.6.23-6.el5

member smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
        workgroup = EXAMPLE.COM
        realm = NEWEXAMPLE.COM
        server string = Samba Server Version %v
        security = ADS
        username map = /etc/samba/user.map
        template homedir = /home/%U
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        idmap config NEWEXAMPLE.COM : unix_primary_group = yes
        idmap config NEWEXAMPLE.COM : unix_nss_info = yes
        idmap config NEWEXAMPLE.COM : range = 1001-9999
        idmap config NEWEXAMPLE.COM : schema_mode = rfc2307
        idmap config NEWEXAMPLE.COM : backend = ad
        idmap config * : range = 10001-99999
        idmap config * : backend = tdb
        map acl inherit = Yes
        cups options = raw
        store dos attributes = Yes
        vfs objects = acl_xattr

AD Member krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = NEWEXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

After joined to AD, I am able to get results from wbinfo and getent passwd
but am getting Domain Users uid and gid starting from "*" range.
Have ensured all Computers, Users and Groups have assigned uid and gid
using RSAT from Windows 7 Client and able to see Attribute editor, Unix
attributes.

Please advise and appreciate for the response.

More information about the samba mailing list