[Samba] Samba with AD : SID rejected

Vincent Ducot vincent.ducot at rubycat-labs.com
Fri Apr 26 08:39:47 UTC 2019


Hello,
I'm building a samba share with Active Directory authentication, based
on the samba wiki documentation.
I'm using Samba Version 4.7.6-Ubuntu (Ubuntu 18.04) and Windows Server 2019.
I manually added Unix fields to my AD users' attributes (based on
https://wiki.samba.org/index.php/Installing_RSAT#Missing_Unix_Attributes_tab_in_ADUC_on_Windows_10_and_Windows_Server_2016).
I joined the domain correctly; I see my computer in my AD.

The problem is I can't list users/groups with the getent command or get some
info with wbinfo.

The commands that work:
wbinfo -t returns "checking the trust secret for domain FOO via RPC calls succeeded"
wbinfo -u correctly displays users
wbinfo -g correctly displays groups
wbinfo -D FOO
wbinfo -n FOO\\vincent shows me the SID

but wbinfo --user-sids=<SID> returns
failed to call wbcLookupUserSids: WBC_ERR_DOMAIN_NOT_FOUND
Could not get group SIDs for user SID S-1-5-21-2816186202-4468957523-2022743653-4403

wbinfo -r FOO\\vincent returns
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user FOO\vincent

I got these logs in winbindd.log:

[2019/04/26 10:11:27.061645,  1, pid=3586, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:468(ndr_print_function_debug)
       wbint_LookupName: struct wbint_LookupName
          in: struct wbint_LookupName
              domain                   : *
                  domain                   : 'FOO'
              name                     : *
                  name                     : 'VINCENT'
              flags                    : 0x00000008 (8)
[2019/04/26 10:11:27.061974,  1, pid=3586, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:468(ndr_print_function_debug)
       wbint_LookupName: struct wbint_LookupName
          out: struct wbint_LookupName
              type                     : *
                  type                     : SID_NAME_USER (1)
              sid                      : *
                  sid                      : S-1-5-21-2816186202-4468957523-2022743653-4403
              result                   : NT_STATUS_OK
[2019/04/26 10:11:27.062006,  3, pid=3586, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_queryuser.c:59(wb_queryuser_send)
  wb_queryuser_send: My domain -- rejecting S-1-5-21-2816186202-4468957523-2022743653-4403
[2019/04/26 10:11:27.062019,  5, pid=3586, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getgroups.c:235(winbindd_getgroups_recv)
  Could not convert sid S-1-5-21-2816186202-4468957523-2022743653-4403: NT_STATUS_NO_SUCH_USER

What am I missing?
Thanks in advance.

Vincent
------------------------------------------
Here are my config files:

/etc/krb5.conf

[libdefaults]
    default_realm = FOO.LAB
    dns_lookup_realm = false
    dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    FOO.LAB = {
        kdc = dc.test.lan
    }

/etc/nsswitch.conf with
passwd:     compat winbind
group:      compat winbind

/etc/samba/user.map

!root = FOO\administrateur

/etc/samba/smb.conf

[global]

security = ADS
workgroup = FOO
realm = FOO.LAB
netbios name= share

log file = /var/log/samba/%m.log
log level = 10

preferred master = no
domain master = no
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the FOO domain
idmap config FOO:backend = ad
idmap config FOO:schema_mode = rfc2307
idmap config FOO:range = 10000-999999
idmap config FOO:unix_nss_info = yes
idmap config FOO:unix_primary_group = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U

username map = /etc/samba/user.map

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind trusted domains only = yes
winbind nss info = rfc2307
winbind expand groups = 4

server role = member server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
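The following is an added example, written for this page; it is neither part of Vincent's message nor code from the Samba project. It parses a constructed copy of the idmap lines from the smb.conf above and of the two decisive winbindd.log lines, and runs the checks a domain member admin usually wants before chasing a SID lookup failure: that the idmap ranges do not overlap (the comment in the posted smb.conf forbids it), that a uidNumber or gidNumber falls inside the domain's range (the ad idmap backend maps only values inside the configured range), and whether winbind is refusing SIDs of its own domain. The last check relies on the fact that the "My domain -- rejecting" branch in wb_queryuser is only taken when `winbind trusted domains only = yes` is set, which is why the script reads that parameter. Parameter names are normalised the way Samba compares them (whitespace removed, case-insensitive); the 4403 RID and the domain SID are taken from the post, the sample uidNumber values are constructed.

```python
import re

# Constructed copy of the relevant [global] lines from the smb.conf in the post.
SMB_CONF = """\
[global]
workgroup = FOO
winbind trusted domains only = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config FOO:backend = ad
idmap config FOO:schema_mode = rfc2307
idmap config FOO:range = 10000-999999
"""

# Constructed copy of the two decisive winbindd.log lines quoted in the post.
WINBINDD_LOG = """\
  wb_queryuser_send: My domain -- rejecting S-1-5-21-2816186202-4468957523-2022743653-4403
  Could not convert sid S-1-5-21-2816186202-4468957523-2022743653-4403: NT_STATUS_NO_SUCH_USER
"""

# Domain account SIDs: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-\d+")


def parse_sid(sid):
    """Split a domain account SID into (domain SID, RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def parse_smb_conf(text):
    """Return the parameters keyed by whitespace-free, lower-cased name,
    which is how Samba itself compares parameter names."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, _, value = line.partition("=")
        params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def idmap_ranges(params):
    """Map each idmap domain ('*' or a lower-cased domain name) to its (low, high) range."""
    ranges = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmapconfig(.+):range", key)
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges


def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges overlap (the posted smb.conf comment forbids this)."""
    names = sorted(ranges)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]
    ]


def unix_id_in_domain_range(unix_id, domain, ranges):
    """The ad backend only maps a uidNumber/gidNumber that lies inside the domain's range."""
    low, high = ranges[domain.lower()]
    return low <= unix_id <= high


def rejected_own_domain_sids(log):
    """SIDs that wb_queryuser refused with 'My domain -- rejecting'."""
    return [
        m.group(0)
        for line in log.splitlines()
        if "My domain -- rejecting" in line
        for m in [SID_RE.search(line)]
        if m
    ]


def findings(params, log):
    """Human-readable results of the checks over the configuration and the log."""
    out = []
    ranges = idmap_ranges(params)
    for a, b in overlapping_ranges(ranges):
        out.append(f"idmap ranges for '{a}' and '{b}' overlap")
    if params.get("workgroup", "").lower() not in ranges:
        out.append("no idmap range configured for the workgroup domain")
    rejected = rejected_own_domain_sids(log)
    # wb_queryuser only rejects SIDs of the joined domain when this parameter is set.
    if rejected and params.get("winbindtrusteddomainsonly", "no").lower() == "yes":
        out.append(
            "'winbind trusted domains only = yes' makes winbind refuse SIDs of the "
            "joined domain: " + ", ".join(rejected)
        )
    return out


if __name__ == "__main__":
    for line in findings(parse_smb_conf(SMB_CONF), WINBINDD_LOG):
        print(line)
```

Run against the posted configuration the script reports a single finding, on the `winbind trusted domains only` parameter; the idmap ranges themselves are fine. Feeding a user's real uidNumber into `unix_id_in_domain_range` is the quick way to rule out the other common cause of an unresolvable domain user on an `idmap config ... : backend = ad` member, a Unix attribute outside the configured range.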
