[Samba] Users created in last few years cannot login after 4.7 -> 4.8 + winbind

Fri Jan 4 09:57:11 UTC 2019

On Thu, 3 Jan 2019 17:46:51 -0500 (EST)
Paul Raines via samba <samba at lists.samba.org> wrote:

> TLDR: after upgrading our CentOS 7.5 servers using Samba 4.7.x with
> security = ads and no winbind to CentOS 7.6 with Samba 4.8.x with
> security = ads + winbind all users accounts created in the last few
> years can no longer login.
> 
> Explaining this requires a fairly long back story
> 
> Our corporate is primarily a Windows shop while our own research
> department primarly uses Linux.  For over a decade we used our own
> account/group/file namespace in our Linux infrastructure totally
> separate from corporate.
> 
> A couple years ago for new security hardening purposes corporate has
> dictated all logins need to be based off their AD server so they
> can manage/monitor/enforce password changes, access, etc.

So go back to them, point out it isn't working and they need to
extend AD by adding the IDMU ldif and create your users and groups in
AD with the correct ID's ;-)

> 
> The issue was we had petabytes of data using our accounts which had
> in most cases both different names and underlying user ids. For
> example, my Linux username is raines with ID 5829 

I take it this ID is the Unix users ID found in /etc/passwd

>and my corparte/AD username is per2 with ID 2040470.

And this is the users AD RID

>  And groups have no relation
> whatsoever. Simply reconfiguring our Linux servers to do straight
> LDAP or winbind/nss to corporate AD was not possible without a
> wholesale painful re-ID-ing of files and breakage of lots of apps
> that hard code usernames in settings.

It wouldn't have been a problem if AD had been extended properly.

> 
> For all non-Samba resources (login, web, LDAP-based apps, ...) I
> could solve this issue using LDAP SASL passthru.  In this scheme you
> set the user LDAP record the userPassword field to be something like
> 
> userPassword:: {SASL}per2
> 
> and any authentication to the LDAP server for user 'raines' is passed
> through to the AD server as authentication for user 'per2'.
> 
> The issue was this did not work for Samba.  The solution I came up
> with was to create a "username map = /etc/samba/users.map" with lines
> like
> 
> raines = MYDOMAIN\per2
> aea32 = MYDOMAIN\aea32

That's one way of doing it, it isn't how I would have done it.

> 
> and then have in smb.conf
> 
>  	workgroup = MYDOMAIN
>          security = ads
>          passdb backend = tdbsam
>          realm = MYDOMAIN.ORG
> 
>          dedicated keytab file = /etc/krb5.keytab
>          kerberos method = secrets and keytab
>          preferred master = no
>          encrypt passwords = yes
> 
>          socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 
> SO_SNDBUF=65536 SO_KEEPALIVE
> 
>          idmap config *:backend = tdb
>          idmap config *:range = 100-999999

That is a foolish range, it interferes with the local system users.
The '*' domain is for the Well Known Sids and anything outside the
'MYDOMAIN' domain.

>          idmap config MYDOMAIN:backend = ad
>          idmap config MYDOMAIN:schema_mode = rfc2307
>          idmap config MYDOMAIN:range = 1000000-9999999

Sorry, but this is wrong for your Samba version, see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

and here:

https://wiki.samba.org/index.php/Idmap_config_ad

The range must reflect the uidNumber & gidNumber attributes in AD.

Rowland