[Samba] Users created in last few years cannot login after 4.7 -> 4.8 + winbind

Rowland Penny rpenny at samba.org
Fri Jan 4 21:20:12 UTC 2019 

On Fri, 4 Jan 2019 15:14:06 -0500 (EST)
Paul Raines <raines at nmr.mgh.harvard.edu> wrote:

> On Fri, 4 Jan 2019 4:57am, Rowland Penny wrote:
> 
> > On Thu, 3 Jan 2019 17:46:51 -0500 (EST)
> > Paul Raines via samba <samba at lists.samba.org> wrote:
> >
> >> TLDR: after upgrading our CentOS 7.5 servers using Samba 4.7.x with
> >> security = ads and no winbind to CentOS 7.6 with Samba 4.8.x with
> >> security = ads + winbind all users accounts created in the last few
> >> years can no longer login.
> >>
> >> Explaining this requires a fairly long back story
> >>
> >> Our corporate is primarily a Windows shop while our own research
> >> department primarly uses Linux.  For over a decade we used our own
> >> account/group/file namespace in our Linux infrastructure totally
> >> separate from corporate.
> >>
> >> A couple years ago for new security hardening purposes corporate
> >> has dictated all logins need to be based off their AD server so
> >> they can manage/monitor/enforce password changes, access, etc.
> >
> > So go back to them, point out it isn't working and they need to
> > extend AD by adding the IDMU ldif and create your users and groups
> > in AD with the correct ID's ;-)
> 
> This is not an option for me.  Corporate is not going to change
> anything on AD for me.  And this would create the opposite problem
> were my users with resources on the corporate instrastructure will
> have things break if the IDs are changed.
> 
> >
> >>
> >> The issue was we had petabytes of data using our accounts which had
> >> in most cases both different names and underlying user ids. For
> >> example, my Linux username is raines with ID 5829
> >
> > I take it this ID is the Unix users ID found in /etc/passwd
> >
> 
> My LDAP server, but yes

This is the first mention of LDAP
> 
> >> and my corparte/AD username is per2 with ID 2040470.
> >
> > And this is the users AD RID
> 
> uidNumber you get when searching account on AD via LDAP

So, your users are stored in LDAP, I take it from 'uidNumber' that the
samba schema is installed.

> 
> >
> >>  And groups have no relation
> >> whatsoever. Simply reconfiguring our Linux servers to do straight
> >> LDAP or winbind/nss to corporate AD was not possible without a
> >> wholesale painful re-ID-ing of files and breakage of lots of apps
> >> that hard code usernames in settings.
> >
> > It wouldn't have been a problem if AD had been extended properly.
> >
> 
> I really don't see how that was realistically possible.  ANd I am
> positive the managers would not allow the UIDs in the range
> 5000-10000 I had use for my users.  I have a handful of users from
> the early 2000s with UIDs in the 100-5000 range (predates me -- this
> is before distros started enforcing user creation >500). It most
> likely conflicts with system accounts they had created.
> 
> >> raines = MYDOMAIN\per2
> >> aea32 = MYDOMAIN\aea32
> >
> > That's one way of doing it, it isn't how I would have done it.
> >
> 
> Except for "extending AD" as above is there another way.
> 
> All I want and need from corporate AD is password authentication.  I
> don't want or need anything else, including user or group ids. I
> want Samba to get everything else (user id, group ids, shell,
> homedir, ...) from the local NIS backend (i.e. my LDAP server)

Basically extending AD with IDMU means that NIS is put into AD.

> 
> >>
> >> and then have in smb.conf
> >>
> >>  	workgroup = MYDOMAIN
> >>          security = ads
> >>          passdb backend = tdbsam
> >>          realm = MYDOMAIN.ORG
> >>
> >>          dedicated keytab file = /etc/krb5.keytab
> >>          kerberos method = secrets and keytab
> >>          preferred master = no
> >>          encrypt passwords = yes
> >>
> >>          socket options = TCP_NODELAY IPTOS_LOWDELAY
> >> SO_RCVBUF=65536 SO_SNDBUF=65536 SO_KEEPALIVE
> >>
> >>          idmap config *:backend = tdb
> >>          idmap config *:range = 100-999999
> >
> > That is a foolish range, it interferes with the local system users.
> > The '*' domain is for the Well Known Sids and anything outside the
> > 'MYDOMAIN' domain.
> 
> Again, I am not using WINBIND for actual NIS in the system.  It
> will not be in /etc/nsswitch.conf, pam, etc.  I never used it before
> in Samba 4.7.x or before.  I am only running it because it is now
> required to use security=ads for authentication.  I DO want any
> login on the samba server of any system account to always fail.
> 
> >
> >>          idmap config MYDOMAIN:backend = ad
> >>          idmap config MYDOMAIN:schema_mode = rfc2307
> >>          idmap config MYDOMAIN:range = 1000000-9999999
> >
> > Sorry, but this is wrong for your Samba version, see here:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> > and here:
> >
> > https://wiki.samba.org/index.php/Idmap_config_ad
> >
> > The range must reflect the uidNumber & gidNumber attributes in AD.
> >
> 
> I have tried using the nss backend and the results are random.
> Sometimes it works.  Sometimes it doesn't.  It still always works
> for my "old" account.  Just not for new accounts.

What I was trying to point out was, 'idmap config' in smb.conf changed
at 4.6.0, yours is for pre 4.6.0
Not that it matters, because you are using 'security = ADS', the
machine must be joined to AD and all authentication will be coming from
AD, your ldap server will be ignored.

> 
> Do you have any configuration suggestion?
>

You could try this, use 'security = user' and run your server as a
standalone pulling your info from your ldap server.
 
> Is there a way to have winbind not fail a login just because it
> cannot map a SID to GID? Is there a way for me to force
> a mapping for S-1-5-21-8915387-943144406-1916815836-513?
> I tried wbinfo --set-gid-mapping but just got WBC_ERR_NOT_IMPLEMENTED

This isn't implemented for 'ADS' because it isn't required, you
normally just give Domain Users a gidNumber.

> 
> I guess for now I will continue to run Samba 4.7.x as long as I can
> still get it to run

4.7.x is still supported by Samba and will be until 4.10.0 comes out
(approx beginning of March)

Rowland

More information about the samba mailing list