[Samba] Winbind issues with AD member file server

Eric Shell eshell at ucsc.edu
Tue Jul 9 17:38:22 UTC 2019


I am setting up a CentOS 7 system as a file server within an AD domain,
following the following Red Hat documentation:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers

Here is some information that likely complicates things:

- we have a number of users and groups with sub-1000 uid or gid numbers
which can't easily be addressed
- the system is integrated into an OpenLDAP service but UNIX attributes are
replicated to AD from OpenLDAP so uid and gid values match across all users
and groups
- the system's samba shares are themselves NFS-mounted from a ZFS file
server

--------------------------------------------------------------------------------

Thus far I've done the following:

1. installed packages - realmd oddjob-mkhomedir oddjob
samba-winbind-clients samba-winbind samba-common-tools samba
samba-winbind-krb5-locator
2. joined the AD domain with "realm join" and the --automatic-id-mapping=no
option, as we wish to use uidNumber and gidNumber attributes we've added to
users and groups in AD
3. at this point I attempted to query AD records but couldn't, so I updated
/etc/krb5.conf to set the default realm and to add the "dns_lookup_kdc =
true" option, which allowed me to kinit successfully but still not see
records
4. I added the following two idmap configuration options to
/etc/samba/smb.conf and was then able to retrieve user and group records
from AD, but the group members aren't included:

idmap config BSOE : unix_nss_info = yes
idmap config BSOE : unix_primary_group = yes

# getent passwd BSOE\\eshell
BSOE\eshell:*:3392:325::/soe/eshell:/bin/bash
# getent group "BSOE\\staff-group"
BSOE\staff-group:x:552:

5. I've found that querying some groups returns no information, perhaps
because of low gidNumber values (BSOE\staff-group has gidNumber 552):

# getent group "BSOE\\staff-group"
#

6. I tried changing the idmap config range from 500-999999 to 100-999999
but it doesn't seem to affect these queries.

--------------------------------------------------------------------------------

Some things appear to be working properly.  I can "su - BSOE\\eshell" and I
am able to mount and access the NFS directories appropriately.  "id eshell"
and "id BSOE\\eshell" return the same information.  I can also successfully
authenticate to samba with my AD account, but then I am told that there are
no available shares.  I'm guessing that this is related to the NSS group
issues I'm having.

Why can't I see the members of some groups?  How do I debug this behavior?

Why isn't samba able to mount the NFS shares after a user has authenticated
when I can do so in a shell by becoming that user on the samba host?

Thanks in advance for any help you can provide.
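As an added diagnostic that is not from the post or from Samba itself: with the `ad` idmap backend winbind only hands out uidNumber/gidNumber values that fall inside that domain's `idmap config DOMAIN : range`, and the ranges of different domains (including `*`) must not overlap, so a quick way to sanity-check a low gid such as 552 is to parse the range lines from smb.conf and report where the ID lands. The smb.conf fragment below is constructed (the `*` range is assumed, not taken from the post).

```python
import re

# Constructed smb.conf fragment for illustration; the BSOE range and the two
# unix_* options mirror the post, the "*" backend/range are assumed.
SAMPLE_SMB_CONF = """
[global]
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 10000-20000
   idmap config BSOE : backend = ad
   idmap config BSOE : schema_mode = rfc2307
   idmap config BSOE : range = 500-999999
   idmap config BSOE : unix_nss_info = yes
   idmap config BSOE : unix_primary_group = yes
"""

# Matches lines like "idmap config BSOE : range = 500-999999".
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)",
    re.IGNORECASE | re.MULTILINE,
)

def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {m.group("dom"): (int(m.group("lo")), int(m.group("hi")))
            for m in RANGE_RE.finditer(conf_text)}

def check_id(conf_text, domain, unix_id):
    """Classify unix_id against the domain's configured range.

    Returns "in-range", "below-range", "above-range" or "no-range".
    """
    ranges = parse_idmap_ranges(conf_text)
    if domain not in ranges:
        return "no-range"
    lo, hi = ranges[domain]
    if unix_id < lo:
        return "below-range"
    if unix_id > hi:
        return "above-range"
    return "in-range"

def overlapping_ranges(conf_text):
    """Return (domainA, domainB) pairs whose idmap ranges overlap."""
    ranges = parse_idmap_ranges(conf_text)
    names = sorted(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # intervals intersect
                clashes.append((a, b))
    return clashes

if __name__ == "__main__":
    for gid in (552, 325, 3392):
        print(gid, check_id(SAMPLE_SMB_CONF, "BSOE", gid))
    print("overlapping ranges:", overlapping_ranges(SAMPLE_SMB_CONF))
```

Run it against the real `testparm -s` output to see whether a group that `getent` cannot resolve is simply outside the domain range or collides with the `*` range.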
