[Samba] Winbind issues with AD member file server
Eric Shell
eshell at ucsc.edu
Tue Jul 9 17:38:22 UTC 2019
I am setting up a CentOS 7 system as a file server within an AD domain,
following the following Red Hat documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers
Here is some information that likely complicates things:
- we have a number of users and groups with sub-1000 uid or gid numbers
which can't easily be addressed
- the system is integrated into an OpenLDAP service but UNIX attributes are
replicated to AD from OpenLDAP so uid and gid values match across all users
and groups
- the system's samba shares are themselves NFS-mounted from a ZFS file
server
--------------------------------------------------------------------------------
Thus far I've done the following:
1. installed packages - realmd oddjob-mkhomedir oddjob
samba-winbind-clients samba-winbind samba-common-tools samba
samba-winbind-krb5-locator
2. joined the AD domain with "realm join" and the --automatic-id-mapping=no
option, as we wish to use uidNumber and gidNumber attributes we've added to
users and groups in AD
3. at this point I attempted to query AD records but couldn't, so I updated
/etc/krb5.conf to set the default realm and to add the "dns_lookup_kdc =
true" option, which allowed me to kinit successfully but still not see
records
4. I added the following two idmap configuration options to
/etc/samba/smb.conf and was then able to retrieve user and group records
from AD, but the group members aren't included:
idmap config BSOE : unix_nss_info = yes
idmap config BSOE : unix_primary_group = yes
# getent passwd BSOE\\eshell
BSOE\eshell:*:3392:325::/soe/eshell:/bin/bash
# getent group "BSOE\\staff-group"
BSOE\staff-group:x:552:
5. I've found that querying some groups returns no information, perhaps
because of low gidNumber values (BSOE\staff-group has gidNumber 552):
# getent group "BSOE\\staff-group"
#
6. I tried changing the idmap config range from 500-999999 to 100-999999
but it doesn't seem to affect these queries.
--------------------------------------------------------------------------------
Some things appear to be working properly. I can "su - BSOE\\eshell" and I
am able to mount and access the NFS directories appropriately. "id eshell"
and "id BSOE\\eshell" return the same information. I can also successfully
authenticate to samba with my AD account, but then I am told that there are
no available shares. I'm guessing that this is related to the NSS group
issues I'm having.
Why can't I see the members of some groups? How do I debug this behavior?
Why isn't samba able to mount the NFS shares after a user has authenticated
when I can do so in a shell by becoming that user on the samba host?
Thanks in advance for any help you can provide.
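Editor's note: the post suspects the empty getent output is tied to low gidNumber values. The backend named in the Red Hat guide (idmap_ad) only maps ids that fall inside the "idmap config DOMAIN : range" configured for that domain, so a quick sanity check is to compare the uid/gid values AD hands back against the configured range. The script below is an added example, not part of Eric's message or of the Samba project; the smb.conf fragment embedded in it is constructed for the demonstration, and the ids it checks are the ones shown in the getent output above (3392, 325, 552).

```shell
#!/bin/sh
# Added example (not from the original post): report which uid/gid values
# fall outside the idmap range configured for a domain in smb.conf.
# Ids outside the range are not mapped by winbind's "ad" backend and show
# up as empty getent output, so this is a first thing to rule out.

# Constructed smb.conf fragment standing in for /etc/samba/smb.conf.
# The BSOE range and unix_nss_info/unix_primary_group lines mirror the post;
# the "*" default range is an assumed value.
SMB_CONF_SAMPLE='[global]
   workgroup = BSOE
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 10000-20000
   idmap config BSOE : backend = ad
   idmap config BSOE : schema_mode = rfc2307
   idmap config BSOE : range = 500-999999
   idmap config BSOE : unix_nss_info = yes
   idmap config BSOE : unix_primary_group = yes
'

# idmap_range DOMAIN CONF_TEXT -> prints "LOW HIGH" for that domain's range.
# DOMAIN is used as a literal in a basic regex; pass '\*' for the default domain.
idmap_range() {
    dom=$1
    conf=$2
    printf '%s\n' "$conf" \
      | sed -n "s/^[[:space:]]*idmap config $dom[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2/p" \
      | head -n 1
}

# in_range ID LOW HIGH -> succeeds when LOW <= ID <= HIGH.
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_ids DOMAIN CONF_TEXT ID... -> one report line per id; the return
# value is the number of ids outside the range (255 if no range is configured).
check_ids() {
    dom=$1
    conf=$2
    shift 2
    range=$(idmap_range "$dom" "$conf")
    if [ -z "$range" ]; then
        echo "no idmap range configured for domain $dom" >&2
        return 255
    fi
    low=${range%% *}
    high=${range##* }
    bad=0
    for id in "$@"; do
        if in_range "$id" "$low" "$high"; then
            echo "$id: inside $dom range $low-$high"
        else
            echo "$id: OUTSIDE $dom range $low-$high (winbind will not map it)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Usage with the ids from the getent output in the post. To run it against a
# live host, replace "$SMB_CONF_SAMPLE" with "$(cat /etc/samba/smb.conf)".
check_ids BSOE "$SMB_CONF_SAMPLE" 3392 325 552
```

Against the sample range of 500-999999 the check reports 3392 and 552 as inside the range and 325 (the primary gid in the getent passwd line) as outside it. That does not by itself explain the empty result for gid 552, but it narrows the search: once every id in play is inside the range, the next things to look at are "wbinfo -i" / "wbinfo --gid-info" output and the winbind log at a raised log level, which show whether the lookup reaches AD at all.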