[Samba] Winbind issues with AD member file server

Eric Shell eshell at ucsc.edu
Wed Jul 10 16:20:39 UTC 2019 

I agree that this sounds like, and indeed is, a recipe for disaster.  I was
going to explain some of the woes of our environment but I don't think it's
actually relevant after looking at my problem a bit more.  If I'm way off
base I'm happy to be herded back, but please tolerate me as I share what I
am seeing today because I really hope to solve the narrow issue of SMB file
access without delving too far into the proper long-term fixes we require.

I can see now that authentication works fine and I can access shares on the
local filesystem.  What seems to be failing is the mount performed by
gssproxy when trying to access a share.  The NFS server isn't kerberized so
the Samba server should be mounting everything with the sys mount option,
but gssproxy appears to only perform mounts with krb5.  When I try to
access even an already-mounted NFS directory to which I have permission,
gssproxy complains:

Jul 10 08:55:51 smb gssproxy: gssproxy[1469]: (OID: { 1 2 840 113554 1 2 2
}) Unspecified GSS failure.  Minor code may provide more information,
Client 'host/smb.soe.ucsc.edu at AD.SOE.UCSC.EDU' not found in Kerberos
database

We have an existing Samba 4.8.3 server that is configured to use the ldap
backend and does not run winbind, which gives us the desired behavior.  I
was hoping to replace that server because it has its own issues, but with
the ad backend since the ldap one is no longer recommended.  gssproxy's man
page indicates that it cannot be configured to mount otherwise.  Am I out
of luck with winbind?

On Tue, Jul 9, 2019 at 12:08 PM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 09/07/2019 20:00, Eric Shell wrote:
> > Hi Rowland,
> >
> > Currently Domain Users doesn't have a gidNumber because it didn't have
> > a corresponding group in OpenLDAP, which is our master directory.
> Did you miss the bit where I said Domain Users MUST have a gidNumber ?
> >
> > The primary Unix group gidNumber for each user is replicated from
> > their OpenLDAP records, but the AD groups have a suffix due to
> > historical name collisions - a POSIX group called harry would be
> > harry-group in AD, but with a matching gidNumber.
>
> That sounds like a recipe for disaster, but then again, if it works for
> you, however it sounds like it doesn't ;-)
>
> What do you use the openldap server for ?
>
> Could you move whatever it is to the Samba AD ?
>
> Rowland
>
>
> >
> > On Tue, Jul 9, 2019 at 11:53 AM Rowland penny via samba
> > <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
> >
> >     On 09/07/2019 19:46, Eric Shell via samba wrote:
> >     > Hi Rowland,
> >     >
> >     > Thanks for the prompt reply.  The gidNumber attribute is set to the
> >     > appropriate primary UNIX group for each user already. Are there
> >     any ways
> >     > to work around the ID issue, or at least to mitigate some of the
> >     > consequences?  We looked at updating uid/gid values across the
> >     board but
> >     > there is so much data owned by existing users and groups that we
> >     haven't
> >     > been able to proceed.
> >
> >     I sort of thought that would be the case.
> >
> >     Does Domain Users have a gidNumber ?
> >
> >     You say 'appropriate primary Unix group', are these groups in AD
> >     and how
> >     are they named ?
> >
> >     Rowland
> >
> >
> >
> >     --
> >     To unsubscribe from this list go to the following URL and read the
> >     instructions: https://lists.samba.org/mailman/options/samba
> >
> >
> >
> > --
> > Eric Shell
> > BSOE Technical Staff
> > eshell at ucsc.edu <mailto:eshell at ucsc.edu>
> > 831 459 4919
> > Baskin Engineering, Room 313
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
Eric Shell
BSOE Technical Staff
eshell at ucsc.edu
831 459 4919
Baskin Engineering, Room 313

More information about the samba mailing list