[Samba] odd UID behaviour in Linux hosts connected to Samba AD
vincent at cojot.name
Thu Jan 16 11:21:42 UTC 2025
Hi everyone,
I've been running into a small issue in the past few days after figuring
out (or so I thought) how to properly map UIDs from AD to Linux clients so
that they are identical across environments and work on both Linux and
Windows boxes. Maybe I am doing something wrong.
I am wondering if someone could shed some light here.
My config is this:
- Two small VMs running Samba 4.20.z in AD mode.
- Several client endpoints.
- Several Linux (RHEL) AD clients configured to use winbind and acting as
fileservers.
(# authselect select winbind --nobackup -f)
On one of these fileservers, here is what I am observing:
Right after booting a fileserver, I can 'id' a local user just fine and
it's properly showing the local Linux groups:
# id raistlin
uid=1502(raistlin) gid=100(users)
groups=3(sys),7(lp),10(wheel),11(cdrom),39(video),63(audio),100(users),197(system)
However, if I query the AD user related to that local user, things start
going a -different- direction afterwards:
# id -a KRYNN_AD\\raistlin
uid=1502(KRYNN_AD\raistlin) gid=100(users) groups=10001(BUILTIN\users),10000(BUILTIN\administrators),100(users)
This is coming from the
but then the output of the -first- command changes and the extra groups
are dropped and I can no longer query the local user:
# id -a raistlin
uid=1502(KRYNN_AD\raistlin) gid=100(users) groups=10001(BUILTIN\users),10000(BUILTIN\administrators),100(users)
The above fileserver is running RHEL 8.10. The nsswitch configuration
looks like this:
# grep winbind /etc/nsswitch.conf
passwd: db files winbind systemd
group: db files winbind systemd
the relevant samba configuration for the domain is this:
-------
security = ads
realm = AD.LASTHOME.SOLACE.KRYNN
vfs objects = acl_xattr
[....]
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
template shell = /bin/bash
template homedir = /export/home/%U
idmap_ldb:use rfc2307 = yes
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
winbind nss info = rfc2307
min domain uid = 1000
idmap config * : backend = tdb
idmap config * : range = 2000000-2999999
idmap config KRYNN_AD : backend = ad
idmap config KRYNN_AD : range = 1500-1999999
idmap config KRYNN_AD : schema_mode = rfc2307
idmap config KRYNN_AD : unix_nss_info = yes
idmap config KRYNN_AD : unix_primary_group = yes
While this 'works' as-is, I am a little concerned because of the
following:
1) Why is the AD user taking precedence in NSS resolution even though
winbind is listed later? (nsswitch.conf order shows it should hit the
local user first). This also shows up while doing simple things such as
'ls -l'.
the UID and GID in AD are coming from uidNumber and gidNumber which I have
configured to match those of the local user.
2) the extra groups are dropped and it is causing issues to the local
users when they login to the Linux workstations.
3) In this situation, is there a way to add the AD user to more groups on
the Linux systems? Since winbind seems to be taking over, is that an
attribute I could add in AD to add the missing groups?
Am I doing something totally wrong here? I admit I might have a knowledge
gap on those topics. This is just my Home Lab and I am just trying to
provide seamless Linux/Windows integration to just a few users.
Thank you for any help,
Vincent
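An added diagnostic for the situation described in the post above (this is example code written here, not part of Vincent's message or of Samba). It uses glibc's per-service lookup, `getent -s SOURCE`, to ask each source listed in nsswitch.conf separately, first by name and then by the UID that source returned, so you can see which source answers and which name it attaches to a UID, independent of the default merge order. It also classifies the case this setup depends on: a local `files` account and a domain `winbind` account that share one UID. The passwd lines in the block are constructed from the names and numbers in the post, not taken from a live system; the password-field `*` in the winbind line is an assumption.

```shell
#!/bin/bash
# Added diagnostic, not from the original post. Probes each NSS source on its
# own and flags UID sharing between sources. Requires glibc getent (-s SERVICE);
# nss_winbind is only needed if you actually ask for the winbind source.

# Field N of a passwd(5) line "name:x:uid:gid:gecos:home:shell".
pw_field() {  # pw_field LINE FIELDNO
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Classify a pair of passwd entries, one from each source. Prints one word:
#   consistent   same UID and same name
#   collision    same UID, different names: one kernel identity, and whichever
#                source answers a getpwuid() call decides the name ls -l shows
#   disjoint     different UIDs
#   missing      at least one source had no entry
classify_pair() {  # classify_pair LINE_A LINE_B
    if [ -z "$1" ] || [ -z "$2" ]; then echo missing; return 0; fi
    local uid_a uid_b name_a name_b
    uid_a=$(pw_field "$1" 3); uid_b=$(pw_field "$2" 3)
    name_a=$(pw_field "$1" 1); name_b=$(pw_field "$2" 1)
    if [ "$uid_a" != "$uid_b" ]; then echo disjoint
    elif [ "$name_a" = "$name_b" ]; then echo consistent
    else echo collision
    fi
}

# Look NAME up in each SOURCE individually, then resolve the UID that source
# returned back to a name, both through that source alone and through the
# default nsswitch.conf order (the path ls -l takes for the owner column).
nss_probe() {  # nss_probe NAME SOURCE...
    local name=$1 src line uid; shift
    local -a lines=()
    for src in "$@"; do
        line=$(getent -s "$src" passwd "$name" 2>/dev/null) || line=""
        printf '%-8s by name %-22s -> %s\n' "$src" "$name" "${line:-<no entry>}"
        if [ -n "$line" ]; then
            uid=$(pw_field "$line" 3)
            printf '%-8s by uid  %-22s -> %s\n' "$src" "$uid" \
                "$(getent -s "$src" passwd "$uid" 2>/dev/null || echo '<no entry>')"
            printf '%-8s by uid  %-22s -> %s\n' default "$uid" \
                "$(getent passwd "$uid" 2>/dev/null || echo '<no entry>')"
        fi
        lines+=("$line")
    done
    if [ "${#lines[@]}" -eq 2 ]; then
        printf 'verdict: %s\n' "$(classify_pair "${lines[0]}" "${lines[1]}")"
    fi
    return 0
}

# Constructed sample: the two entries the post's host could return for uid 1502.
# Nothing here comes from a live system; the '*' password field is an assumption.
FILES_ENTRY='raistlin:x:1502:100::/export/home/raistlin:/bin/bash'
WINBIND_ENTRY='KRYNN_AD\raistlin:*:1502:100::/export/home/raistlin:/bin/bash'

if [ $# -gt 0 ]; then
    # Live mode on a joined host:  ./nss_probe.sh raistlin
    nss_probe "$1" files winbind
else
    printf 'sample verdict: %s\n' "$(classify_pair "$FILES_ENTRY" "$WINBIND_ENTRY")"  # collision
fi
```

Run it with the user name as argument on the fileserver right after boot and again after the `KRYNN_AD\\raistlin` query, and compare the two transcripts: the per-source lines show what `files` and `winbind` each believe about the name and about uid 1502, while the `default` line shows what the merged order actually hands to callers. The point of the `collision` verdict is that a local account and a domain account sharing a UID are a single identity to the kernel, so file ownership, ACL checks and group-based decisions (such as `wheel`) follow the UID regardless of which name NSS prints, and the name attached to that UID can differ depending on which source answers.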