Craig Green
2010-May-04 06:59 UTC
[Samba] Query re winbind, primary group enumeration from Active Directory and Services For Unix
I am wondering if anyone can explain to me how the GIDs work when using winbind
to extract them from an ADS server.
I have Unix servers running AIX 5.3 ML-10, an ADS server running Win 2003-SP2
with SFU 3.5 installed.
I have been configuring the Unix servers as domain members and using winbind to
extract the user id and primary group from the AD and SFU. This in theory would
supply consistent uids and gids for the domain user accounts when logging into
the Unix servers.
I have been able to compile samba 3.4.7 with ADS support successfully. I
have also used version 3.4.7 from the pware site and get the same issues.
I have modified the /usr/security/user file to use WINBIND.
I have modified the /usr/lib/security/methods.cfg file to include a stanza for
WINBIND.
I can obtain a kerberos ticket successfully, (kinit valid-aduser).
I can join the domain successfully, (net ads join -Uvalid-ad-user).
I can run wbinfo -t, -u, -g, -i, etc successfully.
Using "wbinfo -i valid-ad-user" returns the correct information as
stored under the user's properties SFU tab.
If I change these settings, eg: home directory, primary group name/gid or login
shell they are reflected correctly by a subsequent "wbinfo -i". That
is, they are correctly extracted/obtained from the ADS server.
However, when I try to open a telnet session to the Unix server I have a problem
if the PGID is not related back to an actual group as stored within the AD.
That is, if I set the PGID to 208, which is a valid group id within the group
file on the Unix server but is not a valid group id within the AD I cannot
telnet to the Unix server. The -i option of wbinfo shows the correct group id.
Eg: wbinfo -i valid-ad-user
valid-ad-user:*:1009:208::/home/support/abc:/bin/ksh
When I try and open a telnet session I get the following error.
3004-010 Failed setting terminal ownership and mode.
Browsing the www indicates that this problem is due to an invalid group id, that
is, an id that is not stored within the group file.
But it is a valid group id.
If I change the gid to be 10001, which according to samba is BUILTIN\users,
Eg:
wbinfo --gid-info=10001
BUILTIN\users:x:10001
I can open a telnet session without any problems.
My understanding from reading the smb.conf man page is that for samba (aka
winbind) to extract the home directory, login shell, UID and GID from the ADS
server then you need to specify the options "winbind nss info" and
either "idmap backend = ad" or "idmap config DOMAIN:backend =
ad" as well. I have these entries in the smb.conf file.
idmap config ULTRADATA : default = yes
idmap config ULTRADATA : backend = ad
idmap config ULTRADATA : range = 200-9999
idmap config ULTRADATA : schema_mode = sfu
winbind nss info = sfu
With these settings the userid that is extracted is the one that gets used when
a successful telnet session is made. However the GID appears to be ignored. It
looks like the GID must be one that is allocated to a valid group that is on the
ADS server.
What entries do I need to make in the smb.conf file to have samba/winbind use
the group id as stored on the ADS server?
I have included what I think is the pertinent info from the global section of
the smb.conf file:
workgroup = REALMNAME
security = ADS
realm = REALMNAME.COM.AU
encrypt passwords = Yes
password server = 172.16.xx.xxx
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
log file = /etc/samba/var/%L-%m.log
log level = 5
interfaces = en0 lo0
bind interfaces only = yes
name resolve order = host wins bcast
keepalive = 30
os level = 0
lm announce = False
preferred master = False
local master = No
domain master = False
wins server = 172.16.xx.xxx
unix extensions = no
auth methods = winbind
idmap uid = 10000-200000
idmap gid = 10000-200000
idmap config REALMNAME : default = yes
idmap config REALMNAME : backend = ad
idmap config REALMNAME : range = 200-9999
idmap config REALMNAME : schema_mode = sfu
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nss info = sfu
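The following is an added diagnostic, not code from the original post or from the Samba project. It reproduces the consistency check the post is doing by hand: take the passwd entry winbind returns for a user, pull out the primary GID, and verify that (a) the GID resolves to a group that winbind itself knows about and (b) it lies inside the domain's configured idmap range. It works on the assumption, consistent with the post's observations, that what matters at login is whether the GID resolves through winbind, not whether it appears in the local group file. All sample data is constructed (the passwd line is modelled on the post's "wbinfo -i" output; the group lines and the range 200-9999 mirror the post's configuration); on a real member server you would feed it the output of "wbinfo -i USER" and a group database built from "wbinfo --gid-info=GID" or "getent group".

```shell
#!/bin/sh
# Added diagnostic: does a user's winbind primary GID resolve, and is it in range?
# Not part of the original post or of Samba. Works offline on constructed data.

# --- constructed sample data (modelled on the post, not captured from a real host) ---
SAMPLE_PASSWD='valid-ad-user:*:1009:208::/home/support/abc:/bin/ksh'
# Groups as winbind would report them: a BUILTIN group and a hypothetical domain group.
SAMPLE_GROUPS='BUILTIN\users:x:10001:
REALMNAME\unixadmins:x:1500:'
IDMAP_RANGE='200-9999'   # the "idmap config DOMAIN : range" value from the post

# primary_gid PASSWD_LINE -> prints the 4th colon-separated field (the GID)
primary_gid() {
    printf '%s\n' "$1" | cut -d: -f4
}

# gid_in_range GID LOW-HIGH -> exit 0 when LOW <= GID <= HIGH
gid_in_range() {
    gid=$1
    low=${2%-*}
    high=${2#*-}
    [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]
}

# gid_known GID GROUP_DB -> exit 0 when some group line carries that numeric gid
gid_known() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$3 == g { found = 1 } END { exit !found }'
}

# check_primary_gid PASSWD_LINE GROUP_DB RANGE
# Prints one verdict line. Exit status: 0 usable, 1 GID does not resolve,
# 2 GID resolves but sits outside the configured idmap range.
check_primary_gid() {
    gid=$(primary_gid "$1")
    case $gid in
        ''|*[!0-9]*) echo "FAIL: no numeric primary gid in: $1"; return 1 ;;
    esac
    if ! gid_known "$gid" "$2"; then
        echo "FAIL: gid $gid does not resolve to any winbind group (login will fail with 3004-010)"
        return 1
    fi
    if ! gid_in_range "$gid" "$3"; then
        echo "WARN: gid $gid resolves but is outside idmap range $3"
        return 2
    fi
    echo "OK: gid $gid resolves and is inside idmap range $3"
    return 0
}

# Demo runs over the constructed data. Exit statuses are deliberately ignored
# here so that every verdict is printed; on a real host use:
#   check_primary_gid "$(wbinfo -i "$user")" "$(getent group)" "$IDMAP_RANGE"
check_primary_gid "$SAMPLE_PASSWD" "$SAMPLE_GROUPS" "$IDMAP_RANGE" || :
check_primary_gid 'valid-ad-user:*:1009:10001::/home/support/abc:/bin/ksh' "$SAMPLE_GROUPS" "$IDMAP_RANGE" || :
check_primary_gid 'valid-ad-user:*:1009:1500::/home/support/abc:/bin/ksh' "$SAMPLE_GROUPS" "$IDMAP_RANGE" || :
```

Run against the sample data, the first call reproduces the post's failing case (208 is absent from the winbind group view), the second reproduces the working case but flags that 10001 lies outside the 200-9999 range that "idmap config DOMAIN : range" declares, and the third shows what a clean result looks like for a domain group whose GID is both resolvable and in range.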