Paul R. Ganci
2013-Oct-22 06:43 UTC
[Samba] User home directory UID:GID incorrect on VM Samba 4 AD client
I have a problem that has me completely perplexed. I have a home samba 4.0.10 (sernet-samba-4.0.10-5) AD server setup on a DELL 2950III running CentOS 6.4. On my network I have another 2950iii with CentOS 6.4 used as a NAS box, 2 CentOS 6.4 desktops, 1 Windows XP PRO box, 1 Windows 7 PRO laptop and 1 CentOS 6.4 VM (on the Dell 2950iii AD server) all joined to the domain. For the NAS box, 2 desktops and Windows box everything works perfectly. I can authenticate, mount via autofs the home directories, use roaming profiles, manage the AD from the Windows boxes... everything is just fine. However on the CentOS guest on the 2950iii which provides the samba 4 AD server the domain user's home directory UID:GID are coming up as "nobody:nobody" instead of "username:domain users".

Some debug on the VM I have tried follows (I have truncated output where appropriate and replaced actual domain names with fakes):

> ps auxww
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 19777 0.0 0.0 399424 7676 ? Ss Oct20 0:02 /usr/sbin/smbd -D
root 19806 0.0 0.0 399424 3548 ? S Oct20 0:00 /usr/sbin/smbd -D
root 19977 0.0 0.0 297212 2784 ? Ss Oct20 0:01 /usr/sbin/nmbd -D
root 20173 0.0 0.0 361488 6724 ? Ss Oct20 0:00 /usr/sbin/winbindd -D
root 20175 0.0 0.1 393136 8380 ? S Oct20 0:00 /usr/sbin/winbindd -D
root 20368 0.0 0.0 361936 4140 ? S Oct21 0:00 /usr/sbin/winbindd -D
root 20369 0.0 0.0 361560 4272 ? S Oct21 0:00 /usr/sbin/winbindd -D
root 27394 0.0 0.0 363936 4132 ? S 00:00 0:00 /usr/sbin/winbindd -D

> getent passwd
administrator:*:3000500:3000513:Administrator:/home/administrator:/bin/bash
ganci:*:3001106:3000513:Paul R. Ganci:/home/ganci:/bin/bash
krbtgt:*:3000502:3000513:krbtgt:/home/krbtgt:/bin/bash
guest:*:3000501:3000514:Guest:/home/guest:/bin/bash

> getent group
roaming profile and folder redirection users:x:3001115:ganci,administrator
allowed rodc password replication group:x:3000571:
enterprise read-only domain controllers:x:3000498:
denied rodc password replication group:x:3000572:krbtgt
read-only domain controllers:x:3000521:
group policy creator owners:x:3000520:administrator
ras and ias servers:x:3000553:
domain controllers:x:3000516:
enterprise admins:x:3000519:administrator
domain computers:x:3000515:
cert publishers:x:3000517:
dnsupdateproxy:x:3001103:
domain admins:x:3000512:administrator
domain guests:x:3000514:
schema admins:x:3000518:administrator
domain users:x:3000513:
dnsadmins:x:3001102:

> wbinfo -u
administrator
ganci
krbtgt
guest

> wbinfo -g
roaming profile and folder redirection users
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins

> klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at MYFAKE.FAKE.COM
Valid starting Expires Service principal
10/22/13 00:03:53 10/22/13 10:03:53 krbtgt/MYFAKE.FAKE.COM at MYFAKE.FAKE.COM
renew until 10/29/13 00:03:46

> cd ~ganci
> ls -alt /home
total 12
drwxr-xr-x 72 nobody nobody 4096 Oct 22 00:08 ganci
drwxr-xr-x 3 nobody nobody 0 Oct 21, 23:59 .
dr-xr-xr-x. 25 root root 4096 Oct 19 19:28 ..

On my working desktop the above commands give:

> cd ~ganci
> ls -alt /home
total 12
drwxr-xr-x 72 ganci domain users 4096 Oct 22 00:08 ganci
drwxr-xr-x 3 root root 0 Oct 21 00:19 .
dr-xr-xr-x. 26 root root 4096 Oct 21 00:18 ..
The only thing that is screwed up is the VM client thinks nobody:nobody owns the user files and directories. Needless to say that means nothing really works for domain users who logon to the VM. I have copied (at least 3 times now) all the configuration from a working CentOS 6.4 desktop to the VM and no matter what I do I cannot get the VM to see the proper UID/GID for domain user home directories. Here are the configs on my CentOS 6.4 VM:

/etc/samba/smb.conf:
[global]
workgroup = MYFAKE
realm = MYFAKE.FAKE.COM
server string =WWW Samba Version %v
netbios name = WWW
security = ads
idmap_ldb:use rfc2307 = yes
idmap config *:backend = tdb
idmap config *:range = 1000000-2999999
idmap config MYFAKE:backend = rid
idmap config MYFAKE:schema_mode = rfc2307
idmap config MYFAKE:range = 3000000-40000000
winbind use default domain = true
winbind offline logon = false
winbind enum groups = yes
winbind enum users = yes
template homedir = /home/%U
template shell = /bin/bash

/etc/krb4.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYFAKE.FAKE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
MYFAKE.FAKE.COM = {
kdc =dc.myfake.fake.com
admin_server = dc.myfake.fake.com
}
[domain_realm]
.myfake.fake.com = MYFAKE.FAKE.COM
myfake.fake.com = MYFAKE.FAKE.COM

/etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files nisplus nis dns
hosts: files dns
(truncated)

/etc/auto.home:
#
# File: /etc/auto.home
#
* -acl dc.myfake.fake.com:/home/&

Can anyone think of something I am missing? I believe the VM configuration is the same as all my other Linux boxes. They work and the VM does not. Is there a limitation with a CentOS VM as a Samba 4 AD client? If anyone would like to see any other config or command output I would be happy to oblige.
And thank you for any insight you can provide. I am at my wit's end on this one and appreciate any thoughts. I can't help but think I overlooked something on the VM that I did properly on all the other Linux boxes.

-- Paul
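An added example, not from the thread or from Samba itself: a small Python checker that reads the idmap settings and getent lines posted above and reports which idmap range each numeric id falls in and, for the rid backend, the RID it implies (well-known RIDs such as 500 Administrator and 513 Domain Users are labelled). The `nobody` passwd line is a constructed local account, not from the post.

```python
import re

# Constructed from the smb.conf and getent output posted above; the "nobody"
# line is a constructed local (files) account, not taken from the post.
SMB_CONF = """[global]
idmap config *:backend = tdb
idmap config *:range = 1000000-2999999
idmap config MYFAKE:backend = rid
idmap config MYFAKE:range = 3000000-40000000
"""
GETENT_PASSWD = """administrator:*:3000500:3000513:Administrator:/home/administrator:/bin/bash
ganci:*:3001106:3000513:Paul R. Ganci:/home/ganci:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
"""
GETENT_GROUP = """domain admins:x:3000512:administrator
domain users:x:3000513:
"""
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
IDMAP_RE = re.compile(r"^\s*idmap config (\S+):(backend|range)\s*=\s*(\S+)", re.M)

def parse_idmap(conf):
    """Return {domain: {"backend": str, "low": int, "high": int}} from smb.conf text."""
    domains = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        d = domains.setdefault(dom, {})
        if key == "backend":
            d["backend"] = val
        else:
            d["low"], d["high"] = (int(x) for x in val.split("-"))
    return domains

def classify_id(num, domains):
    """(domain, backend, rid) for a uid/gid; None if no idmap range claims it (local account)."""
    for dom, d in domains.items():
        if d["low"] <= num <= d["high"]:
            # With the rid backend the unix id is simply range_low + RID.
            return dom, d["backend"], (num - d["low"] if d["backend"] == "rid" else None)
    return None

def check_getent(passwd_text, group_text, domains):
    """{name: (kind, id, domain, rid, well_known_name)} for every getent passwd/group entry."""
    report = {}
    for kind, text in (("uid", passwd_text), ("gid", group_text)):
        for line in filter(None, text.splitlines()):
            fields = line.split(":")
            name, num = fields[0], int(fields[2])
            dom, _backend, rid = classify_id(num, domains) or (None, None, None)
            report[name] = (kind, num, dom, rid, WELL_KNOWN_RIDS.get(rid))
    return report
```

Run against the VM's output above, administrator, ganci and domain users resolve to RIDs 500, 1106 and 513 inside the MYFAKE range, so the ids winbind returns are internally consistent with the configured rid backend; an id that falls in no range (like the local nobody) is reported as unmapped.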
Paul R. Ganci
2013-Oct-22 07:05 UTC
[Samba] User home directory UID:GID incorrect on VM Samba 4 AD client
On 10/22/2013 12:43 AM, Paul R. Ganci wrote:
> I have a problem that has me completely perplexed. <snip> on the
> CentOS guest on the 2950iii which provides the samba 4 AD server the
> domain user's home directory UID:GID are coming up as "nobody:nobody"
> instead of "username:domain users".

I forgot a critical piece of information. The VM also worked perfectly as of Friday, October 18, 2013. That evening I updated my CentOS 6.4 on all my Linux boxes. That included updating from sernet-samba-4.0.9-5 to sernet-samba-4.0.10-5. I thought the issue was the version of samba so I immediately downgraded back to sernet-samba-4.0.9-5. However the problem on the VM persisted after moving back to sernet-samba-4.0.9-5. Therefore I am not sure what might have changed to break the VM box. All other Linux/Windows boxes seem to be perfectly content with sernet-samba-4.0.10-5. That is why I am wondering if it might have something to do with the VM and having done an update to the VM CentOS 6.4 OS ... maybe something was reset?

-- Paul (ganci at nurdog.com)
Harry Jede
2013-Oct-23 13:22 UTC
[Samba] User home directory UID:GID incorrect on VM Samba 4 AD client
On 15:08:18 wrote Paul R. Ganci:
> I have a problem that has me completely perplexed. I have a home
> samba 4.0.10 (sernet-samba-4.0.10-5) AD server setup on a DELL
> 2950III running CentOS 6.4. On my network I have another 2950iii
> with CentOS 6.4 used as a NAS box, 2 CentOS 6.4 desktops, 1 Windows
> XP PRO box, 1 Windows 7 PRO laptop and 1 CentOS 6.4 VM (on the Dell
> 2950iii AD server) all joined to the domain. For the NAS box, 2
> desktops and Windows box everything works perfectly. I can
> authenticate, mount via autofs the home directories, use roaming
> profiles, manage the AD from the Windows boxes... everything is just
> fine. However on the CentOS guest on the 2950iii which provides the
> samba 4 AD server the domain user's home directory UID:GID are
> coming up as "nobody:nobody" instead of "username:domain users".

I am not using CentOS but Debian. But I've seen similar problems when I changed my setup from "native kvm" to "kvm with libvirt". Check the iptables output for dhcp and dns forwarding from the host to the vm. I solved this issue by not using libvirt's networking definition. Instead I manually create bridges and just add the vm taps to these bridges.

-- Harry Jede