Lorenzo Faleschini
2014-Apr-10 09:20 UTC
[Samba] centos 6.5 sernet-samba 4.1.6 member server winbind idmap fail
Hi everybody,

I've searched deeply into the samba wiki and the list for some working examples, but I cannot find my way out, I'm a kind of rough samba user (let's say almost newbie).. so asking help here:

This is my setup:

DC (samba.my.domain.com <http://samba.my.domain.com/>): CentOS 6.5 with sernet-samba 4.1.6 started in "ad" mode
(upgraded successfully from early 4.0.5, working fine with windows clients and servers, deployed with rfc2307, wbinfo and getent working fine)

MEMBER (files.my.domain.com <http://files.my.domain.com/>): Centos 6.5 with sernet-samba 4.1.6 started in "classic" mode
(successfully joined with net ads join, dns updated correctly and host is able to resolve domain names, followed the howto on samba wiki, tried also by installing from source with parameters suggested in but with no luck)

NOTE: disabled iptables and selinux in this test environment
NOTE: created testuser and testgroup with windowsRSAT (AD users&computers) and filled the UNIX attributes tab.. so I suppose at least for that 2 user and group I have correctly set UID GID

____________________config files_______________________________

##############/etc/samba/smb.conf
[global]

    workgroup = MY
    security = ADS
    realm = MY.DOMAIN.COM

    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config MY:backend = ad
    idmap config MY:schema_mode = rfc2307
    idmap config MY:range = 500-40000

    winbind nss info = rfc2307

[test]
    path = /condivisioni/test
    read only = no


#################/etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MY.DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
MY.DOMAIN.COM = {
 kdc = samba.my.domain.com
 admin_server = samba.my.domain.com }

[domain_realm]
 .my.domain.com = MY.DOMAIN.COM
my.domain.com = MY.DOMAIN.COM

#################/etc/nsswitch.conf (edited lines)
passwd: files winbind
group: files winbind

________________________________________________________

~> wbinfo -p
~> wbinfo -u
~> wbinfo -g
~> wbinfo -n testuser

return expected output

~> getent passwd
~> getent group

return only local unix users and groups

~> wbinfo -i testuser
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user testuser
~> wbinfo --group-info testgroup
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group testgroup


on DC getent is working correctly and also wbinfo -i:
~> wbinfo -i testuser
MY\testuser:*:10000:100:testuser:/home/MY/testuser:/bin/false
~> wbinfo --group-info testgroup
MY\testgroup:*:10000:
~> wbinfo -i marco
MY\marco:*:3000043:100:Marco:/home/MY/marco:/bin/false
~> wbinfo --group-info "domain users"
MY\Domain Users:*:100:


... any suggestions?
... I've searched the /var/log/samba logs but can't find anything relevant there about errors? should I look somewhere else?
... would it be better to add this MEMBER as a DC with samba tool? any gotchas in doing so?
... I read many times Steve and Rowland suggesting sssd over winbind.. I've tried to configure it but without success either (quite frustrated :( )

thanks

--

Lorenzo Faleschini
IT Manager @ Nord Est Systems srl
----------------------------------------
m: +39 335 6055225 | skype: falegalizeit
L.P.H. van Belle
2014-Apr-10 12:54 UTC
[Samba] centos 6.5 sernet-samba 4.1.6 member server winbind idmap fail
yes, the solution (aka worked for me on debian with sernet)

make use of usermap

add to smb.conf:

# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping

add in the file samba_usermapping

!root = DOMAINNAME\Administrator DOMAINNAME\administrator

restart samba
Lorenzo Faleschini
2014-Apr-10 15:46 UTC
[Samba] centos 6.5 sernet-samba 4.1.6 member server winbind idmap fail
ok, now if I specify domain in wbinfo and getent queries I get expected results

eg:

> getent passwd MY\\userx
MY\userx:*:10001:10000:User X:/home/userx:/bin/sh
> wbinfo -i MY\\userx
MY\userx:*:10001:10000:User X:/home/userx:/bin/sh

I can setup shares and manage through ComputerManagement (logged as Domain Admin - Administrator), but if I remove "Everyone" with "Full Control" from share permissions I cannot use the Security Tab anymore (until I set Full Control to Everyone back in share's permission)

this is weird IMHO and makes the fileserver unusable

I'll try a debian machine now. can you please post your working configs?
Rowland Penny
2014-Apr-10 15:55 UTC
[Samba] centos 6.5 sernet-samba 4.1.6 member server winbind idmap fail
On 10/04/14 10:20, Lorenzo Faleschini wrote:
> Hi everybody,
>
> I've searched deeply into the samba wiki and the list for some working
> examples, but I cannot find my way out, I'm a kind of rough samba user
> (let's say almost newbie).. so asking help here:
>
> This is my setup:
>
> DC (samba.my.domain.com <http://samba.my.domain.com/>): CentOS 6.5
> with sernet-samba 4.1.6 started in "ad" mode
> (upgraded successfully from early 4.0.5, working fine with windows
> clients and servers, deployed with rfc2307, wbinfo and getent working
> fine)
>
> MEMBER (files.my.domain.com <http://files.my.domain.com/>): Centos 6.5
> with sernet-samba 4.1.6 started in "classic" mode
> (successfully joined with net ads join, dns updated correctly and host
> is able to resolve domain names, followed the howto on samba wiki,
> tried also by installing from source with parameters suggested in but
> with no luck)
>
> NOTE: disabled iptables and selinux in this test environment
> NOTE: created testuser and testgroup with windowsRSAT (AD
> users&computers) and filled the UNIX attributes tab.. so I suppose at
> least for that 2 user and group I have correctly set UID GID
>
> ____________________config files_______________________________
>
> ##############/etc/samba/smb.conf
> [global]
>
>     workgroup = MY
>     security = ADS
>     realm = MY.DOMAIN.COM
>
>     idmap config *:backend = tdb
>     idmap config *:range = 70001-80000
>     idmap config MY:backend = ad
>     idmap config MY:schema_mode = rfc2307
>     idmap config MY:range = 500-40000
>
>     winbind nss info = rfc2307
>
> [test]
>     path = /condivisioni/test
>     read only = no
>
>
> #################/etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = MY.DOMAIN.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>
> [realms]
> MY.DOMAIN.COM = {
>  kdc = samba.my.domain.com
>  admin_server = samba.my.domain.com }
>
> [domain_realm]
>  .my.domain.com = MY.DOMAIN.COM
> my.domain.com = MY.DOMAIN.COM
>
> #################/etc/nsswitch.conf (edited lines)
> passwd: files winbind
> group: files winbind
>
> ________________________________________________________
>
> ~> wbinfo -p
> ~> wbinfo -u
> ~> wbinfo -g
> ~> wbinfo -n testuser
>
> return expected output
>
> ~> getent passwd
> ~> getent group
>
> return only local unix users and groups
>
> ~> wbinfo -i testuser
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user testuser
> ~> wbinfo --group-info testgroup
> failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for group testgroup
>
>
> on DC getent is working correctly and also wbinfo -i:
> ~> wbinfo -i testuser
> MY\testuser:*:10000:100:testuser:/home/MY/testuser:/bin/false
> ~> wbinfo --group-info testgroup
> MY\testgroup:*:10000:
> ~> wbinfo -i marco
> MY\marco:*:3000043:100:Marco:/home/MY/marco:/bin/false
> ~> wbinfo --group-info "domain users"
> MY\Domain Users:*:100:
>

Have you given 'Domain Users' a gidNumber and if so is that gidNumber '100'?

If you are using '100' for your gidNumber, then it is below the range you set in smb.conf and winbind will not pass this to getent and therefore you get no domain users. If you have not added a gidNumber, then the same applies, winbind will not pass this to getent and you get no domain users.

Rowland

>
> ... any suggestions?
> ... I've searched the /var/log/samba logs but can't find anything
> relevant there about errors? should I look somewhere else?
> ... would it be better to add this MEMBER as a DC with samba tool? any
> gotchas in doing so?
> ... I read many times Steve and Rowland suggesting sssd over winbind..
> I've tried to configure it but without success either (quite
> frustrated :( )
>
> thanks
>
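
The range check Rowland describes, as an added example (not part of the thread and not Samba code): it parses the idmap ranges from the smb.conf posted above and tests the uid/gid values printed by wbinfo -i on the DC against the MY range, and also confirms that the configured ranges do not overlap. It assumes the IDs printed on the DC are the ones the member would have to map; the function names are hypothetical.

```python
import re

# Constructed sample input: the idmap lines from the smb.conf posted in the thread.
SMB_CONF = """\
[global]
    workgroup = MY
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config MY:backend = ad
    idmap config MY:schema_mode = rfc2307
    idmap config MY:range = 500-40000
"""

# passwd-style lines as printed by `wbinfo -i` on the DC in the thread.
# Assumption: these are the IDs the member server would have to map.
DC_ENTRIES = [
    r"MY\testuser:*:10000:100:testuser:/home/MY/testuser:/bin/false",
    r"MY\marco:*:3000043:100:Marco:/home/MY/marco:/bin/false",
]

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def check_entry(passwd_line, ranges):
    """Return a list of problems for one DOMAIN\\user passwd-style line."""
    name, _pw, uid, gid = passwd_line.split(":")[:4]
    domain = name.split("\\", 1)[0].upper() if "\\" in name else "*"
    low, high = ranges.get(domain, ranges["*"])
    problems = []
    for label, value in (("uid", int(uid)), ("gid", int(gid))):
        if not low <= value <= high:
            problems.append(f"{name}: {label} {value} outside {domain} range {low}-{high}")
    return problems

def overlapping(ranges):
    """Return pairs of domains whose ID ranges overlap (they must be disjoint)."""
    items = sorted(ranges.items())
    return [(a, b) for i, (a, (al, ah)) in enumerate(items)
            for b, (bl, bh) in items[i + 1:] if al <= bh and bl <= ah]

if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    for entry in DC_ENTRIES:
        for problem in check_entry(entry, ranges):
            print(problem)
    print("overlaps:", overlapping(ranges))
```

With the values from the thread, gid 100 is flagged for both users and uid 3000043 is flagged for marco, while testuser's uid 10000 passes.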