"Andreas Braml (BürgerEnergie Berlin)"
2015-Jan-27 15:13 UTC
[Samba] Can't get idmap_ad to work with winbind (only idmap_rid)
Hi,

thanks for your fast reply. It's always Rowland ;)

On 27.01.2015 10:04, Rowland Penny wrote:
> On 27/01/15 05:44, a.braml at buerger-energie-berlin.de wrote:
>> Hi!
>>
>> With the end of support for Win XP from many application vendors, we
>> finally decided to go AD with our small domain that right now consists
>> of two XP desktop clients and one Samba PDC (3.6 from official Ubuntu
>> 12.04 packages) that's also offering some file shares and a printer
>> share. Since there already is one FreeBSD server for backup/mirroring,
>> I decided to go all FreeBSD in the process. The final setup would
>> consist of:
>>
>> Realm/Domain TEST.BUERGER-ENERGIE-BERLIN.DE
>> FreeBSD 10.1-RELEASE AD DC with Samba 4 from ports (4.1.16 right now), single domain forest
>> FreeBSD 10.1-RELEASE AD Member Server with Samba 4 from ports
>> 2 Win 7 Professional SP1 desktop clients
>>
>> I installed everything in a Virtualbox host-only network with a layout
>> identical to what the actual network will be.
>>
>> For the setup, I followed the Wiki at http://wiki.samba.org for the AD
>> DC and AD Member server setup. I followed the instructions for RFC 2307
>> and decided to use RID+100000 for the default users/groups and 102XXX
>> for my additional groups/users. I set the corresponding GID/UID in the
>> UNIX attributes via ADUC from one of the Win 7 clients. And it works!
>> Well, mostly...
>>
>> The problem is that on the AD member server, I can't use the ad
>> backend with winbind. The rid backend works, though. This doesn't seem
>> to be a problem with FreeBSD, as I can reproduce that error on member
>> servers running Ubuntu 12.04 with Samba 3.6 or Ubuntu 14.04 with
>> Samba 4.
>>
>> The behavior I get is as follows:
>>
>> When I set
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 70000-99999
>> idmap config TEST:backend = ad
>> idmap config TEST:schema_mode = rfc2307
>> idmap config TEST:range = 100000-2000000
>> winbind nss info = rfc2307
>>
>> in the AD member server's smb.conf, getent passwd gives me
>>
>> administrator:*:70000:70017:Administrator:/home/TEST/administrator:/bin/false
>> test:*:70003:70004:Test User:/home/TEST/test:/bin/false
>> krbtgt:*:70001:70004:krbtgt:/home/TEST/krbtgt:/bin/false
>> guest:*:70002:70005:Guest:/home/TEST/guest:/bin/false
>>
>> So the TEST:range is ignored, *:range is used instead. User Shell,
>> Home Dir and the UID (102000 for the test user) from the UNIX
>> attributes in AD are ignored.
>>
>> When I set
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 70000-99999
>> idmap config TEST:backend = rid
>> idmap config TEST:range = 100000-2000000
>> winbind nss info = rfc2307
>>
>> instead, getent passwd gives me
>>
>> administrator:*:100500:100512:Administrator:/home/TEST/administrator:/bin/false
>> test:*:101105:100513:Test User:/home/TEST/test:/bin/false
>> krbtgt:*:100502:100513:krbtgt:/home/TEST/krbtgt:/bin/false
>> guest:*:100501:100514:Guest:/home/TEST/guest:/bin/false
>>
>> So the TEST:range is respected now. But User Shell and Home Dir from
>> the UNIX attributes in the AD are still ignored.
>>
>> There's log entries in the AD member server's log.winbindd stating
>> "Added (BUILTIN|BSDMEM|TEST.BUERGER-ENERGIE-BERLIN.DE) ...". My
>> log.winbindd-dc-connect is completely empty, though! Is this a first
>> clue?
>>
>> It would be no problem to go with the RID backend for now. But as I
>> understand, this might give trouble should I ever trust domains from
>> another forest in the future. With a big warning in our documentation,
>> I could live with that. But I'd prefer to get the ad backend working
>> from the start.
>>
>> What's going on here? Any clues? I searched the list archives and the
>> WWW with ixquick, but found no solution for my problem.
>>
>> The AD DC I provisioned with
>>
>> # samba-tool domain provision --use-rfc2307 --interactive --option "nsupdate command = /usr/local/bin/samba-nsupdate -g"
>>
>> The --option I appended because the message from the ports install
>> told me to add this to my smb.conf.
>>
>> In the following interactive setup, I went with the defaults, adding
>> only the dns forwarder.
>>
>> From this I got:
>>
>> # AD DC smb.conf
>> [global]
>> workgroup = TEST
>> realm = TEST.BUERGER-ENERGIE-BERLIN.DE
>> netbios name = BSDSRV
>> server role = active directory domain controller
>> dns forwarder = 62.109.121.2
>> idmap_ldb:use rfc2307 = yes
>>
>> nsupdate command = /usr/local/bin/samba-nsupdate -g
>>
>> [netlogon]
>> path = /var/db/samba4/sysvol/test.buerger-energie-berlin.de/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/db/samba4/sysvol
>> read only = No
>> # END AD DC smb.conf
>>
>> On the AD member server, I edited my smb4.conf as follows
>>
>> # AD Member Server smb.conf
>> [global]
>>
>> netbios name = BSDMEM
>> workgroup = TEST
>> security = ADS
>> realm = TEST.BUERGER-ENERGIE-BERLIN.DE
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 70000-99999
>> idmap config TEST:backend = ad
>> idmap config TEST:schema_mode = rfc2307
>> idmap config TEST:range = 100000-2000000
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = yes
>>
>> nsupdate command = /usr/local/bin/samba-nsupdate -g
>>
>> load printers = no
>>
>> log level = winbind:2
>> # END AD Member Server smb.conf
>>
>> Any help would be greatly appreciated!
>>
>> Cheers,
>> Andreas
>
> Have you actually set any 'uidNumber' & 'gidNumber' attributes in AD ?

Yes, as I said: set them with ADUC, I even checked on the attributes with ADSI Edit (never trust a GUI by MS that feigns compatibility with the Unix world). uidNumber and gidNumber are there and in the range I reserved in the smb.conf. Still, they're ignored by winbind and I can't figure out why.

What to check next? Which logs might give a clue here?

Cheers,
Andreas
Rowland Penny
2015-Jan-27 15:48 UTC
[Samba] Can't get idmap_ad to work with winbind (only idmap_rid)
On 27/01/15 15:13, "Andreas Braml (BürgerEnergie Berlin)" wrote:
>> Have you actually set any 'uidNumber' & 'gidNumber' attributes in AD ?
> Yes, as I said: set them with ADUC, I even checked on the attributes
> with ADSI Edit (never trust a GUI by MS that feigns compatibility with
> the Unix world). uidNumber and gidNumber are there and in the range I
> reserved in the smb.conf. Still, they're ignored by winbind and I
> can't figure out why.
>
> What to check next? Which logs might give a clue here?
>
> Cheers,
> Andreas

OK, you posted 'I followed the instructions for RFC 2307 and decided to use RID+100000 for the default users/groups and 102XXX for my additional groups/users'

What do you mean by 'default users/groups' and 'additional groups/users' ?

You really only need to give Domain Users and Domain Admins a 'gidNumber' attribute, you then give your users a 'uidNumber' attribute.

Why did you choose the numbers that you have ? You can start both 'uidNumber' & 'gidNumber' from 10000, this is what windows expects, there doesn't need to be any link between RID and uidNumber/gidNumber.

I think your problem is that you have given your users/groups numbers that are outside the ranges you have set in AD. I can assure you, if you set the numbers correctly in AD it will work.

Rowland
"Andreas Braml (BürgerEnergie Berlin)"
2015-Jan-28 19:56 UTC
[Samba] [SOLVED] (kinda) Re: Can't get idmap_ad to work with winbind (only idmap_rid)
Hi!

After a night of sleeping it over, I just started from scratch today. So I re-did all the client setups, starting with Ubuntu, this time 14.04, not 12.04 as when I first tried. Again I did what it says in the Wiki and - bingo! It works as advertised, Unix uid/gid, home directory and login shell information come from the directory now. Even PAM login works, although I don't need that for now. I wonder where I screwed up the first time. The steps aren't that complicated after all. Well...

So the problem is not in the AD setup. But when I take the "known good" smb.conf to a fresh FreeBSD client installed from scratch, adjusting the netbios name and then doing the join, the behavior stays the same: backend rid works, ad does not. There seems to be a problem with FreeBSD as a member server after all. And I will check with Ubuntu 12.04 again.

On 27.01.2015 16:48, Rowland Penny wrote:
> OK, you posted 'I followed the instructions for RFC 2307 and decided
> to use RID+100000 for the default users/groups and 102XXX for my
> additional groups/users' What do you mean by 'default users/groups'

The ones you get after the provisioning step is done.

> and 'additional groups/users' ?

The ones that I add later.

> You really only need to give Domain Users and Domain Admins a
> 'gidNumber' attribute, you then give your users a 'uidNumber'
> attribute.

At one point I thought that this might be the problem - so long as there's only even one single group/user that doesn't have a [gu]idNumber set, it wouldn't work. That assumption was wrong, obviously. But it didn't hurt either with the hunt for the problem at hand. I won't do that in the production environment. So only groups/users that are relevant for what's shared on the member server (ACLs) will get the [gu]idNumber.

> Why did you choose the numbers that you have ? you can start both
> 'uidNumber' & 'gidNumber' from 10000, this is what windows expects,
> there doesn't need to be any link between RID and uidNumber/gidNumber.

The highest uid in use on the BSD is for the 'nobody' user (65534). It might be a while before the AD user/group count gets to that, but I wanted to play it safe here and started beyond that. msSFU30MaxUidNumber and msSFU30MaxGidNumber are set accordingly.

> I think your problem is that you have given your users/groups numbers
> that are outside the ranges you have set in AD.

No, it's not. (Since it works on Ubuntu now.)

Sorry for the interruption - move along!

Cheers,
Andreas
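As an added example (not code from the thread or from Samba), a small Python check for the two things this thread turns on: the idmap_rid arithmetic visible in the second getent output (unix id = range low + RID, so RID 500 becomes 100500) and Rowland's hypothesis that the uidNumber/gidNumber values set in AD lie outside `idmap config TEST:range`. The smb.conf excerpt and SIDs are constructed from the values posted above; the function names are this example's own.

```python
import re

# Constructed excerpt of the member server's idmap settings, using the
# values posted in the thread (the ad-backend variant).
SMB_CONF = """
[global]
   workgroup = TEST
   idmap config *:backend = tdb
   idmap config *:range = 70000-99999
   idmap config TEST:backend = ad
   idmap config TEST:schema_mode = rfc2307
   idmap config TEST:range = 100000-2000000
"""

# "idmap config <domain>:<key> = <value>", one setting per line
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_idmap(conf):
    """Return {domain: {"backend": ..., "range": (low, high), ...}}."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = cfg.setdefault(dom.upper(), {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val
    return cfg


def rid_to_unix_id(cfg, domain, sid):
    """idmap_rid arithmetic: unix id = range low + RID, or None if that
    would leave the domain's range (the thread's RID 500 -> 100500)."""
    rid = int(sid.rsplit("-", 1)[1])
    low, high = cfg[domain]["range"]
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None


def range_owner(cfg, unix_id):
    """Name the configured idmap range a unix id falls into, or None.
    A domain user landing in the '*' range (70003 above) means the domain
    backend produced no mapping and winbind fell back to the tdb allocator."""
    for dom, entry in cfg.items():
        low, high = entry["range"]
        if low <= unix_id <= high:
            return dom
    return None


def ids_outside_range(cfg, domain, rfc2307_ids):
    """Given {name: uidNumber or gidNumber} read from AD, return the names
    whose value is not inside 'idmap config <domain>:range'; idmap_ad
    cannot use those, which is the check for Rowland's hypothesis."""
    low, high = cfg[domain]["range"]
    return sorted(n for n, v in rfc2307_ids.items() if not low <= v <= high)
```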