Fred Smith
2015-Apr-23 01:48 UTC
[Samba] RFC2307 attributes not being read by DC2 in 4.2.1
Hi all
On latest samba 4.2.1 I have provisioned a new domain on DC1 that
successfully reads RFC2307 attributes set on a user account through
ADUC.
wbinfo (correct uid gets resolved from sid)
wbinfo -n fsmith
S-1-5-21-1273750850-484487853-1026460749-1120 SID_USER (1)
wbinfo -S S-1-5-21-1273750850-484487853-1026460749-1120
1000006
ldbsearch
sudo ldbsearch -H '/usr/local/samba/private/sam.ldb' -b 'DC=samdom,DC=example,DC=org' -s sub \
    '(&(objectCategory=Person)(CN=Fred Smith))'
# record 1
dn: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
cn: Fred Smith
sn: Smith
givenName: Fred
instanceType: 4
whenCreated: 20150422234928.0Z
displayName: Fred Smith
uSNCreated: 4558
name: Fred Smith
objectGUID: 7b49274a-9ac9-48bd-9af7-e51e8ea17c9a
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
profilePath: %LOGONSERVER%\profiles\%USERNAME%
objectSid: S-1-5-21-1273750850-484487853-1026460749-1120
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: fsmith
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=org
uid: fsmith
uidNumber: 1000006
gidNumber: 50023
loginShell: /bin/false
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
pwdLastSet: 130742201680000000
userAccountControl: 512
msSFU30NisDomain: samdom
unixHomeDirectory: /dev/null
msSFU30Name: fsmith
unixUserPassword: ABCD!efgh12345$67890
userPrincipalName: fsmith@samdom.example.org
whenChanged: 20150422234929.0Z
uSNChanged: 4565
distinguishedName: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
provision domain command
sudo samba-tool domain provision --use-rfc2307 --site="DC1" --interactive
Realm: SAMDOM.EXAMPLE.ORG
Domain: SAMDOM
Server Role: dc
DNS backend: BIND9_DLZ
DC1 smb.conf
cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.ORG
netbios name = DC1
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
# Disable printing
printcap name = /dev/null
load printers = no
printing = bsd
[netlogon]
path = /usr/local/samba/var/locks/sysvol/samdom.example.org/scripts
read only = No
browseable = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
browseable = No
But when I join DC2 to the domain and attempt to retrieve RFC2307
attributes they don't get read.
wbinfo (wrong uid gets resolved from sid)
wbinfo -n fsmith
S-1-5-21-1273750850-484487853-1026460749-1120 SID_USER (1)
wbinfo -S S-1-5-21-1273750850-484487853-1026460749-1120
3000017
ldbsearch
sudo ldbsearch -H '/usr/local/samba/private/sam.ldb' -b 'DC=samdom,DC=example,DC=org' -s sub \
    '(&(objectCategory=Person)(CN=Fred Smith))'
# record 1
dn: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Fred Smith
sn: Smith
givenName: Fred
instanceType: 4
whenCreated: 20150422234928.0Z
whenChanged: 20150422234929.0Z
displayName: Fred Smith
uSNCreated: 4494
uSNChanged: 4494
name: Fred Smith
objectGUID: 7b49274a-9ac9-48bd-9af7-e51e8ea17c9a
userAccountControl: 512
codePage: 0
countryCode: 0
pwdLastSet: 130742201680000000
primaryGroupID: 513
profilePath: %LOGONSERVER%\profiles\%USERNAME%
objectSid: S-1-5-21-1273750850-484487853-1026460749-1120
accountExpires: 9223372036854775807
sAMAccountName: fsmith
sAMAccountType: 805306368
userPrincipalName: fsmith@example.org
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=org
unixUserPassword: ABCD!efgh12345$67890
uid: fsmith
msSFU30Name: fsmith
msSFU30NisDomain: samdom
uidNumber: 1000006
gidNumber: 50023
unixHomeDirectory: /dev/null
loginShell: /bin/false
distinguishedName: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
join domain command
sudo samba-tool domain join samdom.example.org DC -UAdministrator \
    --realm=samdom.example.org --site=DC2 --dns-backend=BIND9_DLZ
DC2 smb.conf
cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = SAMDOM
realm = samdom.example.org
netbios name = DC2
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 # Added manually after join domain
# Disable printing
printcap name = /dev/null
load printers = no
printing = bsd
[netlogon]
path = /usr/local/samba/var/locks/sysvol/samdom.example.org/scripts
read only = No
browseable = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
browseable = No
Reading RFC2307 attributes on DC2 worked well using the same
configuration on samba 4.1.x.
Thanks
Fred.
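The symptom in the post above is that `wbinfo -S` on DC2 returns 3000017 for a SID whose object carries `uidNumber: 1000006`. The script below is an added example, not part of the thread, that turns that comparison into a repeatable check: it parses `ldbsearch` LDIF and `wbinfo -n` output, compares the directory's `uidNumber` with what winbind reports, and flags IDs at or above 3000000 as likely allocated from the DC's own idmap.ldb rather than read from RFC2307 attributes (3000000 is Samba's default lower bound for that allocation; treat the threshold as a heuristic). The sample LDIF and wbinfo lines embedded in it are constructed from the thread's output, not captured live. Live mode assumes the thread's `/usr/local/samba/private/sam.ldb` path, that it is run as root on the DC, and that `testparm -s` prints the `idmap_ldb:use rfc2307` option if Samba actually parsed it.

```shell
#!/bin/sh
# Added check (not from the thread): does the uid winbind hands out for a SID
# match the uidNumber stored on the AD object?  DC1 in the post returns
# 1000006 (the RFC2307 value); DC2 returns 3000017, which looks like an
# xidNumber allocated from idmap.ldb (default range starts at 3000000).

# Extract uidNumber from LDIF text as printed by ldbsearch; empty if absent.
ldif_uidnumber() {
    printf '%s\n' "$1" | sed -n 's/^uidNumber: *\([0-9][0-9]*\) *$/\1/p' | head -n 1
}

# Extract the SID from the first line of "wbinfo -n <user>" output.
wbinfo_sid() {
    printf '%s\n' "$1" | sed -n '1s/^\(S-1-5-[0-9-]*\) .*$/\1/p'
}

# Compare the directory uidNumber ($1) with the uid winbind reports ($2).
idmap_check() {
    dir_uid=$1
    wb_uid=$2
    if [ -z "$dir_uid" ]; then
        echo "no-rfc2307-uid"          # object has no uidNumber at all
    elif [ "$dir_uid" = "$wb_uid" ]; then
        echo "ok"                      # RFC2307 attribute was honoured
    elif [ "$wb_uid" -ge 3000000 ] 2>/dev/null; then
        echo "mismatch-allocated"      # heuristic: idmap.ldb allocation range
    else
        echo "mismatch"
    fi
}

# Constructed sample data modelled on the thread's output (not captured live).
SAMPLE_LDIF='# record 1
dn: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
sAMAccountName: fsmith
uidNumber: 1000006
gidNumber: 50023'
SAMPLE_WBINFO_N='S-1-5-21-1273750850-484487853-1026460749-1120 SID_USER (1)'

# Live mode, run on the DC as root:  sh idmap_check.sh --live fsmith
if [ "${1:-}" = "--live" ]; then
    user=${2:?usage: $0 --live <samaccountname>}
    sid=$(wbinfo_sid "$(wbinfo -n "$user")")
    wb_uid=$(wbinfo -S "$sid")
    dir_uid=$(ldif_uidnumber "$(ldbsearch -H /usr/local/samba/private/sam.ldb \
        "(sAMAccountName=$user)" uidNumber)")
    # Assumption: testparm -s echoes the parametric option when Samba parsed it.
    testparm -s 2>/dev/null | grep -i 'idmap_ldb:use rfc2307' \
        || echo "WARNING: 'idmap_ldb:use rfc2307 = yes' not in effective config"
    result=$(idmap_check "$dir_uid" "$wb_uid")
    echo "$user sid=$sid uidNumber=${dir_uid:-none} wbinfo=$wb_uid => $result"
    [ "$result" = "ok" ] || exit 1
    exit 0
fi
```

Run it in live mode on each DC and compare: on DC1 it should print `ok`, on DC2 the `mismatch-allocated` case from the post. The `testparm` line is there because the DC2 smb.conf as posted has `idmap_ldb:use rfc2307` followed by an inline comment and no `= yes`, unlike DC1's; the effective configuration, not the file, shows whether Samba took that line the way it was intended.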
Rowland Penny
2015-Apr-23 08:01 UTC
[Samba] RFC2307 attributes not being read by DC2 in 4.2.1
On 23/04/15 02:48, Fred Smith wrote:
> [...]

Hmm, you seem to be the second person reporting something similar, have a look here:

https://lists.samba.org/archive/samba-technical/2015-April/106942.html

Could you try replacing 'winbindd' with 'winbind' in the 'server services' line in your smb.conf files on all DCs, restart samba and run your tests again.

If it now works, I think you need to raise a bug report.

Rowland
miguelmedalha at sapo.pt
2015-Apr-23 15:06 UTC
[Samba] RFC2307 attributes not being read by DC2 in 4.2.1
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate

Since "winbindd" is included in this line, shouldn't "-winbind" also be there? I think that when you use the normal winbind you must disable the internal one. Could the simultaneous use of both winbinds be the cause of the confusion?
Fred Smith
2015-Apr-27 00:47 UTC
[Samba] RFC2307 attributes not being read by DC2 in 4.2.1
Thanks for your suggestions, I have tried both and neither helped unfortunately:

Replacing winbindd with winbind on the existing server services line, or adding "server services = -winbindd +winbind" to smb.conf on all DCs, did not solve the issue.

Adding "server services = -winbind" did not solve the issue either.

On Thu, Apr 23, 2015 at 11:18 AM, Fred Smith <fs582087 at gmail.com> wrote:
> [...]