Hi all,
I'm wondering about winbind[d] behaviour.
I tried the following with:
auth methods = sam winbindd
and the same with only one d:
auth methods = sam winbind
One user:
ldbsearch -H $sam '(cn=another.fakeuser)' homeDirectory loginShell gidnumber uidnumber
# record 1
dn: CN=another.fakeuser,OU=a,OU=Standards,OU=Utilisateurs,DC=ad,DC=dgfip
homeDirectory: */home/another.fakeuser*
uidNumber: 1000210377
gidNumber: 1000210377
loginShell: */bin/bash*
Seen through winbind eyes:
wbinfo -i another.fakeuser
another.fakeuser:*:1000210377:100:another.fakeuser:*/home/AD/another.fakeuser*:*/bin/false*
Using winbind in nsswitch.conf I could see the same through getent:
getent passwd another.fakeuser
another.fakeuser:*:1000210377:100:another.fakeuser:*/home/AD/another.fakeuser*:*/bin/false*
Regarding gidNumber, I thought it was because no group with that GID existed;
after creating one, no change.
Finally I thought about a caching issue, as I could have changed these values
after user creation, so I removed /var/lib/samba/winbindd_cache.tdb after
stopping samba, then started it again. Same answers from getent and wbinfo.
I'm also wondering why the GID of this user is 100. I expect this 100 stands for
"Domain users" and I imagine "Domain users" has no members as it contains
all non-computer user objects (at least that's how I see it...)
ldbsearch -H $sam '(cn=administrator)' memberOf
..
dn: CN=Administrator,CN=Users,DC=ad,DC=dgfip
memberOf: CN=Administrators,CN=Builtin,DC=ad,DC=dgfip
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=ad,DC=dgfip
memberOf: CN=Enterprise Admins,CN=Users,DC=ad,DC=dgfip
memberOf: CN=Schema Admins,CN=Users,DC=ad,DC=dgfip
memberOf: CN=Domain Admins,CN=Users,DC=ad,DC=dgfip
..
getent passwd administrator
administrator:*:0:100::/home/AD/administrator:/bin/false
To sum up, I don't understand why wbinfo does not use the attribute values from
LDB, or why it rewrites them.
Best regards,
mathias
PS: my /etc/samba/smb.conf :
---------------------------------------------------------------------------
# Global parameters
[global]
workgroup = AD.DOMAIN
realm = ad.domain.tld
netbios name = DCname
server role = active directory domain controller
dns forwarder = A.B.C.D
idmap_ldb:use rfc2307 = yes
auth methods = sam winbindd
#auth methods = winbind sam
time server = yes
wins support = yes
idmap config * : backend = tdb
idmap config * : range = 2000-999999999
idmap config AD.DOMAIN : backend = ad
idmap config AD.DOMAIN : schema_mode = rfc2307
idmap config AD.DOMAIN : range = 1000000000-3999999999
# Use home directory and shell information from AD
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind expand groups = 3
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
server services = +smb -s3fs
#dcerpc endpoint servers = +winreg +srvsvc
#dbwrap_tdb_mutexes:* = yes
#log level = 0 auth:0 sam:0 passdb:0
[netlogon]
path = /var/lib/samba/sysvol/ad.dgfip.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
---------------------------------------------------------------------------
On 25/06/15 15:27, mathias dufresne wrote:
> Hi all,
>
> I'm wondering about winbind[d] behaviour.
> [...]
> To resume I don't understand why wbinfo does not use attributes values from
> LDB or why it rewrite it.
> [...]

Hi, you have fallen into the trap of believing that you can set up a DC just
like a member server, sorry but you cannot, all those winbind lines you have
added are not doing anything :-)

The xidNumber '100' is coming from idmap.ldb and is indeed 'Domain Users'

Rowland
On Thu, 2015-06-25 at 16:27 +0200, mathias dufresne wrote:
> Hi all,
>
> I'm wondering about winbind[d] behaviour.
> I tried the following with:
> auth methods = sam winbindd
> and the same with only one d:
> auth methods = sam winbind

Please never set these manually.

There are almost no situations where these need to be manually managed,
the defaults based on the server role will behave correctly and as
expected.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
@Andrew: I expect these lines came from an RDP issue workaround which was
needed with a previous Samba version. I removed all these lines, as now,
with Samba version 4.2.2, RDP and RSAT are working well without them.
I also removed each and every idmap line, commented out most of the winbind
lines too, and now my smb.conf is:
------------------------------------------------------------
[global]
workgroup = AD.DOMAIN
realm = ad.domain.tld
netbios name = DC01
server role = active directory domain controller
dns forwarder = 10.0.0.240
wins support = yes
winbind nss info = rfc2307
[netlogon]
path = /var/lib/samba/sysvol/ad.domain.tld/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
------------------------------------------------------------
There is still something I don't understand:
"wbinfo -i some.user" does not show the configured homeDirectory, loginShell
or gidNumber:
For loginShell it displays "/bin/false" rather than the configured "/bin/bash".
For homeDirectory it displays "/home/AD.DOMAIN/some.user" rather than the
configured "/home/some.user".
For gidNumber it displays "100" rather than the content of "gidNumber".
SSSD can easily be configured on a non-DC to replace winbind, and it gives
the possibility to configure which LDB attributes are retrieved.
On a DC I'm still facing an incompatibility between Sernet's Samba and the SSSD
package (on CentOS 6 & 7 and Debian 8), so initially I planned to use
winbind in nsswitch.conf and pam.d/* on the DC to be able to check ACLs on
the sysvol folder, but the fact that, using winbind, all users have "Domain users"
as primary group seems to me an issue with that solution...
As far as I understand, wbinfo fills the user's primary group according to
the "primaryGroup" value.
Is there a way to configure winbind to fill the user's primary group using
"gidNumber" rather than "primaryGroup"?
Cheers,
mathias
2015-06-29 11:18 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> On Thu, 2015-06-25 at 16:27 +0200, mathias dufresne wrote:
> > Hi all,
> >
> > I'm wondering about winbind[d] behaviour.
> > I tried the following with:
> > auth methods = sam winbindd
> > and the same with only one d:
> > auth methods = sam winbind
>
> Please never set these manually.
>
> There are almost no situations where these need to be manually managed,
> the defaults based on the server role will behave correctly and as
> expected.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
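Added example for this thread (not Samba's code, and not anything the posters ran): a small Python check that parses the two kinds of output quoted above, the LDIF record that ldbsearch prints and the passwd(5) line that wbinfo -i / getent passwd print, and reports every field where what NSS resolves differs from what is stored in the directory. The two sample outputs are constructed from the values quoted in the thread (the first post and the "wbinfo -i some.user" list in the follow-up); the function and class names are my own. The point of running such a check on a DC or member server is that permissions on the sysvol tree (the poster's use case) are evaluated against the uid/gid that NSS hands out, not against the directory attributes, so a silent divergence like gidNumber 1000210377 versus a resolved GID of 100 should be caught before relying on those ACLs.

```python
"""Compare RFC2307 attributes stored in the Samba AD database (as printed by
`ldbsearch`) with what winbind/NSS resolves (as printed by `wbinfo -i` or
`getent passwd`) and report each field that differs.

Added example for the mailing-list thread; not code from Samba.  On a real
host, feed in the live output of the two commands instead of the samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: what `ldbsearch -H $sam '(cn=another.fakeuser)'
# homeDirectory loginShell gidNumber uidNumber` printed in the thread.
LDB_OUTPUT = """\
# record 1
dn: CN=another.fakeuser,OU=a,OU=Standards,OU=Utilisateurs,DC=ad,DC=dgfip
homeDirectory: /home/another.fakeuser
uidNumber: 1000210377
gidNumber: 1000210377
loginShell: /bin/bash

# returned 1 records
"""

# Constructed sample: what `wbinfo -i another.fakeuser` / `getent passwd`
# printed for the same account (gid, home and shell differ from the directory).
NSS_OUTPUT = ("another.fakeuser:*:1000210377:100:another.fakeuser:"
              "/home/AD/another.fakeuser:/bin/false")


@dataclass
class PosixIdentity:
    """The POSIX view of one account, from either source."""
    name: str
    uid: Optional[int]
    gid: Optional[int]
    home: Optional[str]
    shell: Optional[str]


def parse_ldif(text: str) -> Dict[str, str]:
    """Minimal LDIF reader: attr/value pairs of the first record only.
    Skips '#' comment lines, folds continuation lines (leading space) and
    stops at the blank line that terminates the record."""
    attrs: Dict[str, str] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            if attrs:
                break  # end of first record
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]  # folded continuation line
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def identity_from_ldif(text: str) -> PosixIdentity:
    """Build the directory-side identity; attribute names matched case-insensitively."""
    attrs = {k.lower(): v for k, v in parse_ldif(text).items()}
    # cn was not requested in the query, so take the name from the DN's first RDN.
    rdn = attrs.get("dn", "").split(",", 1)[0]
    name = rdn.split("=", 1)[1] if "=" in rdn else rdn

    def as_int(key: str) -> Optional[int]:
        v = attrs.get(key)
        return int(v) if v is not None and v.isdigit() else None

    return PosixIdentity(name, as_int("uidnumber"), as_int("gidnumber"),
                         attrs.get("homedirectory"), attrs.get("loginshell"))


def identity_from_passwd(line: str) -> PosixIdentity:
    """Parse one passwd(5)-style line as printed by getent passwd / wbinfo -i."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}")
    name, _pw, uid, gid, _gecos, home, shell = fields
    return PosixIdentity(name, int(uid), int(gid), home, shell)


def diff_identities(ldb: PosixIdentity, nss: PosixIdentity) -> List[str]:
    """One line per field where the NSS view disagrees with the directory."""
    problems: List[str] = []
    for field in ("uid", "gid", "home", "shell"):
        want, got = getattr(ldb, field), getattr(nss, field)
        if want is None:
            problems.append(f"{field}: not set in the directory (NSS resolves {got!r})")
        elif want != got:
            problems.append(f"{field}: directory has {want!r}, NSS resolves {got!r}")
    return problems


if __name__ == "__main__":
    for line in diff_identities(identity_from_ldif(LDB_OUTPUT),
                                identity_from_passwd(NSS_OUTPUT)) or ["all fields agree"]:
        print(line)
```

Run against the constructed samples it reports three disagreements (gid, home and shell) and none for uid, which is exactly the pattern the thread describes; on a live system, pipe the real `ldbsearch` and `getent passwd` output into the two parsers and treat any non-empty result as a reason to check idmap configuration before trusting file ACLs keyed on those ids.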