Hello, I may have a problem with winbind setup.

- With wbinfo -g and wbinfo -u I get all groups/users from the AD/DC.
- With getent group "Domain Users" and getent passwd "remote_user" I can see the info about the specific group and specific user.
- With getent group and getent passwd I only see my local groups/users.
- I believe that using "getent group" and "getent passwd" I must see all users, right?
- I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7.
- ps auxf shows me:

    root 24519 0.0 4.5 578196 45700 ? Ss 09:59 0:00 /usr/sbin/samba -D
    root 24527 0.0 3.2 578196 32812 ? S 09:59 0:00  \_ /usr/sbin/samba -D
    root 24529 0.0 4.7 617856 48016 ? Ss 09:59 0:00  |   \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
    root 24546 0.0 3.2 617856 32936 ? S 09:59 0:00  |       \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
    root 24536 0.0 3.2 578196 32788 ? S 09:59 0:00  \_ /usr/sbin/samba -D
    root 24541 0.0 4.5 587664 46480 ? Ss 09:59 0:00  |   \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
    root 24545 0.0 3.5 605676 36492 ? S 09:59 0:00  |       \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
    root 24555 0.0 3.6 605992 36680 ? S 10:00 0:00  |       \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground

- ls /lib64

    lrwxrwxrwx. 1 root root 19 Dez 3 11:09 /lib64/libnss_winbind.so -> libnss_winbind.so.2
    -rwxr-xr-x. 1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2

- /etc/nsswitch.conf

    passwd: files winbind
    shadow: files winbind
    group: files winbind

- smb.conf

    [global]
    workgroup = INTRANET
    realm = INTRANET.UNV
    netbios name = ITU
    server role = active directory domain controller
    dns forwarder = 10.2.3.4
    idmap_ldb:use rfc2307 = yes

    idmap config INTRANET:backend = ad
    idmap config INTRANET:schema_mode = rfc2307
    idmap config INTRANET:range = 10000-9999999

    idmap uid = 10000-9999999
    idmap gid = 1000-9999999

    # Use settings from AD for login shell and home directory
    winbind nss info = rfc2307

    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

I appreciate any help about this issue.
Thank you.

Hai,

Few things.

> idmap gid = 1000-9999999

Did you also change the start GID in the AD?
https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use

> "getent group" and "getent passwd"

On a DC, use: getent group "domain users"
shows only the group name + GID.

Your setup looks almost good, I'm only missing something like:

    ## map id's outside to domain to tdb files.
    ## map ids from the domain and (*) the range may not overlap !
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999

Greetz,

Louis

I believe there is no enumeration allowed by default whatever you use to generate system users from AD (winbind, sssd or nslcd).

Cheers,

mathias

2015-12-08 13:42 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:

> Hai,
>
> Few things.
>
> > idmap gid = 1000-9999999
> Did you also change the start GID in the AD?
> https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use
>
> > "getent group" and "getent passwd"
> On a DC, use: getent group "domain users"
> shows only the group name + GID.
>
> Your setup looks almost good, I'm only missing something like:
>
> ## map id's outside to domain to tdb files.
> ## map ids from the domain and (*) the range may not overlap !
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
>
> Greetz,
>
> Louis

On 08/12/15 12:27, Marcio Costa wrote:

> Hello, I may have a problem with winbind setup.
>
> -with wbinfo -g and wbinfo -u I get all group/user from AD/DC.
> -with getent group "Domain Users" and getent passwd "remote_user" I can see
> the info about the specific group and specific user.
> -with getent group and getent passwd I only see my local group/users.
>
> -I believe that using "getent group" and "getent passwd" I must see all
> users, right ?
>
> -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7;
> -ps auxf show me:
> root 24519 0.0 4.5 578196 45700 ? Ss 09:59 0:00 /usr/sbin/samba -D
> root 24527 0.0 3.2 578196 32812 ? S 09:59 0:00  \_ /usr/sbin/samba -D
> root 24529 0.0 4.7 617856 48016 ? Ss 09:59 0:00  |   \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root 24546 0.0 3.2 617856 32936 ? S 09:59 0:00  |       \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root 24536 0.0 3.2 578196 32788 ? S 09:59 0:00  \_ /usr/sbin/samba -D
> root 24541 0.0 4.5 587664 46480 ? Ss 09:59 0:00  |   \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> root 24545 0.0 3.5 605676 36492 ? S 09:59 0:00  |       \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> root 24555 0.0 3.6 605992 36680 ? S 10:00 0:00  |       \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>
> -ls /lib64
> lrwxrwxrwx. 1 root root 19 Dez 3 11:09 /lib64/libnss_winbind.so -> libnss_winbind.so.2
> -rwxr-xr-x. 1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2
>
> -/etc/nsswitch.conf
> passwd: files winbind
> shadow: files winbind
> group: files winbind
>
> -smb.conf
> [global]
> workgroup = INTRANET
> realm = INTRANET.UNV
> netbios name = ITU
> server role = active directory domain controller
> dns forwarder = 10.2.3.4
> idmap_ldb:use rfc2307 = yes

You might as well remove these lines below, they do nothing on a Samba DC, well they have *never* worked for me, winbind on a DC works differently from on a domain member.

>
> idmap config INTRANET:backend = ad
> idmap config INTRANET:schema_mode = rfc2307
> idmap config INTRANET:range = 10000-9999999
>
> idmap uid = 10000-9999999
> idmap gid = 1000-9999999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
>
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> I appreciate any help about this issue.
> Thank you.

If you want to use the DC for anything other than authentication and don't want to use the 3000000 numbers, you will need to give your users a uidNumber attribute containing a unique number inside the range you want to use.

Rowland

Well, that's wrong, when I do the following.

wbinfo -u
I get all my users.

wbinfo -g
I get all my groups.

getent passwd username
I get my user:UID:GID:NAME:homedir:shell

id username
gives also the correct info.. (uid= .. gid= ) groups = etc..

And I use winbind on a DC. (samba 4.2.5 sernet on debian wheezy)

Greetz,

Louis

From: mathias dufresne [mailto:infractory at gmail.com]
Sent: Tuesday 8 December 2015 14:11
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Samba4 ad dc with Centos7

I believe there is no enumeration allowed by default whatever you use to generate system users from AD (winbind, sssd or nslcd).

Cheers,

mathias

Let's keep it on the samba list, so everybody can learn from it..

You did modify nsswitch.conf

    passwd: compat winbind
    group: compat winbind

Greetz,

Louis

From: Marcio Costa [mailto:marciofoz at gmail.com]
Sent: Tuesday 8 December 2015 14:11
To: L.P.H. van Belle
Subject: Re: [Samba] Samba4 ad dc with Centos7

Hi!

-> Yes, in RSAT I've assigned:

Domain Users->properties->Unix Attributes->
    NIS: intranet
    GID: 10000

remote user->properties->Unix Attributes->
    NIS Domain: intranet
    UID: 10000
    Primary group name/GID: Domain Users

-> Did the modifications, but still not working...

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    idmap config INTRANET:backend = ad
    idmap config INTRANET:schema_mode = rfc2307
    idmap config INTRANET:range = 10000-9999999

    idmap uid = 10000-9999999
    idmap gid = 10000-9999999

It may be a missing library?

Regards
Marcio
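
Added example, not part of the thread: Louis's advice is that the default (*) range and the domain range may not overlap, and Marcio's revised smb.conf follows it. The Python sketch below checks that rule on the idmap lines as posted and confirms that the UID/GID 10000 assigned in RSAT falls inside a configured range; the function names and the embedded sample are constructed for illustration, and the legacy "idmap uid" / "idmap gid" lines are ignored.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines from Marcio's revised smb.conf in the thread.
REVISED_CONF = """\
[global]
workgroup = INTRANET
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config INTRANET:backend = ad
idmap config INTRANET:schema_mode = rfc2307
idmap config INTRANET:range = 10000-9999999
"""

RANGE_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf_text):
    """Return {DOMAIN: (low, high)} for each 'idmap config DOMAIN : range' line."""
    ranges = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment markers
            continue
        m = RANGE_RE.match(line)
        if m:
            lo, hi = int(m["lo"]), int(m["hi"])
            if lo > hi:
                raise ValueError(f"inverted range for {m['dom']}: {lo}-{hi}")
            ranges[m["dom"].upper()] = (lo, hi)
    return ranges


def find_overlaps(ranges):
    """Return the (domain, domain) pairs whose ID ranges intersect."""
    pairs = combinations(sorted(ranges.items()), 2)
    return [(a, b) for (a, (alo, ahi)), (b, (blo, bhi)) in pairs
            if alo <= bhi and blo <= ahi]


def owners_of(ranges, unix_id):
    """Domains whose range contains unix_id; more than one means a collision."""
    return sorted(d for d, (lo, hi) in ranges.items() if lo <= unix_id <= hi)


def audit(conf_text, assigned_ids=()):
    """List findings for the range layout and for IDs assigned in AD."""
    ranges = parse_idmap_ranges(conf_text)
    findings = []
    if "*" not in ranges:
        findings.append("no default '*' range defined")
    findings += [f"ranges overlap: {a} and {b}" for a, b in find_overlaps(ranges)]
    for unix_id in assigned_ids:
        if owners_of(ranges, unix_id) == []:
            findings.append(f"id {unix_id} is outside every configured range")
    return findings


if __name__ == "__main__":
    # 10000 is the UID/GID Marcio reports assigning in RSAT.
    print(audit(REVISED_CONF, assigned_ids=[10000]) or "no findings")
```

Run against the smb.conf from the first message, which has no (*) range, audit() reports the missing default range that Louis points out.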