Hi all,

We're in the process of finally moving from our aging Samba3-based infrastructure across to Samba4.

Rather than trying to migrate, we're just making a clean break so that we can do it properly from day one, as there were likely some mistakes that were made years ago we want to leave behind.

The machines under test are virtual machines running Ubuntu 14.04 LTS AMD64. I've just done an `apt-get dist-upgrade` this morning.

We've got an AD server going happily, with the relevant NIS extensions running and winbindd. All is good. I can create a user on the server, and it appears along with a UID.

> root at bnedevdc0:~# samba-tool user add testuser2 --random-password
> User 'testuser2' created successfully
> root at bnedevdc0:~# wbinfo -i testuser2
> VRTAD\testuser2:*:3000032:10000::/home/VRTAD/testuser2:/bin/false

Other users work too:

> root at bnedevdc0:~# wbinfo -i testuser
> VRTAD\testuser:*:123456:10000::/home/VRTAD/testuser:/bin/false

Now, I move across to my member server and try to repeat the two `wbinfo` commands:

> root at bnedevmail:~# wbinfo -i testuser
> testuser:*:123456:10000:testuser:/home/VRTAD/testuser:/bin/bash
> root at bnedevmail:~# wbinfo -i testuser2
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user testuser2

I can do `id` and other commands with 'testuser' as if it were a local Unix account, but not with 'testuser2'.

The only thing different about these is that when creating 'testuser', I explicitly provided --uid-number, setting it to 123456 as a test. It got stored in LDAP as uidNumber, which is fine.

Somewhere, the AD server decided upon 300032 as the UID number for 'testuser2'; however, it forgot to write that into LDAP, and so the member server can't see it. I see reference to xidNumber in places too -- it didn't bother to write that to LDAP either.

On the old server `smbldap-useradd` would take care of assigning unique user IDs, so I know Samba supports this feature.

I've checked configuration files and logs; the only thing I see is in the `winbindd` logs on the member server:

> ==> /var/log/samba/log.winbindd <==
> [2016/02/01 12:52:31.513489, 5] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>   Could not convert sid S-1-5-21-3300742366-236599213-516333450-7025: NT_STATUS_NONE_MAPPED

Yet, it's clearly mapped when I try to do the same thing on the domain controller itself. Is there something that I'm missing?

Regards,
-- 
Stuart Longland - Systems Engineer
VRT SYSTEMS
38b Douglas Street, Milton QLD 4064
T: +61 7 3535 9619  F: +61 7 3535 9699
http://www.vrt.com.au
On 01/02/16 02:52, Stuart Longland wrote:
> [...]
> Yet, it's clearly mapped when I try to do the same thing on the domain
> controller itself. Is there something that I'm missing?

Yes, the DCs and domain members work differently. On a DC, Windows users are mapped to Unix users in 'idmap.ldb'; this is where you will find the xidNumber attributes.

On a domain member, the users are mapped via winbind and there are several backends available, though only two are really used, the 'ad' and 'rid' backends. If you use the 'ad' backend, you will have to give all users that you want to be visible to Unix a uidNumber attribute, and Domain Users (at least) a gidNumber. If you use the 'rid' backend, you do not have to add anything to AD, but you may want to add the 'template' lines to smb.conf on the domain member (see man smb.conf).

You may also want to investigate using a later version of Samba; the version available from Ubuntu is old, and in fact when Samba 4.4.0 comes out (due start of March), the 4.1.x series will go EOL. You could use the latest freely available Sernet version, which will get you 4.2.x, or you could very easily compile Samba yourself; if you go down this path, you can get the latest version.

Rowland
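Rowland's point that the 'rid' backend needs nothing stored in AD comes from its mapping being pure arithmetic: the Unix ID is the SID's RID plus the low end of the configured range. The following is an added example, not code from this thread or from Samba: it parses a constructed smb.conf idmap fragment (the domain name VRTAD is from the thread; the ranges and template lines are assumed) and maps the SID from Stuart's winbindd log the way idmap_rid does, returning None when the domain is not rid-backed or the RID falls outside the range, in which case the SID stays unmapped.

```python
import re

# Constructed smb.conf fragment for a domain member using the 'rid' backend.
# The domain name VRTAD is from the thread; ranges and template lines are assumed.
SMB_CONF = """
[global]
   workgroup = VRTAD
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config VRTAD : backend = rid
   idmap config VRTAD : range = 10000-999999
   template shell = /bin/bash
   template homedir = /home/%D/%U
"""


def parse_idmap_ranges(conf):
    """Return {domain: {'backend': ..., 'range': (low, high)}} from 'idmap config' lines."""
    cfg = {}
    pattern = r"idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)"
    for dom, key, val in re.findall(pattern, conf):
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val
    return cfg


def rid_to_unix_id(sid, conf, domain):
    """Map a domain SID to a Unix ID as idmap_rid does: ID = RID + low_range_id.

    Returns None when the domain is not configured with the 'rid' backend, the SID
    is malformed, or the computed ID lies outside the configured range (unmapped).
    """
    cfg = parse_idmap_ranges(conf).get(domain)
    if cfg is None or cfg.get("backend") != "rid" or "range" not in cfg:
        return None
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if m is None:
        return None
    rid = int(m.group(1))
    low, high = cfg["range"]
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    # SID taken from the winbindd log line quoted in the thread (RID 7025).
    sid = "S-1-5-21-3300742366-236599213-516333450-7025"
    print(sid, "->", rid_to_unix_id(sid, SMB_CONF, "VRTAD"))  # 17025
```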
On 01/02/16 19:20, Rowland penny wrote:
> Yes, The DCs and domain members work differently. On a DC, windows users
> are mapped to Unix users in 'idmap.ldb', this is where you will find the
> xidNumber attributes. On a domain member, the users are mapped via
> winbind and there are several backends available, though only two are
> really used, the 'ad' & 'rid' backends. If you use the 'ad' backend, you
> will have to give all users, that you want to be visible to Unix, a
> uidNumber attribute and Domain Users (at least) a gidNumber. If you use
> the 'rid' backend, you do not have to add anything to AD, but you may
> want to add the 'template' lines to smb.conf on the domain member (see
> man smb.conf).

Sounds like the 'rid' backend may prove more flexible in many ways. I take it that using the 'rid' backend, I still get group membership information and other metadata provided?

Alternatively, is there a flag I can pass to `samba-tool` that would automatically assign a uidNumber, as this is what smbldap-tools and the good ol' useradd tools did? (e.g. adding one to the last allocated UID. Or using xidNumber, since that works too for our needs.)

> You may also want investigate using a later version of Samba, the
> version available from ubuntu is old and in fact when Samba 4.4.0 comes
> out (due start of March), the 4.1.x series will go EOL. You could use
> the latest freely available Sernet version, this will get you 4.2.x, or
> you could very easily compile Samba yourself, if you go down this path,
> you can get the latest version.

Indeed, the fun of using the stable branch of a Linux distribution. If I had my way, we'd be running Gentoo and thus have the latest Samba by default. I'll have a look at the Sernet one and see if there are any other Samba backports to Ubuntu 14.04 -- I can't be the only one facing this issue. (Probably wouldn't be hard to nick the deb sources from the upcoming Ubuntu 16.04 and re-compile them on 14.04 too.)

Regards,
-- 
Stuart Longland - Systems Engineer
VRT SYSTEMS
38b Douglas Street, Milton QLD 4064
T: +61 7 3535 9619  F: +61 7 3535 9699
http://www.vrt.com.au