samba - Aug 2016 - SOLVED: WINBIND: UID and GID false mappings on domain member

> Just provisioning with --rfc2307 isn't enough, you personally need to 
> add any required RFC2307 attributes.
But you see my test user has his attributes. From samba-tool. Do you mean
the basic objects, the templates for the user and group? If yes, how to do
it?

> Can I suggest you put dnsupdate back and then setup bind9 on the DC 
> correctly.
I will...

> You must be using an old version of samba-tool, it doesn't do that now.
Version 4.3.9 from the last fresh ubuntu LTS.
And I asked on FreeNode, they would not upgrade to the 4.4. branch if 4.3
hasn't bugs...

> No they are not: 
> 
> dn: CN=test,CN=Users,DC=humgen,DC=0zone 
> ...... 
> primaryGroupID: 513 
Oh, I hoped winbind would give me:
uidNumber: 9439 
gidNumber: 5001
... from the posix attributes

> This makes the users primary group 'Domain Users' and as such, the 
> primary group must have a gidNumber, or all your users will be ignored 
> by winbind. Do not think of changing the users primaryGroupID, windows 
> expects all users to be members of 'Domain Users' 
I'll remember this
How would behave a group mapping of "domain users" on my group 5001
(hg_allg) ?

> No, just that you have set up Samba incorrectly, you are trying to use 
> AD like you used your old NT4-style domain. 
> 
> Can I suggest that you go and read the Samba wiki:
OK, I'll set dnsupdate back and all the rest new.
I tryed to find my way around the problem with the data's posix rights.

Would be sssd a better fit for this?

Can you think of a work around, to transfer the current data with the old
unix UID/GID, so that the users will see it the same?
How should I define the new created users for this?

Thank you Rowland!




--
View this message in context:
http://samba.2283325.n4.nabble.com/WINBIND-UID-and-GID-false-mappings-on-domain-member-tp4706553p4706568.html
Sent from the Samba - General mailing list archive at Nabble.com.

On Fri, 12 Aug 2016 10:42:54 -0700 (PDT)
rawi via samba <samba at lists.samba.org> wrote:
> 
> > Just provisioning with --rfc2307 isn't enough, you personally need
> > to add any required RFC2307 attributes.
> 
> But you see my test user has his attributes. From samba-tool. Do you
> mean the basic objects, the templates for the user and group? If yes,
> how to do it?
OOPS, red face time, you are correct, they are there.
> 
> 
> > Can I suggest you put dnsupdate back and then setup bind9 on the DC 
> > correctly.
> 
> I will...
> 
> 
> > You must be using an old version of samba-tool, it doesn't do that
> > now.
> 
> Version 4.3.9 from the last fresh ubuntu LTS.
> And I asked on FreeNode, they would not upgrade to the 4.4. branch if
> 4.3 hasn't bugs...
Ubuntu will not want to materially change an LTS version and Samba
changes so fast, in fact version 4.5.0 is slated for release in min
September.
 
> 
> 
> > No they are not: 
> > 
> > dn: CN=test,CN=Users,DC=humgen,DC=0zone 
> > ...... 
> > primaryGroupID: 513 
> 
> Oh, I hoped winbind would give me:
> uidNumber: 9439 
> gidNumber: 5001
> ... from the posix attributes
> 
Well, it will use the uidNumber as the users Unix UID, but winbind will
use the gidNumber attribute from 'Domain Users' and if it isn't
found,
all users will be ignored. The gidNumber attribute will be used as
another group for the user.
> 
> > This makes the users primary group 'Domain Users' and as such,
the
> > primary group must have a gidNumber, or all your users will be
> > ignored by winbind. Do not think of changing the users
> > primaryGroupID, windows expects all users to be members of 'Domain
> > Users' 
> 
> I'll remember this
> How would behave a group mapping of "domain users" on my group
5001
> (hg_allg) ?
You don't map groups anymore
> 
> 
> > No, just that you have set up Samba incorrectly, you are trying to
> > use AD like you used your old NT4-style domain. 
> > 
> > Can I suggest that you go and read the Samba wiki:
> 
> OK, I'll set dnsupdate back and all the rest new.
> I tryed to find my way around the problem with the data's posix
> rights.
> 
> Would be sssd a better fit for this?
No, because it works pretty much like winbind.
> 
> Can you think of a work around, to transfer the current data with the
> old unix UID/GID, so that the users will see it the same?
> How should I define the new created users for this?
Well, you could try creating the users as you have done, but without
the gidNumber. Now create (or extend) your group with a gidNumber, Now
add your users to the group, now provide you copy the data over and set
the permissions correctly, I think it should work.

Rowland

I bump this only to say SOLVED and many thanks to Rowland.

Lessons learned:

1.
Indeed, my problems where related to not having a gidNumber for "Domain
Users".
After adding it I got real wbinfo --user-info on the domain member (file
server).
My test user could log in in his old home from the NT domain preserving the
old UID and GID.

2. (question = why?)
And login.bat was called at login time _only_ after moving the [netlogon]
share from the domain member to the ad-dc.
Why on earth it could not be called from the file server remains a mystery
to me.
The LDAP field scriptPath was configured:
\\member_server\netlogon\login.bat.

3.
To bind the homeDrive I had to put a colon (:) after the drive letter.

4. (question = how changing/correct surname, givenName?)
wbinfo output is slightly different on ad-dc and domain member with regard
to the Geckos

On the ad-dc:
HUMGEN\test:*:9439:5000: WT. Test --given-name=Want
To:/home/HUMGEN/test:/bin/false

The Geckos on ad-dc are composed from initials + surname + givenName.

On the domain member (real Geckos field or may be description) :
test:*:9439:5000:Want to Test://hg004.humgen.0zone/test/linhome:/bin/bash

The Geckos from the ad-dc will be sent as FullName to a joined Windows 8.1
computer.

The fields (I gave them to samba-tool by creating the test user) surname and
givenName are not visible in the output of ldbsearch.
So, how would one modify the surname after a women married and changed it?

5. (bug?)
Adding "hosts allow =" on the ad-dc breaks everything.
wbinfo will give no output on the ad-dc and an error on the domain member.

6.
After spying what dnsupdate does (rndc dumpdb -zones) I could take out the
server service dnsupdate from smb.conf and insert the records statically in
bind9. So I have all my subnet uniformly in one place (dhcp+bind,
forward+reverse) regardless if the computer or printer is in the domain or
not.

7.
The share [homes] (on the domain member) will generate after a generic
path=/path/to/homes a share like \\file-server\test and inside this is again
a directory test.
So to have the home directory content directly inside the homeDrive one has
to declare the path=/path/to/homes/%S.

8.
With a combination of chmod g+s on a directory and "inherit
permissions" in
the smb.conf I can avoid a lot of the acl default hassle and administer the
file system like in the old linux times, acl remaining a possibility.

9.
Given the developments it's pity that Ubuntu Xenial LTS won't upgrade to
the
last branch. If I move now my NT domain to 4.3 I'll stay so for the next 10
years - for fear to break something.

All the above is for all of you common knowledge.
This were now discoveries for me after sleeping the last 12 years behind an
old samba NT domain :)

Thanks to all samba team and forum helpers for making it happen again and
again.

rawi




--
View this message in context:
http://samba.2283325.n4.nabble.com/WINBIND-UID-and-GID-false-mappings-on-domain-member-tp4706553p4706722.html
Sent from the Samba - General mailing list archive at Nabble.com.