Emmanuel Florac
2017-Feb-18 12:20 UTC
[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all
I've got a Debian/Jessie Samba 4.2.14 running as an AD member. ADC is a Windows2008R2 server. Join worked without problem.

    # net ads testjoin
    Join is OK

wbinfo -u and wbinfo -g work perfectly and provide a list of users and groups from the AD as expected. wbinfo -i <user> works too:

    # wbinfo -i TESTAD\\testuser
    TESTAD\testuser:*:4294967295:4294967295:testuser:/home/TESTAD/testuser:/bin/false

Edit: something's wrong here, because wbinfo -i maps all users and groups to the id 4294967295 which is, as @TheSkunk remarked, 2^32 -1.

However getent passwd TESTAD\\testuser fails:

    # getent passwd TESTAD\\testuser
    # echo $?
    2

I can connect to the server with any AD account using smbclient:

    # smbclient //srv1/data -U TESTAD\\testuser
    Enter TESTAD\testuser's password:
    Domain=[TESTAD] OS=[Windows 6.1] Server=[Samba 4.2.14-Debian]
    smb: \> ls
      .                D        0  Fri Feb 17 16:23:04 2017
      ..               D        0  Wed Feb  1 16:47:02 2017
      test.txt         N        5  Fri Feb 17 14:38:21 2017
      popo             D        0  Fri Feb 17 16:23:04 2017

            117125466112 blocks of size 1024. 117052392484 blocks available
    smb: \>

However the connection is mapped to nobody/nogroup, and created files are owned by nobody too.

Windows machines fail to connect using any AD account. However if I create a local account with smbpasswd -a <user>, they can connect using it. However, their connection parameters, files, etc. are all mapped to nobody though the account exists locally too.

Here's the current smb.conf (as close to default as possible):

    [global]
        workgroup = TESTAD
        realm = TESTAD.lan
        server role = member server
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
        inherit permissions = Yes
        inherit acls = Yes

    [DATA]
        path = /mnt/raid/
        read only = No
        guest ok = Yes

here is /etc/nsswitch.conf (I've tried adding and removing 'winbind' from shadow, no change at all):

    # cat /etc/nsswitch.conf
    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    passwd:         compat winbind
    group:          compat winbind
    shadow:         compat winbind
    gshadow:        files

    hosts:          files mdns4_minimal [NOTFOUND=return] dns wins
    networks:       files

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

I don't understand why authentication never seems to go through winbind. I'm getting desperate, any ideas?

-- 
------------------------------------------------------------------------
Emmanuel Florac     |   Direction technique
                    |   Intellique
                    |   <eflorac at intellique.com>
                    |   +33 1 78 94 84 02
------------------------------------------------------------------------
Emmanuel Florac
2017-Feb-18 12:50 UTC
[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all
On Sat, 18 Feb 2017 13:20:52 +0100 Emmanuel Florac via samba <samba at lists.samba.org> wrote:

> I've got a Debian/Jessie Samba 4.2.14 running as an AD member. ADC is
> a Windows2008R2 server. Join worked without problem.
>
>     # net ads testjoin
>     Join is OK
>
> wbinfo -u and wbinfo -g work perfectly and provide a list of users
> and groups from the AD as expected. wbinfo -i <user> works too:
>
>     # wbinfo -i TESTAD\\testuser
>     TESTAD\testuser:*:4294967295:4294967295:testuser:/home/TESTAD/testuser:/bin/false
>
> Edit: something's wrong here, because wbinfo -i maps all users and
> groups to the id 4294967295 which is, as @TheSkunk remarked, 2^32 -1.

I've added

    idmap config * : backend = tdb
    idmap config * : range = 10000-30000

to smb.conf, and now 'wbinfo -i TESTDOMAIN\\user' returns correct ids.

I've found in the FAQ a mention of this, however it's obsolete:

    I have set up a domain member using the idmap_ad backend, but getent
    passwd and getent group does not show users or groups

    If you want to show all users and groups, you will need to add these
    lines to smb.conf:

    winbind enumerate users = yes
    winbind enumerate groups = yes

These options are not recognized by 'testparm'.

-- 
------------------------------------------------------------------------
Emmanuel Florac     |   Direction technique
                    |   Intellique
                    |   <eflorac at intellique.com>
                    |   +33 1 78 94 84 02
------------------------------------------------------------------------
Rowland Penny
2017-Feb-18 13:10 UTC
[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all
On Sat, 18 Feb 2017 13:20:52 +0100 Emmanuel Florac via samba <samba at lists.samba.org> wrote:

> I've got a Debian/Jessie Samba 4.2.14 running as an AD member. ADC is
> a Windows2008R2 server.
>
> Here's the current smb.conf (as close to default as possible):
>

Try making it look like this:

    [global]
        workgroup = TESTAD
        # note: don't use .lan
        realm = TESTAD.lan
        server role = member server
        security = ADS
        # note: not a good idea
        map to guest = Bad User
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config SAMDOM : backend = rid
        idmap config SAMDOM : range = 10000-999999
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

>
> here is /etc/nsswitch.conf (I've tried adding and removing 'winbind'
> from shadow, no change at all):

Remove it from shadow

Rowland
Rowland Penny
2017-Feb-18 13:18 UTC
[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all
On Sat, 18 Feb 2017 13:50:52 +0100 Emmanuel Florac via samba <samba at lists.samba.org> wrote:

> On Sat, 18 Feb 2017 13:20:52 +0100
> Emmanuel Florac via samba <samba at lists.samba.org> wrote:
>
>
> I've added
>
> idmap config * : backend = tdb
> idmap config * : range = 10000-30000
>
> to smb.conf, and now 'wbinfo -i TESTDOMAIN\\user' returns correct ids.

Don't rely on 'wbinfo', it is meaningless to the underlying OS, use 'getent' instead.

>
> I've found in the FAQ a mention of this, however it's obsolete:

Which FAQ, where?

>
> I have set up a domain member using the idmap_ad backend, but getent
> passwd and getent group does not show users or groups

This is correct, think about it, what if you have 500,000 users or more?

>
> If you want to show all users and groups, you will need to add these
> lines to smb.conf:
>
> winbind enumerate users = yes
> winbind enumerate groups = yes

Only do this for testing.

>
> These options are not recognized by 'testparm'.
>
>

Yes they are.

Rowland
Emmanuel Florac
2017-Feb-18 16:33 UTC
[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all
On Sat, 18 Feb 2017 13:10:36 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote:

> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 10000-999999
>

You mean TESTAD instead of SAMDOM, don't you?

-- 
------------------------------------------------------------------------
Emmanuel Florac     |   Direction technique
                    |   Intellique
                    |   <eflorac at intellique.com>
                    |   +33 1 78 94 84 02
------------------------------------------------------------------------
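
Added example (not part of any message in this thread, and not Samba project code): a small lint for the "idmap config" lines of an smb.conf, covering the three points the thread turns on: a backend with no range, a workgroup with no idmap config of its own, and overlapping ranges. The function names parse_idmap and lint_idmap are hypothetical, and the sample configurations are constructed from the settings quoted above.

```python
import re

# "idmap config DOMAIN : backend|range = value", with or without spaces around ':'
IDMAP_RE = re.compile(r"idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(.+)", re.I)

def parse_idmap(conf_text):
    """Return (workgroup, {domain: {"backend": str, "range": (low, high)}})."""
    workgroup, domains = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":   # blank, comment or section header
            continue
        m = IDMAP_RE.match(line)
        if m:
            entry = domains.setdefault(m.group(1).upper(), {})
            if m.group(2).lower() == "range":
                low, high = m.group(3).split("-")
                entry["range"] = (int(low), int(high))
            else:
                entry["backend"] = m.group(3).strip()
        elif re.match(r"workgroup\s*=", line, re.I):
            workgroup = line.split("=", 1)[1].strip().upper()
    return workgroup, domains

def lint_idmap(conf_text):
    """Hypothetical lint: list idmap problems of the kind seen in the thread."""
    workgroup, domains = parse_idmap(conf_text)
    findings = []
    if "*" not in domains:
        findings.append("*: no default idmap config")
    for dom, cfg in sorted(domains.items()):
        if "range" not in cfg:
            findings.append(f"{dom}: no range configured")
    if workgroup and workgroup not in domains:
        findings.append(f"{workgroup}: no idmap config of its own, uses the * default")
    # Sorted by lower bound: if any two ranges overlap, two neighbours overlap.
    ranged = sorted((cfg["range"], dom) for dom, cfg in domains.items() if "range" in cfg)
    for ((_, high), first), ((low, _), second) in zip(ranged, ranged[1:]):
        if low <= high:
            findings.append(f"{first} and {second}: ranges overlap")
    return findings

# Constructed samples using the settings quoted in the thread
ORIGINAL = "[global]\nworkgroup = TESTAD\nidmap config * : backend = tdb\n"
SUGGESTED = ORIGINAL + ("idmap config *:range = 2000-9999\n"
                        "idmap config SAMDOM : backend = rid\n"
                        "idmap config SAMDOM : range = 10000-999999\n")

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, lint_idmap(conf))
```

Whatever the lint reports, the resulting mapping is confirmed on the host with getent passwd for a domain user.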