Tom Robinson
2017-Jul-10 04:17 UTC
[Samba] domain member idmap wbinfo WBC_ERR_DOMAIN_NOT_FOUND
Hi,

I've done a classic upgrade from samba 3.6.23 to samba 4.6.5, bringing across all the user accounts. The samba 3.6.23 we set up with smbldap as an NT Domain with OpenLDAP. After a lot of effort the classic upgrade worked well but now I'm a bit stuck with idmapping.

The new AD DC is running 4.6.5 on CentOS7 and I can connect using ADUC. I set up a separate AD DM on another CentOS7 install but mapping IDs is confusing me.

All the users and groups brought across have 'UNIX Attributes' assigned when I check in ADUC. BUILTINs and other 'Well Known' SIDs don't.

Part of my issue may stem from the fact that the original samba 3.6 POSIX UIDs/GIDs were all low numbers (starting at around 500 and up). The accounts are legacy upon legacy, originally coming from /etc/{passwd,group} files that were manually sync'ed from host to host to host a long time ago (before my time), then brought into samba 3.6.23/OpenLDAP and now samba 4.6.5. Are these low numbered UIDs an issue?

On the DM I am getting an error: WBC_ERR_DOMAIN_NOT_FOUND when using wbinfo. This is very similar to thread:

https://lists.samba.org/archive/samba/2015-November/195991.html

On the DC:

# wbinfo -u
MY.DOM\administrator
MY.DOM\auser
MY.DOM\user2
MY.DOM\user3
...

# wbinfo -n auser
S-1-5-21-2252255531-4061614174-2474224977-2184 SID_USER (1)

# wbinfo -i auser
MY.DOM\auser:*:592:100::/home/MY.DOM/auser:/bin/false

On the DM:

# wbinfo -u
MY.DOM\administrator
MY.DOM\auser
MY.DOM\user2
MY.DOM\user3
...

# wbinfo -n auser
S-1-5-21-2252255531-4061614174-2474224977-2184 SID_USER (1)

# wbinfo -i auser
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user auser

BUT still on the DM:

# wbinfo -i MY.DOM\\auser
MY.DOM\auser:*:592:513:Adam User:/home/MY.DOM/auser:/bin/false

# getent passwd auser

(returns with $?=2, no output)

Here are my DM config files:

/etc/samba/smb.conf

[global]
security = ADS
workgroup = MY.DOM
realm = DOM.MOTEC.COM.AU

log level = 1 winbind:1 idmap:1

idmap config * : backend = tdb
idmap config * : range = 3000000-3999999
idmap config MY.DOM : backend = ad
idmap config MY.DOM : schema_mode = rfc2307
idmap config MY.DOM : range = 500-10000
idmap config MY.DOM : unix_nss_info = yes

# grep winbind /etc/nsswitch.conf
passwd: files winbind sss
group: files winbind sss

Any help is appreciated.

Kind regards,
Tom

-- 
Tom Robinson
IT Manager/System Administrator
MoTeC Pty Ltd
121 Merrindale Drive
Croydon South 3136
Victoria Australia
T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robinson at motec.com.au
Rowland Penny
2017-Jul-10 07:05 UTC
[Samba] domain member idmap wbinfo WBC_ERR_DOMAIN_NOT_FOUND
On Mon, 10 Jul 2017 14:17:42 +1000
Tom Robinson via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I've done a classic upgrade from samba 3.6.23 to samba 4.6.5, bringing across all the user accounts. The samba 3.6.23 we set up with smbldap as an NT Domain with OpenLDAP. After a lot of effort the classic upgrade worked well but now I'm a bit stuck with idmapping.
>
> The new AD DC is running 4.6.5 on CentOS7 and I can connect using ADUC. I set up a separate AD DM on another CentOS7 install but mapping IDs is confusing me.
>
> All the users and groups brought across have 'UNIX Attributes' assigned when I check in ADUC. BUILTINs and other 'Well Known' SIDs don't.
>
> Part of my issue may stem from the fact that the original samba 3.6 POSIX UIDs/GIDs were all low numbers (starting at around 500 and up). The accounts are legacy upon legacy, originally coming from /etc/{passwd,group} files that were manually sync'ed from host to host to host a long time ago (before my time), then brought into samba 3.6.23/OpenLDAP and now samba 4.6.5. Are these low numbered UIDs an issue?
>
> On the DM I am getting an error: WBC_ERR_DOMAIN_NOT_FOUND when using wbinfo. This is very similar to thread:
>
> https://lists.samba.org/archive/samba/2015-November/195991.html
>
> On the DC:
>
> # wbinfo -u
> MY.DOM\administrator
> MY.DOM\auser
> MY.DOM\user2
> MY.DOM\user3
> ...
>
> # wbinfo -n auser
> S-1-5-21-2252255531-4061614174-2474224977-2184 SID_USER (1)
>
> # wbinfo -i auser
> MY.DOM\auser:*:592:100::/home/MY.DOM/auser:/bin/false
>
> On the DM:
>
> # wbinfo -u
> MY.DOM\administrator
> MY.DOM\auser
> MY.DOM\user2
> MY.DOM\user3
> ...
>
> # wbinfo -n auser
> S-1-5-21-2252255531-4061614174-2474224977-2184 SID_USER (1)
>
> # wbinfo -i auser
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user auser
>
> BUT still on the DM:
>
> # wbinfo -i MY.DOM\\auser
> MY.DOM\auser:*:592:513:Adam User:/home/MY.DOM/auser:/bin/false
>
> # getent passwd auser
>
> (returns with $?=2, no output)
>
> Here are my DM config files:
>
> /etc/samba/smb.conf
>
> [global]
> security = ADS
> workgroup = MY.DOM
> realm = DOM.MOTEC.COM.AU
>
> log level = 1 winbind:1 idmap:1
>
> idmap config * : backend = tdb
> idmap config * : range = 3000000-3999999
> idmap config MY.DOM : backend = ad
> idmap config MY.DOM : schema_mode = rfc2307
> idmap config MY.DOM : range = 500-10000
> idmap config MY.DOM : unix_nss_info = yes
>
> # grep winbind /etc/nsswitch.conf
> passwd: files winbind sss
> group: files winbind sss
>
> Any help is appreciated.
>
> Kind regards,
> Tom
>

Before 4.6.0 all users had to use 'Domain Users' as their primary group, and so you had to give 'Domain Users' a gidNumber inside the range set in smb.conf (in your case 500-10000). From 4.6.0, you still have to do this unless you also added 'idmap config <DOMAIN> : unix_primary_group = yes' to smb.conf. You will then have to give every user a gidNumber attribute; this attribute will contain the ID number of the group you want to use for the user (which of course means the group in question will also have to have a gidNumber containing the same ID number).

The problem with using low ID numbers with Samba isn't a problem for Samba, up until something goes wrong. At this point, the only user that will be able to log in would be root; this is because you will not be able to have ANY local Unix users (or groups).

I hope that 'MY.DOM' is just a placeholder for your Netbios domain name and your real one is just one word without dots.

Why do you have sssd installed? I hope you are not using it for authentication in any way.

Rowland
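Rowland's rules above (an in-range uidNumber on every user; a gidNumber on 'Domain Users' inside the idmap range, or, with 'unix_primary_group = yes', a gidNumber on every user that matches a real group; and no local Unix IDs inside the domain's range) can be checked mechanically before a member is put into service. The script below is an added example written for this page, not code from the thread or from the Samba project. Its smb.conf text is Tom's DM [global] section plus the unix_primary_group line; the local and AD account lists are constructed to mirror the thread (the local user 'tom' at UID 1000, user2's gidNumber 20000 and user3 having no uidNumber are invented). On a real member the same data would come from smb.conf, /etc/passwd, /etc/group and an LDAP search of the domain.

```python
"""Offline sanity checks for an idmap_ad domain member (added example, not from the thread)."""
import re

# Constructed input: Tom's DM [global] section plus the unix_primary_group
# line Rowland says is needed from 4.6.0 for per-user gidNumber to be used.
SMB_CONF = """\
[global]
security = ADS
workgroup = MY.DOM
realm = DOM.MOTEC.COM.AU
idmap config * : backend = tdb
idmap config * : range = 3000000-3999999
idmap config MY.DOM : backend = ad
idmap config MY.DOM : schema_mode = rfc2307
idmap config MY.DOM : range = 500-10000
idmap config MY.DOM : unix_nss_info = yes
idmap config MY.DOM : unix_primary_group = yes
"""

# Constructed local accounts on the member; CentOS 7 gives the first
# ordinary user UID/GID 1000, which lands inside the 500-10000 range.
LOCAL_PASSWD = [("root", 0), ("nobody", 99), ("tom", 1000)]
LOCAL_GROUP = [("root", 0), ("wheel", 10), ("tom", 1000)]

# Constructed AD objects: users as (name, uidNumber, gidNumber), groups as
# (name, gidNumber); None stands for an attribute that is not set.
AD_USERS = [("auser", 592, 513), ("user2", 600, 20000), ("user3", None, 513)]
AD_GROUPS = [("Domain Users", 513), ("Domain Admins", 512), ("Domain Guests", None)]

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE)


def parse_idmap(conf):
    """Return {domain: {key: value}} for every 'idmap config' line in smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"], {})[m["key"].lower()] = m["val"]
    return cfg


def parse_range(text):
    """'500-10000' -> (500, 10000); reject an inverted range."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo > hi:
        raise ValueError(f"inverted idmap range {text!r}")
    return lo, hi


def check_ranges(cfg, local_passwd, local_group):
    """Flag overlapping idmap ranges and local IDs that sit inside a domain range."""
    findings = []
    ranges = {d: parse_range(v["range"]) for d, v in cfg.items() if "range" in v}
    doms = list(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"overlap: {a} {alo}-{ahi} and {b} {blo}-{bhi}")
    for dom, (lo, hi) in ranges.items():
        if dom == "*":
            continue
        for kind, entries in (("user", local_passwd), ("group", local_group)):
            for name, ident in entries:
                if lo <= ident <= hi:
                    findings.append(f"local {kind} {name} ({ident}) inside {dom} range {lo}-{hi}")
    return findings


def check_rfc2307(cfg, dom, users, groups):
    """Flag users/groups whose uidNumber/gidNumber winbind (idmap_ad) cannot use."""
    lo, hi = parse_range(cfg[dom]["range"])

    def in_range(n):
        return n is not None and lo <= n <= hi

    findings = []
    for name, gid in groups:
        if gid is not None and not in_range(gid):
            findings.append(f"group {name} gidNumber {gid} outside {lo}-{hi}")
    usable_gids = {gid for _, gid in groups if in_range(gid)}
    per_user_group = cfg[dom].get("unix_primary_group", "no").lower() == "yes"
    for name, uid, gid in users:
        if not in_range(uid):
            findings.append(f"user {name} uidNumber {uid} missing or outside {lo}-{hi}")
        if per_user_group and gid not in usable_gids:
            findings.append(f"user {name} gidNumber {gid} matches no in-range group")
    if not per_user_group and not in_range(dict(groups).get("Domain Users")):
        findings.append(f"Domain Users gidNumber must be inside {lo}-{hi}")
    return findings


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for f in check_ranges(cfg, LOCAL_PASSWD, LOCAL_GROUP) + check_rfc2307(cfg, "MY.DOM", AD_USERS, AD_GROUPS):
        print(f)
```

Run as-is it reports four findings: the local user and group 'tom' at 1000 inside the 500-10000 range (the kind of collision Rowland warns about), user2's gidNumber 20000 matching no in-range group, and user3 with no uidNumber. Take the unix_primary_group line out and only user3 is reported, because the primary group then comes from 'Domain Users' gidNumber 513, which is in range.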
Tom Robinson
2017-Jul-10 23:41 UTC
[Samba] domain member idmap wbinfo WBC_ERR_DOMAIN_NOT_FOUND
On 10/07/17 17:05, Rowland Penny via samba wrote:
> On Mon, 10 Jul 2017 14:17:42 +1000
> Tom Robinson via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I've done a classic upgrade from samba 3.6.23 to samba 4.6.5, bringing across all the user accounts. The samba 3.6.23 we set up with smbldap as an NT Domain with OpenLDAP. After a lot of effort the classic upgrade worked well but now I'm a bit stuck with idmapping.
>>
>> The new AD DC is running 4.6.5 on CentOS7 and I can connect using ADUC. I set up a separate AD DM on another CentOS7 install but mapping IDs is confusing me.
>>
>> All the users and groups brought across have 'UNIX Attributes' assigned when I check in ADUC. BUILTINs and other 'Well Known' SIDs don't.
>>
>> Part of my issue may stem from the fact that the original samba 3.6 POSIX UIDs/GIDs were all low numbers (starting at around 500 and up). The accounts are legacy upon legacy, originally coming from /etc/{passwd,group} files that were manually sync'ed from host to host to host a long time ago (before my time), then brought into samba 3.6.23/OpenLDAP and now samba 4.6.5. Are these low numbered UIDs an issue?
>>
>> On the DM I am getting an error: WBC_ERR_DOMAIN_NOT_FOUND when using wbinfo. This is very similar to thread:
>>
>> https://lists.samba.org/archive/samba/2015-November/195991.html
>>
>> On the DC:
>>
>> # wbinfo -u
>> MY.DOM\administrator
>> MY.DOM\auser
>> MY.DOM\user2
>> MY.DOM\user3
>> ...
>>
>> # wbinfo -n auser
>> S-1-5-21-2252255531-4061614174-2474224977-2184 SID_USER (1)
>>
>> # wbinfo -i auser
>> MY.DOM\auser:*:592:100::/home/MY.DOM/auser:/bin/false
>>
>> On the DM:
>>
>> # wbinfo -u
>> MY.DOM\administrator
>> MY.DOM\auser
>> MY.DOM\user2
>> MY.DOM\user3
>> ...
>>
>> # wbinfo -n auser
>> S-1-5-21-2252255531-4061614174-2474224977-2184 SID_USER (1)
>>
>> # wbinfo -i auser
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user auser
>>
>> BUT still on the DM:
>>
>> # wbinfo -i MY.DOM\\auser
>> MY.DOM\auser:*:592:513:Adam User:/home/MY.DOM/auser:/bin/false
>>
>> # getent passwd auser
>>
>> (returns with $?=2, no output)
>>
>> Here are my DM config files:
>>
>> /etc/samba/smb.conf
>>
>> [global]
>> security = ADS
>> workgroup = MY.DOM
>> realm = DOM.MOTEC.COM.AU
>>
>> log level = 1 winbind:1 idmap:1
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000000-3999999
>> idmap config MY.DOM : backend = ad
>> idmap config MY.DOM : schema_mode = rfc2307
>> idmap config MY.DOM : range = 500-10000
>> idmap config MY.DOM : unix_nss_info = yes
>>
>> # grep winbind /etc/nsswitch.conf
>> passwd: files winbind sss
>> group: files winbind sss
>>
>> Any help is appreciated.
>>
>> Kind regards,
>> Tom
>>
> Before 4.6.0 all users had to use 'Domain Users' as their primary group, and so you had to give 'Domain Users' a gidNumber inside the range set in smb.conf (in your case 500-10000). From 4.6.0, you still have to do this unless you also added 'idmap config <DOMAIN> : unix_primary_group = yes' to smb.conf. You will then have to give every user a gidNumber attribute; this attribute will contain the ID number of the group you want to use for the user (which of course means the group in question will also have to have a gidNumber containing the same ID number).

Hi Rowland,

Thanks for that detailed explanation. On the samba 3.6 NT Domain we have been using 'Domain Users' as the default group for all users.

I checked all my 'Well Known' users via ADSIEdit on the DC and discovered that some of them do in fact have gidNumbers assigned (sorry for that previously misleading statement):

MY.DOM
Domain Users,513
Domain Guests,514
Domain Computers,515
Domain Admins,512

BUILTIN
Administrators,544
Account Operators,548
Print Operators,550
Backup Operators,551
Replicator,552

This is confusing though... wbinfo reports the gidNumber for 'Domain Users' on the DC as 100 but on the DM as 513 (see also the wbinfo -i output in my original post for the 'default group' assigned to users, and below for the group query).

DC:

# wbinfo --group-info Domain\ Users
MY.DOM\domain users:x:100:

DM:

# wbinfo --group-info Domain\ Users    <-- still gives an error unless I provide the 'domain'
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group Domain Users

# wbinfo --group-info MY.DOM\\Domain\ Users
MY.DOM\domain users:x:513:

Why is the gidNumber 100 on the DC and 513 on the DM?

So, given that I have a gidNumber already set on 'Domain Users' and that shows up on the DM side (but only if I put the domain component in my query), why do I get the WBC_ERR_DOMAIN_NOT_FOUND error? Why is that happening and should I be concerned? Is that something to do with the gidNumber mismatch on DC/DM?

> The problem with using low ID numbers with Samba isn't a problem for Samba, up until something goes wrong. At this point, the only user that will be able to log in would be root; this is because you will not be able to have ANY local Unix users (or groups).

What do you mean by 'something goes wrong'? Can I expect that something?

> I hope that 'MY.DOM' is just a placeholder for your Netbios domain name and your real one is just one word without dots.

On Samba4 my actual REALM is MRC.MOTEC.COM.AU; the workgroup is set to MY.DOM. On samba 3.6, MY.DOM was the 'NT Domain' (workgroup setting in samba 3.6 smb.conf). During the classicupgrade I tried but couldn't change it (or did it wrong).

If I can change that during the classicupgrade and can get some pointers on how to do that, I will do the classicupgrade again. I would actually prefer it to be something simpler like MRC.

On that topic, when I joined a Windows computer to the domain I had to put in MY.DOM to join, but now that it's joined it shows MRC.MOTEC.COM.AU as the domain. Which one is the real domain?

> Why do you have sssd installed? I hope you are not using it for authentication in any way.
>

A really good question. No, I'm not using sssd and I don't even have it installed. The entry comes from an 'updated' nsswitch.conf provided through an updated package for CentOS7. It installed on the system as /etc/nsswitch.conf.rpmnew and I moved it into place. I will remove the sss entries as I don't see them as providing anything at this stage.

Kind regards,
Tom