Łukasz Michalski
2019-Jun-05 07:32 UTC
[Samba] getent group does not list domain groups - question regarding default gidNumbers on PDC
Hi List,

I am trying to set up samba PDC and samba file server for a small organization. I followed guidelines on samba wiki and Arch Linux wiki.

I have two servers (10.21.0.2 PDC and 10.21.0.1 file server) both with samba 4.10.6 installed.
I joined 10.21.0.1 as domain member and decided to use idmap_ad backend and store uid and gid numbers on PDC.

Now I have problems with id mapping configuration:

wbinfo -u works.
wbinfo -g works.
getent group does not list domain users and groups.

I logged into PDC and checked gidNumber for "Domain Users":

[root at site-ad ~]# wbinfo --name-to-sid "Domain Users"
S-1-5-21-4155694911-3186826046-1573605777-513 SID_DOM_GROUP (2)

[root at site-ad ~]# wbinfo --sid-to-gid S-1-5-21-4155694911-3186826046-1573605777-513
985 (same as 'users' unix gid on host)

And the same check for "Domain Admins":

[root at site-ad ~]# wbinfo --sid-to-gid S-1-5-21-4155694911-3186826046-1573605777-512
3000004

My file server configuration:
----------------------
[global]
security = ADS
workgroup = EXAMPLE
realm = SITE.EXAMPLE.PL

bind interfaces only = yes
interfaces = lo eno2 vboxnet0

log file = /var/log/samba/%m.log
log level = 1

winbind enum users = yes
winbind enum groups = yes

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the EXAMPLE domain
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 10000-999999
idmap config EXAMPLE:unix_nss_info = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
---------------------------

Wiki says that an uid and gid Number must be in the EXAMPLE:range, which I set to 10000-999999.
I checked all groups and besides "Domain Members" all of them have the gidNumber > 3000000.

Should I use ldbedit and change all mappings to fit inside my EXAMPLE:range?

It looks like default gidNumbers after a domain provisioning are "by design" set to be outside idmap domain range. Why?

Thanks in advance for explanations,
Łukasz
Rowland penny
2019-Jun-05 08:06 UTC
[Samba] getent group does not list domain groups - question regarding default gidNumbers on PDC
On 05/06/2019 08:32, Łukasz Michalski via samba wrote:
> Hi List,
>
> I am trying to set up samba PDC and samba file server for a small
> organization.

No you are not, you are setting up a Samba AD DC, a PDC is something entirely different.

> I followed guidelines on samba wiki and Arch Linux wiki.
>
> I have two servers (10.21.0.2 PDC and 10.21.0.1 file server) both
> with samba 4.10.6 installed.
> I joined 10.21.0.1 as domain member and decided to use idmap_ad
> backend and store uid and gid numbers on PDC.

The operative word there is 'store'

>
> Now I have problems with id mapping configuration:
>
> wbinfo -u works.
> wbinfo -g works.
> getent group does not list domain users and groups.
>
> I logged into PDC and checked gidNumber for "Domain Users":
>
> [root at site-ad ~]# wbinfo --name-to-sid "Domain Users"
> S-1-5-21-4155694911-3186826046-1573605777-513 SID_DOM_GROUP (2)

Nope, that is the 'SID-RID'

>
> [root at site-ad ~]# wbinfo --sid-to-gid
> S-1-5-21-4155694911-3186826046-1573605777-513
> 985 (same as 'users' unix gid on host)

where did the '985' come from?

>
>
> And the same check for "Domain Admins":
> [root at site-ad ~]# wbinfo --sid-to-gid
> S-1-5-21-4155694911-3186826046-1573605777-512
> 3000004

Oh good, 'Domain Admins' doesn't have a gidNumber attribute.

>
> My file server configuration:
> ----------------------
> [global]
> security = ADS
> workgroup = EXAMPLE
> realm = SITE.EXAMPLE.PL
>
> bind interfaces only = yes
> interfaces = lo eno2 vboxnet0
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> winbind enum users = yes
> winbind enum groups = yes
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the EXAMPLE domain
> idmap config EXAMPLE:backend = ad
> idmap config EXAMPLE:schema_mode = rfc2307
> idmap config EXAMPLE:range = 10000-999999
> idmap config EXAMPLE:unix_nss_info = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> # Template settings for login shell and home directory
> template shell = /bin/bash
> template homedir = /home/%U
> ---------------------------
>

Absolutely nothing wrong with that smb.conf ;-)

> Wiki says that an uid and gid Number must be in the EXAMPLE:range,
> which I set to 10000-999999
> I checked all groups and besides "Domain Members" all of them have the
> gidNumber > 3000000

Where did you check? In 'idmap.ldb' or 'sam.ldb'?

>
> Should I use ldbedit and change all mappings to fit inside my
> EXAMPLE:range?

It all depends on what and where you are planning to do your changes.

>
> It looks like default gidNumbers after a domain provisioning are "by
> design" set to be
> outside idmap domain range. Why?

I more and more think you are looking inside 'idmap.ldb' and mistaking 'xidNumber' attributes for 'uidNumber' & 'gidNumber' attributes.

Rowland

>
> Thanks in advance for explanations,
> Łukasz
>
Łukasz Michalski
2019-Jun-05 09:04 UTC
[Samba] getent group does not list domain groups - question regarding default gidNumbers on PDC
On 6/5/19 10:06 AM, Rowland penny via samba wrote:
>>
>> Now I have problems with id mapping configuration:
>>
>> wbinfo -u works.
>> wbinfo -g works.
>> getent group does not list domain users and groups.
>>
>> I logged into PDC and checked gidNumber for "Domain Users":
>>
>> [root at site-ad ~]# wbinfo --name-to-sid "Domain Users"
>> S-1-5-21-4155694911-3186826046-1573605777-513 SID_DOM_GROUP (2)
> Nope, that is the 'SID-RID'
>>
>> [root at site-ad ~]# wbinfo --sid-to-gid S-1-5-21-4155694911-3186826046-1573605777-513
>> 985 (same as 'users' unix gid on host)
> where did the '985' come from?

I think from there:

[root at site-ad ~]# ldbsearch -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-4155694911-3186826046-1573605777-513
# record 1
dn: CN=S-1-5-21-4155694911-3186826046-1573605777-513
cn: S-1-5-21-4155694911-3186826046-1573605777-513
objectClass: sidMap
objectSid: S-1-5-21-4155694911-3186826046-1573605777-513
type: ID_TYPE_GID
xidNumber: 985
distinguishedName: CN=S-1-5-21-4155694911-3186826046-1573605777-513

[root at site-ad ~]# ldbsearch -H /var/lib/samba/private/sam.ldb objectsid=S-1-5-21-4155694911-3186826046-1573605777-513 |grep gidNumber
(returns nothing)

>>
>> And the same check for "Domain Admins":
>> [root at site-ad ~]# wbinfo --sid-to-gid S-1-5-21-4155694911-3186826046-1573605777-512
>> 3000004
> Oh good, 'Domain Admins' doesn't have a gidNumber attribute.
>>
>>
> Absolutely nothing wrong with that smb.conf ;-)
>> Wiki says that an uid and gid Number must be in the EXAMPLE:range, which I set to 10000-999999
>> I checked all groups and besides "Domain Members" all of them have the gidNumber > 3000000
>
> Where did you check?
>
> In 'idmap.ldb' or 'sam.ldb'?
>
>
> I more and more think you are looking inside 'idmap.ldb' and mistaking 'xidNumber' attributes for 'uidNumber' & 'gidNumber' attributes.
>

Yes, that is the case.

I added gidNumber: 10000 to sam.ldb and now I see "Domain Users" group on member:

[root at universe ~]# getent group |grep EXAMPLE
EXAMPLE\domain users:x:10000:

Should I leave xidNumber set to 985 in idmap.ldb?
Should I add gidNumber to all groups listed by wbinfo -g?

Many thanks for your help,
Łukasz
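The confusion in this thread is between the DC's private xidNumber in idmap.ldb and the RFC2307 gidNumber/uidNumber in sam.ldb that the idmap_ad backend on a member actually reads, and the requirement that those values lie inside the member's "idmap config EXAMPLE:range" without overlapping the "*" range. The script below is an added example written for this page; it is not Samba code and not part of the thread. It parses the idmap ranges out of an smb.conf fragment and a constructed ldbsearch (LDIF-style) dump of sam.ldb modelled on the groups discussed above, and reports which groups winbind will map on the member. The function names and the sample records are assumptions made up for the example.

```python
"""Audit RFC2307 gidNumbers against the idmap ranges in smb.conf.

Added example (not Samba's code): idmap_ad maps a group on a member only
if the object in sam.ldb carries a gidNumber inside the domain range;
the xidNumber stored in the DC's idmap.ldb is never consulted by it.
"""
import re

# Constructed smb.conf fragment, mirroring the member config in the thread.
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE:backend = ad
    idmap config EXAMPLE:schema_mode = rfc2307
    idmap config EXAMPLE:range = 10000-999999
"""

# Constructed ldbsearch output from sam.ldb: 'Domain Users' after gidNumber
# 10000 was added, 'Domain Admins' with no gidNumber, and a hypothetical
# 'staff' group whose gid was set outside the EXAMPLE range.
SAM_LDB = """
# record 1
dn: CN=Domain Users,CN=Users,DC=site,DC=example,DC=pl
sAMAccountName: Domain Users
objectSid: S-1-5-21-4155694911-3186826046-1573605777-513
gidNumber: 10000

# record 2
dn: CN=Domain Admins,CN=Users,DC=site,DC=example,DC=pl
sAMAccountName: Domain Admins
objectSid: S-1-5-21-4155694911-3186826046-1573605777-512

# record 3
dn: CN=staff,CN=Users,DC=site,DC=example,DC=pl
sAMAccountName: staff
objectSid: S-1-5-21-4155694911-3186826046-1573605777-1105
gidNumber: 5000
"""

# Matches both spellings seen in smb.conf: 'idmap config * : range' and
# 'idmap config EXAMPLE:range'.
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            low, high = m.group(3).split("-")
            ranges[m.group(1)] = (int(low), int(high))
    return ranges


def parse_ldb_records(text):
    """Parse ldbsearch/LDIF output into a list of {attribute: value} dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # blank or '# record N'
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def overlapping_ranges(ranges):
    """Return pairs of idmap domains whose ranges overlap (must be empty)."""
    names = sorted(ranges)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                bad.append((a, b))
    return bad


def classify_group(record, domain_range):
    """Say whether idmap_ad (rfc2307) will map this sam.ldb group on a member."""
    gid = record.get("gidNumber")
    if gid is None:
        return "no gidNumber"           # getent group will not list it
    low, high = domain_range
    if low <= int(gid) <= high:
        return "mapped"
    return "outside domain range"       # idmap_ad ignores ids outside its range


def audit(conf, ldb_text, domain):
    """Map sAMAccountName -> mapping status for every record in the dump."""
    ranges = parse_idmap_ranges(conf)
    return {rec["sAMAccountName"]: classify_group(rec, ranges[domain])
            for rec in parse_ldb_records(ldb_text)}


if __name__ == "__main__":
    print("overlapping ranges:", overlapping_ranges(parse_idmap_ranges(SMB_CONF)))
    for name, status in audit(SMB_CONF, SAM_LDB, "EXAMPLE").items():
        print(f"{name:14s} {status}")
```

Run against real data, feed it the output of ldbsearch on sam.ldb (not idmap.ldb) for the groups wbinfo -g lists; every group reported as "no gidNumber" is one that will be missing from getent group on the member, and a gid like 5000 in the constructed 'staff' record is doubly wrong, since it also falls inside the "*" range reserved for BUILTIN mappings.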