samba - Dec 2019 - security = ads, backend = ad parameter not working in samba 4.10.10

On Thu, 2019-12-05 at 04:57 +0000, S?rgio Basto via samba
wrote:
> On Fri, 2019-11-29 at 18:33 +0000, Rowland penny via samba wrote:
> > On 29/11/2019 18:17, S?rgio Basto via samba wrote:
> > > On Fri, 2019-11-29 at 17:19 +0000, Rowland penny via samba wrote:
> > > > Lets start by removing this: krb5-server-1.15.1-
> > > > 37.el7_7.2.x86_64
> > > ATM I can't, it will remove all samba packages :)
> > 
> > Then your packages are depending on the krb5-server package, which
> > is 
> > MIT, which is experimental. This shouldn't be a problem on a Unix
> > domain 
> > member, but there is absolutely no need for it.
> > 
> > Are absolutely wedded to red-hat, it is so much easier with Debian
> > based 
> > distros ;-)
> 
> OK , removed krb5-server packages , I did a lot of things ( I can
> detail later) , and suddenly it started to work [1] it starts to work
> with one ll [2] note that the first line was not converted only the
> second but when I did the same "ll" again, I got first line
correctly
> converted [3] .
> And it start working as expect, 
Sorry , I spoke too soon getent passwd "a new user to this server"
doesn't work . 
But wbinfo -u or wbinfo -g always worked perfectly in any case , why
getent don't ?   

> now in my lab machine I still haven't
> got a successful request [4], I can't find the trick :) .
> 
> 
> [4]
>   Could not convert sid S-1-5-21-2685600491-4108878147-961307473-513:
> NT_STATUS_NONE_MAPPED
> 
> 
> 
> [2]
> ll /srv/samba/users/
> total 24
> drwx------ 2          1000011 domain users 4096 Nov  7 19:21
> administrator
> drwx------ 2 use    domain users 4096 Nov 11 12:12 use
> drwx------ 3 use2           domain users 4096 Nov  7 18:28 use2
> drwx------ 2 use3      domain users 4096 Nov  8 12:32 use3
> drwx------ 2 usee     domain users 4096 Nov  7 15:17 usee
> 
> 
> [3]
> ll /srv/samba/users/
> total 24
> drwx------ 2          administrator domain users 4096 Nov  7 19:21
> administrator
> drwx------ 2 use    domain users 4096 Nov 11 12:12 use
> drwx------ 3 use2           domain users 4096 Nov  7 18:28 use2
> drwx------ 2 use3      domain users 4096 Nov  8 12:32 use3
> drwx------ 2 usee     domain users 4096 Nov  7 15:17 usee
> 
> 
> [1]
> [2019/12/05 03:41:14.726754,  5]
> ../../source3/winbindd/winbindd_getgrgid.c:121(winbindd_getgrgid_recv
> )
>   Could not convert sid S-0-0: NT_STATUS_INVALID_SID
> [2019/12/05 03:41:14.728266,  6]
> ../../source3/winbindd/winbindd.c:969(winbind_client_request_read)
>   closing socket 23, client exited
> [2019/12/05 03:41:20.020502,  6]
> ../../source3/winbindd/winbindd.c:920(new_connection)
>   accepted socket 23
> [2019/12/05 03:41:20.020798,  3]
> ../../source3/winbindd/winbindd_misc.c:432(winbindd_interface_version
> )
>   winbindd_interface_version: [nss_winbind (9484)]: request interface
> version (version = 31)
> [2019/12/05 03:41:20.021194,  3]
> ../../source3/winbindd/winbindd_getpwuid.c:52(winbindd_getpwuid_send)
>   winbindd_getpwuid_send: [nss_winbind (9484)] getpwuid 1000011
> [2019/12/05 03:41:20.057413,  5]
> ../../source3/winbindd/winbindd_getpwuid.c:116(winbindd_getpwuid_recv
> )
>   Could not convert sid S-1-5-21-2685600491-4108878147-961307473-500:
> NT_STATUS_NO_SUCH_USER
> [2019/12/05 03:41:20.058286,  3]
> ../../source3/winbindd/winbindd_getgrgid.c:55(winbindd_getgrgid_send)
>   winbindd_getgrgid_send: [nss_winbind (9484)] getgrgid 1000000
> [2019/12/05 03:41:20.084188,  3]
> ../../source3/winbindd/winbindd_getpwuid.c:52(winbindd_getpwuid_send)
>   winbindd_getpwuid_send: [nss_winbind (9484)] getpwuid 1000012
> [2019/12/05 03:41:20.090949,  3]
> ../../source3/winbindd/winbindd_getpwuid.c:52(winbindd_getpwuid_send)
>   winbindd_getpwuid_send: [nss_winbind (9484)] getpwuid 1000001
> [2019/12/05 03:41:20.100765,  3]
> ../../source3/winbindd/winbindd_getpwuid.c:52(winbindd_getpwuid_send)
>   winbindd_getpwuid_send: [nss_winbind (9484)] getpwuid 1000016
> [2019/12/05 03:41:20.116817,  3]
> ../../source3/winbindd/winbindd_getpwuid.c:52(winbindd_getpwuid_send)
>   winbindd_getpwuid_send: [nss_winbind (9484)] getpwuid 1000017
> [2019/12/05 03:41:20.129758,  3]
> ../../source3/winbindd/winbindd_getpwuid.c:52(winbindd_getpwuid_send)
>   winbindd_getpwuid_send: [nss_winbind (9484)] getpwuid 1000004
> 
> > Rowland
> > 
> > 
> > 
> -- 
> S?rgio M. B.
> 
> 
-- 
S?rgio M. B.

On 05/12/2019 06:16, S?rgio Basto wrote:
> Sorry , I spoke too soon getent passwd "a new user to this
server"
> doesn't work .
> But wbinfo -u or wbinfo -g always worked perfectly in any case , why
> getent don't ?
>
If 'wbinfo -u' works, 'getent passwd username' doesn't, then
it points
to a lack of, or wrong, rfc2307 attributes (if you are using the 'ad' 
backend).

Any users you want to be visible to Unix, must have a uidNumber 
attribute containing a unique number inside the DOMAIN range set in 
smb.conf. You MUST also give Domain Users a gidNumber containing a 
number inside the same range.

Rowland

On Thu, 2019-12-05 at 10:15 +0000, Rowland penny via samba
wrote:
> On 05/12/2019 06:16, S?rgio Basto wrote:
> > Sorry , I spoke too soon getent passwd "a new user to this
server"
> > doesn't work .
> > But wbinfo -u or wbinfo -g always worked perfectly in any case ,
> > why
> > getent don't ?
> > 
> If 'wbinfo -u' works, 'getent passwd username' doesn't,
then it
> points 
> to a lack of, or wrong, rfc2307 attributes (if you are using the
> 'ad' 
> backend).
> 
> Any users you want to be visible to Unix, must have a uidNumber 
> attribute containing a unique number inside the DOMAIN range set in 
> smb.conf. You MUST also give Domain Users a gidNumber containing a 
> number inside the same range.
yes, I use backend = ad , if configure backend = ad with realm [1] (as
you said is wrong ) every 'getent passwd username' give me a new
uidNumber or make a new uidNumber in sequence [1].
when I  configure backend = ad with workgroup (as you said that must
have to be ) 'getent passwd username' don't produce any new id .
and in /var/log/samba/winbindd.log I see 
Could not convert sid S-1-5-21-2685600491-4108878147-961307473-2662:
NT_STATUS_NO_SUCH_USER


[1]
idmap config CORP.LOCAL : backend = ad

[2]
root at repo:~# getent passwd "vmjp01"
vmjp01:*:1000019:1000000::/srv/samba/users/vmjp01:/bin/false
root at repo:~# getent passwd "maa001"
maa001:*:1000020:1000000::/srv/samba/users/maa001:/bin/false
root at repo:~# getent passwd "tsdg01"
tsdg01:*:1000021:1000000::/srv/samba/users/tsdg01:/bin/false
root at repo:~# getent passwd "rmac01"
rmac01:*:1000022:1000000::/srv/samba/users/rmac01:/bin/false


> Rowland
> 
> 
> 
-- 
S?rgio M. B.