Rowland penny
2020-Dec-14 19:20 UTC
[Samba] Client machine not fetching user accounts from AD domain
On 14/12/2020 18:51, Z Z via samba wrote:
> I have Samba AD DC working OK with a little over 400 domain members.
> However, there is one single Debian server that's giving me trouble when I
> add him to the AD.
>
> There is a local user 'peter' with uid 905. Also there is user 'peter' in
> the AD domain with id 10300.

Which one do you want to keep?

Decide which, then delete the other, you cannot have the same user in AD and in /etc/passwd

> *id peter* (on the Debian) provides the following output:
>
> uid=905(peter) gid=905(peter)
> groups=905(peter),27(sudo),1000(domaingroup),1001(domaingroup),10001(domaingroup),1035(domaingroup)

Well it would, nsswitch checks /etc/passwd first

> So basically, it's merging local user with the domain groups, instead of
> pulling all the stuff from the AD domain.

Yes, anything that is in /etc/passwd or /etc/group (that is also in AD) will be used before the AD data

> It's not respecting the
> nsswitch.conf. Here it is:
>
> passwd: compat winbind
> group: compat winbind
> shadow: winbind files
> gshadow: winbind files

The first two lines are correct, but you shouldn't have 'winbind' in the other two lines.

> It gets even worse as I can only resolve users that have local profile.

I think by 'local profile' that you mean 'local Unix users' or users that are in /etc/passwd.

> Every other AD user isn't showing. If I try with another user, that *doesn't
> have local profile:*
> *id userfromad*
> id: ‘userfromad ’: no such user

Your computer has no idea who 'userfromad' is

> From here I'm unable to use this user in this particular member:
>
> *su userfromad*
> No passwd entry for user 'userfromad '
> (it's looking for local passwd entry, wtf)

No, it is saying that nsswitch cannot find the user

> Even though I can see and use this and every other AD user from any
> other of my 400 computers that are members of the AD DC this Debian machine
> is refusing to work properly.

Let me guess, the other computers are all Windows machines.

> Next,
>
> *wbinfo -u and wbinfo -g* provide all groups and users. So Winbind
> obviously sees them as it should.

that is meaningless to Unix

> Here's my smb.conf as well
>
> [global]
>
> workgroup = DOM
> realm = DOM.AIN
> security = ADS
>
> idmap config dom: unix_primary_group = yes
> idmap config dom : unix_nss_info = no
> idmap config dom : range = 1000-999999
> idmap config dom : schema = rfc2307
> idmap config dom : backend = ad
>
> idmap config * : range = 300-999
> idmap config * : backend = tdb

Why such low numbers for the ranges?

The '*' domain is mainly for the Well Known SIDs, so you can probably get away with 300-999, but I wouldn't use it.

Now we come to the big one, you are using the winbind 'ad' backend for the 'DOM' domain, so have you given your users a uidNumber attribute containing a unique number inside the 1000-999999 range? And have you given the 'Domain Users' group a gidNumber attribute inside the same range? And as you have 'unix_primary_group = yes', have you given your users a gidNumber attribute containing the Unix ID (gidNumber) of the group that you want to use for each user?

Rowland
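Added example, not part of the thread or of Samba itself: an offline checker for the three things Rowland's reply asks about on a member server: a local /etc/passwd entry shadowing an AD account of the same name (nsswitch answers from the local file first), 'winbind' listed for the shadow/gshadow databases, and AD users whose uidNumber/gidNumber is missing or falls outside the domain's idmap range when the winbind 'ad' backend is in use. The nsswitch.conf, /etc/passwd and smb.conf fragments and the AD_USERS table are constructed samples embedded in the script; on a real server you would read the live files and pull uidNumber/gidNumber from AD instead.

```python
# Constructed inputs modelled on the thread; not taken from any real server.
import re

NSSWITCH = """\
passwd:  compat winbind
group:   compat winbind
shadow:  winbind files
gshadow: winbind files
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
peter:x:905:905::/home/peter:
"""

SMB_CONF = """\
[global]
workgroup = DOM
realm = DOM.AIN
security = ADS
idmap config dom: unix_primary_group = yes
idmap config dom : range = 1000-999999
idmap config dom : backend = ad
idmap config * : range = 300-999
idmap config * : backend = tdb
"""

# Constructed AD view: sAMAccountName -> (uidNumber, gidNumber); None means the
# RFC2307 attribute is not set on the object.
AD_USERS = {
    "peter": (10300, 10000),
    "userfromad": (None, 10000),   # no uidNumber: the 'ad' backend cannot map it
    "alice": (2000000, 10000),     # uidNumber outside the DOM idmap range
    "bob": (20000, 10000),
}


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        db[name.strip()] = sources.split()
    return db


def parse_passwd(text):
    """Return {username: uid} from /etc/passwd-style text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            users[fields[0]] = int(fields[2])
    return users


IDMAP_RANGE = re.compile(
    r"^\s*idmap\s+config\s*(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_idmap_ranges(text):
    """Return {domain_lower: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in text.splitlines():
        m = IDMAP_RANGE.match(line)
        if m:
            ranges[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def resolve(name, nsswitch=NSSWITCH, passwd=PASSWD, smb_conf=SMB_CONF,
            ad_users=AD_USERS, domain="dom"):
    """Walk the passwd sources in nsswitch order and return (source, uid) from
    the first one that answers, or None. Models why 'id peter' shows uid 905."""
    local = parse_passwd(passwd)
    low, high = parse_idmap_ranges(smb_conf)[domain]
    for source in parse_nsswitch(nsswitch).get("passwd", []):
        if source in ("files", "compat") and name in local:
            return (source, local[name])
        if source == "winbind" and name in ad_users:
            uid = ad_users[name][0]
            # with 'backend = ad', winbind only maps a uidNumber inside the range
            if uid is not None and low <= uid <= high:
                return ("winbind", uid)
    return None


def run_checks(nsswitch=NSSWITCH, passwd=PASSWD, smb_conf=SMB_CONF,
               ad_users=AD_USERS, domain="dom"):
    """Return a sorted list of (finding, subject) tuples for the member server."""
    findings = []
    db = parse_nsswitch(nsswitch)
    for database in ("shadow", "gshadow"):
        if "winbind" in db.get(database, []):
            findings.append(("winbind-listed-for", database))
    local = parse_passwd(passwd)
    for name in set(local) & set(ad_users):
        findings.append(("local-entry-shadows-ad-user", name))
    low, high = parse_idmap_ranges(smb_conf)[domain]
    for name, (uid, gid) in ad_users.items():
        if uid is None:
            findings.append(("missing-uidNumber", name))
        elif not low <= uid <= high:
            findings.append(("uidNumber-out-of-range", name))
        if gid is None:
            findings.append(("missing-gidNumber", name))
        elif not low <= gid <= high:
            findings.append(("gidNumber-out-of-range", name))
    return sorted(findings)


if __name__ == "__main__":
    for finding in run_checks():
        print("%-28s %s" % finding)
    for user in ("peter", "userfromad", "alice", "bob"):
        print("id", user, "->", resolve(user))
```

With the sample data, `resolve("peter")` comes back from `compat` with uid 905, exactly the symptom in the thread, while `userfromad` (no uidNumber) and `alice` (uidNumber outside 1000-999999) resolve to nothing even though `wbinfo -u` would still list them, since wbinfo enumerates AD objects rather than Unix ID mappings.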
Z Z
2020-Dec-14 20:14 UTC
[Samba] Client machine not fetching user accounts from AD domain
Greetings Rowland.

I'm a bit confused because I have another Debian server, joined pretty much the same way (having a single local user with a matching name) but this time, on this computer the AD record is honored first (*id peter* provides ALL the records from the AD, even though there's a local one with a local uid):

*cat /etc/passwd:*
*peter:x:905:905::/home/peter:*

Almost all of my domain members are CentOS machines, that's why I'm not very familiar with Debian.

And yes, since I'm using the 'ad' backend I've manually added uidNumber, gid attributes and they are within the specified range. As I mentioned, this config works flawlessly on many other machines.

I'm starting to think that something is wrong with the Debian itself. It's a 9.4 version with Samba v 4.5.16.

On Mon, Dec 14, 2020 at 9:21 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 14/12/2020 18:51, Z Z via samba wrote:
> > I have Samba AD DC working OK with a little over 400 domain members.
> > However, there is one single Debian server that's giving me trouble when I
> > add him to the AD.
> >
> > There is a local user 'peter' with uid 905. Also there is user 'peter' in
> > the AD domain with id 10300.
>
> Which one do you want to keep?
>
> Decide which, then delete the other, you cannot have the same user in AD
> and in /etc/passwd
>
> > *id peter* (on the Debian) provides the following output:
> >
> > uid=905(peter) gid=905(peter)
> > groups=905(peter),27(sudo),1000(domaingroup),1001(domaingroup),10001(domaingroup),1035(domaingroup)
>
> Well it would, nsswitch checks /etc/passwd first
>
> > So basically, it's merging local user with the domain groups, instead of
> > pulling all the stuff from the AD domain.
>
> Yes, anything that is in /etc/passwd or /etc/group (that is also in AD)
> will be used before the AD data
>
> > It's not respecting the
> > nsswitch.conf.