Craig Green
2010-May-04 06:59 UTC
[Samba] Query re winbind, primary group enumeration from Active Directory and Services For Unix
I am wondering if anyone can explain to me how the GIDs work when using winbind to extract them from an ADS server.

I have Unix servers running AIX 5.3 ML-10 and an ADS server running Win 2003-SP2 with SFU 3.5 installed. I have been configuring the Unix servers as domain members and using winbind to extract the user id and primary group from the AD and SFU. This in theory would supply consistent uids and gids for the domain user accounts when logging into the Unix servers.

I have been able to compile samba 3.4.7 with ADS support successfully. I have also used version 3.4.7 from the pware site and get the same issues.

I have modified the /usr/security/user file to use WINBIND. I have modified the /usr/lib/security/methods.cfg file to include a stanza for WINBIND. I can obtain a kerberos ticket successfully (kinit valid-aduser). I can join the domain successfully (net ads join -Uvalid-ad-user). I can run wbinfo -t, -u, -g, -i, etc. successfully.

Using "wbinfo -i valid-ad-user" returns the correct information as stored under the user's properties SFU tab. If I change these settings, e.g. home directory, primary group name/gid or login shell, they are reflected correctly by a subsequent "wbinfo -i". That is, they are correctly extracted/obtained from the ADS server.

However, when I try to open a telnet session to the Unix server I have a problem if the PGID is not related back to an actual group as stored within the AD. That is, if I set the PGID to 208, which is a valid group id within the group file on the Unix server but is not a valid group id within the AD, I cannot telnet to the Unix server. The -i option of wbinfo shows the correct group id. E.g.:

  wbinfo -i valid-ad-user
  valid-ad-user:*:1009:208::/home/support/abc:/bin/ksh

When I try and open a telnet session I get the following error:

  3004-010 Failed setting terminal ownership and mode.
Browsing the www indicates that this problem is due to an invalid group id, i.e. that the id is not stored within the group file. But it is a valid group id. If I change the gid to be 10001, which according to samba is BUILTIN\users, e.g.:

  wbinfo --gid-info=10001
  BUILTIN\users:x:10001

I can open a telnet session without any problems.

My understanding from reading the smb.conf man page is that for samba (aka winbind) to extract the home directory, login shell, UID and GID from the ADS server you need to specify the option "winbind nss info" and either "idmap backend = ad" or "idmap config DOMAIN:backend = ad" as well. I have these entries in the smb.conf file:

  idmap config ULTRADATA : default = yes
  idmap config ULTRADATA : backend = ad
  idmap config ULTRADATA : range = 200-9999
  idmap config ULTRADATA : schema_mode = sfu
  winbind nss info = sfu

With these settings the userid that is extracted is the one that gets used when a successful telnet session is made. However the GID appears to be ignored. It looks like the GID must be one that is allocated to a valid group that is on the ADS server.

What entries do I need to make in the smb.conf file to have samba/winbind use the group id as stored on the ADS server?
I have included what I think is the pertinent info from the global section of the smb.conf file:

  workgroup = REALMNAME
  security = ADS
  realm = REALMNAME.COM.AU
  encrypt passwords = Yes
  password server = 172.16.xx.xxx
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  log file = /etc/samba/var/%L-%m.log
  log level = 5
  interfaces = en0 lo0
  bind interfaces only = yes
  name resolve order = host wins bcast
  keepalive = 30
  os level = 0
  lm announce = False
  preferred master = False
  local master = No
  domain master = False
  wins server = 172.16.xx.xxx
  unix extensions = no
  auth methods = winbind
  idmap uid = 10000-200000
  idmap gid = 10000-200000
  idmap config REALMNAME : default = yes
  idmap config REALMNAME : backend = ad
  idmap config REALMNAME : range = 200-9999
  idmap config REALMNAME : schema_mode = sfu
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  winbind nss info = sfu
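The check the post performs by hand (read the primary GID from "wbinfo -i", then see whether winbind's group list or the local group file knows that GID) can be scripted. The script below is an added example and is not from the original post or from Samba. It works on passwd(5)- and group(5)-formatted text passed in as strings, so it runs offline on the constructed samples embedded in it; apart from the GIDs 208 and 10001 quoted in the post, the group names and numbers in those samples are made up. In real use, feed it the output of "wbinfo -i USER", "wbinfo -g" / "getent group", and the contents of /etc/group.

```shell
#!/bin/sh
# Added diagnostic (not part of the original post or of Samba):
# classify a user's primary GID by which group source can resolve it.
# All input is text in passwd(5)/group(5) format, so the functions can be
# run offline on the constructed samples below.

# Constructed sample data, modelled on the lines quoted in the post.
SAMPLE_PASSWD='valid-ad-user:*:1009:208::/home/support/abc:/bin/ksh'

# Constructed: what "wbinfo -g" / "getent group" via winbind might list.
# Only BUILTIN\users:10001 is taken from the post; the rest is made up.
SAMPLE_WINBIND_GROUPS='BUILTIN\users:x:10001:
BUILTIN\administrators:x:10000:
REALMNAME\domain users:x:10002:'

# Constructed: a local /etc/group containing gid 208 (as in the post).
SAMPLE_LOCAL_GROUPS='system:!:0:root
staff:!:1:
support:!:208:abc'

# primary_gid PASSWD_LINE
#   Prints field 4 of a passwd(5) line, i.e. the primary GID.
primary_gid() {
    printf '%s\n' "$1" | cut -d: -f4
}

# gid_in GID GROUP_TEXT
#   Exit 0 if any group(5) line in GROUP_TEXT has GID in field 3.
#   Group names containing backslashes (DOMAIN\group) are fine because
#   the split is on ':' only and printf '%s' does not interpret escapes.
gid_in() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '
        $3 == g { found = 1 }
        END     { exit (found ? 0 : 1) }'
}

# classify_gid PASSWD_LINE WINBIND_GROUPS LOCAL_GROUPS
#   Prints one of:
#     winbind     - winbind can resolve the GID (the 10001 case in the post)
#     local-only  - only the local group file knows it (the 208 case)
#     unresolved  - neither source knows it
classify_gid() {
    gid=$(primary_gid "$1")
    if gid_in "$gid" "$2"; then
        echo winbind
    elif gid_in "$gid" "$3"; then
        echo local-only
    else
        echo unresolved
    fi
}

# Stand-alone run on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    printf 'gid %s: %s\n' \
        "$(primary_gid "$SAMPLE_PASSWD")" \
        "$(classify_gid "$SAMPLE_PASSWD" "$SAMPLE_WINBIND_GROUPS" "$SAMPLE_LOCAL_GROUPS")"
fi
```

Running it against live data would look like `classify_gid "$(wbinfo -i valid-ad-user)" "$(wbinfo -g | xargs -I{} wbinfo --group-info={})" "$(cat /etc/group)"`; a result of local-only for a GID that sits inside the domain's idmap range is exactly the situation the post describes, since winbind then has no SID to map that GID back to.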