On 19.10.2010 16:50, Adrian Graham wrote:
> Folks,
>
> Having some fun with winbind on Samba 3.5.5 on RHEL5 and/or Centos5.
> I've got it working so ssh logins work correctly and file permissions
> are seemingly correct with created files etc. Backend authentication
> is from a Win2K3R2 box running RFC2372 extensions (ie not SFU) and all
> UIDs etc are assigned for the users who need them.
>
> However, wbinfo returns some interesting things. We're in a reasonably
> sized AD forest and there seems to be some ID mashing going on. If I
> do wbinfo -u it will sniff out the entire forest and return anything
> it's allowed to as well as the local domain, obviously this can be
> filtered by using --domain=DOMAIN which sometimes works well, groups
> also.
>
> Things that don't work:
>
> wbinfo -i returns "could not get info for user"
> wbinfo -r returns "could not get groups for user"
> wbinfo -Y returns "could not convert sid"
> wbinfo --user-sidinfo returns "couldn't get info for user"
> wbinfo --user-sids also returns failure.
>
> Things that do:
>
> wbinfo -S my-username-SID correctly returns my UID of 666
> wbinfo -s my-username-SID correctly returns DOMAIN+Username
> getent group
> getent passwd
>
> Wish I could remember what I changed, but at some point wbinfo -u
> username DID work but returned a UID of 147, no idea where it got that
> from as I even deleted the idmap cache files etc. Also if I browse to
> a share and create a file it ends up with the UID/GID of a user in a
> completely different domain!
>
> Current smb.conf:
>
> [global]
>
> workgroup = CAM
> realm = CAM.CW.LOCAL
> server string = test-samba server (CentOS 5)
> interfaces = 127.0.0.1, eth0
> bind interfaces only = Yes
> security = ADS
> map to guest = Bad User
> password server = 172.31.134.30
> log level = 100
> log file = /var/log/samba/%m.log
> printcap name = cups
> wins server = 172.31.134.30
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template shell = /bin/bash
> winbind separator = +
> winbind cache time = 5
> winbind use default domain = Yes
> winbind trusted domains only = Yes
> idmap config CAM: range = 100-9999
> idmap config CAM: backend = ad
> idmap config CAM: schema_mode = rfc2307
> idmap config CAM: default = yes
>
> [homes]
> comment = Home Directories
> read only = No
> create mask = 0664
> directory mask = 0775
> browseable = No
>
> [docs]
> path = /usr/share/doc/samba3/htmldocs
> guest ok = Yes
>
> Anyone? Kerberos seems to be acting ok too, otherwise SSH logins
> wouldn't work?
>
Something is broken in winbind in Samba 3.5. I tried Samba 3.5.3, 3.5.4 and
the latest 3.5.6 and I have problems. For example: I connect to a Samba
share (Samba is a member of AD) from Windows 7 x86_64 and when I create a
file, root is the owner, but it should be me (the user that connects to this
share).
For me it is messy. Again I switched back to Samba 3.4.9 to use winbind.
Samba 3.5.6 has broken ACLs too - when I try to change and populate ACLs
through the directories I get an error: bad argument, and the operation stops.
So many hours spent on it.
I.Piasecki
--