Jason Michaelson
2013-Aug-20 21:31 UTC
[Samba] Samba 4.0.9 winbind isn't passing through uid and gid numbers from Win 2003 R2
List,

I've seen this problem in the list archives before, but the only problems I can easily find are using Samba 4 as the DC. In my case, I'm trying to add a Debian Wheezy member server (running the 4.0.9 packages from enterprise samba) into an existing AD domain where the DC's are running Windows Server 2003 R2.

Every GID and UID coming back out of getent passwd is coming out as 4294967295:

    user:*:4294967295:4294967295:User:/home/DOMAIN/user:/bin/bash

I know the uid's and gid's are set up properly in Windows as the following:

    net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory sAMAccountName uidNumber gidNumber -P

shows for instance:

    sAMAccountName: user
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=the-four-horsemen,DC=org
    uidNumber: 10004
    gidNumber: 10004

I can see in the winbindlog the gid at least coming back as the wrong number:

    userinfos: struct wbint_userinfo
        acct_name   : *
            acct_name   : 'user'
        full_name   : *
            full_name   : 'User'
        homedir     : *
            homedir     : '/home/%D/%U'
        shell       : *
            shell       : '/bin/bash'
        primary_gid : 0x00000000ffffffff (4294967295)
        user_sid    : S-1-5-21-961088282-1536782563-3813629767-1135
        group_sid   : S-1-5-21-961088282-1536782563-3813629767-513

The global portion of my smb.conf file is below. Looking through the log files, winbindd is built from sources3, while I know the source is showing the uidNumber and gidNumber in sources4.

I'm a software engineer, so I've got no problems getting down into the code and gdb, but if this is a simple misconfiguration on my part that'd be so much better :)

    [global]
        server role = member server
        winbind enum users = yes
        winbind enum groups = yes
        log level =14
        client NTLMv2 auth = yes
        map acl inherit = yes
        follow symlinks = yes
        workgroup = DOMAIN
        server string = %h server
        dns proxy = no
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        security = ads
        realm = domain.org
        encrypt passwords = yes
        idmap cache time = 1800
        idmap config FOUR-HORSEMEN:backend = ad
        idmap config FOUR-HORSEMEN:schema_mode = rfc2307
        idmap config FOUR-HORSEMEN:default = yes
        idmap config FOUR-HORSEMEN:range = 10000-20000
        idmap config FOUR-HORSEMEN:cache time = 1800
        idmap_ldb:user_rfc2307 = yes
        template shell = /bin/bash
        template homedir = /home/%D/%U
        winbind use default domain = yes
        winbind offline logon = false
        winbind normalize names = yes
        winbind refresh tickets = yes
        winbind normalize names = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = Yes
        winbind cache time = 180
        winbind trusted domains only = no
        winbind separator = +
        encrypt passwords = true
        passdb backend = tdbsam
        obey pam restrictions = yes
        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\s successfully* .
        pam password change = yes
steve
2013-Aug-20 21:42 UTC
[Samba] Samba 4.0.9 winbind isn't passing through uid and gid numbers from Win 2003 R2
On Tue, 2013-08-20 at 16:31 -0500, Jason Michaelson wrote:
> idmap cache time = 1800
> idmap config FOUR-HORSEMEN:backend = ad
> idmap config FOUR-HORSEMEN:schema_mode = rfc2307
> idmap config FOUR-HORSEMEN:default = yes
> idmap config FOUR-HORSEMEN:range = 10000-20000
> idmap config FOUR-HORSEMEN:cache time = 1800

add this:

    idmap config *:backend = tdb
    idmap config *:range = 20001-20100

hth
Steve
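An added example, not part of the thread and not Samba code: a small Python check that reads the `idmap config` lines of an smb.conf, reports a missing `*` default domain and overlapping ranges, and flags `getent passwd` entries carrying 4294967295. The function names are hypothetical; `POSTED` is an excerpt of the configuration in the first message and `SUGGESTED` is that excerpt plus the two lines from the reply.

```python
import re

UNMAPPED = "4294967295"  # 0xffffffff, the uid/gid value shown in the post
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(.+?)\s*=\s*(.+?)\s*$", re.I)

# Excerpt of the posted smb.conf, then the same with the reply's two lines.
POSTED = """\
idmap config FOUR-HORSEMEN:backend = ad
idmap config FOUR-HORSEMEN:schema_mode = rfc2307
idmap config FOUR-HORSEMEN:range = 10000-20000
"""
SUGGESTED = POSTED + """\
idmap config *:backend = tdb
idmap config *:range = 20001-20100
"""

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def check_idmap(conf_text):
    """List problems: no '*' default domain, missing or overlapping ranges."""
    domains = parse_idmap(conf_text)
    problems = [] if "*" in domains else ["no 'idmap config *' default domain"]
    ranges = []
    for dom, opts in sorted(domains.items()):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if m:
            ranges.append((int(m.group(1)), int(m.group(2)), dom))
        else:
            problems.append(f"{dom}: no valid range")
    ranges.sort()  # any overlap shows up between sorted neighbours
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"{d1} and {d2}: ranges overlap")
    return problems

def unmapped_accounts(getent_text):
    """Names of passwd entries whose uid or gid field is 4294967295."""
    rows = [line.split(":") for line in getent_text.splitlines()]
    return [f[0] for f in rows if len(f) >= 4 and UNMAPPED in f[2:4]]

if __name__ == "__main__":
    print(check_idmap(POSTED))
    print(check_idmap(SUGGESTED))
```

Feed `check_idmap` the output of `testparm -s` and `unmapped_accounts` the output of `getent passwd` to run the same checks on a live member server.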