After the 'you should use winbind saga', I decided that I needed to learn about using winbind with samba 4 clients.

So I created a VM running ubuntu 12.04 server and installed and compiled samba 4 to use as a test client.

created /usr/local/samba/etc/smb.conf

[global]
workgroup = EXAMPLE
security = ADS
realm = EXAMPLE.COM
encrypt passwords = yes
server string = %h server (Samba)
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 1000-40000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user

Set up pam etc and started the three samba daemons, checked they were running via 'ps ax'.

My domain users' uidNumbers start at 10000, so they are within 1000-40000.

BUT, getent passwd & group did not return anything, although wbinfo -u & -g did return the domain users & groups.

Gave it a bit of thought; now I gave Domain Users the gidNumber of '100' i.e. 'users' on my linux box, so I altered 'idmap config EXAMPLE:range = 1000-40000' to 'idmap config EXAMPLE:range = 0-40000' and restarted the daemons.

Winbind now works, so from this, I surmise that a user needs both a uidNumber & gidNumber before the ad backend will extract them from AD and both need to be inside the range supplied.

This sort of begs the question, if you are using the ad backend and presumably have already given your users & groups a uidNumber &/or a gidNumber, why does winbind need the range line at all for the domain? Shouldn't winbind just extract any and all records, where the object has the required RFC2307 attributes?

There is still one problem though, 'getent group' still does not return anything, but 'getent group <a group name>' does.

And you wonder why I tell everybody to use that package I cannot name! it just works.

Rowland
On Sat, 2014-02-01 at 09:35 +0000, Rowland Penny wrote:
> After the 'you should use winbind saga', I decided that I needed to learn
> about using winbind with samba 4 clients.
>
> So I created a VM running ubuntu 12.04 server and installed and compiled
> samba 4 to use as a test client.
>
> created /usr/local/samba/etc/smb.conf
>
> [global]
> workgroup = EXAMPLE
> security = ADS
> realm = EXAMPLE.COM
> encrypt passwords = yes
> server string = %h server (Samba)
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config EXAMPLE:backend = ad
> idmap config EXAMPLE:schema_mode = rfc2307
> idmap config EXAMPLE:range = 1000-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> map to guest = bad user
>
> Set up pam etc and started the three samba daemons, checked they were
> running via 'ps ax'
>
> My domain users' uidNumbers start at 10000, so they are within 1000-40000
>
> BUT, getent passwd & group did not return anything, although wbinfo -u &
> -g did return the domain users & groups.
>
> Gave it a bit of thought, now I gave Domain Users the gidNumber of '100'
> i.e. 'users' on my linux box, so I altered 'idmap config EXAMPLE:range =
> 1000-40000' to 'idmap config EXAMPLE:range = 0-40000' and restarted the
> daemons.
>
> Winbind now works, so from this, I surmise that a user needs both a
> uidNumber & gidNumber before the ad backend will extract them from AD
> and both need to be inside the range supplied.

Hi Rowland

Thanks for the effort and can we confirm this behaviour. You have put into words what must have been many a confusing 'it still doesn't work' many times before. I can't find any reference to winbind needing BOTH uidNumber and gidNumber to be within the range.

For those that have only included the uidNumber attribute in AD, this will never have getent return. Both must be specified.

> This sort of begs the question, if you are using the ad backend and
> presumably have already given your users & groups a uidNumber &/or a
> gidNumber, why does winbind need the range line at all for the domain?
> Shouldn't winbind just extract any and all records, where the object has
> the required RFC2307 attributes?

It doesn't make sense to have to specify the range. A more predictable behaviour for us would be to simply use whatever the administrator has specified in AD. Forget the ranges. I think they are there as a throwback to the days when id mapping was always done outside AD. Now we have the attributes at our disposal, could we get rid of them?

> There is still one problem though, 'getent group' still does not return
> anything, but 'getent group <a group name>' does.

We have never got getent group to return with any version of winbind since 3.5.something.

> And you wonder why I tell everybody to use that package I cannot name!
> it just works.

We don't wonder. Were it not for you guys, we'd still be struggling to come to terms with anything 2307ish! Thanks again for your plain English. I wish that our descriptive powers were on a par with yours.

Steve pp.

> Rowland
On 2014-02-01 22:35, Rowland Penny wrote:
> After the 'you should use winbind saga', I decided that I needed to
> learn about using winbind with samba 4 clients.
>
> So I created a VM running ubuntu 12.04 server and installed and
> compiled samba 4 to use as a test client.
>
> created /usr/local/samba/etc/smb.conf
>
> [global]
> workgroup = EXAMPLE
> security = ADS
> realm = EXAMPLE.COM
> encrypt passwords = yes
> server string = %h server (Samba)
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config EXAMPLE:backend = ad
> idmap config EXAMPLE:schema_mode = rfc2307
> idmap config EXAMPLE:range = 1000-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> map to guest = bad user
>
> Set up pam etc and started the three samba daemons, checked they were
> running via 'ps ax'
>
> My domain users' uidNumbers start at 10000, so they are within
> 1000-40000
>
> BUT, getent passwd & group did not return anything, although wbinfo -u
> & -g did return the domain users & groups.
>
> Gave it a bit of thought, now I gave Domain Users the gidNumber of
> '100' i.e. 'users' on my linux box, so I altered 'idmap config
> EXAMPLE:range = 1000-40000' to 'idmap config EXAMPLE:range = 0-40000'
> and restarted the daemons.
>
> Winbind now works, so from this, I surmise that a user needs both a
> uidNumber & gidNumber before the ad backend will extract them from AD
> and both need to be inside the range supplied.
>
> This sort of begs the question, if you are using the ad backend and
> presumably have already given your users & groups a uidNumber &/or a
> gidNumber, why does winbind need the range line at all for the domain?
> Shouldn't winbind just extract any and all records, where the object
> has the required RFC2307 attributes?
>
> There is still one problem though, 'getent group' still does not
> return anything, but 'getent group <a group name>' does.
>
> And you wonder why I tell everybody to use that package I cannot name!
> it just works.
>
> Rowland

Rowland

I don't have a test system that I can check this on at the moment, but I vaguely remember that I found that 'getent group' doesn't return any of the AD groups if there is a (and there only needs to be one) group in AD that does not have a gidNumber assigned. Again I vaguely remember that the first group that doesn't have a gidNumber assigned is logged somewhere (sorry, can't remember which log or exactly what the message was, grep the logs for the group name) when you do the 'getent group'. Give that group a gidNumber and the next time you run 'getent group' the next group that doesn't have a gidNumber will be logged, etc., etc., ... until all the groups have a gidNumber. Then 'getent group' works.

Mike
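An added check, not code from the thread or from Samba: a small Python script that reads the domain's idmap range out of an smb.conf fragment and reports every user or group whose uidNumber or gidNumber is unset or falls outside that range, i.e. the objects that Rowland found the ad backend dropping and the groups that Mike found stopping 'getent group' enumeration. The smb.conf text and the AD objects are constructed here to mirror the thread.

```python
import re

# Constructed smb.conf fragment modelled on the one in the thread (not Rowland's actual file).
SMB_CONF = """[global]
workgroup = EXAMPLE
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 1000-40000
"""

# Constructed AD objects showing only the RFC2307 attributes the ad backend reads; None = unset.
USERS = [
    {"name": "alice", "uidNumber": 10000, "gidNumber": 100},    # primary group is local 'users'
    {"name": "bob", "uidNumber": 10001, "gidNumber": None},     # gidNumber never set in AD
    {"name": "carol", "uidNumber": 10002, "gidNumber": 10000},
]
GROUPS = [
    {"name": "Domain Users", "gidNumber": 100},
    {"name": "staff", "gidNumber": 10000},
    {"name": "printers", "gidNumber": None},                    # one such group breaks 'getent group'
]

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN:range = low-high', or raise if it is absent."""
    pattern = rf"^\s*idmap config {re.escape(domain)}:range\s*=\s*(\d+)\s*-\s*(\d+)\s*$"
    m = re.search(pattern, conf, re.MULTILINE)
    if not m:
        raise ValueError(f"no idmap range configured for domain {domain}")
    return int(m.group(1)), int(m.group(2))

def audit(conf, domain, users, groups):
    """List every object winbind would leave out: an unset or out-of-range uidNumber/gidNumber."""
    low, high = idmap_range(conf, domain)

    def bad(value):
        return value is None or not (low <= value <= high)

    problems = []
    for u in users:
        for attr in ("uidNumber", "gidNumber"):   # both must be set and inside the range
            if bad(u[attr]):
                problems.append(f"user {u['name']}: {attr}={u[attr]} not in {low}-{high}")
    for g in groups:
        if bad(g["gidNumber"]):
            problems.append(f"group {g['name']}: gidNumber={g['gidNumber']} not in {low}-{high}")
    return problems
```

With the range as first configured, the audit flags alice and Domain Users (gidNumber 100 below 1000) plus bob and printers (no gidNumber); widening the range to 0-40000 as Rowland did clears the first two and leaves the two unset attributes.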
Awesome, you have found the same problem as me. See my post "getent passwd and winbind not work".

-----------------------------------
Stéphane PURNELLE
Systems and Network Administrator
IT Department
Corman S.A.
Tel : 00 32 (0)87/342467

samba-bounces at lists.samba.org wrote on 01/02/2014 10:35:14:

> From: Rowland Penny <rowlandpenny at googlemail.com>
> To: sambalist <samba at lists.samba.org>,
> Date: 01/02/2014 10:35
> Subject: [Samba] Samba 4.1.4 and winbind
> Sent by: samba-bounces at lists.samba.org
>
> After the 'you should use winbind saga', I decided that I needed to learn
> about using winbind with samba 4 clients.
>
> So I created a VM running ubuntu 12.04 server and installed and compiled
> samba 4 to use as a test client.
>
> created /usr/local/samba/etc/smb.conf
>
> [global]
> workgroup = EXAMPLE
> security = ADS
> realm = EXAMPLE.COM
> encrypt passwords = yes
> server string = %h server (Samba)
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config EXAMPLE:backend = ad
> idmap config EXAMPLE:schema_mode = rfc2307
> idmap config EXAMPLE:range = 1000-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> map to guest = bad user
>
> Set up pam etc and started the three samba daemons, checked they were
> running via 'ps ax'
>
> My domain users' uidNumbers start at 10000, so they are within 1000-40000
>
> BUT, getent passwd & group did not return anything, although wbinfo -u &
> -g did return the domain users & groups.
>
> Gave it a bit of thought, now I gave Domain Users the gidNumber of '100'
> i.e. 'users' on my linux box, so I altered 'idmap config EXAMPLE:range =
> 1000-40000' to 'idmap config EXAMPLE:range = 0-40000' and restarted the
> daemons.
>
> Winbind now works, so from this, I surmise that a user needs both a
> uidNumber & gidNumber before the ad backend will extract them from AD
> and both need to be inside the range supplied.
>
> This sort of begs the question, if you are using the ad backend and
> presumably have already given your users & groups a uidNumber &/or a
> gidNumber, why does winbind need the range line at all for the domain?
> Shouldn't winbind just extract any and all records, where the object has
> the required RFC2307 attributes?
>
> There is still one problem though, 'getent group' still does not return
> anything, but 'getent group <a group name>' does.
>
> And you wonder why I tell everybody to use that package I cannot name!
> it just works.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba