Well, seems like I hit every mudhole that could be on the way ...
root at samba4:/# getent passwd | grep mgr
mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash
root at samba4:/# ldapsearch -LLL -D
"CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W
'(uid=mgr)'
uid uidNumber gidNumber sAMAccountName name gecos
Enter LDAP Password:
dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
name: Lars LH. Hanke
sAMAccountName: mgr
uid: mgr
uidNumber: 1001
gidNumber: 1001
gecos: Dr. Lars Hanke
root at samba4:/# grep mgr /etc/passwd
root at samba4:/#
So although proper POSIX information is in the AD, and no local
information present, winbind rolls dice for POSIX attributes. The
situation seems similar to that of Rowland and Derek Werthmuller last
December. There finally, Rowland suggested to use sssd.
My smb.conf:
[global]
workgroup = AD
realm = AD.MICROSULT.DE
security = ADS
restrict anonymous = 2
kerberos method = system keytab
os level = 0
local master = No
domain master = No
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config * : range = 10000-20000
idmap config AD: backend = ad
idmap config AD: range = 1001 - 2000
idmap config * : backend = tdb
Interestingly the behaviour is no different, if I simply put idmap uid
and idmap gid lines instead of the more detailed config.
And, if you doubt that I'm querying the right LDAP:
root at samba4:/# cat /etc/ldap/ldap.conf
BASE DC=ad,DC=microsult,DC=de
URI ldap://samba.ad.microsult.de:3268
TLS_CACERT /etc/certs/cacert.pem
BTW: administrator neither maps to 0!
Moreover, I largely followed the Debian Wiki
https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory. In their
setup uids get prefixed by %D+. Unsure which I like better, but it's at
least an observation.
samba4 runs vanilla Debian Wheezy, i.e. samba 3.6.6. If this is a
_known_ issue with that version, I readily update to backports 4.1.7.
Otherwise, I have some reasons to explore the old version for a while.
Thanks for your help,
- lars.
On Sun, 2014-06-29 at 13:01 +0200, Lars Hanke wrote:
> Well, seems like I hit every mudhole that could be on the way ...
>
> root at samba4:/# getent passwd | grep mgr
> mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash
> root at samba4:/# ldapsearch -LLL -D
> "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)'
> uid uidNumber gidNumber sAMAccountName name gecos
> Enter LDAP Password:
> dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
> name: Lars LH. Hanke
> sAMAccountName: mgr
> uid: mgr
> uidNumber: 1001
> gidNumber: 1001
> gecos: Dr. Lars Hanke
>
> root at samba4:/# grep mgr /etc/passwd
> root at samba4:/#
>
> So although proper POSIX information is in the AD, and no local
> information present, winbind rolls dice for POSIX attributes.

lol! Do you have any local cache? nscd is often a culprit here.
flush the winbind tdb too:
net cache flush
check that winbind registers on the DC when you start it.

> The
> situation seems similar to that of Rowland and Derek Werthmuller last
> December. There finally, Rowland suggested to use sssd.
>

OK, make a decision. If it doesn't work this time, try the latter.

> My smb.conf:
>
> [global]
> workgroup = AD
> realm = AD.MICROSULT.DE
> security = ADS
> restrict anonymous = 2
> kerberos method = system keytab
> os level = 0
> local master = No
> domain master = No
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> idmap config * : range = 10000-20000
> idmap config AD: backend = ad
> idmap config AD: range = 1001 - 2000

idmap config AD: range = 1000-2000 #lose the spaces and change the range just to be sure

>
> idmap config * : backend = tdb
> Interestingly the behaviour is no different, if I simply put idmap uid
> and idmap gid lines instead of the more detailed config.
>
> And, if you doubt that I'm querying the right LDAP:
>
> root at samba4:/# cat /etc/ldap/ldap.conf
> BASE DC=ad,DC=microsult,DC=de
> URI ldap://samba.ad.microsult.de:3268
> TLS_CACERT /etc/certs/cacert.pem
>
> BTW: administrator neither maps to 0!

It only maps to 0 if you configure it to do so.
On 29/06/14 12:01, Lars Hanke wrote:
> Well, seems like I hit every mudhole that could be on the way ...
>
> root at samba4:/# getent passwd | grep mgr
> mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash
> root at samba4:/# ldapsearch -LLL -D
> "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)'
> uid uidNumber gidNumber sAMAccountName name gecos
> Enter LDAP Password:
> dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
> name: Lars LH. Hanke
> sAMAccountName: mgr
> uid: mgr
> uidNumber: 1001
> gidNumber: 1001
> gecos: Dr. Lars Hanke
>
> root at samba4:/# grep mgr /etc/passwd
> root at samba4:/#
>
> So although proper POSIX information is in the AD, and no local
> information present, winbind rolls dice for POSIX attributes. The
> situation seems similar to that of Rowland and Derek Werthmuller last
> December. There finally, Rowland suggested to use sssd.
>
> My smb.conf:
>
> [global]
> workgroup = AD
> realm = AD.MICROSULT.DE
> security = ADS
> restrict anonymous = 2
> kerberos method = system keytab
> os level = 0
> local master = No
> domain master = No
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> idmap config * : range = 10000-20000
> idmap config AD: backend = ad
> idmap config AD: range = 1001 - 2000
> idmap config * : backend = tdb
>
> Interestingly the behaviour is no different, if I simply put idmap uid
> and idmap gid lines instead of the more detailed config.
>
> And, if you doubt that I'm querying the right LDAP:
>
> root at samba4:/# cat /etc/ldap/ldap.conf
> BASE DC=ad,DC=microsult,DC=de
> URI ldap://samba.ad.microsult.de:3268
> TLS_CACERT /etc/certs/cacert.pem
>
> BTW: administrator neither maps to 0!
>
> Moreover, I largely followed the Debian Wiki
> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory. In
> their setup uids get prefixed by %D+. Unsure which I like better, but
> it's at least an observation.
>
> samba4 runs vanilla Debian Wheezy, i.e. samba 3.6.6. If this is a
> _known_ issue with that version, I readily update to backports 4.1.7.
> Otherwise, I have some reasons to explore the old version for a while.
>
> Thanks for your help,
> - lars.

Hi, this is a working samba 3.6 samba.conf:

[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
security = ADS
client signing = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
os level = 20
local master = no
domain master = no
preferred master = no
server string = Samba 3 Client %h
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind normalize names = Yes
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config HOME : backend = ad
idmap config HOME : range = 10000-999999
idmap config HOME:schema_mode = rfc2307
printcap name = cups
cups options = raw
usershare allow guests = yes
map to guest = bad user
username map = /etc/samba/smbmap

and there is at least one line in there that you do not have:

winbind nss info = rfc2307

Try adding at least that one line and then report back ;-)

Rowland
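Added illustration, not code from this thread, from Samba or from any of the posters: a small Python cross-check that automates the diagnosis the thread walks through. It takes an smb.conf, one getent passwd record and the ldapsearch output for the same account, then reports the three things the replies point at: a uid returned by winbind that differs from the uidNumber stored in AD (and which configured idmap range that uid actually fell into), an idmap range written with stray whitespace as in "1001 - 2000", overlapping ranges, and an ad backend configured without the winbind nss info = rfc2307 line Rowland's config carries. The reason this is worth checking is that the catch-all tdb backend allocates ids locally and on a first-come basis, so a user who silently lands there can own files under a different uid on every member server. The sample inputs are constructed to mirror the shapes shown in the thread and are not from a real system; SMB_CONF, GETENT_LINE, LDIF and every function name are my own.

```python
import re

# Constructed sample inputs mirroring the shapes in the thread (not a real system);
# SMB_CONF, GETENT_LINE, LDIF and every function name below are my own.
SMB_CONF = """\
[global]
workgroup = AD
idmap config * : range = 10000-20000
idmap config AD: backend = ad
idmap config AD: range = 1001 - 2000
idmap config * : backend = tdb
"""
GETENT_LINE = "mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash"
LDIF = """\
dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
sAMAccountName: mgr
uid: mgr
uidNumber: 1001
gidNumber: 1001
"""
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
NSS_INFO_RE = re.compile(r"^\s*winbind\s+nss\s+info\s*=\s*rfc2307\s*$", re.I | re.M)


def parse_idmap(conf):
    """'idmap config <dom> : <opt> = <val>' lines -> {DOM: {opt: val}}."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return domains


def parse_range(text):
    """'1001 - 2000' or '1001-2000' -> (1001, 2000); None when malformed."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", text)
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low <= high else None


def parse_ldif_attrs(ldif):
    """Flatten a one-entry LDIF into {attribute: value}."""
    attrs = {}
    for line in ldif.splitlines():
        if ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def parse_getent(line):
    """One 'getent passwd' record -> the fields we compare."""
    fields = line.split(":")
    return {"name": fields[0], "uid": int(fields[2]), "gid": int(fields[3])}


def lint_idmap(domains):
    """Flag missing/malformed/overlapping idmap ranges; return (findings, ranges)."""
    findings, ranges = [], {}
    for dom, opts in domains.items():
        raw = opts.get("range")
        parsed = parse_range(raw) if raw is not None else None
        if parsed is None:
            findings.append(f"{dom}: missing or unparsable range {raw!r}")
            continue
        canonical = f"{parsed[0]}-{parsed[1]}"
        if raw != canonical:  # the whitespace the first reply tells Lars to drop
            findings.append(f"{dom}: range {raw!r} has stray whitespace; write {canonical}")
        ranges[dom] = parsed
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # two backends competing for one uid space
                findings.append(f"ranges for {a} and {b} overlap")
    return findings, ranges


def which_range(uid, ranges):
    """Names of the configured idmap ranges that contain uid."""
    return [dom for dom, (lo, hi) in ranges.items() if lo <= uid <= hi]


def diagnose(conf, getent_line, ldif):
    """Cross-check the uid winbind handed out against AD and the idmap config."""
    domains = parse_idmap(conf)
    findings, ranges = lint_idmap(domains)
    if any(o.get("backend", "").lower() == "ad" for o in domains.values()):
        if not NSS_INFO_RE.search(conf):  # the line Rowland's reply recommends
            findings.append("ad backend in use but 'winbind nss info = rfc2307' is not set")
    local = parse_getent(getent_line)
    ad_uid = int(parse_ldif_attrs(ldif)["uidNumber"])
    if local["uid"] != ad_uid:
        source = ", ".join(which_range(local["uid"], ranges)) or "no configured range"
        findings.append(f"{local['name']}: winbind returned uid {local['uid']} but AD "
                        f"uidNumber is {ad_uid}; that uid lies in the range of: {source}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SMB_CONF, GETENT_LINE, LDIF):
        print("FINDING:", finding)
```

Run against the constructed sample it reports three findings: the whitespace in the AD range, the missing winbind nss info line, and that uid 10000 was handed out from the "*" range rather than matching the uidNumber 1001 held in AD. Swap in the real smb.conf and the output of getent passwd and ldapsearch for one account to use it on a member server; a clean configuration returns an empty list.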