Sven Schumacher
2015-Jan-05 10:31 UTC
[Samba] winbind backends ad and rfc2307 both with errors...
Hello,
I just set up a samba server (version 2:4.1.13+dfsg-4) on Debian 7.7 as a member server of a Win2k8 domain (before that, the server was an old SuSE (10.4) samba with its own user management, i.e. a standalone server).
I would like to use winbind with the idmap backend "ad" or "rfc2307" instead.
When using rfc2307 (as specified in my conf), I can successfully run:
wbinfo -u
wbinfo -g
and even "getent passwd" shows the users. Only "getent group" doesn't list any domain-based group (but the uid and gid values look like they are being served from tdb instead of AD).
wbinfo -i $USER gives uid and gid values coming from the tdb database (70000...), too.
wbinfo --group-info $GROUP gives the right members of the group, but the wrong gid (coming from tdb, too).
When I use the backend "ad", wbinfo -u and wbinfo -g work without failure, too. But "getent passwd" and "getent group" don't show any domain-based entry.
Calling "wbinfo -i $USER" tells me:
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user $USER
wbinfo --group-info $GROUP
works fine and has the correct information.
In the winbind logfiles (using -d 10 for debugging):
[2015/01/05 10:51:48.578960, 10, pid=18923, effective(0, 0), real(0, 0),
class=idmap] ../source3/winbindd/idmap.c:377(idmap_find_domain)
idmap_find_domain called for domain 'LUH-TFD'
[2015/01/05 10:51:48.579001, 10, pid=18923, effective(0, 0), real(0, 0),
class=idmap] ../source3/winbindd/idmap_ad.c:64(ad_idmap_cached_connection)
ad_idmap_cached_connection: called for domain 'LUH-TFD'
[2015/01/05 10:51:48.579034, 7, pid=18923, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_ads.c:61(ads_cached_connection_reuse)
Current tickets expire in 35972 seconds (at 1420487480, time is now
1420451508)
[2015/01/05 10:51:48.579085, 10, pid=18923, effective(0, 0), real(0, 0),
class=idmap] ../source3/winbindd/idmap_ad.c:452(idmap_ad_sids_to_unixids)
Filter:
[(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\AD\A7\D8\C3\A75a\80a<\EF\1A\80\04\00\00)))]
[2015/01/05 10:51:48.579963, 5, pid=18923, effective(0, 0), real(0, 0)]
../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
Search for
(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\AD\A7\D8\C3\A75a\80a<\EF\1A\80\04\00\00)))
in <dc=LUH-TFD,dc=LOCAL> gave 1 replies
[2015/01/05 10:51:48.580034, 10, pid=18923, effective(0, 0), real(0, 0),
class=idmap] ../source3/winbindd/idmap_ad.c:539(idmap_ad_sids_to_unixids)
Mapped S-1-5-21-3285755821-2153854375-451886177-1152 -> 516 (1)
[2015/01/05 10:51:48.580078, 10, pid=18923, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_dual_srv.c:194(_wbint_Sids2UnixIDs)
sids_to_unixids returned NT_STATUS_OK
[2015/01/05 10:51:48.580112, 1, pid=18923, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:333(ndr_print_function_debug)
wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
out: struct wbint_Sids2UnixIDs
ids : *
ids: struct wbint_TransIDArray
num_ids : 0x00000001 (1)
ids: ARRAY(1)
ids: struct wbint_TransID
type : ID_TYPE_UID (1)
domain_index : 0x00000000 (0)
rid : 0x00000480 (1152)
xid: struct unixid
id : 0x00000204 (516)
type : ID_TYPE_UID (1)
result : NT_STATUS_OK
[2015/01/05 10:51:48.580343, 4, pid=18923, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_dual.c:1346(child_handler)
Finished processing child request 59
[2015/01/05 10:51:48.580402, 10, pid=18923, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_dual.c:1363(child_handler)
Writing 3528 bytes to parent
[2015/01/05 10:51:48.582682, 10, pid=18923, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_dual.c:71(child_read_request)
Need to read 110 extra bytes
[2015/01/05 10:51:48.582753, 4, pid=18923, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_dual.c:1338(child_handler)
child daemon request 59
[2015/01/05 10:51:48.582801, 10, pid=18923, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_dual.c:458(child_process_request)
child_process_request: request fn NDRCMD
Summary:
So, by using backend ad, winbind is able to fetch the uid but reports errors (and getent passwd / getent group fail); fetching the gid works without error.
By using backend rfc2307, winbind is able to fetch user and group lists using wbinfo and getent passwd/group, but has the wrong uid and gid.
Any suggestions for possible solutions?
Even stripping down my config to mention only the main domain (instead of the trusted ones, too) doesn't solve the problem.
My config (smb.conf) for winbind (anything obvious wrong here?):
[global]
workgroup = LUH-TFD
realm = LUH-TFD.LOCAL
follow symlinks = yes
security = ADS
printing = cups
printcap name = cups
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
idmap config * : backend = tdb
idmap config * : range = 70000-80000
idmap config LUH-TFD : range = 500-69999
idmap config LUH-TFD : backend = rfc2307
idmap config LUH-TFD : ldap_server = ad
idmap config POOL : range = 500-69999
idmap config POOL : backend = rfc2307
idmap config POOL : ldap_server = ad
idmap config WINPOOL : range = 500-69999
idmap config WINPOOL : backend = rfc2307
idmap config WINPOOL : ldap_server = ad
# idmap config WINPOOL : range = 500-69999
# idmap config WINPOOL : backend = ad
# idmap config WINPOOL : schema_mode = rfc2307
# idmap config LUH-TFD : range = 500-69999
# idmap config LUH-TFD : backend = ad
# idmap config LUH-TFD : schema_mode = rfc2307
# idmap config POOL : range = 500-69999
# idmap config POOL : backend = ad
# idmap config POOL : schema_mode = rfc2307
template shell = /bin/false
template homedir = /home/%U
winbind offline logon = yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
map untrusted to domain = no
obey pam restrictions = no
client use spnego = yes
client ntlmv2 auth = yes
allow trusted domains = yes
winbind normalize names = yes
winbind use default domain = yes
winbind refresh tickets = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind trusted domains only = no
my /etc/krb5.conf:
[libdefaults]
default_realm = LUH-TFD.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
renew_lifetime = 7d
ticket_lifetime = 24h
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = true
}
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
POOL.LUH-TFD.LOCAL = {
kdc = winad2.tfd.uni-hannover.de:88
admin_server = winad2.tfd.uni-hannover.de:749
default_domain = pool.luh-tfd.local
}
LUH-TFD.LOCAL = {
kdc = winad1.tfd.uni-hannover.de:88
admin_server = winad1.tfd.uni-hannover.de:749
default_domain = luh-tfd.local
}
WINPOOL.TFD.UNI-HANNOVER.DE = {
kdc = aias.winpool.tfd.uni-hannover.de:88
admin_server = aias.winpool.tfd.uni-hannover.de:749
default_domain = winpool.tfd.uni-hannover.de
}
[domain_realm]
.luh-tfd.local = LUH-TFD.LOCAL
luh-tfd.local = LUH-TFD.LOCAL
.winpool.tfd.uni-hannover.de = WINPOOL.TFD.UNI-HANNOVER.DE
winpool.tfd.uni-hannover.de = WINPOOL.TFD.UNI-HANNOVER.DE
.pool.luh-tfd.local = POOL.LUH-TFD.LOCAL
pool.luh-tfd.local = POOL.LUH-TFD.LOCAL
[login]
krb4_convert = true
krb4_get_tickets = true
my /etc/nsswitch.conf:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
sudoers: files
L.P.H. van Belle
2015-Jan-05 10:51 UTC
[Samba] winbind backends ad and rfc2307 both with errors...
you have overlapping IDs which will not work correctly.

> idmap config * : range = 70000-80000
> idmap config LUH-TFD : range = 500-69999
> idmap config POOL : range = 500-69999
> idmap config WINPOOL : range = 500-69999

Each range should not overlap the other.
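The two symptoms above (domain ranges that overlap each other, and uids such as 70000... that can only have come from the tdb allocator behind "idmap config *") can both be checked mechanically. The script below is an added example, not code from the thread or from the Samba project: it pulls every "idmap config X : range" line out of an smb.conf, reports pairs of ranges that share IDs, and then flags "getent passwd" entries whose uid lies in the "*" fallback range. The smb.conf fragments are taken from the configs posted in this thread; the getent output and the user names in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check winbind idmap ranges in an
# smb.conf and flag passwd entries whose uid was handed out from the '*' fallback
# range instead of the domain's own range. Runs offline on the constructed input.

# Constructed input: the idmap lines from the smb.conf posted above.
SMB_CONF_BAD='[global]
   workgroup = LUH-TFD
   idmap config * : backend = tdb
   idmap config * : range = 70000-80000
   idmap config LUH-TFD : range = 500-69999
   idmap config LUH-TFD : backend = rfc2307
   idmap config POOL : range = 500-69999
   idmap config POOL : backend = rfc2307
   idmap config WINPOOL : range = 500-69999
   idmap config WINPOOL : backend = rfc2307'

# Constructed input: the single-domain layout suggested later in the thread.
SMB_CONF_GOOD='[global]
   idmap config * : backend = tdb
   idmap config * : range = 70000-80000
   idmap config LUH-TFD : backend = ad
   idmap config LUH-TFD : range = 500-69999
   idmap config LUH-TFD : schema_mode = rfc2307'

# Constructed "getent passwd" output: alice and carol carry uids from the domain
# range; bob's uid 70001 can only have come from the tdb allocator behind '*'.
GETENT_SAMPLE='root:x:0:0:root:/root:/bin/bash
alice:*:516:513:Alice Example:/home/alice:/bin/false
bob:*:70001:70000:Bob Example:/home/bob:/bin/false
carol:*:1203:513:Carol Example:/home/carol:/bin/false'

# idmap_ranges CONF: print one "DOMAIN LOW HIGH" line per "idmap config X : range = L-H".
idmap_ranges() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[ \t]*idmap config[ \t]+[^:]*:[ \t]*range[ \t]*=/ {
            dom = $1
            sub(/^[ \t]*idmap config[ \t]+/, "", dom)   # drop the keyword
            sub(/[ \t]*:.*$/, "", dom)                  # keep only the domain name
            val = $2
            gsub(/[ \t]/, "", val)                      # "500-69999"
            split(val, r, "-")
            print dom, r[1], r[2]
        }'
}

# check_idmap_overlap CONF: print every pair of ranges that share IDs; exit 1 if any.
check_idmap_overlap() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "OVERLAP: %s %d-%d vs %s %d-%d\n",
                               dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

# fallback_users CONF PASSWD: print "user:uid" for entries whose uid lies in the '*' range,
# i.e. IDs that were allocated locally rather than read from the domain.
fallback_users() {
    star=$(idmap_ranges "$1" | awk '$1 == "*" { print $2, $3; exit }')
    [ -n "$star" ] || { echo "no 'idmap config * : range' found" >&2; return 2; }
    printf '%s\n' "$2" | awk -F: -v lo="${star% *}" -v hi="${star#* }" '
        $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 ":" $3 }'
}

echo "== idmap ranges found in the posted smb.conf =="
idmap_ranges "$SMB_CONF_BAD"
echo "== overlap check (posted config) =="
check_idmap_overlap "$SMB_CONF_BAD" || echo "=> fix the ranges before looking at anything else"
echo "== overlap check (single-domain config) =="
check_idmap_overlap "$SMB_CONF_GOOD" && echo "=> no overlap"
echo "== users whose uid came from the '*' fallback range =="
fallback_users "$SMB_CONF_BAD" "$GETENT_SAMPLE"
```

Run it against a real box by replacing the constructed strings with `$(cat /etc/samba/smb.conf)` and `$(getent passwd)`. One caveat when reading the second report: the "*" backend only serves SIDs from domains that have no explicit "idmap config" entry (BUILTIN and similar). With "backend = ad" a domain user who has no uidNumber attribute is not pushed into the "*" range; that user simply gets no ID and disappears from getent, so an empty fallback list does not by itself prove that every account is mapped.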
Rowland Penny
2015-Jan-05 11:08 UTC
[Samba] winbind backends ad and rfc2307 both with errors...
On 05/01/15 10:31, Sven Schumacher wrote:
> My config (smb.conf) for winbind (anything obvious wrong here?):

Quite a lot actually :-) Try changing your smb.conf to this:

[global]
workgroup = LUH-TFD
security = ADS
realm = LUH-TFD.LOCAL
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = yes
winbind normalize names = yes
winbind offline logon = yes
idmap config * : backend = tdb
idmap config * : range = 70000-80000
idmap config LUH-TFD : backend = ad
idmap config LUH-TFD : range = 500-69999
idmap config LUH-TFD : schema_mode = rfc2307
domain master = no
local master = no
preferred master = no
printcap name = cups
printing = cups
template shell = /bin/false
template homedir = /home/%U
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

OH and you are number 5 this week, please do not use .local as the domain name.

Rowland
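The suggested config switches LUH-TFD to "backend = ad" with "schema_mode = rfc2307", which makes winbind read uidNumber and gidNumber straight from the AD user objects; an account that lacks those attributes, or whose value falls outside the configured 500-69999 range, will not resolve at all. The script below is an added example, not part of the thread or of Samba: it audits an LDIF export of the user objects (as produced by an ldapsearch -LLL query against the DC) and lists every account that winbind cannot map. The LDIF, the user names and their attribute values are constructed for the example; the range bounds are passed in as parameters.

```shell
#!/bin/sh
# Added example (not from the thread): audit an LDIF dump of AD user objects for the
# RFC2307 attributes that "idmap config DOM : backend = ad" depends on.

# Constructed input in the shape of "ldapsearch -LLL ... sAMAccountName uidNumber
# gidNumber loginShell unixHomeDirectory" output. alice is fully populated, bob has
# no RFC2307 attributes at all, carol has a uidNumber outside the idmap range.
LDIF_SAMPLE='dn: CN=Alice Example,CN=Users,DC=LUH-TFD,DC=LOCAL
sAMAccountName: alice
uidNumber: 516
gidNumber: 513
loginShell: /bin/bash
unixHomeDirectory: /home/alice

dn: CN=Bob Example,CN=Users,DC=LUH-TFD,DC=LOCAL
sAMAccountName: bob

dn: CN=Carol Example,CN=Users,DC=LUH-TFD,DC=LOCAL
sAMAccountName: carol
uidNumber: 90000
gidNumber: 513'

# audit_rfc2307 LDIF LOW HIGH: print "user: problem" for every account that the ad
# backend would fail to map with "idmap config DOM : range = LOW-HIGH".
audit_rfc2307() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
        BEGIN { RS = ""; FS = "\n" }          # one LDIF entry per record
        {
            name = ""; uid = ""; gid = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^sAMAccountName: /) name = substr($i, 17)
                if ($i ~ /^uidNumber: /)      uid  = substr($i, 12)
                if ($i ~ /^gidNumber: /)      gid  = substr($i, 12)
            }
            if (name == "") next               # not a user entry
            if (uid == "")
                print name ": no uidNumber (idmap_ad will not map this user)"
            else if (uid + 0 < lo + 0 || uid + 0 > hi + 0)
                print name ": uidNumber " uid " outside range " lo "-" hi
            if (gid == "")
                print name ": no gidNumber (primary group unmapped)"
        }'
}

echo "== accounts the ad backend cannot map with range 500-69999 =="
audit_rfc2307 "$LDIF_SAMPLE" 500 69999
```

For a live check, feed it a real export, e.g. `audit_rfc2307 "$(ldapsearch -LLL -Y GSSAPI -H ldap://winad1.tfd.uni-hannover.de -b DC=LUH-TFD,DC=LOCAL '(objectClass=user)' sAMAccountName uidNumber gidNumber)" 500 69999` after a `kinit`; the host name is the one from the posted krb5.conf and the search is an assumption about how the export is produced, not something the thread shows. Every name this prints is a user who will be missing from getent passwd no matter how the Samba side is configured.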