a.braml at buerger-energie-berlin.de
2015-Jan-27 05:44 UTC
[Samba] Can't get idmap_ad to work with winbind (only idmap_rid)
Hi!

With the end of support for Win XP from many application vendors, we finally decided to go AD with our small domain that right now consists of two XP desktop clients and one Samba PDC (3.6 from official Ubuntu 12.04 packages) that's also offering some file shares and a printer share. Since there already is one FreeBSD server for backup/mirroring, I decided to go all FreeBSD in the process. The final setup would consist of:

Realm/Domain TEST.BUERGER-ENERGIE-BERLIN.DE
FreeBSD 10.1-RELEASE AD DC with Samba 4 from ports (4.1.16 right now), single domain forest
FreeBSD 10.1-RELEASE AD Member Server with Samba 4 from ports
2 Win 7 Professional SP1 desktop clients

I installed everything in a Virtualbox host-only network with a layout identical to what the actual network will be.

For the setup, I followed the Wiki at http://wiki.samba.org for the AD DC and AD Member server setup. I followed the instructions for RFC 2307 and decided to use RID+100000 for the default users/groups and 102XXX for my additional groups/users. I set the corresponding GID/UID in the UNIX attributes via ADUC from one of the Win 7 clients. And it works! Well, mostly...

The problem is that on the AD member server, I can't use the ad backend with winbind. The rid backend works, though. This doesn't seem to be a problem with FreeBSD, as I can reproduce that error on member servers running Ubuntu 12.04 with Samba 3.6 or Ubuntu 14.04 with Samba 4.

The behavior I get is as follows:

When I set

idmap config *:backend = tdb
idmap config *:range = 70000-99999
idmap config TEST:backend = ad
idmap config TEST:schema_mode = rfc2307
idmap config TEST:range = 100000-2000000
winbind nss info = rfc2307

in the AD member server's smb.conf, getent passwd gives me

administrator:*:70000:70017:Administrator:/home/TEST/administrator:/bin/false
test:*:70003:70004:Test User:/home/TEST/test:/bin/false
krbtgt:*:70001:70004:krbtgt:/home/TEST/krbtgt:/bin/false
guest:*:70002:70005:Guest:/home/TEST/guest:/bin/false

So the TEST:range is ignored, *:range is used instead. User Shell, Home Dir and the UID (102000 for the test user) from the UNIX attributes in AD are ignored.

When I set

idmap config *:backend = tdb
idmap config *:range = 70000-99999
idmap config TEST:backend = rid
idmap config TEST:range = 100000-2000000
winbind nss info = rfc2307

instead, getent passwd gives me

administrator:*:100500:100512:Administrator:/home/TEST/administrator:/bin/false
test:*:101105:100513:Test User:/home/TEST/test:/bin/false
krbtgt:*:100502:100513:krbtgt:/home/TEST/krbtgt:/bin/false
guest:*:100501:100514:Guest:/home/TEST/guest:/bin/false

So the TEST:range is respected now. But User Shell and Home Dir from the UNIX attributes in the AD are still ignored.

There are log entries in the AD member server's log.winbindd stating "Added (BUILTIN|BSDMEM|TEST.BUERGER-ENERGIE-BERLIN.DE) ...". My log.winbindd-dc-connect is completely empty, though! Is this a first clue?

It would be no problem to go with the RID backend for now. But as I understand, this might give trouble should I ever trust domains from another forest in the future. With a big warning in our documentation, I could live with that. But I'd prefer to get the ad backend working from the start.

What's going on here? Any clues? I searched the list archives and the WWW with ixquick, but found no solution for my problem.

The AD DC I provisioned with

# samba-tool domain provision --use-rfc2307 --interactive --option "nsupdate command = /usr/local/bin/samba-nsupdate -g"

The --option I appended because the message from the ports install told me to add this to my smb.conf.

In the following interactive setup, I went with the defaults, adding only the dns forwarder.

From this I got:

# AD DC smb.conf
[global]
workgroup = TEST
realm = TEST.BUERGER-ENERGIE-BERLIN.DE
netbios name = BSDSRV
server role = active directory domain controller
dns forwarder = 62.109.121.2
idmap_ldb:use rfc2307 = yes

nsupdate command = /usr/local/bin/samba-nsupdate -g

[netlogon]
path = /var/db/samba4/sysvol/test.buerger-energie-berlin.de/scripts
read only = No

[sysvol]
path = /var/db/samba4/sysvol
read only = No
# END AD DC smb.conf

On the AD member server, I edited my smb4.conf as follows

# AD Member Server smb.conf
[global]

netbios name = BSDMEM
workgroup = TEST
security = ADS
realm = TEST.BUERGER-ENERGIE-BERLIN.DE
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *:backend = tdb
idmap config *:range = 70000-99999
idmap config TEST:backend = ad
idmap config TEST:schema_mode = rfc2307
idmap config TEST:range = 100000-2000000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes

nsupdate command = /usr/local/bin/samba-nsupdate -g

load printers = no

log level = winbind:2
# END AD Member Server smb.conf

Any help would be greatly appreciated!

Cheers,
Andreas
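The diagnostic the poster is doing by eye (which idmap range each UID from getent passwd landed in, and for the rid backend which RID the UID implies) can be scripted. This is an added example, not code from the thread or from Samba; the idmap lines and getent output are the poster's, embedded here as constructed sample input, and the function names are the example's own:

```python
import re

# Constructed sample: the poster's idmap lines for the 'ad' backend and the
# getent output reported for that configuration.
SMB_CONF_AD = """
idmap config *:backend = tdb
idmap config *:range = 70000-99999
idmap config TEST:backend = ad
idmap config TEST:schema_mode = rfc2307
idmap config TEST:range = 100000-2000000
"""
GETENT_AD = """
administrator:*:70000:70017:Administrator:/home/TEST/administrator:/bin/false
test:*:70003:70004:Test User:/home/TEST/test:/bin/false
"""
# Same config with the 'rid' backend, and the getent output seen with it.
SMB_CONF_RID = SMB_CONF_AD.replace("backend = ad", "backend = rid")
GETENT_RID = """
administrator:*:100500:100512:Administrator:/home/TEST/administrator:/bin/false
test:*:101105:100513:Test User:/home/TEST/test:/bin/false
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(conf):
    """Return {domain: {'backend': ..., 'range': (lo, hi), ...}} from idmap lines."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.groups()
        entry = domains.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-"))
            entry["range"] = (lo, hi)
        else:
            entry[key] = val
    return domains

def classify_uid(uid, domains):
    """Name the idmap domain whose range contains uid, or None if none does."""
    for dom, entry in domains.items():
        lo, hi = entry.get("range", (None, None))
        if lo is not None and lo <= uid <= hi:
            return dom
    return None

def check_getent(getent, conf, domain):
    """Per passwd line: which range the UID fell in, whether it fell through to the
    '*' allocator instead of the named domain, and (rid backend) uid - range low."""
    domains = parse_idmap(conf)
    backend = domains[domain].get("backend")
    lo = domains[domain]["range"][0]
    report = {}
    for line in filter(None, getent.splitlines()):
        name, _, uid, gid, *_ = line.split(":")
        uid = int(uid)
        owner = classify_uid(uid, domains)
        rid = uid - lo if owner == domain and backend == "rid" else None
        report[name] = {"uid": uid, "range_owner": owner,
                        "fell_through": owner != domain, "rid": rid}
    return report
```

A UID reported in the '*' range while the domain backend is 'ad' means the mapping came from the tdb allocator, not from the uidNumber attribute, which is exactly the symptom described above.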
Rowland Penny
2015-Jan-27 09:04 UTC
[Samba] Can't get idmap_ad to work with winbind (only idmap_rid)
On 27/01/15 05:44, a.braml at buerger-energie-berlin.de wrote:
> [...]
Have you actually set any 'uidNumber' & 'gidNumber' attributes in AD? If you use the 'ad' backend they are mandatory, with the 'rid' backend, winbind doesn't need them.
Rowland
"Andreas Braml (BürgerEnergie Berlin)"
2015-Jan-27 15:13 UTC
[Samba] Can't get idmap_ad to work with winbind (only idmap_rid)
Hi,

thanks for your fast reply. It's always Rowland ;)

On 27.01.2015 10:04, Rowland Penny wrote:
> On 27/01/15 05:44, a.braml at buerger-energie-berlin.de wrote:
>> [...]
> Have you actually set any 'uidNumber' & 'gidNumber' attributes in AD?

Yes, as I said: set them with ADUC, I even checked on the attributes with ADSI Edit (never trust a GUI by MS that feigns compatibility with the Unix world). uidNumber and gidNumber are there and in the range I reserved in the smb.conf. Still, they're ignored by winbind and I can't figure out why.

What to check next? Which logs might give a clue here?

Cheers,
Andreas