"Andreas Braml (BürgerEnergie Berlin)"
2015-Jan-28 19:56 UTC
[Samba] [SOLVED] (kinda) Re: Can't get idmap_ad to work with winbind (only idmap_rid)
Hi!

After a night of sleeping it over, I just started from scratch today.

So I re-did all the client setups, starting with Ubuntu, this time 14.04, not 12.04 as when I first tried. Again I did what it says in the Wiki and - bingo! It works as advertised, Unix uid/gid, home directory and login shell information come from the directory now. Even PAM login works, although I don't need that for now.
I wonder where I screwed up the first time. The steps aren't that complicated after all. Well...

So the problem is not in the AD setup.

But when I take the "known good" smb.conf to a fresh FreeBSD client installed from scratch, adjusting the netbios name and then doing the join, the behavior stays the same: backend rid works, ad does not.

There seems to be a problem with FreeBSD as a member server after all.

And I will check with Ubuntu 12.04 again.

On 27.01.2015 16:48, Rowland Penny wrote:
> OK, you posted 'I followed the instructions for RFC 2307 and decided to use RID+100000 for the default users/groups and 102XXX for my additional groups/users'. What do you mean by 'default users/groups'

The ones you get after the provisioning step is done.

> and 'additional groups/users' ?

The ones that I add later.

> You really only need to give Domain Users and Domain Admins a 'gidNumber' attribute, you then give your users a 'uidNumber' attribute.

At one point I thought that this might be the problem - so long as there's even one single group/user that doesn't have a [gu]idNumber set, it wouldn't work. That assumption was wrong, obviously. But it didn't hurt either with the hunt for the problem at hand.

I won't do that in the production environment. So only groups/users that are relevant for what's shared on the member server (ACLs) will get the [gu]idNumber.

> Why did you choose the numbers that you have ? You can start both 'uidNumber' & 'gidNumber' from 10000, this is what Windows expects, there doesn't need to be any link between RID and uidNumber/gidNumber.

The highest uid in use on the BSD is for the 'nobody' user (65534). It might be a while before the AD user/group count gets to that, but I wanted to play it safe here and started beyond that. msSFU30MaxUidNumber and msSFU30MaxGidNumber are set accordingly.

> I think your problem is that you have given your users/groups numbers that are outside the ranges you have set in AD.

No, it's not. (Since it works on Ubuntu now.)

Sorry for the interruption - move along!

Cheers,
Andreas
Rowland Penny
2015-Jan-28 20:21 UTC
[Samba] [SOLVED] (kinda) Re: Can't get idmap_ad to work with winbind (only idmap_rid)
On 28/01/15 19:56, "Andreas Braml (BürgerEnergie Berlin)" wrote:
> Hi!
>
> After a night of sleeping it over, I just started from scratch today.
>
> So I re-did all the client setups, starting with Ubuntu, this time 14.04, not 12.04 as when I first tried. Again I did what it says in the Wiki and - bingo! It works as advertised, Unix uid/gid, home directory and login shell information come from the directory now. Even PAM login works, although I don't need that for now.
> I wonder where I screwed up the first time. The steps aren't that complicated after all. Well...
>
> So the problem is not in the AD setup.
>
> But when I take the "known good" smb.conf to a fresh FreeBSD client installed from scratch, adjusting the netbios name and then doing the join, the behavior stays the same: backend rid works, ad does not.

Very strange, but just one thing, you don't actually have to set the netbios name in smb.conf. It might help if you post your smb.conf.

> There seems to be a problem with FreeBSD as a member server after all.

Possibly

> And I will check with Ubuntu 12.04 again.
>
> On 27.01.2015 16:48, Rowland Penny wrote:
>> OK, you posted 'I followed the instructions for RFC 2307 and decided to use RID+100000 for the default users/groups and 102XXX for my additional groups/users'. What do you mean by 'default users/groups'
> The ones you get after the provisioning step is done.

You do not need to give these a uidNumber or gidNumber.

>> and 'additional groups/users' ?
> The ones that I add later.
>
>> You really only need to give Domain Users and Domain Admins a 'gidNumber' attribute, you then give your users a 'uidNumber' attribute.
> At one point I thought that this might be the problem - so long as there's even one single group/user that doesn't have a [gu]idNumber set, it wouldn't work. That assumption was wrong, obviously. But it didn't hurt either with the hunt for the problem at hand.

If you use the 'ad' backend, winbind will only pull users & groups that have a uidNumber or gidNumber, these numbers need to be inside the range set in smb.conf, any other users are ignored.

> I won't do that in the production environment. So only groups/users that are relevant for what's shared on the member server (ACLs) will get the [gu]idNumber.
>
>> Why did you choose the numbers that you have ? You can start both 'uidNumber' & 'gidNumber' from 10000, this is what Windows expects, there doesn't need to be any link between RID and uidNumber/gidNumber.
> The highest uid in use on the BSD is for the 'nobody' user (65534). It might be a while before the AD user/group count gets to that, but I wanted to play it safe here and started beyond that. msSFU30MaxUidNumber and msSFU30MaxGidNumber are set accordingly.

Yes, I noticed that about 'nobody' (there was probably a reason for this) so my adduser script jumps around 65534.

>> I think your problem is that you have given your users/groups numbers that are outside the ranges you have set in AD.
> No, it's not. (Since it works on Ubuntu now.)

Well, it was just a thought. I know I had problems when I first started using winbind, I could only get the RID backend to work, until it just seemed to click and now I have no problems. :-)

Rowland

> Sorry for the interruption - move along!
>
> Cheers,
> Andreas
a.braml at buerger-energie-berlin.de
2015-Jan-28 22:25 UTC
[Samba] [SOLVED] (kinda) Re: Can't get idmap_ad to work with winbind (only idmap_rid)
Hi!

On 28.01.2015 21:21, Rowland Penny wrote:
> On 28/01/15 19:56, "Andreas Braml (BürgerEnergie Berlin)" wrote:
>> [...]
>>
>> But when I take the "known good" smb.conf to a fresh FreeBSD client installed from scratch, adjusting the netbios name and then doing the join, the behavior stays the same: backend rid works, ad does not.
>
> Very strange, but just one thing, you don't actually have to set the netbios name in smb.conf.

In the known good smb.conf I left it out already. Maybe amend the Wiki page accordingly, i.e. put in a note that you can leave out some parameters, as they are defaults anyway (winbind trusted domains only = no is even deprecated/ignored?)

> It might help if you post your smb.conf.

Here goes:

    [global]
        workgroup = TEST
        security = ADS
        realm = TEST.BUERGER-ENERGIE-BERLIN.DE
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        idmap config *:backend = tdb
        idmap config *:range = 70000-99999
        idmap config TEST:backend = ad
        idmap config TEST:schema_mode = rfc2307
        idmap config TEST:range = 100000-2000000
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes

    [demoshare]
        path = /usr/local/share/test
        read only = no

>> There seems to be a problem with FreeBSD as a member server after all.
>
> Possibly
>
>> And I will check with Ubuntu 12.04 again.

Which might take a while, figuring out where to put compiled binaries etc. The stock packages are too old (no libnss-winbind for starters) and I don't feel like registering at SerNet. But I have a hunch that this was why it didn't work back then - me too stupid, not putting libs in the right directory or something like that.

> [...]
>> At one point I thought that this might be the problem - so long as there's even one single group/user that doesn't have a [gu]idNumber set, it wouldn't work. That assumption was wrong, obviously. But it didn't hurt either with the hunt for the problem at hand.
>
> If you use the 'ad' backend, winbind will only pull users & groups that have a uidNumber or gidNumber, these numbers need to be inside the range set in smb.conf, any other users are ignored.

Like it says in the manpage. But as I said, at one point I thought that this might be an "all or nothing" which the documentation fails to mention. Fortunately this is not the case, works as advertised.

>> The highest uid in use on the BSD is for the 'nobody' user (65534). It might be a while before the AD user/group count gets to that, but I wanted to play it safe here and started beyond that. msSFU30MaxUidNumber and msSFU30MaxGidNumber are set accordingly.
>
> Yes, I noticed that about 'nobody' (there was probably a reason for this) so my adduser script jumps around 65534.

But tools like ADUC don't respect that (?) I plan to delegate some of the user/group administration. The delegees will most likely use the MS tools.

>>> I think your problem is that you have given your users/groups numbers that are outside the ranges you have set in AD.
>> No, it's not. (Since it works on Ubuntu now.)
>
> Well, it was just a thought. I know I had problems when I first started using winbind, I could only get the RID backend to work, until it just seemed to click and now I have no problems. :-)

Seems like history repeats itself once more :D

Cheers,
Andreas
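Rowland's point that the 'ad' backend silently ignores any user or group whose uidNumber/gidNumber is missing or falls outside the domain's "idmap config DOM:range" is easy to audit before a join. The script below is an added example, not code from the thread or from Samba: it parses the idmap ranges out of an smb.conf fragment modelled on the one posted above, classifies a set of constructed RFC2307 attribute values the way winbind would treat them, and checks that no two idmap ranges overlap. The account names and numbers are hypothetical.

```python
import re

# Constructed smb.conf fragment, modelled on the one posted in the thread (not the poster's file).
SMB_CONF = """
[global]
   idmap config *:backend = tdb
   idmap config *:range = 70000-99999
   idmap config TEST:backend = ad
   idmap config TEST:schema_mode = rfc2307
   idmap config TEST:range = 100000-2000000
"""

# Constructed, hypothetical uidNumber/gidNumber values as winbind would read them from AD.
AD_ENTRIES = [
    ("alice", 100001),           # inside the TEST range: mapped
    ("bob", 65534),              # below the range (and the local 'nobody' uid): ignored
    ("carol", None),             # no uidNumber/gidNumber at all: ignored
    ("Domain Users", 100513),    # inside the range: mapped
    ("Domain Admins", 2500000),  # above the range: ignored
]

RANGE_RE = re.compile(r"idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)")

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config DOM:range = low-high' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in RANGE_RE.finditer(conf)}

def audit_entries(conf, domain, entries):
    """Classify each account the way the 'ad' backend treats it: 'mapped' (attribute
    present and inside the domain range), 'no-attr' (attribute missing) or
    'out-of-range' (present but outside the range, so the account never appears)."""
    low, high = parse_idmap_ranges(conf)[domain]
    verdict = {}
    for name, number in entries:
        if number is None:
            verdict[name] = "no-attr"
        elif low <= number <= high:
            verdict[name] = "mapped"
        else:
            verdict[name] = "out-of-range"
    return verdict

def overlapping_ranges(conf):
    """Return pairs of idmap domains whose ranges overlap; all ranges must be disjoint."""
    items = sorted(parse_idmap_ranges(conf).items(), key=lambda kv: kv[1])
    return [(a, b) for (a, (_, ahi)), (b, (blo, _)) in zip(items, items[1:]) if blo <= ahi]

if __name__ == "__main__":
    for name, state in audit_entries(SMB_CONF, "TEST", AD_ENTRIES).items():
        print(f"{name:14} {state}")
    print("overlapping ranges:", overlapping_ranges(SMB_CONF))
```

Feeding the script real values exported from AD (for example the uidNumber/gidNumber columns of an LDAP search) shows which accounts will be invisible on the member server before anyone notices a share ACL that cannot be resolved.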