samba - Apr 2015 - Samba as AD member can not validate domain user

Cit?ju Rowland Penny <rowlandpenny at googlemail.com>:
>> getent passwd shows list of local users, freezes for a while and exits;
>
> This is possibly because you may have (somehow) the same username in  
> AD and /etc/passwd
even with the "problematic" user removed behaviour is the same (with  
net ads leave, remove krb5 keytab and join +restart)
>
>> id user shows user info if it exists locally.
>
> On an AD joined machine id should show user info if the user exists  
> in AD and has the required rfc2307 attributes.
I re-checked what I have on AD DC:
1. getent passwd shows local + AD users (AD users having uids in the  
range of 30000XX)
2. getent group shows local + AD grous, AD groups having gids in the  
range of 30000XX, just Domain Users having gid 100
3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)' objectSID
gidNumber
gives onlyObjectSID without gidNumber;

CFG files from fileserver:
===========krb5.conf
[libdefaults]
default = INTERNAL.DOMAIN.LV
dns_lookup_realm = false
dns_lookup_kdc = true

==========nsswitch.conf
passwd:         compat winbind
group:          compat winbind
shadow:         compat files

hosts:          files dns
networks:       files

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
bootparams:     files

automount:      files
aliases:        files nisplus
publickey:      nisplus
============SMB.conf on fileserver
[global]
         security = ADS
         workgroup = INTERNAL
         acl group control = yes
         inherit acls = Yes
         map acl inherit = Yes
         realm = INTERNAL.DOMAIN.LV
         kerberos method = secrets and keytab
         idmap config internal:backend = ad
         idmap config internal:range = 10000-3001000
         idmap config internal:schema_mode = rfc2307
         idmap config *:range = 2000-9999
         idmap config *:backend = tdb
         dedicated keytab file = /etc/krb5.keytab
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind separator = \
         winbind refresh tickets = Yes
         winbind nss info = rfc2307
         winbind use default domain = yes
         winbind trusted domains only = yes
         utmp = yes
         wins server = sambadc.DOMAIN.lv
         wins support = yes
         dns proxy = no
         wins proxy = no
         wtmp directory = /var/log/wtmp
         preferred master = no
         log level = 4
         bind interfaces only = Yes
         interfaces = lo, eth1
         netbios name = FS2
         os level = 33
=====================smb.conf on AD DC
[global]
         wins support = yes
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,  
drepl, winbind, ntp_signd, kcc, dnsupdate
         winbind trusted domains only = yes
         os level = 65
         workgroup = INTERNAL
         realm = INTERNAL.DOMAIN.LV
         name resolve order = bcast wins host
         log level = 4
         idmap_ldb:use rfc2307 = yes
         preferred master = Yes
         map to guest = Bad Password
         security = user
         server role = active directory domain controller
         domain logons = Yes
         kerberos method = secrets and keytab
         server string = Samba AD DC Server %v
         domain master = Yes
         winbind use default domain = yes
         utmp = yes
         max log size = 5000
         netbios name = SAMBADC
         local master = Yes
         wtmp directory = /var/log/wtmp

I feel lost and I do not understand what else to read or how to detect  
what is wrong with cfg.

Janis

On 06/04/15 10:09, jd at ionica.lv wrote:
>
> Cit?ju Rowland Penny <rowlandpenny at googlemail.com>:
>
>>> getent passwd shows list of local users, freezes for a while and
exits;
>>
>> This is possibly because you may have (somehow) the same username in 
>> AD and /etc/passwd
>
> even with the "problematic" user removed behaviour is the same
(with
> net ads leave, remove krb5 keytab and join +restart)
>>
>>> id user shows user info if it exists locally.
>>
>> On an AD joined machine id should show user info if the user exists 
>> in AD and has the required rfc2307 attributes.
>
> I re-checked what I have on AD DC:
> 1. getent passwd shows local + AD users (AD users having uids in the 
> range of 30000XX)
> 2. getent group shows local + AD grous, AD groups having gids in the 
> range of 30000XX, just Domain Users having gid 100
> 3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)'
objectSID
> gidNumber
> gives onlyObjectSID without gidNumber;
>
> CFG files from fileserver:
> ===========> krb5.conf
> [libdefaults]
> default = INTERNAL.DOMAIN.LV
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> ==========> nsswitch.conf
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat files
>
> hosts:          files dns
> networks:       files
>
> services:       files
> protocols:      files
> rpc:            files
> ethers:         files
> netmasks:       files
> netgroup:       files
> bootparams:     files
>
> automount:      files
> aliases:        files nisplus
> publickey:      nisplus
> ============> SMB.conf on fileserver
> [global]
>         security = ADS
>         workgroup = INTERNAL
>         acl group control = yes
>         inherit acls = Yes
>         map acl inherit = Yes
>         realm = INTERNAL.DOMAIN.LV
>         kerberos method = secrets and keytab
>         idmap config internal:backend = ad
>         idmap config internal:range = 10000-3001000
>         idmap config internal:schema_mode = rfc2307
>         idmap config *:range = 2000-9999
>         idmap config *:backend = tdb
>         dedicated keytab file = /etc/krb5.keytab
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind separator = \
>         winbind refresh tickets = Yes
>         winbind nss info = rfc2307
>         winbind use default domain = yes
>         winbind trusted domains only = yes
>         utmp = yes
>         wins server = sambadc.DOMAIN.lv
>         wins support = yes
>         dns proxy = no
>         wins proxy = no
>         wtmp directory = /var/log/wtmp
>         preferred master = no
>         log level = 4
>         bind interfaces only = Yes
>         interfaces = lo, eth1
>         netbios name = FS2
>         os level = 33
> =====================> smb.conf on AD DC
> [global]
>         wins support = yes
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbind, ntp_signd, kcc, dnsupdate
>         winbind trusted domains only = yes
>         os level = 65
>         workgroup = INTERNAL
>         realm = INTERNAL.DOMAIN.LV
>         name resolve order = bcast wins host
>         log level = 4
>         idmap_ldb:use rfc2307 = yes
>         preferred master = Yes
>         map to guest = Bad Password
>         security = user
>         server role = active directory domain controller
>         domain logons = Yes
>         kerberos method = secrets and keytab
>         server string = Samba AD DC Server %v
>         domain master = Yes
>         winbind use default domain = yes
>         utmp = yes
>         max log size = 5000
>         netbios name = SAMBADC
>         local master = Yes
>         wtmp directory = /var/log/wtmp
>
> I feel lost and I do not understand what else to read or how to detect 
> what is wrong with cfg.
>
> Janis
>
Firstly, please put the smb.conf on the AD DC back to what it was just 
after the provision. You do not need the extra lines you have added.

You have posted what is probably your problem:

3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)' objectSID 
gidNumber
gives onlyObjectSID without gidNumber;

You are using the winbind 'ad' backend on the member server, for this to
work, your users need a 'uidNumber' attribute and 'Domain Users'
(at
least) *NEEDS* a 'gidNumber'

If you use the 'ad' backend, then giving your users a
'uidNumber' is not
enough, you must give their primarygroup (Domain Users) a 'gidNumber' 
attribute.

Rowland

Cit?ju Rowland Penny <rowlandpenny at googlemail.com>:
>> CFG files from fileserver:
>> ===========>> krb5.conf
>> [libdefaults]
>> default = INTERNAL.DOMAIN.LV
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> ==========>> nsswitch.conf
>> passwd:         compat winbind
>> group:          compat winbind
>> shadow:         compat files
>>
>> hosts:          files dns
>> networks:       files
>>
>> services:       files
>> protocols:      files
>> rpc:            files
>> ethers:         files
>> netmasks:       files
>> netgroup:       files
>> bootparams:     files
>>
>> automount:      files
>> aliases:        files nisplus
>> publickey:      nisplus
>> ============>> SMB.conf on fileserver
>> [global]
>>        security = ADS
>>        workgroup = INTERNAL
>>        acl group control = yes
>>        inherit acls = Yes
>>        map acl inherit = Yes
>>        realm = INTERNAL.DOMAIN.LV
>>        kerberos method = secrets and keytab
>>        idmap config internal:backend = ad
>>        idmap config internal:range = 10000-3001000
>>        idmap config internal:schema_mode = rfc2307
>>        idmap config *:range = 2000-9999
>>        idmap config *:backend = tdb
>>        dedicated keytab file = /etc/krb5.keytab
>>        winbind enum users = Yes
>>        winbind enum groups = Yes
>>        winbind separator = \
>>        winbind refresh tickets = Yes
>>        winbind nss info = rfc2307
>>        winbind use default domain = yes
>>        winbind trusted domains only = yes
>>        utmp = yes
>>        wins server = sambadc.DOMAIN.lv
>>        wins support = yes
>>        dns proxy = no
>>        wins proxy = no
>>        wtmp directory = /var/log/wtmp
>>        preferred master = no
>>        log level = 4
>>        bind interfaces only = Yes
>>        interfaces = lo, eth1
>>        netbios name = FS2
>>        os level = 33
>> =====================> Firstly, please put the smb.conf on the AD DC
back to what it was
> just after the provision. You do not need the extra lines you have  
> added.
now smb.conf is rather short:
[global]
         workgroup = INTERNAL
         realm = INTERNAL.DOMAIN.LV
         netbios name = SAMBADC
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,  
drepl, winbindd, ntp_signd, kcc, dnsupdate
         idmap_ldb:use rfc2307 = yes
         log level = 4

[netlogon]
         path = /var/lib/samba/sysvol/internal.domain.lv/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No
> You have posted what is probably your problem:
>
> 3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)'
objectSID
> gidNumber
> gives onlyObjectSID without gidNumber;
>
> You are using the winbind 'ad' backend on the member server, for  
> this to work, your users need a 'uidNumber' attribute and
'Domain
> Users' (at least) *NEEDS* a 'gidNumber'
after assigning UNIX attributes to users and domain groups all of them have
uidNUmbers and gidNumbers starting from 10000,
ldbsearch gives:
dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
objectSid: S-1-5-21-216404829-505555237-127066545-513
gidNumber: 10000
> If you use the 'ad' backend, then giving your users a
'uidNumber' is
> not enough, you must give their primarygroup (Domain Users) a  
> 'gidNumber' attribute.
all of the AD users are members of the Domain Users group now.

Now on DC getent passwd gives just list of local users;
getent passwd INTERNAL\\username gives domain user info with uid/gid  
100xx:10000

still no changes on fileserver, getent passwd INTERNAL\\username  
finishes without any msg;
in log.winbindd there is notion:
2015/04/06 21:42:37.714639,  3]  
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
   getpwnam INTERNAL\username


joining to the AD DC ends with joined server and such messages:
DNS Update for mail.domain.lv failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed: NT_STATUS_UNSUCCESSFUL

(mail.domain.lv being the hostname of the server where samba  
fileserver with netbios name FS2 resides)

I do not see anything in capital letters in the logs

Janis