john_s
2015-Apr-21 18:53 UTC
[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
On 04/20/2015 02:01 PM, Rowland Penny wrote:
>
> I would suggest you try it on a test set up in a VM and if it works, go
> to production.
>
> Rowland
>

Hi Rowland,

Ok, I think I am pretty close. Still using Samba 3.3.6 since I couldn't seem to get Samba 4 to work from backports.

My sticking point right now is that winbind is mapping the wrong UID to my test user. I've set up the NIS domain in AD to correspond to my smb.conf file and I *think* I've correctly specified that UIDs should start at 10000, however when I id a domain user, the mapping starts at 2000. I assume this means that winbind thinks that the user doesn't exist in the domain. wbinfo -u and wbinfo -g work as expected.

wbinfo -n flyboy
S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)

root@debian-tester:~# id flyboy
uid=2000(DEBIAN-TESTER\nobody) gid=2006(domain_users) groups=2001(DEBIAN-TESTER\none),2006(domain_users),2007(student_terminal_server),2008(all_students_users),2009(mcm_students),2010(students),2011(chromebooks),2012(2020)

root@debian-tester:~# getent passwd flyboy
flyboy:*:2000:2006:flyboy:/home/flyboy:/bin/sh

getent group "domain users"
domain_users:x:2006:gcallison

Here's my smb.conf file

[global]
workgroup = VANGUARD
security = ADS
realm = VANGUARD.MYDOMAIN.ORG
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config VANGUARD:backend = ad
idmap config VANGUARD:schema_mode = rfc2307
idmap config VANGUARD:range = 10000-99999

log level = 1 idmap:10
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind expand groups = 4
winbind normalize names = Yes
domain master = no
local master = no
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

[ALLSTUDENTS]
path = /home/ALLSTUDENTS
# valid users = %S
readonly = no
writable = yes
printable = no
create mode = 0700
directory mode = 0700

I turned up the logs for idmap, here's what I see:

log.winbindd-idmap: idmap range not specified for domain DEBIAN-TESTER
log.winbindd-idmap: gid [0] not mapped
log.winbindd-idmap: idmap backend ad not found
log.winbindd-idmap: gid [65534] not mapped
log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-501 not found
log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-513 not found
log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-546 not found
log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-501 not found
log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-513 not found
log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-546 not found
log.winbindd-idmap: uid [0] not mapped

Thanks for all of your help!

John
Rowland Penny
2015-Apr-21 19:06 UTC
[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
On 21/04/15 19:53, john_s wrote:
> On 04/20/2015 02:01 PM, Rowland Penny wrote:
>>
>> I would suggest you try it on a test set up in a VM and if it works, go
>> to production.
>>
>> Rowland
>>
>
> Hi Rowland,
>
> Ok, I think I am pretty close. Still using Samba 3.3.6 since I
> couldn't seem to get Samba 4 to work from backports.
>
> My sticking point right now is that winbind is mapping the wrong UID
> to my test user. I've set up the NIS domain in AD to correspond to my
> smb.conf file and I *think* I've correctly specified that UIDs
> should start at 10000, however when I id a domain user, the mapping
> starts at 2000. I assume this means that winbind thinks that the user
> doesn't exist in the domain. wbinfo -u and wbinfo -g work as expected.
>
> wbinfo -n flyboy
> S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)
>
> root@debian-tester:~# id flyboy
> uid=2000(DEBIAN-TESTER\nobody) gid=2006(domain_users)
> groups=2001(DEBIAN-TESTER\none),2006(domain_users),2007(student_terminal_server),2008(all_students_users),2009(mcm_students),2010(students),2011(chromebooks),2012(2020)
>
> root@debian-tester:~# getent passwd flyboy
> flyboy:*:2000:2006:flyboy:/home/flyboy:/bin/sh
>
> getent group "domain users"
> domain_users:x:2006:gcallison
>
> Here's my smb.conf file
>
> [global]
> workgroup = VANGUARD
> security = ADS
> realm = VANGUARD.MYDOMAIN.ORG
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config VANGUARD:backend = ad
> idmap config VANGUARD:schema_mode = rfc2307
> idmap config VANGUARD:range = 10000-99999
>
> log level = 1 idmap:10
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> winbind expand groups = 4
> winbind normalize names = Yes
> domain master = no
> local master = no
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> [ALLSTUDENTS]
> path = /home/ALLSTUDENTS
> # valid users = %S
> readonly = no
> writable = yes
> printable = no
> create mode = 0700
> directory mode = 0700
>
> I turned up the logs for idmap, here's what I see:
>
> log.winbindd-idmap: idmap range not specified for domain DEBIAN-TESTER
> log.winbindd-idmap: gid [0] not mapped
> log.winbindd-idmap: idmap backend ad not found
> log.winbindd-idmap: gid [65534] not mapped
> log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-501 not found
> log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-513 not found
> log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-546 not found
> log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-501 not found
> log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-513 not found
> log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-546 not found
> log.winbindd-idmap: uid [0] not mapped
>
> Thanks for all of your help!
>
> John
>

If you are using the winbind 'ad' backend, your users need to have a 'uidNumber' attribute containing a number that is inside the range you set for the domain in smb.conf. If this number is not there, or it is either too small or too large, the user will be ignored as a domain user and the other range will be used. It sounds like you need to check just what 'uidNumbers' you have in smb.conf, either that or you need to use the 'rid' backend, see the member server page on the wiki:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Rowland
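The rule in Rowland's reply (the 'ad' backend only maps a user whose AD object carries a uidNumber inside the domain's configured range; anything else falls through to the '*' backend and its range) can be checked mechanically before a member server goes to production. The script below is an added example, not code from this thread or from Samba: it parses the `idmap config` lines out of an smb.conf text, classifies AD user records by whether the 'ad' backend would accept their uidNumber, and flags overlapping idmap ranges. The `SMB_CONF` excerpt and the `AD_USERS` records are constructed sample data modelled on the thread; no LDAP or winbind connection is made.

```python
"""Predict winbind 'ad' idmap behaviour from smb.conf ranges and AD uidNumbers.

Added example (not from the thread or from Samba). It encodes the rule that a
user is mapped by the 'ad' backend only if the AD object carries a uidNumber
inside the domain's configured range; otherwise winbind falls through to the
default ('*') backend and allocates an id from that range instead.
"""
import re

# Constructed smb.conf excerpt modelled on the thread's idmap settings.
SMB_CONF = """
[global]
   workgroup = VANGUARD
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config VANGUARD:backend = ad
   idmap config VANGUARD:schema_mode = rfc2307
   idmap config VANGUARD:range = 10000-99999
"""

# Constructed AD user records: (sAMAccountName, uidNumber or None when the
# RFC2307 attribute was never filled in). Values are invented for illustration.
AD_USERS = [
    ("flyboy", 10000),     # inside the VANGUARD range
    ("gcallison", 10001),
    ("nouid", None),       # RFC2307 attributes not set
    ("lowuid", 500),       # set, but below the domain range
    ("highuid", 123456),   # set, but above the domain range
]

# Matches "idmap config <domain>:<key> = <value>"; '*' is the default domain.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(\S+)\s*$", re.IGNORECASE
)


def parse_idmap(conf_text):
    """Collect idmap settings per domain: {DOMAIN: {'backend': str, 'range': (lo, hi), ...}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if key == "range":
            lo, hi = value.split("-", 1)
            entry["range"] = (int(lo), int(hi))
        else:
            entry[key] = value.lower()
    return domains


def classify_user(domains, domain, uid_number):
    """Return ('ad', reason) if the ad backend would use uid_number, else ('fallback', reason)."""
    cfg = domains.get(domain.upper())
    if cfg is None or "range" not in cfg:
        # Corresponds to the log line "idmap range not specified for domain ..."
        return ("fallback", f"no idmap range configured for domain {domain}")
    if cfg.get("backend") != "ad":
        return ("fallback", f"domain {domain} uses backend {cfg.get('backend')!r}, not 'ad'")
    lo, hi = cfg["range"]
    if uid_number is None:
        return ("fallback", "uidNumber attribute missing in AD")
    if not lo <= uid_number <= hi:
        return ("fallback", f"uidNumber {uid_number} outside {lo}-{hi}")
    return ("ad", f"uidNumber {uid_number} within {lo}-{hi}")


def range_overlaps(domains):
    """List pairs of domains whose idmap ranges overlap (Samba requires them to be disjoint)."""
    names = sorted(d for d, cfg in domains.items() if "range" in cfg)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = domains[a]["range"], domains[b]["range"]
            if alo <= bhi and blo <= ahi:
                clashes.append((a, b))
    return clashes


def audit(conf_text, domain, users):
    """Map each (name, uidNumber) record to its classification for the given domain."""
    domains = parse_idmap(conf_text)
    return {name: classify_user(domains, domain, uid) for name, uid in users}


if __name__ == "__main__":
    for name, (status, reason) in audit(SMB_CONF, "VANGUARD", AD_USERS).items():
        print(f"{name:<10} {status:<8} {reason}")
    print("overlapping ranges:", range_overlaps(parse_idmap(SMB_CONF)) or "none")
```

Run against the constructed data, only `flyboy` and `gcallison` are reported as mapped by the 'ad' backend; the three others land in the '*' tdb range, which is exactly the 2000-9999 allocation seen in the `id flyboy` output above. Feeding the script a real user list exported from AD (sAMAccountName plus uidNumber) turns Rowland's advice into a repeatable pre-deployment check.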
buhorojo
2015-Apr-21 19:10 UTC
[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
On 21/04/15 20:53, john_s wrote:
>
> Here's my smb.conf file
>
> [global]
>
> workgroup = VANGUARD
>
> log.winbindd-idmap: idmap range not specified for domain DEBIAN-TESTER

Which is it that you want? VANGUARD or DEBIAN-TESTER?
john
2015-Apr-21 23:19 UTC
[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
On Tue, Apr 21, 2015 at 12:06 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> Here's my smb.conf file
>>
>> [global]
>>
>> workgroup = VANGUARD
>> security = ADS
>> realm = VANGUARD.MYDOMAIN.ORG
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>> idmap config VANGUARD:backend = ad
>> idmap config VANGUARD:schema_mode = rfc2307
>> idmap config VANGUARD:range = 10000-99999
>>
> 'uidNumber' attribute containing a number that is inside the range you set
> for the domain in smb.conf. If this number is not there, or it is either too
> small or too large, the user will be ignored as a domain user and the other
> range will be used. It sounds like you need to check just what 'uidNumbers'
> you have in smb.conf, either that or you need to use the 'rid' backend, see
> the member server page on the wiki:

Hello Rowland,

You can see the extract from my smb.conf file above, it's basically the one on the page you recommended: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Set_up_a_basic_smb.conf

In AD the user flyboy has the following Unix Attributes:
NIS Domain: vanguard
UID: 10000
login shell: /bin/sh
Home Directory: /home/flyboy
Primary Group name/GID: Domain Users

However I now realize that using the idmap = AD method breaks logins for ssh users logging in with the UPN name, even though it appears to work for clients using smbclient. E.g. when nsswitch uses winbind, UPN names are not supported for ssh. E.g. ssh flyboy@mydomain.org@debian-tester doesn't work, but smbclient \\\\debian-tester\ALLSTUDENTS -Uflyboy@mydomain.org works.

My Goal: I need clients to be able to reach linux shares via SSH and SMB using UPN names. These users need to have consistent UID/GID mappings.

NSLCD appears to give me UID/GID info from AD and allows logon via UPN over ssh, but I don't know how to make Samba/winbind map UID/GIDs against the info returned by NSLCD/AD. The configuration method outlined at https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Set_up_a_basic_smb.conf appears to break logons via ssh for UPN names.

So here's a refactoring of my original question: can winbind reference UID/GID information returned by NSLCD from AD? If so, how? If not, what is the purpose of this page: https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

Thanks for sticking with me!

John