john_s
2015-Apr-21 18:53 UTC
[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
On 04/20/2015 02:01 PM, Rowland Penny wrote:> > I would suggest you try it on a test set up in a VM and if it works, go > to production. > > Rowland >Hi Rowland, Ok, I think I am pretty close. Still using Samba 3.3.6 since I couldn't seem to get Samba 4 to work from backports. My sticking point right now is that winbind is mapping the wrong UID to my test user. I've setup the NIS domain in AD to correspond to my smb.conf file and I've *think* i've correctly specified that UIDs should start at 10000, however when I id a domain user, the mapping starts at 2000. I assume this means that winbind thinks that the user doesn't exist in the domain. Wbinfo -u and wbinfo -g work as expected wbinfo -n flyboy S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1) root at debian-tester:~# id flyboy uid=2000(DEBIAN-TESTER\nobody) gid=2006(domain_users) groups=2001(DEBIAN-TESTER\none),2006(domain_users),2007(student_terminal_server),2008(all_students_users),2009(mcm_students),2010(students),2011(chromebooks),2012(2020) root at debian-tester:~# getent passwd flyboy flyboy:*:2000:2006:flyboy:/home/flyboy:/bin/sh getent group "domain users" domain_users:x:2006:gcallison Here's my smb.conf file [global] workgroup = VANGUARD security = ADS realm = VANGUARD.MYDOMAIN.ORG dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab idmap config *:backend = tdb idmap config *:range = 2000-9999 idmap config VANGUARD:backend = ad idmap config VANGUARD:schema_mode = rfc2307 idmap config VANGUARD:range = 10000-99999 log level = 1 idmap:10 winbind nss info = rfc2307 winbind trusted domains only = no winbind use default domain = yes winbind enum users = yes winbind enum groups = yes winbind refresh tickets = Yes winbind expand groups = 4 winbind normalize names = Yes domain master = no local master = no vfs objects = acl_xattr map acl inherit = Yes store dos attributes = Yes [ALLSTUDENTS] path = /home/ALLSTUDENTS # valid users = %S readonly = no writable = yes printable = no create mode = 0700 directory mode = 0700 I turned up the logs for idmap, here's what I see: log.winbindd-idmap: idmap range not specified for domain DEBIAN-TESTER log.winbindd-idmap: gid [0] not mapped log.winbindd-idmap: idmap backend ad not found log.winbindd-idmap: gid [65534] not mapped log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-501 not found log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-513 not found log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-546 not found log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-501 not found log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-513 not found log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-546 not found log.winbindd-idmap: uid [0] not mapped Thanks for all of your help! John
Rowland Penny
2015-Apr-21 19:06 UTC
[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
On 21/04/15 19:53, john_s wrote:> On 04/20/2015 02:01 PM, Rowland Penny wrote: > >> >> I would suggest you try it on a test set up in a VM and if it works, go >> to production. >> >> Rowland >> > > Hi Rowland, > > Ok, I think I am pretty close. Still using Samba 3.3.6 since I > couldn't seem to get Samba 4 to work from backports. > > My sticking point right now is that winbind is mapping the wrong UID > to my test user. I've setup the NIS domain in AD to correspond to my > smb.conf file and I've *think* i've correctly specified that UIDs > should start at 10000, however when I id a domain user, the mapping > starts at 2000. I assume this means that winbind thinks that the user > doesn't exist in the domain. Wbinfo -u and wbinfo -g work as expected > > > wbinfo -n flyboy > S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1) > > root at debian-tester:~# id flyboy > uid=2000(DEBIAN-TESTER\nobody) gid=2006(domain_users) > groups=2001(DEBIAN-TESTER\none),2006(domain_users),2007(student_terminal_server),2008(all_students_users),2009(mcm_students),2010(students),2011(chromebooks),2012(2020) > > > root at debian-tester:~# getent passwd flyboy > flyboy:*:2000:2006:flyboy:/home/flyboy:/bin/sh > > getent group "domain users" > domain_users:x:2006:gcallison > > Here's my smb.conf file > > [global] > > > workgroup = VANGUARD > security = ADS > realm = VANGUARD.MYDOMAIN.ORG > dedicated keytab file = /etc/krb5.keytab > kerberos method = secrets and keytab > > idmap config *:backend = tdb > idmap config *:range = 2000-9999 > idmap config VANGUARD:backend = ad > idmap config VANGUARD:schema_mode = rfc2307 > idmap config VANGUARD:range = 10000-99999 > > log level = 1 idmap:10 > winbind nss info = rfc2307 > winbind trusted domains only = no > winbind use default domain = yes > winbind enum users = yes > winbind enum groups = yes > winbind refresh tickets = Yes > winbind expand groups = 4 > winbind normalize names = Yes > domain master = no > local master = no > vfs objects = acl_xattr > map acl inherit = Yes > store dos attributes = Yes > [ALLSTUDENTS] > > path = /home/ALLSTUDENTS > # valid users = %S > readonly = no > writable = yes > printable = no > create mode = 0700 > directory mode = 0700 > > I turned up the logs for idmap, here's what I see: > > log.winbindd-idmap: idmap range not specified for domain DEBIAN-TESTER > log.winbindd-idmap: gid [0] not mapped > log.winbindd-idmap: idmap backend ad not found > log.winbindd-idmap: gid [65534] not mapped > log.winbindd-idmap: Record > S-1-5-21-2072017671-3909937455-2446232893-501 not found > log.winbindd-idmap: Record > S-1-5-21-2072017671-3909937455-2446232893-513 not found > log.winbindd-idmap: Record > S-1-5-21-2072017671-3909937455-2446232893-546 not found > log.winbindd-idmap: Record > S-1-5-21-2072017671-3909937455-2446232893-501 not found > log.winbindd-idmap: Record > S-1-5-21-2072017671-3909937455-2446232893-513 not found > log.winbindd-idmap: Record > S-1-5-21-2072017671-3909937455-2446232893-546 not found > log.winbindd-idmap: uid [0] not mapped > > > Thanks for all of your help! > > John >If you are using the winbind 'ad' backend, your users need to have a 'uidNumber' attribute containing a number that is inside the range you set for the domain in smb.conf. If this number is not there, or it is either too small or too large, the user will be ignored as a domain user and the other range will be used. It sounds like you need to check just what 'uidNumbers' you have in smb.conf, either that or you need to use the 'rid' backend, see the member server page on the wiki: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server Rowland
buhorojo
2015-Apr-21 19:10 UTC
[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
On 21/04/15 20:53, john_s wrote:> > > Here's my smb.conf file > > [global] > > > workgroup = VANGUARD > > log.winbindd-idmap: idmap range not specified for domain DEBIAN-TESTERWhich is it that you want? VANGUARD or DEBIAN-TESTER?
john
2015-Apr-21 23:19 UTC
[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
On Tue, Apr 21, 2015 at 12:06 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:>> Here's my smb.conf file >> >> [global] >> >> >> workgroup = VANGUARD >> security = ADS >> realm = VANGUARD.MYDOMAIN.ORG >> dedicated keytab file = /etc/krb5.keytab >> kerberos method = secrets and keytab >> >> idmap config *:backend = tdb >> idmap config *:range = 2000-9999 >> idmap config VANGUARD:backend = ad >> idmap config VANGUARD:schema_mode = rfc2307 >> idmap config VANGUARD:range = 10000-99999 >>> 'uidNumber' attribute containing a number that is inside the range you set > for the domain in smb.conf. If this number is not there, or it is either too > small or too large, the user will be ignored as a domain user and the other > range will be used. It sounds like you need to check just what 'uidNumbers' > you have in smb.conf, either that or you need to use the 'rid' backend, see > the member server page on the wiki:Hello Rowland, You can see the extract from my smb.conf file above, it's basically the one on the page you recommended: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Set_up_a_basic_smb.conf In AD the user flyboy has the following Unix Attributes: NIS Domain: vanguard UID: 10000 login shell: /bin/sh Home Directory: /home/flyboy Primary Group name/GID: Domain Users However I now realize that using the idmap = AD method breaks logins for ssh users logging in with the UPN name, even though it appears to work for clients using smbclient. E.g. when nsswitch uses winbind upn names are not supported for ssh E.g. ssh flyboy at mydomain.org@debian-tester doesn't work but smbclient \\\\debian-tester\ALLSTUDENTS -Uflyboy at mydomain.org works My Goal: I need clients to be able to reach linux shares via SSH and SMB using UPN names. These users need to have consistent UID/GID mappings. NSLCD appears to give me UID/GID info from AD and allows logon via UPN over ssh, but I don't know how to make Samba/winbind map UID/GID's against the info returned by NSLCD/AD. The configuration method outlined at https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Set_up_a_basic_smb.conf appears to break logons via ssh for UPN names. So here's a refactoring of my orignal question: can winbind reference UID/GID information returned by NSLCD from AD? If so how? If not what is the purpose of this page https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd Thanks for sticking with me! John
Maybe Matching Threads
- NSLCD works, do I need RFC2307 extensions enabled in AD as well?
- NSLCD works, do I need RFC2307 extensions enabled in AD as well?
- NSLCD works, do I need RFC2307 extensions enabled in AD as well?
- Is there a simple way to let particular windows users have read/write on ALL samba shares?
- Why won't %username% variable work when adding users to samba share?