Fred Smith
2015-Apr-23 01:48 UTC
[Samba] RFC2307 attributes not being read by DC2 in 4.2.1
Hi all

On latest samba 4.2.1 I have provisioned a new domain on DC1 that successfully reads RFC2307 attributes set on a user account through ADUC.

wbinfo (correct uid gets resolved from sid)

wbinfo -n fsmith
S-1-5-21-1273750850-484487853-1026460749-1120 SID_USER (1)
wbinfo -S S-1-5-21-1273750850-484487853-1026460749-1120
1000006

ldbsearch

sudo ldbsearch -H '/usr/local/samba/private/sam.ldb' -b 'DC=samdom,DC=example,DC=org' -s sub '(&(objectCategory=Person)(CN=Fred Smith))'
# record 1
dn: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
cn: Fred Smith
sn: Smith
givenName: Fred
instanceType: 4
whenCreated: 20150422234928.0Z
displayName: Fred Smith
uSNCreated: 4558
name: Fred Smith
objectGUID: 7b49274a-9ac9-48bd-9af7-e51e8ea17c9a
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
profilePath: %LOGONSERVER%\profiles\%USERNAME%
objectSid: S-1-5-21-1273750850-484487853-1026460749-1120
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: fsmith
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=org
uid: fsmith
uidNumber: 1000006
gidNumber: 50023
loginShell: /bin/false
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
pwdLastSet: 130742201680000000
userAccountControl: 512
msSFU30NisDomain: samdom
unixHomeDirectory: /dev/null
msSFU30Name: fsmith
unixUserPassword: ABCD!efgh12345$67890
userPrincipalName: fsmith at samdom.example.org
whenChanged: 20150422234929.0Z
uSNChanged: 4565
distinguishedName: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org

provision domain command

sudo samba-tool domain provision --use-rfc2307 --site="DC1" --interactive
Realm: SAMDOM.EXAMPLE.ORG
Domain: SAMDOM
Server Role: dc
DNS backend: BIND9_DLZ

DC1 smb.conf

cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
	workgroup = SAMDOM
	realm = SAMDOM.EXAMPLE.ORG
	netbios name = DC1
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	idmap_ldb:use rfc2307 = yes

	# Disable printing
	printcap name = /dev/null
	load printers = no
	printing = bsd

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/samdom.example.org/scripts
	read only = No
	browseable = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No
	browseable = No

But when I join DC2 to the domain and attempt to retrieve RFC2307 attributes they don't get read.

wbinfo (wrong uid gets resolved from sid)

wbinfo -n fsmith
S-1-5-21-1273750850-484487853-1026460749-1120 SID_USER (1)
wbinfo -S S-1-5-21-1273750850-484487853-1026460749-1120
3000017

ldbsearch

sudo ldbsearch -H '/usr/local/samba/private/sam.ldb' -b 'DC=samdom,DC=example,DC=org' -s sub '(&(objectCategory=Person)(CN=Fred Smith))'
# record 1
dn: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Fred Smith
sn: Smith
givenName: Fred
instanceType: 4
whenCreated: 20150422234928.0Z
whenChanged: 20150422234929.0Z
displayName: Fred Smith
uSNCreated: 4494
uSNChanged: 4494
name: Fred Smith
objectGUID: 7b49274a-9ac9-48bd-9af7-e51e8ea17c9a
userAccountControl: 512
codePage: 0
countryCode: 0
pwdLastSet: 130742201680000000
primaryGroupID: 513
profilePath: %LOGONSERVER%\profiles\%USERNAME%
objectSid: S-1-5-21-1273750850-484487853-1026460749-1120
accountExpires: 9223372036854775807
sAMAccountName: fsmith
sAMAccountType: 805306368
userPrincipalName: fsmith at example.org
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=org
unixUserPassword: ABCD!efgh12345$67890
uid: fsmith
msSFU30Name: fsmith
msSFU30NisDomain: samdom
uidNumber: 1000006
gidNumber: 50023
unixHomeDirectory: /dev/null
loginShell: /bin/false
distinguishedName: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org

join domain command

sudo samba-tool domain join samdom.example.org DC -UAdministrator --realm=samdom.example.org --site=DC2 --dns-backend=BIND9_DLZ

DC2 smb.conf

cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
	workgroup = SAMDOM
	realm = samdom.example.org
	netbios name = DC2
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	idmap_ldb:use rfc2307 # Added manually after join domain

	# Disable printing
	printcap name = /dev/null
	load printers = no
	printing = bsd

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/samdom.example.org/scripts
	read only = No
	browseable = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No
	browseable = No

Reading RFC2307 attributes on DC2 worked well using the same configuration on samba 4.1.x.

Thanks

Fred.
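As an added diagnostic (my code, not from the thread or from Samba): a Python check that parses the ldbsearch record and the smb.conf [global] section of one DC and compares the stored uidNumber with the uid that wbinfo -S returned, so a DC where the attribute is ignored, or where the idmap_ldb:use rfc2307 line carries no value, gets flagged. Function names and the trimmed sample inputs are mine; the values in them are copied from the output posted above.

```python
"""Cross-check a Samba DC's RFC2307 id mapping (added example, not from the thread)."""

def parse_ldif_record(ldif):
    """attribute -> [values] for one ldbsearch LDIF record ('# record N' skipped)."""
    attrs = {}
    for line in ldif.splitlines():
        key, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs

def parse_global_section(conf):
    """parameter -> value from [global]; a line without '= value' (as on DC2) maps to None."""
    params, in_global = {}, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # trailing '# ...' stripped for this check only
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif line and in_global:
            key, sep, value = line.partition("=")
            params[key.strip().lower()] = value.strip() if sep else None
    return params

def check_dc(ldif, conf, wbinfo_uid):
    """Return findings explaining an RFC2307 mismatch; an empty list means consistent."""
    findings = []
    flag = parse_global_section(conf).get("idmap_ldb:use rfc2307")
    if flag is None or flag.lower() not in ("yes", "true", "1"):
        findings.append("idmap_ldb:use rfc2307 is not set to yes in [global]")
    uids = parse_ldif_record(ldif).get("uidNumber")
    if not uids:
        findings.append("user object has no uidNumber attribute")
    elif int(uids[0]) != wbinfo_uid:
        findings.append(f"wbinfo -S returned {wbinfo_uid} but uidNumber is {uids[0]}:"
                        " winbind is not using the RFC2307 uid")
    return findings

# Constructed samples: values copied from the thread, records trimmed to what the check reads.
USER_LDIF = """# record 1
dn: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
objectSid: S-1-5-21-1273750850-484487853-1026460749-1120
uidNumber: 1000006
"""
DC1_CONF = "[global]\n\tnetbios name = DC1\n\tidmap_ldb:use rfc2307 = yes\n"
DC2_CONF = DC1_CONF.replace("DC1", "DC2").replace(  # DC2's line lacks '= yes', as posted
    "idmap_ldb:use rfc2307 = yes", "idmap_ldb:use rfc2307 # Added manually after join domain")
if __name__ == "__main__":
    for dc, conf, uid in (("DC1", DC1_CONF, 1000006), ("DC2", DC2_CONF, 3000017)):
        print(dc, check_dc(USER_LDIF, conf, uid) or ["OK"])
```

On a live DC the two inputs would come from `ldbsearch -H /usr/local/samba/private/sam.ldb ...` and `cat /usr/local/samba/etc/smb.conf`, with the uid from `wbinfo -S <sid>`.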
Rowland Penny
2015-Apr-23 08:01 UTC
[Samba] RFC2307 attributes not being read by DC2 in 4.2.1
On 23/04/15 02:48, Fred Smith wrote:
> [original message quoted in full, snipped]

Hmm, you seem to be the second person reporting something similar, have a look here:

https://lists.samba.org/archive/samba-technical/2015-April/106942.html

Could you try replacing 'winbindd' with 'winbind' in the 'server services' line in your smb.conf files on all DCs, restart samba and run your tests again. If it now works, I think you need to raise a bug report.

Rowland
miguelmedalha at sapo.pt
2015-Apr-23 15:06 UTC
[Samba] RFC2307 attributes not being read by DC2 in 4.2.1
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate

Since "winbindd" is included in this line, shouldn't "-winbind" also be there? I think that when you use the normal winbind you must disable the internal one. Could the simultaneous use of both winbinds be the cause of the confusion?
Fred Smith
2015-Apr-27 00:47 UTC
[Samba] RFC2307 attributes not being read by DC2 in 4.2.1
Thanks for your suggestions, I have tried both and neither helped unfortunately:

Replacing winbindd with winbind on the existing server services line, or adding "server services = -winbindd +winbind" to smb.conf on all DCs, did not solve the issue.

Adding "server services = -winbind" did not solve the issue either.

On Thu, Apr 23, 2015 at 11:18 AM, Fred Smith <fs582087 at gmail.com> wrote:
> [original message quoted in full, snipped]