mathias dufresne
2015-Nov-10 13:42 UTC
[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber
Thank you for this quick answer Louis.

On DC:

On DC I had to add one line to have winbind retrieving the uidNumber AD field rather than having Winbind choosing some random UID for my users. This line is:

idmap_ldb:use rfc2307 = yes

as explained in https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

That's a start.

Unfortunately winbind is still giving my users a GID number set to 100, which is the "Domain Users" group, when my users have the gidNumber attribute set.

Same for shell: in AD loginShell is defined to /bin/bash for all my UNIX users and winbind gives /bin/false on DC. Perhaps that's what is expected by that tool but I still found that behaviour very confusing.
Please note I know there is a "template shell" option in smb.conf. Unfortunately this option is, I think, to set all shells equal to that template, for all users. That's not what we need. If some user in AD wants to use CSH, this user must have a shell set to /bin/csh (or wherever it is installed); if some user has to be set to /bin/false, it must be. And most of our users would receive /bin/bash because it is what we configure in loginShell by default.

Same for home directories. In AD I set unixHomeDirectory (I also tried with the homeDirectory field) to /home/<username> and in getent passwd <username> I get home set to /home/<SAMBA.DOMAIN>/<username>

Anyway getent passwd <username> on DC is now working with users having UID set to the content of the uidNumber field.
None of these users can connect on DC (even if uidNumber = 0) and I expect this behaviour is because they have a shell set to /bin/false.

On member:

my smb.conf (from testparm)
---------------------------------------------------------------------
[global]
        workgroup = SAMBA.DOMAIN
        realm = SAMBA.DOMAIN.TLD
        server string = Samba Server Version %v
        security = ADS
        log file = /var/log/samba/log.%m
        max log size = 2048
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind normalize names = Yes
        idmap config SAMBA.DOMAIN:range = 10000-2000000000
        idmap config SAMBA.DOMAIN:schema_mode = rfc2307
        idmap config SAMBA.DOMAIN:backend = ad
        idmap config *:range = 2000-9999
        idmap config * : backend = ad
        cups options = raw

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        print ok = Yes
        browseable = No
---------------------------------------------------------------------

nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind

and the pam.d files are both configured:
---------------------------------------------------------------------
grep winb /etc/pam.d/*
/etc/pam.d/fingerprint-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/fingerprint-auth:session optional pam_winbind.so
/etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/fingerprint-auth-ac:session optional pam_winbind.so
/etc/pam.d/password-auth:auth sufficient pam_winbind.so use_first_pass
/etc/pam.d/password-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/password-auth:password sufficient pam_winbind.so use_authtok
/etc/pam.d/password-auth:session optional pam_winbind.so
/etc/pam.d/password-auth-ac:auth sufficient pam_winbind.so use_first_pass
/etc/pam.d/password-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/password-auth-ac:password sufficient pam_winbind.so use_authtok
/etc/pam.d/password-auth-ac:session optional pam_winbind.so
/etc/pam.d/smartcard-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/smartcard-auth:session optional pam_winbind.so
/etc/pam.d/smartcard-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/smartcard-auth-ac:session optional pam_winbind.so
/etc/pam.d/system-auth:auth sufficient pam_winbind.so use_first_pass
/etc/pam.d/system-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth:password sufficient pam_winbind.so use_authtok
/etc/pam.d/system-auth:session optional pam_winbind.so
/etc/pam.d/system-auth-ac:auth sufficient pam_winbind.so use_first_pass
/etc/pam.d/system-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth-ac:password sufficient pam_winbind.so use_authtok
/etc/pam.d/system-auth-ac:session optional pam_winbind.so
---------------------------------------------------------------------

Here are the logs generated during the getent passwd commands, extracted from log.winbindd on the member server (with log level = 3 winbind:9)

getent passwd <username>
---------------------------------------------------------------------
[2015/11/10 13:16:37.550045, 6] ../source3/winbindd/winbindd.c:871(new_connection)
  accepted socket 22
[2015/11/10 13:16:37.550141, 3] ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
  [ 2906]: request interface version
[2015/11/10 13:16:37.550294, 3] ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
  [ 2906]: request location of privileged pipe
[2015/11/10 13:16:37.550440, 6] ../source3/winbindd/winbindd.c:871(new_connection)
  accepted socket 28
[2015/11/10 13:16:37.550478, 6] ../source3/winbindd/winbindd.c:919(winbind_client_request_read)
  closing socket 22, client exited
[2015/11/10 13:16:37.550506, 3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam stephane.morin
[2015/11/10 13:16:37.550633, 7] ../source3/winbindd/winbindd_ads.c:61(ads_cached_connection_reuse)
  Current tickets expire in 34856 seconds (at 1447192653, time is now 1447157797)
[2015/11/10 13:16:41.259064, 5] ../source3/winbindd/winbindd_cache.c:1272(resolve_alias_to_username)
  resolve_alias_to_username: backend query returned NT_STATUS_OK
[2015/11/10 13:16:41.281997, 5] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-569364669-4183652282-291509484-43151: NT_STATUS_NONE_MAPPED
[2015/11/10 13:16:41.282169, 6] ../source3/winbindd/winbindd.c:919(winbind_client_request_read)
  closing socket 28, client exited

getent passwd SAMBA.DOMAIN\\<username>
---------------------------------------------------------------------
[2015/11/10 13:16:50.109816, 6] ../source3/winbindd/winbindd.c:871(new_connection)
  accepted socket 22
[2015/11/10 13:16:50.109924, 3] ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
  [ 2907]: request interface version
[2015/11/10 13:16:50.109977, 3] ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
  [ 2907]: request location of privileged pipe
[2015/11/10 13:16:50.110069, 6] ../source3/winbindd/winbindd.c:871(new_connection)
  accepted socket 28
[2015/11/10 13:16:50.110130, 6] ../source3/winbindd/winbindd.c:919(winbind_client_request_read)
  closing socket 22, client exited
[2015/11/10 13:16:50.110162, 3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam ad.dgfip\stephane.morin
[2015/11/10 13:16:50.110403, 5] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-569364669-4183652282-291509484-43151: NT_STATUS_NONE_MAPPED
[2015/11/10 13:16:50.110552, 6] ../source3/winbindd/winbindd.c:919(winbind_client_request_read)
  closing socket 28, client exited
---------------------------------------------------------------------

And wbinfo -i <username> does not work:
wbinfo -i administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator
Same behaviour for other users.

---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------

Now wbinfo:
-------------------------------------------------
wbinfo -u
-------------------------------------------------
On DCs:
wbinfo -u on DCs does not show anything. It just gives up after a few seconds (around 10s on both DCs tested).

On member:
wbinfo -u | wc -l
49504

when
ldbsearch -H $sam objectcategory=person | tail -3
# returned 49507 records
# 49504 entries
# 3 referrals

So wbinfo -u returns all users on this member server.

-------------------------------------------------
wbinfo -i <username>
-------------------------------------------------
On DCs:
wbinfo -i administrator
SAMBA.DOMAIN\administrator:*:0:100::/home/SAMBA.DOMAIN/administrator:/bin/false
wbinfo -i mathias
SAMBA.DOMAIN\mathias:*:0:100:mathias dufresne:/home/SAMBA.DOMAIN/mathias:/bin/false
wbinfo -i <username>
SAMBA.DOMAIN\<username>:*:1013569430:100:<username>:/home/SAMBA.DOMAIN/<username>:/bin/false

On member:
wbinfo -i administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator
wbinfo -i mathias
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user mathias
wbinfo -i <username>
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user <username>

On member I was using the Samba packages from Centos 7 (it's a Centos 7) with version 4.1.12-24.el7_1.
I switched to version 4.3.1 (the one I'm using for DCs) and the results are the same.

I'm facing a real lack of knowledge and I didn't yet find what to read to fill these gaps.

Cheers,

mathias

2015-11-10 10:02 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:

> Really.... here are your pointers..
>
> First choose, since you're not telling.. ADDC or Member server?
>
> ADDC
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>
> Member
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> ID Mapping => https://wiki.samba.org/index.php/Identity_Mapping_(idmap)
>
> And when all configured, assign if needed uid/gids..
>
> Type :
>
> getent passwd username ( DONT TEST WITH ADMINISTRATOR )
> getent group "groupname" ( groups with spaces use the " )
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
> > Sent: Tuesday 10 November 2015 9:49
> > To: samba
> > Subject: [Samba] [samba] How to configure Winbind to use uidNumber and gidNumber
> >
> > Hi all,
> >
> > How can we configure winbind to retrieve uidNumber and gidNumber declared in AD?
> >
> > Thanks and regards,
> >
> > mathias
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
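The idmap block of the member's smb.conf above can be checked mechanically before chasing winbind logs. The following is an added example, not code from the thread or from Samba: it parses testparm-style `idmap config` lines and applies rules taken from the Samba wiki's domain-member setup (treat them as this example's assumptions): every idmap domain needs a backend and a range, ranges must not overlap, the ad backend should set schema_mode = rfc2307, and the default `*` domain uses tdb (or autorid) rather than the per-domain ad backend.

```python
"""Lint the idmap settings of a testparm-style smb.conf.

Added example; not code from the thread or from Samba. The rules are
taken from the Samba wiki's domain-member setup and are assumptions of
this example: every idmap domain needs a backend and a range, ranges must
not overlap, backend = ad should come with schema_mode = rfc2307, and the
default '*' domain uses tdb (or autorid), not the per-domain ad backend.
"""
import re
from collections import defaultdict

# Constructed copy of the relevant [global] lines from the thread.
SMB_CONF = """\
[global]
        workgroup = SAMBA.DOMAIN
        realm = SAMBA.DOMAIN.TLD
        security = ADS
        winbind nss info = rfc2307
        idmap config SAMBA.DOMAIN:range = 10000-2000000000
        idmap config SAMBA.DOMAIN:schema_mode = rfc2307
        idmap config SAMBA.DOMAIN:backend = ad
        idmap config *:range = 2000-9999
        idmap config * : backend = ad
"""

# The same config with the default domain moved to the tdb backend.
FIXED_CONF = SMB_CONF.replace("idmap config * : backend = ad",
                              "idmap config * : backend = tdb")

# testparm prints both 'DOM:option' and 'DOM : option'; accept both forms.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$",
                      re.IGNORECASE)


def parse_idmap(conf):
    """Return {DOMAIN: {option: value}} for all idmap config lines."""
    domains = defaultdict(dict)
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains[dom.upper()][opt.lower()] = val
    return dict(domains)


def parse_range(text):
    """'lo-hi' -> (lo, hi); reject malformed, empty or reversed ranges."""
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo >= hi:
        raise ValueError("empty range %s" % text)
    return lo, hi


def lint_idmap(conf):
    """Return a list of findings; an empty list means the idmap block is consistent."""
    findings = []
    domains = parse_idmap(conf)
    ranges = {}
    if "*" not in domains:
        findings.append("missing 'idmap config *' default domain")
    for dom, opts in sorted(domains.items()):
        backend = opts.get("backend")
        if backend is None:
            findings.append("%s: no backend configured" % dom)
        if "range" not in opts:
            findings.append("%s: no range configured" % dom)
        else:
            try:
                ranges[dom] = parse_range(opts["range"])
            except ValueError as err:
                findings.append("%s: bad range (%s)" % (dom, err))
        if backend == "ad" and dom == "*":
            findings.append("*: backend 'ad' is per-domain only; use tdb or autorid for the default domain")
        elif backend == "ad" and opts.get("schema_mode", "").lower() != "rfc2307":
            findings.append("%s: backend ad without schema_mode = rfc2307" % dom)
    # Overlapping ranges let two domains hand out the same uid/gid.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append("ranges of %s and %s overlap" % (a, b))
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", SMB_CONF), ("fixed", FIXED_CONF)):
        print(label + ":", lint_idmap(conf) or ["idmap config looks consistent"])
```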
Rowland Penny
2015-Nov-10 13:57 UTC
[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber
On 10/11/15 13:42, mathias dufresne wrote:
> Thank you for this quick answer Louis.
>
> On DC:
>
> On DC I had to add one line to have winbind retrieving the uidNumber AD field
> rather than having Winbind choosing some random UID for my users.
> This line is:
>
> idmap_ldb:use rfc2307 = yes
>
> as explained in https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>
> That's a start.
>
> Unfortunately winbind is still giving my users a GID number set to 100, which
> is the "Domain Users" group, when my users have the gidNumber attribute set.

Unfortunately the contents of the 'gidNumber' attribute is not used for the user's GID, you need to give 'Domain Users' a gidNumber and this is what will be used.

> Same for shell: in AD loginShell is defined to /bin/bash for all my UNIX
> users and winbind gives /bin/false on DC. Perhaps that's what is expected
> by that tool but I still found that behaviour very confusing.
> Please note I know there is a "template shell" option in smb.conf.
> Unfortunately this option is, I think, to set all shells equal to that
> template, for all users. That's not what we need. If some user in AD wants
> to use CSH, this user must have a shell set to /bin/csh (or wherever it is
> installed); if some user has to be set to /bin/false, it must be. And
> most of our users would receive /bin/bash because it is what we
> configure in loginShell by default.

You can only use the 'template' lines on the DC, if you need to have different home dirs or shells, use a member server.

> Same for home directories. In AD I set unixHomeDirectory (I also tried with
> the homeDirectory field) to /home/<username> and in getent passwd <username> I
> get home set to /home/<SAMBA.DOMAIN>/<username>
>
> Anyway getent passwd <username> on DC is now working with users having UID
> set to the content of the uidNumber field.
> None of these users can connect on DC (even if uidNumber = 0) and I expect
> this behaviour is because they have a shell set to /bin/false.

Correct, if you want to login to the DC, use 'template shell = /bin/bash'

Rowland
Michael Adam
2015-Nov-11 06:52 UTC
[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber
On 2015-11-10 at 13:57 +0000, Rowland Penny wrote:
> On 10/11/15 13:42, mathias dufresne wrote:
> > Thank you for this quick answer Louis.
> >
> > On DC:
> >
> > On DC I had to add one line to have winbind retrieving the uidNumber AD field
> > rather than having Winbind choosing some random UID for my users.
> > This line is:
> >
> > idmap_ldb:use rfc2307 = yes
> >
> > as explained in https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
> >
> > That's a start.
> >
> > Unfortunately winbind is still giving my users a GID number set to 100, which
> > is the "Domain Users" group, when my users have the gidNumber attribute set.
>
> Unfortunately the contents of the 'gidNumber' attribute is not used for the
> user's GID, you need to give 'Domain Users' a gidNumber and this is what will
> be used.

That is not unfortunate, but the right thing to do (imho), because the domain users group (or whatever the primary AD level group is for the user) is what will appear in the access token when the user accesses a file server.

We can think about making the use of the gidNumber attribute a configurable option (at least for the start in the domain member case with idmap_ad).

But again, the right thing to do is use the SID-level primary group for the primary gid of the unix user.

> > Same for shell: in AD loginShell is defined to /bin/bash for all my UNIX
> > users and winbind gives /bin/false on DC. Perhaps that's what is expected
> > by that tool but I still found that behaviour very confusing.
> > Please note I know there is a "template shell" option in smb.conf.
> > Unfortunately this option is, I think, to set all shells equal to that
> > template, for all users. That's not what we need. If some user in AD wants
> > to use CSH, this user must have a shell set to /bin/csh (or wherever it is
> > installed); if some user has to be set to /bin/false, it must be. And
> > most of our users would receive /bin/bash because it is what we
> > configure in loginShell by default.
>
> You can only use the 'template' lines on the DC, if you need to have
> different home dirs or shells, use a member server.

As discussed elsewhere, we should add the feature to use the AD attributes (configurably). Someone has to find the time to implement the changes.

Cheers - Michael
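To make the rule Rowland and Michael state above concrete, here is an added example (not Samba code and not from the thread) that simulates how winbind assembles a passwd entry: the primary GID is taken from the gidNumber of the group behind the user's primaryGroupID and the user's own gidNumber is ignored; shell and home come from loginShell/unixHomeDirectory on a member with `winbind nss info = rfc2307` but from the template options on a DC. The directory records, SIDs and range check are constructed assumptions, and a primary group without gidNumber is modelled as a failed lookup, which is the member-server behaviour the thread describes.

```python
"""Simulate how winbind builds a passwd entry from AD RFC2307 attributes.

Added example, not Samba code. It models the rules stated in the thread:
uid comes from uidNumber; the primary GID comes from the gidNumber of the
group named by the user's primaryGroupID (never from the user's own
gidNumber); a member server with 'winbind nss info = rfc2307' takes shell
and home from loginShell/unixHomeDirectory, while a DC uses the template
options. Records, SIDs and the range check below are constructed.
"""

DOMAIN = "SAMBA.DOMAIN"
DOMAIN_SID = "S-1-5-21-1000-2000-3000"      # constructed domain SID
UID_RANGE = (10000, 2000000000)              # idmap range from the thread

# Constructed group records keyed by SID. RID 513 is always Domain Users.
GROUPS = {
    DOMAIN_SID + "-513":  {"name": "domain users", "gidNumber": 10001},
    DOMAIN_SID + "-1105": {"name": "unixadmins", "gidNumber": 10050},
    DOMAIN_SID + "-1106": {"name": "nogid"},  # no RFC2307 attribute at all
}

# Constructed user records. gidNumber is set on purpose so the output
# shows that it is NOT what ends up in the passwd entry.
USERS = {
    "mathias": {"primaryGroupID": 513, "uidNumber": 10100, "gidNumber": 10050,
                "loginShell": "/bin/csh", "unixHomeDirectory": "/home/mathias",
                "gecos": "mathias dufresne"},
    "svc-backup": {"primaryGroupID": 1105, "uidNumber": 10200,
                   "gidNumber": 10001, "loginShell": "/bin/false"},
    "orphan": {"primaryGroupID": 1106, "uidNumber": 10300, "gidNumber": 10001},
    "nouid": {"primaryGroupID": 513, "gidNumber": 10001},
}


def expand_template(template, user):
    """Expand the %D (domain) and %U (user) substitutions of smb.conf templates."""
    return template.replace("%D", DOMAIN).replace("%U", user)


def primary_gid(user):
    """Primary GID = gidNumber of the group behind primaryGroupID, or None."""
    group = GROUPS.get("%s-%d" % (DOMAIN_SID, user["primaryGroupID"]))
    if group is None:
        return None
    return group.get("gidNumber")


def resolve_passwd(name, role="member", template_shell="/bin/false",
                   template_homedir="/home/%D/%U"):
    """Return the passwd fields winbind would hand to NSS, or None when the
    lookup fails (the 'getent prints nothing' / wbinfo error case)."""
    user = USERS.get(name)
    if user is None:
        return None
    uid = user.get("uidNumber")
    if uid is None:
        return None                   # no uidNumber: SID cannot be mapped
    if role == "member" and not UID_RANGE[0] <= uid <= UID_RANGE[1]:
        return None                   # idmap_ad only maps ids inside its range
    gid = primary_gid(user)
    if gid is None:
        return None                   # primary group lacks gidNumber
    if role == "member":
        shell = user.get("loginShell") or template_shell
        home = user.get("unixHomeDirectory") or expand_template(template_homedir, name)
    else:                             # DC: only the template options apply
        shell = template_shell
        home = expand_template(template_homedir, name)
    return {"name": name, "uid": uid, "gid": gid, "gecos": user.get("gecos", ""),
            "home": home, "shell": shell}


def passwd_line(entry):
    """Format like 'wbinfo -i': DOMAIN\\user:*:uid:gid:gecos:home:shell."""
    return "%s\\%s:*:%d:%d:%s:%s:%s" % (DOMAIN, entry["name"], entry["uid"],
                                        entry["gid"], entry["gecos"],
                                        entry["home"], entry["shell"])


if __name__ == "__main__":
    for name in USERS:
        for role in ("dc", "member"):
            entry = resolve_passwd(name, role)
            print(role, name, passwd_line(entry) if entry else "lookup failed")
```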