Simone Rossetto
2016-Mar-24 09:37 UTC
[Samba] Winbind doesn't honor rfc2307 data set in AD (Samba 4.3.6 on Debian jessie)
Hi all,
I've just installed Samba 4.3.6 on Debian jessie amd64 (as described in the wiki [1]) and everything seems to work properly except for rfc2307 data that winbind doesn't retrieve from the AD backend: shell is always "/bin/false", homedir is always "/home/DOMAIN/username" and "getent passwd" also lists users without unix attributes.
I have configured idmap_ad as described here [2] with rfc2307.

Hereafter my configuration:

# cat /etc/samba/smb.conf
[global]
        log level = 5
        workgroup = VBOX
        realm = VBOX.LOCAL
        netbios name = ARTURO
        interfaces = lo eth1
        bind interfaces only = Yes
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

        allow dns updates = nonsecure
        dns forwarder = 192.168.0.1

        idmap config *:backend = tdb
        idmap config *:range = 2000-9999

        idmap config VBOX:backend = ad
        idmap config VBOX:schema_mode = rfc2307
        idmap config VBOX:range = 10000-99999

        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
[...]

# cat /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
[...]

# getent passwd
[...]
VBOX\administrator:*:0:100::/home/VBOX/administrator:/bin/false
VBOX\krbtgt:*:3000017:100::/home/VBOX/krbtgt:/bin/false
VBOX\simone:*:10000:100:Simone Rossetto:/home/VBOX/simone:/bin/false
VBOX\guest:*:3000011:100::/home/VBOX/guest:/bin/false
VBOX\dhcp:*:3000044:100::/home/VBOX/dhcp:/bin/false

# getent group
[...]
VBOX\domain admins:x:3000008:
VBOX\domain users:x:100:
VBOX\domain guests:x:3000012:
[...]
The user VBOX\dhcp has no unix attribute set but it is still listed with a uid-number outside the "valid" range:

# ldbsearch -H /var/lib/samba/private/sam.ldb cn=dhcp
dn: CN=dhcp,CN=Users,DC=vbox,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: dhcp
description: Unprivileged user for DNS updates via DHCP server
instanceType: 4
whenCreated: 20160322092859.0Z
uSNCreated: 3788
name: dhcp
objectGUID: f3db65e5-324e-4a7b-b2a7-0680cc15ea03
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-1467633039-1902955928-3249331824-1104
logonCount: 0
sAMAccountName: dhcp
sAMAccountType: 805306368
userPrincipalName: dhcp at vbox.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=vbox,DC=local
pwdLastSet: 131031125390000000
userAccountControl: 66048
accountExpires: 0
whenChanged: 20160322092935.0Z
uSNChanged: 3791
memberOf: CN=DnsAdmins,CN=Users,DC=vbox,DC=local
distinguishedName: CN=dhcp,CN=Users,DC=vbox,DC=local

While user VBOX\simone has both shell and homedir set, they are not retrieved:

# ldbsearch -H /var/lib/samba/private/sam.ldb cn=simone
dn: CN=simone,CN=Users,DC=vbox,DC=local
cn: simone
sn: Rossetto
givenName: Simone
[...]
uidNumber: 10000
gecos: Simone Rossetto,,,
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
[...]
msSFU30NisDomain: vbox
msSFU30Name: simone
unixUserPassword: ABCD!efgh12345$67890
uid: simone
lockoutTime: 0
loginShell: /bin/bash
gidNumber: 100
unixHomeDirectory: /home/simone

What have I misconfigured?

Thanks, bye
Simone

[1] https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
[2] https://wiki.samba.org/index.php/Idmap_config_ad
[3] https://lists.samba.org/archive/samba/2015-December/196378.html
Rowland penny
2016-Mar-24 10:26 UTC
[Samba] Winbind doesn't honor rfc2307 data set in AD (Samba 4.3.6 on Debian jessie)
On 24/03/16 09:37, Simone Rossetto wrote:
> Hi all, I've just installed Samba 4.3.6 on Debian jessie amd64 (as
> described in the wiki [1]) and everything seems to work properly
> except for rfc2307 data that winbind doesn't retrieve from AD backend,
> shell is always "/bin/false", homedir is always
> "/home/DOMAIN/username" and "getent passwd" also lists user without
> unix attributes.
> I have configured idmap_ad as described here [2] with rfc2307.
>
> Hereafter my configuration:
>
> # cat /etc/samba/smb.conf
> [global]
> log level = 5
> workgroup = VBOX
> realm = VBOX.LOCAL
> netbios name = ARTURO
> interfaces = lo eth1
> bind interfaces only = Yes
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> allow dns updates = nonsecure
> dns forwarder = 192.168.0.1
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> idmap config VBOX:backend = ad
> idmap config VBOX:schema_mode = rfc2307
> idmap config VBOX:range = 10000-99999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> [...]
>
> # cat /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
> [...]
>
> # getent passwd
> [...]
> VBOX\administrator:*:0:100::/home/VBOX/administrator:/bin/false
> VBOX\krbtgt:*:3000017:100::/home/VBOX/krbtgt:/bin/false
> VBOX\simone:*:10000:100:Simone Rossetto:/home/VBOX/simone:/bin/false
> VBOX\guest:*:3000011:100::/home/VBOX/guest:/bin/false
> VBOX\dhcp:*:3000044:100::/home/VBOX/dhcp:/bin/false
>
> # getent group
> [...]
> VBOX\domain admins:x:3000008:
> VBOX\domain users:x:100:
> VBOX\domain guests:x:3000012:
> [...]
>
>
> The user VBOX\dhcp has no unix attribute set but it is still listed
> with an uid-number outside "valid" range:
>
> # ldbsearch -H /var/lib/samba/private/sam.ldb cn=dhcp
> dn: CN=dhcp,CN=Users,DC=vbox,DC=local
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: dhcp
> description: Unprivileged user for DNS updates via DHCP server
> instanceType: 4
> whenCreated: 20160322092859.0Z
> uSNCreated: 3788
> name: dhcp
> objectGUID: f3db65e5-324e-4a7b-b2a7-0680cc15ea03
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-1467633039-1902955928-3249331824-1104
> logonCount: 0
> sAMAccountName: dhcp
> sAMAccountType: 805306368
> userPrincipalName: dhcp at vbox.local
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=vbox,DC=local
> pwdLastSet: 131031125390000000
> userAccountControl: 66048
> accountExpires: 0
> whenChanged: 20160322092935.0Z
> uSNChanged: 3791
> memberOf: CN=DnsAdmins,CN=Users,DC=vbox,DC=local
> distinguishedName: CN=dhcp,CN=Users,DC=vbox,DC=local
>
>
> While user VBOX\simone has both shell and homedir but they are not retrieved:
>
> # ldbsearch -H /var/lib/samba/private/sam.ldb cn=simone
> dn: CN=simone,CN=Users,DC=vbox,DC=local
> cn: simone
> sn: Rossetto
> givenName: Simone
> [...]
> uidNumber: 10000
> gecos: Simone Rossetto,,,
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> [...]
> msSFU30NisDomain: vbox
> msSFU30Name: simone
> unixUserPassword: ABCD!efgh12345$67890
> uid: simone
> lockoutTime: 0
> loginShell: /bin/bash
> gidNumber: 100
> unixHomeDirectory: /home/simone
>
>
> What have I misconfigured?
>
You are hitting one of the problems with using a DC as a fileserver: you only get the uidNumber & gidNumber attributes from AD. If these are found in AD, they are used; if they aren't, then idmap will create one using the '3000000' base.

You can set, per domain, home directories & login shell with 'template homedir' & 'template shell', i.e.

template homedir = /home/%U
template shell = /bin/bash

Rowland
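As an added check that is not part of the thread and not Samba's own code: a small script that parses the "getent passwd" output posted above and compares it against the idmap ranges from the posted smb.conf and the rfc2307 attributes visible in the posted ldbsearch output. The ranges, attribute values and passwd lines are all constructed from the thread; accounts whose ldbsearch output was not posted (administrator, krbtgt, guest) are only checked for uid 0 and for falling outside every configured range. Running something like this on a member server versus the DC is a quick way to see which ids come from AD and which winbind allocated itself.

```python
"""Compare winbind's passwd view with the configured idmap ranges and the
rfc2307 attributes stored in AD.  Sample data is copied from the thread
above (smb.conf, getent passwd, ldbsearch), not produced by running Samba."""

# Constructed from the posted smb.conf ("idmap config <domain>:range = low-high").
IDMAP_RANGES = {
    "*": (2000, 9999),       # default (tdb) backend
    "VBOX": (10000, 99999),  # idmap_ad backend for the domain
}

# Constructed from the posted ldbsearch output.  dhcp has no posixAccount
# attributes at all; accounts not listed here were not shown in the post.
AD_POSIX = {
    "simone": {
        "uidNumber": 10000,
        "gidNumber": 100,
        "loginShell": "/bin/bash",
        "unixHomeDirectory": "/home/simone",
    },
    "dhcp": {},
}

# Constructed from the posted "getent passwd" output.
GETENT_PASSWD = """\
VBOX\\administrator:*:0:100::/home/VBOX/administrator:/bin/false
VBOX\\krbtgt:*:3000017:100::/home/VBOX/krbtgt:/bin/false
VBOX\\simone:*:10000:100:Simone Rossetto:/home/VBOX/simone:/bin/false
VBOX\\guest:*:3000011:100::/home/VBOX/guest:/bin/false
VBOX\\dhcp:*:3000044:100::/home/VBOX/dhcp:/bin/false
"""


def parse_getent(text):
    """Parse passwd(5)-style lines; splits a DOMAIN\\user name into its parts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, gecos, home, shell = fields
        domain, sep, user = name.rpartition("\\")
        entries.append({
            "domain": domain if sep else "*",
            "user": user,
            "uid": int(uid),
            "gid": int(gid),
            "gecos": gecos,
            "home": home,
            "shell": shell,
        })
    return entries


def audit(entries, ranges, ad_posix):
    """Return (user, finding) pairs for id mappings worth a second look."""
    findings = []
    for e in entries:
        user, uid = e["user"], e["uid"]
        if uid == 0:
            # A domain account resolving to uid 0 is the local root user.
            findings.append((user, "uid 0: this domain account maps to local root"))
            continue
        posix = ad_posix.get(user)
        if posix is not None and "uidNumber" not in posix:
            # Nothing in AD, so winbind allocated the id itself; such ids are
            # not stable across hosts and do not come from the idmap_ad range.
            findings.append((user, "uid %d not from AD (no uidNumber); allocated by winbind" % uid))
        elif posix and posix["uidNumber"] != uid:
            findings.append((user, "uid %d differs from uidNumber %d in AD" % (uid, posix["uidNumber"])))
        low, high = ranges.get(e["domain"], ranges["*"])
        dlow, dhigh = ranges["*"]
        if not (low <= uid <= high or dlow <= uid <= dhigh):
            findings.append((user, "uid %d outside every configured idmap range" % uid))
        if posix:
            # Compare what AD holds with what winbind actually returned.
            for attr, key in (("loginShell", "shell"), ("unixHomeDirectory", "home")):
                if attr in posix and posix[attr] != e[key]:
                    findings.append((user, "%s is %s in AD but winbind returned %s"
                                     % (attr, posix[attr], e[key])))
    return findings


if __name__ == "__main__":
    for user, msg in audit(parse_getent(GETENT_PASSWD), IDMAP_RANGES, AD_POSIX):
        print("%-14s %s" % (user, msg))
```

On the posted data this reports administrator at uid 0, the three accounts with 3000xxx ids as outside both configured ranges (dhcp additionally as allocated rather than read from AD), and for simone the loginShell and unixHomeDirectory values that AD holds but winbind did not return, which is exactly the symptom the thread is about.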
Simone Rossetto
2016-Mar-24 11:24 UTC
[Samba] Winbind doesn't honor rfc2307 data set in AD (Samba 4.3.6 on Debian jessie)
Hi Rowland,
> You are hitting one of the problems with using a DC as a fileserver, you
> only get uidNumber & gidNumber attributes from AD.

You mean that there is no way to use loginshell and homedir from AD in the DC? While on other domain members it will work?

Thanks
Simone