Data Control Systems - Mike Elkevizth
2016-May-27 16:44 UTC
[Samba] Winbind on AD DC not honoring rfc2307 gid entries
Hi,

I have a somewhat complicated Samba AD DC setup with four remote site AD DCs (connected via VPN). These DCs also act as file servers (yes, I read the warning in the documentation, but we don't have the resources to add separate file servers at each site and we would like each server to be a DC because of the sometimes flaky VPN connections). We have some notebook "workstations" that travel between sites and have to be able to access the files on the file server (which is the DC) and occasionally log in to the DC directly.

The main issue that I'm having (there are plenty of little naggers too) is that the winbind nss on the DCs won't honor the rfc2307 entries consistently. One of the DCs (the newest one) is honoring the rfc2307 gid map entries, but the other ones are not. None of them seem to honor the rfc2307 login shell entries, but I've found adding the "template shell =" configuration option does allow the login shell to be set (although for all users as opposed to the per-user rfc2307 entries). The smb.conf configurations are identical except for the netbios names, interfaces, and tls key filenames. It seems like there is something hardcoded into the DCs that wants to make the Domain Users group map to the standard unix "users:x:100:" group and it also wants to map the administrator user account to "root:x:0:..." Any ideas about what can be done to get this to work?

# getent group (on DC3)
...
DCS\domain admins:x:2000:          <---- Correct (rfc2307 entry mapped)
DCS\domain users:x:2001:           <---- Correct (rfc2307 entry mapped)
DCS\domain guests:x:2002:          <---- Correct (rfc2307 entry mapped)
DCS\domain computers:x:3000038:
DCS\domain controllers:x:3000039:
...

# getent group (on DC1)
...
DCS\domain admins:x:3000008:       <---- Incorrect (rfc2307 entry not mapped)
DCS\domain users:x:100:            <---- Incorrect (rfc2307 entry not mapped)
DCS\domain guests:x:2002:          <---- Correct (rfc2307 entry mapped)
DCS\domain computers:x:3000038:
DCS\domain controllers:x:3000039:
...

# getent group (on DC2)
...
DCS\domain admins:x:2000:          <---- Correct (rfc2307 entry mapped)
DCS\domain users:x:100:            <---- Incorrect (rfc2307 entry not mapped)
DCS\domain guests:x:2002:          <---- Correct (rfc2307 entry mapped)
DCS\domain computers:x:3000034:
DCS\domain controllers:x:3000035:
...

# getent group 2001 (on DC3)
DCS\domain users:x:2001:

# getent group 2001 (on DC1 and DC2)   <---- So somehow, winbind knows the 2001 rfc2307 entry, but maps it incorrectly
DCS\domain users:x:100:

# testparm
[global]
        workgroup = DCS
        realm = DCS.DATACONTROLSYSTEMS.COM
        interfaces = 192.168.8.5 127.0.0.1
        bind interfaces only = Yes
        server role = active directory domain controller
        passdb backend = samba_dsdb
        printcap name = /dev/null
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        tls keyfile = /var/lib/samba/private/tls/dcss501_key.pem
        tls certfile = /var/lib/samba/private/tls/dcss501_cert.pem
        tls cafile
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        printing = bsd
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr

[shares]...

Thanks for the help.

Mike E.
Rowland penny
2016-May-27 17:10 UTC
[Samba] Winbind on AD DC not honoring rfc2307 gid entries
On 27/05/16 17:44, Data Control Systems - Mike Elkevizth wrote:
> Hi,
>
> I have a somewhat complicated Samba AD DC setup with four remote site AD
> DCs (connected via VPN). [...] Any ideas about what can be done to get this to
> work?
>
> [...]
>
> Thanks for the help.
>
> Mike E.

This comes up from time to time. Firstly, on a DC you only get 'uidNumber' & 'gidNumber' attributes from winbindd; all other rfc2307 attributes are ignored. This is one of the reasons why the use of a DC as a fileserver is discouraged.

One other difference is that a DC uses 'idmap.ldb' to store the 'xidNumber' attributes that are used if no 'uidNumber' & 'gidNumber' attributes are found. There is however a 'gotcha' here: if a group (or user) is given an 'xidNumber' before it is given a 'gidNumber', the 'xidNumber' will take precedence. There is also yet another 'gotcha' with 'idmap.ldb': you are not bound to get the same 'xidNumber' on different DCs for the same group; 'idmap.ldb' is not replicated between DCs.

Try running 'net cache flush' on each DC; this should clear out the winbindd cache and then winbindd will obtain the 'uidNumber' & 'gidNumber' attributes from AD. If this fails, then open 'idmap.ldb' in ldbedit, search for group SIDs and delete them, then run 'net cache flush' again.

I would not advise changing the 'Administrator' to 'root' mapping; the DC sort of depends on it.

Rowland
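As an added check, not part of the thread and not code from the Samba project: a small POSIX sh script that compares `getent group` output from a DC against the gidNumber values you expect from AD, so a DC that has drifted back to idmap.ldb xids (as DC1 and DC2 did above) can be spotted before users notice. The expected-gid table, the two `getent` samples and the 3000000+ cutoff used to recognise idmap.ldb-allocated ids are all assumptions constructed from the figures posted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check `getent group` output on a DC
# against the gidNumber values you expect from the rfc2307 attributes in AD.
# It flags groups that came back with an idmap.ldb-allocated xid (the 3000000+
# numbers seen in the thread; that cutoff is an assumption taken from the
# posted output) or with some other id (e.g. the local 'users:x:100:' entry).
#
# Both inputs are constructed here so the script runs offline; on a real DC you
# would feed it `getent group` and a table built from your own gidNumber values.

# Expected rfc2307 mappings, one "group:gidNumber" per line (constructed).
EXPECTED='domain admins:2000
domain users:2001
domain guests:2002'

# Constructed `getent group` output modelled on DC1 and DC3 from the thread.
GETENT_DC1='DCS\domain admins:x:3000008:
DCS\domain users:x:100:
DCS\domain guests:x:2002:
DCS\domain computers:x:3000038:'

GETENT_DC3='DCS\domain admins:x:2000:
DCS\domain users:x:2001:
DCS\domain guests:x:2002:
DCS\domain computers:x:3000038:'

# check_idmap "<getent group output>" "<expected table>"
# Prints one line per group whose gid does not match; returns 0 if all match.
check_idmap() {
    getent_out=$1
    expected=$2
    rc=0
    while IFS=: read -r group want; do
        [ -n "$group" ] || continue
        # Look the group up by name, ignoring any "DOMAIN\" prefix, and
        # pull out the gid field (field 3 of name:x:gid:members).
        have=$(printf '%s\n' "$getent_out" | awk -F: -v g="$group" '
            { n = $1; i = index(n, "\\"); if (i) n = substr(n, i + 1)
              if (n == g) { print $3; exit } }')
        if [ -z "$have" ]; then
            reason="missing from getent output"
        elif [ "$have" -eq "$want" ]; then
            continue
        elif [ "$have" -ge 3000000 ]; then
            reason="looks like an idmap.ldb xidNumber, not the AD gidNumber"
        else
            reason="mapped to an unrelated id (local /etc/group entry?)"
        fi
        printf '%s: have %s, want %s (%s)\n' "$group" "$have" "$want" "$reason"
        rc=1
    done <<EOF
$expected
EOF
    return $rc
}

# Run the check over both samples; a DC that fails is a candidate for
# 'net cache flush' (and, if that does not help, an idmap.ldb cleanup).
for dc in DC1 DC3; do
    if [ "$dc" = DC1 ]; then sample=$GETENT_DC1; else sample=$GETENT_DC3; fi
    if check_idmap "$sample" "$EXPECTED"; then
        echo "$dc: all rfc2307 gidNumbers honoured"
    else
        echo "$dc: rfc2307 gidNumbers not honoured (see above)"
    fi
done
```

On a live DC, replace the constructed samples with `getent group` output and a table generated from your own uidNumber/gidNumber attributes; a non-zero exit from check_idmap is a cheap signal to run from cron or a monitoring agent, and it tells you which DC needs attention rather than flushing every cache blindly.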
Data Control Systems - Mike Elkevizth
2016-May-27 20:42 UTC
[Samba] Winbind on AD DC not honoring rfc2307 gid entries
Hi Rowland,

Thanks for the great description of what's going on. Running 'net cache flush' on each DC did the trick.

I'm a little nervous about this happening again, because all was working fine for a while. I'm thinking about creating a cron job to run 'net cache flush' on each DC at regular intervals. Would there be any problem with this approach?

Also, your description of how winbind is working was excellent. Any chance it can be added to the Samba wiki page? It's much more insightful than the "Additionally using distinct file servers avoids the idiosyncrasies in the winbindd configuration on the Active Directory Domain Controller." which is currently there.

Thanks again for the help,

Mike E.

On Fri, May 27, 2016 at 1:10 PM, Rowland penny <rpenny at samba.org> wrote:
> On 27/05/16 17:44, Data Control Systems - Mike Elkevizth wrote:
>> [...]
>
> This comes up from time to time, firstly on a DC you only get 'uidNumber'
> & 'gidNumber' attributes from winbindd, all other rfc2307 attributes are
> ignored [...]
>
> Try running 'net cache flush' on each DC, this should clear out the
> winbindd cache [...]
>
> Rowland