Raphaël RIGNIER
2016-Jul-04 17:35 UTC
[Samba] winbind idmap_ad rfc2037 can't read UIdnumber
Hi samba team!

I have been trying for hours to resolve a problem I have with a Linux host (Samba 4.3.9, Ubuntu 16.04) as an AD member. The DCs are Windows 2008 R2, one is 2012 R2. Forest level is 2003 R2.

my smb.conf:

[GLOBAL]
netbios name = CR-DEV-01
security = ADS
workgroup = ADDOMAIN
realm = ADDOMAIN.COM

idmap config *:backend = tdb
idmap config *:range = 2000-9998

idmap config ADDOMAIN:backend = ad
idmap config ADDOMAIN:schema_mode = rfc2307
idmap config ADDOMAIN:range = 9999-999999

winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

The 9999 start of the range is the "Domain Users" gidNumber, to have a default primary group.
Shared uids and gids start at 10000.

The test for groups:
--------------
# net ads search '(SamAccountName=info2)' samaccountname gidnumber -P
Got 1 replies

sAMAccountName: info2
gidNumber: 10002
------------------
# getent group info2
info2:x:10002:
------------------
All is OK

For the user, it is not working as expected:
-------------
# net ads search '(SamAccountName=b.btstest)' samaccountName uidnumber gidnumber gecos -P
Got 1 replies

sAMAccountName: b.btstest
--------------------------------
No uidNumber, gidNumber, gecos?

Same search with the admin account:
------------------------
net ads search '(SamAccountName=b.btstest)' samaccountName uidnumber gidnumber gecos -U administrator
Enter administrator's password:
Got 1 replies

sAMAccountName: b.btstest
uidNumber: 13367
gidNumber: 10002
gecos: BTSTEST B
---------------

-----
# getent passwd b.btstest (no output)
------
Winbind output
------
getpwnam b.btstest
Could not convert sid S-1-5-21-4272071638-3509717963-3151537417-7471: NT_STATUS_NONE_MAPPED
----------
This is the same for all mapped AD users (3042 users).

Does winbind make queries on the DCs with the machine account?
Does that mean a bad AD schema?

Strange behavior.

Thanks for help.
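The difference in the two searches above (the machine account with -P sees only sAMAccountName, the administrator sees uidNumber, gidNumber and gecos) is the check a practitioner would want to automate, because winbind's idmap_ad backend binds to the DC with the machine account, so any RFC2307 attribute the machine account cannot read is invisible to winbind no matter what an administrator sees. The script below is an added example and is not part of the thread or of Samba; the function names (attr_names, hidden_from_machine, check_rfc2307_visibility) are my own, and the two replies are constructed from the output quoted in the post. In real use you would capture the live output of the two net ads search commands instead, as the comment shows.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba). Compare which
# attributes a machine-account search (net ads search ... -P) returns
# against the same search made with user credentials (-U).
#
# The two replies below are constructed from the output quoted in the post.
# In real use, capture them from the live commands instead, e.g.:
#   MACHINE_REPLY=$(net ads search '(sAMAccountName=b.btstest)' sAMAccountName uidNumber gidNumber gecos -P)
#   ADMIN_REPLY=$(net ads search '(sAMAccountName=b.btstest)' sAMAccountName uidNumber gidNumber gecos -U administrator)

MACHINE_REPLY='Got 1 replies

sAMAccountName: b.btstest'

ADMIN_REPLY='Got 1 replies

sAMAccountName: b.btstest
uidNumber: 13367
gidNumber: 10002
gecos: BTSTEST B'

# attr_names: read one reply on stdin and print its attribute names,
# lower-cased and sorted, one per line. The "Got N replies" header and
# blank lines do not match the "name: value" pattern and are skipped.
attr_names() {
    grep -E '^[A-Za-z][A-Za-z0-9-]*: ' | cut -d: -f1 | tr '[:upper:]' '[:lower:]' | sort -u
}

# hidden_from_machine MACHINE_REPLY ADMIN_REPLY
# Prints, space-separated on one line, the attributes present in the admin
# reply but absent from the machine-account reply (empty when none hidden).
hidden_from_machine() {
    machine_attrs=$(printf '%s\n' "$1" | attr_names)
    printf '%s\n' "$2" | attr_names | while IFS= read -r name; do
        printf '%s\n' "$machine_attrs" | grep -Fxq "$name" || printf '%s\n' "$name"
    done | paste -sd' ' -
}

# check_rfc2307_visibility MACHINE_REPLY ADMIN_REPLY
# Returns 0 when the machine account sees every attribute the admin search
# returned, 1 otherwise, with a one-line diagnosis on stdout.
check_rfc2307_visibility() {
    hidden=$(hidden_from_machine "$1" "$2")
    if [ -z "$hidden" ]; then
        echo "OK: machine account can read every attribute the admin search returned"
        return 0
    fi
    echo "PROBLEM: machine account cannot read: $hidden"
    echo "winbind (idmap_ad) queries AD as the machine account, so it cannot map this user"
    return 1
}

# Run the check on the constructed replies; the exit status mirrors the verdict.
check_rfc2307_visibility "$MACHINE_REPLY" "$ADMIN_REPLY" || echo "check exited with status $?"
```

The check only establishes that the machine account is not being returned the attribute; it does not say why, so the next step is to inspect the permissions on those attributes in AD for the computer object rather than to change smb.conf.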
On 04/07/16 18:35, Raphaël RIGNIER wrote:
> Hi samba team!
>
> I have been trying for hours to resolve a problem I have with a Linux host (Samba 4.3.9, Ubuntu 16.04) as an AD member. The DCs are Windows 2008 R2, one is 2012 R2. Forest level is 2003 R2.
>
> my smb.conf:
> [GLOBAL]
> netbios name = CR-DEV-01
> security = ADS
> workgroup = ADDOMAIN
> realm = ADDOMAIN.COM
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9998
>
> idmap config ADDOMAIN:backend = ad
> idmap config ADDOMAIN:schema_mode = rfc2307
> idmap config ADDOMAIN:range = 9999-999999
>
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
>
> The 9999 start of the range is the "Domain Users" gidNumber, to have a default primary group.
> Shared uids and gids start at 10000.
>
> The test for groups:
> --------------
> # net ads search '(SamAccountName=info2)' samaccountname gidnumber -P
> Got 1 replies
>
> sAMAccountName: info2
> gidNumber: 10002
> ------------------
> # getent group info2
> info2:x:10002:
> ------------------
> All is OK
>
> For the user, it is not working as expected:
> -------------
> # net ads search '(SamAccountName=b.btstest)' samaccountName uidnumber gidnumber gecos -P
> Got 1 replies
>
> sAMAccountName: b.btstest
> --------------------------------
> No uidNumber, gidNumber, gecos?
>
> Same search with the admin account:
> ------------------------
> net ads search '(SamAccountName=b.btstest)' samaccountName uidnumber gidnumber gecos -U administrator
> Enter administrator's password:
> Got 1 replies
>
> sAMAccountName: b.btstest
> uidNumber: 13367
> gidNumber: 10002
> gecos: BTSTEST B
> ---------------
>
> -----
> # getent passwd b.btstest (no output)
> ------
> Winbind output
> ------
> getpwnam b.btstest
> Could not convert sid S-1-5-21-4272071638-3509717963-3151537417-7471: NT_STATUS_NONE_MAPPED
> ----------
> This is the same for all mapped AD users (3042 users).
>
> Does winbind make queries on the DCs with the machine account?
> Does that mean a bad AD schema?
>
> Strange behavior.
>
> Thanks for help.

What 'libpam-*' packages do you have installed?

What have you got in /etc/nsswitch.conf

Rowland
Raphaël RIGNIER
2016-Jul-05 07:33 UTC
[Samba] winbind idmap_ad rfc2037 can't read UIdnumber
On 04/07/2016 at 20:09, Rowland penny wrote:
> On 04/07/16 18:35, Raphaël RIGNIER wrote:
>> Hi samba team!
>>
>> I have been trying for hours to resolve a problem I have with a Linux host (Samba 4.3.9, Ubuntu 16.04) as an AD member. The DCs are Windows 2008 R2, one is 2012 R2. Forest level is 2003 R2.
>>
>> my smb.conf:
>> [GLOBAL]
>> netbios name = CR-DEV-01
>> security = ADS
>> workgroup = ADDOMAIN
>> realm = ADDOMAIN.COM
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9998
>>
>> idmap config ADDOMAIN:backend = ad
>> idmap config ADDOMAIN:schema_mode = rfc2307
>> idmap config ADDOMAIN:range = 9999-999999
>>
>> winbind nss info = rfc2307
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>>
>> The 9999 start of the range is the "Domain Users" gidNumber, to have a default primary group.
>> Shared uids and gids start at 10000.
>>
>> The test for groups:
>> --------------
>> # net ads search '(SamAccountName=info2)' samaccountname gidnumber -P
>> Got 1 replies
>>
>> sAMAccountName: info2
>> gidNumber: 10002
>> ------------------
>> # getent group info2
>> info2:x:10002:
>> ------------------
>> All is OK
>>
>> For the user, it is not working as expected:
>> -------------
>> # net ads search '(SamAccountName=b.btstest)' samaccountName uidnumber gidnumber gecos -P
>> Got 1 replies
>>
>> sAMAccountName: b.btstest
>> --------------------------------
>> No uidNumber, gidNumber, gecos?
>>
>> Same search with the admin account:
>> ------------------------
>> net ads search '(SamAccountName=b.btstest)' samaccountName uidnumber gidnumber gecos -U administrator
>> Enter administrator's password:
>> Got 1 replies
>>
>> sAMAccountName: b.btstest
>> uidNumber: 13367
>> gidNumber: 10002
>> gecos: BTSTEST B
>> ---------------
>>
>> -----
>> # getent passwd b.btstest (no output)
>> ------
>> Winbind output
>> ------
>> getpwnam b.btstest
>> Could not convert sid S-1-5-21-4272071638-3509717963-3151537417-7471: NT_STATUS_NONE_MAPPED
>> ----------
>> This is the same for all mapped AD users (3042 users).
>>
>> Does winbind make queries on the DCs with the machine account?
>> Does that mean a bad AD schema?
>>
>> Strange behavior.
>>
>> Thanks for help.
>>
>
> What 'libpam-*' packages do you have installed?
>
> What have you got in /etc/nsswitch.conf
>
> Rowland
>

AFAIK, libpam is not used at this stage of the test. Only libnss_winbind should be used.

Here is the libpam list:

ii libpam-cap:amd64 1:2.24-12
ii libpam-ck-connector:amd64 0.4.6-5
ii libpam-gnome-keyring:amd64 3.18.3-0ubuntu2
ii libpam-krb5:amd64 4.7-2
ii libpam-modules:amd64 1.1.8-3.2ubuntu2
ii libpam-modules-bin 1.1.8-3.2ubuntu2
ii libpam-runtime 1.1.8-3.2ubuntu2
ii libpam-systemd:amd64 229-4ubuntu6
ii libpam-winbind:amd64 2:4.3.9+dfsg-0ubuntu0.16.04.2
ii libpam0g:amd64 1.1.8-3.2ubuntu2

pam_krb5 (my old auth method) is disabled via pam-auth-update

my /etc/nsswitch.conf:

passwd: compat winbind
group: compat winbind
#passwd: compat ldap
#group: compat ldap
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis