Raphaël RIGNIER
2016-Jul-05 07:33 UTC
[Samba] winbind idmap_ad rfc2037 can't read UIdnumber
On 04/07/2016 at 20:09, Rowland penny wrote:
> On 04/07/16 18:35, Raphaël RIGNIER wrote:
>> Hi samba team !
>>
>> I have been trying for hours to resolve a problem I have with a Linux host (Samba 4.3.9, Ubuntu 16.04) as AD member. DCs are Windows 2008 R2, one is 2012 R2. Forest level is 2003 R2.
>>
>> my smb.conf :
>> [GLOBAL]
>> netbios name = CR-DEV-01
>> security = ADS
>> workgroup = ADDOMAIN
>> realm = ADDOMAIN.COM
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9998
>>
>> idmap config ADDOMAIN:backend = ad
>> idmap config ADDOMAIN:schema_mode = rfc2307
>> idmap config ADDOMAIN:range = 9999-999999
>>
>> winbind nss info = rfc2307
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>>
>> The range starts at 9999 because that is the "Domain's user" gidNumber, to have a default primary group.
>> Shared uids and gids start at 10000.
>>
>> The test for groups :
>> --------------
>> # net ads search '(SamAccountName=info2)' samaccountname gidnumber -P
>> Got 1 replies
>>
>> sAMAccountName: info2
>> gidNumber: 10002
>> ------------------
>> # getent group info2
>> info2:x:10002:
>> ------------------
>> All is OK
>>
>> For the user, it is not working as expected :
>> -------------
>> # net ads search '(SamAccountName=b.btstest)' samaccountName uinumber gidnumber gecos -P
>> Got 1 replies
>>
>> sAMAccountName: b.btstest
>> --------------------------------
>> No uidnumber, gidnumber, gecos ?
>>
>> Same search with admin account :
>> ------------------------
>> net ads search '(SamAccountName=b.btstest)' samaccountName uinumber gidnumber gecos -U administrator
>> Enter administrator's password:
>> Got 1 replies
>>
>> sAMAccountName: b.btstest
>> uidNumber: 13367
>> gidNumber: 10002
>> gecos: BTSTEST B
>> ---------------
>>
>> -----
>> #getent passwd b.btstest (no output)
>> ------
>> Winbind output
>> ------
>> getpwnam b.btstest
>> Could not convert sid S-1-5-21-4272071638-3509717963-3151537417-7471: NT_STATUS_NONE_MAPPED
>> ----------
>> This is the same for all mapped AD users (3042 users).
>>
>> Does winbind make its queries on the DCs with the machine account ?
>> Does that mean a bad AD schema ?
>>
>> Strange behavior.
>>
>> Thanks for help.
>>
>
> What 'libpam-*' packages do you have installed ?
>
> What have you got in /etc/nsswitch.conf
>
> Rowland
>

AFAIK, libpam is not used at this stage of the test. Only libnss_winbind should be used.
Here is the libpam list :

ii libpam-cap:amd64 1:2.24-12
ii libpam-ck-connector:amd64 0.4.6-5
ii libpam-gnome-keyring:amd64 3.18.3-0ubuntu2
ii libpam-krb5:amd64 4.7-2
ii libpam-modules:amd64 1.1.8-3.2ubuntu2
ii libpam-modules-bin 1.1.8-3.2ubuntu2
ii libpam-runtime 1.1.8-3.2ubuntu2
ii libpam-systemd:amd64 229-4ubuntu6
ii libpam-winbind:amd64 2:4.3.9+dfsg-0ubuntu0.16.04.2
ii libpam0g:amd64 1.1.8-3.2ubuntu2

pam_krb5 (my old auth method) is disabled via pam-update-auth

my /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
#passwd: compat ldap
#group: compat ldap
shadow: compat

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
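A small diagnostic for the situation in this message, added here and not part of the thread: it parses the idmap ranges out of an smb.conf like the one posted, checks that they do not overlap, and checks a `net ads search` result for the RFC2307 attributes the ad backend needs, flagging a missing attribute (what the machine-account search returned) or a value outside the domain's configured range. The config and search outputs are constructed from the values quoted above.

```python
"""Check idmap ranges and the RFC2307 attributes of a `net ads search` result."""
import re

# Constructed from the smb.conf posted in the thread (only the idmap lines matter here).
SMB_CONF = """\
[GLOBAL]
idmap config *:backend = tdb
idmap config *:range = 2000-9998
idmap config ADDOMAIN:backend = ad
idmap config ADDOMAIN:schema_mode = rfc2307
idmap config ADDOMAIN:range = 9999-999999
"""
# What the machine account (-P) and the admin account (-U) returned, per the thread.
SEARCH_MACHINE = "Got 1 replies\n\nsAMAccountName: b.btstest\n"
SEARCH_ADMIN = ("Got 1 replies\n\nsAMAccountName: b.btstest\nuidNumber: 13367\n"
                "gidNumber: 10002\ngecos: BTSTEST B\n")

# The ad backend with rfc2307 needs both of these to build a passwd entry for a user.
REQUIRED = ("uidNumber", "gidNumber")

RANGE_RE = re.compile(r"idmap config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)")

def idmap_ranges(conf):
    """Map each idmap domain ('*' is the default backend) to its (low, high) range."""
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in RANGE_RE.finditer(conf)}

def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges overlap; Samba requires them to be disjoint."""
    names = sorted(ranges, key=lambda n: ranges[n][0])
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[b][0] <= ranges[a][1]]

def parse_search(output):
    """Turn `net ads search` output lines such as 'uidNumber: 13367' into a dict."""
    attrs = {}
    for line in output.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z0-9]*): (.*)$", line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def check_user(attrs, domain_range):
    """Problems that stop winbind mapping this user: a missing RFC2307 attribute,
    or a value outside the domain's idmap range."""
    lo, hi = domain_range
    problems = [f"missing {a}" for a in REQUIRED if a not in attrs]
    for a in REQUIRED:
        if a in attrs and not lo <= int(attrs[a]) <= hi:
            problems.append(f"{a}={attrs[a]} outside idmap range {lo}-{hi}")
    return problems

if __name__ == "__main__":
    ranges = idmap_ranges(SMB_CONF)
    print("overlapping idmap ranges:", overlapping_ranges(ranges))
    for label, out in (("machine account (-P)", SEARCH_MACHINE), ("admin (-U)", SEARCH_ADMIN)):
        print(label, "->", check_user(parse_search(out), ranges["ADDOMAIN"]) or "OK")
```

To run it against a live host, feed it the real smb.conf and the output of the two `net ads search` commands instead of the constructed strings.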
Raphaël RIGNIER
2016-Jul-05 14:11 UTC
[Samba] winbind idmap_ad rfc2037 can't read UIdnumber
On 05/07/2016 at 09:33, Raphaël RIGNIER wrote:
> [...]
> AFAIK, libpam is not used at this stage of the test. Only libnss_winbind should be used.
> [...]

I have checked the PosixGroup and PosixAccount schema rights on the DC and those are the same.

Rejoining the Linux host did nothing. Still investigating.
mathias dufresne
2016-Jul-05 14:26 UTC
[Samba] winbind idmap_ad rfc2037 can't read UIdnumber
A dumb question: can you perform an ldapsearch on the same object(s) with the same account (the one that does not work when used with the net command)?

2016-07-05 16:11 GMT+02:00 Raphaël RIGNIER <r.rignier at leschartreux.net>:
> [...]
> I have checked the PosixGroup and PosixAccount schema rights on the DC and those are the same.
>
> Rejoining the Linux host did nothing. Still investigating.
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On 05/07/16 08:33, Raphaël RIGNIER wrote:
> [...]
> my /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
> [...]

OK, everything looks correct there, but I have had a second thought. You posted:

net ads search '(SamAccountName=b.btstest)' samaccountName uinumber gidnumber gecos -U administrator
Enter administrator's password:
Got 1 replies

sAMAccountName: b.btstest
uidNumber: 13367
gidNumber: 10002
gecos: BTSTEST B
---------------

-----
#getent passwd b.btstest (no output)
------

You also posted:

# net ads search '(SamAccountName=info2)' samaccountname gidnumber -P
Got 1 replies

sAMAccountName: info2
gidNumber: 10002
------------------
# getent group info2
info2:x:10002:

Now if I do something similar:

net ads search '(SamAccountName=rowland)' samaccountName uidnumber gidnumber gecos -U administrator
Enter administrator's password:
Got 1 replies

sAMAccountName: rowland
uidNumber: 10000
gidNumber: 10000
gecos: Rowland Penny

rowland at devstation:~/programming/git/samba-master$ getent group 10000
domain_users:x:10000

Have you changed the 'primaryGroupID' attribute for the users ?

Rowland
Raphaël RIGNIER
2016-Jul-05 16:56 UTC
[Samba] winbind idmap_ad rfc2037 can't read UIdnumber
On 05/07/2016 at 17:07, Rowland penny wrote:
> [...]
> Now if I do something similar:
>
> net ads search '(SamAccountName=rowland)' samaccountName uidnumber gidnumber gecos -U administrator
> Enter administrator's password:
> Got 1 replies
>
> sAMAccountName: rowland
> uidNumber: 10000
> gidNumber: 10000
> gecos: Rowland Penny
>
> rowland at devstation:~/programming/git/samba-master$ getent group 10000
> domain_users:x:10000
>
> Have you changed the 'primaryGroupID' attribute for the users ?
>
> Rowland

The strange behavior is the different output between the group object and the user object, and between "net ads search -U administrator" and "net ads search -P".

In the Samba wiki, primarygroupid refers to the one in the user's "Unix Attributes" tab, which is in fact gidNumber (I have made tests to check this). The primaryGroupID attribute refers to the POSIX primary group in the user's "Member Of" tab, which is a conversion from the SID. Both are different numbers but point to the same group. I find this quite confusing.
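The two numbers discussed in Rowland's question and in this reply, worked through as an added example that is not part of the thread: primaryGroupID holds only the RID of the user's primary group; joined to the domain part of the user's SID it names the group object, and that group's own gidNumber is the POSIX gid. The user SID, the gidNumber 10002 and the Domain Users gidNumber 9999 are taken from the thread; the group table and the RID 7512 are constructed stand-ins for what a lookup against the DC would return.

```python
"""primaryGroupID (a RID) versus gidNumber (a POSIX gid) for the same group."""
import re

USER_SID = "S-1-5-21-4272071638-3509717963-3151537417-7471"  # from the winbind log in the thread
DOMAIN_USERS_RID = 513                                        # well-known RID of Domain Users

# Constructed stand-in for the group objects winbind reads from AD: group SID -> (name, gidNumber).
GROUPS = {
    "S-1-5-21-4272071638-3509717963-3151537417-513": ("Domain Users", 9999),  # 9999 per the thread
    "S-1-5-21-4272071638-3509717963-3151537417-7512": ("info2", 10002),      # RID 7512 is made up
}

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Split a domain account SID into (domain SID, RID); the RID is the last component."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: " + sid)
    return m.group(1), int(m.group(2))

def primary_group_sid(user_sid, primary_group_id):
    """AD stores only the RID in primaryGroupID; the group's SID is the domain SID plus that RID."""
    domain, _rid = split_sid(user_sid)
    return f"{domain}-{primary_group_id}"

def primary_group_gid(user_sid, primary_group_id, groups=GROUPS):
    """gidNumber of the group named by primaryGroupID, or None when that group is unknown
    or has no gidNumber, i.e. there is nothing to map the group SID to."""
    entry = groups.get(primary_group_sid(user_sid, primary_group_id))
    return entry[1] if entry else None

def compare(user_sid, primary_group_id, user_gid_number, groups=GROUPS):
    """Put the user's own gidNumber beside the gid of its primaryGroupID group, so a
    mismatch (10002 on the user versus 9999 on Domain Users in the thread) is visible."""
    gid = primary_group_gid(user_sid, primary_group_id, groups)
    return {"primary_group_sid": primary_group_sid(user_sid, primary_group_id),
            "primary_group_gid": gid, "user_gidNumber": user_gid_number,
            "consistent": gid == user_gid_number}

if __name__ == "__main__":
    print(compare(USER_SID, DOMAIN_USERS_RID, 10002))
```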