Hi everyone.
I'm encountering problems with the management of the id of the users, in the DC and in the domain members (RFC2307).

I'm using Samba Version 4.2.10-Debian on Debian 8.5.

This is the DC configuration / result.

root@samba4:/var/lib/samba# cat /etc/samba/smb.conf |grep -v '#'
[global]
workgroup = MYNET
realm = ad.mynet.lan
netbios name = SAMBA4
server role = active directory domain controller
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb
server services = -s3fs -dns
dcerpc endpoint servers = +winreg +srvsvc
interfaces = 192.168.10.7
log file = /var/log/samba/mynet.log
syslog = 0
log level = 3 passdb:0 auth:0 winbind:0 vfs:0
vfs objects = full_audit

idmap_ldb:use rfc2307 = yes
winbind nss info = rfc2307

idmap config *:backend = tdb
idmap config *:range = 10000-49999

idmap config MYNET:backend = ad
idmap config MYNET:schema_mode = rfc2307
idmap config MYNET:range = 50000-99999

winbind enum users = Yes
winbind enum groups = Yes

winbind use default domain = Yes
winbind refresh tickets = Yes
winbind normalize names = Yes

dsdb:schema update allowed = true

tls enabled = yes
tls keyfile = /etc/samba/certs/samba4.server.mynet.lan.key
tls certfile = /etc/samba/certs/samba4.server.mynet.lan.crt

kerberos method = system keytab
client ldap sasl wrapping = sign
allow dns updates = nonsecure and secure
nsupdate command = /usr/bin/nsupdate -g

ldap server require strong auth = No

[netlogon]
path = /var/lib/samba/sysvol/ad.mynet.lan/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

This is the result of the provisioning operation.

root@samba4:~# /usr/bin/samba-tool domain provision --realm=ad.mynet.lan --domain=MYNET --adminpass='p4ssw0rd' --server-role=dc --dns-backend=BIND9_DLZ --function-level=2008_R2 --use-xattr=yes --host-ip=192.168.10.7 --use-rfc2307
...
Server Role:           active directory domain controller
Hostname:              samba4
NetBIOS Domain:        MYNET
DNS Domain:            ad.mynet.lan
DOMAIN SID:            S-1-5-21-1682454527-3772531157-3555914497

root@samba4:~# head /etc/nsswitch.conf |grep -v '#'
passwd: compat winbind
group: compat winbind

root@samba4:/var/lib/samba# getent passwd testuser
MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false

root@samba4:/var/lib/samba# id testuser
uid=10001(MYNET\testuser) gid=100(users) groups=100(users)

root@adclient:/etc/samba# wbinfo -i testuser
MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false

This is the domain member configuration / result.

root@adclient:/etc/samba# id testuser
uid=10005(testuser) gid=10000(domain users) groups=10000(domain users),10023(BUILTIN\users)

root@adclient:/etc/samba# getent passwd testuser
testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false

root@adclient:/etc/samba# wbinfo -i testuser
testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false

root@adclient:~# head /etc/nsswitch.conf |grep -v '#'
passwd: compat winbind
group: compat winbind

root@adclient:~# net ads info
LDAP server: 192.168.10.7
LDAP server name: samba4.ad.mynet.lan
Realm: AD.MYNET.LAN
Bind Path: dc=AD,dc=MYNET,dc=LAN
LDAP port: 389
Server time: Mon, 08 Aug 2016 16:22:35 CEST
KDC server: 192.168.10.7
Server time offset: 25

root@adclient:~# net ads testjoin
Join is OK

root@adclient:/etc/ldap# cat /etc/samba/smb.conf |grep -v '#'
[global]
netbios name = ADCLIENT
security = ads
workgroup = MYNET
realm = AD.MYNET.LAN
server string = Active Directory Domain Member (test)

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes

winbind enum users = yes
winbind enum groups = yes

log file = /var/log/samba/mynet.log
syslog = 0
log level = 3 passdb:0 auth:0 winbind:0 vfs:0

idmap config MYNET:backend = ad
idmap config MYNET:schema_mode = rfc2307
idmap config MYNET:range = 50000-99999
winbind nss info = rfc2307

idmap_ldb:use rfc2307 = yes

This is a ldapsearch result for 'testuser'.

root@samba4:/var/lib/samba# ldapsearch -x -h samba4.server.mynet.lan -b 'ou=Teachers,ou=Users,ou=MyNet,dc=ad,dc=mynet,dc=lan' -D 'administrator@ad.mynet.lan' -w 'p4ssw0rd' '(&(objectClass=person)(sAMAccountName=testuser))'
...
uidNumber: 10001
unixHomeDirectory: /home/testuser
gidNumber: 10000
msSFU30Name: testuser
unixUserPassword: ABCD!efgh12345$67890
uid: testuser
loginShell: /bin/bash
...

As you can see, the NIS attributes are correctly stored inside the LDAP tree. But the results are very different in each location.
In the DC: uidNumber and gidNumber are correctly extracted and viewed (but the loginShell and unixHomeDirectory are wrong).
In the domain member: everything is independent from the AD stored user. I've already deleted the winbind cache with the 'net cache flush' command, tried leaving and rejoining the domain, and removed the *tdb files. I've created 'testuser' with the ADUC utility running on Windows 7 (I've enabled the UNIX attributes section).

Thanks in advance for your help.
See inline comments

On Mon, 8 Aug 2016 17:33:59 +0200
Stefano Pardini <stefanopardini at gmail.com> wrote:

> Hi everyone.
> I'm encountering problems with the management of the id of the users,
> in the DC and in the domain members (RFC2307).
>
> I'm using Samba Version 4.2.10-Debian on Debian 8.5.
>
> This is the DC configuration / result.
>
> root@samba4:/var/lib/samba# cat /etc/samba/smb.conf |grep -v '#'
> [global]
> workgroup = MYNET
> realm = ad.mynet.lan
> netbios name = SAMBA4
> server role = active directory domain controller
> server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate, smb
> server services = -s3fs -dns

Why are you using the deprecated 'ntvfs' backend?

> dcerpc endpoint servers = +winreg +srvsvc
> interfaces = 192.168.10.7
> log file = /var/log/samba/mynet.log
> syslog = 0
> log level = 3 passdb:0 auth:0 winbind:0 vfs:0
> vfs objects = full_audit
>
> idmap_ldb:use rfc2307 = yes

The lines below do nothing on a DC:

> winbind nss info = rfc2307
>
> idmap config *:backend = tdb
> idmap config *:range = 10000-49999
>
> idmap config MYNET:backend = ad
> idmap config MYNET:schema_mode = rfc2307
> idmap config MYNET:range = 50000-99999

These will work:

>
> winbind enum users = Yes
> winbind enum groups = Yes
>
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind normalize names = Yes
>
> dsdb:schema update allowed = true
>
> tls enabled = yes
> tls keyfile = /etc/samba/certs/samba4.server.mynet.lan.key
> tls certfile = /etc/samba/certs/samba4.server.mynet.lan.crt
>
> kerberos method = system keytab
> client ldap sasl wrapping = sign
> allow dns updates = nonsecure and secure
> nsupdate command = /usr/bin/nsupdate -g
>
> ldap server require strong auth = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/ad.mynet.lan/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> This is the result of the provisioning operation.
>
> root@samba4:~# /usr/bin/samba-tool domain provision
> --realm=ad.mynet.lan --domain=MYNET --adminpass='p4ssw0rd'
> --server-role=dc --dns-backend=BIND9_DLZ --function-level=2008_R2
> --use-xattr=yes --host-ip=192.168.10.7 --use-rfc2307
> ...
> Server Role: active directory domain controller
> Hostname: samba4
> NetBIOS Domain: MYNET
> DNS Domain: ad.mynet.lan
> DOMAIN SID: S-1-5-21-1682454527-3772531157-3555914497
>
> root@samba4:~# head /etc/nsswitch.conf |grep -v '#'
> passwd: compat winbind
> group: compat winbind
>
> root@samba4:/var/lib/samba# getent passwd testuser
> MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false
>
> root@samba4:/var/lib/samba# id testuser
> uid=10001(MYNET\testuser) gid=100(users) groups=100(users)
>
> root@adclient:/etc/samba# wbinfo -i testuser
> MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false
>
> This is the domain member configuration / result.
>
> root@adclient:/etc/samba# id testuser
> uid=10005(testuser) gid=10000(domain users) groups=10000(domain
> users),10023(BUILTIN\users)
>
> root@adclient:/etc/samba# getent passwd testuser
> testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false
>
> root@adclient:/etc/samba# wbinfo -i testuser
> testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false
>
> root@adclient:~# head /etc/nsswitch.conf |grep -v '#'
> passwd: compat winbind
> group: compat winbind
>
> root@adclient:~# net ads info
> LDAP server: 192.168.10.7
> LDAP server name: samba4.ad.mynet.lan
> Realm: AD.MYNET.LAN
> Bind Path: dc=AD,dc=MYNET,dc=LAN
> LDAP port: 389
> Server time: Mon, 08 Aug 2016 16:22:35 CEST
> KDC server: 192.168.10.7
> Server time offset: 25
>
> root@adclient:~# net ads testjoin
> Join is OK
>
> root@adclient:/etc/ldap# cat /etc/samba/smb.conf |grep -v '#'
> [global]
> netbios name = ADCLIENT
> security = ads
> workgroup = MYNET
> realm = AD.MYNET.LAN
> server string = Active Directory Domain Member (test)
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> winbind trusted domains only = no
> winbind use default domain = yes
>
> winbind enum users = yes
> winbind enum groups = yes
>
> log file = /var/log/samba/mynet.log
> syslog = 0
> log level = 3 passdb:0 auth:0 winbind:0 vfs:0
>
> idmap config MYNET:backend = ad
> idmap config MYNET:schema_mode = rfc2307
> idmap config MYNET:range = 50000-99999
> winbind nss info = rfc2307
>

You do not seem to have the '*' domain set up, and the next line does not have any place on a domain member:

> idmap_ldb:use rfc2307 = yes
>
> This is a ldapsearch result for 'testuser'.
> root@samba4:/var/lib/samba# ldapsearch -x -h samba4.server.mynet.lan
> -b 'ou=Teachers,ou=Users,ou=MyNet,dc=ad,dc=mynet,dc=lan' -D
> 'administrator@ad.mynet.lan' -w 'p4ssw0rd'
> '(&(objectClass=person)(sAMAccountName=testuser))'
> ...
> uidNumber: 10001
> unixHomeDirectory: /home/testuser
> gidNumber: 10000
> msSFU30Name: testuser
> unixUserPassword: ABCD!efgh12345$67890
> uid: testuser
> loginShell: /bin/bash
> ...
>
> As you can see, the NIS attributes are correctly stored inside the
> LDAP tree. But the results are very different in each location.
> In the DC: uidNumber and gidNumber are correctly extracted and viewed
> (but the loginShell and unixHomeDirectory are wrong).
> In the domain member: everything is independent from the AD stored
> user. I've already deleted the winbind cache with the 'net cache flush'
> command, tried leaving and rejoining the domain, and removed the
> *tdb files. I've created 'testuser' with the ADUC utility running on
> Windows 7 (I've enabled the UNIX attributes section).

If you have RFC2307 attributes in AD, then you should get the same IDs on all Samba computers, DCs & domain members, i.e.

root@dc1:~# getent passwd rowland
SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

rowland@devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Can I suggest you have a look here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Rowland
On Mon, 8 Aug 2016 17:33:59 +0200
Stefano Pardini <stefanopardini at gmail.com> wrote:

> Hi everyone.
> I'm encountering problems with the management of the id of the users,
> in the DC and in the domain members (RFC2307).
>
> I'm using Samba Version 4.2.10-Debian on Debian 8.5.
>
> This is the DC configuration / result.
>
> root@samba4:/var/lib/samba# cat /etc/samba/smb.conf |grep -v '#'
> [global]
> workgroup = MYNET
> realm = ad.mynet.lan
> netbios name = SAMBA4
> server role = active directory domain controller
> server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate, smb
> server services = -s3fs -dns
> dcerpc endpoint servers = +winreg +srvsvc
> interfaces = 192.168.10.7
> log file = /var/log/samba/mynet.log
> syslog = 0
> log level = 3 passdb:0 auth:0 winbind:0 vfs:0
> vfs objects = full_audit
>
> idmap_ldb:use rfc2307 = yes
> winbind nss info = rfc2307
>
> idmap config *:backend = tdb
> idmap config *:range = 10000-49999
>
> idmap config MYNET:backend = ad
> idmap config MYNET:schema_mode = rfc2307
> idmap config MYNET:range = 50000-99999
>
> winbind enum users = Yes
> winbind enum groups = Yes
>
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind normalize names = Yes
>
> dsdb:schema update allowed = true
>
> tls enabled = yes
> tls keyfile = /etc/samba/certs/samba4.server.mynet.lan.key
> tls certfile = /etc/samba/certs/samba4.server.mynet.lan.crt
>
> kerberos method = system keytab
> client ldap sasl wrapping = sign
> allow dns updates = nonsecure and secure
> nsupdate command = /usr/bin/nsupdate -g
>
> ldap server require strong auth = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/ad.mynet.lan/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> This is the result of the provisioning operation.
>
> root@samba4:~# /usr/bin/samba-tool domain provision
> --realm=ad.mynet.lan --domain=MYNET --adminpass='p4ssw0rd'
> --server-role=dc --dns-backend=BIND9_DLZ --function-level=2008_R2
> --use-xattr=yes --host-ip=192.168.10.7 --use-rfc2307
> ...
> Server Role: active directory domain controller
> Hostname: samba4
> NetBIOS Domain: MYNET
> DNS Domain: ad.mynet.lan
> DOMAIN SID: S-1-5-21-1682454527-3772531157-3555914497
>
> root@samba4:~# head /etc/nsswitch.conf |grep -v '#'
> passwd: compat winbind
> group: compat winbind
>
> root@samba4:/var/lib/samba# getent passwd testuser
> MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false
>
> root@samba4:/var/lib/samba# id testuser
> uid=10001(MYNET\testuser) gid=100(users) groups=100(users)
>
> root@adclient:/etc/samba# wbinfo -i testuser
> MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false
>
> This is the domain member configuration / result.
>
> root@adclient:/etc/samba# id testuser
> uid=10005(testuser) gid=10000(domain users) groups=10000(domain
> users),10023(BUILTIN\users)
>
> root@adclient:/etc/samba# getent passwd testuser
> testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false
>
> root@adclient:/etc/samba# wbinfo -i testuser
> testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false
>
> root@adclient:~# head /etc/nsswitch.conf |grep -v '#'
> passwd: compat winbind
> group: compat winbind
>
> root@adclient:~# net ads info
> LDAP server: 192.168.10.7
> LDAP server name: samba4.ad.mynet.lan
> Realm: AD.MYNET.LAN
> Bind Path: dc=AD,dc=MYNET,dc=LAN
> LDAP port: 389
> Server time: Mon, 08 Aug 2016 16:22:35 CEST
> KDC server: 192.168.10.7
> Server time offset: 25
>
> root@adclient:~# net ads testjoin
> Join is OK
>
> root@adclient:/etc/ldap# cat /etc/samba/smb.conf |grep -v '#'
> [global]
> netbios name = ADCLIENT
> security = ads
> workgroup = MYNET
> realm = AD.MYNET.LAN
> server string = Active Directory Domain Member (test)
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> winbind trusted domains only = no
> winbind use default domain = yes
>
> winbind enum users = yes
> winbind enum groups = yes
>
> log file = /var/log/samba/mynet.log
> syslog = 0
> log level = 3 passdb:0 auth:0 winbind:0 vfs:0
>
> idmap config MYNET:backend = ad
> idmap config MYNET:schema_mode = rfc2307
> idmap config MYNET:range = 50000-99999
> winbind nss info = rfc2307
>
> idmap_ldb:use rfc2307 = yes
>
> This is a ldapsearch result for 'testuser'.
> root@samba4:/var/lib/samba# ldapsearch -x -h samba4.server.mynet.lan
> -b 'ou=Teachers,ou=Users,ou=MyNet,dc=ad,dc=mynet,dc=lan' -D
> 'administrator@ad.mynet.lan' -w 'p4ssw0rd'
> '(&(objectClass=person)(sAMAccountName=testuser))'
> ...
> uidNumber: 10001
> unixHomeDirectory: /home/testuser
> gidNumber: 10000
> msSFU30Name: testuser
> unixUserPassword: ABCD!efgh12345$67890
> uid: testuser
> loginShell: /bin/bash
> ...
>
> As you can see, the NIS attributes are correctly stored inside the
> LDAP tree. But the results are very different in each location.
> In the DC: uidNumber and gidNumber are correctly extracted and viewed
> (but the loginShell and unixHomeDirectory are wrong).
> In the domain member: everything is independent from the AD stored
> user. I've already deleted the winbind cache with the 'net cache flush'
> command, tried leaving and rejoining the domain, and removed the
> *tdb files. I've created 'testuser' with the ADUC utility running on
> Windows 7 (I've enabled the UNIX attributes section).
>
> Thanks in advance for your help.
>

I missed something: turn on 'winbindd' on the DC instead of the old, deprecated 'winbind'.

Rowland