Hi @ALL

Trying to migrate to Samba AD after 12 lucky years with a samba NT-domain + server profiles and homes in a small research institute.

I decided to provision a new domain and create the users and groups using samba-tool with most of its parameters. I decided against classicupgrade, because I didn't get all posix attributes automatically set and I cannot do LDAP kung-fu.

The intention is to administer most of it with samba-tool and Co, not Windows RSAT. In the NT domain I have set, till now, all rights through the Unix rights, UID and GID.

Even if I'm willing to recreate users and groups according to the old UID and GID (not that many), I am _desperately_ needing to transfer the data with its original ownership.

I've set up an "_ONLY_ DOMAIN CONTROLLER" and a first "DOMAIN MEMBER" as file server.

Mostly all is good: ntp, dns, kinit are working, the member server could join the dc, authentication works.

WHAT I DO NOT GET CORRECTLY are the UID and GID of users and groups on the domain member (PARTIALLY DEPENDING on whether I have the lines with "idmap config *:..." or not ??? - see below)

And yes, I read in the last _weeks_ most of the docs and Q&A I could find. I've said I'm desperate...

Please see the configs and the tests. May the force be with you :)
Many thanks in advance!

Environment: Ubuntu Server 16.04.1 + Samba 4.3.9
### DOMAIN CONTROLLER
root@hg-dc1:/etc/samba# cat smb.conf
# Global parameters
[global]
workgroup = HUMGEN
realm = HUMGEN.0ZONE
netbios name = HG-DC1
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc
idmap_ldb:use rfc2307 = yes
dns-nameservers 127.0.0.1
tls enabled = yes
tls keyfile = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile =
# [netlogon] is on the member server and defined in the user's object
# I let sysvol here, as I don't understand its role
[sysvol]
path = /var/lib/samba/sysvol
read only = No
### DOMAIN MEMBER
root@hg004:/etc/samba# cat smb.conf
netbios name = HG004
server string = Fileserver HG004 - Samba 4.3.9-Ubuntu
security = ADS
workgroup = HUMGEN
realm = HUMGEN.0ZONE
server role = member server
server services = -dnsupdate -dns
interfaces = bond0, lo
bind interfaces only = yes
domain master = no
local master = no
preferred master = no
domain logons = no
encrypt passwords = yes
log file = /var/log/samba/%m.log
log level = passdb:5 auth:10 winbind:10
syslog only = no
# syslog 0=LOG_ERR, 1=LOG_WARNING, 2=LOG_NOTICE, 3=LOG_INFO
syslog = 0
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-4000
# idmap config for domain HUMGEN
idmap config HUMGEN:backend = ad
idmap config HUMGEN:schema_mode = rfc2307
idmap config HUMGEN:range = 5000-30000
idmap config HUMGEN:default = yes
# Use settings from AD for login shell and home directory
winbind use default domain = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
# no logon with cached credentials
winbind offline logon = no
winbind refresh tickets = yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
wins server = hg-dc1.humgen.0zone
socket options = TCP_NODELAY IPTOS_LOWDELAY
# no templates. They are coming from LDAP in Active Directory
template homedir
template shell
# They are also coming from LDAP in Active Directory
logon script
logon path
logon drive
logon home
# case sensitive: auto=NO for Windows and maybe YES for CIFS
case sensitive = no
preserve case = Yes
short preserve case = Yes
# don't show the shares
browseable = no
map to guest = never
# default. Speeds transfers up. There are also others oplocks params
oplocks = yes
veto oplock files = /*.mdb/*.MDB/*.mde/*.MDE/*.mdw/*.MDW/*.ldb/*.LDB
# allow no local caching of data on the client
csc policy = disable
hide unreadable = yes
hide dot files = no
reset on zero vc = yes
[netlogon]
path = /mnt/SRVDATA_crypt/samba/netlogon
read only = yes
[homes]
comment = %u's Home Directory
path = /mnt/SRVDATA_crypt/samba/home/%S
browsable = no
read only = no
valid users = %S
# server profiles are inside the user's home on the domain member and defined in the user's object in AD
;[profiles]
### TEST USER
root@hg-dc1:/etc/samba# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=test)'
# record 1
dn: CN=test,CN=Users,DC=humgen,DC=0zone
cn: test
sn:: VGVzdOKAiC0tZ2l2ZW4tbmFtZT1XYW50IFRv
title: Test Pilot
description: Want to Test
physicalDeliveryOfficeName: Bldg. 11, 12th floor, Room 1234
telephoneNumber: 12345
initials: WT.
instanceType: 4
whenCreated: 20160728135850.0Z
displayName:: IFdULiBUZXN04oCILS1naXZlbi1uYW1lPVdhbnQgVG8
uSNCreated: 3803
department:: SW5zdGl0dXRl
company:: VU5J
wWWHomePage: institute.uni.de
name: test
objectGUID: af9cf66f-d5c7-4d7f-980f-c4c87a5765e5
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-1231847632-1110290357-1532217621-1108
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: test
sAMAccountType: 805306368
userPrincipalName: test@humgen.0zone
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=humgen,DC=0zone
mail: test@humgen.0zone
uid: test
uidNumber: 9439
gidNumber: 5001
gecos: Want to Test
loginShell: /bin/bash
msSFU30NisDomain: humgen
msSFU30Name: test
unixUserPassword: ABCD!efgh12345$67890
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 512
pwdLastSet: 131142705100000000
scriptPath: \\hg004.humgen.0zone\netlogon\login.bat
homeDirectory: \\hg004.humgen.0zone\%USERNAME%
homeDrive: U
profilePath: \\hg004.humgen.0zone\%USERNAME%\winprofile
unixHomeDirectory: //hg004.humgen.0zone/test/linhome
lastLogonTimestamp: 131153950658668290
whenChanged: 20160811131745.0Z
uSNChanged: 3847
lastLogon: 131154694735501500
distinguishedName: CN=test,CN=Users,DC=humgen,DC=0zone
### TEST GROUP
root@hg-dc1:/etc/samba# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=hg_allg)'
# record 1
dn: CN=hg_allg,CN=Users,DC=humgen,DC=0zone
objectClass: top
objectClass: group
cn: hg_allg
description: All Users of HumGen
instanceType: 4
whenCreated: 20160801120752.0Z
whenChanged: 20160801120752.0Z
uSNCreated: 3835
uSNChanged: 3835
name: hg_allg
objectGUID: 7acc757d-3164-471c-a101-c8f8ed5d8339
objectSid: S-1-5-21-1231847632-1110290357-1532217621-1113
sAMAccountName: hg_allg
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=humgen,DC=0zone
msSFU30Name: hg_allg
msSFU30NisDomain: humgen
gidNumber: 5001
distinguishedName: CN=hg_allg,CN=Users,DC=humgen,DC=0zone
###
# on the domain controller
###
root@hg-dc1:/etc/bind# wbinfo --user-info test
HUMGEN\test:*:9439:100: WT. Test --given-name=Want To:/home/HUMGEN/test:/bin/false
root@hg-dc1:/etc/bind# wbinfo --group-info hg_allg
HUMGEN\hg_allg:x:5001:
###
# on the member server
###
root@hg004:/etc/samba# wbinfo -u
administrator
dns-hg-dc1
krbtgt
guest
test
root@hg004:/etc/samba# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
hg_allg
root@hg004:/etc/samba# wbinfo --group-info hg_allg
hg_allg:x:5001: # correct
root@hg004:/etc/samba# wbinfo --user-info test
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test
### ?!?!?! PROBLEM
root@hg004:/etc/samba# wbinfo -n test
S-1-5-21-1231847632-1110290357-1532217621-1108 SID_USER (1)
root@hg004:/etc/samba# wbinfo --sid-to-uid S-1-5-21-1231847632-1110290357-1532217621-1108
9439 # correct
root@hg004:/etc/samba# getent passwd
#... only local users, NO USER test - PROBLEM
root@hg004:/etc/samba# getent group
#... local and domain groups - correct
hg_allg:x:5001:
###
# if I comment or delete:
# idmap config *:backend = tdb
# idmap config *:range = 2000-4000
# I get all I want - with false UID and GID
###
root@hg004:/home/iroot# getent passwd test
test:*:4294967295:4294967295:Want to Test://hg004.humgen.0zone/test/linhome:/bin/bash
root@hg004:/etc/samba# getent group hg_allg
hg_allg:x:4294967295:
###
# Thank you for enduring this to its bitter end.
###
--
View this message in context:
http://samba.2283325.n4.nabble.com/WINBIND-UID-and-GID-false-mappings-on-domain-member-tp4706553.html
Sent from the Samba - General mailing list archive at Nabble.com.
Rowland Penny
2016-Aug-12 15:45 UTC
[Samba] WINBIND: UID and GID false mappings on domain member
On Fri, 12 Aug 2016 07:33:27 -0700 (PDT) rawi via samba <samba@lists.samba.org> wrote:

> WHAT I DO NOT GET CORRECTLY are the UID and GID of users and groups
> on the domain member (PARTIALLY DEPENDING if I have the lines with
> "idmap config *:..." or not ??? - see below)

Have you added uidNumber & gidNumber attributes to the user & group objects in AD ?

> dns-nameservers 127.0.0.1

I take it you are using bind9 as the nameserver and you have set it up correctly ? In which case you will have a line similar to this in named.conf.options:

forwarders { 8.8.8.8; 8.8.4.4; };

So remove 'dns-nameservers 127.0.0.1' from smb.conf, I don't recognise it, so I suppose Samba won't either, there is the setting 'dns forwarder' but this is only used with the internal DNS server and you wouldn't use '127.0.0.1'

> # [netlogon] is on the member server and defined in the user's object

I suggest you put it back

> # I let sysvol here, as I don't understand its role

I suggest you find out, it is rather important, I will give you a hint, GPOs

> server role = member server
> server services = -dnsupdate -dns

You do not need these lines on a domain member

From here:

> domain master = no
> local master = no
> preferred master = no
> domain logons = no
> encrypt passwords = yes

To here, can be removed.

Again remove lines, from here:

> wins server = hg-dc1.humgen.0zone
> socket options = TCP_NODELAY IPTOS_LOWDELAY
> # no templates. They are coming from LDAP in Active Directory
> template homedir
> template shell
> # They are also coming from LDAP in Active Directory
> logon script
> logon path
> logon drive
> logon home

To here.

Remove these next lines and put them back on the DC:

> [netlogon]
> path = /mnt/SRVDATA_crypt/samba/netlogon
> read only = yes

> objectClass: posixAccount

You do not need and should not add the POSIX objectclasses

> root@hg004:/etc/samba# getent group hg_allg
> hg_allg:x:4294967295:

Have you given 'Domain Users' a gidNumber inside the range 5000-30000 ?

Rowland
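As an added example (not code from the thread or from the Samba project), a small Python check over ldbsearch-style LDIF that applies Rowland's two questions mechanically: every user needs a uidNumber inside the member's idmap range, and so does the user's primary group, the object whose SID is the domain SID plus primaryGroupID, which is why 'Domain Users' matters here. The sample records are constructed from the thread's output; the 'Domain Users' object without a gidNumber is an assumption.

```python
"""Added example (not from the thread): parse ldbsearch LDIF and report users
that winbind's idmap_ad with range 5000-30000 cannot map. 'Domain Users'
without a gidNumber is an assumption matching Rowland's last question."""
import base64

IDMAP_RANGE = (5000, 30000)   # idmap config HUMGEN:range on the member

# Constructed sample in ldbsearch's LDIF form ('attr:: x' means base64).
SAMPLE_LDIF = """\
dn: CN=test,CN=Users,DC=humgen,DC=0zone
sAMAccountName: test
displayName:: IFdULiBUZXN0
primaryGroupID: 513
objectSid: S-1-5-21-1231847632-1110290357-1532217621-1108
uidNumber: 9439
gidNumber: 5001
objectClass: user

dn: CN=Domain Users,CN=Users,DC=humgen,DC=0zone
sAMAccountName: Domain Users
objectSid: S-1-5-21-1231847632-1110290357-1532217621-513
objectClass: group
"""


def parse_ldif(text):
    """Return one {attr: [values]} dict per blank-line-separated record."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.replace("\n ", "").splitlines():  # unfold lines
            attr, _, val = line.partition(":")
            if val.startswith(":"):                          # base64 value
                val = base64.b64decode(val[1:].strip()).decode("utf-8")
            rec.setdefault(attr, []).append(val.strip())
        records.append(rec)
    return records


def in_range(value, rng=IDMAP_RANGE):
    return value is not None and rng[0] <= value <= rng[1]


def check_idmap(records, rng=IDMAP_RANGE):
    """Map user name -> reasons winbind cannot build a passwd entry for it."""
    by_sid = {r["objectSid"][0]: r for r in records if "objectSid" in r}
    problems = {}
    for r in records:
        if "user" not in r.get("objectClass", []):
            continue
        issues = []
        uid = int(r["uidNumber"][0]) if "uidNumber" in r else None
        if not in_range(uid, rng):
            issues.append(f"uidNumber {uid} missing or outside {rng}")
        # The passwd gid is mapped from the primary group's SID (domain SID +
        # primaryGroupID), so that group needs an in-range gidNumber too.
        pg_sid = r["objectSid"][0].rsplit("-", 1)[0] + "-" + r["primaryGroupID"][0]
        pg = by_sid.get(pg_sid)
        gid = int(pg["gidNumber"][0]) if pg and "gidNumber" in pg else None
        if not in_range(gid, rng):
            who = pg["sAMAccountName"][0] if pg else "<group not in export>"
            issues.append(f"primary group {who}: gidNumber {gid} missing or outside {rng}")
        if issues:
            problems[r["sAMAccountName"][0]] = issues
    return problems
```

On a real domain, feed it the ldbsearch output for the users and groups of the domain instead of SAMPLE_LDIF. The 4294967295 that getent showed after the `idmap config *` lines were removed is (uid_t)-1, the value winbind returns when it has no mapping for a SID.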
Thank you Rowland for looking into this!

>> WHAT I DO NOT GET CORRECTLY are the UID and GID of users and groups
>> on the domain member (PARTIALLY DEPENDING if I have the lines with
>> "idmap config *:..." or not ??? - see below)
>
> Have you added uidNumber & gidNumber attributes to the user & group objects in AD ?

Not myself, I simply provisioned with --use-rfc2307

> I take it you are using bind9 as the nameserver and you have set it up
> correctly ?
> In which case you will have a line similar to this in
> named.conf.options:
> forwarders { 8.8.8.8; 8.8.4.4; };
>
> So remove 'dns-nameservers 127.0.0.1' from smb.conf, I don't recognise
> it, so I suppose Samba won't either, there is the setting 'dns
> forwarder' but this is only used with the internal DNS server and you
> wouldn't use '127.0.0.1'

Well, I simplified the tale: I wanted to have only one domain for all, samba and the rest. Not a subdomain for samba. I have all in bind9 and dhcp. So I looked at samba's dnsupdates the first time, took the dns records and put them fixed in bind9. All the rest of the records of the clients will be generated (included list) from a script. In DHCP I have mostly static assignments. Then I deleted dnsupdate from samba's roles. It works well, forward and reverse.

>> # [netlogon] is on the member server and defined in the user's object
>
> I suggest you put it back

I will. In my eyes netlogon is a share like any other, and the DC shouldn't share files. I thought it would have been enough to have the netlogon pointer to the file server - in the user's LDAP object.

>> objectClass: posixAccount
>
> You do not need and should not add the POSIX objectclasses

I didn't. I used samba-tool to add the user and the group. And I tried to use most of the parameters of "user add", to learn and see what happens. So samba-tool did it.

> Have you given 'Domain Users' a gidNumber inside the range 5000-30000 ?

No, Domain Users has no GID. Until now it was unimportant to me. All my users are in the group "hg_allg" with GID 5001. As primary group in unix passwd in the old NT domain.

Oh, I remember something awkward... Till a couple of days ago, I got the users' UID but NOT THE GROUP's GID. THIS ALWAYS without the lines "idmap config *:..." I could login from a joined Windows 8.1, I got the logon script running (from the domain member), but the home was not bound to the HOMEDIR. This could happen because at that time the UID came correctly and matched the old UID of the user. I got today a kernel update.... and the situation changed, like I said... Now I get GID but no UID. Somehow spooky...

rawi

--
View this message in context:
http://samba.2283325.n4.nabble.com/WINBIND-UID-and-GID-false-mappings-on-domain-member-tp4706553p4706560.html
Sent from the Samba - General mailing list archive at Nabble.com.