rawi
2016-Aug-17 11:54 UTC
[Samba] SOLVED: WINBIND: UID and GID false mappings on domain member
I bump this only to say SOLVED and many thanks to Rowland. Lessons learned: 1. Indeed, my problems where related to not having a gidNumber for "Domain Users". After adding it I got real wbinfo --user-info on the domain member (file server). My test user could log in in his old home from the NT domain preserving the old UID and GID. 2. (question = why?) And login.bat was called at login time _only_ after moving the [netlogon] share from the domain member to the ad-dc. Why on earth it could not be called from the file server remains a mystery to me. The LDAP field scriptPath was configured: \\member_server\netlogon\login.bat. 3. To bind the homeDrive I had to put a colon (:) after the drive letter. 4. (question = how changing/correct surname, givenName?) wbinfo output is slightly different on ad-dc and domain member with regard to the Geckos On the ad-dc: HUMGEN\test:*:9439:5000: WT. Test --given-name=Want To:/home/HUMGEN/test:/bin/false The Geckos on ad-dc are composed from initials + surname + givenName. On the domain member (real Geckos field or may be description) : test:*:9439:5000:Want to Test://hg004.humgen.0zone/test/linhome:/bin/bash The Geckos from the ad-dc will be sent as FullName to a joined Windows 8.1 computer. The fields (I gave them to samba-tool by creating the test user) surname and givenName are not visible in the output of ldbsearch. So, how would one modify the surname after a women married and changed it? 5. (bug?) Adding "hosts allow =" on the ad-dc breaks everything. wbinfo will give no output on the ad-dc and an error on the domain member. 6. After spying what dnsupdate does (rndc dumpdb -zones) I could take out the server service dnsupdate from smb.conf and insert the records statically in bind9. So I have all my subnet uniformly in one place (dhcp+bind, forward+reverse) regardless if the computer or printer is in the domain or not. 7. The share [homes] (on the domain member) will generate after a generic path=/path/to/homes a share like \\file-server\test and inside this is again a directory test. So to have the home directory content directly inside the homeDrive one has to declare the path=/path/to/homes/%S. 8. With a combination of chmod g+s on a directory and "inherit permissions" in the smb.conf I can avoid a lot of the acl default hassle and administer the file system like in the old linux times, acl remaining a possibility. 9. Given the developments it's pity that Ubuntu Xenial LTS won't upgrade to the last branch. If I move now my NT domain to 4.3 I'll stay so for the next 10 years - for fear to break something. All the above is for all of you common knowledge. This were now discoveries for me after sleeping the last 12 years behind an old samba NT domain :) Thanks to all samba team and forum helpers for making it happen again and again. rawi -- View this message in context: http://samba.2283325.n4.nabble.com/WINBIND-UID-and-GID-false-mappings-on-domain-member-tp4706553p4706722.html Sent from the Samba - General mailing list archive at Nabble.com.
rawi
2016-Aug-17 12:24 UTC
[Samba] SOLVED: WINBIND: UID and GID false mappings on domain member
Supplement:> To bind the homeDrive I had to put a colon (:) after the drive letter.And I discovered that homeDirectory: \\hg004.humgen.0zone\%USERNAME% ...won't work, but with the real login-name yes I don't know now, which of both changes did the trick -- View this message in context: http://samba.2283325.n4.nabble.com/WINBIND-UID-and-GID-false-mappings-on-domain-member-tp4706553p4706723.html Sent from the Samba - General mailing list archive at Nabble.com.
Rowland Penny
2016-Aug-17 12:33 UTC
[Samba] SOLVED: WINBIND: UID and GID false mappings on domain member
On Wed, 17 Aug 2016 04:54:41 -0700 (PDT) rawi via samba <samba at lists.samba.org> wrote:> I bump this only to say SOLVED and many thanks to Rowland. > > Lessons learned: > > 1. > Indeed, my problems where related to not having a gidNumber for > "Domain Users". > After adding it I got real wbinfo --user-info on the domain member > (file server). > My test user could log in in his old home from the NT domain > preserving the old UID and GID. > > 2. (question = why?) > And login.bat was called at login time _only_ after moving the > [netlogon] share from the domain member to the ad-dc. > Why on earth it could not be called from the file server remains a > mystery to me. > The LDAP field scriptPath was configured: > \\member_server\netlogon\login.bat. > > 3. > To bind the homeDrive I had to put a colon (:) after the drive letter. > > 4. (question = how changing/correct surname, givenName?) > wbinfo output is slightly different on ad-dc and domain member with > regard to the GeckosI think you mean 'gecos', a Gecko is a type of lizard ;-)> > On the ad-dc: > HUMGEN\test:*:9439:5000: WT. Test --given-name=Want > To:/home/HUMGEN/test:/bin/false > > The Geckos on ad-dc are composed from initials + surname + givenName. > > On the domain member (real Geckos field or may be description) : > test:*:9439:5000:Want to > Test://hg004.humgen.0zone/test/linhome:/bin/bash > > The Geckos from the ad-dc will be sent as FullName to a joined > Windows 8.1 computer.This is a known problem, winbindd on the DC only extracts uidNumber & gidNumber attributes, I just wish somebody would fix this.> > The fields (I gave them to samba-tool by creating the test user) > surname and givenName are not visible in the output of ldbsearch. > So, how would one modify the surname after a women married and > changed it?you should get virtually all of a users attributes, there are a few exceptions i.e. the users unicode password. root at dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(&(objectclass=user)(samaccountname=rowland))' # record 1 dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com cn: Rowland Penny sn: Penny givenName: Rowland instanceType: 4 whenCreated: 20151109093821.0Z displayName: Rowland Penny uSNCreated: 3871 name: Rowland Penny objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 primaryGroupID: 513 objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107 logonCount: 0 sAMAccountName: rowland sAMAccountType: 805306368 userPrincipalName: rowland at samdom.example.com objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c om pwdLastSet: 130915355010000000 unixUserPassword: ABCD!efgh12345$67890 uid: rowland msSFU30Name: rowland msSFU30NisDomain: samdom uidNumber: 10000 unixHomeDirectory: /home/rowland loginShell: /bin/bash userAccountControl: 66048 accountExpires: 0 gidNumber: 10000 objectClass: top objectClass: securityPrincipal objectClass: person objectClass: organizationalPerson objectClass: user gecos: Rowland Penny memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com homeDrive: H: homeDirectory: \\DC2\home\rowland whenChanged: 20160813074443.0Z uSNChanged: 283069 lastLogonTimestamp: 131155478831131360 lastLogon: 131158939536858180 distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com> > 5. (bug?) > Adding "hosts allow =" on the ad-dc breaks everything. > wbinfo will give no output on the ad-dc and an error on the domain > member. >If you can duplicate this at will, then it does sound like a bug.> 6. > After spying what dnsupdate does (rndc dumpdb -zones) I could take > out the server service dnsupdate from smb.conf and insert the records > statically in bind9. So I have all my subnet uniformly in one place > (dhcp+bind, forward+reverse) regardless if the computer or printer is > in the domain or not. >I do something like this, but use dhcp to do it automatically, for static IPs, I use samba-tool to add them. If ypu mean that you have removed 'dnsupdate' from the 'server services' line, can I recommend you put it back, you need it for the 'samba_dnsupdate' script.> 7. > The share [homes] (on the domain member) will generate after a generic > path=/path/to/homes a share like \\file-server\test and inside this > is again a directory test. > So to have the home directory content directly inside the homeDrive > one has to declare the path=/path/to/homes/%S. > > 8. > With a combination of chmod g+s on a directory and "inherit > permissions" in the smb.conf I can avoid a lot of the acl default > hassle and administer the file system like in the old linux times, > acl remaining a possibility. > > 9. > Given the developments it's pity that Ubuntu Xenial LTS won't upgrade > to the last branch. If I move now my NT domain to 4.3 I'll stay so > for the next 10 years - for fear to break something.Don't be afraid of breaking things, that way you will miss a lot of the changes that have already happened and the ones to come. Rowland
rawi
2016-Aug-17 14:08 UTC
[Samba] SOLVED: WINBIND: UID and GID false mappings on domain member
> you should get virtually all of a users attributes, there are a few > exceptions i.e. the users unicode password.Well yes, (embarrassed) I was looking only with one eye. With both eyes I can see the fields; the second eye has grasped, that some fields are base64 coded... btw. unicode passwords: could I set them to passwords from the old NT domain? (I decided to start with a fresh ad-dc, against classic-upgrade, in order to avoid possible errors from the old files and SIDs. So I'm willing to create all my users again per script. But passwords and machine credentials would be gorgeous.)>> 5. (bug?) >> Adding "hosts allow =" on the ad-dc breaks everything. >> wbinfo will give no output on the ad-dc and an error on the domain >> member. > > If you can duplicate this at will, then it does sound like a bug.Yes, I can. Each time I write into the ad-dc a "hosts allow 10.1.2.0/255.255.255.0" - wbinfo -u or -g would give no output any more (Samba Version 4.3.9-Ubuntu) on the ad-dc and output error on the domain member. Having the "hosts allow" set on the domain member seems OK. I didn't try, if it is also effective...> If you mean that you have > removed 'dnsupdate' from the 'server services' line, can I recommend > you put it back, you need it for the 'samba_dnsupdate' script.Sorry I do not understand what "samba_dnsupdate" is doing, once I have already all the domain records fixed in zone files and I'll disable the clients per registry hack to try to update dns? Please, why do I need it? How is it working?> Don't be afraid of breaking things, that way you will miss a lot of the > changes that have already happened and the ones to come.Well, I have a helluva of respect facing self compilations with cryptic parameters. I need to stay with the repositories. There are the people knowing this doing. Best regards rawi -- View this message in context: http://samba.2283325.n4.nabble.com/WINBIND-UID-and-GID-false-mappings-on-domain-member-tp4706553p4706728.html Sent from the Samba - General mailing list archive at Nabble.com.
Possibly Parallel Threads
- SOLVED: WINBIND: UID and GID false mappings on domain member
- WINBIND: UID and GID false mappings on domain member
- WINBIND: UID and GID false mappings on domain member
- WINBIND: UID and GID false mappings on domain member
- WINBIND: UID and GID false mappings on domain member