samba - Aug 2016 - SOLVED: WINBIND: UID and GID false mappings on domain member

I bump this only to say SOLVED and many thanks to Rowland.

Lessons learned:

1.
Indeed, my problems where related to not having a gidNumber for "Domain
Users".
After adding it I got real wbinfo --user-info on the domain member (file
server).
My test user could log in in his old home from the NT domain preserving the
old UID and GID.

2. (question = why?)
And login.bat was called at login time _only_ after moving the [netlogon]
share from the domain member to the ad-dc.
Why on earth it could not be called from the file server remains a mystery
to me.
The LDAP field scriptPath was configured:
\\member_server\netlogon\login.bat.

3.
To bind the homeDrive I had to put a colon (:) after the drive letter.

4. (question = how changing/correct surname, givenName?)
wbinfo output is slightly different on ad-dc and domain member with regard
to the Geckos

On the ad-dc:
HUMGEN\test:*:9439:5000: WT. Test --given-name=Want
To:/home/HUMGEN/test:/bin/false

The Geckos on ad-dc are composed from initials + surname + givenName.

On the domain member (real Geckos field or may be description) :
test:*:9439:5000:Want to Test://hg004.humgen.0zone/test/linhome:/bin/bash

The Geckos from the ad-dc will be sent as FullName to a joined Windows 8.1
computer.

The fields (I gave them to samba-tool by creating the test user) surname and
givenName are not visible in the output of ldbsearch.
So, how would one modify the surname after a women married and changed it?

5. (bug?)
Adding "hosts allow =" on the ad-dc breaks everything.
wbinfo will give no output on the ad-dc and an error on the domain member.

6.
After spying what dnsupdate does (rndc dumpdb -zones) I could take out the
server service dnsupdate from smb.conf and insert the records statically in
bind9. So I have all my subnet uniformly in one place (dhcp+bind,
forward+reverse) regardless if the computer or printer is in the domain or
not.

7.
The share [homes] (on the domain member) will generate after a generic
path=/path/to/homes a share like \\file-server\test and inside this is again
a directory test.
So to have the home directory content directly inside the homeDrive one has
to declare the path=/path/to/homes/%S.

8.
With a combination of chmod g+s on a directory and "inherit
permissions" in
the smb.conf I can avoid a lot of the acl default hassle and administer the
file system like in the old linux times, acl remaining a possibility.

9.
Given the developments it's pity that Ubuntu Xenial LTS won't upgrade to
the
last branch. If I move now my NT domain to 4.3 I'll stay so for the next 10
years - for fear to break something.

All the above is for all of you common knowledge.
This were now discoveries for me after sleeping the last 12 years behind an
old samba NT domain :)

Thanks to all samba team and forum helpers for making it happen again and
again.

rawi




--
View this message in context:
http://samba.2283325.n4.nabble.com/WINBIND-UID-and-GID-false-mappings-on-domain-member-tp4706553p4706722.html
Sent from the Samba - General mailing list archive at Nabble.com.

Supplement:
> To bind the homeDrive I had to put a colon (:) after the drive letter.
And I discovered that 

   homeDirectory: \\hg004.humgen.0zone\%USERNAME%

...won't work, but with the real login-name yes

I don't know now, which of both changes did the trick



--
View this message in context:
http://samba.2283325.n4.nabble.com/WINBIND-UID-and-GID-false-mappings-on-domain-member-tp4706553p4706723.html
Sent from the Samba - General mailing list archive at Nabble.com.

On Wed, 17 Aug 2016 04:54:41 -0700 (PDT)
rawi via samba <samba at lists.samba.org> wrote:
> I bump this only to say SOLVED and many thanks to Rowland.
> 
> Lessons learned:
> 
> 1.
> Indeed, my problems where related to not having a gidNumber for
> "Domain Users".
> After adding it I got real wbinfo --user-info on the domain member
> (file server).
> My test user could log in in his old home from the NT domain
> preserving the old UID and GID.
> 
> 2. (question = why?)
> And login.bat was called at login time _only_ after moving the
> [netlogon] share from the domain member to the ad-dc.
> Why on earth it could not be called from the file server remains a
> mystery to me.
> The LDAP field scriptPath was configured:
> \\member_server\netlogon\login.bat.
> 
> 3.
> To bind the homeDrive I had to put a colon (:) after the drive letter.
> 
> 4. (question = how changing/correct surname, givenName?)
> wbinfo output is slightly different on ad-dc and domain member with
> regard to the Geckos
I think you mean 'gecos', a Gecko is a type of lizard ;-)
> 
> On the ad-dc:
> HUMGEN\test:*:9439:5000: WT. Test --given-name=Want
> To:/home/HUMGEN/test:/bin/false
> 
> The Geckos on ad-dc are composed from initials + surname + givenName.
> 
> On the domain member (real Geckos field or may be description) :
> test:*:9439:5000:Want to
> Test://hg004.humgen.0zone/test/linhome:/bin/bash
> 
> The Geckos from the ad-dc will be sent as FullName to a joined
> Windows 8.1 computer.
This is a known problem, winbindd on the DC only extracts uidNumber &
gidNumber attributes, I just wish somebody would fix this.
> 
> The fields (I gave them to samba-tool by creating the test user)
> surname and givenName are not visible in the output of ldbsearch.
> So, how would one modify the surname after a women married and
> changed it?
you should get virtually all of a users attributes, there are a few
exceptions i.e. the users unicode password.

root at dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb
'(&(objectclass=user)(samaccountname=rowland))'
# record 1
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
cn: Rowland Penny
sn: Penny
givenName: Rowland
instanceType: 4
whenCreated: 20151109093821.0Z
displayName: Rowland Penny
uSNCreated: 3871
name: Rowland Penny
objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
logonCount: 0
sAMAccountName: rowland
sAMAccountType: 805306368
userPrincipalName: rowland at samdom.example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
 om
pwdLastSet: 130915355010000000
unixUserPassword: ABCD!efgh12345$67890
uid: rowland
msSFU30Name: rowland
msSFU30NisDomain: samdom
uidNumber: 10000
unixHomeDirectory: /home/rowland
loginShell: /bin/bash
userAccountControl: 66048
accountExpires: 0
gidNumber: 10000
objectClass: top
objectClass: securityPrincipal
objectClass: person
objectClass: organizationalPerson
objectClass: user
gecos: Rowland Penny
memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
homeDrive: H:
homeDirectory: \\DC2\home\rowland
whenChanged: 20160813074443.0Z
uSNChanged: 283069
lastLogonTimestamp: 131155478831131360
lastLogon: 131158939536858180
distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> 
> 5. (bug?)
> Adding "hosts allow =" on the ad-dc breaks everything.
> wbinfo will give no output on the ad-dc and an error on the domain
> member.
> 
If you can duplicate this at will, then it does sound like a bug. 
> 6.
> After spying what dnsupdate does (rndc dumpdb -zones) I could take
> out the server service dnsupdate from smb.conf and insert the records
> statically in bind9. So I have all my subnet uniformly in one place
> (dhcp+bind, forward+reverse) regardless if the computer or printer is
> in the domain or not.
> 
I do something like this, but use dhcp to do it automatically, for
static IPs, I use samba-tool to add them. If ypu mean that you have
removed 'dnsupdate' from the 'server services' line, can I
recommend
you put it back, you need it for the 'samba_dnsupdate' script.
 
> 7.
> The share [homes] (on the domain member) will generate after a generic
> path=/path/to/homes a share like \\file-server\test and inside this
> is again a directory test.
> So to have the home directory content directly inside the homeDrive
> one has to declare the path=/path/to/homes/%S.
> 
> 8.
> With a combination of chmod g+s on a directory and "inherit
> permissions" in the smb.conf I can avoid a lot of the acl default
> hassle and administer the file system like in the old linux times,
> acl remaining a possibility.
> 
> 9.
> Given the developments it's pity that Ubuntu Xenial LTS won't
upgrade
> to the last branch. If I move now my NT domain to 4.3 I'll stay so
> for the next 10 years - for fear to break something.
Don't be afraid of breaking things, that way you will miss a lot of the
changes that have already happened and the ones to come.

Rowland

> you should get virtually all of a users attributes, there are a few 
> exceptions i.e. the users unicode password.
Well yes, (embarrassed) I was looking only with one eye. With both eyes I
can see the fields; the second eye has grasped, that some fields are base64
coded...

btw. unicode passwords: could I set them to passwords from the old NT
domain?
(I decided to start with a fresh ad-dc, against classic-upgrade, in order to
avoid possible errors from the old files and SIDs. So I'm willing to create
all my users again per script. But passwords and machine credentials would
be gorgeous.)
>> 5. (bug?) 
>> Adding "hosts allow =" on the ad-dc breaks everything. 
>> wbinfo will give no output on the ad-dc and an error on the domain 
>> member. 
>
> If you can duplicate this at will, then it does sound like a bug.
Yes, I can. Each time I write into the ad-dc a "hosts allow
10.1.2.0/255.255.255.0" - wbinfo -u or -g would give no output any more
(Samba Version 4.3.9-Ubuntu) on the ad-dc and output error on the domain
member.
Having the "hosts allow" set on the domain member seems OK. I
didn't try, if
it is also effective...
> If you mean that you have 
> removed 'dnsupdate' from the 'server services' line, can I
recommend
> you put it back, you need it for the 'samba_dnsupdate' script.
Sorry I do not understand what "samba_dnsupdate" is doing, once I have
already all the domain records fixed in zone files and I'll disable the
clients per registry hack to try to update dns? Please, why do I need it?
How is it working?
> Don't be afraid of breaking things, that way you will miss a lot of the
> changes that have already happened and the ones to come.
Well, I have a helluva of respect facing self compilations with cryptic
parameters.
I need to stay with the repositories. There are the people knowing this
doing.

Best regards
rawi




--
View this message in context:
http://samba.2283325.n4.nabble.com/WINBIND-UID-and-GID-false-mappings-on-domain-member-tp4706553p4706728.html
Sent from the Samba - General mailing list archive at Nabble.com.