Hi guys!

I'm looking for a way to solve the problem between my Samba 4.4.4 DC and my samba 4.3 File Server.

The users and groups ids are not the same in both servers and I can't find the solution for this.

Can anyone help me?

This is the environment:

DC: Samba 4.4.4
------------------------
smb.conf:

[global]
interfaces = lo eth0
workgroup = DOMAIN
realm = DOMAIN.LOCAL
netbios name = SERVER
server role = active directory domain controller
dns forwarder = 10.x.x.x
allow dns updates = nonsecure
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 3000000-4000000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

root at server:/usr/local/src/samba-4.4.6# wbinfo --name-to-sid edsontadeu
S-1-5-21-1058002876-845724780-2777320708-1106 SID_USER (1)

root at server:/usr/local/src/samba-4.4.6# wbinfo --sid-to-uid S-1-5-21-1058002876-845724780-2777320708-1106
3000019

FILE SERVER: Samba 4.3.6
------------------------
smb.conf

[global]
workgroup = DOMAIN
netbios name = FS1
realm = DOMAIN.LOCAL
security = domain
server services = smb winbindd
encrypt passwords = true
wins server = 10.x.x.x
idmap config * : backend = tdb
idmap config * : range = 70001-80000
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 3000000-4000000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
domain master = no
local master = no
preferred master = no
os level = 0
log level = 2 vfs:7 auth:2 passdb:2

root at fs1:~# wbinfo --name-to-sid edsontadeu
S-1-5-21-1058002876-845724780-2777320708-1106 SID_USER (1)

root at fs1:~# wbinfo --sid-to-uid S-1-5-21-1058002876-845724780-2777320708-1106
70001

root at fs1:~# id edsontadeu
id: edsontadeu: no such user

root at fs1:~# getent passwd edsontadeu
(NO RESULTS)

root at fs1:~# wbinfo -i edsontadeu
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user edsontadeu

wbinfo -u and wbinfo -g work well. They give me all my AD Users.

Thanks all!!

--
-------------------------------------------
Edson Tadeu Almeida Silveira
http://sites.google.com/site/edsontadeu/
-------------------------------------------
On Thu, 22 Sep 2016 19:35:57 -0300
Edson Tadeu Almeida da Silveira via samba <samba at lists.samba.org> wrote:

> Hi guys!
>
> I'm looking for a way to solve the problem between my Samba 4.4.4 DC
> and my samba 4.3 File Server.
>
> The users and groups ids are not the same in both servers and I can't
> find the solution for this.
>
> Can anyone help me?
>
> This is the environment:
>
> DC: Samba 4.4.4
> ------------------------
> smb.conf:
>
> [global]
> interfaces = lo eth0
> workgroup = DOMAIN
> realm = DOMAIN.LOCAL
> netbios name = SERVER
> server role = active directory domain controller
> dns forwarder = 10.x.x.x
> allow dns updates = nonsecure
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 3000000-4000000
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> root at server:/usr/local/src/samba-4.4.6# wbinfo --name-to-sid edsontadeu
> S-1-5-21-1058002876-845724780-2777320708-1106 SID_USER (1)
>
> root at server:/usr/local/src/samba-4.4.6# wbinfo --sid-to-uid S-1-5-21-1058002876-845724780-2777320708-1106
> 3000019
>
> FILE SERVER: Samba 4.3.6
> ------------------------
> smb.conf
>
> [global]
> workgroup = DOMAIN
> netbios name = FS1
> realm = DOMAIN.LOCAL
> security = domain
> server services = smb winbindd
> encrypt passwords = true
> wins server = 10.x.x.x
> idmap config * : backend = tdb
> idmap config * : range = 70001-80000
> idmap config DOMAIN : backend = ad
> idmap config DOMAIN : schema_mode = rfc2307
> idmap config DOMAIN : range = 3000000-4000000
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> domain master = no
> local master = no
> preferred master = no
> os level = 0
> log level = 2 vfs:7 auth:2 passdb:2
>
> root at fs1:~# wbinfo --name-to-sid edsontadeu
> S-1-5-21-1058002876-845724780-2777320708-1106 SID_USER (1)
>
> root at fs1:~# wbinfo --sid-to-uid S-1-5-21-1058002876-845724780-2777320708-1106
> 70001
>
> root at fs1:~# id edsontadeu
> id: edsontadeu: no such user
>
> root at fs1:~# getent passwd edsontadeu
> (NO RESULTS)
>
> root at fs1:~# wbinfo -i edsontadeu
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user edsontadeu
>
> wbinfo -u and wbinfo -g work well. They give me all my AD Users.
>
> Thanks all!!
>

OK, can I suggest you change the DC smb.conf to this:

[global]
netbios name = SERVER
realm = DOMAIN.LOCAL
workgroup = DOMAIN
server role = active directory domain controller
dns forwarder = 10.x.x.x
allow dns updates = nonsecure
winbind enum users = yes
winbind enum groups = yes

All the other lines you added will not do anything on a DC.

You should also change the domain member smb.conf to this:

[global]
workgroup = DOMAIN
security = domain   # wrong
realm = DOMAIN.LOCAL
netbios name = FS1
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind normalize names = Yes
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 10000-999999
domain master = no
local master = no
preferred master = no
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
log level = 2 vfs:7 auth:2 passdb:2

You will then need to give Domain Users a gidNumber attribute inside the range '10000-999999'

You will then need to give each user a uidNumber attribute inside the range '10000-999999'

If you follow the above, you should then get the same ID numbers on the DC and the domain member, provided nsswitch & links are set up on the DC.

Rowland
On Fri, 23 Sep 2016 08:06:56 -0300
Edson Tadeu Almeida da Silveira <edson.tadeu at gmail.com> wrote:

> I'm using ADUC, but Unix attributes is not enabled to insert GID.
> Should I recompile my samba with rfc option ?

If you are using ADUC on windows 10, there is no Unix Attributes tab, if you are using any other version of windows, you need to install IDMU, see here:

https://wiki.samba.org/index.php/Installing_RSAT

This does depend on you adding the option '--use-rfc2307' to the provision command, but if you didn't, you can add it later, see here:

https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

> So, let me see if I understood.
>
> For each existent or new user and group, should I insert a unique
> UID/GID manually?

If you need to have the same IDs everywhere you need to do the following:

For a windows user to be a Unix user as well, you need to add a uidNumber attribute.

You also need to give 'Domain Users' a gidNumber attribute, if you do not do this and use winbind, you will not get any Unix users.

These 'uidNumber' and 'gidNumber' attributes are NOT created automatically, it needs to be a manual action.

Rowland
On Fri, 23 Sep 2016 09:50:38 -0300
Edson Tadeu Almeida da Silveira <edson.tadeu at gmail.com> wrote:

> I don't know why, but, ldbmodify is not working with me :-)
>
> ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif-CHANGED --option="dsdb:schema update allowed"=true
>
> Invalid option --option=dsdb:schema update allowed=true: unknown option
>

Strange, it should work, is 'sam.ldb' in /usr/local/samba/private ? or to put it another way, did you compile Samba yourself ?

There is another way of doing this (once you are sure you are running ldbmodify against the correct path to sam.ldb), add 'dsdb:schema update allowed = true' to the DCs smb.conf, restart samba and then run the command without the '--option'

If this works, remove the line you added to smb.conf and restart samba again.

Rowland
On Fri, 23 Sep 2016 10:38:18 -0300
Edson Tadeu Almeida da Silveira <edson.tadeu at gmail.com> wrote:

> Yes. My DC I compiled by myself.
>
> I did what you said and then:
>
> # ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif-cbmerj
> WARNING: Module [samba_dsdb] not found - do you need to set LDB_MODULES_PATH?
> Unable to load modules for /usr/local/samba/private/sam.ldb: (null)
> Failed to connect to /usr/local/samba/private/sam.ldb - (null)
>

It looks like your Python path isn't setup correctly, I would investigate how to do this for your OS.

Rowland
On Fri, 23 Sep 2016 11:10:51 -0300
Edson Tadeu Almeida da Silveira <edson.tadeu at gmail.com> wrote:

> I think my ubuntu version doesn't have support for the necessary
> libraries:
>
> ldb: unable to dlopen /usr/local/samba/lib/ldb/acl.so : /usr/lib/x86_64-linux-gnu/libtalloc.so.2: version `TALLOC_2.1.0' not found (required by /usr/local/samba/lib/libsamba-hostconfig.so.0)
> ldb: unable to dlopen /usr/local/samba/lib/ldb/aclread.so : /usr/lib/x86_64-linux-gnu/libtalloc.so.2: version `TALLOC_2.1.0' not found (required by /usr/local/samba/lib/libsamba-hostconfig.so.0)
> ldb: unable to dlopen /usr/local/samba/lib/ldb/anr.so : /usr/lib/x86_64-linux-gnu/libldb.so.1: version `LDB_1.1.19' not found (required by /usr/local/samba/lib/private/libldbsamba-samba4.so)
>
> I'm running with
>
> python-talloc 2.0.7
> python-ldb 1.1.4
>

I think that explains it, you are using the OS package libs not the ones you compiled with Samba. I do not have those packages installed (I use Devuan) and it works for me.

Try removing those packages and you will probably want to ensure that /usr/local/samba/bin and /usr/local/samba/sbin are at the front of your env PATH variable.

Rowland
On Fri, 23 Sep 2016 19:54:36 -0300
Edson Tadeu Almeida da Silveira <edson.tadeu at gmail.com> wrote:

> Hi Rowland.
>
> I did the ldif import and it seems ok now.
>
> I set only gid to my groups, because they are in small quantity.
>
> But, when I insert these lines to my member server:
>
> # idmap config CBMERJ : backend = ad
> # idmap config CBMERJ : schema_mode = rfc2307
> # idmap config CBMERJ : range = 3000000-4000000
>
> I can't access their shares through my windows clients.
>
> This only will work if I set all uid to my users, or there is
> something else?
>

The only groups that need a gidNumber are 'Domain Users' and any other group that you want/need to be visible to Unix.

You MUST also give a uidNumber to any users that you want to be visible to Unix (Note: you do not have to use the 3000000 numbers)

This is where a lot of people go wrong or misunderstand the winbind ad backend.

Rowland
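The recurring point in Rowland's replies (the member server config with its idmap ranges, the manual uidNumber/gidNumber requirement, and the 'Domain Users' gidNumber rule) can be turned into a pre-flight check that an administrator runs before switching a domain member to the winbind 'ad' backend. The script below is an added example, not code from the thread or from the Samba project. It parses the idmap lines of an smb.conf and an LDIF-style dump of users and groups, then reports every object that winbind's 'ad' backend would be unable to map: users without uidNumber, 'Domain Users' without gidNumber, and ids that fall outside the configured domain range or collide with the '*' range. Both the smb.conf text and the LDIF dump are constructed here inline (the user names and ids are made up); in practice you would feed it the real files, and the attribute names and the single-valued LDIF layout are assumptions of the example.

```python
"""Pre-flight check for a Samba domain member using 'idmap config DOM : backend = ad'.

Added example (not from the thread). Assumes a simplified LDIF dump in which
every entry has a single objectClass line and single-valued attributes.
"""
import re
from typing import Dict, List, Tuple

# Constructed: the idmap lines of the member-server smb.conf suggested in the thread.
SMB_CONF = """
[global]
   workgroup = DOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config DOMAIN : backend = ad
   idmap config DOMAIN : schema_mode = rfc2307
   idmap config DOMAIN : range = 10000-999999
"""

# Constructed sample dump: names and numbers are invented for the example.
SAMPLE_LDIF = """
dn: CN=Domain Users,CN=Users,DC=domain,DC=local
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=staff,CN=Users,DC=domain,DC=local
objectClass: group
sAMAccountName: staff

dn: CN=edsontadeu,CN=Users,DC=domain,DC=local
objectClass: user
sAMAccountName: edsontadeu
uidNumber: 10001

dn: CN=alice,CN=Users,DC=domain,DC=local
objectClass: user
sAMAccountName: alice
uidNumber: 3000019

dn: CN=bob,CN=Users,DC=domain,DC=local
objectClass: user
sAMAccountName: bob
"""

# Matches both "idmap config * : range = ..." and "idmap config DOMAIN:range = ..." spellings.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {'backend': ..., 'range': ..., ...}} from the idmap lines of smb.conf."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
            out.setdefault(dom, {})[key] = val
    return out


def parse_range(spec: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' into a pair of ints."""
    lo, hi = spec.split("-")
    return int(lo), int(hi)


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' per line."""
    entries: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    if cur:
        entries.append(cur)
    return entries


def check_idmap(conf: str, ldif: str, domain: str) -> List[str]:
    """Return findings; an empty list means every object can be mapped by the 'ad' backend."""
    idmap = parse_idmap(conf)
    findings: List[str] = []
    dom_cfg = idmap.get(domain, {})
    if dom_cfg.get("backend", "").lower() != "ad":
        return [f"{domain}: backend is not 'ad', RFC2307 attributes are not consulted"]
    lo, hi = parse_range(dom_cfg["range"])
    default = idmap.get("*", {})
    if "range" in default:                       # the '*' range must not overlap the domain range
        dlo, dhi = parse_range(default["range"])
        if dlo <= hi and lo <= dhi:
            findings.append(f"ERROR: {domain} range {lo}-{hi} overlaps '*' range {dlo}-{dhi}")
    seen_domain_users = False
    for e in parse_ldif(ldif):
        name = e.get("sAMAccountName", e.get("dn", "?"))
        cls = e.get("objectClass")
        if cls == "group":
            if name == "Domain Users":
                seen_domain_users = True
            if "gidNumber" not in e:             # only 'Domain Users' is mandatory; others are informational
                sev = "ERROR" if name == "Domain Users" else "INFO"
                findings.append(f"{sev}: group {name!r} has no gidNumber (invisible to Unix)")
            elif not lo <= int(e["gidNumber"]) <= hi:
                findings.append(f"ERROR: group {name!r} gidNumber {e['gidNumber']} outside {lo}-{hi}")
        elif cls == "user":
            if "uidNumber" not in e:             # without uidNumber 'getent passwd' returns nothing
                findings.append(f"ERROR: user {name!r} has no uidNumber (getent will return nothing)")
            elif not lo <= int(e["uidNumber"]) <= hi:
                findings.append(f"ERROR: user {name!r} uidNumber {e['uidNumber']} outside {lo}-{hi}")
    if not seen_domain_users:
        findings.append("ERROR: 'Domain Users' not present in dump")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(SMB_CONF, SAMPLE_LDIF, "DOMAIN"):
        print(finding)
```

Run as-is, the sample reports three findings: 'staff' has no gidNumber (harmless unless Unix needs to see it), 'alice' carries a uidNumber from the 3000000 range the thread started with and so falls outside the 10000-999999 range now configured, and 'bob' has no uidNumber at all, which is exactly the "id: no such user" symptom in the first message. Replacing the domain range with 3000000-4000000 flips the verdict on 'Domain Users' instead, which is why the ranges and the attribute values have to be chosen together.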