I'm trying to get Samba 4 AD to work with rfc2307 extensions.
wbinfo -i fails
root@m1:~# wbinfo -i SAMDOM\\demo01
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
winbindd.log is here: http://pastebin.com/X0rEaLt2
Pretty much everything else seems to work:
root@m1:~# wbinfo --ping-dc
checking the NETLOGON for domain[SAMDOM] dc connection to
"dc1.samdom.example.com" succeeded
root@m1:~# wbinfo --uid-to-sid=10000
S-1-5-21-2104162034-3764151921-3268498227-1108
root@m1:~# wbinfo --name-to-sid SAMDOM\\demo01
S-1-5-21-2104162034-3764151921-3268498227-1108 SID_USER (1)
What did I miss?
My setup:
dc1.example.com as per
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
m1.example.com as per
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
Both with SerNet 4.5.2-9 Packages
root@dc1:~# cat /etc/samba/smb.conf
# Global parameters
[global]
netbios name = DC1
realm = SAMDOM.EXAMPLE.COM
workgroup = SAMDOM
dns forwarder = 192.168.8.10
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/samdom.example.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
root@m1:~# cat /etc/samba/smb.conf
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 1 winbind:10
# idmap config used for your domain.
# Click on the following links for more information
# on the available winbind idmap backends,
# Choose the one that fits your requirements
# then add the corresponding configuration.
idmap config * : backend = tdb
idmap config * : range = 2000-9999
# idmap config for the SAMDOM domain
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999
winbind nss info = rfc2307
root@dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! samaccountname=demo01
# record 1
dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: demo01
instanceType: 4
whenCreated: 20161207153641.0Z
uSNCreated: 3797
name: demo01
objectGUID: f636d153-a965-4251-a5ae-64ac05c89e5d
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: demo01
sAMAccountType: 805306368
userPrincipalName: demo01@samdom.example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
uidNumber: 10000
loginShell: /bin/bash
unixHomeDirectory: /home/demo01
msSFU30NisDomain: samdom
msSFU30Name: demo01
unixUserPassword: ABCD!efgh12345$67890
pwdLastSet: 131255986018743120
userAccountControl: 512
gidNumber: 10000
uid: demo01
whenChanged: 20161208113015.0Z
uSNChanged: 3832
distinguishedName: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
# Referral
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
# Referral
ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
# returned 4 records
# 1 entries
# 3 referrals
root@dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! cn=demogroup
# record 1
dn: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: group
cn: demogroup
instanceType: 4
whenCreated: 20161207161213.0Z
uSNCreated: 3815
name: demogroup
objectGUID: 30ea6c61-63fc-44f7-87d9-0311abbac9ae
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1110
sAMAccountName: demogroup
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
msSFU30NisDomain: SAMDOM
gidNumber: 10000
whenChanged: 20161208104335.0Z
uSNChanged: 3824
distinguishedName: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
# Referral
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
# Referral
ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
# returned 4 records
# 1 entries
# 3 referrals
TIA,
Oliver
On Thu, 8 Dec 2016 12:52:53 +0100 Oliver Heinz via samba <samba@lists.samba.org> wrote:
> I'm trying to get Samba 4 AD to work with rfc2307 extensions.
> wbinfo -i fails
> root@m1:~# wbinfo -i SAMDOM\\demo01
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> [...]
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-999999
> winbind nss info = rfc2307
> [...]

Have you given 'Domain Users' a gidNumber attribute containing a number inside '10000-999999' ?

Rowland
On 08.12.2016 at 13:55, Rowland Penny via samba wrote:
> On Thu, 8 Dec 2016 12:52:53 +0100 Oliver Heinz via samba <samba@lists.samba.org> wrote:
>> I'm trying to get Samba 4 AD to work with rfc2307 extensions.
>> wbinfo -i fails
>> root@m1:~# wbinfo -i SAMDOM\\demo01
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> [...]
>
> Have you given 'Domain Users' a gidNumber attribute containing a number inside '10000-999999' ?
>
> Rowland

I did not touch the builtin domain groups. I thought it was sufficient if the primary posix group of that user (demogroup) was within the range. demogroup has a gidNumber of 10000.

Do I still need to modify the domain users in that case? Any other domain groups that I need to modify?

Oliver
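Rowland's question and Oliver's follow-up turn on which group winbind maps a user's primary GID through. With the idmap_ad backend, winbind resolves the primary group via the group that the user's primaryGroupID names (RID 513, Domain Users, for an account created with the defaults, as demo01's dump above shows), so that group needs a gidNumber inside the domain's idmap range; demogroup having gidNumber 10000 does not stand in for it. The script below is an added example, not code from this thread or from the Samba project. It parses the member server's `idmap config SAMDOM:range` out of smb.conf and the LDIF that ldbsearch prints (including the folded objectCategory line and the trailing referral records seen in the dumps above), then reports every user whose uidNumber, or whose primary group's gidNumber, is missing or outside the range. The smb.conf and LDIF embedded in it are constructed from the values posted in this thread; the 'Domain Users' record without a gidNumber is a constructed stand-in for the untouched builtin group.

```python
"""Check RFC 2307 ID mappings against a winbind idmap range.

Added example, not code from this thread or the Samba project: parse the
`idmap config <DOMAIN>:range` line from smb.conf and ldbsearch's LDIF output,
then report users whose uidNumber, or whose primary group's gidNumber, is
missing or outside that range."""
import re

# Constructed from the member server's smb.conf as posted in the thread.
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999
winbind nss info = rfc2307
"""

# Constructed: demo01 trimmed from the posted dump (keeping its folded
# objectCategory line), a stand-in 'Domain Users' (RID 513) with no gidNumber,
# and a trailing referral record of the kind ldbsearch appends.
LDIF = """\
# record 1
dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: demo01
primaryGroupID: 513
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
 om
uidNumber: 10000
gidNumber: 10000

# record 2
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-2104162034-3764151921-3268498227-513

# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
"""

def idmap_range(smb_conf, domain):
    """Return (low, high) from 'idmap config DOMAIN : range = low-high'."""
    pat = re.compile(r"^\s*idmap\s+config\s+%s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$"
                     % re.escape(domain), re.I | re.M)
    m = pat.search(smb_conf)
    if m is None:
        raise ValueError("no idmap range configured for domain %r" % domain)
    return int(m.group(1)), int(m.group(2))

def parse_ldif(text):
    """LDIF -> [{attr: [values]}]: rejoin folded lines (leading space, RFC 2849),
    skip '#' comments, and drop dn-less records such as ldbsearch's referrals."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if "dn" in cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip(), []).append(value.strip())
    return entries

def check_mappings(smb_conf, ldif, domain):
    """Return [(sAMAccountName, problem)] for users winbind cannot fully map."""
    low, high = idmap_range(smb_conf, domain)
    entries = parse_ldif(ldif)

    def in_range(n):
        return n is not None and low <= int(n) <= high

    # primaryGroupID holds a RID, so index groups by the last sub-authority of objectSid.
    groups = {int(e["objectSid"][0].rsplit("-", 1)[1]): e
              for e in entries if "group" in e.get("objectClass", [])}
    problems = []
    for e in entries:
        if "user" not in e.get("objectClass", []):
            continue
        name, uid = e["sAMAccountName"][0], e.get("uidNumber", [None])[0]
        if not in_range(uid):
            problems.append((name, "uidNumber %s not inside %d-%d" % (uid, low, high)))
        # winbind resolves the primary GID through the group primaryGroupID names
        # (513, Domain Users, by default), so that group needs an in-range gidNumber.
        group = groups.get(int(e.get("primaryGroupID", ["513"])[0]))
        if group is None:
            problems.append((name, "primary group not in the dump"))
            continue
        gname, gid = group["sAMAccountName"][0], group.get("gidNumber", [None])[0]
        if not in_range(gid):
            problems.append((name, "primary group '%s' gidNumber %s not inside %d-%d"
                             % (gname, gid, low, high)))
    return problems

if __name__ == "__main__":
    found = check_mappings(SMB_CONF, LDIF, "SAMDOM")
    for name, problem in found:
        print("%s: %s" % (name, problem))
    print("%d problem(s)" % len(found))
```

On a real domain, replace the embedded LDIF with the saved output of an ldbsearch for users and groups that returns at least sAMAccountName, objectClass, objectSid, primaryGroupID, uidNumber and gidNumber. Authenticate with a Kerberos ticket or let the tool prompt for the password rather than passing `-Uadministrator%Test234!` on the command line as in the dumps above: that form records the password in shell history and shows it to every local user in the process list.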