On 08.12.2016 at 13:55, Rowland Penny via samba wrote:
> On Thu, 8 Dec 2016 12:52:53 +0100
> Oliver Heinz via samba <samba@lists.samba.org> wrote:
>
>> I'm trying to get Samba 4 AD to work with rfc2307 extensions.
>>
>> wbinfo -i fails
>>
>> root@m1:~# wbinfo -i SAMDOM\\demo01
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>
>> winbindd.log is here: http://pastebin.com/X0rEaLt2
>>
>> Pretty much everything else seems to work:
>>
>> root@m1:~# wbinfo --ping-dc
>> checking the NETLOGON for domain[SAMDOM] dc connection to "dc1.samdom.example.com" succeeded
>>
>> root@m1:~# wbinfo --uid-to-sid=10000
>> S-1-5-21-2104162034-3764151921-3268498227-1108
>>
>> root@m1:~# wbinfo --name-to-sid SAMDOM\\demo01
>> S-1-5-21-2104162034-3764151921-3268498227-1108 SID_USER (1)
>>
>> What did I miss?
>>
>> My setup:
>>
>> dc1.example.com as per
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>> m1.example.com as per
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>
>> Both with SerNet 4.5.2-9 packages
>>
>> root@dc1:~# cat /etc/samba/smb.conf
>> # Global parameters
>> [global]
>> netbios name = DC1
>> realm = SAMDOM.EXAMPLE.COM
>> workgroup = SAMDOM
>> dns forwarder = 192.168.8.10
>> server role = active directory domain controller
>> idmap_ldb:use rfc2307 = yes
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/samdom.example.com/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> root@m1:~# cat /etc/samba/smb.conf
>> [global]
>> security = ADS
>> workgroup = SAMDOM
>> realm = SAMDOM.EXAMPLE.COM
>> log file = /var/log/samba/%m.log
>> log level = 1 winbind:10
>>
>> # idmap config used for your domain.
>> # Click on the following links for more information
>> # on the available winbind idmap backends,
>> # Choose the one that fits your requirements
>> # then add the corresponding configuration.
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>> # idmap config for the SAMDOM domain
>> idmap config SAMDOM:backend = ad
>> idmap config SAMDOM:schema_mode = rfc2307
>> idmap config SAMDOM:range = 10000-999999
>> winbind nss info = rfc2307
>>
>> root@dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! samaccountname=demo01
>> # record 1
>> dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: demo01
>> instanceType: 4
>> whenCreated: 20161207153641.0Z
>> uSNCreated: 3797
>> name: demo01
>> objectGUID: f636d153-a965-4251-a5ae-64ac05c89e5d
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> primaryGroupID: 513
>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
>> accountExpires: 9223372036854775807
>> logonCount: 0
>> sAMAccountName: demo01
>> sAMAccountType: 805306368
>> userPrincipalName: demo01@samdom.example.com
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>> uidNumber: 10000
>> loginShell: /bin/bash
>> unixHomeDirectory: /home/demo01
>> msSFU30NisDomain: samdom
>> msSFU30Name: demo01
>> unixUserPassword: ABCD!efgh12345$67890
>> pwdLastSet: 131255986018743120
>> userAccountControl: 512
>> gidNumber: 10000
>> uid: demo01
>> whenChanged: 20161208113015.0Z
>> uSNChanged: 3832
>> distinguishedName: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> # returned 4 records
>> # 1 entries
>> # 3 referrals
>>
>> root@dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! cn=demogroup
>> # record 1
>> dn: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: group
>> cn: demogroup
>> instanceType: 4
>> whenCreated: 20161207161213.0Z
>> uSNCreated: 3815
>> name: demogroup
>> objectGUID: 30ea6c61-63fc-44f7-87d9-0311abbac9ae
>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1110
>> sAMAccountName: demogroup
>> sAMAccountType: 268435456
>> groupType: -2147483646
>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>> msSFU30NisDomain: SAMDOM
>> gidNumber: 10000
>> whenChanged: 20161208104335.0Z
>> uSNChanged: 3824
>> distinguishedName: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> # returned 4 records
>> # 1 entries
>> # 3 referrals
>>
>> TIA,
>> Oliver
>
> Have you given 'Domain Users' a gidNumber attribute containing a number
> inside '10000-999999' ?
>
> Rowland

I did not touch the builtin domain groups. I thought it was sufficient if the
primary posix group of that user (demogroup) was within the range. demogroup
has a gidNumber of 10000.
Do I still need to modify the domain users in that case? Any other domain
groups that I need to modify?

Oliver
On 08.12.2016 at 14:31, Oliver Heinz wrote:
>
> On 08.12.2016 at 13:55, Rowland Penny via samba wrote:
>> On Thu, 8 Dec 2016 12:52:53 +0100
>> Oliver Heinz via samba <samba@lists.samba.org> wrote:
>>
>>> I'm trying to get Samba 4 AD to work with rfc2307 extensions.
>>>
>>> wbinfo -i fails
>>>
>>> root@m1:~# wbinfo -i SAMDOM\\demo01
>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>
>>> [...]
>>
>> Have you given 'Domain Users' a gidNumber attribute containing a number
>> inside '10000-999999' ?
>>
>> Rowland
>
> I did not touch the builtin domain groups. I thought it was sufficient
> if the primary posix group of that user (demogroup) was within the
> range. demogroup has a gidNumber of 10000.
> Do I still need to modify the domain users in that case? Any other
> domain groups that I need to modify?
>
> Oliver

So I gave Domain Users 99999 and voilà:

root@m1:~# wbinfo -i SAMDOM\\demo01
SAMDOM\demo01:*:10000:99999:demo01:/home/demo01:/bin/bash

Seems samba always uses the primaryGroupID which for demo01 is set to
'Domain Users'. I'm just wondering a bit then why there is a gidNumber
as a user attribute, as it is not used in the posix context.

Thanks for your help,
Oliver
On Thu, 8 Dec 2016 14:31:40 +0100
Oliver Heinz via samba <samba@lists.samba.org> wrote:

> On 08.12.2016 at 13:55, Rowland Penny via samba wrote:
> > On Thu, 8 Dec 2016 12:52:53 +0100
> > Oliver Heinz via samba <samba@lists.samba.org> wrote:
> >
> >> I'm trying to get Samba 4 AD to work with rfc2307 extensions.
> >>
> >> wbinfo -i fails
> >>
> >> root@m1:~# wbinfo -i SAMDOM\\demo01
> >> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> >>
> >> [...]
> >
> > Have you given 'Domain Users' a gidNumber attribute containing a
> > number inside '10000-999999' ?
> >
> > Rowland
>
> I did not touch the builtin domain groups. I thought it was
> sufficient if the primary posix group of that user (demogroup)
> was within the range. demogroup has a gidNumber of 10000.

Sorry but it isn't enough ;-)

> Do I still need to modify the domain users in that case?

Most definitely yes, every AD user's primary group is 'Domain Users' and
winbind will not show any users unless this is given a gidNumber.

> Any other domain groups that I need to modify?

Probably 'Domain Admins'

Rowland
On Thu, 8 Dec 2016 14:44:16 +0100
Oliver Heinz via samba <samba@lists.samba.org> wrote:

> On 08.12.2016 at 14:31, Oliver Heinz wrote:
> > On 08.12.2016 at 13:55, Rowland Penny via samba wrote:
> >> On Thu, 8 Dec 2016 12:52:53 +0100
> >> Oliver Heinz via samba <samba@lists.samba.org> wrote:
> >>
> >>> I'm trying to get Samba 4 AD to work with rfc2307 extensions.
> >>>
> >>> [...]
> >>
> >> Have you given 'Domain Users' a gidNumber attribute containing a
> >> number inside '10000-999999' ?
> >>
> >> Rowland
> >
> > I did not touch the builtin domain groups. I thought it was
> > sufficient if the primary posix group of that user (demogroup)
> > was within the range. demogroup has a gidNumber of 10000.
> > Do I still need to modify the domain users in that case? Any other
> > domain groups that I need to modify?
> >
> > Oliver
>
> So I gave Domain Users 99999 and voilà:
>
> root@m1:~# wbinfo -i SAMDOM\\demo01
> SAMDOM\demo01:*:10000:99999:demo01:/home/demo01:/bin/bash
>
> Seems samba always uses the primaryGroupID which for demo01 is set to
> 'Domain Users'. I'm just wondering a bit then why there is a gidNumber
> as a user attribute, as it is not used in the posix context.
>
> Thanks for your help,
> Oliver

If a group doesn't have a gidNumber it is invisible to Unix.

Rowland
On 08/12/2016 13:44, Oliver Heinz wrote:
> So I gave Domain Users 99999 and voilà:
>
> root@m1:~# wbinfo -i SAMDOM\\demo01
> SAMDOM\demo01:*:10000:99999:demo01:/home/demo01:/bin/bash
>
> Seems samba always uses the primaryGroupID which for demo01 is set to
> 'Domain Users'. I'm just wondering a bit then why there is a gidNumber
> as a user attribute, as it is not used in the posix context.

I asked the same question recently:

https://lists.samba.org/archive/samba/2016-November/204786.html
https://lists.samba.org/archive/samba/2016-November/204810.html

The answer is that Samba's own winbind doesn't use the user's gidNumber, but
other consumers of Active Directory may - including RedHat's sssd-ad.

=> In the case of winbind, the user entry's gidNumber is ignored. The user's
gid is taken from the user's primary Windows group (which *must* have a
gidNumber, otherwise the user is entirely ignored by winbind)

=> In the case of sssd-ad, the user entry must have a uidNumber and gidNumber,
and that's all. There doesn't even have to be any group with a corresponding
gidNumber. The Windows primary group is ignored.

HTH,
Brian.
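As an added example (not code from the thread, from Samba or from sssd), the following Python models the two resolution rules Brian describes, run against a directory constructed from the attributes Oliver posted. winbind with idmap_ad and schema_mode = rfc2307 takes the uid from the user's uidNumber and the gid from the gidNumber of the group whose RID equals primaryGroupID, and idmap_ad only maps IDs that fall inside the domain's `idmap config SAMDOM:range`, which is why Rowland asked for a gidNumber "inside 10000-999999"; sssd-ad reads uidNumber and gidNumber off the user entry and never consults the primary group. The function names, the in-memory DIRECTORY and the unqualified sssd output name are my own assumptions; the model returns None where real winbind fails the lookup (the post shows WBC_ERR_DOMAIN_NOT_FOUND) and does not try to reproduce the error code.

```python
"""Model of how winbind (idmap_ad, schema_mode = rfc2307) and sssd-ad turn an
AD user object into a POSIX passwd entry. Added example, not Samba or sssd
code; the directory is constructed from the attribute values in the thread."""
import re
from typing import Dict, Optional, Tuple

DOMAIN = "SAMDOM"
DOMAIN_SID = "S-1-5-21-2104162034-3764151921-3268498227"
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com"

# Member-server idmap settings, copied from the posted smb.conf.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999
winbind nss info = rfc2307
"""

# Constructed directory (DN -> attributes), reduced to what the lookups read.
# demogroup has a gidNumber; Domain Users (RID 513) deliberately has none,
# the state Oliver's first post describes.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "CN=demo01,OU=example,DC=samdom,DC=example,DC=com": {
        "sAMAccountName": "demo01",
        "name": "demo01",
        "objectSid": DOMAIN_SID + "-1108",
        "primaryGroupID": "513",
        "uidNumber": "10000",
        "gidNumber": "10000",
        "unixHomeDirectory": "/home/demo01",
        "loginShell": "/bin/bash",
    },
    "CN=demogroup,OU=example,DC=samdom,DC=example,DC=com": {
        "sAMAccountName": "demogroup",
        "objectSid": DOMAIN_SID + "-1110",
        "gidNumber": "10000",
    },
    DOMAIN_USERS_DN: {
        "sAMAccountName": "Domain Users",
        "objectSid": DOMAIN_SID + "-513",
    },
}

IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$")

def parse_idmap_ranges(smb_conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain_or_star: (low, high)} for each 'idmap config X:range'."""
    ranges = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def _in_range(value: Optional[str], rng: Tuple[int, int]) -> bool:
    return value is not None and rng[0] <= int(value) <= rng[1]

def _find(directory, attr, value):
    return next((o for o in directory.values() if o.get(attr) == value), None)

def winbind_getpwnam(directory, name, smb_conf=SMB_CONF) -> Optional[str]:
    """winbind rule: uid from uidNumber, gid from the primary group's gidNumber,
    both inside the domain range; None where winbind would fail the lookup."""
    rng = parse_idmap_ranges(smb_conf)[DOMAIN]
    user = _find(directory, "sAMAccountName", name)
    if user is None or not _in_range(user.get("uidNumber"), rng):
        return None
    primary_sid = f"{DOMAIN_SID}-{user.get('primaryGroupID', '')}"
    primary = _find(directory, "objectSid", primary_sid)
    if primary is None or not _in_range(primary.get("gidNumber"), rng):
        return None  # the user's own gidNumber is never consulted here
    return (f"{DOMAIN}\\{name}:*:{user['uidNumber']}:{primary['gidNumber']}:"
            f"{user['name']}:{user['unixHomeDirectory']}:{user['loginShell']}")

def sssd_ad_getpwnam(directory, name) -> Optional[str]:
    """sssd-ad rule as Brian describes it: uidNumber and gidNumber straight off
    the user entry, primaryGroupID ignored, no matching group object needed."""
    user = _find(directory, "sAMAccountName", name)
    if user is None or "uidNumber" not in user or "gidNumber" not in user:
        return None
    return (f"{name}:*:{user['uidNumber']}:{user['gidNumber']}:"
            f"{user['name']}:{user['unixHomeDirectory']}:{user['loginShell']}")

def gidnumber_ldif(group_dn: str, gid: int) -> str:
    """LDIF for the fix Oliver applied: add a gidNumber to a group object."""
    return f"dn: {group_dn}\nchangetype: modify\nadd: gidNumber\ngidNumber: {gid}\n"

def apply_gidnumber(directory, group_dn: str, gid: int) -> None:
    """In-memory equivalent of feeding gidnumber_ldif() to ldbmodify."""
    directory[group_dn]["gidNumber"] = str(gid)

if __name__ == "__main__":
    print("winbind before:", winbind_getpwnam(DIRECTORY, "demo01"))
    print("sssd-ad before:", sssd_ad_getpwnam(DIRECTORY, "demo01"))
    apply_gidnumber(DIRECTORY, DOMAIN_USERS_DN, 99999)
    print("winbind after: ", winbind_getpwnam(DIRECTORY, "demo01"))
```

Before the fix the winbind lookup returns None while the sssd-ad lookup already succeeds; after giving Domain Users gidNumber 99999 the winbind result is the exact passwd line Oliver got, and a gidNumber outside the configured range (say 5000) makes the user disappear again. The LDIF from gidnumber_ldif() is what you would feed to ldbmodify against the DC's sam.ldb (typically /var/lib/samba/private/sam.ldb). One caveat on the posted commands: passing the password as -Uadministrator%Test234! puts it in the process list and shell history; -Uadministrator alone makes ldbsearch prompt for it.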