Gaiseric Vandal
2016-Dec-13 14:51 UTC
[Samba] wbinfo -u does not list trusted users, wbinfo -n works
Running a mix of samba versions (3.6.25 and 4.5.1) in two domains- one
"classic" (with samba domain controllers) and one AD (with windows
domain controllers.) The eventual goal is to drop the classic domain
in favor of the AD domain. Also trying to move from samba 3.x to 4.x
since Samba 3 is EOL'd.
The "wbinfo -u" command will list users in the server's domain but not
trusted domains. However the "wbinfo -n" command (e.g. "wbinfo -n
TRUSTEDDOMAIN\username") does return the user's SID, and "getent passwd"
may be able to show the trusted user (depending on idmap config.)
Typical winbind settings are
# testparm -v | grep winbind
....
winbind separator = \
winbind cache time = 300
winbind reconnect delay = 30
winbind max clients = 200
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = Yes
winbind expand groups = 1
winbind nss info = template
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
winbind rpc only = No
winbind max domain connections = 1
#
Changing "winbind use default domain" or "winbind trusted domains only"
to yes will change how the own domain users are displayed
("MYDOMAIN\username" vs "username").
Logs show errors about winbind not being able to connect to either
the own or trusted domains when I restart the winbind svc. It seems
like winbind has issues when it starts but then future "wbinfo -n"
lookups do connect. "wbinfo -D TRUSTDOMAIN" works.
I used to run just samba 3.6.25 in a classic domain. Trusts with AD
domains were fine until the various BADLOCK related patches came out
for windows. Samba 3.6.25 with backported badlock patches seemed to
fix trust issues with domains BUT broke windows client logins. I
think I just need to get away from samba 3 (and classic domains) or I
will continue to have issues with the latest versions of windows.
thanks
Gaiseric Vandal
2016-Dec-14 19:46 UTC
[Samba] wbinfo -u does not list trusted users, wbinfo -n works, idmap not working
On the samba 4.5.1 domain controllers (PDC and BDC), classic domain,
LDAP is used as the backend for both user accounts AND for the idmapping
of trusted domains. Partial smb.conf below
workgroup = THISDOMAIN
security = user
passdb backend = ldapsam:ldap://xxxxxxxxxxxxxxxxx
idmap config * : backend = tdb
idmap config * : range = 5000-6000
idmap config THISDOMAIN : backend = nss
idmap config THISDOMAIN : range = 100-300
idmap config TRUSTEDDOMAIN:backend = ldap
idmap config TRUSTEDDOMAIN:readonly = no
idmap config TRUSTEDDOMAIN:default=no
idmap config TRUSTEDDOMAIN:ldap_base_dn = ou=xxxxxxxxxx
idmap config TRUSTEDDOMAIN:ldap_user_dn = xxxxxxxxx
idmap config TRUSTEDDOMAIN:ldap_url = ldap://xxxxxxxxxxx
idmap config TRUSTEDDOMAIN:range = 30000-39999
On the 4.5.1 domain members I have tried TDB backend for trusted domains idmapping ...
idmap config TRUSTEDDOMAIN : backend = tdb
idmap config TRUSTEDDOMAIN : range = 30000-39999
...and I have tried LDAP backend
idmap config TRUSTEDDOMAIN:backend = ldap
idmap config TRUSTEDDOMAIN:readonly = no
idmap config TRUSTEDDOMAIN:default=no
idmap config TRUSTEDDOMAIN:ldap_base_dn = ou=xxxxxxxxxx
idmap config TRUSTEDDOMAIN:ldap_user_dn = xxxxxxxxx
idmap config TRUSTEDDOMAIN:ldap_url = ldap://xxxxxxxxxxx
idmap config TRUSTEDDOMAIN:range = 30000-39999
But idmap fails regardless on the domain members.
# /usr/local/samba/bin/wbinfo -n "THISDOMAIN\myname"
S-1-5-21-xxx-xxx-xxx-xxx SID_USER (1)
# /usr/local/samba/bin/wbinfo -i "THISDOMAIN\myname"
THISDOMAIN\myname:*:123:100:My Name :/home/THISDOMAIN/myname:/bin/false
# /usr/local/samba/bin/wbinfo -n "TRUSTEDUSER\someuser"
S-1-5-21-xxx-xxx-xxx-xxx SID_USER (1)
# /usr/local/samba/bin/wbinfo -i "TRUSTEDUSER\someuser"
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user TRUSTEDUSER\someuser
#
# /usr/local/samba/bin/wbinfo --allocate-uid
failed to call wbcAllocateUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not allocate a uid
#
I could never get idmapping for trusted domains working on member
servers with samba 3.6.x either.
It seems that wbinfo just doesn't like trusted domains.
I am presuming that I can only use idmap ad backend for my "own"
domain (if I were in an AD domain) and not for trusted domains. I also
suspect that idmap ldap backend is only valid on domain controllers.
Appreciate any help.
Thanks
On 12/13/16 09:51, Gaiseric Vandal wrote:
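A small checker, added here as an example and not part of the thread or of Samba itself, that parses the "idmap config" lines from an smb.conf fragment and flags what most often makes winbind fail to map trusted-domain SIDs: a domain with no range, overlapping ranges between domains (two SIDs could collide on one uid), and an ldap backend missing its connection keys. The sample config is constructed after the fragments quoted above, with the ldap_* keys deliberately left out so the check has something to report.

```python
import re

# Matches both "idmap config DOM : key = value" and "idmap config DOM:key=value"
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)
# Keys the ldap idmap backend needs before it can talk to the directory
LDAP_KEYS = ("ldap_url", "ldap_base_dn", "ldap_user_dn")

# Constructed sample, modelled on the thread's member-server config
SAMPLE_SMB_CONF = """
workgroup = THISDOMAIN
idmap config * : backend = tdb
idmap config * : range = 5000-6000
idmap config THISDOMAIN : backend = nss
idmap config THISDOMAIN : range = 100-300
idmap config TRUSTEDDOMAIN:backend = ldap
idmap config TRUSTEDDOMAIN:readonly = no
idmap config TRUSTEDDOMAIN:range = 30000-39999
"""

def parse_idmap(text):
    """Return {DOMAIN: {key: value}} for every 'idmap config' line."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[key] = val
    return cfg

def check_idmap(cfg):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings, ranges = [], []
    for dom, keys in cfg.items():
        if "range" not in keys:
            findings.append(f"{dom}: no range configured")
            continue
        lo, hi = (int(x) for x in keys["range"].split("-"))
        if lo >= hi:
            findings.append(f"{dom}: empty range {lo}-{hi}")
        ranges.append((dom, lo, hi))
        if keys.get("backend", "").lower() == "ldap":
            missing = [k for k in LDAP_KEYS if k not in keys]
            if missing:
                findings.append(f"{dom}: ldap backend missing {', '.join(missing)}")
    # Two domains sharing uids is both a mapping failure and an authorization bug
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"{d1} and {d2}: ranges overlap")
    return findings

if __name__ == "__main__":
    for finding in check_idmap(parse_idmap(SAMPLE_SMB_CONF)):
        print(finding)
```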
Gaiseric Vandal
2016-Dec-19 22:17 UTC
[Samba] wbinfo -u does not list trusted users, wbinfo -n works, idmap not working
On both Samba 4.5.1 member server and Samba 3.6.25 member server I tried
the following command
wbinfo --set-uid-mapping=35049,S-1-5-21-xx-xx-xxx-xxx
this should have created a mapping entry consistent with the one on the
domain controller for a trusted user
But I got the following error
failed to call wbcSetUidMapping: WBC_ERR_NOT_IMPLEMENTED
As far as I can tell from network captures and looking at logs on the
PDC, any "wbinfo" commands on the member servers only query the PDC for
their own domain, even if they are querying info on users from a trusted
domain.
wbinfo -a (--authenticate) does work from member servers
# /usr/local/samba/bin/wbinfo -a "TRUSTEDDOMAIN\someuser"
Enter TRUSTEDDOMAIN\someuser's password:
plaintext password authentication succeeded
Enter TRUSTEDDOMAIN\someuser's password:
challenge/response password authentication succeeded
#
On 12/14/16 14:46, Gaiseric Vandal wrote: