samba - Feb 2018 - Winbind idmap partially fails to load attributes with 4.6.7 (Ubuntu 17.10)

Greetings, All!

I'm stumbled upon an event I can't understand. Rolled out a new Ubuntu
17.10
box in preparation for eventual 18.04 launch and… it just does not fly.

Here's a brief and apparent summary of the problem:

$ smbd -V; getent passwd anrdaemon

Version 4.3.11-Ubuntu (14.04, 16.04)
anrdaemon:*:10000:10001:Andrey Repin,,,,umask=0027:/home/anrdaemon:/bin/bash

Version 4.6.7-Ubuntu (17.10)
anrdaemon:*:10000:10001::/home/DARKDRAGON/anrdaemon:/bin/false

The data retrieved by 4.3.11 client is correct as written in AD.
On 4.6.7, only UID:GID is correct. The rest comes from local template.

Both hosts are setup from the same script, with same set of related packages,
with identical set of related configuration files (in fact, they were sourced
from fame templates for this test)

Related installed modules: libnss-winbind, libpam-krb5.

nsswitch.conf and krb5.conf are exactly the same.

Here's a comprehensive run through the smb.conf on two hosts (thanks to
GitHub):
https://gist.github.com/AnrDaemon/d559668017220fabbba37528855e75f5/revisions

On all hosts I'm able to retrieve at least partial information, which means
NSS somehow works, and I'm able to authenticate, making PAM working too.
Of course, I get booted from 17.10 box due to wrong shell.

Any ideas?


-- 
With best regards,
Andrey Repin
Sunday, February 18, 2018 01:31:36

Sorry for my terrible english...

Hello,
I think the configuration changed in 4.6. see here:

https://wiki.samba.org/index.php/Idmap_config_ad

Regards


> Am 18.02.2018 um 00:00 schrieb Andrey Repin via samba <samba at
lists.samba.org>:
> 
> Greetings, All!
> 
> I'm stumbled upon an event I can't understand. Rolled out a new
Ubuntu 17.10
> box in preparation for eventual 18.04 launch and… it just does not fly.
> 
> Here's a brief and apparent summary of the problem:
> 
> $ smbd -V; getent passwd anrdaemon
> 
> Version 4.3.11-Ubuntu (14.04, 16.04)
> anrdaemon:*:10000:10001:Andrey
Repin,,,,umask=0027:/home/anrdaemon:/bin/bash
> 
> Version 4.6.7-Ubuntu (17.10)
> anrdaemon:*:10000:10001::/home/DARKDRAGON/anrdaemon:/bin/false
> 
> The data retrieved by 4.3.11 client is correct as written in AD.
> On 4.6.7, only UID:GID is correct. The rest comes from local template.
> 
> Both hosts are setup from the same script, with same set of related
packages,
> with identical set of related configuration files (in fact, they were
sourced
> from fame templates for this test)
> 
> Related installed modules: libnss-winbind, libpam-krb5.
> 
> nsswitch.conf and krb5.conf are exactly the same.
> 
> Here's a comprehensive run through the smb.conf on two hosts (thanks to
GitHub):
>
https://gist.github.com/AnrDaemon/d559668017220fabbba37528855e75f5/revisions
> 
> On all hosts I'm able to retrieve at least partial information, which
means
> NSS somehow works, and I'm able to authenticate, making PAM working
too.
> Of course, I get booted from 17.10 box due to wrong shell.
> 
> Any ideas?
> 
> 
> -- 
> With best regards,
> Andrey Repin
> Sunday, February 18, 2018 01:31:36
> 
> Sorry for my terrible english...
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
-- 
Dr. Christian Naumer
Research Scientist
Plattform-Koordinator Bioprozesstechnik

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
fon +49-6251-9331-30  /   fax +49-6251-9331-11

Follow @BRAINbiotech on Twitter: https://twitter.com/BRAINbiotech
Read BRAIN's magazine: https://www.brain-biotech.de/blickwinkel

Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Dr. Juergen Eck (Vorsitzender), Frank Goebel
Aufsichtsratsvorsitzender: Dr. Ludger Mueller

On Sun, 18 Feb 2018 02:00:35 +0300
Andrey Repin via samba <samba at lists.samba.org> wrote:
> Greetings, All!
> 
> I'm stumbled upon an event I can't understand. Rolled out a new
> Ubuntu 17.10 box in preparation for eventual 18.04 launch and… it
> just does not fly.
> 
> Here's a brief and apparent summary of the problem:
> 
> $ smbd -V; getent passwd anrdaemon
> 
> Version 4.3.11-Ubuntu (14.04, 16.04)
> anrdaemon:*:10000:10001:Andrey
> Repin,,,,umask=0027:/home/anrdaemon:/bin/bash
> 
> Version 4.6.7-Ubuntu (17.10)
> anrdaemon:*:10000:10001::/home/DARKDRAGON/anrdaemon:/bin/false
> 
> The data retrieved by 4.3.11 client is correct as written in AD.
> On 4.6.7, only UID:GID is correct. The rest comes from local template.
> 
> Both hosts are setup from the same script, with same set of related
> packages, with identical set of related configuration files (in fact,
> they were sourced from fame templates for this test)
> 
> Related installed modules: libnss-winbind, libpam-krb5.
> 
> nsswitch.conf and krb5.conf are exactly the same.
> 
> Here's a comprehensive run through the smb.conf on two hosts (thanks
> to GitHub):
>
https://gist.github.com/AnrDaemon/d559668017220fabbba37528855e75f5/revisions
> 
> On all hosts I'm able to retrieve at least partial information, which
> means NSS somehow works, and I'm able to authenticate, making PAM
> working too. Of course, I get booted from 17.10 box due to wrong
> shell.
> 
> Any ideas?
Yes, don't post the output of 'testparm -v', just post the output of
'testparm'. Also don't post a 'diff', post two separate
smb.conf files,
better still post them into a post here.

I refuse to try and wade through all those parameters, when most of
them are DEFAULT settings.

Rowland

Greetings, Christian Naumer!
> Hello,
> I think the configuration changed in 4.6. see here:
> https://wiki.samba.org/index.php/Idmap_config_ad
Thanks, Christian, most appreciated!

$ smbd -V; getent passwd anrdaemon
Version 4.6.7-Ubuntu
anrdaemon:*:10000:10001:Andrey Repin,,,,umask=0027:/home/anrdaemon:/bin/bash

Unfortunately, there's no way to find these settings, unless you know they
are
there...


-- 
With best regards,
Andrey Repin
Monday, February 19, 2018 00:17:12

Sorry for my terrible english...

Greetings, Rowland Penny!
> Yes, don't post the output of 'testparm -v', just post the
output of
> 'testparm'. Also don't post a 'diff', post two separate
smb.conf files,
> better still post them into a post here.
> I refuse to try and wade through all those parameters, when most of
> them are DEFAULT settings.
I wasn't expecting anything better from you.
Honestly, I was not expecting a reply at all. But you just broke a new low.


-- 
With best regards,
Andrey Repin
Monday, February 19, 2018 00:28:13

Sorry for my terrible english...