I suspect there's something wrong in wbinfo on a freshly installed Samba AD Domain Controller on Ubuntu 18.04 server.
wbinfo does not resolve Windows SID to usernames:

# wbinfo -S S-1-5-21-299502267-616249376-1417001333-14107
3000103

I should see "SAMDOM\username" instead of "3000103", right?

getfacl has the same behavior:

# getfacl /var/lib/samba/sysvol
# file: var/lib/samba/sysvol
# owner: root
# group: 3000073
user::rwx
user:root:rwx
user:3000000:rwx
user:3000013:r-x
user:3000014:r-x
user:3000073:rwx
group::rwx
group:3000000:rwx
group:3000013:r-x
group:3000014:r-x
group:3000073:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000013:r-x
default:user:3000014:r-x
default:user:3000073:rwx
default:group::---
default:group:3000000:rwx
default:group:3000013:r-x
default:group:3000014:r-x
default:group:3000073:rwx
default:mask::rwx
default:other::---

What's wrong?

Some other info below:

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04 LTS
Release:        18.04
Codename:       bionic

# samba --version
Version 4.7.6-Ubuntu

# cat /etc/samba/smb.conf
[global]
        bind interfaces only = Yes
        interfaces = lo eth_lan
        netbios name = SRVADDC
        realm = SAMDOM.LOCAL
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = SAMDOM
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = Yes

        # logging
        log level = 4
        log file = /var/log/samba/samba.log.%m
        debug timestamp = yes
        # Cap the size of the individual log files (in KiB).
        max log size = 10000

[netlogon]
        path = /var/lib/samba/sysvol/samdom.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
On Mon, 2 Jul 2018 12:16:42 +0200
"Ing. Claudio Nicora via samba" <samba at lists.samba.org> wrote:

> I suspect there's something wrong in wbinfo on a freshly installed
> Samba AD Domain Controller on Ubuntu 18.04 server.
> wbinfo does not resolve Windows SID to usernames:
>
> # wbinfo -S S-1-5-21-299502267-616249376-1417001333-14107
> 3000103
>
> I should see "SAMDOM\username" instead of "3000103", right?

Not necessarily ;-)

On a DC, idmap.ldb is used to map AD users & groups to 'xidNumbers'. It takes the 'SID-RID' and maps this to the next available number in the '3000000' range. Now winbind can map some of these xidNumbers to names, but not all, and it will not map any xidNumbers to names if libnss_winbind isn't set up correctly.

>
> # samba --version
> Version 4.7.6-Ubuntu
>
> # cat /etc/samba/smb.conf
> [global]
>         bind interfaces only = Yes
>         interfaces = lo eth_lan
>         netbios name = SRVADDC
>         realm = SAMDOM.LOCAL
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = SAMDOM
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind use default domain = Yes

You should remove the three 'winbind' lines: you do not need the first two (and they can slow things down), and the last one does nothing on a DC.

Rowland
On Mon, 2 Jul 2018 13:41:16 +0200
"Ing. Claudio Nicora" <claudio.nicora at gmail.com> wrote:

> > Now winbind can map some of these xidNumbers to names, but not all
> > and it will not map any xidNumbers to names if libnss_winbind isn't
> > set up correctly.
> Now I've changed /etc/nsswitch.conf and added "winbind" like this:
>
> # cat /etc/nsswitch.conf
> passwd:         compat systemd winbind
> group:          compat systemd winbind
> shadow:         compat winbind

You should remove 'winbind' from the shadow line, it isn't required.

>
> now getfacl shows group names (with some strange chars in them) but
> still not users:

That is all perfectly normal on a Samba AD DC. The only way to get all users and groups mapped to names is to use uidNumber & gidNumber attributes for all users & groups. This is NOT recommended on a DC, because of sysvol, where some groups also have to be users to own things. This is done in idmap.ldb, where groups are mapped to ID_TYPE_BOTH; if you give the wrong group a gidNumber, it will become just a group, and a group cannot own anything on Linux.

> You're right. I've added them when trying to fix it; they were not
> present at first place.
> PS I've followed this guide step by step:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

Just as an aside, I think you will find that 'sysvol' is mostly empty; you will need to sync it from the DC you joined this one to.

Rowland
> You should remove 'winbind' from the shadow line, it isn't required.

Done, thanks.

> That is all perfectly normal on a Samba AD DC. The only way to get all
> users and groups mapped to names is to use uidNumber & gidNumber
> attributes for all users & groups. This is NOT recommended on a DC,
> because of sysvol, where some groups also have to be users to
> own things. This is done in idmap.ldb, where groups are mapped to
> ID_TYPE_BOTH; if you give the wrong group a gidNumber, it will become
> just a group, and a group cannot own anything on Linux.

Ok. This is the first Samba DC I'm playing with and I like to check everything before putting it into production.

> Just as an aside, I think you will find that 'sysvol' is mostly empty;
> you will need to sync it from the DC you joined this one to.
>
> Rowland

I've replicated sysvol with robocopy (from Windows) and configured a task to keep things in sync until the Windows DC is demoted.

What about the strange chars in getfacl output? They seem like escape sequences:
"default:group:BUILTIN\134administrators:rwx"
should read
"default:group:BUILTIN\administrators:rwx", right?
Is there something wrong here?
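Added example, not from the thread or the Samba project: a small Python parser that decodes getfacl's backslash-octal escapes (\134 is octal for the backslash, which is why BUILTIN\administrators prints as BUILTIN\134administrators) and lists the qualifiers still shown as bare idmap.ldb xidNumbers, i.e. the ones libnss_winbind did not resolve. The sample getfacl output is constructed to mirror the thread.

```python
import re

# Constructed sample of getfacl output, modelled on the thread: one group name
# carries an octal-escaped backslash (\134), another entry is still a raw xid.
SAMPLE_GETFACL = """\
# file: var/lib/samba/sysvol
# owner: root
# group: 3000073
user::rwx
user:root:rwx
user:3000000:rwx
group::rwx
group:BUILTIN\\134administrators:rwx
default:group:BUILTIN\\134administrators:rwx
mask::rwx
other::---
"""

# getfacl writes special characters (backslash, control chars) as \ooo octal.
_OCTAL = re.compile(r"\\([0-7]{3})")


def unescape_getfacl(name: str) -> str:
    """Decode getfacl's backslash-octal escapes, e.g. \\134 -> a literal backslash."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_acl(text: str):
    """Return (tag, qualifier, perms) for each ACL entry, with qualifiers unescaped.

    Entries look like [default:]tag:qualifier:perms; '# ...' lines are the header.
    """
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        tag = parts[0]
        if tag == "default":          # default ACL entry: keep the prefix in the tag
            parts = parts[1:]
            tag = "default:" + parts[0]
        entries.append((tag, unescape_getfacl(parts[1]), parts[2]))
    return entries


def unresolved_xids(entries, low=3000000):
    """Qualifiers that are still bare xidNumbers from idmap.ldb's 3000000 range."""
    return sorted({q for _, q, _ in entries if q.isdigit() and int(q) >= low})
```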
On Mon, Jul 02, 2018 at 12:16:42PM +0200, Ing. Claudio Nicora via samba wrote:
>I suspect there's something wrong in wbinfo on a freshly installed
>Samba AD Domain Controller on Ubuntu 18.04 server.
>wbinfo does not resolve Windows SID to usernames:
>
># wbinfo -S S-1-5-21-299502267-616249376-1417001333-14107
>3000103
>
>I should see "SAMDOM\username" instead of "3000103", right?

No, you get what you asked for: -S. You want -s. :)

-slow

--
Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH            https://sernet.de/en/samba/
GPG Key Fingerprint: FAE2 C608 8A24 2520 51C5 59E4 AA1E 9B71 2639 9E46
>> I suspect there's something wrong in wbinfo on a freshly installed
>> Samba AD Domain Controller on Ubuntu 18.04 server.
>> wbinfo does not resolve Windows SID to usernames:
>>
>> # wbinfo -S S-1-5-21-299502267-616249376-1417001333-14107
>> 3000103
>>
>> I should see "SAMDOM\username" instead of "3000103", right?
>
> No, you get what you asked for: -S. You want -s. :)
>
> -slow
>

You're right, I feel so stupid ;)
Right now it returns the correct username:

# wbinfo -s S-1-5-21-299502267-616249376-1417001333-14107
SAMDOM\username 1

Thanks ;)
On Mon, 2 Jul 2018 15:23:01 +0200
Ralph Böhme via samba <samba at lists.samba.org> wrote:

> On Mon, Jul 02, 2018 at 12:16:42PM +0200, Ing. Claudio Nicora via
> samba wrote:
> >I suspect there's something wrong in wbinfo on a freshly installed
> >Samba AD Domain Controller on Ubuntu 18.04 server.
> >wbinfo does not resolve Windows SID to usernames:
> >
> ># wbinfo -S S-1-5-21-299502267-616249376-1417001333-14107
> >3000103
> >
> >I should see "SAMDOM\username" instead of "3000103", right?
>
> No, you get what you asked for: -S. You want -s. :)

Oh, good catch.

>
> -slow
>