samba - Jul 2018 - wbinfo not resolving SID to username

I suspect there's something wrong in wbinfo on a freshly installed Samba 
AD Domain Controller on Ubuntu 18.04 server.
wbinfo does not resolve Windows SID to usernames:

# wbinfo -S S-1-5-21-299502267-616249376-1417001333-14107
3000103

I should see "SAMDOM\username" instead of "3000103", right?

getfacls has the same behavior:

# getfacl /var/lib/samba/sysvol
# file: var/lib/samba/sysvol
# owner: root
# group: 3000073
user::rwx
user:root:rwx
user:3000000:rwx
user:3000013:r-x
user:3000014:r-x
user:3000073:rwx
group::rwx
group:3000000:rwx
group:3000013:r-x
group:3000014:r-x
group:3000073:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000013:r-x
default:user:3000014:r-x
default:user:3000073:rwx
default:group::---
default:group:3000000:rwx
default:group:3000013:r-x
default:group:3000014:r-x
default:group:3000073:rwx
default:mask::rwx
default:other::---

What's wrong?

Some other info below:

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04 LTS
Release:        18.04
Codename:       bionic

# samba --version
Version 4.7.6-Ubuntu

# cat /etc/samba/smb.conf
[global]
         bind interfaces only = Yes
         interfaces = lo eth_lan
         netbios name = SRVADDC
         realm = SAMDOM.LOCAL
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
drepl, winbindd, ntp_signd, kcc, dnsupdate
         workgroup = SAMDOM
         winbind enum users = yes
         winbind enum groups = yes
         winbind use default domain = Yes

         # logging
         log level = 4
         log file = /var/log/samba/samba.log.%m
         debug timestamp = yes

         # Cap the size of the individual log files (in KiB).
         max log size = 10000

[netlogon]
         path = /var/lib/samba/sysvol/samdom.local/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No

On Mon, 2 Jul 2018 12:16:42 +0200
"Ing. Claudio Nicora via samba" <samba at lists.samba.org>
wrote:
> I suspect there's something wrong in wbinfo on a freshly installed
> Samba AD Domain Controller on Ubuntu 18.04 server.
> wbinfo does not resolve Windows SID to usernames:
> 
> # wbinfo -S S-1-5-21-299502267-616249376-1417001333-14107
> 3000103
> 
> I should see "SAMDOM\username" instead of "3000103",
right?
Not necessarily ;-)

On a DC, idmap.ldb is used to map AD users & groups to 'xidNumbers'.
It takes the 'SID-RID' and maps this to the next available number in
the '3000000' range.

Now winbind can map some of these xidNumbers to names, but not all and
it will not map any xidNumbers to names if libnss_winbind isn't set up
correctly.

> 
> # samba --version
> Version 4.7.6-Ubuntu
> 
> # cat /etc/samba/smb.conf
> [global]
>          bind interfaces only = Yes
>          interfaces = lo eth_lan
>          netbios name = SRVADDC
>          realm = SAMDOM.LOCAL
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>          workgroup = SAMDOM
>          winbind enum users = yes
>          winbind enum groups = yes
>          winbind use default domain = Yes
You should remove the three 'winbind' lines, you do not need the first
two (and they can slow things down) and the last one does nothing on a
DC.

Rowland

On Mon, 2 Jul 2018 13:41:16 +0200
"Ing. Claudio Nicora" <claudio.nicora at gmail.com> wrote:
> > Now winbind can map some of these xidNumbers to names, but not all
> > and it will not map any xidNumbers to names if libnss_winbind
isn't
> > set up correctly.
> Now I've changed /etc/nsswitch.conf and added "winbind" like
this:
> 
> # cat /etc/nsswitch.conf
> passwd:         compat systemd winbind
> group:          compat systemd winbind
> shadow:         compat winbind
you should remove 'winbind' from the shadow line, it isn't required.
> 
> now getfacl shows group names (with some strange chars in them) but 
> still not users:
That is all perfectly normal on a Samba AD DC. The only way to get all
users and groups mapped to names, is to use uidNumber & gidNumber
attributes for all users & groups. This is NOT recommended on a DC, this
is because of sysvol, where some groups have also to be users to own
things. This is done in idmap.ldb where groups are mapped to
ID_TYPE_BOTH, if you give the wrong group a gidNumber, it will become
just a group and a group cannot own anything on Linux.
 
> You're right. I've added them when trying to fix it; they were not 
> present at first place.
> PS I've followed this guide step by step: 
>
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
Just as an aside, I think you will find that 'sysvol' is mostly empty,
you will need to sync it from the DC you joined this one to.

Rowland

> you should remove 'winbind' from the shadow line, it isn't
required.
Done, thanks.
> That is all perfectly normal on a Samba AD DC. The only way to get all
> users and groups mapped to names, is to use uidNumber & gidNumber 
> attributes for all users & groups. This is NOT recommended on a DC, 
> this is because of sysvol, where some groups have also to be users to 
> own things. This is done in idmap.ldb where groups are mapped to 
> ID_TYPE_BOTH, if you give the wrong group a gidNumber, it will become 
> just a group and a group cannot own anything on Linux. 
Ok. This is the first Samba DC I'm playing with and I like to check 
everything before putting it into production.
> Just as an aside, I think you will find that 'sysvol' is mostly
empty,
> you will need to sync it from the DC you joined this one to. Rowland
I've replicated sysvol with robocopy (from the Windows) and configured a 
task to keep things in sync till the Windows DC will be demoted.

What about the strange chars in getfacl output? They seem like escape 
sequences:
"default:group:BUILTIN\134administrators:rwx" should read 
"default:group:BUILTIN\administrators:rwx", right?

Is there something wrong here?

On Mon, Jul 02, 2018 at 12:16:42PM +0200, Ing. Claudio Nicora via samba
wrote:
>I suspect there's something wrong in wbinfo on a freshly installed 
>Samba AD Domain Controller on Ubuntu 18.04 server.
>wbinfo does not resolve Windows SID to usernames:
>
># wbinfo -S S-1-5-21-299502267-616249376-1417001333-14107
>3000103
>
>I should see "SAMDOM\username" instead of "3000103",
right?
No, you get what you asked for: -S. You want -s. :)

-slow

-- 
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG Key Fingerprint:           FAE2 C608 8A24 2520 51C5
                               59E4 AA1E 9B71 2639 9E46

>> I suspect there's something wrong in wbinfo on a freshly installed 
>> Samba AD Domain Controller on Ubuntu 18.04 server.
>> wbinfo does not resolve Windows SID to usernames:
>>
>> # wbinfo -S S-1-5-21-299502267-616249376-1417001333-14107
>> 3000103
>>
>> I should see "SAMDOM\username" instead of
"3000103", right?
>
> No, you get what you asked for: -S. You want -s. :)
>
> -slow
>
You're right, feel so stupid ;)

Right now it returns the correct username:

# wbinfo -s S-1-5-21-299502267-616249376-1417001333-14107
SAMDOM\username 1

Thanks ;)

On Mon, 2 Jul 2018 15:23:01 +0200
Ralph Böhme via samba <samba at lists.samba.org> wrote:
> On Mon, Jul 02, 2018 at 12:16:42PM +0200, Ing. Claudio Nicora via
> samba wrote:
> >I suspect there's something wrong in wbinfo on a freshly installed 
> >Samba AD Domain Controller on Ubuntu 18.04 server.
> >wbinfo does not resolve Windows SID to usernames:
> >
> ># wbinfo -S S-1-5-21-299502267-616249376-1417001333-14107
> >3000103
> >
> >I should see "SAMDOM\username" instead of
"3000103", right?
> 
> No, you get what you asked for: -S. You want -s. :)
Oh, good catch
> 
> -slow
>