Jens Günther
2019-Jan-16 16:54 UTC
[Samba] Problems after upgrade from Samba3/OpenLDAP to Samba4 - New Useraccounts aren't properly working
Hello! We've got some problems after an upgrade from OpenLDAP and Samba3 to Samba4 AD (4.5.12 on Debian 9). After a successful upgrade, we can't create any new properly working user accounts with the RSAT MMC (Windows 2k8, which is connected to the DC). The account can be created in RSAT and can even log in on a Windows 7 client - which is fine - but the account does not get any access to network shares. On the DC side you can retrieve the user accounts via "wbinfo -u" (the old and new ones), respectively old and new groups via "wbinfo -g", but when you execute "getent passwd" it will only display the old user accounts and not the new ones. It seems new accounts don't get valuable uid/gid. Does somebody know how to fix this problem?
Rowland Penny
2019-Jan-16 17:30 UTC
[Samba] Problems after upgrade from Samba3/OpenLDAP to Samba4 - New Useraccounts aren't properly working
On Wed, 16 Jan 2019 17:54:04 +0100 (CET) Jens Günther via samba <samba at lists.samba.org> wrote:

> Hello!
>
> We've got some problems after an upgrade from OpenLDAP and Samba3 to
> Samba4 AD (4.5.12 on Debian 9). After a successful upgrade, we can't
> create any new properly working user accounts with the RSAT MMC
> (Windows 2k8, which is connected to the DC). The account can be
> created in RSAT and can even log in on a Windows 7 client - which is
> fine - but the account does not get any access to network shares. On
> the DC side you can retrieve the user accounts via "wbinfo -u" (the old
> and new ones), respectively old and new groups via "wbinfo -g", but
> when you execute "getent passwd" it will only display the old
> user accounts and not the new ones. It seems new accounts don't get
> valuable uid/gid. Does somebody know how to fix this problem?

I take it you mean that you have run classicupgrade and now have a Samba AD DC with the users and groups from the old NT4-style domain.

You are now creating users on a Windows machine using RSAT. Do you have the Unix Attributes tab? If not, you need it. A normal Windows user does not get any rfc2307 attributes by default; you need to add them via the Unix Attributes tab. Other ways of adding them are available.

Rowland
Stefan Kania
2019-Jan-19 19:37 UTC
[Samba] Problems after upgrade from Samba3/OpenLDAP to Samba4 - New Useraccounts aren't properly working
Do you have the getent problem on your DC or your fileserver?

If it's on a fileserver, did you check that the RID is inside the range you set up in smb.conf?

On 16.01.19 at 17:54, Jens Günther via samba wrote:

> Hello!
>
> We've got some problems after an upgrade from OpenLDAP and Samba3 to Samba4 AD (4.5.12 on Debian 9). After a successful upgrade, we can't create any new properly working user accounts with the RSAT MMC (Windows 2k8, which is connected to the DC). The account can be created in RSAT and can even log in on a Windows 7 client - which is fine - but the account does not get any access to network shares. On the DC side you can retrieve the user accounts via "wbinfo -u" (the old and new ones), respectively old and new groups via "wbinfo -g", but when you execute "getent passwd" it will only display the old user accounts and not the new ones. It seems new accounts don't get valuable uid/gid. Does somebody know how to fix this problem?

--
Stefan Kania
Rowland Penny
2019-Jan-19 20:03 UTC
[Samba] Problems after upgrade from Samba3/OpenLDAP to Samba4 - New Useraccounts aren't properly working
On Sat, 19 Jan 2019 20:37:18 +0100 Stefan Kania via samba <samba at lists.samba.org> wrote:

> Do you have the getent problem on your DC or your fileserver?
>
> If it's on a fileserver did you check that the RID is inside the range
> you set up in smb.conf?

That would be a good trick ;-)

I think you meant 'uidNumber' instead of 'RID'. You are quite correct though, more info is required.

Rowland
Rowland Penny
2019-Jan-23 13:04 UTC
[Samba] Problems after upgrade from Samba3/OpenLDAP to Samba4 - New Useraccounts aren't properly working
On Wed, 23 Jan 2019 13:10:04 +0100 (CET) Jens Günther <guenther at soscomp.de> wrote:

> Thank you so much for your replies. In the meantime, I was able to
> talk to the consultant again, who - as you already suspect - did the
> "classicupgrade" with us. He explained to me that we changed from
> rfc2307 to rid after the classic upgrade.

Did he explain why you changed to the winbind 'rid' backend? Whilst this would have changed all folder & file ownerships on any Unix domain members, it wouldn't have affected your Windows clients.

> Here is a snippet of our
> smb.conf:
>
> winbind enum users = yes
> winbind enum groups = yes

Did he also not advise you that the above two lines should only be used for testing purposes?

> winbind use default domain = yes
> winbind refresh tickets = yes
>
> # winbind nss info = rfc2307
> template shell = /bin/bash
> ## idmap config for domain DOM
> #idmap config DOM:backend = rid
> #idmap config DOM:schema_mode = rfc2307
> #idmap config DOM:range = 40000-49999
>
> idmap backend = tdb
> idmap config * : range = 900000 - 999999

There is absolutely no reason for allowing for '99,999' users or groups in the '*' domain, to be honest '999' is too much.

> idmap config DOM : backend = rid
> idmap config DOM : range = 400000 - 499999

When was the 'DOM' changed from '40000-49999' to '400000-499999'? Have any files or folders been created since the change? Were any created before the change?

> Also a snippet of our nsswitch.conf:
>
> /etc/nsswitch.conf looks like
> passwd: files winbind
> group: files winbind
> shadow: files winbind

Remove 'winbind' from the shadow line, it shouldn't be there.

> After installing the UNIX Attribute tab in the RSAT by reinstalling
> the "Server for NIS Tools" feature on the management server, I
> noticed that the UIDs/GIDs must have stayed the same before the
> switch to RID. At least for the users other UIDs are displayed in the
> Unix attribute tab. The home path is also wrong. It points to the old
> one before the change. We would be very pleased about further
> solution suggestions. Many thanks in advance for your efforts!

When you ran classicupgrade, it created your users & groups with the same uidNumber & gidNumber attributes as your old PDC. When you changed to the 'rid' backend (again, why?), these attributes would just have been ignored and not removed.

As to how to fix this? This depends on how long ago the upgrade was carried out, the amount of data you have and what the ownership of this data (files & folders on Unix) is (i.e. does it all show ownership by the correct name, or is some of it owned by the wrong name or a number).

Rowland
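
Added example, not part of the original thread or of Samba's code: a small Python check that parses the active `idmap config` lines from an smb.conf fragment and applies the formula documented in idmap_rid(8) (ID = RID - BASE_RID + LOW_RANGE_ID) to show which Unix ID the 'rid' backend hands out, next to the uidNumber stored in AD that it ignores. It assumes a Unix domain member running winbind; the account names, RIDs and uidNumber values are constructed for illustration.

```python
import re

# Constructed smb.conf fragment modelled on the settings quoted in the thread.
SMB_CONF = """\
#idmap config DOM:range = 40000-49999
idmap config * : range = 900000 - 999999
idmap config DOM : backend = rid
idmap config DOM : range = 400000 - 499999
"""
# Constructed accounts: name -> (RID, uidNumber stored in AD, or None if unset).
ACCOUNTS = {"olduser": (1105, 1001), "newuser": (1620, None)}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} from active (uncommented) lines."""
    cfg = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return cfg

def parse_range(value):
    """'400000 - 499999' -> (400000, 499999)."""
    low, high = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip()).groups()
    return int(low), int(high)

def rid_to_unix_id(rid, low, high, base_rid=0):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID; None if out of range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def compare(text, domain, accounts):
    """Return {name: (stored uidNumber, uid the rid backend hands out)}."""
    low, high = parse_range(parse_idmap(text)[domain]["range"])
    return {n: (stored, rid_to_unix_id(rid, low, high))
            for n, (rid, stored) in accounts.items()}

if __name__ == "__main__":
    for name, (stored, mapped) in compare(SMB_CONF, "DOM", ACCOUNTS).items():
        print(f"{name}: uidNumber={stored} rid-backend uid={mapped}")
    # The same RID under the earlier, commented-out range gives a different owner ID.
    print("olduser under 40000-49999:", rid_to_unix_id(1105, 40000, 49999))
```

Files written while a different range (or the stored uidNumber) was in effect keep the old numeric owner, which is why the timing of the range change matters when auditing ownership on Unix shares.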