Sérgio Basto
2019-Dec-05 17:30 UTC
[Samba] security = ads, backend = ad parameter not working in samba 4.10.10
On Thu, 2019-12-05 at 17:15 +0000, Rowland penny via samba wrote:
> On 05/12/2019 17:00, Sérgio Basto wrote:
> > On Thu, 2019-12-05 at 10:15 +0000, Rowland penny via samba wrote:
> > > On 05/12/2019 06:16, Sérgio Basto wrote:
> > > > Sorry, I spoke too soon getent passwd "a new user to this server"
> > > > doesn't work.
> > > > But wbinfo -u or wbinfo -g always worked perfectly in any case, why
> > > > getent don't?
> > > >
> > > If 'wbinfo -u' works, 'getent passwd username' doesn't, then it points
> > > to a lack of, or wrong, rfc2307 attributes (if you are using the 'ad'
> > > backend).
> > >
> > > Any users you want to be visible to Unix, must have a uidNumber
> > > attribute containing a unique number inside the DOMAIN range set in
> > > smb.conf. You MUST also give Domain Users a gidNumber containing a
> > > number inside the same range.
> > yes, I use backend = ad, if configure backend = ad with realm [1] (as
> > you said is wrong) every 'getent passwd username' give me a new
> > uidNumber or make a new uidNumber in sequence [1].
> > when I configure backend = ad with workgroup (as you said that must
> > have to be) 'getent passwd username' don't produce any new id.
> > and in /var/log/samba/winbindd.log I see
> > Could not convert sid S-1-5-21-2685600491-4108878147-961307473-2662: NT_STATUS_NO_SUCH_USER
> >
> > [1]
> > idmap config CORP.LOCAL : backend = ad
> >
> > [2]
> > root@repo:~# getent passwd "vmjp01"
> > vmjp01:*:1000019:1000000::/srv/samba/users/vmjp01:/bin/false
> > root@repo:~# getent passwd "maa001"
> > maa001:*:1000020:1000000::/srv/samba/users/maa001:/bin/false
> > root@repo:~# getent passwd "tsdg01"
> > tsdg01:*:1000021:1000000::/srv/samba/users/tsdg01:/bin/false
> > root@repo:~# getent passwd "rmac01"
> > rmac01:*:1000022:1000000::/srv/samba/users/rmac01:/bin/false
> >
> > > Rowland
> >
> Have you added any RFC2307 attributes (uidNumber, gidNumber, etc) to
> your users and groups in AD?

Users in AD were migrated from one SAMBA sernet 4.0.0, I don't know but I think not, what do you recommend?
I don't find ATM the scripts to convert users but I used ldb tools ...

> Rowland

--
Sérgio M. B.
Rowland penny
2019-Dec-05 17:45 UTC
[Samba] security = ads, backend = ad parameter not working in samba 4.10.10
On 05/12/2019 17:30, Sérgio Basto wrote:
> On Thu, 2019-12-05 at 17:15 +0000, Rowland penny via samba wrote:
>> On 05/12/2019 17:00, Sérgio Basto wrote:
>>> On Thu, 2019-12-05 at 10:15 +0000, Rowland penny via samba wrote:
>>>> On 05/12/2019 06:16, Sérgio Basto wrote:
>>>>> Sorry, I spoke too soon getent passwd "a new user to this server"
>>>>> doesn't work.
>>>>> But wbinfo -u or wbinfo -g always worked perfectly in any case, why
>>>>> getent don't?
>>>>>
>>>> If 'wbinfo -u' works, 'getent passwd username' doesn't, then it points
>>>> to a lack of, or wrong, rfc2307 attributes (if you are using the 'ad'
>>>> backend).
>>>>
>>>> Any users you want to be visible to Unix, must have a uidNumber
>>>> attribute containing a unique number inside the DOMAIN range set in
>>>> smb.conf. You MUST also give Domain Users a gidNumber containing a
>>>> number inside the same range.
>>> yes, I use backend = ad, if configure backend = ad with realm [1] (as
>>> you said is wrong) every 'getent passwd username' give me a new
>>> uidNumber or make a new uidNumber in sequence [1].
>>> when I configure backend = ad with workgroup (as you said that must
>>> have to be) 'getent passwd username' don't produce any new id.
>>> and in /var/log/samba/winbindd.log I see
>>> Could not convert sid S-1-5-21-2685600491-4108878147-961307473-2662: NT_STATUS_NO_SUCH_USER
>>>
>>> [1]
>>> idmap config CORP.LOCAL : backend = ad
>>>
>>> [2]
>>> root@repo:~# getent passwd "vmjp01"
>>> vmjp01:*:1000019:1000000::/srv/samba/users/vmjp01:/bin/false
>>> root@repo:~# getent passwd "maa001"
>>> maa001:*:1000020:1000000::/srv/samba/users/maa001:/bin/false
>>> root@repo:~# getent passwd "tsdg01"
>>> tsdg01:*:1000021:1000000::/srv/samba/users/tsdg01:/bin/false
>>> root@repo:~# getent passwd "rmac01"
>>> rmac01:*:1000022:1000000::/srv/samba/users/rmac01:/bin/false
>>>
>>>> Rowland
>>>
>> Have you added any RFC2307 attributes (uidNumber, gidNumber, etc) to
>> your users and groups in AD?
> Users in AD were migrated from one SAMBA sernet 4.0.0, I don't know but
> I think not, what do you recommend?
> I don't find ATM the scripts to convert users but I used ldb tools ...

If you do not have any uidNumber and gidNumber attributes in AD, then the winbind 'ad' backend will not work, try the 'rid' backend instead.

Rowland
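The requirement discussed in the message above (a unique uidNumber inside the smb.conf range on every user, plus a gidNumber on Domain Users) can be checked against an `ldbsearch` LDIF export before switching to the 'ad' backend. This Python check is an added example, not part of the thread; `parse_ldif` and `audit` are hypothetical names, and the sample entries and the range 1000000-1999999 are constructed assumptions.

```python
# Constructed sample in the LDIF form ldbsearch prints; not data from the thread.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=corp,DC=local
sAMAccountName: Domain Users
gidNumber: 513

dn: CN=user1,CN=Users,DC=corp,DC=local
sAMAccountName: user1
uidNumber: 1000019

dn: CN=user2,CN=Users,DC=corp,DC=local
sAMAccountName: user2

dn: CN=user3,CN=Users,DC=corp,DC=local
sAMAccountName: user3
uidNumber: 1000019
"""

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per entry, names lower-cased."""
    entry, last = {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:        # folded continuation line
            entry[last][-1] += line[1:]
        elif not line.strip():                   # blank line closes an entry
            if "dn" in entry:
                yield entry
            entry, last = {}, None
        elif ":" in line and not line.startswith("#"):   # skip "# record N"
            name, _, value = line.partition(":")
            last = name.lower()
            entry.setdefault(last, []).append(value.lstrip(": ").strip())

def audit(ldif_text, low, high):
    """Return {account: problem}; low/high is the idmap range from smb.conf."""
    problems, owner = {}, {}
    for e in parse_ldif(ldif_text):
        name = e.get("samaccountname", e["dn"])[0]
        # Domain Users needs a gidNumber; every other entry is checked for uidNumber.
        attr = "gidnumber" if name == "Domain Users" else "uidnumber"
        value = e.get(attr, [""])[0]
        if not value.isdigit():
            problems[name] = "missing"
        elif not low <= int(value) <= high:
            problems[name] = "out of range"
        elif attr == "uidnumber" and owner.setdefault(value, name) != name:
            problems[name] = "duplicate of " + owner[value]
    return problems
# e.g. audit(SAMPLE_LDIF, 1000000, 1999999); that range is an assumption
```

An empty result means every exported user has a usable uidNumber; the export has to include the Domain Users group for its gidNumber to be checked.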
Sérgio Basto
2019-Dec-05 17:48 UTC
[Samba] security = ads, backend = ad parameter not working in samba 4.10.10
On Thu, 2019-12-05 at 17:30 +0000, Sérgio Basto via samba wrote:
> On Thu, 2019-12-05 at 17:15 +0000, Rowland penny via samba wrote:
> > On 05/12/2019 17:00, Sérgio Basto wrote:
> > > On Thu, 2019-12-05 at 10:15 +0000, Rowland penny via samba wrote:
> > > > On 05/12/2019 06:16, Sérgio Basto wrote:
> > > > > Sorry, I spoke too soon getent passwd "a new user to this server"
> > > > > doesn't work.
> > > > > But wbinfo -u or wbinfo -g always worked perfectly in any case, why
> > > > > getent don't?
> > > > >
> > > > If 'wbinfo -u' works, 'getent passwd username' doesn't, then it points
> > > > to a lack of, or wrong, rfc2307 attributes (if you are using the 'ad'
> > > > backend).
> > > >
> > > > Any users you want to be visible to Unix, must have a uidNumber
> > > > attribute containing a unique number inside the DOMAIN range set in
> > > > smb.conf. You MUST also give Domain Users a gidNumber containing a
> > > > number inside the same range.
> > > yes, I use backend = ad, if configure backend = ad with realm [1] (as
> > > you said is wrong) every 'getent passwd username' give me a new
> > > uidNumber or make a new uidNumber in sequence [1].
> > > when I configure backend = ad with workgroup (as you said that must
> > > have to be) 'getent passwd username' don't produce any new id.
> > > and in /var/log/samba/winbindd.log I see
> > > Could not convert sid S-1-5-21-2685600491-4108878147-961307473-2662: NT_STATUS_NO_SUCH_USER
> > >
> > > [1]
> > > idmap config CORP.LOCAL : backend = ad
> > >
> > > [2]
> > > root@repo:~# getent passwd "vmjp01"
> > > vmjp01:*:1000019:1000000::/srv/samba/users/vmjp01:/bin/false
> > > root@repo:~# getent passwd "maa001"
> > > maa001:*:1000020:1000000::/srv/samba/users/maa001:/bin/false
> > > root@repo:~# getent passwd "tsdg01"
> > > tsdg01:*:1000021:1000000::/srv/samba/users/tsdg01:/bin/false
> > > root@repo:~# getent passwd "rmac01"
> > > rmac01:*:1000022:1000000::/srv/samba/users/rmac01:/bin/false
> > >
> > > > Rowland
> > >
> > Have you added any RFC2307 attributes (uidNumber, gidNumber, etc) to
> > your users and groups in AD?
>
> Users in AD were migrated from one SAMBA sernet 4.0.0, I don't know but
> I think not, what do you recommend?
> I don't find ATM the scripts to convert users but I used ldb tools ...

I did migration with something like this:

ldbsearch -H /opt/samba/private/sam.ldb -s sub -b dc=old_ad,dc=local '(objectClass=user)' > user-export2.ldif
scp user-export2.ldif to_the_new_machine:

in new machine:

sed -i 's/DC=old_ad/DC=corp/g; s/old_ad.local/corp.local/g' user-export2.ldif
sed -i bla bla user-export2.ldif

ldbmodify -H /var/lib/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 user-export2.ldif

> > Rowland
>
> --
> Sérgio M. B.

--
Sérgio M. B.
Sérgio Basto
2019-Dec-05 17:52 UTC
[Samba] security = ads, backend = ad parameter not working in samba 4.10.10
On Thu, 2019-12-05 at 17:45 +0000, Rowland penny via samba wrote:
> On 05/12/2019 17:30, Sérgio Basto wrote:
> > On Thu, 2019-12-05 at 17:15 +0000, Rowland penny via samba wrote:
> > > On 05/12/2019 17:00, Sérgio Basto wrote:
> > > > On Thu, 2019-12-05 at 10:15 +0000, Rowland penny via samba wrote:
> > > > > On 05/12/2019 06:16, Sérgio Basto wrote:
> > > > > > Sorry, I spoke too soon getent passwd "a new user to this server"
> > > > > > doesn't work.
> > > > > > But wbinfo -u or wbinfo -g always worked perfectly in any case, why
> > > > > > getent don't?
> > > > > >
> > > > > If 'wbinfo -u' works, 'getent passwd username' doesn't, then it points
> > > > > to a lack of, or wrong, rfc2307 attributes (if you are using the 'ad'
> > > > > backend).
> > > > >
> > > > > Any users you want to be visible to Unix, must have a uidNumber
> > > > > attribute containing a unique number inside the DOMAIN range set in
> > > > > smb.conf. You MUST also give Domain Users a gidNumber containing a
> > > > > number inside the same range.
> > > > yes, I use backend = ad, if configure backend = ad with realm [1] (as
> > > > you said is wrong) every 'getent passwd username' give me a new
> > > > uidNumber or make a new uidNumber in sequence [1].
> > > > when I configure backend = ad with workgroup (as you said that must
> > > > have to be) 'getent passwd username' don't produce any new id.
> > > > and in /var/log/samba/winbindd.log I see
> > > > Could not convert sid S-1-5-21-2685600491-4108878147-961307473-2662: NT_STATUS_NO_SUCH_USER
> > > >
> > > > [1]
> > > > idmap config CORP.LOCAL : backend = ad
> > > >
> > > > [2]
> > > > root@repo:~# getent passwd "vmjp01"
> > > > vmjp01:*:1000019:1000000::/srv/samba/users/vmjp01:/bin/false
> > > > root@repo:~# getent passwd "maa001"
> > > > maa001:*:1000020:1000000::/srv/samba/users/maa001:/bin/false
> > > > root@repo:~# getent passwd "tsdg01"
> > > > tsdg01:*:1000021:1000000::/srv/samba/users/tsdg01:/bin/false
> > > > root@repo:~# getent passwd "rmac01"
> > > > rmac01:*:1000022:1000000::/srv/samba/users/rmac01:/bin/false
> > > >
> > > > > Rowland
> > > >
> > > Have you added any RFC2307 attributes (uidNumber, gidNumber, etc) to
> > > your users and groups in AD?
> > Users in AD were migrated from one SAMBA sernet 4.0.0, I don't know but
> > I think not, what do you recommend?
> > I don't find ATM the scripts to convert users but I used ldb tools ...
>
> If you do not have any uidNumber and gidNumber attributes in AD, then
> the winbind 'ad' backend will not work, try the 'rid' backend instead.

ah ok, now this starts to make sense, but I want to add uidNumber and gidNumber to every new user and group, how can I do that?

Many thanks for the support

> Rowland

--
Sérgio M. B.
Sérgio Basto
2019-Dec-05 17:54 UTC
[Samba] (typo fix) Re: security = ads, backend = ad parameter not working in samba 4.10.10
On Thu, 2019-12-05 at 17:45 +0000, Rowland penny via samba wrote:
> On 05/12/2019 17:30, Sérgio Basto wrote:
> > On Thu, 2019-12-05 at 17:15 +0000, Rowland penny via samba wrote:
> > > On 05/12/2019 17:00, Sérgio Basto wrote:
> > > > On Thu, 2019-12-05 at 10:15 +0000, Rowland penny via samba wrote:
> > > > > On 05/12/2019 06:16, Sérgio Basto wrote:
> > > > > > Sorry, I spoke too soon getent passwd "a new user to this server"
> > > > > > doesn't work.
> > > > > > But wbinfo -u or wbinfo -g always worked perfectly in any case, why
> > > > > > getent don't?
> > > > > >
> > > > > If 'wbinfo -u' works, 'getent passwd username' doesn't, then it points
> > > > > to a lack of, or wrong, rfc2307 attributes (if you are using the 'ad'
> > > > > backend).
> > > > >
> > > > > Any users you want to be visible to Unix, must have a uidNumber
> > > > > attribute containing a unique number inside the DOMAIN range set in
> > > > > smb.conf. You MUST also give Domain Users a gidNumber containing a
> > > > > number inside the same range.
> > > > yes, I use backend = ad, if configure backend = ad with realm [1] (as
> > > > you said is wrong) every 'getent passwd username' give me a new
> > > > uidNumber or make a new uidNumber in sequence [1].
> > > > when I configure backend = ad with workgroup (as you said that must
> > > > have to be) 'getent passwd username' don't produce any new id.
> > > > and in /var/log/samba/winbindd.log I see
> > > > Could not convert sid S-1-5-21-2685600491-4108878147-961307473-2662: NT_STATUS_NO_SUCH_USER
> > > >
> > > > [1]
> > > > idmap config CORP.LOCAL : backend = ad
> > > >
> > > > [2]
> > > > root@repo:~# getent passwd "vmjp01"
> > > > vmjp01:*:1000019:1000000::/srv/samba/users/vmjp01:/bin/false
> > > > root@repo:~# getent passwd "maa001"
> > > > maa001:*:1000020:1000000::/srv/samba/users/maa001:/bin/false
> > > > root@repo:~# getent passwd "tsdg01"
> > > > tsdg01:*:1000021:1000000::/srv/samba/users/tsdg01:/bin/false
> > > > root@repo:~# getent passwd "rmac01"
> > > > rmac01:*:1000022:1000000::/srv/samba/users/rmac01:/bin/false
> > > >
> > > > > Rowland
> > > >
> > > Have you added any RFC2307 attributes (uidNumber, gidNumber, etc) to
> > > your users and groups in AD?
> > Users in AD were migrated from one SAMBA sernet 4.0.0, I don't know but
> > I think not, what do you recommend?
> > I don't find ATM the scripts to convert users but I used ldb tools ...
>
> If you do not have any uidNumber and gidNumber attributes in AD, then
> the winbind 'ad' backend will not work, try the 'rid' backend instead.

ah ok, now this starts to make sense, but I want to add a new uidNumber and gidNumber to every user and group in AD, how can I do that?

Many thanks for the support

> Rowland

--
Sérgio M. B.

--
Sérgio M. B.
Rowland penny
2019-Dec-05 18:34 UTC
[Samba] security = ads, backend = ad parameter not working in samba 4.10.10
On 05/12/2019 17:48, Sérgio Basto wrote:
> I did migration with something like this:
>
> ldbsearch -H /opt/samba/private/sam.ldb -s sub -b dc=old_ad,dc=local '(objectClass=user)' > user-export2.ldif
> scp user-export2.ldif to_the_new_machine:
>
> in new machine:
>
> sed -i 's/DC=old_ad/DC=corp/g; s/old_ad.local/corp.local/g' user-export2.ldif
> sed -i bla bla user-export2.ldif
>
> ldbmodify -H /var/lib/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 user-export2.ldif
>

Sorry, but it is more involved than that, you should have joined a new DC, then demoted the old DC, you might have had to do this a few times to move from Samba 4.x.x to a supported Samba version.

I am very surprised that this worked in any way at all.

Rowland