WINBIND: UID and GID false mappings on domain member


WINBIND: UID and GID false mappings on domain member

rawi
Hi @ALL

Trying to migrate to Samba AD after 12 lucky years with samba NT-domain + server profiles and homes in a small research institute.

I decided to provision a new domain and create the users and groups using samba-tool with most of its parameters.
I decided against classicupgrade, because I didn't get all posix attributes automatically set and I cannot do LDAP kung-fu.

Intention is to administer most of it with samba-tool and Co, not Windows RSAT.
In the NT domain I set till now all rights through the Unix rights, UID and GID.

Even if I'm willing to recreate users and groups according to the old UID and GID (not that many), I am _desperately_ needing to transfer the data with its original ownership.

I've set an "_ONLY_ DOMAIN CONTROLLER" and a first "DOMAIN MEMBER" as file server.

Almost everything is good: ntp, dns, kinit are working, the member server could join the dc, authentication works.

WHAT I DO NOT GET CORRECTLY are the UID and GID of users and groups on the domain member (PARTIALLY DEPENDING on whether I have the lines with "idmap config *:..." or not ??? - see below)

And yes, I read in the last _weeks_ most of the docs and Q&A I could find. I've said I'm desperate...

Please see the configs and the tests. May the force be with you :)

Many thanks in advance!

Environment: Ubuntu Server 16.04.1 + Samba 4.3.9

### DOMAIN CONTROLLER
root@hg-dc1:/etc/samba# cat smb.conf
# Global parameters
[global]
        workgroup = HUMGEN
        realm = HUMGEN.0ZONE
        netbios name = HG-DC1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc

        idmap_ldb:use rfc2307 = yes
        dns-nameservers 127.0.0.1

        tls enabled  = yes
        tls keyfile  = tls/myKey.pem
        tls certfile = tls/myCert.pem
        tls cafile   =

# [netlogon] is on the member server and defined in the user's object

# I left sysvol here, as I don't understand its role
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

### DOMAIN MEMBER
root@hg004:/etc/samba# cat smb.conf
netbios name = HG004
server string = Fileserver HG004 - Samba 4.3.9-Ubuntu
security = ADS
workgroup = HUMGEN
realm = HUMGEN.0ZONE
server role = member server

server services = -dnsupdate -dns

interfaces = bond0, lo
bind interfaces only = yes

domain master = no
local master = no
preferred master = no
domain logons = no

encrypt passwords = yes

log file = /var/log/samba/%m.log
log level = passdb:5 auth:10 winbind:10

syslog only = no
# syslog 0=LOG_ERR, 1=LOG_WARNING, 2=LOG_NOTICE, 3=LOG_INFO
syslog = 0

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-4000

# idmap config for domain HUMGEN
idmap config HUMGEN:backend = ad
idmap config HUMGEN:schema_mode = rfc2307
idmap config HUMGEN:range = 5000-30000
idmap config HUMGEN:default = yes

# Use settings from AD for login shell and home directory
winbind use default domain = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes

# no logon with cached credentials
winbind offline logon = no

winbind refresh tickets = yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab

wins server = hg-dc1.humgen.0zone

socket options = TCP_NODELAY IPTOS_LOWDELAY

# no templates. They are coming from LDAP in Active Directory
template homedir =
template shell =

# They are also coming from LDAP in Active Directory
logon script =
logon path =
logon drive =
logon home =

# case sensitive: auto=NO for Windows and maybe YES for CIFS
case sensitive = no
preserve case = Yes
short preserve case = Yes

# don't show the shares
browseable = no

map to guest = never

# default. Speeds transfers up. There are also others oplocks params
oplocks = yes
veto oplock files = /*.mdb/*.MDB/*.mde/*.MDE/*.mdw/*.MDW/*.ldb/*.LDB

# allow no local caching of data on the client
csc policy = disable

hide unreadable = yes
hide dot files = no

reset on zero vc = yes

[netlogon]
    path = /mnt/SRVDATA_crypt/samba/netlogon
    read only = yes

[homes]
    comment = %u's Home Directory
    path = /mnt/SRVDATA_crypt/samba/home/%S
    browsable = no
    read only = no
    valid users = %S

# server profiles are inside the user's home on the domain member and defined in the user's object in AD
;[profiles]

### TEST USER
root@hg-dc1:/etc/samba# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=test)'
# record 1
dn: CN=test,CN=Users,DC=humgen,DC=0zone
cn: test
sn:: VGVzdOKAiC0tZ2l2ZW4tbmFtZT1XYW50IFRv
title: Test Pilot
description: Want to Test
physicalDeliveryOfficeName: Bldg. 11, 12th floor, Room 1234
telephoneNumber: 12345
initials: WT.
instanceType: 4
whenCreated: 20160728135850.0Z
displayName:: IFdULiBUZXN04oCILS1naXZlbi1uYW1lPVdhbnQgVG8=
uSNCreated: 3803
department:: SW5zdGl0dXRl
company:: VU5J
wWWHomePage: institute.uni.de
name: test
objectGUID: af9cf66f-d5c7-4d7f-980f-c4c87a5765e5
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-1231847632-1110290357-1532217621-1108
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: test
sAMAccountType: 805306368
userPrincipalName: test@humgen.0zone
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=humgen,DC=0zone
mail: test@humgen.0zone
uid: test
uidNumber: 9439
gidNumber: 5001
gecos: Want to Test
loginShell: /bin/bash
msSFU30NisDomain: humgen
msSFU30Name: test
unixUserPassword: ABCD!efgh12345$67890
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 512
pwdLastSet: 131142705100000000
scriptPath: \\hg004.humgen.0zone\netlogon\login.bat
homeDirectory: \\hg004.humgen.0zone\%USERNAME%
homeDrive: U
profilePath: \\hg004.humgen.0zone\%USERNAME%\winprofile
unixHomeDirectory: //hg004.humgen.0zone/test/linhome
lastLogonTimestamp: 131153950658668290
whenChanged: 20160811131745.0Z
uSNChanged: 3847
lastLogon: 131154694735501500
distinguishedName: CN=test,CN=Users,DC=humgen,DC=0zone

### TEST GROUP
root@hg-dc1:/etc/samba# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=hg_allg)'
# record 1
dn: CN=hg_allg,CN=Users,DC=humgen,DC=0zone
objectClass: top
objectClass: group
cn: hg_allg
description: All Users of HumGen
instanceType: 4
whenCreated: 20160801120752.0Z
whenChanged: 20160801120752.0Z
uSNCreated: 3835
uSNChanged: 3835
name: hg_allg
objectGUID: 7acc757d-3164-471c-a101-c8f8ed5d8339
objectSid: S-1-5-21-1231847632-1110290357-1532217621-1113
sAMAccountName: hg_allg
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=humgen,DC=0zone
msSFU30Name: hg_allg
msSFU30NisDomain: humgen
gidNumber: 5001
distinguishedName: CN=hg_allg,CN=Users,DC=humgen,DC=0zone

###
# on the domain controller
###

root@hg-dc1:/etc/bind# wbinfo --user-info test
HUMGEN\test:*:9439:100: WT. Test --given-name=Want To:/home/HUMGEN/test:/bin/false

root@hg-dc1:/etc/bind# wbinfo --group-info hg_allg
HUMGEN\hg_allg:x:5001:

###
# on the member server
###
root@hg004:/etc/samba# wbinfo -u
administrator
dns-hg-dc1
krbtgt
guest
test

root@hg004:/etc/samba# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
hg_allg

root@hg004:/etc/samba# wbinfo --group-info hg_allg
hg_allg:x:5001: # correct

root@hg004:/etc/samba# wbinfo --user-info test
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test
### ?!?!?! PROBLEM

root@hg004:/etc/samba# wbinfo -n test
S-1-5-21-1231847632-1110290357-1532217621-1108 SID_USER (1)

root@hg004:/etc/samba# wbinfo --sid-to-uid S-1-5-21-1231847632-1110290357-1532217621-1108
9439 # correct

root@hg004:/etc/samba# getent passwd
#... only local users, NO USER test - PROBLEM

root@hg004:/etc/samba# getent group
#... local and domain groups - correct
hg_allg:x:5001:

###
# if I comment or delete:
# idmap config *:backend = tdb
# idmap config *:range = 2000-4000
# I get all I want - with false UID and GID
###

root@hg004:/home/iroot# getent passwd test
test:*:4294967295:4294967295:Want to Test://hg004.humgen.0zone/test/linhome:/bin/bash

root@hg004:/etc/samba# getent group hg_allg
hg_allg:x:4294967295:

###
# Thank you for enduring this to its bitter end.
###
Re: WINBIND: UID and GID false mappings on domain member

Samba - General mailing list
On Fri, 12 Aug 2016 07:33:27 -0700 (PDT)
rawi via samba <[hidden email]> wrote:

> Hi @ALL
>
> Trying to migrate to Samba AD after 12 lucky years with samba
> NT-domain + server profiles and homes in a small research institute.
>
> I decided to provision a new domain and create the users and groups
> using samba-tool with most of its parameters.
> I decided against classicupgrade, because I didn't get all posix
> attributes automatically set and I cannot do LDAP kung-fu.
>
> Intention is to administer most of it with samba-tool and Co, not
> Windows RSAT.
> In the NT domain I set till now all rights trough the Unix-rights,
> UID and GID.
>
> Even if I'm willing to recreate users and groups accordingly to the
> old UID and GID (not that many), I am _desperately_ needing to
> transfer the data with its original ownership.
>
> I've set an "_ONLY_ DOMAIN CONTROLLER" and a first "DOMAIN MEMBER" as
> file server.
>
> Mostly all is good, ntp, dns, kinit are working, the member server
> could join the dc, authentication works.
>
> WHAT I DO NOT GET CORRECTLY are the UID and GID of users and groups
> on the domain member (PARTIALLY DEPENDING if I have the lines with
> "idmap config *:..." or not ??? - see below)

Have you added uidNumber & gidNumber attributes to the user &
group objects in AD ?

>
> And yes, I red in the last _weeks_ most of the docs and Q&A I could
> find. I've said I'm desperate...
>
> Please see the configs and the tests. May the force be with you :)
>
> Many thanks in advance!
>
> Environment: Ubuntu Server 16.04.1 + Samba 4.3.9
>
> ### DOMAIN CONTROLLER
> root@hg-dc1:/etc/samba# cat smb.conf
> # Global parameters
> [global]
>         workgroup = HUMGEN
>         realm = HUMGEN.0ZONE
>         netbios name = HG-DC1
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc
>
>         idmap_ldb:use rfc2307 = yes
>         dns-nameservers 127.0.0.1

I take it you are using bind9 as the nameserver and you have set it up
correctly ?
In which case you will have a line similar to this in
named.conf.options:
        forwarders { 8.8.8.8; 8.8.4.4; };

So remove 'dns-nameservers 127.0.0.1' from smb.conf, I don't recognise
it, so I suppose Samba won't either, there is the setting 'dns
forwarder' but this is only used with the internal DNS server and you
wouldn't use '127.0.0.1'

>
>         tls enabled  = yes
>         tls keyfile  = tls/myKey.pem
>         tls certfile = tls/myCert.pem
>         tls cafile   =
>
> # [netlogon] is on the member server and defined in the user's object

I suggest you put it back
 
> # I let sysvol here, as I don't understand it's role

I suggest you find out, it is rather important, I will give you a hint,
GPOs

> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> ### DOMAIN MEMBER
> root@hg004:/etc/samba# cat smb.conf
> netbios name = HG004
> server string = Fileserver HG004 - Samba 4.3.9-Ubuntu
> security = ADS
> workgroup = HUMGEN
> realm = HUMGEN.0ZONE
> server role = member server
>
> server services = -dnsupdate -dns

You do not need these lines on a domain member

>
> interfaces = bond0, lo
> bind interfaces only = yes
>


From here:
 
> domain master = no
> local master = no
> preferred master = no
> domain logons = no
>
> encrypt passwords = yes
>

To here, can be removed.
 

> log file = /var/log/samba/%m.log
> log level = passdb:5 auth:10 winbind:10
>
> syslog only = no
> # syslog 0=LOG_ERR, 1=LOG_WARNING, 2=LOG_NOTICE, 3=LOG_INFO
> syslog = 0
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-4000
>
> # idmap config for domain HUMGEN
> idmap config HUMGEN:backend = ad
> idmap config HUMGEN:schema_mode = rfc2307
> idmap config HUMGEN:range = 5000-30000
> idmap config HUMGEN:default = yes
>
> # Use settings from AD for login shell and home directory
> winbind use default domain = yes
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
>
> # no logon with cached credentials
> winbind offline logon = no
>
> winbind refresh tickets = yes
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
>

Again remove lines, from here:

> wins server = hg-dc1.humgen.0zone
>
> socket options = TCP_NODELAY IPTOS_LOWDELAY
>
> # no templates. They are coming from LDAP in Active Directory
> template homedir =
> template shell =
>
> # They are also coming from LDAP in Active Directory
> logon script =
> logon path =
> logon drive =
> logon home =
>

To here.

> # case sensitive: auto=NO for Windows and maybe YES for CIFS
> case sensitive = no
> preserve case = Yes
> short preserve case = Yes
>
> # don't show the shares
> browseable = no
>
> map to guest = never
>
> # default. Speeds transfers up. There are also others oplocks params
> oplocks = yes
> veto oplock files = /*.mdb/*.MDB/*.mde/*.MDE/*.mdw/*.MDW/*.ldb/*.LDB
>
> # allow no local caching of data on the client
> csc policy = disable
>
> hide unreadable = yes
> hide dot files = no
>
> reset on zero vc = yes
>

Remove these next lines and put them back on the DC:
 
> [netlogon]
>     path = /mnt/SRVDATA_crypt/samba/netlogon
>     read only = yes
>

 

> [homes]
>     comment = %u's Home Directory
>     path = /mnt/SRVDATA_crypt/samba/home/%S
>     browsable = no
>     read only = no
>     valid users = %S
>
> # server profiles are inside the user's home on the domain member and
> defined in the user's object in AD
> ;[profiles]
>
> ### TEST USER
> root@hg-dc1:/etc/samba# ldbsearch -H /var/lib/samba/private/sam.ldb
> '(cn=test)'
> # record 1
> dn: CN=test,CN=Users,DC=humgen,DC=0zone
> cn: test
> sn:: VGVzdOKAiC0tZ2l2ZW4tbmFtZT1XYW50IFRv
> title: Test Pilot
> description: Want to Test
> physicalDeliveryOfficeName: Bldg. 11, 12th floor, Room 1234
> telephoneNumber: 12345
> initials: WT.
> instanceType: 4
> whenCreated: 20160728135850.0Z
> displayName:: IFdULiBUZXN04oCILS1naXZlbi1uYW1lPVdhbnQgVG8=
> uSNCreated: 3803
> department:: SW5zdGl0dXRl
> company:: VU5J
> wWWHomePage: institute.uni.de
> name: test
> objectGUID: af9cf66f-d5c7-4d7f-980f-c4c87a5765e5
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-1231847632-1110290357-1532217621-1108
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: test
> sAMAccountType: 805306368
> userPrincipalName: test@humgen.0zone
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=humgen,DC=0zone
> mail: test@humgen.0zone
> uid: test
> uidNumber: 9439
> gidNumber: 5001
> gecos: Want to Test
> loginShell: /bin/bash
> msSFU30NisDomain: humgen
> msSFU30Name: test
> unixUserPassword: ABCD!efgh12345$67890
> objectClass: top
> objectClass: posixAccount

You do not need and should not add the POSIX objectclasses

> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> userAccountControl: 512
> pwdLastSet: 131142705100000000
> scriptPath: \\hg004.humgen.0zone\netlogon\login.bat
> homeDirectory: \\hg004.humgen.0zone\%USERNAME%
> homeDrive: U
> profilePath: \\hg004.humgen.0zone\%USERNAME%\winprofile
> unixHomeDirectory: //hg004.humgen.0zone/test/linhome
> lastLogonTimestamp: 131153950658668290
> whenChanged: 20160811131745.0Z
> uSNChanged: 3847
> lastLogon: 131154694735501500
> distinguishedName: CN=test,CN=Users,DC=humgen,DC=0zone
>
> ### TEST GROUP
> root@hg-dc1:/etc/samba# ldbsearch -H /var/lib/samba/private/sam.ldb
> '(cn=hg_allg)'
> # record 1
> dn: CN=hg_allg,CN=Users,DC=humgen,DC=0zone
> objectClass: top
> objectClass: group
> cn: hg_allg
> description: All Users of HumGen
> instanceType: 4
> whenCreated: 20160801120752.0Z
> whenChanged: 20160801120752.0Z
> uSNCreated: 3835
> uSNChanged: 3835
> name: hg_allg
> objectGUID: 7acc757d-3164-471c-a101-c8f8ed5d8339
> objectSid: S-1-5-21-1231847632-1110290357-1532217621-1113
> sAMAccountName: hg_allg
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=humgen,DC=0zone
> msSFU30Name: hg_allg
> msSFU30NisDomain: humgen
> gidNumber: 5001
> distinguishedName: CN=hg_allg,CN=Users,DC=humgen,DC=0zone
>
> ###
> # on the domain controller
> ###
>
> root@hg-dc1:/etc/bind# wbinfo --user-info test
> HUMGEN\test:*:9439:100: WT. Test --given-name=Want
> To:/home/HUMGEN/test:/bin/false
>
> root@hg-dc1:/etc/bind# wbinfo --group-info hg_allg
> HUMGEN\hg_allg:x:5001:
>
> ###
> # on the member server
> ###
> root@hg004:/etc/samba# wbinfo -u
> administrator
> dns-hg-dc1
> krbtgt
> guest
> test
>
> root@hg004:/etc/samba# wbinfo -g
> allowed rodc password replication group
> enterprise read-only domain controllers
> denied rodc password replication group
> read-only domain controllers
> group policy creator owners
> ras and ias servers
> domain controllers
> enterprise admins
> domain computers
> cert publishers
> dnsupdateproxy
> domain admins
> domain guests
> schema admins
> domain users
> dnsadmins
> hg_allg
>
> root@hg004:/etc/samba# wbinfo --group-info hg_allg
> hg_allg:x:5001: # correct
>
> root@hg004:/etc/samba# wbinfo --user-info test
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user test
> ### ?!?!?! PROBLEM
>
> root@hg004:/etc/samba# wbinfo -n test
> S-1-5-21-1231847632-1110290357-1532217621-1108 SID_USER (1)
>
> root@hg004:/etc/samba# wbinfo --sid-to-uid
> S-1-5-21-1231847632-1110290357-1532217621-1108
> 9439 # correct
>
> root@hg004:/etc/samba# getent passwd
> #... only local users, NO USER test - PROBLEM
>
> root@hg004:/etc/samba# getent group
> #... local and domain groups - correct
> hg_allg:x:5001:
>
> ###
> # if I comment or delete:
> # idmap config *:backend = tdb
> # idmap config *:range = 2000-4000
> # I get all I want - with false UID and GID
> ###
>
> root@hg004:/home/iroot# getent passwd test
> test:*:4294967295:4294967295:Want to
> Test://hg004.humgen.0zone/test/linhome:/bin/bash
>
> root@hg004:/etc/samba# getent group hg_allg
> hg_allg:x:4294967295:
>
> ###
> # Thank you for enduring this to its bitter end.
> ###
>
>
>

Have you given 'Domain Users' a gidNumber inside the range 5000-30000 ?

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: WINBIND: UID and GID false mappings on domain member

rawi
Thank you Rowland for looking into this!

> WHAT I DO NOT GET CORRECTLY are the UID and GID of users and groups
> on the domain member (PARTIALLY DEPENDING if I have the lines with
> "idmap config *:..." or not ??? - see below)

Have you added uidNumber & gidNumber attributes to the user &
groupobjects in AD ?
Not myself, I simply provisioned with --use-rfc2307

I take it you are using bind9 as the nameserver and you have set it up
correctly ?
In which case you will have a line similar to this in
named.conf.options:
        forwarders { 8.8.8.8; 8.8.4.4; };

So remove 'dns-nameservers 127.0.0.1' from smb.conf, I don't recognise
it, so I suppose Samba won't either, there is the setting 'dns
forwarder' but this is only used with the internal DNS server and you
wouldn't use '127.0.0.1'
Well, I simplified the tale:
I wanted to have only one domain for all, samba and the rest. Not a subdomain for samba.
I have all in bind9 and dhcp. So I looked at samba's dnsupdates the first time, took the dns records and put them fixed in bind9. All the rest of the records of the clients will be generated (included list) from a script. In DHCP I have mostly static assignments.
Then I deleted dnsupdate from samba's roles. It works well, forward and reverse.

 > # [netlogon] is on the member server and defined in the user's object

I suggest you put it back
I will. In my eyes netlogon is a share like any other, and the DC shouldn't share files.
I thought, it would have been enough to have the netlogon pointer to the file server - in the user's LDAP object.

> objectClass: posixAccount

You do not need and should not add the POSIX objectclasses
I didn't. I used samba-tool to add the user and the group. And I tried to use the most of the parameters of "user add", to learn and see what happens. So samba-tool did it.

Have you given 'Domain Users' a gidNumber inside the range 5000-30000 ?
No, Domain Users has no GID.
Until now it was unimportant to me. All my users are in the group "hg_allg" with GID 5001. As primary group in unix passwd in the old NT domain.

Oh, I remember something awkward...

Till a couple of days ago, I got the users' UID but NOT THE GROUP's GID. THIS ALWAYS without the lines "idmap config *:..."
I could login from a joined Windows 8.1, I got the logon script running (from the domain member), but the home was not bound to the HOMEDIR. This could happen, because at that time the UID came correctly and matched the old UID of the user.

I got today a kernel update.... and the situation changed, like I said... Now I get GID but no UID.

Somehow spooky...

rawi

Re: WINBIND: UID and GID false mappings on domain member

Samba - General mailing list
On Fri, 12 Aug 2016 09:41:19 -0700 (PDT)
rawi via samba <[hidden email]> wrote:

> Thank you Rowland for looking into this!
>
>

> > Have you added uidNumber & gidNumber attributes to the user &
> > groupobjects in AD ?
>
> Not myself, I simply provisioned with --use-rfc2307

Just provisioning with --rfc2307 isn't enough, you personally need to
add any required RFC2307 attributes.

>
>
> > I take it you are using bind9 as the nameserver and you have set it
> > up correctly ?
> > In which case you will have a line similar to this in
> > named.conf.options:
> >         forwarders { 8.8.8.8; 8.8.4.4; };
> >
> > So remove 'dns-nameservers 127.0.0.1' from smb.conf, I don't
> > recognise it, so I suppose Samba won't either, there is the setting
> > 'dns forwarder' but this is only used with the internal DNS server
> > and you wouldn't use '127.0.0.1'
>
> Well, I simplified the tale:
> I wanted to have only one domain for all, samba and the rest. Not a
> subdomain for samba.
> I have all in bind9 and dhcp. So I looked samba's dnsupdates the
> first time, took the dns records and put them fixed in bind9. All the
> rest records of the clients will be generated (included list) from a
> script. In DHCP I have mostly static assignments.
> Then I deleted dnsupdate from samba's roles. It works good, forward
> and reverse.

Can I suggest you put dnsupdate back and then setup bind9 on the DC
correctly. You can if you wish run DHCP elsewhere, but you can also run
it on the DC, I can supply instructions if required.

>
>
> >  > # [netlogon] is on the member server and defined in the user's
> >  > object
> >
> > I suggest you put it back
>
> I will. In my eyes is netlogon a share, like each other and the DC
> shouldn't share files.
> I thought, it would have been enough to have the netlogon pointer to
> the file server - in the user's LDAP object.
>
>
> >> objectClass: posixAccount
> >
> > You do not need and should not add the POSIX objectclasses
>
> I didn't. I used samba-tool to add the user and the group. And I
> tried to use the most of the parameters of "user add", to learn and
> see what happens. So samba-tool did it.

You must be using an old version of samba-tool, it doesn't do that now.

>
>
> > Have you given 'Domain Users' a gidNumber inside the range
> > 5000-30000 ?
>
> No, Domain Users has no GID.
> Until now it was unimportant to me. All my users are in the group
> "hg_allg" with GID 5001. As primary group in unix passwd in the old
> NT domain.

No they are not:

dn: CN=test,CN=Users,DC=humgen,DC=0zone
......
primaryGroupID: 513

This makes the users primary group 'Domain Users' and as such, the
primary group must have a gidNumber, or all your users will be ignored
by winbind. Do not think of changing the users primaryGroupID, windows
expects all users to be members of 'Domain Users'

>
> Oh, I remember something awkward...
>
> Till couple of days ago, I got the users UID but NOT THE GROUP's GID.
> THIS ALWAYS without the lines "idmap config *:..."
> I could login from a joined Windows 8.1, I got the logon script
> running (from the domain member), but the home was not bound to the
> HOMEDIR. This could happen, because at that time the UID came
> correctly and matched the old UID of the user.
>
> I got today a kernel update.... and the situation changed, like I
> said... Now I get GID but no UID.
>
> Somehow spooky...
>

No, just that you have set up Samba incorrectly, you are trying to use
AD like you used your old NT4-style domain.

Can I suggest that you go and read the Samba wiki:
https://wiki.samba.org/index.php/Main_Page

Rowland



Re: WINBIND: UID and GID false mappings on domain member

rawi
Just provisioning with --rfc2307 isn't enough, you personally need to
add any required RFC2307 attributes.
But you see my test user has his attributes. From samba-tool. Do you mean the basic objects, the templates for the user and group? If yes, how to do it?

Can I suggest you put dnsupdate back and then setup bind9 on the DC
correctly.
I will...

You must be using an old version of samba-tool, it doesn't do that now.
Version 4.3.9 from the last fresh ubuntu LTS.
And I asked on FreeNode, they would not upgrade to the 4.4 branch if 4.3 doesn't have bugs...

No they are not:

dn: CN=test,CN=Users,DC=humgen,DC=0zone
......
primaryGroupID: 513
Oh, I hoped winbind would give me:
uidNumber: 9439
gidNumber: 5001
... from the posix attributes

This makes the users primary group 'Domain Users' and as such, the
primary group must have a gidNumber, or all your users will be ignored
by winbind. Do not think of changing the users primaryGroupID, windows
expects all users to be members of 'Domain Users'
I'll remember this
How would a group mapping of "domain users" onto my group 5001 (hg_allg) behave?

No, just that you have set up Samba incorrectly, you are trying to use
AD like you used your old NT4-style domain.

Can I suggest that you go and read the Samba wiki:
OK, I'll set dnsupdate back and all the rest anew.
I tried to find my way around the problem with the data's posix rights.

Would sssd be a better fit for this?

Can you think of a work around, to transfer the current data with the old unix UID/GID, so that the users will see it the same?
How should I define the new created users for this?

Thank you Rowland!

Re: WINBIND: UID and GID false mappings on domain member

Samba - General mailing list
On Fri, 12 Aug 2016 10:42:54 -0700 (PDT)
rawi via samba <[hidden email]> wrote:

>
> > Just provisioning with --rfc2307 isn't enough, you personally need
> > to add any required RFC2307 attributes.
>
> But you see my test user has his attributes. From samba-tool. Do you
> mean the basic objects, the templates for the user and group? If yes,
> how to do it?

OOPS, red face time, you are correct, they are there.

>
>
> > Can I suggest you put dnsupdate back and then setup bind9 on the DC
> > correctly.
>
> I will...
>
>
> > You must be using an old version of samba-tool, it doesn't do that
> > now.
>
> Version 4.3.9 from the last fresh ubuntu LTS.
> And I asked on FreeNode, they would not upgrade to the 4.4. branch if
> 4.3 hasn't bugs...

Ubuntu will not want to materially change an LTS version and Samba
changes so fast, in fact version 4.5.0 is slated for release in mid
September.
 

>
>
> > No they are not:
> >
> > dn: CN=test,CN=Users,DC=humgen,DC=0zone
> > ......
> > primaryGroupID: 513
>
> Oh, I hoped winbind would give me:
> uidNumber: 9439
> gidNumber: 5001
> ... from the posix attributes
>

Well, it will use the uidNumber as the users Unix UID, but winbind will
use the gidNumber attribute from 'Domain Users' and if it isn't found,
all users will be ignored. The gidNumber attribute will be used as
another group for the user.

>
> > This makes the users primary group 'Domain Users' and as such, the
> > primary group must have a gidNumber, or all your users will be
> > ignored by winbind. Do not think of changing the users
> > primaryGroupID, windows expects all users to be members of 'Domain
> > Users'
>
> I'll remember this
> How would behave a group mapping of "domain users" on my group 5001
> (hg_allg) ?

You don't map groups anymore

>
>
> > No, just that you have set up Samba incorrectly, you are trying to
> > use AD like you used your old NT4-style domain.
> >
> > Can I suggest that you go and read the Samba wiki:
>
> OK, I'll set dnsupdate back and all the rest new.
> I tryed to find my way around the problem with the data's posix
> rights.
>
> Would be sssd a better fit for this?

No, because it works pretty much like winbind.

>
> Can you think of a work around, to transfer the current data with the
> old unix UID/GID, so that the users will see it the same?
> How should I define the new created users for this?

Well, you could try creating the users as you have done, but without
the gidNumber. Now create (or extend) your group with a gidNumber, now
add your users to the group; now, provided you copy the data over and set
the permissions correctly, I think it should work.

Rowland

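An offline check for the rule Rowland states in this reply and in the previous one: winbind takes the user's UID from uidNumber, but the user's primary GID from the gidNumber of the group named by primaryGroupID (513, Domain Users, by default), and a user whose primary group has no gidNumber is dropped entirely; the user's own gidNumber only becomes a supplementary group. The script below is an added example, not code from the thread or from Samba. It parses LDIF of the kind ldbsearch prints, plus the member's idmap config lines, and reports every condition that would leave an account unmapped. The sample LDIF and smb.conf fragment are constructed from the objects shown in the thread, with a Domain Users object that carries no gidNumber; the function names and finding codes are my own.

```python
"""Offline sanity check for idmap_ad (schema_mode = rfc2307) on a Samba domain member.
Parses LDIF (as ldbsearch/ldapsearch print it) plus the member's 'idmap config' lines
and reports why winbind would drop or fail to map an account: missing uidNumber, a
primary group (primaryGroupID = RID) without gidNumber, IDs outside the domain range,
or a '*' range that overlaps it."""
import base64
import re

# Constructed sample: the objects shown in the thread, trimmed, plus a
# 'Domain Users' object (RID 513) that carries no gidNumber.
SAMPLE_LDIF = """\
dn: CN=test,CN=Users,DC=humgen,DC=0zone
objectClass: user
sAMAccountName: test
primaryGroupID: 513
objectSid: S-1-5-21-1231847632-1110290357-1532217621-1108
uidNumber: 9439
gidNumber: 5001

dn: CN=hg_allg,CN=Users,DC=humgen,DC=0zone
objectClass: group
sAMAccountName: hg_allg
objectSid: S-1-5-21-1231847632-1110290357-1532217621-1113
gidNumber: 5001

dn: CN=Domain Users,CN=Users,DC=humgen,DC=0zone
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1231847632-1110290357-1532217621-513
"""
# Constructed sample: the idmap lines from the member's smb.conf in the thread.
SAMPLE_SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 2000-4000
idmap config HUMGEN:backend = ad
idmap config HUMGEN:schema_mode = rfc2307
idmap config HUMGEN:range = 5000-30000
"""
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)

def parse_ldif(text):
    """List of {attribute: [values]} per entry; unfolds continuation lines
    (a leading space) and decodes base64 values written as 'attr:: ...'."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:   # "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):                           # ldbsearch's '# record N'
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def parse_idmap_config(text):
    """{DOMAIN: {key: value}} for every 'idmap config X:key = value' line."""
    cfg = {}
    for m in filter(None, map(IDMAP_RE.match, text.splitlines())):
        cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return cfg

def check_idmap(ldif_text, smb_conf_text, domain):
    """Return (finding, subject) tuples; an empty list means winbind has what it needs."""
    findings = []
    cfg = parse_idmap_config(smb_conf_text)
    dom = cfg.get(domain.upper(), {})
    if dom.get("backend", "").lower() != "ad" or "range" not in dom:
        return [("idmap_ad_not_configured", domain)]   # only idmap_ad reads uidNumber/gidNumber
    lo, hi = map(int, dom["range"].split("-"))
    if "range" in cfg.get("*", {}):
        slo, shi = map(int, cfg["*"]["range"].split("-"))
        if slo <= hi and lo <= shi:                      # tdb allocations would collide with AD IDs
            findings.append(("range_overlap", "*"))
    entries = parse_ldif(ldif_text)
    groups = {int(e["objectSid"][0].rsplit("-", 1)[1]): e          # keyed by RID
              for e in entries if "group" in e.get("objectClass", [])}
    for u in entries:
        oc = u.get("objectClass", [])
        if "user" not in oc or "group" in oc:
            continue
        name = u["sAMAccountName"][0]
        if "uidNumber" not in u:
            findings.append(("user_no_uidNumber", name))
            continue
        if not lo <= int(u["uidNumber"][0]) <= hi:
            findings.append(("uidNumber_out_of_range", name))
        if "gidNumber" in u and not lo <= int(u["gidNumber"][0]) <= hi:
            findings.append(("gidNumber_out_of_range", name))
        # primaryGroupID is the RID of the primary group; AD sets 513 (Domain Users) by default
        primary = groups.get(int(u.get("primaryGroupID", ["513"])[0]))
        if primary is None:
            findings.append(("primary_group_not_in_ldif", name))
        elif "gidNumber" not in primary:
            findings.append(("primary_group_no_gidNumber", name))
        elif not lo <= int(primary["gidNumber"][0]) <= hi:
            findings.append(("primary_group_gid_out_of_range", name))
    return findings

if __name__ == "__main__":
    print("as posted:", check_idmap(SAMPLE_LDIF, SAMPLE_SMB_CONF, "HUMGEN"))
    print("Domain Users given gidNumber 5000:",
          check_idmap(SAMPLE_LDIF + "gidNumber: 5000\n", SAMPLE_SMB_CONF, "HUMGEN"))
```

On the sample this reports primary_group_no_gidNumber for test; appending gidNumber: 5000 to the Domain Users entry (the value the poster ended up with, as the later wbinfo output 9439:5000 shows) clears it. Against a real DC, feed it the output of ldbsearch -H /var/lib/samba/private/sam.ldb '(|(objectClass=user)(objectClass=group))' sAMAccountName objectClass objectSid primaryGroupID uidNumber gidNumber; computer accounts also carry objectClass user and will be listed as user_no_uidNumber, which is harmless noise. The check says nothing about the 4294967295 values the poster saw with the '*' lines removed: that number is winbind's "unmapped" marker ((uid_t)-1 printed as unsigned 32-bit), and this script only tells you whether the attributes and ranges idmap_ad needs are present and consistent.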

SOLVED: WINBIND: UID and GID false mappings on domain member

rawi
I bump this only to say SOLVED and many thanks to Rowland.

Lessons learned:

1.
Indeed, my problems were related to not having a gidNumber for "Domain Users".
After adding it I got real wbinfo --user-info on the domain member (file server).
My test user could log in to his old home from the NT domain preserving the old UID and GID.

2. (question = why?)
And login.bat was called at login time _only_ after moving the [netlogon] share from the domain member to the ad-dc.
Why on earth it could not be called from the file server remains a mystery to me.
The LDAP field scriptPath was configured: \\member_server\netlogon\login.bat.

3.
To bind the homeDrive I had to put a colon (:) after the drive letter.

4. (question = how changing/correct surname, givenName?)
wbinfo output is slightly different on ad-dc and domain member with regard to the GECOS

On the ad-dc:
HUMGEN\test:*:9439:5000: WT. Test --given-name=Want To:/home/HUMGEN/test:/bin/false

The GECOS on ad-dc is composed from initials + surname + givenName.

On the domain member (real GECOS field or maybe description):
test:*:9439:5000:Want to Test://hg004.humgen.0zone/test/linhome:/bin/bash

The GECOS from the ad-dc will be sent as FullName to a joined Windows 8.1 computer.

The fields (I gave them to samba-tool by creating the test user) surname and givenName are not visible in the output of ldbsearch.
So, how would one modify the surname after a woman married and changed it?

5. (bug?)
Adding "hosts allow =" on the ad-dc breaks everything.
wbinfo will give no output on the ad-dc and an error on the domain member.

6.
After spying on what dnsupdate does (rndc dumpdb -zones) I could take the server service dnsupdate out of smb.conf and insert the records statically in bind9. So I have my whole subnet uniformly in one place (dhcp+bind, forward+reverse), regardless of whether the computer or printer is in the domain or not.

7.
The share [homes] (on the domain member) will generate after a generic path=/path/to/homes a share like \\file-server\test and inside this is again a directory test.
So to have the home directory content directly inside the homeDrive one has to declare the path=/path/to/homes/%S.

8.
With a combination of chmod g+s on a directory and "inherit permissions" in the smb.conf I can avoid a lot of the acl default hassle and administer the file system like in the old linux times, acl remaining a possibility.

9.
Given the developments it's a pity that Ubuntu Xenial LTS won't upgrade to the last branch. If I move my NT domain to 4.3 now I'll stay there for the next 10 years - for fear of breaking something.

All the above is common knowledge for all of you.
These were new discoveries for me after sleeping the last 12 years behind an old samba NT domain :)

Thanks to all the samba team and forum helpers for making it happen again and again.

rawi

SOLVED: WINBIND: UID and GID false mappings on domain member

rawi
Supplement:

> To bind the homeDrive I had to put a colon (:) after the drive letter.

And I discovered that

   homeDirectory: \\hg004.humgen.0zone\%USERNAME%

...won't work, but with the real login name it does.

I don't know now which of the two changes did the trick.

Re: SOLVED: WINBIND: UID and GID false mappings on domain member

Samba - General mailing list
In reply to this post by rawi
On Wed, 17 Aug 2016 04:54:41 -0700 (PDT)
rawi via samba <[hidden email]> wrote:

> I bump this only to say SOLVED and many thanks to Rowland.
>
> Lessons learned:
>
> 1.
> Indeed, my problems were related to not having a gidNumber for
> "Domain Users".
> After adding it I got real wbinfo --user-info on the domain member
> (file server).
> My test user could log in in his old home from the NT domain
> preserving the old UID and GID.
>
> 2. (question = why?)
> And login.bat was called at login time _only_ after moving the
> [netlogon] share from the domain member to the ad-dc.
> Why on earth it could not be called from the file server remains a
> mystery to me.
> The LDAP field scriptPath was configured:
> \\member_server\netlogon\login.bat.
>
> 3.
> To bind the homeDrive I had to put a colon (:) after the drive letter.
>
> 4. (question = how changing/correct surname, givenName?)
> wbinfo output is slightly different on ad-dc and domain member with
> regard to the Geckos

I think you mean 'gecos', a Gecko is a type of lizard ;-)

>
> On the ad-dc:
> HUMGEN\test:*:9439:5000: WT. Test --given-name=Want
> To:/home/HUMGEN/test:/bin/false
>
> The Geckos on ad-dc are composed from initials + surname + givenName.
>
> On the domain member (real Geckos field or may be description) :
> test:*:9439:5000:Want to
> Test://hg004.humgen.0zone/test/linhome:/bin/bash
>
> The Geckos from the ad-dc will be sent as FullName to a joined
> Windows 8.1 computer.

This is a known problem, winbindd on the DC only extracts uidNumber &
gidNumber attributes, I just wish somebody would fix this.

>
> The fields (I gave them to samba-tool by creating the test user)
> surname and givenName are not visible in the output of ldbsearch.
> So, how would one modify the surname after a woman married and
> changed it?

You should get virtually all of a user's attributes; there are a few
exceptions, i.e. the user's unicode password.

root@dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(&(objectclass=user)(samaccountname=rowland))'
# record 1
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
cn: Rowland Penny
sn: Penny
givenName: Rowland
instanceType: 4
whenCreated: 20151109093821.0Z
displayName: Rowland Penny
uSNCreated: 3871
name: Rowland Penny
objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
logonCount: 0
sAMAccountName: rowland
sAMAccountType: 805306368
userPrincipalName: [hidden email]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
 om
pwdLastSet: 130915355010000000
unixUserPassword: ABCD!efgh12345$67890
uid: rowland
msSFU30Name: rowland
msSFU30NisDomain: samdom
uidNumber: 10000
unixHomeDirectory: /home/rowland
loginShell: /bin/bash
userAccountControl: 66048
accountExpires: 0
gidNumber: 10000
objectClass: top
objectClass: securityPrincipal
objectClass: person
objectClass: organizationalPerson
objectClass: user
gecos: Rowland Penny
memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
homeDrive: H:
homeDirectory: \\DC2\home\rowland
whenChanged: 20160813074443.0Z
uSNChanged: 283069
lastLogonTimestamp: 131155478831131360
lastLogon: 131158939536858180
distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com

>
> 5. (bug?)
> Adding "hosts allow =" on the ad-dc breaks everything.
> wbinfo will give no output on the ad-dc and an error on the domain
> member.
>

If you can duplicate this at will, then it does sound like a bug.

> 6.
> After spying what dnsupdate does (rndc dumpdb -zones) I could take
> out the server service dnsupdate from smb.conf and insert the records
> statically in bind9. So I have all my subnet uniformly in one place
> (dhcp+bind, forward+reverse) regardless if the computer or printer is
> in the domain or not.
>

I do something like this, but use dhcp to do it automatically; for
static IPs, I use samba-tool to add them. If you mean that you have
removed 'dnsupdate' from the 'server services' line, can I recommend
you put it back, you need it for the 'samba_dnsupdate' script.


> 7.
> The share [homes] (on the domain member) will generate after a generic
> path=/path/to/homes a share like \\file-server\test and inside this
> is again a directory test.
> So to have the home directory content directly inside the homeDrive
> one has to declare the path=/path/to/homes/%S.
>
> 8.
> With a combination of chmod g+s on a directory and "inherit
> permissions" in the smb.conf I can avoid a lot of the acl default
> hassle and administer the file system like in the old linux times,
> acl remaining a possibility.
>
> 9.
> Given the developments it's pity that Ubuntu Xenial LTS won't upgrade
> to the last branch. If I move now my NT domain to 4.3 I'll stay so
> for the next 10 years - for fear to break something.

Don't be afraid of breaking things, that way you will miss a lot of the
changes that have already happened and the ones to come.

Rowland


Re: SOLVED: WINBIND: UID and GID false mappings on domain member

rawi
> you should get virtually all of a users attributes, there are a few
> exceptions i.e. the users unicode password.

Well yes, (embarrassed) I was looking only with one eye. With both eyes I can see the fields; the second eye has grasped that some fields are base64 encoded...

BTW, unicode passwords: could I set them to the passwords from the old NT domain?
(I decided to start with a fresh ad-dc, against classic-upgrade, in order to avoid possible errors from the old files and SIDs. So I'm willing to create all my users again per script. But passwords and machine credentials would be gorgeous.)

>> 5. (bug?)
>> Adding "hosts allow =" on the ad-dc breaks everything.
>> wbinfo will give no output on the ad-dc and an error on the domain
>> member.
>
> If you can duplicate this at will, then it does sound like a bug.

Yes, I can. Each time I write a "hosts allow = 10.1.2.0/255.255.255.0" into the ad-dc, wbinfo -u or -g gives no output any more (Samba Version 4.3.9-Ubuntu) on the ad-dc and outputs an error on the domain member.
Having "hosts allow" set on the domain member seems OK. I didn't try whether it is also effective...

> If you mean that you have
> removed 'dnsupdate' from the 'server services' line, can I recommend
> you put it back, you need it for the 'samba_dnsupdate' script.

Sorry, I do not understand what "samba_dnsupdate" is doing once I already have all the domain records fixed in zone files and have disabled the clients (per registry hack) from trying to update DNS. Please, why do I need it? How does it work?

> Don't be afraid of breaking things, that way you will miss a lot of the
> changes that have already happened and the ones to come.

Well, I have a helluva lot of respect for self-compilation with cryptic parameters.
I need to stay with the repositories. That is where the people who know what they are doing are.

Best regards
rawi
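As an added example (not from this thread and not Samba's own code), a small Python parser for `ldbsearch` LDIF output that unfolds continuation lines, decodes the base64 (`::`) values rawi noticed, and reports accounts lacking the uidNumber/gidNumber a domain member needs to map them (the missing "Domain Users" gidNumber from lesson 1). The sample LDIF is constructed, and the rule of which attributes each object class needs is an assumption.

```python
import base64

# Constructed sample shaped like ldbsearch output: a folded line, a base64 (::) value, a group without gidNumber.
SAMPLE_LDIF = """\
# record 1
dn: CN=Test User,CN=Users,DC=humgen,DC=0zone
sAMAccountName: test
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=humgen,DC=0z
 one
uidNumber: 9439
gidNumber: 5000
objectClass: user
description:: V2FudCB0byBUZXN0

dn: CN=Domain Users,CN=Users,DC=humgen,DC=0zone
sAMAccountName: Domain Users
objectClass: group
"""

def parse_ldif(text):
    """Return a list of records ({attribute: [values]}) from LDIF text."""
    records = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, then split on blank lines
        rec = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, rest = line.partition(":")
                if rest.startswith(":"):  # "attr:: <base64>" marks binary or non-ASCII data
                    rest = base64.b64decode(rest[1:]).decode("utf-8", "replace")
                rec.setdefault(attr, []).append(rest.strip())
        if rec:
            records.append(rec)
    return records

def missing_posix_ids(records):
    """sAMAccountName -> POSIX ids a domain member needs but the record lacks.
    Assumed rule: groups need gidNumber, users both; computer accounts ($) are skipped."""
    problems = {}
    for rec in records:
        name = rec.get("sAMAccountName", ["?"])[0]
        if "group" in rec.get("objectClass", []):
            needed = ("gidNumber",)
        elif "user" in rec.get("objectClass", []) and not name.endswith("$"):
            needed = ("uidNumber", "gidNumber")
        else:
            continue
        missing = [a for a in needed if a not in rec]
        if missing:
            problems[name] = missing
    return problems
```

Feed it the output of `ldbsearch -H /path/to/sam.ldb '(|(objectclass=user)(objectclass=group))'` instead of the sample to audit a real domain before pointing a member server at it.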