
winbind/idmap/AD problem?


winbind/idmap/AD problem?

Rippl, Steve-2
Hi,

I'm running 3.0.28a on Ubuntu 8.04 (their package).  I've got security =
ads and idmap backend = ad (smb.conf is posted below). I'm using
libnss-ldap and have ldap in nsswitch.conf (also posted below) and ldap
connected to the AD server.  I have the drive mounted using acl and
xattr_user options in fstab (acl is installed).  I can connect to the
share, I see in the logs that it's picking up the uid and gid from SFU
in AD, however, when I go into the explorer security tab (on the client)
and try to add a user it fails.  I don't get an error message within
windows (the user adding another user is the owner of the file/folder),
the user just disappears from the list as it refreshes!  On the server
I'm seeing a lot of this in log.winbindd-idmap

[2008/07/18 09:32:59, 1]
nsswitch/idmap_ad.c:idmap_ad_unixids_to_sids(294)
  ADS uninitialized

Now I don't know if this is related, but if I wbinfo -n wsd\\rippls I
get a long SID number, if I do wbinfo -s [same SID number] I get wsd
\rippls.  However, if I do wbinfo -U [uid for same user] I get a
different SID from before!

I'm trying very hard this summer to make this work so I can retire our
MS file server, so any help would be appreciated.  I tried this
initially in Etch, but that version wasn't handling the connection to
AD for nss and winbind very well at all, hence I'm trying in Ubuntu.

Thanks!


====smb.conf=====

[global]

   workgroup = WSD
   realm = woodland.wednet.edu
   server string = %h server

   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0

   panic action = /usr/share/samba/panic-action %d

   security = ads
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   invalid users = root

   socket options = TCP_NODELAY

   idmap backend = ad
   winbind nss info = sfu
   winbind nested groups = yes
   winbind use default domain = yes


[Student]
   path = /srv/Student
   read only = no
   store dos attributes = yes
   nt acl support = yes
   map acl inherit = yes
   inherit acls = yes
   acl map full control = yes
   dos filemode = yes


=====nsswitch.conf=====

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
Re: winbind/idmap/AD problem?

David Molina Cuevas
Have you tried adding "winbind" in the file nsswitch.conf for the fields
passwd, group and shadow?

So, if you have SFU at your DC, you don't need winbind to authenticate
users, you can configure the system for a LDAP binding.
Read the PDFs of this web, the last 2 are very interesting for your problem:
http://www.interopsystems.com/learning.htm

They work with 2003 R2 and Fedora, but it's the same, because R2 version has
the SFU integrated.

And by the way, some time ago I tried to make a LDAP binding with an Ubuntu
7.10, but it didn't work. Maybe with Hardy it's different.

Luck!
David Molina

On Fri, Jul 18, 2008 at 8:11 PM, Steve Rippl <[hidden email]>
wrote:

> Hi,
>
> I'm running 3.0.28a on Ubuntu 8.04 (their package).  I've got security =
> ads and idmap backend = ad (smb.conf is posted below). I'm using
> libnss-ldap and have ldap in nsswitch.conf (also posted below) and ldap
> connected to the AD server.  I have the drive mounted using acl and
> xattr_user options in fstab (acl is installed).  I can connect to the
> share, I see in the logs that it's picking up the uid and gid from SFU
> in AD, however, when I go into the explorer security tab (on the client)
> and try to add a user it fails.  I don't get an error message within
> windows (the user adding another user is the owner of the file/folder),
> the user just disappears from the list as it refreshes!  On the server
> I'm seeing a lot of this in log.winbindd-idmap
>
> [2008/07/18 09:32:59, 1]
> nsswitch/idmap_ad.c:idmap_ad_unixids_to_sids(294)
>  ADS uninitialized
>
> Now I don't know if this is related, but if I wbinfo -n wsd\\rippls I
> get a long SID number, if I do wbinfo -s [same SID number] I get wsd
> \rippls.  However, if I do wbinfo -U [uid for same user] I get a
> different SID from before!
>
> I'm trying very hard this summer to make this work so I can retire our
> MS file server, so any help would be appreciated.  I tried this
> initially in Etch, but that version wasn't handling the connection to
> AD for nss and winbind very well at all, hence I'm trying in Ubuntu.
>
> Thanks!
>
>
> ====smb.conf=====
>
> [global]
>
>   workgroup = WSD
>   realm = woodland.wednet.edu
>   server string = %h server
>
>   log file = /var/log/samba/log.%m
>   max log size = 1000
>   syslog = 0
>
>   panic action = /usr/share/samba/panic-action %d
>
>   security = ads
>   encrypt passwords = true
>   passdb backend = tdbsam
>   obey pam restrictions = yes
>   invalid users = root
>
>   socket options = TCP_NODELAY
>
>   idmap backend = ad
>   winbind nss info = sfu
>   winbind nested groups = yes
>   winbind use default domain = yes
>
>
> [Student]
>   path = /srv/Student
>   read only = no
>   store dos attributes = yes
>   nt acl support = yes
>   map acl inherit = yes
>   inherit acls = yes
>   acl map full control = yes
>   dos filemode = yes
>
>
> =====nsswitch.conf=====
>
> passwd:         files ldap
> group:          files ldap
> shadow:         files ldap
>
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
Re: winbind/idmap/AD problem?

Rippl, Steve-2
In reply to this post by Rippl, Steve-2
Thanks David, yes I have tried all these and nothing seems to be
working!

Here's where I'm at... libnss-ldap is working with my AD server, with
just 'files ldap' in nsswitch.conf a getent passwd returns local users
and users from AD, but they seem to be treated as local, ie they are
'admin' rather than 'wsd\admin'.  So, on a windows client I go to my
test share as a domain user, in the log I see that it picks up the
uid/gid from AD, but in the security tab the user is 'Unix User
\2009test' NOT 'wsd\2009test'.  If I try to add a user through this tab
they are wsd\username, and then I get

[2008/07/23 09:30:45, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
  create_canon_ace_lists: unable to map SID
S-1-5-21-3668144929-636610183-3299198910-1120 to uid or gid.

in the log file when I hit apply.  I'm also still getting

[2008/07/23 09:30:45, 1]
nsswitch/idmap_ad.c:idmap_ad_unixids_to_sids(294)
  ADS uninitialized

in log.winbindd-idmap.

If I add winbind to the list in nsswitch it makes no difference, if I
have just 'files winbind' nothing works!  This is all with idmap backend
= ad, if I set it to tdb winbind does work correctly.

What do I have to do to configure idmap backend = ad correctly????  I've
now compiled 3.0.31 with --with-shared-modules=idmap_ad, I've tried
winbind nss info = sfu and leaving it out.  Some people said use rfc2307
even though they claimed to be using SFU not R2, tried that and it
didn't make any difference (I'm using SFU 3.5).  David's references seem
to be using ldap to store idmap info rather than getting uid/gid info
from ad.

Has someone out there got this working?  The Samba-3 Howto for this says
to just use 'files ldap' in nsswitch, but to reiterate, if I do that I'm
not getting connected users recognised as domain user?!!




>
> Have you tried to add "winbind" at the file nsswitch.conf for the
> fields
> passwd, group and shadow?
>
> So, if you have SFU at your DC, you don't need winbind to authenticate
> users, you can configure the system for a LDAP binding.
> Read the PDFs of this web, the last 2 are very interesting for your
> problem:
> http://www.interopsystems.com/learning.htm
>
> They work with 2003 R2 and Fedora, but it's the same, because R2
> version has
> the SFU integrated.
>
> And by the way, some time ago I tried to make a LDAP binding with an
> Ubuntu
> 7.10, but it didn't work. Maybe with Hardy it's different.
>
> Luck!
> David Molina
>
>
> On Fri, 2008-07-18 at 11:11 -0700, Steve Rippl wrote:
> > Hi,
> >
> > I'm running 3.0.28a on Ubuntu 8.04 (their package).  I've got
> security =
> > ads and idmap backend = ad (smb.conf is posted below). I'm using
> > libnss-ldap and have ldap in nsswitch.conf (also posted below) and
> ldap
> > connected to the AD server.  I have the drive mounted using acl and
> > xattr_user options in fstab (acl is installed).  I can connect to
> the
> > share, I see in the logs that it's picking up the uid and gid from
> SFU
> > in AD, however, when I go into the explorer security tab (on the
> client)
> > and try to add a user it fails.  I don't get an error message within
> > windows (the user adding another user is the owner of the
> file/folder),
> > the user just disappears from the list as it refreshes!  On the
> server
> > I'm seeing a lot of this in log.winbindd-idmap
> >
> > [2008/07/18 09:32:59, 1]
> > nsswitch/idmap_ad.c:idmap_ad_unixids_to_sids(294)
> >   ADS uninitialized
> >
> > Now I don't know if this is related, but if I wbinfo -n wsd\\rippls
> I
> > get a long SID number, if I do wbinfo -s [same SID number] I get wsd
> > \rippls.  However, if I do wbinfo -U [uid for same user] I get a
> > different SID from before!
> >
> > I'm trying very hard this summer to make this work so I can retire
> our
> > MS file server, so any help would be appreciated.  I tried this
> > initially in Etch, but that version wasn't handling the connection
> to
> > AD for nss and winbind very well at all, hence I'm trying in Ubuntu.
> >
> > Thanks!
> >
> >
> > ====smb.conf=====
> >
> > [global]
> >
> >    workgroup = WSD
> >    realm = woodland.wednet.edu
> >    server string = %h server
> >
> >    log file = /var/log/samba/log.%m
> >    max log size = 1000
> >    syslog = 0
> >
> >    panic action = /usr/share/samba/panic-action %d
> >
> >    security = ads
> >    encrypt passwords = true
> >    passdb backend = tdbsam
> >    obey pam restrictions = yes
> >    invalid users = root
> >
> >    socket options = TCP_NODELAY
> >
> >    idmap backend = ad
> >    winbind nss info = sfu
> >    winbind nested groups = yes
> >    winbind use default domain = yes
> >
> >
> > [Student]
> >    path = /srv/Student
> >    read only = no
> >    store dos attributes = yes
> >    nt acl support = yes
> >    map acl inherit = yes
> >    inherit acls = yes
> >    acl map full control = yes
> >    dos filemode = yes
> >
> >
> > =====nsswitch.conf=====
> >
> > passwd:         files ldap
> > group:          files ldap
> > shadow:         files ldap
> >
> > hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
> > networks:       files
> >
> > protocols:      db files
> > services:       db files
> > ethers:         db files
> > rpc:            db files
> >
> > netgroup:       nis
> >
>
>
Re: winbind/idmap/AD problem?

Howard Wilkinson
Steve Rippl wrote:

> Thanks David, yes I have tried all these and nothing seems to be
> working!
>
> Here's where I'm at... libnss-ldap is working with my AD server, with
> just 'files ldap' in nsswitch.conf a getent passwd returns local users
> and users from AD, but they seem to be treated as local, ie they are
> 'admin' rather than 'wsd\admin'.  So, on a windows client I go to my
> test share as a domain user, in the log I see that it picks up the
> uid/gid from AD, but in the security tab the user is 'Unix User
> \2009test' NOT 'wsd\2009test'.  If I try to add a user through this tab
> they are wsd\username, and then I get
>
> [2008/07/23 09:30:45, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
>   create_canon_ace_lists: unable to map SID
> S-1-5-21-3668144929-636610183-3299198910-1120 to uid or gid.
>
> in the log file when I hit apply.  I'm also still getting
>
> [2008/07/23 09:30:45, 1]
> nsswitch/idmap_ad.c:idmap_ad_unixids_to_sids(294)
>   ADS uninitialized
>
> in log.winbindd-idmap.
>
> If I add winbind to the list in nsswitch it makes no difference, if I
> have just 'files winbind' nothing works!  This is all with idmap backend
> = ad, if I set it to tdb winbind does work correctly.
>
> What do I have to do to configure idmap backend = ad correctly????  I've
> now compiled 3.0.31 with --with-shared-modules=idmap_ad, I've tried
> winbind nss info = sfu and leaving it out.  Some people said use rfc2307
> even though they claimed to be using SFU not R2, tried that and it
> didn't make any difference (I'm using SFU 3.5).  David's references seem
> to be using ldap to store idmap info rather than getting uid/gid info
> from ad.
>
> Has someone out there got this working?  The Samba-3 Howto for this says
> to just use 'files ldap' in nsswitch, but to reiterate, if I do that I'm
> not getting connected users recognised as domain user?!!
>
>
>  
Have you put POSIX attributes onto the users in the active directory?

        idmap backend = ad:ldap://domain.fqdn
        winbind nss info = rfc2307

Should work. You also need

        use kerberos keytab = yes

Howard.
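Added here as an example, not code from the Samba project or from any poster in this thread: a Python script that turns Steve's wbinfo comparison (name -> SID, SID -> name, uid -> SID, which should all agree) into a round-trip consistency check, and lints the smb.conf [global] section against the three settings Howard gives above. Offline it runs against constructed tables with placeholder SIDs; live_lookups() shells out to wbinfo and getent, and the output formats it parses are assumptions rather than anything quoted on this page.

```python
"""Added example (not code from the Samba project or from anyone in this
thread): an offline consistency check of the three wbinfo look-ups Steve
compares (-n name -> SID, -s SID -> name, -U uid -> SID) plus a lint of the
smb.conf [global] settings Howard recommends. The live wrappers at the end
shell out to wbinfo and getent; the output formats they parse are assumed."""
import re
import subprocess
from typing import Callable, Dict, List, Optional

Lookup = Callable[[str], Optional[str]]  # returns None when unresolvable


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {key: value}}. Section names and keys are
    lower-cased, inner whitespace in keys collapsed; '#'/';' comments skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def lint_idmap_settings(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Compare [global] with what Howard's reply asks for: idmap backend =
    ad:ldap://<dc fqdn>, winbind nss info = rfc2307 (sfu is what Steve had),
    use kerberos keytab = yes. An empty list means nothing to report."""
    g = conf.get("global", {})
    findings: List[str] = []
    if g.get("security", "").lower() != "ads":
        findings.append("security is not 'ads'; idmap_ad expects an AD member server")
    backend = g.get("idmap backend", "")
    if not backend.startswith("ad"):
        findings.append(f"idmap backend is {backend!r}, expected the ad backend")
    elif not backend.startswith("ad:ldap://"):
        findings.append("idmap backend = ad carries no ldap:// URL (Howard: ad:ldap://domain.fqdn)")
    if g.get("winbind nss info", "").lower() not in ("rfc2307", "sfu"):
        findings.append("winbind nss info missing; rfc2307 (or sfu) selects the POSIX attributes")
    if g.get("use kerberos keytab", "").lower() != "yes":
        findings.append("use kerberos keytab = yes missing (keytab from 'net ads keytab create -P')")
    return findings


def check_roundtrip(name: str, name_to_sid: Lookup, sid_to_name: Lookup,
                    name_to_uid: Lookup, uid_to_sid: Lookup) -> List[str]:
    """Steve's test: SID-from-name, name-from-that-SID and SID-from-uid must
    agree, otherwise the uid NSS returns and the one idmap hands out do not
    come from the same mapping."""
    problems: List[str] = []
    sid = name_to_sid(name)
    if sid is None:
        return [f"{name}: name -> SID lookup failed (winbind cannot see the domain)"]
    back = sid_to_name(sid)
    if back is None or back.lower() != name.lower():
        problems.append(f"{name}: SID {sid} maps back to {back!r}")
    uid = name_to_uid(name)
    if uid is None:
        problems.append(f"{name}: no uid from NSS (POSIX attributes not visible)")
        return problems
    sid_from_uid = uid_to_sid(uid)
    if sid_from_uid != sid:
        problems.append(f"{name}: uid {uid} -> {sid_from_uid!r} but name -> {sid} (idmap and NSS disagree)")
    return problems


def _run(cmd: List[str]) -> Optional[str]:
    """Run a command; None on failure or empty output (wbinfo exits non-zero
    when a lookup fails)."""
    try:
        r = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except OSError:
        return None
    out = r.stdout.strip()
    return out if r.returncode == 0 and out else None


def live_lookups() -> Dict[str, Lookup]:
    """Assumed formats: 'wbinfo -n' prints '<SID> <type>', 'wbinfo -s' prints
    '<NAME> <type>', 'wbinfo -U' prints the SID alone, getent prints passwd(5)."""
    def first(out): return out.split()[0] if out else None
    def all_but_last(out): return " ".join(out.split()[:-1]) if out else None
    def uid_field(out):
        parts = out.split(":") if out else []
        return parts[2] if len(parts) > 2 else None
    return {
        "name_to_sid": lambda n: first(_run(["wbinfo", "-n", n])),
        "sid_to_name": lambda s: all_but_last(_run(["wbinfo", "-s", s])),
        "name_to_uid": lambda n: uid_field(_run(["getent", "passwd", n])),
        "uid_to_sid": lambda u: first(_run(["wbinfo", "-U", u])),
    }


# Constructed sample tables (placeholder SIDs) reproducing the symptom in the
# thread: the name resolves to one SID, the user's uid to another.
SAMPLE = {
    "name_to_sid": {"wsd\\rippls": "S-1-5-21-100-200-300-1120"},
    "sid_to_name": {"S-1-5-21-100-200-300-1120": "wsd\\rippls"},
    "name_to_uid": {"wsd\\rippls": "10001"},
    "uid_to_sid": {"10001": "S-1-5-21-100-200-300-1500"},
}
SAMPLE_SMB_CONF = "[global]\n   security = ads\n   idmap backend = ad\n   winbind nss info = sfu\n"


def demo(name: str = "wsd\\rippls", tables=SAMPLE, smb_conf: str = SAMPLE_SMB_CONF) -> Dict[str, List[str]]:
    """Run both checks; tables may hold dicts (offline) or callables (live_lookups())."""
    l = {k: (v.get if isinstance(v, dict) else v) for k, v in tables.items()}
    return {
        "roundtrip": check_roundtrip(name, l["name_to_sid"], l["sid_to_name"],
                                     l["name_to_uid"], l["uid_to_sid"]),
        "lint": lint_idmap_settings(parse_smb_conf(smb_conf)),
    }


if __name__ == "__main__":
    for kind, lines in demo().items():
        print(kind, "OK" if not lines else "\n  " + "\n  ".join(lines))
```

On a real member server, `demo("wsd\\someuser", live_lookups(), open("/etc/samba/smb.conf").read())` performs the same two checks with the actual wbinfo and getent output; a "disagree" finding is the same symptom Steve saw with wbinfo -U returning a different SID.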

Re: winbind/idmap/AD problem?

Howard Wilkinson
Steve Rippl wrote:
> On Wed, 2008-07-23 at 10:22 -0700, Howard Wilkinson wrote:
>  
[snip]

>> Have you put POSIX attributes onto the users in the active directory?
>>
>>         idmap backend = ad:ldap://domain.fqdn
>>         winbind nss info = rfc2307
>>
>>
>> Should work. You also need
>>         use kerberos keytab = yes
>>
>> Howard.
>>
>>    
> Yep, I've got posix attributes for users in AD.  I added the keytab (net
> ads keytab create -P) and changed smb.conf to reflect the lines you have
> above (with my actual fqdn for the AD server), and now I get this in
> log.winbindd-idmap
>
> [2008/07/23 15:33:25, 1] nsswitch/idmap.c:idmap_init(377)
>   Initializing idmap domains
> [2008/07/23 15:33:25, 2] lib/module.c:do_smb_load_module(64)
>   Module '/usr/local/samba/lib/idmap/ad.so' loaded
> [2008/07/23 15:33:25, 2] lib/module.c:do_smb_load_module(64)
>   Module '/usr/local/samba/lib/idmap/ad.so' loaded
> [2008/07/23 15:33:25, 2] nsswitch/idmap.c:idmap_init(779)
>   idmap_init: Unable to get methods for alloc backend ad
>  
The line above looks suspicious! It looks as though your build does not
do the dynamic linking properly! I would need to get to this release and
build it locally to find out what is going wrong. Perhaps somebody else
could tell us what is going on here.

> [2008/07/23 15:33:25, 2]
> nsswitch/idmap_ad.c:ad_idmap_cached_connection(152)
>   ad_idmap_cached_connection: Failed to obtain schema details!
> [2008/07/23 15:33:25, 1]
> nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(514)
>   ADS uninitialized
> [2008/07/23 15:33:25, 2]
> nsswitch/idmap.c:idmap_backends_sids_to_unixids(1233)
>   ERROR: NTSTATUS = 0xc0000001
>
>
> I can wbinfo -a|n|s, that works, but getent is still not returning the
> user.  I copied libnss_winbind into /lib and ran ldconfig but it seems
> as though getent isn't using it?!
>
> Also, maybe I'm wrong but I thought that to query ldap attributes in AD
> you had to bind with a valid user, how is the idmap backend doing that?
>  

The way I do this is to use kerberos keytabs in my nss_ldap lookups. I
take the machine keytab (or specially created ones) and add them to the
nss_ldap setup.

This needs at least nss_ldap 259 and my latest patches which I published
about 2 weeks ago.

I have not yet tried the libnss-ldapd software as I need to write
patches for that as well. My systems are all Fedora Linux (7,8,9 with
some bleeding edge backports) so similar but not the same as yours.

However, I can confirm the pam_krb5, nss_ldap, samba combination can be
made to work with an AD backend just about seamlessly. So keep plugging
away and you will get it to work.

Howard.
