Stefano Pardini
2016-08-08 15:33:59 UTC
Hi everyone.
I'm encountering problems with the management of the id of the users,
in the DC and in the domain members (RFC2370).
I'm using Samba Version 4.2.10-Debian on Debian8.5.
This is the DC configuration / result.
***@samba4:/var/lib/samba# cat /etc/samba/smb.conf |grep -v '#'
[global]
workgroup = MYNET
realm = ad.mynet.lan
netbios name = SAMBA4
server role = active directory domain controller
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate, smb
server services = -s3fs -dns
dcerpc endpoint servers = +winreg +srvsvc
interfaces = 192.168.10.7
log file = /var/log/samba/mynet.log
syslog = 0
log level = 3 passdb:0 auth:0 winbind:0 vfs:0
vfs objects = full_audit
idmap_ldb:use rfc2307 = yes
winbind nss info = rfc2307
idmap config *:backend = tdb
idmap config *:range = 10000-49999
idmap config MYNET:backend = ad
idmap config MYNET:schema_mode = rfc2307
idmap config MYNET:range = 50000-99999
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind normalize names = Yes
dsdb:schema update allowed = true
tls enabled = yes
tls keyfile = /etc/samba/certs/samba4.server.mynet.lan.key
tls certfile = /etc/samba/certs/samba4.server.mynet.lan.crt
kerberos method = system keytab
client ldap sasl wrapping = sign
allow dns updates = nonsecure and secure
nsupdate command = /usr/bin/nsupdate -g
ldap server require strong auth = No
[netlogon]
path = /var/lib/samba/sysvol/ad.mynet.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
This is the result of the provisioning operation.
***@samba4:~# /usr/bin/samba-tool domain provision
--realm=ad.mynet.lan --domain=MYNET --adminpass='p4ssw0rd'
--server-role=dc --dns-backend=BIND9_DLZ --function-level=2008_R2
--use-xattr=yes --host-ip=192.168.10.7 --use-rfc2307
...
Server Role: active directory domain controller
Hostname: samba4
NetBIOS Domain: MYNET
DNS Domain: ad.mynet.lan
DOMAIN SID: S-1-5-21-1682454527-3772531157-3555914497
***@samba4:~# head /etc/nsswitch.conf |grep -v '#'
passwd: compat winbind
group: compat winbind
***@samba4:/var/lib/samba# getent passwd testuser
MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false
***@samba4:/var/lib/samba# id testuser
uid=10001(MYNET\testuser) gid=100(users) groups=100(users)
***@adclient:/etc/samba# wbinfo -i testuser
MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false
This is the domain member configuration / result.
***@adclient:/etc/samba# id testuser
uid=10005(testuser) gid=10000(domain users) groups=10000(domain
users),10023(BUILTIN\users)
***@adclient:/etc/samba# getent passwd testuser
testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false
***@adclient:/etc/samba# wbinfo -i testuser
testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false
***@adclient:~# head /etc/nsswitch.conf |grep -v '#'
passwd: compat winbind
group: compat winbind
***@adclient:~# net ads info
LDAP server: 192.168.10.7
LDAP server name: samba4.ad.mynet.lan
Realm: AD.MYNET.LAN
Bind Path: dc=AD,dc=MYNET,dc=LAN
LDAP port: 389
Server time: Mon, 08 Aug 2016 16:22:35 CEST
KDC server: 192.168.10.7
Server time offset: 25
***@adclient:~# net ads testjoin
Join is OK
***@adclient:/etc/ldap# cat /etc/samba/smb.conf |grep -v '#'
[global]
netbios name = ADCLIENT
security = ads
workgroup = MYNET
realm = AD.MYNET.LAN
server string = Active Directory Domain Member (test)
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
log file = /var/log/samba/mynet.log
syslog = 0
log level = 3 passdb:0 auth:0 winbind:0 vfs:0
idmap config MYNET:backend = ad
idmap config MYNET:schema_mode = rfc2307
idmap config MYNET:range = 50000-99999
winbind nss info = rfc2307
idmap_ldb:use rfc2307 = yes
This is an ldapsearch result for 'testuser'.
***@samba4:/var/lib/samba# ldapsearch -x -h samba4.server.mynet.lan
-b 'ou=Teachers,ou=Users,ou=MyNet,dc=ad,dc=mynet,dc=lan' -D
'***@ad.mynet.lan' -w 'p4ssw0rd'
'(&(objectClass=person)(sAMAccountName=testuser))'
...
uidNumber: 10001
unixHomeDirectory: /home/testuser
gidNumber: 10000
msSFU30Name: testuser
unixUserPassword: ABCD!efgh12345$67890
uid: testuser
loginShell: /bin/bash
...
As you can see, the NIS attributes are correctly stored inside the LDAP tree.
But the results are very different in each location.
In the DC: uidNumber and gidNumber are correctly extracted and viewed
(but the loginShell and unixHomeDirectory are wrong).
In the domain member: everything is independent from the AD stored user.
I've already deleted the winbind cache with the 'net cache flush' command,
tried leaving and rejoining the domain, and removed the *tdb files.
I've created 'testuser' with the ADUC utility running on Windows7
(I've enabled the UNIX attributes section).
Thanks in advance for your help.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
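A check a practitioner would run on the domain member in this situation, added here as an example; it is neither the poster's code nor part of Samba. It assumes two things documented for the idmap_ad backend and for member setups: winbind's ad backend only maps uidNumber/gidNumber values that fall inside the `idmap config DOMAIN:range` it is given, and a member also needs a default `idmap config * :` domain for BUILTIN and other unmapped SIDs. The script parses the idmap lines of an smb.conf and the uidNumber/gidNumber of an LDIF entry and reports every reason the stored IDs would not be used. The sample configs and the LDIF are constructed inline with the numbers from the post (range 50000-99999, uidNumber 10001, gidNumber 10000); the "widened" config is a constructed comparison, not a recommendation from the thread. It is written for a member: a Samba AD DC resolves IDs through idmap_ldb rather than these ranges, so the DC side of the post is outside its scope.

```python
import re

# Constructed sample input (not the poster's complete file): the idmap-related
# lines of a domain member's smb.conf, using the same values as the post above.
MEMBER_SMB_CONF = """
[global]
security = ads
workgroup = MYNET
idmap config MYNET:backend = ad
idmap config MYNET:schema_mode = rfc2307
idmap config MYNET:range = 50000-99999
winbind nss info = rfc2307
"""

# Constructed comparison: the same member config with a default '*' domain added
# and the MYNET range widened so that it covers the IDs stored in the directory.
FIXED_MEMBER_SMB_CONF = """
[global]
security = ads
workgroup = MYNET
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYNET : backend = ad
idmap config MYNET : schema_mode = rfc2307
idmap config MYNET : range = 10000-99999
winbind nss info = rfc2307
"""

# Constructed: trimmed LDIF of the account as stored in AD (numbers from the post).
USER_LDIF = """
dn: CN=Test User,ou=Teachers,ou=Users,ou=MyNet,dc=ad,dc=mynet,dc=lan
sAMAccountName: testuser
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/testuser
loginShell: /bin/bash
"""

# Matches 'idmap config DOMAIN:key = value' with or without spaces around the colon.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap_config(conf):
    """Return {DOMAIN: {key: value}} for every idmap config line in an smb.conf text."""
    idmap = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(domain, {})[key] = value
    return idmap


def parse_range(text):
    """Parse 'LOW-HIGH' into (low, high) ints, rejecting an inverted range."""
    low, high = (int(part.strip()) for part in text.split("-", 1))
    if low > high:
        raise ValueError(f"inverted idmap range {text!r}")
    return low, high


def parse_ldif_ids(ldif):
    """Pull uidNumber and gidNumber out of LDIF text; other attributes are ignored."""
    ids = {}
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip() in ("uidNumber", "gidNumber"):
            ids[attr.strip()] = int(value.strip())
    return ids


def check_rfc2307_ids(conf, ldif, domain):
    """Return findings explaining why winbind on a member would not use the
    directory-stored IDs; an empty list means config and entry agree."""
    findings = []
    idmap = parse_idmap_config(conf)
    dom = idmap.get(domain.upper(), {})
    if dom.get("backend", "").lower() != "ad":
        findings.append(f"idmap config {domain}:backend is not 'ad'; stored uidNumber/gidNumber are ignored")
    elif "range" not in dom:
        findings.append(f"idmap config {domain}:range is missing")
    else:
        low, high = parse_range(dom["range"])
        ids = parse_ldif_ids(ldif)
        for attr in ("uidNumber", "gidNumber"):
            if attr not in ids:
                findings.append(f"{attr} is not set on the directory entry")
            elif not low <= ids[attr] <= high:
                findings.append(f"{attr} {ids[attr]} lies outside idmap config {domain}:range "
                                f"{low}-{high}; the ad backend will not map it")
    default = idmap.get("*", {})
    if "range" not in default:
        findings.append("no 'idmap config * : range' default domain; BUILTIN and unmapped SIDs have nowhere to go")
    elif "range" in dom:
        dlow, dhigh = parse_range(default["range"])
        low, high = parse_range(dom["range"])
        if low <= dhigh and dlow <= high:  # the two ranges intersect
            findings.append(f"default range {dlow}-{dhigh} overlaps {domain} range {low}-{high}")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", MEMBER_SMB_CONF), ("widened", FIXED_MEMBER_SMB_CONF)):
        print(f"--- member smb.conf {label} ---")
        for finding in check_rfc2307_ids(conf, USER_LDIF, "MYNET") or ["OK: stored IDs fall inside the configured range"]:
            print(finding)
```

Run against the posted member values it reports that both 10001 and 10000 lie outside 50000-99999 and that no default domain is defined, which is exactly the situation in which winbind hands out its own IDs instead of the ones in AD; the widened config passes cleanly. Swap the constructed strings for the real `/etc/samba/smb.conf` and an `ldapsearch` dump to use it on a live member.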