[Samba] idmap_ad and RFC2307 (inconsistent results)
Stefano Pardini
2016-08-08 15:33:59 UTC
Hi everyone.
I'm encountering problems with the management of the IDs of the users,
in the DC and in the domain members (RFC2307).

I'm using Samba Version 4.2.10-Debian on Debian8.5.

This is the DC configuration / result.

***@samba4:/var/lib/samba# cat /etc/samba/smb.conf |grep -v '#'
[global]
workgroup = MYNET
realm = ad.mynet.lan
netbios name = SAMBA4
server role = active directory domain controller
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb
server services = -s3fs -dns
dcerpc endpoint servers = +winreg +srvsvc
interfaces = 192.168.10.7
log file = /var/log/samba/mynet.log
syslog = 0
log level = 3 passdb:0 auth:0 winbind:0 vfs:0
vfs objects = full_audit

idmap_ldb:use rfc2307 = yes
winbind nss info = rfc2307

idmap config *:backend = tdb
idmap config *:range = 10000-49999

idmap config MYNET:backend = ad
idmap config MYNET:schema_mode = rfc2307
idmap config MYNET:range = 50000-99999

winbind enum users = Yes
winbind enum groups = Yes

winbind use default domain = Yes
winbind refresh tickets = Yes
winbind normalize names = Yes

dsdb:schema update allowed = true

tls enabled = yes
tls keyfile = /etc/samba/certs/samba4.server.mynet.lan.key
tls certfile = /etc/samba/certs/samba4.server.mynet.lan.crt

kerberos method = system keytab
client ldap sasl wrapping = sign
allow dns updates = nonsecure and secure
nsupdate command = /usr/bin/nsupdate -g

ldap server require strong auth = No

[netlogon]
path = /var/lib/samba/sysvol/ad.mynet.lan/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

This is the result of the provisioning operation.
***@samba4:~# /usr/bin/samba-tool domain provision
--realm=ad.mynet.lan --domain=MYNET --adminpass='p4ssw0rd'
--server-role=dc --dns-backend=BIND9_DLZ --function-level=2008_R2
--use-xattr=yes --host-ip=192.168.10.7 --use-rfc2307
...
Server Role: active directory domain controller
Hostname: samba4
NetBIOS Domain: MYNET
DNS Domain: ad.mynet.lan
DOMAIN SID: S-1-5-21-1682454527-3772531157-3555914497

***@samba4:~# head /etc/nsswitch.conf |grep -v '#'
passwd: compat winbind
group: compat winbind

***@samba4:/var/lib/samba# getent passwd testuser
MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false

***@samba4:/var/lib/samba# id testuser
uid=10001(MYNET\testuser) gid=100(users) groups=100(users)

***@adclient:/etc/samba# wbinfo -i testuser
MYNET\testuser:*:10001:100:Test User:/home/MYNET/testuser:/bin/false
This is the domain member configuration / result.

***@adclient:/etc/samba# id testuser
uid=10005(testuser) gid=10000(domain users) groups=10000(domain users),10023(BUILTIN\users)

***@adclient:/etc/samba# getent passwd testuser
testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false

***@adclient:/etc/samba# wbinfo -i testuser
testuser:*:10005:10000:Test User:/home/MYNET/testuser:/bin/false

***@adclient:~# head /etc/nsswitch.conf |grep -v '#'
passwd: compat winbind
group: compat winbind

***@adclient:~# net ads info
LDAP server: 192.168.10.7
LDAP server name: samba4.ad.mynet.lan
Realm: AD.MYNET.LAN
Bind Path: dc=AD,dc=MYNET,dc=LAN
LDAP port: 389
Server time: Mon, 08 Aug 2016 16:22:35 CEST
KDC server: 192.168.10.7
Server time offset: 25

***@adclient:~# net ads testjoin
Join is OK

***@adclient:/etc/ldap# cat /etc/samba/smb.conf |grep -v '#'
[global]
netbios name = ADCLIENT
security = ads
workgroup = MYNET
realm = AD.MYNET.LAN
server string = Active Directory Domain Member (test)

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes

winbind enum users = yes
winbind enum groups = yes

log file = /var/log/samba/mynet.log
syslog = 0
log level = 3 passdb:0 auth:0 winbind:0 vfs:0

idmap config MYNET:backend = ad
idmap config MYNET:schema_mode = rfc2307
idmap config MYNET:range = 50000-99999
winbind nss info = rfc2307

idmap_ldb:use rfc2307 = yes
This is a ldapsearch result for 'testuser'.
***@samba4:/var/lib/samba# ldapsearch -x -h samba4.server.mynet.lan
-b 'ou=Teachers,ou=Users,ou=MyNet,dc=ad,dc=mynet,dc=lan' -D
'***@ad.mynet.lan' -w 'p4ssw0rd'
'(&(objectClass=person)(sAMAccountName=testuser))'
...
uidNumber: 10001
unixHomeDirectory: /home/testuser
gidNumber: 10000
msSFU30Name: testuser
unixUserPassword: ABCD!efgh12345$67890
uid: testuser
loginShell: /bin/bash
...
As you can see, the NIS attributes are correctly stored inside the LDAP tree.
But the results are very different in each location.
In the DC: uidNumber and gidNumber are correctly extracted and viewed
(but the loginShell and unixHomeDirectory are wrong).
In the domain member: everything is independent from the AD-stored user.
I've already deleted the winbind cache with the 'net cache flush' command,
tried leaving and rejoining the domain, and removed the *.tdb files.
I've created 'testuser' with the ADUC utility running on Windows 7
(I've enabled the UNIX attributes section).

Thanks in advance for your help.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba