
Re: [Samba] domain member idmap wbinfo WBC_ERR_DOMAIN_NOT_FOUND




On 10/07/17 17:05, Rowland Penny via samba wrote:
> On Mon, 10 Jul 2017 14:17:42 +1000
> Tom Robinson via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> Hi,
>>
>> I've done a classic upgrade from samba 3.6.23 to samba 4.6.5
>> bringing across all the user accounts. The samba 3.6.23 we set up
>> with smbldap as an NT Domain with OpenLDAP. After a lot of effort the
>> classic upgrade worked well but now I'm a bit stuck with idmapping.
>>
>> The new AD DC is running 4.6.5 on CentOS7 and I can connect using
>> ADUC. I set up a separate AD DM on another CentOS7 install but
>> mapping id's is confusing me.
>>
>> All the users and groups brought across have 'UNIX Attributes'
>> assigned when I check in ADUC. BUILTINs and other 'Well Known' SIDS
>> don't.
>>
>> Part of my issue may stem from the fact that the original samba 3.6
>> POSIX UIDs/GIDs were all low numbers (starting at around 500 and up).
>> The accounts are legacy upon legacy, originally coming
>> from /etc/{passwd,group} files that were manually sync'ed from host
>> to host to host a long time ago (before my time) then brought into
>> samba 3.6.23/OpenLDAP and now samba 4.6.5. Are these low numbered
>> UIDs an issue?
>>
>> On the DM I am getting an error: WBC_ERR_DOMAIN_NOT_FOUND when using
>> wbinfo. This is very similar to thread:
>>
>> https://lists.samba.org/archive/samba/2015-November/195991.html
>>
>> On the DC:
>>
>> # wbinfo -u
>> MY.DOM\administrator
>> MY.DOM\auser
>> MY.DOM\user2
>> MY.DOM\user3
>> ...
>>
>> # wbinfo -n auser
>> S-1-5-21-2252255531-4061614174-2474224977-2184 SID_USER (1)
>>
>> # wbinfo -i auser
>> MY.DOM\auser:*:592:100::/home/MY.DOM/auser:/bin/false
>>
>> On the DM:
>>
>> # wbinfo -u
>> MY.DOM\administrator
>> MY.DOM\auser
>> MY.DOM\user2
>> MY.DOM\user3
>> ...
>>
>> # wbinfo -n auser
>> S-1-5-21-2252255531-4061614174-2474224977-2184 SID_USER (1)
>>
>> # wbinfo -i auser
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user auser
>>
>> BUT still on the DM:
>>
>> # wbinfo -i MY.DOM\\auser
>> MY.DOM\auser:*:592:513:Adam User:/home/MY.DOM/auser:/bin/false
>>
>> # getent passwd auser
>>
>> (returns with $?=2, no output)
>>
>> here's my DM config files:
>>
>> /etc/samba/smb.conf
>>
>> [global]
>>         security = ADS
>>         workgroup = MY.DOM
>>         realm = DOM.MOTEC.COM.AU
>>
>>         log level = 1 winbind:1 idmap:1
>>
>>         idmap config * : backend = tdb
>>         idmap config * : range = 3000000-3999999
>>         idmap config MY.DOM : backend = ad
>>         idmap config MY.DOM : schema_mode = rfc2307
>>         idmap config MY.DOM : range = 500-10000
>>         idmap config MY.DOM : unix_nss_info = yes
>>
>> # grep winbind /etc/nsswitch.conf
>> passwd:     files winbind sss
>> group:      files winbind sss
>>
>> Any help is appreciated.
>>
>> Kind regards,
>> Tom
>>
> Before 4.6.0 all users had to use 'Domain Users' as their primary group
> and so you had to give 'Domain Users' a gidNumber inside the range set
> in smb.conf (in your case 500-10000). From 4.6.0, you still have to do
> this unless you also added this 'idmap config <DOMAIN> :
> unix_primary_group = yes' to smb.conf. You will then have to give every
> user a gidNumber attribute, this attribute will contain the ID number
> of the group you want to use for the user (which of course means the
> group in question will also have to have a gidNumber containing the
> same ID number)
Hi Rowland,

Thanks for that detailed explanation. On the samba 3.6 NT Domain we have been using 'Domain Users'
as the default group for all users. I checked all my 'Well Known' users via ADSIEdit on the DC and
discovered that some of them do in fact have 'gidNumber's assigned (sorry for that previously
misleading statement):

MY.DOM
Domain Users,513
Domain Guests,514
Domain Computers,515
Domain Admins,512

BUILTIN
Administrators,544
Account Operators,548
Print Operators,550
Backup Operators,551
Replicator,552

This is confusing though... wbinfo reports the gidNumber for 'Domain Users' on the DC as 100 but on
the DM as 513 (see also wbinfo -i output in my original post for the 'default group' assigned to
users and below for the group query).

DC:
# wbinfo --group-info Domain\ Users
MY.DOM\domain users:x:100:

DM:
# wbinfo --group-info Domain\ Users <-- still gives an error unless I provide the 'domain'
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group Domain Users

# wbinfo --group-info MY.DOM\\Domain\ Users
MY.DOM\domain users:x:513:

Why is the gidNumber 100 on the DC and 513 on the DM?

So, given that I have a gidNumber already set on 'Domain Users' and that shows up on the DM side
(but only if I put the domain component in my query), why do I get the WBC_ERR_DOMAIN_NOT_FOUND
error? Why is that happening and should I be concerned? Is that something to do with the gidNumber
mismatch on DC/DM?

> The problem with using low ID numbers with Samba, isn't a problem for
> Samba, up until something goes wrong. At this point, the only user that
> will be able to login would be root, this is because you will not be
> able to have ANY local Unix users (or groups).

What do you mean by 'something goes wrong'? Can I expect something like that?

> I hope that 'MY.DOM' is just a placeholder for your Netbios domain
> name and your real one is just one word without dots.

On Samba4 my actual REALM is MRC.MOTEC.COM.AU; the workgroup is set to MY.DOM. On samba 3.6, MY.DOM
was the 'NT Domain' (workgroup setting in samba 3.6 smb.conf). During the classicupgrade I tried but
couldn't change it (or did it wrong). If I can change that during the classicupgrade and can get
some pointers on how to do that, I will do the classicupgrade again. I would actually prefer it to
be something simpler like MRC.

On that topic, when I joined a Windows computer to the domain I had to put in MY.DOM to join but now
that it's joined it shows MRC.MOTEC.COM.AU as the domain. Which one is the real domain?

> Why do you have sssd installed, I hope you are not using it for
> authentication in any way.
>

A really good question. No, I'm not using sssd and I don't even have it installed. The entry comes
from an 'updated' nsswitch.conf provided through an updated package for CentOS7. It installed on the
system as /etc/nsswitch.conf.rpmnew and I moved it into place. I will remove the sss entries as I
don't see them as providing anything at this stage.

Kind regards,
Tom
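An added check for the point Rowland raises about low ID ranges (example script, not code from this thread or from the Samba project): with `idmap config MY.DOM : range = 500-10000` on the member server, any local account in /etc/passwd or /etc/group whose numeric ID falls inside that range collides with the domain mapping, and CentOS 7 hands out interactive local UIDs/GIDs from 1000 upward, so the first local user created on the box already lands in it. The script pulls the range for a domain out of an smb.conf and lists the local entries that overlap it. The smb.conf, passwd and group contents below are constructed samples that mirror the post's settings, and the function names are mine; on a real member server, feed it the output of `testparm -s` and the real /etc/passwd and /etc/group instead.

```shell
#!/bin/sh
# Added example (not code from the thread or from Samba): find local Unix
# accounts whose numeric IDs fall inside a domain's idmap range in smb.conf.
# A local uid/gid inside that range can resolve to the same number as a
# domain user/group mapped through idmap_ad, which is the trap behind using
# a low range such as 500-10000.

# Constructed sample smb.conf, same idmap settings as the member server in the post.
SMB_CONF=$(cat <<'EOF'
[global]
        security = ADS
        workgroup = MY.DOM
        idmap config * : backend = tdb
        idmap config * : range = 3000000-3999999
        idmap config MY.DOM : backend = ad
        idmap config MY.DOM : schema_mode = rfc2307
        idmap config MY.DOM : range = 500-10000
EOF
)

# Constructed sample local accounts, typical of a CentOS 7 host
# (system accounts below 1000, interactive users from 1000 upward).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash
backup:x:1001:1001::/var/backups:/sbin/nologin'

GROUP_SAMPLE='root:x:0:
wheel:x:10:
users:x:100:
polkitd:x:998:
localadmin:x:1000:
backup:x:1001:'

# idmap_range CONFIG DOMAIN -> prints "LOW HIGH" for "idmap config DOMAIN : range".
# Whitespace and case are ignored, as smb.conf itself ignores them; DOMAIN may be "*".
idmap_range() {
    printf '%s\n' "$1" | awk -F'=' -v dom="$2" '
        {
            key = $1; gsub(/[[:space:]]/, "", key)
            if (tolower(key) == ("idmapconfig" tolower(dom) ":range")) {
                val = $2; gsub(/[[:space:]]/, "", val)
                split(val, r, "-"); print r[1], r[2]; exit
            }
        }'
}

# id_collisions FILE_CONTENT LOW HIGH -> prints "name:id" for every passwd/group
# entry (field 3 is the uid or gid) whose id lies inside [LOW, HIGH].
id_collisions() {
    printf '%s\n' "$1" | awk -F':' -v lo="$2" -v hi="$3" '
        $3 ~ /^[0-9]+$/ && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 ":" $3 }'
}

# report CONFIG DOMAIN PASSWD GROUP -> human-readable summary for one domain.
report() {
    range=$(idmap_range "$1" "$2")
    if [ -z "$range" ]; then
        echo "no 'idmap config $2 : range' found"
        return 0
    fi
    lo=${range% *}; hi=${range#* }
    echo "domain $2 maps to $lo-$hi"
    echo "  local uids inside the range:"
    id_collisions "$3" "$lo" "$hi" | sed 's/^/    /'
    echo "  local gids inside the range:"
    id_collisions "$4" "$lo" "$hi" | sed 's/^/    /'
}

report "$SMB_CONF" MY.DOM "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
report "$SMB_CONF" '*'    "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
```

With the sample data the MY.DOM range catches polkitd, localadmin and backup on both the uid and gid side, while the `*` range (3000000-3999999) catches nothing, which is the shape Rowland's advice points at: put the domain range well above anything the local OS will ever allocate.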
