Re: [Samba] Users created in last few years cannot login after 4.7 -> 4.8 + winbind
- Date: Fri, 4 Jan 2019 15:14:06 -0500 (EST)
- From: Paul Raines via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Users created in last few years cannot login after 4.7 -> 4.8 + winbind
On Fri, 4 Jan 2019 4:57am, Rowland Penny wrote:
> On Thu, 3 Jan 2019 17:46:51 -0500 (EST)
> Paul Raines via samba <samba@xxxxxxxxxxxxxxx> wrote:
>> TLDR: after upgrading our CentOS 7.5 servers using Samba 4.7.x with
>> security = ads and no winbind to CentOS 7.6 with Samba 4.8.x with
>> security = ads + winbind, all user accounts created in the last few
>> years can no longer log in.
>>
>> Explaining this requires a fairly long back story.
>>
>> Our corporate is primarily a Windows shop while our own research
>> department primarily uses Linux. For over a decade we used our own
>> account/group/file namespace in our Linux infrastructure, totally
>> separate from corporate.
>>
>> A couple of years ago, for new security hardening purposes, corporate
>> dictated that all logins need to be based off their AD server so they
>> can manage/monitor/enforce password changes, access, etc.
> So go back to them, point out it isn't working and they need to
> extend AD by adding the IDMU ldif and create your users and groups in
> AD with the correct IDs ;-)
This is not an option for me. Corporate is not going to change anything
on AD for me. And this would create the opposite problem, where my users
with resources on the corporate infrastructure will have things break
if the IDs are changed.
>> The issue was we had petabytes of data using our accounts which had
>> in most cases both different names and underlying user ids. For
>> example, my Linux username is raines with ID 5829
> I take it this ID is the Unix user's ID found in /etc/passwd
My LDAP server, but yes.
>> and my corporate/AD username is per2 with ID 2040470.
> And this is the user's AD RID
The uidNumber you get when searching for the account in AD via LDAP.
>> And groups have no relation
>> whatsoever. Simply reconfiguring our Linux servers to do straight
>> LDAP or winbind/nss to corporate AD was not possible without a
>> wholesale painful re-ID-ing of files and breakage of lots of apps
>> that hard code usernames in settings.
> It wouldn't have been a problem if AD had been extended properly.
I really don't see how that was realistically possible. And I am positive the
managers would not allow the UIDs in the range 5000-10000 I had used for my
users. I have a handful of users from the early 2000s with UIDs in the
100-5000 range (predates me -- this is before distros started enforcing user
creation >500). It most likely conflicts with system accounts they had.
>> For all non-Samba resources (login, web, LDAP-based apps, ...) I
>> could solve this issue using LDAP SASL passthru. In this scheme you
>> set the userPassword field of the user's LDAP record to be something like
>>
>> and any authentication to the LDAP server for user 'raines' is passed
>> through to the AD server as authentication for user 'per2'.
>>
>> The issue was this did not work for Samba. The solution I came up
>> with was to create a "username map = /etc/samba/users.map" with lines
>>
>>   raines = MYDOMAIN\per2
>>   aea32 = MYDOMAIN\aea32
> That's one way of doing it, it isn't how I would have done it.
Except for "extending AD" as above, is there another way?

All I want and need from corporate AD is password authentication. I
don't want or need anything else, including user or group ids. I
want Samba to get everything else (user id, group ids, shell, homedir, ...)
from the local NIS backend (i.e. my LDAP server).
>> and then have in smb.conf
>>
>>   workgroup = MYDOMAIN
>>   security = ads
>>   passdb backend = tdbsam
>>   realm = MYDOMAIN.ORG
>>   dedicated keytab file = /etc/krb5.keytab
>>   kerberos method = secrets and keytab
>>   preferred master = no
>>   encrypt passwords = yes
>>   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536
>>   idmap config *:backend = tdb
>>   idmap config *:range = 100-999999
> That is a foolish range, it interferes with the local system users.
> The '*' domain is for the Well Known Sids and anything outside the
Again, I am not using WINBIND for actual NIS in the system. It
will not be in /etc/nsswitch.conf, pam, etc. I never used it before
in Samba 4.7.x or earlier. I am only running it because it is now
required to use security=ads for authentication. I DO want any
login on the samba server by any system account to always fail.
>>   idmap config MYDOMAIN:backend = ad
>>   idmap config MYDOMAIN:schema_mode = rfc2307
>>   idmap config MYDOMAIN:range = 1000000-9999999
> Sorry, but this is wrong for your Samba version, see here:
> The range must reflect the uidNumber & gidNumber attributes in AD.
I have tried using the nss backend and the results are random.
Sometimes it works. Sometimes it doesn't. It still always works
for my "old" account. Just not for new accounts.

Do you have any configuration suggestion?

Is there a way to have winbind not fail a login just because it
cannot map a SID to a GID? Is there a way for me to force
a mapping for S-1-5-21-8915387-943144406-1916815836-513?
I tried wbinfo --set-gid-mapping but just got WBC_ERR_NOT_IMPLEMENTED.

I guess for now I will continue to run Samba 4.7.x as long as I can still get
it to run.
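Rowland's objection to the `idmap config *:range = 100-999999` line is that winbind will hand out IDs in that range while local accounts (system users and, here, the LDAP users such as `raines` with UID 5829) already live inside it. The script below is an added example, written for this editorial note and not taken from the thread or from the Samba project; it parses the `idmap config DOMAIN:range` lines out of an smb.conf fragment, checks that the ranges are mutually disjoint (winbind requires this), and lists every local account whose UID falls inside an idmap range. The smb.conf and `/etc/passwd` text are constructed samples modelled on the configuration quoted above.

```python
"""Audit smb.conf idmap ranges against local accounts and against each other.

Added example (not the poster's or Samba's own code). Assumes winbind-style
'idmap config DOMAIN:range = LOW-HIGH' lines; SMB_CONF and PASSWD below are
constructed samples, not copied from a live system.
"""
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment modelled on the one quoted in the thread.
SMB_CONF = """
[global]
   workgroup = MYDOMAIN
   security = ads
   idmap config *:backend = tdb
   idmap config *:range = 100-999999
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 1000000-9999999
"""

# Constructed /etc/passwd sample: a few system accounts plus one local user.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
raines:x:5829:5829:Paul Raines:/home/raines:/bin/bash
"""

# Matches e.g. "idmap config MYDOMAIN:range = 1000000-9999999" (domain may be '*').
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every idmap range line in the config text."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group("dom")] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def parse_passwd_uids(passwd: str) -> Dict[str, int]:
    """Return {username: uid} from passwd-format text, skipping malformed lines."""
    uids: Dict[str, int] = {}
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids[fields[0]] = int(fields[2])
    return uids


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges intersect; winbind needs them disjoint."""
    names = sorted(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                clashes.append((a, b))
    return clashes


def local_users_in_ranges(ranges: Dict[str, Tuple[int, int]],
                          uids: Dict[str, int]) -> List[Tuple[str, int, str]]:
    """(user, uid, domain) for each local account whose UID sits inside an idmap range."""
    hits = []
    for user, uid in sorted(uids.items(), key=lambda kv: kv[1]):
        for dom, (lo, hi) in ranges.items():
            if lo <= uid <= hi:
                hits.append((user, uid, dom))
    return hits


def audit(conf: str = SMB_CONF, passwd: str = PASSWD) -> dict:
    """Run both checks and return the findings as plain data."""
    ranges = parse_idmap_ranges(conf)
    uids = parse_passwd_uids(passwd)
    return {
        "ranges": ranges,
        "range_clashes": overlapping_ranges(ranges),
        "local_collisions": local_users_in_ranges(ranges, uids),
    }


if __name__ == "__main__":
    result = audit()
    for dom, (lo, hi) in result["ranges"].items():
        print(f"idmap {dom}: {lo}-{hi}")
    for a, b in result["range_clashes"]:
        print(f"WARNING: idmap ranges for {a} and {b} overlap")
    for user, uid, dom in result["local_collisions"]:
        print(f"WARNING: local account {user} (uid {uid}) lies inside idmap range for {dom}")
```

On the constructed sample the two ranges are disjoint, but `raines` (5829) and `nobody` (65534) both fall inside the `*` range, which is exactly the collision Rowland is warning about: an allocation by the tdb backend could collide with an existing local UID. Pointing the script at a real `/etc/passwd` (or `getent passwd` output) and smb.conf makes the same check on a live host.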