Re: [Samba] `getent passwd` not working with ad backend

On Thu, 24 Jan 2019 09:59:08 +0000
Harpoon via samba <samba@xxxxxxxxxxxxxxx> wrote:

> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Thursday, January 24, 2019 9:33 AM, Rowland Penny via samba
> <samba@xxxxxxxxxxxxxxx> wrote:
> 
> > On Thu, 24 Jan 2019 08:57:21 +0000
> > Harpoon via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >
> > > Hi all,
> > > I've been reading and it seems like ad backend has many features
> > > that I'd like to use. However, despite browsing many forums and
> > > docs, I am still unable to get domain users list using `getent
> > > passwd` while using `ad backend`. If I change backend to tdb,
> > > then I can get usernames on the clients. Authentication works
> > > fine too when using `tdb backend`. I think the only issue is with
> > > the mapping part. Otherwise the domain is working pretty fine.
> > > All boxes are running Debian Stretch.
> > >
> > > ===================================================
> > > Server's smb.conf
> > > ===================================================
> > > # Global parameters
> > > [global]
> > >     netbios name = DC1
> > >     realm = SAMDOM.EXAMPLE.COM
> > >     workgroup = SAMDOM
> > >     dns forwarder = 10.0.5.200
> > >     server role = active directory domain controller
> > >     idmap_ldb:use rfc2307 = yes
> > >     winbind enum users = yes
> > >     winbind enum groups = yes
> > >     template shell = /bin/bash
> > >
> > > [netlogon]
> > >     path = /var/lib/samba/sysvol/samdom.example.com/scripts
> > >     read only = No
> > >
> > > [sysvol]
> > >     path = /var/lib/samba/sysvol
> > >     read only = No
> > >
> > > ===================================================
> > > Client's smb.conf
> > > ===================================================
> > > [global]
> > >     netbios name = client1
> > >     realm = SAMDOM.EXAMPLE.COM
> > >     workgroup = SAMDOM
> > >     security = ADS
> > >     kerberos method = secrets and keytab
> > >     winbind trusted domains only = no
> > >     winbind enum users = yes
> > >     winbind enum groups = yes
> > >     winbind use default domain = yes
> > >     winbind nss info = rfc2307
> > >
> > >     # FOR Samba-share `getent` testing
> > >     # password server = dc1.samdom.example.com
> > >     # client signing = auto
> > >     # server signing = auto
> > >
> > >     idmap config * : backend = tdb
> > >     idmap config * : range = 10000-20000
> > >
> > >     idmap config SAMDOM : backend = ad
> > >     idmap config SAMDOM : range = 21000-200000
> > >
> > > ------------------------------------------------------------------------------
> > >
> > > With ad backend:
> > >
> > > 1.  wbinfo -u lists all domain users
> > > 2.  `getent passwd` doesn't list domain users
> > >
> > > With tdb backend:
> > >
> > > 1.  wbinfo -u lists all domain users
> > > 2.  `getent passwd` also lists all domain users
> > >
> > > Just by commenting out the `idmap config SAMDOM` lines in the
> > > client's smb.conf, all other things start working, such as `getent
> > > passwd`, authentication, etc. I tried adding multiple Unix groups
> > > and users following the instructions on the Samba Wiki, but the result is
> > > always the same. I've been trying to sort it out for a couple of
> > > weeks and it's now driving me insane. Any help would be
> > > appreciated!
> > >
> > > Kind regards,
> > > Harp
> >
> > 'wbinfo' goes direct to AD, it bypasses the underlying OS. It also
> > totally ignores anything to do with Unix, just because it shows the
> > users in AD, doesn't mean anything to Unix.
> That was indeed my understanding. Thanks for confirmation!
> 
> > With your smb.conf, it looks like something is wrong/missing,
> > probably the required uidNumber & gidNumber attributes.
> I did add uidNumber and gidNumber during creation of new groups and
> users.
> 
> > Does 'Domain Users' have a gidNumber attribute containing a number
> > inside the '21000-200000' range ?
> That was part of the problem. The 'Domain Users' group has GID 12000
> (set by following
> https://techblog.devlat.eu/2017/02/04/gid-of-the-domain-users-resetting-to-100-with-a-samba-ad-dc/
> guide).
> 
> So I modified client's smb.conf as:
> 
> [global]
>     netbios name = client1
>     realm = SAMDOM.EXAMPLE.COM
>     workgroup = SAMDOM
>     security = ADS
>     kerberos method = secrets and keytab
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind nss info = rfc2307
>
>     idmap config * : backend = tdb
>     idmap config * : range = 100-200
>
>     idmap config SAMDOM : backend = ad
>     idmap config SAMDOM : range = 300-50000
> 
> Should it work?

NO, you have just trampled all over the Unix system IDs and your
ranges are still outside the uidNumber & gidNumber attributes set in AD.

Please read this very carefully:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File

Rowland
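Added to this archive page as an illustration of the two checks Rowland is asking for (example code written for this page, not part of the thread and not Samba's own tooling): does every `idmap config` range stay clear of the local system UID/GID space, and do the uidNumber/gidNumber values actually stored in AD fall inside the range configured for the domain. The three config variants are the first posted client smb.conf, the rejected second attempt, and the range values from the Samba wiki's domain-member example (assumed here as the fix). The LDIF is constructed to look like `ldbsearch -H /var/lib/samba/private/sam.ldb` output from the DC; only the 'Domain Users' gidNumber of 12000 comes from the thread, the user objects and the Debian 0-999 system-ID ceiling are assumptions.

```python
import re

# Assumption: Debian reserves 0-999 for local system accounts
# (UID_MIN/GID_MIN = 1000 in /etc/login.defs), so no idmap range may start below 1000.
SYSTEM_ID_MAX = 999


def client_conf(star_range, ad_range):
    """Build the idmap part of a client smb.conf (other parameters omitted)."""
    return f"""[global]
    workgroup = SAMDOM
    idmap config * : backend = tdb
    idmap config * : range = {star_range}
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = {ad_range}
"""


CONF_V1 = client_conf("10000-20000", "21000-200000")    # client smb.conf as first posted
CONF_V2 = client_conf("100-200", "300-50000")           # the rejected second attempt
CONF_FIXED = client_conf("3000-7999", "10000-999999")   # Samba wiki example ranges (assumed fix)

# Constructed LDIF in the shape of
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*))' \
#       sAMAccountName objectClass uidNumber gidNumber
# objectClass lists are trimmed to the one class that matters here. Only the
# 'Domain Users' gidNumber 12000 is from the thread; the users are made up.
SAMPLE_LDIF = """
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
gidNumber: 12000

dn: CN=harp,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: harp
uidNumber: 10001
gidNumber: 12000

dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 25000
gidNumber: 12000

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: bob
gidNumber: 12000
"""

_RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(smb_conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range = a-b' line."""
    ranges = {}
    for line in smb_conf.splitlines():
        m = _RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_ldif(ldif):
    """Split LDIF text into records of {attribute: [values]} (no base64 or folded lines)."""
    records, cur = [], {}
    for line in ldif.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        records.append(cur)
    return records


def check_idmap(smb_conf, ldif, domain):
    """Return findings explaining why winbind would not map AD objects to Unix IDs."""
    findings = []
    ranges = parse_idmap_ranges(smb_conf)
    # 1. A range starting below 1000 collides with local system accounts.
    for dom, (lo, hi) in ranges.items():
        if lo <= SYSTEM_ID_MAX:
            findings.append(f"range for {dom} ({lo}-{hi}) overlaps local system IDs 0-{SYSTEM_ID_MAX}")
    # 2. The '*' range and the domain range must not overlap each other.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges for {a} and {b} overlap")
    # 3. With the ad backend, every uidNumber/gidNumber in AD must lie inside the domain range.
    dom = domain.upper()
    if dom not in ranges:
        findings.append(f"no 'idmap config {dom} : range' line in smb.conf")
        return findings
    lo, hi = ranges[dom]
    for rec in parse_ldif(ldif):
        name = rec.get("sAMAccountName", ["?"])[0]
        if "user" in rec.get("objectClass", []):
            uid = rec.get("uidNumber")
            if uid is None:
                findings.append(f"user {name}: no uidNumber, winbind cannot map it")
            elif not lo <= int(uid[0]) <= hi:
                findings.append(f"user {name}: uidNumber {uid[0]} outside {dom} range {lo}-{hi}")
        gid = rec.get("gidNumber")   # a user's primary group must resolve as well
        if gid is None:
            findings.append(f"{name}: no gidNumber")
        elif not lo <= int(gid[0]) <= hi:
            findings.append(f"{name}: gidNumber {gid[0]} outside {dom} range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", CONF_V1), ("second attempt", CONF_V2), ("wiki ranges", CONF_FIXED)):
        print(f"== {label}: {parse_idmap_ranges(conf)}")
        for finding in check_idmap(conf, SAMPLE_LDIF, "SAMDOM") or ["ok"]:
            print("  ", finding)
```

Against the first config the check reports 'Domain Users' (gid 12000) and the user harp (uid 10001) as outside 21000-200000, which is why `wbinfo -u` can list them while `getent passwd` cannot; against the second config both ranges are flagged for starting below 1000. The remaining finding with the wiki ranges, a user with no uidNumber at all, is the other case Rowland mentions: with the ad backend such an account is simply never mapped.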


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba