
[Samba] centos 6.5 sernet-samba 4.1.6 member server winbind idmap fail


Lorenzo Faleschini

Apr 10, 2014, 5:30:03 AM
Hi everybody,

I've searched deeply in the Samba wiki and the list for some working
examples, but I cannot find my way out. I'm a kind of rough Samba user
(let's say almost a newbie), so I'm asking for help here:

This is my setup:

DC (samba.my.domain.com): CentOS 6.5 with
sernet-samba 4.1.6 started in "ad" mode
(upgraded successfully from early 4.0.5, working fine with Windows
clients and servers, deployed with rfc2307, wbinfo and getent working fine)

MEMBER (files.my.domain.com): CentOS 6.5
with sernet-samba 4.1.6 started in "classic" mode
(successfully joined with net ads join, DNS updated correctly and the host
is able to resolve domain names; followed the howto on the Samba wiki, tried
also installing from source with the parameters suggested in but with no
luck)

NOTE: disabled iptables and SELinux in this test environment
NOTE: created testuser and testgroup with Windows RSAT (AD
Users & Computers) and filled in the UNIX Attributes tab, so I suppose at
least for those two (user and group) I have correctly set UID and GID

____________________config files_______________________________

##############/etc/samba/smb.conf
[global]

workgroup = MY
security = ADS
realm = MY.DOMAIN.COM

idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config MY:backend = ad
idmap config MY:schema_mode = rfc2307
idmap config MY:range = 500-40000

winbind nss info = rfc2307

[test]
path = /condivisioni/test
read only = no


#################/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MY.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
MY.DOMAIN.COM = {
kdc = samba.my.domain.com
admin_server = samba.my.domain.com
}

[domain_realm]
.my.domain.com = MY.DOMAIN.COM
my.domain.com = MY.DOMAIN.COM

#################/etc/nsswitch.conf (edited lines)
passwd: files winbind
group: files winbind

________________________________________________________

~> wbinfo -p
~> wbinfo -u
~> wbinfo -g
~> wbinfo -n testuser

return the expected output

~> getent passwd
~> getent group

return only local UNIX users and groups

~> wbinfo -i testuser
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user testuser
~> wbinfo --group-info testgroup
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group testgroup


On the DC getent is working correctly, and also wbinfo -i:
~> wbinfo -i testuser
MY\testuser:*:10000:100:testuser:/home/MY/testuser:/bin/false
~> wbinfo --group-info testgroup
MY\testgroup:*:10000:
~> wbinfo -i marco
MY\marco:*:3000043:100:Marco:/home/MY/marco:/bin/false
~> wbinfo --group-info "domain users"
MY\Domain Users:*:100:


... any suggestions?
... I've searched the /var/log/samba logs but can't find anything
relevant there about errors. Should I look somewhere else?
... would it be better to add this MEMBER as a DC with samba-tool? Any
gotchas in doing so?
... I've read many times Steve and Rowland suggesting sssd over winbind..
I've tried to configure it but without success either (quite frustrated :( )

thanks

--

Lorenzo Faleschini
IT Manager @ Nord Est Systems srl
----------------------------------------
m: +39 335 6055225 | skype: falegalizeit


L.P.H. van Belle

Apr 10, 2014, 9:00:02 AM
yes, the solution ( aka worked for me on debian with sernet )

make use of usermap
add to smb.conf :

# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping

add in the file samba_usermapping
!root = DOMAINNAME\Administrator DOMAINNAME\administrator

restart samba


>-----Original message-----
>From: lorenzo.f...@nordestsystems.com
>[mailto:samba-...@lists.samba.org] On behalf of Lorenzo Faleschini
>Sent: Thursday 10 April 2014 11:20
>To: sa...@lists.samba.org
>Subject: [Samba] centos 6.5 sernet-samba 4.1.6 member server
>winbind idmap fail

Lorenzo Faleschini

Apr 10, 2014, 11:50:02 AM
ok,
now if I specify the domain in wbinfo and getent queries I get the expected results,
e.g.:

> getent passwd MY\\userx
MY\userx:*:10001:10000:User X:/home/userx:/bin/sh
> wbinfo -i MY\\userx
MY\userx:*:10001:10000:User X:/home/userx:/bin/sh

I can set up shares and manage them through Computer Management (logged in as
Domain Admin - Administrator),
but if I remove "Everyone" with "Full Control" from the share permissions I
cannot use the Security tab anymore (until I set Full Control for
Everyone back in the share's permissions).

This is weird IMHO and makes the fileserver unusable.

I'll try a Debian machine now. Can you please post your working configs?



Rowland Penny

Apr 10, 2014, 12:00:02 PM
Have you given 'Domain Users' a gidNumber and, if so, is that gidNumber
'100'?
If you are using '100' for your gidNumber, then it is below the range
you set in smb.conf and winbind will not pass this to getent, and
therefore you get no domain users.
If you have not added a gidNumber, then the same applies: winbind will
not pass this to getent and you get no domain users.

Rowland

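As an added example (not from the thread, nor Samba's own code), the following Python check reads the `idmap config ...:range` lines from an smb.conf and reports which RFC2307 uidNumber/gidNumber values fall outside the domain's range, which is exactly the situation Rowland describes for a 'Domain Users' gidNumber of 100. The smb.conf fragment and the attribute values are constructed from what was posted in the thread.

```python
import re

# Constructed sample built from the smb.conf lines quoted in the thread (not the poster's file).
SMB_CONF = """[global]
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config MY:backend = ad
idmap config MY:schema_mode = rfc2307
idmap config MY:range = 500-40000
"""

# Constructed uidNumber/gidNumber values standing in for what the ad backend reads from AD.
AD_OBJECTS = {
    "Domain Users": 100,     # the gidNumber Rowland asks about: below the MY range
    "Domain Admins": 10000,
    "testuser": 10000,
    "userx": 10001,
    "marco": 3000043,        # also outside the MY range
}

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X:range' line in conf."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlapping_ranges(ranges):
    """Pairs of idmap ranges that overlap (an ID must belong to exactly one backend)."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def ids_outside_range(objects, ranges, domain):
    """Names whose uidNumber/gidNumber lies outside the domain's idmap range.
    winbind will not hand these to getent or 'wbinfo -i' on a member server."""
    low, high = ranges[domain.upper()]
    return sorted(name for name, num in objects.items() if not low <= num <= high)

if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    print("overlapping ranges:", overlapping_ranges(ranges))
    print("outside the MY range:", ids_outside_range(AD_OBJECTS, ranges, "MY"))
```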

Lorenzo Faleschini

Apr 10, 2014, 12:20:02 PM
I have

Domain Admins GID=10000
Domain Users GID=10001

Administrator UID=10000
userx UID=10001

getent and wbinfo are working now (only if I call the users or groups
that I've configured UNIX attributes for),
e.g.: getent group "MY\\Domain Admins" - works
getent group - doesn't show anything

I've added to /etc/samba/smb.conf
username map = /etc/samba/samba_usermapping

and in /etc/samba/samba_usermapping
!root = DOMAINNAME\Administrator DOMAINNAME\administrator

as suggested by L.P.H. van Belle

Now my problem is that if I try to set up share permissions I can manage
the share only if I leave "Full Control" to "Everyone", and this is
quite useless.



Rowland Penny

Apr 10, 2014, 1:30:02 PM
On 10/04/14 17:15, Lorenzo Faleschini wrote:
> I have
>
> Domain Admins GID=10000
> Domain Users GID=10001
>
> Administator UID=10000
> userx UID=10001
>
> getent and wbinfo are working now (only if I call the users or groups
> that I've configured UNIX attributes for)
> eg: getent group "MY\\Domain Admins" - works
> getent group - doesn't show anything
>

You have a problem somewhere; getent should display all users, local and
domain. There seems to be a bug in getent (or it is a feature) when it comes
to groups: you must use 'getent group <domain group name>'

> I've added to /etc/samba/smb.conf
> username map = /etc/samba/samba_usermapping
>
> and in /etc/samba/samba_usermapping
> !root = DOMAINNAME\Administrator DOMAINNAME\administrator
>
> as suggested by L.P.H. van Belle
>
> Now my problem is that if I try to setup share permissions I can
> manage the share only if I leave "Full Control" to "Everyone".. and
> this is quite useless.
>
Where are the shares stored, on the Samba DC or on the fileserver?

Lorenzo Faleschini

Apr 10, 2014, 2:20:03 PM
When I go into the share permissions and Security tab in compmgmt.msc
I see Administrator with a red X on it (as if it were disabled, but it's
not in ADUC).

I created another account (otheradmin) with UNIX Attributes, added it to
Domain Admins (and set this as its primary UNIX group).

With this user it seems that I can manage shares correctly (and get rid of
Everyone's permissions).

There's a strange behaviour for the Administrator user.

On 10/04/2014 19:21, Rowland Penny wrote:
>> eg: getent group "MY\\Domain Admins" - works
>> getent group - doesn't show anything
>>
>
> You have a problem somewhere, getent should display all users, local
> and domain. There seems to be bug in getent (or is a feature) when it
> comes to groups, you must use 'getent group <domain group name>'

getent -V returns 2.12

anyway,
getent passwd returns system users + domain users (that have a UID set)

getent group returns only system groups

getent group "MY\\Domain Admins" returns
domain admins:x:10000:otheradmin,administrator
getent group "MY\\Domain Users" returns
domain users:x:10001:
(the users are not listed in the "Domain Users" group by default?
because it is everyone's default group?)

>> Now my problem is that if I try to setup share permissions I can
>> manage the share only if I leave "Full Control" to "Everyone".. and
>> this is quite useless.
>>
> Where are the shares stored, on the Samba DC or or on the fileserver ?

shares are on fileserver (I've checked the behaviour of Administrator
user also on the DC and the red X is always there)

>
> Rowland

thanks for your time Rowland



Rowland Penny

Apr 10, 2014, 2:30:01 PM
Try removing the uidNumber from the Administrator, my Administrator does
not have a uidNumber and everything just seems to work. Mapping
Administrator to root in a file read by smb.conf is a much better idea.

Rowland

Lorenzo Faleschini

Apr 10, 2014, 4:00:03 PM
On 10/04/2014 20:24, Rowland Penny wrote:
>
> Try removing the uidNumber from the Administrator, my Administrator
> does not have a uidNumber and everything just seems to work. Mapping
> Administrator to root in a file read by smb.conf is a much better idea.
>
> Rowland

Tried this, but no results.
The Administrator user seems to have no privileges.
When I use the Computer Management console as Administrator to manage
shares on the fileserver or DC I cannot even open the "Sessions" or "Open
Files" tab, nor can I set the "Security" tab for a share.
When I use the Computer Management console as OtherAdmin (a manually
created user added to Domain Admins) I can do everything as expected and
shares work properly.

I also tried to disable Administrator and re-enable it in ADUC, but no way.

I don't know if there's any problem in having the Administrator user not
working 100%..
I think I'll copy all of Administrator's group memberships to
another user (OtherAdmin), then I'll deactivate the Administrator
account. Looks like a workaround, but if it works I will not complain.

Do you think I should file a bug? Maybe try to reproduce it from a fresh
install?





Rowland Penny

Apr 10, 2014, 4:10:02 PM
On 10/04/14 20:51, Lorenzo Faleschini wrote:
> On 10/04/2014 20:24, Rowland Penny wrote:
>>
>> Try removing the uidNumber from the Administrator, my Administrator
>> does not have a uidNumber and everything just seems to work. Mapping
>> Administrator to root in a file read by smb.conf is a much better idea.
>>
>> Rowland
>
> Tried this, but no results.
> The Administrator user seem to have no privileges.
> When I use the Computer Management console as Administrator to manage
> shares on fileserver or dc I cannot even open the "sessions" or "open
> files" tab, nor I can set the "Security" tab for a share.

My Administrator CAN do all of the above.

> When I use the Computer Management console as OtherAdmin (manually
> created user added to Domain Admins) I can do everything as expected
> and shares work properly.
>
> I tried also to disable Administrator and reenable in ADUC but no way.
>
> I don't know if there's any problem in having Administrator user not
> working 100%..

If Administrator is not working correctly, then you will have problems.

> I think I'll copy all the membership of Administrator's groups to
> another user (OtherAdmin) then I'll deactivate the Administrator
> account. Looks like a workaround but if it works I will not complain.
>
You should not have to do this and I cannot recommend doing it.

> do you think I should file a bug? maybe try to reproduce it from a
> fresh install?

If it is a bug then I think that you are probably the only one suffering
from it ;-) I think that your last idea is probably the best, move the
relevant dirs etc (sysvol, private etc) out of the way and re-provision,
add a gidNumber to Domain Users, add a user and add a uidNumber to the
new user and then go from there.

Rowland

L.P.H. van Belle

Apr 11, 2014, 3:20:03 AM
Hi,

>> I think I'll copy all the membership of Administrator's groups to
>> another user (OtherAdmin) then I'll deactivate the Administrator
>> account. Looks like a workaround but if it works I will not complain.
>>
>You should not have to do this and I cannot recommend doing it.

Don't do this!

Because of Kerberos updates and DNS updates..

look : cat /var/lib/samba/private/named.conf.update

/* this file is auto-generated - do not edit */
update-policy {
grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
====>> grant Admini...@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME; <<< =======
grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
grant RTD-DC2$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
};

what do you think will happen if you disable administrator.. ;-)

Louis




>-----Original message-----
>From: rowlan...@googlemail.com
>[mailto:samba-...@lists.samba.org] On behalf of Rowland Penny
>Sent: Thursday 10 April 2014 22:07
>To: sa...@lists.samba.org
>Subject: Re: [Samba] centos 6.5 sernet-samba 4.1.6 member
>server winbind idmap fail
>

Lorenzo Faleschini

Apr 11, 2014, 3:50:02 AM
ok, I was just wondering wrongly :) my domain is clearly screwed.

I didn't notice this weird behaviour of Administrator until I started
to play with a Linux member.

In the Samba logs I see no errors (except CUPS, but I don't bother).
I have a Zimbra box that uses the DC for auto-provisioning accounts and
auth.. perfectly working.
An ownCloud server with LDAP accounts from the DC.. no problems.
Some Windows machines with a couple of GPOs and shares... running.

...really can't say at what point in time this got broken.

I have to face a complete reprovision and rejoin all the clients (I hope
Zimbra and ownCloud will give no problems, as I suppose they'll stick to
their config files since they're not joined with net join but just use
LDAP accounts to get auth and info).

maybe better start from clean VMs
- install sernet's packages
- provision same domain
- set domain users with a GID
- import users (and set UID and GID directly from samba-tool create)
- join fileserver as member
- test administrator behaviour and all the other functions

if it's all ok, then I shut down old dc, change ip on the new one
(adapting also DNS entries and fileserver's net config) and I should be
good to go
(rejoining all the windows boxes)

Am I right with this hard path?


