• Status: Solved

AD Users and Groups problems on Linux machines connected to domain via Samba

I've got a working Active Directory and 3 Fedora Core 8 machines that have been successfully connected to that AD using kerberos & samba.

On all 3 machines # wbinfo -u/-g give the same output.

On one Fedora install I have no problems, any AD user can login and do what they want. This machine is a home drive server that serves up those directories using Samba for Windows clients and NFS for the other connected Linux boxes. Doing a # ls -al on /home/DOMAIN gives a listing of all home directories with the proper user and group permissions.

On another machine my personal user account can log in but an attempt to do so with any other user comes up with an error saying the password is wrong and it can't chroot into the user's /home/DOMAIN/user directory. Running the command # ls -al on /home/DOMAIN on this machine shows a correct UID only for my user account; the rest are #s starting at 16777220. The GID on all directories is correct.

The last Linux box is the same as the previous except that the GID comes up with the same value for all (16777220).

The idmap gid/uid in the smb.conf files on all machines is the same.

Anyone run into this before or have any advice???

Thanks.
Asked by: coanda
1 Solution
 
Gabriel Orozco (Solution Architect) commented:
just a quick guess: do you have selinux active on the failing fedoras? try disabling it
0
 
coanda (Author) commented:
selinux is active on all fedora installations. instead of disabling it i've set it to permissive, now what? when listing the directory i get the same output as mentioned before.
0
 
Gabriel Orozco (Solution Architect) commented:
- you can try disabling selinux just for the test.
- you can try increasing the log level on your smb.conf so you get information of what is happening when you try to do ls -l on the AD. you can set it to 6 at least and then browse the log. there should be anything.
0
 
coanda (Author) commented:
I'm not really sure what happened but I disabled SELinux on all machines and added nfs to system-config-securitylevel on all and now one machine won't connect the nfs mount point, the other client that used to be able to resolve the GID now cannot, and the NFS server itself will no longer allow me to start nfsd or statd.
0
 
Gabriel Orozco (Solution Architect) commented:
looks like they are not connecting to the AD.

did you increase the log level to see the exact error?

if you are using also the AD for NFS, then are you able to do queries directly to the AD?
0
 
coanda (Author) commented:
All of the machines are connected to the AD, I'm able to log into any of the machines using my domain account. I did increase the log level, there are various log messages about SID privileges but nothing is added to the log after I execute ls -l.

I'm not really sure what you mean by using AD for NFS, or about being able to make queries to AD. I'm using Samba on the home directory server to connect to my AD. On that same machine I'm running an NFS server for the other Fedora installs which also connect to the AD via Samba.

For some reason running rpcinfo -p on the NFS server only gives output now for portmapper, mountd, nlockmgr, nfs and a couple of others don't appear anymore where they used to. I haven't shut any of these off so I'm not sure why they don't show up.
0
 
coanda (Author) commented:
Ok, I've disabled all SELinux and all instances of iptables. I'm aware that this probably isn't the best idea but I don't really care right now. I'll figure out the firewall settings after. I'm back where I was at the beginning now, and looking into dmesg | tail there are a couple of lines that might suggest that things are trying to use nfsv4 instead of 3. I'm pretty sure I haven't added nfs4 support but I could be wrong. Is there a chance that this could screw things up?
0
 
Gabriel Orozco (Solution Architect) commented:
well, yes.

you should be sure the underlying layers are working before you can have everything on the upper layers running smoothly.

first have all machines using the same version of NFS and working and start iptables again...
SELinux can be restarted after the lower layers work again...
0
 
coanda (Author) commented:
I have a problem with my iptables that prevents me from connecting one of the machines, that's why I shut it off. I'll re-enable that and SELinux once the problem that I've mentioned above has been dealt with.

All machines have the same version of NFS running, so now the question is: why are the uids and gids showing up as numbers 50% of the time despite a setup that's otherwise identical? Same fedora release, same krb5.conf, smb.conf, etc...
0
 
Gabriel Orozco (Solution Architect) commented:
some checks come to mind:
- check /etc/passwd on all machines. Is samba able to add users/groups when it gets them from the AD?
- check pam configuration. is Fedora Core 8 using PAM to authenticate against the AD? is that config the same?
0
 
coanda (Author) commented:
Nothing in /etc/passwd seems out of the ordinary, what would I check for? How would I check if Samba is able to add users/groups when it gets them from the AD? I don't recall doing any special setup for that.

I didn't have to configure pam when I connected the installs to my AD, but it is installed on all machines.
0
 
Gabriel Orozco (Solution Architect) commented:
samba creates users & groups taken from the AD when users log in to it by using winbindd
it should be able to do so in order to work correctly.
is winbindd running on all servers?

this is the howto and the winbindd explanation:
http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
0
 
coanda (Author) commented:
yes, all are running winbind. on all 3 /etc/nsswitch.conf has

passwd: files winbind
shadow: files winbind
group: files winbind

I executed getent passwd/group on all machines and on the machine that was not able to resolve either the AD uid or gid of the home directory now gives an incorrect value.
0
 
coanda (Author) commented:
also, it appears that the output of the 3 machines that getent passwd gives is different. on one there's maybe 3 domain groups, on the next 15, and on the last 25. why would this happen?
0
 
coanda (Author) commented:
I meant to write users, not groups on the last line.
0
 
coanda (Author) commented:
I think there's something wrong with my winbind setup, but I'm not sure how to fix this problem.

[root@srv1 /]# wbinfo -i domain\\user
DOMAIN\user:*:16777223:16777220:User Name:/home/DOMAIN/user:/bin/bash

[root@srv2 /]# wbinfo -i domain\\user
DOMAIN\user:*:16777218:16777216:User Name:/home/DOMAIN/user:/bin/bash

and on the other fedora it just fails to find any info for that user.
0
 
Gabriel Orozco (Solution Architect) commented:
Great! you found the problem.
now, I had not joined samba to an AD before, since I always put samba in control...

looks to me like a sid problem or the way each server joined to the domain?

maybe you can redo all steps from the beginning on each server so you get the same answers on all...
0
 
coanda (Author) commented:
I just read a forum that says winbind only doles out uids on a first come first served basis and there's no guarantee of things being the same machine to machine. it's starting to look like I'll need to run ldap to take care of the mappings.

even if I did redo the setup wouldn't I first need to flush the winbind database somehow? is that even possible?
0
 
Gabriel Orozco (Solution Architect) commented:
it should. I have cleaned my setups by backing up and cleaning the /var/lib/samba directory on some distros.
0
 
coanda (Author) commented:
it appears that letting things sit overnight has allowed winbind/AD to communicate because now a getent passwd on all machines yields the same output.

At the bottom of this site it mentions this problem + resolution.

https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

And I think I've found my problem, when I set up the first samba/winbind I chose an idmap uid/gid that were different than the second & third (which were done at the same time with the same settings) but I didn't really notice it then. so now that they're all mixed up I need to either refresh the mappings or re-enter them using wbinfo. any suggestions?
0
 
coanda (Author) commented:
I've added the idmap_rid range, reset smb, nmb, and winbind and all of the mappings on the different fedora installs now match. now it looks like all that's left to be done is change the ownership settings of the home directories on the nfs server and everything should be good.

thanks for all your help redimido.
0
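Added example, not from the thread and not Samba's own tooling: a small POSIX sh check for the two problems the thread runs into. The first function compares the `wbinfo -i` passwd-style line for one account as seen on two hosts (the sample lines are constructed in the shape of the srv1/srv2 output above, not real data) and reports whether the uid/gid pair agrees; this is the check to run across every domain-joined box before trusting NFS ownership. The second function implements the idmap_rid arithmetic (id = rid - base_rid + low end of range) to show why a shared range makes every host compute the same number, and rejects RIDs that fall outside the configured range. The smb.conf lines in the comment use the current `idmap config` syntax; the Samba 3.0.x form from the Fedora Core 8 era differs and is assumed here.

```shell
#!/bin/sh
# Constructed sample: 'wbinfo -i DOMAIN\user' output as captured on two hosts.
# Made-up values in the thread's format; field 3 is the uid, field 4 the gid.
SRV1_LINE='DOMAIN\user:*:16777223:16777220:User Name:/home/DOMAIN/user:/bin/bash'
SRV2_LINE='DOMAIN\user:*:16777218:16777216:User Name:/home/DOMAIN/user:/bin/bash'

# Extract uid / gid from a passwd-style line.
uid_of() { printf '%s\n' "$1" | cut -d: -f3; }
gid_of() { printf '%s\n' "$1" | cut -d: -f4; }

# Compare the same account's mapping on two hosts.
# Prints "match" (status 0) or a mismatch summary (status 1).
compare_hosts() {
    a_uid=$(uid_of "$1"); b_uid=$(uid_of "$2")
    a_gid=$(gid_of "$1"); b_gid=$(gid_of "$2")
    if [ "$a_uid" = "$b_uid" ] && [ "$a_gid" = "$b_gid" ]; then
        echo match
        return 0
    fi
    echo "mismatch: uid $a_uid/$b_uid gid $a_gid/$b_gid"
    return 1
}

# idmap_rid mapping: id = rid - base_rid + low_range.
# The allocating tdb backend hands out ids first come first served per host,
# which is why the two lines above differ; rid is a pure function of the
# SID's RID and the configured range, so every host with the same range agrees.
# Corresponding smb.conf lines (current syntax, assumed; older Samba 3.0.x
# used a different form):
#   idmap config * : backend = tdb
#   idmap config * : range = 3000-7999
#   idmap config DOMAIN : backend = rid
#   idmap config DOMAIN : range = 10000-20000
rid_to_id() {
    # $1 = low end of range, $2 = high end, $3 = rid, $4 = base_rid (default 0)
    low=$1; high=$2; rid=$3; base=${4:-0}
    id=$((rid - base + low))
    if [ "$id" -lt "$low" ] || [ "$id" -gt "$high" ]; then
        echo "rid $rid maps outside range $low-$high" >&2
        return 1
    fi
    echo "$id"
}

# Demo run: the two thread hosts disagree; with a shared rid range the same
# RID (constructed value 1106) maps identically on both.
compare_hosts "$SRV1_LINE" "$SRV2_LINE" || true
echo "rid 1106 on srv1: $(rid_to_id 10000 20000 1106)"
echo "rid 1106 on srv2: $(rid_to_id 10000 20000 1106)"
```

In practice run `wbinfo -i DOMAIN\\user` on each host, feed the lines to `compare_hosts`, and treat any mismatch as a reason not to export NFS home directories yet: the numeric owner on the server is what the client sees, so disagreeing mappings hand one user's files to another account.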
 
coanda (Author) commented:
Thanks again for your help, I think it would have taken me a lot longer to find the problem without your help.
0