#### Tested with UCS 2.4-1 and W2k3R2
## note: ARW2K8R2U24 actually is the W2k3R2 domain.
## see also Ticket#: 2011011710013431

root@qamaster:~# apt-get install winbind
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut
Lese Status-Informationen ein... Fertig
Die folgenden Pakete wurden automatisch installiert und werden nicht länger benötigt:
  libapt-pkg-perl
Verwenden Sie »apt-get autoremove«, um sie zu entfernen.
Die folgenden NEUEN Pakete werden installiert:
  winbind
0 aktualisiert, 1 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
Es müssen 5246kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 15,1MB Plattenplatz zusätzlich benutzt.
WARNUNG: Die folgenden Pakete können nicht authentifiziert werden!
  winbind
Authentifizierungswarnung überstimmt.
Hole:1 http://univention-repository.knut.univention.de 2.4-1/i386/ winbind 2:3.5.4~dfsg-1.465.201011191326 [5246kB]
Es wurden 5246kB in 0s geholt (22,2MB/s)
Wähle vormals abgewähltes Paket winbind.
(Lese Datenbank ... 168038 Dateien und Verzeichnisse sind derzeit installiert.)
Entpacke winbind (aus .../winbind_2%3a3.5.4~dfsg-1.465.201011191326_i386.deb) ...
Verarbeite Trigger für man-db ...
Richte winbind ein (2:3.5.4~dfsg-1.465.201011191326) ...
 * Starting the Winbind daemon winbind                                   [ ok ]
PKGDB: cannot create a handle to the database pkgdb in qamaster.arucs241i1.qa

root@qamaster:~# net rpc trustdom establish ARW2K8R2U24
Enter ARUCS241I1$'s password:
Could not connect to server W2K3R2-32
Trust to domain ARW2K8R2U24 established

### 1. first ping to winbindd must work
root@qamaster:~# wbinfo -p
Ping to winbindd failed
could not ping winbindd!
root@qamaster:~# /etc/init.d/samba restart
 * Stopping Samba daemons: nmbd
 * Stopping Samba daemons: smbd
   ...done.
 * Starting Samba daemons: nmbd
 * Starting Samba daemons: smbd
   ...done.
root@qamaster:~# wbinfo -p
Ping to winbindd failed
could not ping winbindd!
root@qamaster:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind                                   [ ok ]
 * Starting the Winbind daemon winbind                                   [ ok ]
root@qamaster:~# wbinfo -p
Ping to winbindd succeeded

### 2. listing trustdoms does not work with machine account
## either setauthuser
## or net rpc join
## see e.g. https://forge.univention.org/bugzilla/show_bug.cgi?id=24030#c6
root@qamaster:~# net rpc trustdom list -UAdministrator%univention
Could not connect to server QAMASTER
Connection failed: NT_STATUS_IO_TIMEOUT
Couldn't connect to domain controller: NT_STATUS_IO_TIMEOUT
root@qamaster:~# wbinfo --ping-dc
checking the NETLOGON dc connection failed
root@qamaster:~# net setauthuser -U Administrator
Enter the auth user's password:
root@qamaster:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind                                   [ ok ]
 * Starting the Winbind daemon winbind
root@qamaster:~# net rpc trustdom list -UAdministrator%univention
Trusted domains list:
ARW2K8R2U24             S-1-5-21-215963510-1792852931-2165353431
Trusting domains list:
none
root@qamaster:~# wbinfo --ping-dc
checking the NETLOGON dc connection failed
root@qamaster:~# net setauthuser delete
root@qamaster:~# net getauthuser
No authorised user configured
root@qamaster:~# /etc/init.d/samba restart
 * Stopping Samba daemons: nmbd
 * Stopping Samba daemons: smbd
   ...done.
 * Starting Samba daemons: nmbd
 * Starting Samba daemons: smbd
   ...done.
root@qamaster:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind                                   [ ok ]
 * Starting the Winbind daemon winbind                                   [ ok ]
root@qamaster:~# net rpc trustdom list -UAdministrator%univention
Could not connect to server QAMASTER
Connection failed: NT_STATUS_IO_TIMEOUT
Couldn't connect to domain controller: NT_STATUS_IO_TIMEOUT
root@qamaster:~# net rpc testjoin
get_schannel_session_key: could not fetch trust account password for domain 'ARUCS241I1'
net_rpc_join_ok: failed to get schannel session key from server QAMASTER for domain ARUCS241I1. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'ARUCS241I1' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
root@qamaster:~# net rpc join
Enter root's password:
Interupted by signal.
root@qamaster:~# net rpc join -UAdministrator%univntion
Connection failed: NT_STATUS_IO_TIMEOUT
Could not connect to server QAMASTER
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
root@qamaster:~# net rpc join -UAdministrator%univention
Connection failed: NT_STATUS_IO_TIMEOUT
Joined domain ARUCS241I1.
root@qamaster:~# net rpc testjoin
Join to 'ARUCS241I1' is OK
root@qamaster:~# net rpc trustdom list -UAdministrator%univention
Trusted domains list:
ARW2K8R2U24             S-1-5-21-215963510-1792852931-2165353431
Trusting domains list:
none
root@qamaster:~# wbinfo --ping-dc
checking the NETLOGON dc connection succeeded

### 3. resolving AD users does not work without "winbind rpc only"
## https://forge.univention.org/bugzilla/show_bug.cgi?id=17592
root@qamaster:~# wbinfo -n ARW2K8R2U24+Administrator
Could not lookup name ARW2K8R2U24+Administrator
root@qamaster:~# vim /etc/samba/local.conf
## winbind rpc only = yes
root@qamaster:~# wbinfo -n ARW2K8R2U24+Administrator
S-1-5-21-215963510-1792852931-2165353431-500 SID_USER (1)
root@qamaster:~# wbinfo -n ARW2K8R2U24+aduser1
S-1-5-21-215963510-1792852931-2165353431-1108 SID_USER (1)

### 4. getent passwd only works if nss is configured to use winbind too
root@qamaster:~# getent passwd ARW2K8R2U24+aduser1 || echo "unknown"
unknown
root@qamaster:~# ucr set auth/user/methods="krb5 ldap unix winbind"
Setting auth/user/methods
Multifile: /etc/pam.d/common-session
File: /etc/nsswitch.conf
File: /etc/pam.d/admin-auth-nowrite
File: /etc/pam.d/admin-password
File: /etc/pam.d/common-account
Multifile: /etc/pam.d/common-auth
File: /etc/pam.d/common-auth-nowrite
File: /etc/pam.d/common-password
File: /etc/pam.d/univention-management-console
File: /etc/ssh/ssh_config
root@qamaster:~# /etc/init.d/nscd restart
 * Restarting NSCD .
root@qamaster:~# getent passwd ARW2K8R2U24+aduser1 || echo unknown
unknown
root@qamaster:~# wbinfo -S S-1-5-21-215963510-1792852931-2165353431-1108
Could not convert sid S-1-5-21-215963510-1792852931-2165353431-1108 to uid
root@qamaster:~# tail -4 /var/log/samba/log.winbindd-idmap
[2012/07/05 19:11:49.481843,  0] winbindd/idmap_ldap.c:123(get_credentials)
  get_credentials: Unable to fetch auth credentials for cn=admin,dc=arucs241i1,dc=qa in ALLOC
[2012/07/05 19:11:49.481869,  0] winbindd/idmap.c:589(idmap_alloc_init)
  ERROR: Initialization failed for alloc backend, deferred!
root@qamaster:~# net idmap secret alloc $(cat /etc/ldap.secret)
Secret stored
root@qamaster:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind                                   [ ok ]
 * Starting the Winbind daemon winbind                                   [ ok ]
root@qamaster:~# wbinfo -S S-1-5-21-215963510-1792852931-2165353431-1108
55000
## ok uid is allocated, strange that net idmap secret was necessary again, because:
root@qamaster:~# grep 'idmap secret' /var/log/univention/*
/var/log/univention/join.log:setting idmap secret for alloc from /etc/ldap.secret
## but getent passwd still fails
root@qamaster:~# getent passwd ARW2K8R2U24+aduser1 || echo unknown
unknown

#### try to enumerate users
root@qamaster:~# wbinfo -u
join-backup
join-slave
administrator
root@qamaster:~# net setauthuser -U Administrator
Enter the auth user's password:
## see Ticket#: 2011011710013431
root@qamaster:~# wbinfo -u
join-backup
join-slave
administrator
ARW2K8R2U24+administrator
ARW2K8R2U24+aduser1
ARW2K8R2U24+gast
ARW2K8R2U24+krbtgt
ARW2K8R2U24+support_388945a0
## You have to give the Administrator password for the AD domain here:
root@qamaster:~# net getauthuser
ARUCS241I1+Administrator%Univention123
## THIS IS REALLY BROKEN ^^^^ that is the PW of ARW2K8R2U24+Administrator..
## Probably this also works with machine account instead of setauthuser
## if a bidirectional trust is set up
root@qamaster:~# getent passwd ARW2K8R2U24+aduser1 || echo unknown
unknown
root@qamaster:~# /etc/init.d/nscd restart
 * Restarting NSCD .
root@qamaster:~# getent passwd ARW2K8R2U24+aduser1 || echo unknown
ARW2K8R2U24+aduser1:*:55000:55000:aduser1 univention:/home/ARW2K8R2U24-aduser1:/bin/bash
## cross check
root@qamaster:~# net setauthuser delete
root@qamaster:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind                                   [ ok ]
 * Starting the Winbind daemon winbind                                   [ ok ]
root@qamaster:~# /etc/init.d/nscd restart
 * Restarting NSCD .
root@qamaster:~# wbinfo -u
join-backup
join-slave
administrator
root@qamaster:~# getent passwd ARW2K8R2U24+aduser1 || echo unknown
unknown
root@qamaster:~# net setauthuser -U Administrator
Enter the auth user's password:
root@qamaster:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind                                   [ ok ]
 * Starting the Winbind daemon winbind                                   [ ok ]
root@qamaster:~# /etc/init.d/nscd restart
 * Restarting NSCD .
root@qamaster:~# sleep 10   ## wait a bit for winbind..
getent passwd ARW2K8R2U24+aduser1 || echo unknown
root@qamaster:~# getent passwd ARW2K8R2U24+aduser1 || echo unknown
ARW2K8R2U24+aduser1:*:55000:55000:aduser1 univention:/home/ARW2K8R2U24-aduser1:/bin/bash

### Authentication
root@qamaster:~# wbinfo -a ARW2K8R2U24+Administrator%Univention123
plaintext password authentication succeeded
challenge/response password authentication succeeded

### Testscript for https://forge.univention.org/bugzilla/show_bug.cgi?id=25244
root@qamaster:~# wget 'https://forge.univention.org/bugzilla/attachment.cgi?id=3986' -O check-winbind-user
root@qamaster:~# chmod 755 check-winbind-user
root@qamaster:~# ./check-winbind-user ARW2K8R2U24+aduser1%'Test1234;.'
sid: S-1-5-21-215963510-1792852931-2165353431-1108
username: ARW2K8R2U24+aduser1
uid: 55000
GIDs: 55000
groupsid: S-1-5-21-215963510-1792852931-2165353431-513
groupname: ARW2K8R2U24+Domänen-Benutzer
getent passwd: ARW2K8R2U24+aduser1:*:55000:55000:aduser1 univention:/home/ARW2K8R2U24-aduser1:/bin/bash
plaintext password authentication succeeded
challenge/response password authentication succeeded
dcname: w2k3r2-32.arw2k8r2u24.qa
Could not lookup WINS by name w2k3r2-32.arw2k8r2u24.qa
trying DNS:
Host w2k3r2-32.arw2k8r2u24.qa not found: 3(NXDOMAIN)
enum users for domain ARW2K8R2U24 successfull
enum groups for domain ARW2K8R2U24 successfull

### Miscellaneous
root@qamaster:~# wbinfo --online-status
BUILTIN : online
ARUCS241I1 : offline
ARW2K8R2U24 : online


###### Memberserver ###############################################################
root@qamember:~# net rpc testjoin
Join to 'ARUCS241I1' is OK
### trustdom is already established, also for the memberserver:
root@qamember:~# net rpc trustdom list -UAdministrator%univention
Trusted domains list:
ARW2K8R2U24             S-1-5-21-215963510-1792852931-2165353431
Trusting domains list:
none
root@qamember:~# wbinfo -p
Ping to winbindd failed
could not ping winbindd!
root@qamember:~# wbinfo --ping-dc
checking the NETLOGON dc connection failed
Could not ping our DC
## oops?
root@qamember:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind                                   [ ok ]
 * Starting the Winbind daemon winbind                                   [ ok ]
root@qamember:~# wbinfo -p
Ping to winbindd succeeded
root@qamember:~# wbinfo --ping-dc
checking the NETLOGON dc connection succeeded
## ok..

### resolving AD users on the memberserver also works without "winbind rpc only"
root@qamember:~# wbinfo -n ARW2K8R2U24+Administrator
S-1-5-21-215963510-1792852931-2165353431-500 SID_USER (1)
root@qamember:~# wbinfo -n ARW2K8R2U24+aduser1
S-1-5-21-215963510-1792852931-2165353431-1108 SID_USER (1)

### IDMapping works without manual intervention:
root@qamember:~# grep 'idmap secret' /var/log/univention/*
/var/log/univention/join.log:setting idmap secret for alloc from /etc/machine.secret
root@qamember:~# wbinfo -S S-1-5-21-215963510-1792852931-2165353431-1108
55000
root@qamember:~# wbinfo -n ARW2K8R2U24+aduser2
S-1-5-21-215963510-1792852931-2165353431-1110 SID_USER (1)
root@qamember:~# wbinfo -S S-1-5-21-215963510-1792852931-2165353431-1110
55002

### Authentication
root@qamember:~# wbinfo -a ARW2K8R2U24+Administrator%Univention123
plaintext password authentication succeeded
challenge/response password authentication succeeded
root@qamember:~# wbinfo -a ARW2K8R2U24+aduser1%'Test1234;.'
plaintext password authentication succeeded
challenge/response password authentication succeeded

### Testscript for https://forge.univention.org/bugzilla/show_bug.cgi?id=25244
root@qamember:~# wget 'https://forge.univention.org/bugzilla/attachment.cgi?id=3986' -O check-winbind-user
root@qamember:~# chmod 755 check-winbind-user
root@qamember:~# ./check-winbind-user
sid: S-1-5-21-1631607150-3973500847-3586540417
username: ARUCS241I1+
Could not convert sid S-1-5-21-1631607150-3973500847-3586540417 to uid
root@qamember:~# ./check-winbind-user ARW2K8R2U24+aduser1%'Test1234;.'
sid: S-1-5-21-215963510-1792852931-2165353431-1108
username: +aduser1
uid: 55000
GIDs: 55000
groupsid: S-1-5-21-215963510-1792852931-2165353431-513
groupname: +Domänen-Benutzer
ERROR: getent passwd: no entry
plaintext password authentication succeeded
challenge/response password authentication succeeded
Could not get dc name for ARW2K8R2U24
root@qamember:~# ucr set auth/user/methods="krb5 ldap unix winbind"
Setting auth/user/methods
File: /etc/pam.d/univention-management-console
File: /etc/ssh/ssh_config
Multifile: /etc/pam.d/common-session
File: /etc/nsswitch.conf
File: /etc/pam.d/admin-auth-nowrite
File: /etc/pam.d/admin-password
File: /etc/pam.d/common-account
Multifile: /etc/pam.d/common-auth
File: /etc/pam.d/common-auth-nowrite
File: /etc/pam.d/common-password
root@qamember:~# /etc/init.d/nscd restart
 * Restarting NSCD .
root@qamember:~# ./check-winbind-user ARW2K8R2U24+aduser1%'Test1234;.'
sid: S-1-5-21-215963510-1792852931-2165353431-1108
username: ARW2K8R2U24+aduser1
uid: 55000
GIDs: 55000
groupsid: S-1-5-21-215963510-1792852931-2165353431-513
groupname: +Domänen-Benutzer
getent passwd: ARW2K8R2U24+aduser1:*:55000:55000::/home/ARW2K8R2U24-aduser1:/bin/bash
plaintext password authentication succeeded
challenge/response password authentication succeeded
dcname: W2K3R2-32
WARNING: enum users failed for domain ARW2K8R2U24
WARNING: enum groups failed for domain ARW2K8R2U24

#### try to enumerate users
#### strange: does not work yet!
root@qamember:~# wbinfo -u
QAMEMBER+nagios
QAMEMBER+backup
QAMEMBER+nobody
QAMEMBER+lp
QAMEMBER+postfix
QAMEMBER+root
QAMEMBER+sshd
QAMEMBER+daemon
QAMEMBER+mail
QAMEMBER+tss
QAMEMBER+news
QAMEMBER+messagebus
QAMEMBER+bin
QAMEMBER+uucp
QAMEMBER+ntp
QAMEMBER+saned
QAMEMBER+proxy
QAMEMBER+sys
QAMEMBER+systemmail
QAMEMBER+listener
QAMEMBER+hplip
QAMEMBER+statd
QAMEMBER+sync
QAMEMBER+list
QAMEMBER+apt-mirror
QAMEMBER+games
QAMEMBER+irc
QAMEMBER+www-data
QAMEMBER+gnats
QAMEMBER+man
QAMEMBER+libuuid
ARUCS241I1+join-backup
ARUCS241I1+join-slave
ARUCS241I1+administrator
root@qamember:~# net setauthuser -U Administrator
Enter the auth user's password:   ## AD password
root@qamember:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind                                   [ ok ]
 * Starting the Winbind daemon winbind
root@qamember:~# wbinfo -g --domain="ARW2K8R2U24"
root@qamember:~# net setauthuser -U Administrator
Enter the auth user's password:   ## UCS password
root@qamember:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind                                   [ ok ]
 * Starting the Winbind daemon winbind
root@qamember:~# wbinfo -g --domain="ARW2K8R2U24"
root@qamember:~# net setauthuser delete
root@qamember:~# /etc/init.d/winbind restart
 * Stopping the Winbind daemon winbind                                   [ ok ]
 * Starting the Winbind daemon winbind
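As an added example (not part of these notes and not the check-winbind-user attachment from the bugzilla ticket), the following POSIX shell script packages the manual sequence run above on both hosts into functions: winbindd ping, NETLOGON DC ping, name-to-SID lookup, SID-to-uid mapping and the NSS lookup, stopping at the first layer that fails so the failure is attributed to winbindd, the join, name resolution, idmap or nsswitch/nscd respectively. The parsing helpers work purely on strings and are exercised with output recorded in the notes; run_checks assumes wbinfo and getent are on PATH and winbindd is running, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes nor from the check-winbind-user
# attachment: the manual wbinfo/getent sequence as small, testable functions.
# Assumption: run_checks needs wbinfo and getent on PATH and a running winbindd;
# the parsing helpers below only operate on strings.

# Extract the SID from a "wbinfo -n" result line such as
#   "S-1-5-21-215963510-1792852931-2165353431-1108 SID_USER (1)"
# Prints the SID and returns 0 only for user objects, returns 1 otherwise.
sid_from_wbinfo_n() {
    _line=$1
    _sid=${_line%% *}          # first word: the SID
    _rest=${_line#* }
    _type=${_rest%% *}         # second word: the object type
    case "$_type" in
        SID_USER) printf '%s\n' "$_sid" ;;
        *) return 1 ;;
    esac
}

# Strip the RID from a SID: S-1-5-21-A-B-C-1108 -> S-1-5-21-A-B-C
domain_sid_of() {
    printf '%s\n' "${1%-*}"
}

# Return 0 if the SID's domain part is listed in the "Trusted domains list:"
# block of "net rpc trustdom list" output (second column), 1 otherwise.
# This catches a lookup that was answered by the wrong domain.
sid_in_trusted_domain() {
    _dom=$(domain_sid_of "$1")
    printf '%s\n' "$2" | awk -v dom="$_dom" '
        /^Trusted domains list:/  { in_list = 1; next }
        /^Trusting domains list:/ { in_list = 0 }
        in_list && $2 == dom      { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Check that the uid field (3rd) of a getent passwd line equals the uid
# winbind reports for the SID, e.g. on
#   "ARW2K8R2U24+aduser1:*:55000:55000:aduser1 univention:/home/ARW2K8R2U24-aduser1:/bin/bash"
passwd_uid_matches() {
    _uid=$(printf '%s\n' "$1" | cut -d: -f3)
    [ "$_uid" = "$2" ]
}

# Live check: the same steps the notes walk through by hand, in order.
run_checks() {
    _user=$1
    wbinfo -p >/dev/null 2>&1 \
        || { echo "winbindd not reachable (wbinfo -p); restart winbind"; return 1; }
    wbinfo --ping-dc >/dev/null 2>&1 \
        || { echo "NETLOGON DC connection failed (wbinfo --ping-dc); check net rpc testjoin"; return 1; }
    _n=$(wbinfo -n "$_user") \
        || { echo "name lookup failed for $_user (on a DC consider 'winbind rpc only')"; return 1; }
    _sid=$(sid_from_wbinfo_n "$_n") \
        || { echo "$_user is not a user object: $_n"; return 1; }
    _uid=$(wbinfo -S "$_sid") \
        || { echo "no uid mapping for $_sid; check the idmap backend / net idmap secret"; return 1; }
    _entry=$(getent passwd "$_user") \
        || { echo "no NSS entry for $_user; check nsswitch.conf (auth/user/methods) and nscd"; return 1; }
    passwd_uid_matches "$_entry" "$_uid" \
        || { echo "uid mismatch: NSS $(printf '%s\n' "$_entry" | cut -d: -f3) vs winbind $_uid"; return 1; }
    echo "$_user -> $_sid -> uid $_uid: OK"
}

# Usage: ./check-trust-user.sh 'ARW2K8R2U24+aduser1'
if [ "$#" -gt 0 ]; then
    run_checks "$1"
fi
```

Each failure message names the layer the notes had to fix at that point (winbind restart, net rpc join, winbind rpc only, net idmap secret, nsswitch plus nscd restart), so a rerun after a change shows whether the next layer is now the blocker. sid_in_trusted_domain is a separate sanity check to run against `net rpc trustdom list` output, since the memberserver section shows that an empty username yields a SID from the local domain ARUCS241I1 rather than the trusted one.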