Active Directory service not showing correct UID/GID numbers

[sfum]

I have a test setup: newest FreeNAS 11 connected via active directory to a 2012 level AD domain. The connection seems to work, I get users and their group assignments right, but the UID and GID do not match up to what is set in the domain Unix Attributes tab. I know those are set up correctly because other machines on the network running SSSD manage to get the correct UIDs. I have tried various idmap backends and none of them seem to work properly.
I have the "Unix Attributes" box in freenas selected, is there any other speciffic trick to it?

 

[anodos]

What idmap backend have you configured? It sounds like you're using 'RID' when you want 'AD'.

 

[sfum]

It was set to rid, I swapped it to ad, did rebuild and even rebooted just to be sure, still the same: correct users and group assignments, wrong UID/GID.

 

[anodos]

Did the UIDs/GIDs change after the config change?

 

[sfum]

No, they seem to be all the same

 

[anodos]

No, they seem to be all the same

Please run "testparm" and post the output here. Feel free to edit out any sensitive information (domain names, etc). I have a hunch that your UID/GID cache isn't getting cleared.

 

[sfum]

Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
dos charset = CP437
realm = DO.MAIN.COM
server string = FreeNAS Server
workgroup = DO
domain master = No
lm announce = Yes
local master = No
preferred master = No
nsupdate command = /usr/local/bin/samba-nsupdate -g
client ldap sasl wrapping = plain
logging = file
max log size = 51200
domain logons = Yes
kernel change notify = No
panic action = /usr/local/libexec/samba/samba-backtrace
pid directory = /var/run/samba
disable spoolss = Yes
load printers = No
printcap name = /dev/null
time server = Yes
allow trusted domains = No
map to guest = Bad User
obey pam restrictions = Yes
security = ADS
server role = member server
deadtime = 15
hostname lookups = Yes
max open files = 940970
template homedir = None/%D/%U
template shell = /bin/sh
winbind cache time = 7200
winbind enum groups = Yes
winbind enum users = Yes
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
dns proxy = No
idmap config vi: schema mode = rfc2307
idmap config vi: range = 10000-90000000
idmap config vi: backend = ad
idmap config *: range = 90000001-100000000
idmap config * : backend = tdb
store dos attributes = Yes
strict locking = No
directory name cache size = 0
dos filemode = Yes
acl allow execute always = Yes
ea support = Yes
create mask = 0666
directory mask = 0777

 

[anodos]

Are the UIDs / GIDs you allocated in your AD schema within the 10000-90000000 range?

 

[sfum]

Are the UIDs / GIDs you allocated in your AD schema within the 10000-90000000 range?

Yes, they all appear to be in the 20000-30000 range, both UID and GID

 

[anodos]

Create a bug report here: https://bugs.freenas.org/projects/freenas and upload a debug file. The debug file contains sensitive information and so you'll probably want to mark it as 'private'.

 

[anodos]

Create a bug report here: https://bugs.freenas.org/projects/freenas and upload a debug file. The debug file contains sensitive information and so you'll probably want to mark it as 'private'.

If you're up for it, PM me a debug file as well, I'll try to look into it when I have some free time.

 

[anodos]

Let's try a few things:
1) verify that domain join is working properly
wbinfo -t - check trust secret
wbinfo --ping-dc - check the netlogon connection

2) manually expire caching on FreeNAS (I think this probably does the same thing as the gui button to clear cache)
service ix-cache stop
service ix-cache start

 

[sfum]

Ok, here are the results:

root@freenas:~ # wbinfo -t
checking the trust secret for domain DOMAIN via RPC calls succeeded
root@freenas:~ # wbinfo --ping-dc
checking the NETLOGON for domain[DOMAIN] dc connection to "controller.domain.com" succeeded

after running
service ix-cache stop
service ix-cache start
The UIDs remain incorrect

 

[anodos]

Okay. Perhaps you need to clear the winbind cache.
service samba_server stop
net cache flush
service ix-pre-samba start
service samba_server start

If that doesn't work, then I'll start to actually look at your debug file. :D

 

[sfum]

On advice via the bug report I made, I already ran:

service samba_server stop
rm -f /var/db/samba4/winbindd_cache.tdb*
service samba_server start

This seems to have cleared out the incorrect UIDs, but now "getent passwd" returns only local users, so it's a step in the right direction.
My guess is it doesn't matter, but I also ran those 4 commands you posted, same thing: only local users listed.

Interestingly: when I click "rebuild directory service cache" debug.log gets a bunch of non-error messages, followed by 1 line looking like this:
Jul 21 11:11:17 freenas /cachetool.py: [common.freenasldap:2717] Error on getpwnam: 'getpwnam(): name not found: username'
for what looks like every user and group on the domain.

 

[anodos]

On advice via the bug report I made, I already ran:

service samba_server stop
rm -f /var/db/samba4/winbindd_cache.tdb*
service samba_server start

This seems to have cleared out the incorrect UIDs, but now "getent passwd" returns only local users, so it's a step in the right direction.
My guess is it doesn't matter, but I also ran those 4 commands you posted, same thing: only local users listed.

Interestingly: when I click "rebuild directory service cache" debug.log gets a bunch of non-error messages, followed by 1 line looking like this:
Jul 21 11:11:17 freenas /cachetool.py: [common.freenasldap:2717] Error on getpwnam: 'getpwnam(): name not found: username'
for what looks like every user and group on the domain.

Okay. Now try disabling active directory (uncheck 'enable'), click 'Save', then check 'enable', click save.

 

[sfum]

ok, done, still no domain users listed

 

[anodos]

ok, done, still no domain users listed

Have you installed schema extensions in AD? Are you certain that your AD is using RFC2307 schema mode and not SFU? Post contents of /var/log/samba4/log.wb-VI and /var/log/samba4/log.smbd or PM them to me.

 

[anodos]

That's interesting. I'm probably missing something painfully obvious. Hopefully, you're getting better help on the bugtracker. Let's try to do this: increase logging in Services->SMB to "debug" and run the following command - wbinfo -i "DOMAIN\User". Send me the same logs again.

Send me output of net cache list as well.

Query the LDAP on your AD DC using one of your user's SIDs using net ads sid <sid> For example net ads sid 'S-1-5-21-1948654364-3441083670-3320579074-1163'. Do you get the expected result?

 

[sfum]

Ok, running net ads sid does return the correct info, particularly "uidNumber" and "gidNumber" are correct, but running: wbinfo -i "DOMAIN\User" (with valid domain/user combo) results in:
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user DOMAIN\Username
And interestingly, even on the debug setting, the log files did not change when I ran that.