SOLVED How to query AD for user's real name?


Luke Jaeger

Dabbler
Joined
Mar 16, 2016
Messages
43
I have FreeNAS-9.3-STABLE-201602031011 set up for CIFS sharing in a college lab environment.

It's bound to AD and that seems to be working fine: users can log into the FreeNAS with their AD name and password, which is what we want.

The FreeNAS is also hosting a static web site (hosted by Apache in a jail) with a directory for every student to display their projects. I would like these student subdirectories to show up on the site with the students' real names ("Lizzie Borden") instead of their UID's ("lborden"). So I need a command-line method to query AD somehow and retrieve those attributes for each user who has a home directory on the FreeNAS box.

I know how to do this from the local /etc/groups database but I can't figure out how to get the same info out of AD. I've tried a few things with wbinfo and ldaptool but so far I'm stumped. Any guidance will be appreciated! thanks -- LJ
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
When winbind is properly configured, AD users will appear as local users. So you can use the following commands to retrieve their real name:

Code:
getent passwd lborden | cut -d ':' -f 5


or

Code:
getent passwd UID | cut -d ':' -f 5


Of course, some of the more experienced Unix admins here like dlavigne or jgreco may have a more efficient way of doing this.

Out of curiosity, did you configure winbind in your jail? If not, how are you retrieving UIDs of AD users?
 

Luke Jaeger

Dabbler
Joined
Mar 16, 2016
Messages
43
Nope, all I can get is the username, either with that method or with wbinfo. I don't know if winbind is pulling other info down from the AD server.

getent passwd MS\\ljaeger

returns:

MS\ljaeger:*:48685:20513::/home/MS/ljaeger:/bin/sh

"MS" is the name of the AD domain.
 

Luke Jaeger

Dabbler
Joined
Mar 16, 2016
Messages
43
I didn't configure winbind in the jail ... that shouldn't be necessary. I have a bash script that creates the index.html file for the site root, which is just a list of all the student project directories. It works fine when the source is a local group, which up to now it has been. But I can't figure out how to make it do the same thing based on members of an AD group.
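Putting anodos's `getent passwd ... | cut -d ':' -f 5` advice together with the index-generating script described in this post, here is an added example (my own, not code from the thread or from FreeNAS) of a POSIX sh script that lists every project directory under the students' web root with the owner's full name taken from field 5 (GECOS) of `getent passwd`, which winbind fills from the AD display name. `PASSWD_FILE` is an assumed override so the script can be tested offline against a constructed passwd file; on the NAS it stays unset and `getent` goes through winbind. Two things the thread does not cover are handled: when the GECOS field is empty (as in the `getent` output posted above) the script falls back to the login name instead of emitting an empty link, and because the display name is whatever the AD admin typed, it is HTML-escaped before it lands in index.html.

```shell
#!/bin/sh
# Added example (not from the thread): generate the student index from
# winbind-resolved AD users. Field 5 of the passwd line is GECOS, which
# winbind fills with the AD display name ("Full Name").

# Assumption for offline testing: if PASSWD_FILE is set, look the user up
# there instead of calling getent (which on the NAS goes through winbind).
passwd_line() {
    if [ -n "${PASSWD_FILE:-}" ]; then
        awk -F: -v u="$1" '$1 == u' "$PASSWD_FILE"
    else
        getent passwd "$1"
    fi
}

# Full name for a login; falls back to the login itself when GECOS is empty
# (the situation in this thread before the AD side was sorted out).
full_name() {
    fn=$(passwd_line "$1" | cut -d: -f5)
    [ -n "$fn" ] || fn=$1
    printf '%s\n' "$fn"
}

# Display names come from AD, not from this script: escape them before
# writing HTML so a crafted displayName cannot inject markup into the page.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# One list item: link text is the full name, link target is the login directory.
index_entry() {
    printf '<li><a href="%s/">%s</a></li>\n' \
        "$(html_escape "$1")" "$(html_escape "$(full_name "$1")")"
}

# Build the list for every directory under the web root given as $1.
build_index() {
    printf '<ul>\n'
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        index_entry "${d##*/}"
    done
    printf '</ul>\n'
}

# Stand-alone use (assumed path): sh index.sh /path/to/students > /path/to/students/index.html
if [ "$#" -gt 0 ]; then build_index "$1"; fi
```

The script only needs `winbind use default domain = yes` (discussed further down in the thread) if the directory names are bare logins; with the domain prefix in the directory name it works the same way, since `getent passwd` accepts either form once that parameter is set.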
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Nope, all I can get is the username, either with that method or with wbinfo. I don't know if winbind is pulling other info down from the AD server.
>
> getent passwd MS\\ljaeger
>
> returns:
>
> MS\ljaeger:*:48685:20513::/home/MS/ljaeger:/bin/sh
>
> "MS" is the name of the AD domain.

Ah, that behavior depends on whether you've set the parameter "winbind use default domain = yes". This is controlled in the freenas webgui by "Directory Service" -> "Active Directory" with the "Use Default Domain" checkbox. If it is checked (or parameter set to "yes") you will be able to query by username without having to prefix the domain name. It works somewhat better for some purposes. There are some caveats. See samba documentation here: https://www.samba.org/samba/docs/man/manpages/smb.conf.5.html#WINBINDUSEDEFAULTDOMAIN
 

Luke Jaeger

Dabbler
Joined
Mar 16, 2016
Messages
43
OK, I set "winbind use default domain = yes" and now I can query either with or without the domain name prefix. But I get the same info back either way ... uid, gid, username, home directory, and default shell. But no first name or last name. Is winbind caching the first name & last name somewhere local, or do I have to query the AD server for it? I'm not seeing how to make that query with wbinfo or any of the other tools.

And I'm querying by username, not uid, because it's easier.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> OK, I set "winbind use default domain = yes" and now I can query either with or without the domain name prefix. But I get the same info back either way ... uid, gid, username, home directory, and default shell. But no first name or last name. Is winbind caching the first name & last name somewhere local, or do I have to query the AD server for it? I'm not seeing how to make that query with wbinfo or any of the other tools.
>
> And I'm querying by username, not uid, because it's easier.

On my AD member servers (I have several of them) "getent passwd" shows the user's full name in the output. What idmap backend are you using?

Note that I'm using Server 2012R2 with a domain functional level of 2008R2. When user profiles are viewed through "Active Directory Administrative Center", the parameter that gets populated by winbind is "Full Name". In "Active Directory Users and Computers" this appears as the parameter "Display name" under the "General" tab.

Or, if you use PowerShell, the value of the "Name" variable when you type the command:

Code:
Get-ADUser -filter {SamAccountName -eq "lborden"}

I'm pretty sure there's no way to pull "GivenName" and "Surname" using samba.
 

Luke Jaeger

Dabbler
Joined
Mar 16, 2016
Messages
43
> On my AD member servers (I have several of them) "getent passwd" shows the user's full name in the output. What idmap backend are you using?
>
> Note that I'm using Server 2012R2 with a domain functional level of 2008R2. When user profiles are viewed through "Active Directory Administrative Center", the parameter that gets populated by winbind is "Full Name". In "Active Directory Users and Computers" this appears as the parameter "Display name" under the "General" tab.

That I cannot tell you, unfortunately, because it's not my AD server. But maybe the AD admin can fix that .... thanks
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> That I cannot tell you, unfortunately, because it's not my AD server. But maybe the AD admin can fix that .... thanks

If for some reason the displayname is unpopulated or populated with the wrong info, it should be fairly easy for an AD admin to use PowerShell to fix it (i.e. set the display name by concatenating the givenname and surname).

If rebooting the FreeNAS server is an option (i.e. you're not in production yet), then you can try doing that and seeing if samba / winbind / something else is being stupid.
 

Luke Jaeger

Dabbler
Joined
Mar 16, 2016
Messages
43
And, just noticed that after enabling AD binding, I can't log in with any of the local accounts. That's not good. Fortunately this box isn't in production until September. Unchecked 'enable' in the AD setup page and it works again.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
You should be able to authenticate using local users. Perhaps the idmap range for your local users overlaps the idmap range for your domain. Post contents of /etc/local/smb4.conf enclosed in [ code ] tags.
 

Luke Jaeger

Dabbler
Joined
Mar 16, 2016
Messages
43
Code:

[global]
    server max protocol = SMB2
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 1885709
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    hostname lookups = yes
    time server = yes
    acl allow execute always = true
    acl check permissions = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = member server
    netbios name = NAS
    workgroup = MS
    realm = MS.MTHOLYOKE.EDU
    security = ADS
    client use spnego = yes
    cache directory = /var/tmp/.cache/.samba
    local master = no
    domain master = no
    preferred master = no
    ads dns update = yes
    winbind cache time = 7200
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = no
    winbind refresh tickets = yes
    idmap config MS: backend = rid
    idmap config MS: range = 20000-90000000
    allow trusted domains = no
    client ldap sasl wrapping = plain
    template shell = /bin/sh
    template homedir = /home/%D/%U
    pid directory = /var/run/samba
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1
   

[3d_print_files]
    path = /mnt/pool1/share/3d_print_files
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = no
    vfs objects = zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
   

[CS_CasperShare]
    path = /mnt/pool1/share/CS_CasperShare
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    vfs objects = zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
   

[homes]
    valid users = %D\%U
    path = /mnt/pool1/share/userhomes/%D/%U
    comment = Home Directories
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = no
    vfs objects = zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
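
anodos's suggestion that the local and domain idmap ranges might overlap can be checked mechanically rather than by eye. The following added example (mine, not from the thread or from FreeNAS) pulls every `idmap config <domain>: range = low-high` line out of an smb4.conf and reports any pair of ranges that intersect. Run against the configuration posted above it reports no overlap (the `*` range 90000001-100000000 and the MS range 20000-90000000 are disjoint), which rules that explanation out for this box. Only the `range` lines are inspected; the `backend` lines are ignored.

```shell
#!/bin/sh
# Added example (not from the thread): detect overlapping idmap ranges in
# an smb4.conf. Winbind allocates IDs for each domain inside its range;
# if two ranges intersect, local and domain accounts can collide on UID/GID.

# Print "<domain> <low> <high>" for each "idmap config X: range = low-high".
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config \([^:]*\):[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*$/\1 \2 \3/p' "$1"
}

# Report every intersecting pair; exit 0 when all ranges are disjoint, 1 otherwise.
check_idmap_overlap() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "OVERLAP: %s %d-%d and %s %d-%d\n",
                               dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            if (!bad) print "OK: no overlapping idmap ranges"
            exit bad
        }'
}

# Stand-alone use on the NAS: sh idmap_check.sh /etc/local/smb4.conf
if [ "$#" -gt 0 ]; then check_idmap_overlap "$1"; fi
```

The exit status makes it usable as a pre-flight check before re-enabling the AD join: a non-zero result means the two backends would hand out colliding IDs.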
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
The smb.conf file on one of my AD member servers is identical to yours, but I can't replicate the authentication problem you are experiencing. How are you trying to authenticate as a local user (ssh session, ftp, etc.)? Are you trying to authenticate to one of your CIFS shares using the local user account?

Note that you cannot authenticate to the same Windows / Samba server using two separate sets of credentials on a Windows client. For instance if you have

Share 1 - accessible by AD members
Share 2 - only accessible by a local user account.

You will probably not be able to access Share 2 from a domain-joined computer because your client will automatically authenticate as your AD user when it connects to the samba server's IPC$ share when you browse to \\NAS.
 

Luke Jaeger

Dabbler
Joined
Mar 16, 2016
Messages
43
I was trying to mount a CIFS share via SMB to a Mac which is not AD-joined, using an account that is local to the FreeNAS. If I uncheck 'enable' in the AD setup GUI it works again. I haven't done anything to the share permissions since enabling AD, so maybe that's the issue. The error I got seemed typical of bad permissions ("cannot find the share" or something like that)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> I was trying to mount a CIFS share via SMB to a Mac which is not AD-joined, using an account that is local to the FreeNAS. If I uncheck 'enable' in the AD setup GUI it works again. I haven't done anything to the share permissions since enabling AD, so maybe that's the issue. The error I got seemed typical of bad permissions ("cannot find the share" or something like that)

Increase logging verbosity then review /var/log/samba4/log.smbd to see what user the mac is trying to authenticate as when the FreeNAS server is joined to the domain vs. not joined to the domain. Also try using both CIFS and SMB by ip-address (i.e. cifs://<ip address> or smb://<ip address>). Macs can behave oddly.
 

Luke Jaeger

Dabbler
Joined
Mar 16, 2016
Messages
43
Same result whether I try it with IP address or hostname.
Interestingly, when I try cifs://my.server.edu I get the "shaking login box" to indicate a bad password; when I try smb://my.server.edu I get a "there was a problem connecting to the share" error message.

this is (I think) the relevant portion of the log:

Code:
[2016/03/22 10:00:53.892259,  3] ../source3/auth/auth.c:177(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [MS]\[student1]@[workstation] with the new password interface
[2016/03/22 10:00:53.892302,  3] ../source3/auth/auth.c:180(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [MS]\[student1]@[workstation]
[2016/03/22 10:00:53.894642,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [student1] -> [student1] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/03/22 10:00:53.894694,  3] ../source3/auth/auth_util.c:1593(do_map_to_guest_server_info)
  No such user student1 [MS] - using guest account
[2016/03/22 10:00:53.894758,  2] ../auth/gensec/spnego.c:956(gensec_spnego_update)
  GENSEC SPNEGO: failed to verify mechListMIC: NT_STATUS_INVALID_PARAMETER
[2016/03/22 10:00:53.894792,  2] ../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
[2016/03/22 10:00:53.900610,  3] ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2016/03/22 10:00:53.901758,  3] ../auth/ntlmssp/ntlmssp_server.c:358(ntlmssp_server_preauth)
  Got user=[student1] domain=[MS] workstation=[workstation] len1=24 len2=232
[2016/03/22 10:00:53.901799,  3] ../source3/param/loadparm.c:4842(lp_load_ex)
  lp_load_ex: refreshing parameters
[2016/03/22 10:00:53.901852,  3] ../source3/param/loadparm.c:750(init_globals)
  Initialising global parameters
[2016/03/22 10:00:53.901963,  3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file "/usr/local/etc/smb4.conf"
[2016/03/22 10:00:53.901998,  3] ../source3/param/loadparm.c:3568(do_section)
  Processing section "[global]"
[2016/03/22 10:00:53.903360,  2] ../source3/param/loadparm.c:3585(do_section)
  Processing section "[3d_print_files]"
[2016/03/22 10:00:53.903695,  2] ../source3/param/loadparm.c:3585(do_section)
  Processing section "[CS_CasperShare]"
[2016/03/22 10:00:53.904022,  2] ../source3/param/loadparm.c:3585(do_section)
  Processing section "[homes]"
[2016/03/22 10:00:53.904367,  3] ../source3/param/loadparm.c:1775(lp_add_ipc)
  adding IPC service
[2016/03/22 10:00:53.904560,  3] ../source3/auth/auth.c:177(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [MS]\[student1]@[workstation] with the new password interface
[2016/03/22 10:00:53.904598,  3] ../source3/auth/auth.c:180(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [MS]\[student1]@[workstation]
[2016/03/22 10:00:53.905892,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [student1] -> [student1] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/03/22 10:00:53.905946,  3] ../source3/auth/auth_util.c:1593(do_map_to_guest_server_info)
  No such user student1 [MS] - using guest account
[2016/03/22 10:00:53.905979,  2] ../auth/gensec/spnego.c:956(gensec_spnego_update)
  GENSEC SPNEGO: failed to verify mechListMIC: NT_STATUS_INVALID_PARAMETER
[2016/03/22 10:00:53.906009,  2] ../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
[2016/03/22 10:00:56.585934,  3] ../source3/smbd/server_exit.c:221(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)
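
For triaging entries like the ones above, here is an added example (mine, not from the thread or from Samba) that reads a log.smbd written at log level 2 or higher and counts failed logons by the domain, user and workstation the client actually sent, pairing each `FAILED with error` line with the preceding `Checking password for unmapped user [DOMAIN]\[user]@[workstation]` line. Run over the excerpt posted above it yields two `NT_STATUS_NO_SUCH_USER` failures for `MS\student1`: the Mac is presenting the AD domain `MS` for an account that exists only on the FreeNAS, which is exactly what the `No such user student1 [MS]` line says. The second pair of lines in the test is constructed to show how a wrong-password failure for a correctly-prefixed local user would be reported alongside it.

```shell
#!/bin/sh
# Added example (not from the thread): summarise failed SMB logons from
# /var/log/samba4/log.smbd (log level >= 2). Each "FAILED with error" line
# is paired with the preceding "unmapped user" line, which carries the
# [DOMAIN]\[user]@[workstation] triple the client actually sent.
smbd_auth_failures() {
    awk '
    /Checking password for unmapped user/ {
        line = $0
        sub(/.*unmapped user /, "", line)
        split(line, p, /[][]/)      # "[MS]\[student1]@[ws] ..." -> p[2], p[4], p[6]
        dom = p[2]; ws = p[6]
    }
    /Authentication for user .* FAILED with error/ {
        line = $0
        sub(/.*Authentication for user \[/, "", line)
        sub(/\].*/, "", line)       # the user name as requested
        count[dom "\\" line "@" ws " " $NF]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' "$1" | sort -rn
}

# Stand-alone use on the NAS: sh smbfail.sh /var/log/samba4/log.smbd
if [ "$#" -gt 0 ]; then smbd_auth_failures "$1"; fi
```

Output is one line per distinct `count DOMAIN\user@workstation STATUS`, most frequent first, which makes a client that keeps retrying with the wrong domain stand out from an ordinary mistyped password.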
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
You may need to authenticate with "Domain\User" rather than "user". (Where "domain" is the local freenas box) for instance "freenas\student" or whatever the Mac syntax is.
 