Winbind Centos wrong UID/GID

Here's the scenario:

I have two machine:

Ubuntu, running ldap to authencticate users

CentOs, uses winbind to authenticate users

to mount homedirs I use fstab and nfs shares.

The problem is this:

on Ubuntu, in getent passwd a user look like this:

john:x:3000052:1901:John Doe:/home/john:/bin/bash

but on CentOs the same user use like this in getent passwd:

john:*:16777228:16777218:John Doe:/home/john:/bin/bash

as you can see the UID and GID aren't matching which resolves to permissions are denied when a user try to access there homefoler on CentOS. I want CentOS to have the exact same UID and GID as Ubuntu has, for the AD users.

I managed to find out something about idmap in smb.conf, but I haven't got it working.

[global]
idmap workgroup = MOSEK
idmap config MOSEK:backend  = rid
idmap config MOSEK:base_rid = 0
idmap config MOSEK:range    = 3000040 - 4999999

#--authconfig--start-line--

# Generated by authconfig on 2014/09/30 08:26:52
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = MOSEK
...autogenerated stuff
#--authconfig--end-line--

But this isn't working.

I hope I am clear in what I'm trying to do

EDIT:

okay so here's what authconfig has generated for me. Because of your answer, I think this could be relevant.

#--authconfig--start-line--

# Generated by authconfig on 2014/09/30 08:26:52
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = MOSEK
password server = nyborg.mosek.zentyal
realm = MOSEK.ZENTYAL
security = ads
idmap config * : range = 1000-999999
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind enum groups = true
winbind cache time = 5
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind cache time = 5
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true
winbind nested groups = true

#--authconfig--end-line-- 

EDIT2: when i tried giving sssd.conf the right permissions, it got me a new error:

[root@centosy sssd]# journalctl -xn
-- Logs begin at Mon 2014-10-06 10:14:59 CEST, end at Tue 2014-10-07 10:28:42 CEST. --
Oct 07 10:28:36 centosy.mosek.zentyal sssd[be[5567]: Starting up
Oct 07 10:28:38 centosy.mosek.zentyal sssd[be[5568]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5570]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5569]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5571]: Starting up
Oct 07 10:28:41 centosy.mosek.zentyal sssd[5572]: Starting up
Oct 07 10:28:42 centosy.mosek.zentyal sssd[be[5573]: Starting up
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: sssd.service: control process exited,  code=exited status=1
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: Failed to start System Security Services    Daemon.
-- Subject: Unit sssd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit sssd.service has failed.
-- 
-- The result is failed.
Oct 07 10:28:42 centosy.mosek.zentyal systemd[1]: Unit sssd.service entered failed state.

EDIT3:

okay i followed your guide and here's what i did from start to finish:

[root@centosy sssd]# authconfig --update --disableldap --ldapbasedn="dc=mosek,dc=zentyal" --ldapserver="ldap://172.16.0.5" --enablerfc2307bis --disablekrb5 --enablekrb5kdcdns --krb5realm=mosek.zentyal --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --enablelocauthorize --smbrealm=mosek.zentyal --smbservers=nyborg.mosek.zentyal --smbworkgroup=MOSEK --smbsecurity=ads
getsebool:  SELinux is disabled

[root@centosy sssd]# net ads join createupn=host/`hostname -f`@MOSEK.ZENTYAL -U tomas
Ignoring unknown parameter "idmap workgroup"
Ignoring unknown parameter "idmap workgroup"
Enter tomas's password:
Using short domain name -- MOSEK
Joined 'CENTOSY' to dns domain 'mosek.zentyal'

and here's my sssd.conf:

[sssd]
 config_file_version = 2
 domains = mosek.zentyal
 services = nss, pam
 debug_level = 0

[nss]

[pam]

[domain/mosek.zentyal]
 debug_level = 5
 cache_credentials = false
 enumerate = false
 id_provider = ldap
 auth_provider = krb5
 chpass_provider = krb5
 access_provider = ldap

 ldap_sasl_mech = GSSAPI
 ldap_sasl_authid = host/[email protected]
 ldap_sasl_canonicalize = false

 ldap_user_search_base = ou=Users,dc=mosek,dc=zentyal
 ldap_user_object_class = user
 ldap_user_home_directory = unixHomeDirectory
 ldap_user_name = sAMAccountName
 ldap_user_shell = loginShell

 ldap_group_name = msSFU30Name
 ldap_group_object_class = group
 ldap_group_search_base = ou=Groups,dc=mosek,dc=zentyal

 ldap_access_order = expire
 ldap_account_expire_policy = ad
 ldap_force_upper_case_realm = true
 ldap_disable_referrals = true
 ldap_id_mapping = false
 ldap_schema = rfc2307bis

 krb5_realm = MOSEK.ZENTYAL
 krb5_canonicalize = false
 krb5_server = mosek.zentyal

so now I restart sssd:

[root@centosy sssd]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service

EDIT 4:

this is my nsswitch.conf:

passwd:     files sss
shadow:     files sss
group:      files sss

hosts:      files dns


bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus

I just edited the question so you can see the autogenerated code. It seems that it is already using ads idmap. Also I'm trying to use ads because I'm pretty sure that th AD and ldap uses the same UID and GID.

I investigated a bit further, and ldap uses the UNIX basic attributes only. how will I be able to make centos do the same? I need to configure krb5.conf and smb.conf, but how?

I have added the authconfig steps and sssd configuration.

When trying to run the authconfig command I get: authconfig: Authentication module /lib64/security/pam_sss.so is missing. Authentication process might not work correctly.

I installed the sssd package and the error disappeared although the sssd.conf doesn't exist in /etc/sssd/ and when i try to create it and start SSSD service: [root@centosy sssd]# service sssd start Redirecting to /bin/systemctl start sssd.service Job for sssd.service failed. See 'systemctl status sssd.service' and 'journalctl -xn' for details. [root@centosy sssd]# /etc/init.d/ iprdump iprinit iprupdate netconsole network [root@centosy sssd]# systemctl status ssd.service ssd.service Loaded: not-found (Reason: No such file or directory) Active: inactive (dead)

I looked in journalctl as the error suggested and i found this: -- Unit sssd.service has begun starting up. Oct 07 10:13:45 centosy.mosek.zentyal sssd[5526]: NSCD socket was detected and seems to be configured to cache some of the data Oct 07 10:13:45 centosy.mosek.zentyal sssd[5526]: Cannot read config file /etc/sssd/sssd.conf. Please check if permissions are Oct 07 10:13:45 centosy.mosek.zentyal systemd[1]: sssd.service: control process exited, code=exited status=4 Oct 07 10:13:45 centosy.mosek.zentyal systemd[1]: Failed to start System Security Services Daemon.

/etc/sssd/sssd.conf should be mode 600 (rw-------).

I editted my question with a new error

I tried deleting and remaking the sssd.conf and I got it running, but even though i followed your guide, now when i look at getent passwd, non of the AD users are there.

Did it joing the domain ok? Check the sssd logs (/var/log/sssd/*).

I added all the configs and sssd log in my question

Missed the creation of the keytab file, so added it in after the domain join command. See if that helps.

kinit throws this error: [root@centosy ~]# kinit @MOSEK.ZENTYAL kinit: Client not found in Kerberos database while getting initial credentials I had to install krb5-workstation to get kinit installed, and when i install the workstation package I ran the authconfig and join commands again to be sure.

@Tomas - Leave that command out and go ahead and create the keytab file (assuming you have just run the net ads join command)?

okay I tried the command kinit [email protected] and it got me trough, now when I try to create a keytab it ask for root's password, and then say that [email protected] doesn't exist. how can I get it to ask for the Domain Admin Tomas's password?

I fixed my keytab problems with adding the U flag to both commands. but although i made the keytab, and added the host. although i got a kerberos ticket form the AD, it still doesn't have any of the users in getent passwd

I change /etc/sssd/sssd.conf to have ldap_sasl_authid = host/[email protected]. What should /etc/nsswitch.conf look like when correctly populated?

I added my nsswitch.conf, so you can see, if something's wrong with it

@Tomas nsswitch.conf is fine. Try kinit -k host/[email protected], then run getent ... while checking the logs: /var/log/sssd/*.logs Failing that then install ldapsearch and run a query against your LDAP server.

I try running the kinit command, and get the error: kinit: Keytab contains no suitable keys for host/[email protected] while getting initial credentials

Also in /var/log/sssd/ldap_child.log i keep getting these: (Thu Oct 16 07:01:01 2014) [[sssd[ldap_child[6554]]]] [sss_krb5_verify_keytab_ex] (0x0010): Principal [host/[email protected]] not found in keytab [default] (Thu Oct 16 07:01:01 2014) [[sssd[ldap_child[6554]]]] [ldap_child_get_tgt_sync] (0x0040): Unable to verify principal is present in the keytab (Thu Oct 16 07:01:01 2014) [[sssd[ldap_child[6554]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.

okay I found out, that although the user isn't in getent passwd they can stil log in, which is great, but the UID still seems to be incorrect

Good news, what is the AD UID and the currently assigned UID?

bad news again. it was some other configurations i tried that made it possible to log in. configurations with winbind. I tried reinstalling and run through your configurations again, and I was unable to log in, unfurtunately :( I really appreciate you helping me by thew way

also when I try the command kinit tomas i get to right the password, and then it returns the error kinit: KDC reply did not match expectations while getting initial credentials

That is the SFU attribute for Windows AD that maps the unix LDAP equivalent for uid. So in LDAP, does the UID just have the windows username?

My AD server is not windows. It is something called zentyal, which runs on top of ubuntu, and works as a windows AD server

So in LDAP, is the UID attribute the same as the zentyal AD username?

I'm unclear on what you mean? you can see on my ubuntu client that uses purely ldap authentication that the UID is the right one, which means that the UID that ldap retrieves is the same as on the zentyal AD

"This uses an algorithm to generate a random number for the UID between the limits that you set in the range, which will always be different between hosts." rid should, if set up identically on both machines (same range and base_rid), always give you the same UID for the same user. I suspect one server using winbind and the other using LDAP might be a problem though