[Samba] Winbind question

Ryan Ashley ryana at reachtechfp.com
Mon Aug 11 09:10:14 MDT 2014


I just rebuilt my second member server and it finally has the exact same 
IDs as the other one. That configuration parameter was the key. I owe 
you big-time. Now let's get your other issue fixed!

On 08/11/2014 11:02 AM, Bruno MACADRÉ wrote:
> I've just recompiled so I didn't change anything.... I think I made a 
> mistake in configuration
>
> I will try to rejoin
>
> On 11/08/2014 17:00, Ryan Ashley wrote:
>> Have you edited "/etc/nsswitch.conf" and set passwd and group to use 
>> winbind? Mine is below. Also, have you joined the member server with 
>> "net ads join -U<domain admin name>"?
>>
>> passwd:         compat winbind
>> group:          compat winbind
>> shadow:         compat
>>
>> On 08/11/2014 10:57 AM, Bruno MACADRÉ wrote:
>>> wbinfo -u works but not wbinfo -i....
>>>
>>> On 11/08/2014 16:55, Ryan Ashley wrote:
>>>> Did you start the winbind, nmbd, and smbd services? If winbindd is 
>>>> not running, you cannot use wbinfo.
>>>>
>>>> On 08/11/2014 10:54 AM, Bruno MACADRÉ wrote:
>>>>> Nice, for me it's not so cool.... ad backend works and winbind 
>>>>> lists users but if I want info about it I get a 
>>>>> 'WBC_ERR_DOMAIN_NOT_FOUND' error..... I must search again.....
>>>>>
>>>>>
>>>>> On 11/08/2014 16:51, Ryan Ashley wrote:
>>>>>> THAT DID IT! I am now pulling the correct IDs! I spent weeks on 
>>>>>> this and kept thinking it was configuration files or a bug. Man, 
>>>>>> I owe you dinner if you're ever in the states!
>>>>>>
>>>>>> On 08/11/2014 10:47 AM, Ryan Ashley wrote:
>>>>>>> My thoughts are the same. I am rebuilding Samba on my member 
>>>>>>> server now using the parameter you mentioned. I did a full 
>>>>>>> rebuild from scratch, but I will let you know if it works when 
>>>>>>> it finishes. My fingers are crossed!
>>>>>>>
>>>>>>> On 08/11/2014 10:45 AM, Bruno MACADRÉ wrote:
>>>>>>>> I think only members, because it's only on them that we get the message 
>>>>>>>> 'can't load ad backend'
>>>>>>>>
>>>>>>>> On 11/08/2014 16:37, Ryan Ashley wrote:
>>>>>>>>> I have not seen that mentioned in my 121 posts about this 
>>>>>>>>> issue. Does that need to be enabled on the DC and members or 
>>>>>>>>> just members?
>>>>>>>>>
>>>>>>>>> On 08/11/2014 10:35 AM, Bruno MACADRÉ wrote:
>>>>>>>>>> Nice clue,
>>>>>>>>>>
>>>>>>>>>> I quickly searched my tutorial and saw that I forgot an 
>>>>>>>>>> option on my configure line:
>>>>>>>>>>
>>>>>>>>>> --with-shared-modules=idmap_ad
>>>>>>>>>>
>>>>>>>>>> I'll recompile my Samba and retry... I'll come back when finished
>>>>>>>>>>
>>>>>>>>>> On 11/08/2014 16:30, Ryan Ashley wrote:
>>>>>>>>>>> I forgot to tell you, if you are pulling from the TDB range, 
>>>>>>>>>>> your ID numbers will NOT be the same across member servers. 
>>>>>>>>>>> That is what I have been working on for a month now. I have 
>>>>>>>>>>> two member servers and they keep pulling from the TDB range, 
>>>>>>>>>>> causing a user to have an ID of 70001 on one member server 
>>>>>>>>>>> but 70004 on the other. Both servers claim they cannot probe 
>>>>>>>>>>> the idmap ad module.
>>>>>>>>>>>
>>>>>>>>>>> On 08/11/2014 10:21 AM, Bruno MACADRÉ wrote:
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I successfully set up an AD DC, and now, I want to join a 
>>>>>>>>>>>> file server as member in this domain.
>>>>>>>>>>>>
>>>>>>>>>>>> I followed this tutorial : 
>>>>>>>>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server 
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> All works fine, my server joins my AD without problem, samba 
>>>>>>>>>>>> starts fine and winbind too. But when I look at my domain 
>>>>>>>>>>>> users, the uid/gid returned by winbind are in the TDB range 
>>>>>>>>>>>> instead of the AD range.....
>>>>>>>>>>>>
>>>>>>>>>>>> This is my smb.conf :
>>>>>>>>>>>> [global]
>>>>>>>>>>>>
>>>>>>>>>>>>    netbios name = filzen
>>>>>>>>>>>>    workgroup = SAMDOM
>>>>>>>>>>>>    security = ADS
>>>>>>>>>>>>    realm = SAMDOM.FR
>>>>>>>>>>>>    encrypt passwords = yes
>>>>>>>>>>>>
>>>>>>>>>>>>    log level = 10
>>>>>>>>>>>>
>>>>>>>>>>>>    template homedir = /home/%U
>>>>>>>>>>>>    template shell = /bin/bash
>>>>>>>>>>>>
>>>>>>>>>>>>    winbind use default domain = yes
>>>>>>>>>>>>    winbind enum users  = yes
>>>>>>>>>>>>    winbind enum groups = yes
>>>>>>>>>>>>
>>>>>>>>>>>>    idmap config SAMDOM:backend = ad
>>>>>>>>>>>>    idmap config SAMDOM:range = 20001-70000
>>>>>>>>>>>>    idmap config SAMDOM:default = yes
>>>>>>>>>>>>    idmap config *:backend = tdb
>>>>>>>>>>>>    idmap config *:range = 70001-80000
>>>>>>>>>>>>
>>>>>>>>>>>> If I type :
>>>>>>>>>>>> # wbinfo -i administrator
>>>>>>>>>>>>
>>>>>>>>>>>> I get :
>>>>>>>>>>>> administrator:*:70001:70001::/home/administrator:/bin/bash
>>>>>>>>>>>>
>>>>>>>>>>>> If I create a user (foo) and try to obtain his 
>>>>>>>>>>>> information:
>>>>>>>>>>>> # wbinfo -i foo
>>>>>>>>>>>>
>>>>>>>>>>>> I get:
>>>>>>>>>>>> foo:*:70002:70001::/home/foo:/bin/bash
>>>>>>>>>>>>
>>>>>>>>>>>> Why doesn't winbind use the AD range instead of the TDB range? And 
>>>>>>>>>>>> even if I must use the TDB range, is there any certainty that these 
>>>>>>>>>>>> uid/gid are the same across all members?
>>>>>>>>>>>>
>>>>>>>>>>>> Another clue : If I use SAMDOM:backend = rid the users 
>>>>>>>>>>>> receive a uid/gid in SAMDOM range and not in TDB range 
>>>>>>>>>>>> (maybe a bug in ad backend ?)
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks for any answers
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Bruno.
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
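
Added example, not part of the original thread: a Python check for the symptom discussed above, using the idmap lines and the `wbinfo -i` output quoted in the thread. It flags users whose uid comes from the default (`*`) tdb range instead of the AD range, and users whose uid differs between member servers. The host name `member2` and its 70004 entry are constructed from the mismatch Ryan describes; the function names are hypothetical.

```python
import re

# idmap backend/range lines from the smb.conf posted in the thread.
SMB_CONF = """
[global]
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:range = 20001-70000
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
"""

# wbinfo -i output per member server. "filzen" is from the thread;
# "member2" and its uid 70004 are constructed sample data.
WBINFO = {
    "filzen": ["administrator:*:70001:70001::/home/administrator:/bin/bash"],
    "member2": ["administrator:*:70004:70001::/home/administrator:/bin/bash"],
}

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I | re.M)

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        if key.lower() == "range":
            val = tuple(int(n) for n in val.split("-"))
        domains.setdefault(dom, {})[key.lower()] = val
    return domains

def owning_domain(uid, domains):
    """Name of the idmap domain whose range contains uid, or None."""
    for dom, cfg in domains.items():
        low, high = cfg.get("range", (1, 0))
        if low <= uid <= high:
            return dom
    return None

def audit(wbinfo, domains):
    """Flag uids taken from the default (*) range or differing across hosts."""
    findings, seen = [], {}
    for host, lines in wbinfo.items():
        for line in lines:
            name, _, uid = line.split(":")[:3]
            if owning_domain(int(uid), domains) == "*":
                findings.append((host, name, "default-range"))
            if seen.setdefault(name, int(uid)) != int(uid):
                findings.append((host, name, "uid-mismatch"))
    return findings
```
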


