[Samba] userid shows 4294967295
Nico De Ranter
nico.deranter at esaturnus.com
Mon Dec 7 16:08:45 UTC 2015
I'm coming from a Debian system so my system accounts are below 1000,
regular accounts start at 1000. For some historical reason somebody gave
our main group id 500 so therefore I want my usable range to start at 500.
Do I need both idmap config *:range and idmap config SAMDOM:range? I also
tried with only 'idmap config *:range' but that didn't seem to help. I'll
try again tomorrow.
I also noticed that my second AD didn't have rfc2307 enabled so that may
also have introduced some issues.
@Stefan Kania, thanks for the 'net cache flush', I didn't know that.
Nico
On Mon, Dec 7, 2015 at 4:27 PM, Rowland penny <rpenny at samba.org> wrote:
> On 07/12/15 12:52, Nico De Ranter wrote:
>
>> Hello again,
>>
>> I'm getting close to a working setup but still run into glitches here and
>> there.
>>
>> I have 2 Ubuntu servers working as AD server, one Ubuntu desktop with
>> winbind configured. I've set up a number of accounts with Unix
>> properties. I've been primarily testing with my own account which works
>> just fine. I've now assigned Unix properties to another account. When I
>> run 'wbinfo -i' on the AD server I see the correct info:
>>
>> root@dc1:~# wbinfo -i test
>> OFFICE\test:*:10000:500:test:/home/OFFICE/test:/bin/false
>>
>> When I try the same thing on the client I get:
>>
>> root@testpc2:~# wbinfo -i test
>> test:*:4294967295:4294967295::/home/test:/bin/bash
>>
>> I also tried some other accounts and got the same result. The only account
>> that seems to work fine is my own account (and no, it is not in /etc/passwd :-)
>>
>> Any idea what might be wrong?
>>
>> smb.conf on the client:
>>
>> [global]
>> security = ADS
>> workgroup = OFFICE
>> realm = WIN.OFFICE
>>
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> winbind refresh tickets = yes
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind offline logon = yes
>>
>> client signing = yes
>> client use spnego = yes
>>
>> idmap config = ad
>> winbind nss info = rfc2307
>>
>> # Default idmap config used for BUILTIN and local accounts/groups
>> idmap backend = tdb
>> idmap range = 100-499
>>
>> # idmap config for domain OFFICE
>> idmap config OFFICE : backend = ad
>> idmap config OFFICE : schema_mode = rfc2307
>> idmap config OFFICE : range = 500-29999
>>
>
> Your 'idmap config' block really should look like this:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-99999
>
> Also why are you using such strange ID numbers?
>
> Rowland
>
>> It worked for the user with uid 1048, it doesn't work for uid 1059, 1000,
>> 9999, 10000
>>
>>
>
--
Nico De Ranter
Operations Engineer
T. +32 16 40 12 82
M. +32 497 91 53 78
<http://www.esaturnus.com>
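Added example, not part of the original messages: a Python check that separates the `idmap config DOMAIN : option` lines of the client's smb.conf from idmap lines written in any other form, and classifies the uid/gid in a `wbinfo -i` line as unmapped (4294967295 is 2^32 - 1, i.e. -1 as an unsigned 32-bit ID), inside, or outside a given range. The function names are hypothetical; the inputs are copied from the thread.

```python
import re

UNMAPPED = 2**32 - 1  # 4294967295, i.e. -1 stored in an unsigned 32-bit ID
IDMAP_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(.+?)\s*=\s*(.+?)\s*$")

# Inputs copied from the thread: the client's idmap lines and both wbinfo outputs.
CLIENT_CONF = """\
idmap config = ad
idmap backend = tdb
idmap range = 100-499
idmap config OFFICE : backend = ad
idmap config OFFICE : schema_mode = rfc2307
idmap config OFFICE : range = 500-29999
"""
DC_LINE = r"OFFICE\test:*:10000:500:test:/home/OFFICE/test:/bin/false"
CLIENT_LINE = "test:*:4294967295:4294967295::/home/test:/bin/bash"

def parse_idmap(conf_text):
    """Return ({domain: {option: value}}, [idmap lines not in per-domain form])."""
    domains, odd = {}, []
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if not line.startswith("idmap"):
            continue  # comments and unrelated parameters
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        else:
            odd.append(line)
    return domains, odd

def id_range(domains, domain):
    """Return the (low, high) range configured for one domain."""
    low, high = domains[domain]["range"].split("-")
    return int(low), int(high)

def check_entry(passwd_line, rng):
    """Classify the uid and gid of one 'wbinfo -i' line against an idmap range."""
    fields = passwd_line.split(":")
    verdict = {}
    for name, value in (("uid", int(fields[2])), ("gid", int(fields[3]))):
        if value == UNMAPPED:
            verdict[name] = "unmapped"
        elif rng[0] <= value <= rng[1]:
            verdict[name] = "in range"
        else:
            verdict[name] = "outside range"
    return verdict

if __name__ == "__main__":
    domains, odd = parse_idmap(CLIENT_CONF)
    print("not in 'idmap config DOMAIN : option' form:", odd)
    print("client:", check_entry(CLIENT_LINE, id_range(domains, "OFFICE")))
    print("dc vs 10000-99999:", check_entry(DC_LINE, (10000, 99999)))
```

Checked against the 10000-99999 range from the suggested block, the DC's entry for `test` has its uid in range but its gid 500 outside it, which is the reason given in the reply for wanting the range to start at 500.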