[Samba] Winbindd Strangeness
Rowland Penny
rowlandpenny at googlemail.com
Wed Jun 24 00:58:28 MDT 2015
On 24/06/15 02:55, David Minard wrote:
> On 23/06/15 13:32, David Minard wrote:
>
>> I've set up a DC and a Member Server for a file server. Both are
>> running on CentOS 7 and samba version 4.2.2. The Member Server is
>> running smbd and winbindd.
>>
>> I've followed the wiki and for the most part it's working.
>> However, after stuffing up the ranges, then fixing them up, when I
>> create new accounts, adding all the Unix attributes, the UID_Number
>> is not showing the correct value for new accounts. Existing ones are
>> okay.
>>
>> Member_Server Config:
>>
>> [global]
>>
>> netbios name = MS1
>> workgroup = AD
>> security = ADS
>> realm = SAMBADOM
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 30000000-40000000
>> idmap config SAMBADOM:backend = ad
>> idmap config SAMBADOM:schema_mode = rfc2307
>> idmap config SAMBADOM:range = 600-29999999
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = Yes
>>
>>
>>
>> Existing Account:
>> getent passwd fred
>>
>> fred:*:4999:30000000:Fred Nerks:/home/fred:/bin/tcsh
>>
>> New Account:
>>
>> fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
>>
>> Fred1 was set up with --uid-number='5004'
>>
>> I've tried clearing winbindd caches as per some post I read:
>>
>> systemctl stop winbindd
>> rm /usr/local/samba/var/locks/group_mapping.tdb* \
>>    /usr/local/samba/var/locks/winbindd_idmap.tdb* \
>>    /usr/local/samba/var/locks/winbindd_cache.tdb*
>> systemctl start winbindd
>>
>> But no change.
>>
>> I've also noticed that the default group that all users are in
>> used to be "domain users", now for some reason they are all in
>> "BUILTIN\administrators" !
>> Am I doing something wrong? If so, what? If not, how do
>> I track down why this is happening?
>>
>> Cheers,
>> David Minard.
>> Ph: 0247 360 155
>> Fax: 0247 360 770
>>
>> School of Computing, Engineering, and Mathematics
>> Building Y - Penrith Campus (Kingswood)
>> Locked bag 1797
>> Penrith South DC
>> NSW 1797
>>
>> [Sometimes waking up just isn't worth the insult of the day to
>> come.]
>>
>>
> Yes, you do appear to be doing things wrong
>
> workgroup = AD
>
> but:
>
> idmap config SAMBADOM:backend = ad
> idmap config SAMBADOM:schema_mode = rfc2307
> idmap config SAMBADOM:range = 600-29999999
>
> 'SAMBADOM' should be 'AD'
>
> You have 'realm = SAMBADOM', it really should be something like
> 'realm = SAMBADOM.COM'
>
> Rowland
>
> Thanks for the quick reply Rowland. The change didn't make any
> difference. I remember having it the way you suggested in the first
> place, but was still getting strangeness. I have put it back to the
> right way as suggested. I now have a config of:
>
> [global]
>
> netbios name = MS1
> workgroup = AD
> security = ADS
> realm = SAMDOM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 30000000-40000000
> idmap config AD:backend = ad
> idmap config AD:schema_mode = rfc2307
> idmap config AD:range = 600-29999999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
>
>
> SAMDOM is as you say, a domain name for the AD.
>
> I noticed that the UIDNumbers of new accounts are overlapping with
> system accounts.
>
> fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
> krbtgt:*:30000002:30000000:krbtgt:/home/AD/krbtgt:/bin/false
>
> fred:*:30000000:30000000:Fred Nerks:/home/fred:/bin/tcsh
> administrator:*:30000000:30000000:Administrator:/home/AD/administrator:/bin/false
>
>
Strange, have you tried running 'net cache flush' on the member server?
Have you given all the users & groups an ID number in AD?
Can you post the exact command you are using to create users?
Rowland
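
An added example, not part of the original messages: a small Python check for the smb.conf issues discussed in this thread, namely an `idmap config` domain that differs from `workgroup` and idmap ranges that overlap, plus a lookup of which configured range a UID from `getent passwd` falls in. The function names are hypothetical, and the sample configuration is constructed from the idmap lines of the first config quoted above.

```python
import re

# Constructed sample: idmap-related lines of the first smb.conf quoted in the thread.
SAMPLE_CONF = """
[global]
workgroup = AD
idmap config *:backend = tdb
idmap config *:range = 30000000-40000000
idmap config SAMBADOM:backend = ad
idmap config SAMBADOM:range = 600-29999999
"""
IDMAP_RE = re.compile(r"idmap config\s+(\S+?)\s*:\s*(\w+)$", re.I)

def parse_conf(text):
    """Return (workgroup, {domain: {option: value}}) from smb.conf text."""
    workgroup, idmap = None, {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line or line.startswith(("#", ";", "[")):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = IDMAP_RE.match(key)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
        elif key.lower() == "workgroup":
            workgroup = value.upper()
    return workgroup, idmap

def parse_range(value):
    return tuple(int(n) for n in value.split("-"))

def check_idmap(text):
    """List findings: idmap domain not matching workgroup, overlapping ranges."""
    workgroup, idmap = parse_conf(text)
    findings = [f"idmap domain {d} does not match workgroup {workgroup}"
                for d in idmap if d not in ("*", workgroup)]
    ranges = sorted((parse_range(o["range"]), d) for d, o in idmap.items() if "range" in o)
    for ((_, hi), d1), ((lo, _), d2) in zip(ranges, ranges[1:]):
        if lo <= hi:
            findings.append(f"ranges for {d1} and {d2} overlap")
    return findings

def range_owner(text, uid):
    """Return the idmap domain whose range contains uid, or None."""
    for dom, opts in parse_conf(text)[1].items():
        if "range" in opts:
            low, high = parse_range(opts["range"])
            if low <= uid <= high:
                return dom
    return None
```

For the `fred1` line quoted above, `range_owner(SAMPLE_CONF, 30000002)` returns `*`: the UID lies in the default tdb range, not in the 600-29999999 range that would hold the `--uid-number` value 5004.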