[Samba] Samba with AD : SID rejected
Rowland Penny
rpenny at samba.org
Mon May 6 09:23:08 UTC 2019
On Mon, 6 May 2019 10:58:56 +0200
Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
> On 06/05/2019 at 10:46, Rowland Penny via samba wrote:
> > On Mon, 6 May 2019 09:08:10 +0200
> > Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
> >
> >> Hi,
> >>
> >> sorry for the mistake, I meant
> >>
> >> getent passwd vincent shows nothing and I got in the log file:
> >>
> >> winbindd_getpwnam: My domain -- rejecting getpwnam() for
> >> FOO\vincent.
> >>
> >> 'wbinfo -u | grep 'vincent' returns vincent, it's the good
> >> username.
> > Just because 'wbinfo' shows a user, doesn't mean that a Unix OS will
> > know the user, even if the smb.conf appears to be correct.
> >
> > You originally posted this:
> >
> > idmap config FOO:backend = ad
> > idmap config FOO:schema_mode = rfc2307
> > idmap config FOO:range = 10000-999999
> > idmap config FOO:unix_nss_info = yes
> > idmap config FOO:unix_primary_group = yes
> >
> > So, does 'vincent' have a uidNumber attribute containing a number
> > inside the range '10000-99999999' AND either a gidNumber attribute
> > containing the gidNumber of an AD group, or does Domain
> > Users have a gidNumber attribute? The gidNumber must be inside the
> > same range.
> >
> > Rowland
>
> Yes, user 'vincent' has uidNumber 10010, gidNumber 13010 and
> primaryGroupID 513.
>
> 513 corresponds to the group "Domain Users", which has gidNumber
> 13010
>
> Vincent
>
OK, can you try something as a test?

Change this:

idmap config FOO:backend = ad
idmap config FOO:schema_mode = rfc2307
idmap config FOO:range = 10000-999999
idmap config FOO:unix_nss_info = yes
idmap config FOO:unix_primary_group = yes

To this:

idmap config FOO:backend = rid
idmap config FOO:range = 10000-999999

Restart Samba and run:

net cache flush

Then run:

getent passwd vincent

This will test the connectivity between your Unix domain member and the
DC.

Don't worry if you get IDs that you don't expect; this is just a test.
Just change everything back after the test.

Rowland
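
Added example (not part of the messages above and not Samba code): a Python check of the two points this thread turns on, whether the reported uidNumber and gidNumber fall inside the configured idmap range, and which ID the 'rid' test configuration yields for a given RID. The function names are hypothetical; the rid formula (RID - base_rid + low end of range, base_rid 0 by default) is the one documented for idmap_rid.

```python
import re

# The idmap lines quoted in the thread (smb.conf [global] fragment).
SMB_CONF = """\
idmap config FOO:backend = ad
idmap config FOO:schema_mode = rfc2307
idmap config FOO:range = 10000-999999
idmap config FOO:unix_nss_info = yes
idmap config FOO:unix_primary_group = yes
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^:\s]+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {DOMAIN: {option: value}} from 'idmap config DOM:opt = val' lines."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def id_range(cfg):
    """Split 'low-high' into two integers."""
    low, high = (int(x) for x in cfg["range"].split("-"))
    return low, high

def check_ad_ids(cfg, uid_number, gid_number):
    """List the range problems asked about in the thread; [] means none found."""
    low, high = id_range(cfg)
    problems = []
    for name, value in (("uidNumber", uid_number), ("gidNumber", gid_number)):
        if value is None:
            problems.append(f"{name} is not set")
        elif not low <= value <= high:
            problems.append(f"{name} {value} outside {low}-{high}")
    return problems

def rid_to_unix_id(cfg, rid, base_rid=0):
    """ID computed by the 'rid' backend, or None if it overflows the range."""
    low, high = id_range(cfg)
    unix_id = rid - base_rid + low
    return unix_id if unix_id <= high else None

if __name__ == "__main__":
    foo = parse_idmap(SMB_CONF)["FOO"]
    print(check_ad_ids(foo, 10010, 13010))  # values reported in the thread
    print(rid_to_unix_id(foo, 513))         # Domain Users under the rid test
```

Under the rid test the group with RID 513 maps to a different gid than the 13010 stored in AD, which is why the IDs returned during the test differ from the rfc2307 attributes.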