Samba 4 Domain Member - problem

Rowland Penny repenny241155 at gmail.com
Fri Dec 20 10:48:25 MST 2013


On 20/12/13 17:39, Carlos Miguel Bustillo Rdguez wrote:
> Our domain is based entirely on Windows Server 2008R2.
>
> I don't really understand your question.
>
> Is it necessary that domain users have uidNumbers? Where can I see these
> numbers?
>
> Thanks, Carlos
> On 12/20/2013 12:27 PM, Rowland Penny wrote:
>> On 20/12/13 17:11, Carlos Miguel Bustillo Rdguez wrote:
>>> Rowland:
>>>
>>>    thanks for your time. I have followed your recommendation. But the
>>> problem remains:
>>>
>>> # wbinfo -i mmorales
>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not get info for user mmorales
>>>
>>> # id mmorales
>>> id: mmorales: No such user
>>>
>>> Why did the "id" command work initially?
>>> Sometimes the "id" command identifies the users and other times it doesn't.
>>>
>>> Regards, Carlos
>>>
>>> PS: Happy Christmas to all!!
>>>
>>> On 12/20/2013 04:37 AM, Rowland Penny wrote:
>>>> On 19/12/13 23:12, Carlos Miguel Bustillo Rdguez wrote:
>>>>> Hello list:
>>>>>
>>>>> Recently I joined my Samba 4.1.3 (from Sernet packages in Debian Wheezy)
>>>>> to my Microsoft Windows 2008R2 Domain as a member server.
>>>>>
>>>>> I followed the steps in
>>>>> https://wiki.samba.org/index.php/Samba/Domain_Member
>>>>>
>>>>> Initially all worked perfectly, but later I noted that some users in my
>>>>> MSAD don't appear when I use the "id" command:
>>>>> # id joe
>>>>> id: joe: No such user
>>>>>
>>>>> This is the result of the "testparm" command:
>>>>> Load smb config files from /etc/samba/smb.conf
>>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>>>>> (16384)
>>>>> Processing section "[pkt]"
>>>>> Processing section "[test]"
>>>>> Loaded services file OK.
>>>>> Server role: ROLE_DOMAIN_MEMBER
>>>>> Press enter to see a dump of your service definitions
>>>>>
>>>>> [global]
>>>>>       workgroup = MYDOMAIN
>>>>>       realm = MYDOMAIN.COM
>>>>>       security = ADS
>>>>>       winbind enum users = Yes
>>>>>       winbind enum groups = Yes
>>>>>       winbind use default domain = Yes
>>>>>       winbind nss info = rfc2307
>>>>>       idmap config MYDOMAIN:range = 500-100000
>>>>>       idmap config MYDOMAIN:schema_mode = rfc2307
>>>>>       idmap config MYDOMAIN:backend = ad
>>>>>       idmap config *:range = 70001-80000
>>>>>       idmap config * : backend = tdb
>>>>>       map acl inherit = Yes
>>>>>       printing = bsd
>>>>>       print command = lpr -r -P'%p' %s
>>>>>       lpq command = lpq -P'%p'
>>>>>       lprm command = lprm -P'%p' %j
>>>>>       store dos attributes = Yes
>>>>>       vfs objects = acl_xattr
>>>>>
>>>>> [pkt]
>>>>>       path = /home/big
>>>>>       read only = No
>>>>>
>>>>> [test]
>>>>>       path = /home/test
>>>>>       read only = No
>>>>>
>>>>> The big problem is that when I add new users to the shares above (pkt and
>>>>> test), they cannot log in.
>>>>>
>>>>> I think that the problem is associated with winbind and
>>>>> libnss_winbind.so.2 library:
>>>>>
>>>>> I put the necessary symbolic links in /lib64 (my hardware is x86_64),
>>>>> then I ran the following to check if the libraries are activated:
>>>>> #ldconfig -v | grep winbind
>>>>> ldconfig: Path `/lib/x86_64-linux-gnu' given more than once
>>>>> ldconfig: Path `/usr/lib/x86_64-linux-gnu' given more than once
>>>>>       libnss_winbind.so -> libnss_winbind.so.2
>>>>>       libnss_winbind.so -> libnss_winbind.so.2
>>>>>
>>>>>
>>>>> I would appreciate some help with it.
>>>>>
>>>>> Regards, Carlos
>>>>>
>>>>>
>>>>> The Universidad Central "Marta Abreu" de Las Villas in its 60th
>>>>> anniversary. Founded on 30 November 1952. Visit us at:
>>>>> http://www.uclv.edu.cu
>>>>> Take part in Universidad 2014, 10 to 14 February 2014.
>>>>> Havana, Cuba. http://www.congresouniversidad.cu/
>>>>>
>>>>>
>>>> First thing that you need to fix is your ranges, 'idmap config *:range =
>>>> 70001-80000' is inside 'idmap config MYDOMAIN:range = 500-100000'
>>>> The *:range needs to come before or after MYDOMAIN:range
>>>> i.e.
>>>> idmap config MYDOMAIN:range = 500-100000
>>>> idmap config *:range = 100001-101000
>>>>
>>>> Rowland
>>>>
>>>
>> Do the users that do not appear have uidNumbers in AD and if they do,
>> are these numbers inside the range you set for your domain?
>>
>> Rowland
>>
>
If you don't know about them, then that is the problem. You are using 
the ad backend in your smb.conf and this relies on finding uidNumber & 
gidNumber in the users & groups CN's and these numbers have to be inside 
the range you set.
As for adding them, go to ADUC, select a user or group and then go to 
the 'UNIX Attributes' tab; here you can add the required info.

Rowland
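
The two checks discussed in this thread (idmap ranges that overlap, and users whose uidNumber is missing or outside the domain range) can be automated. The following is an added example, not part of the original messages and not Samba's own tooling; the config lines are the ones posted above, while the function names and the uidNumber values are constructed for illustration.

```python
import re

# idmap lines as posted in the thread's testparm dump
POSTED = """\
idmap config MYDOMAIN:range = 500-100000
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:backend = ad
idmap config *:range = 70001-80000
idmap config * : backend = tdb
"""
# Constructed sample: uidNumber per user as read from AD (None = attribute unset)
SAMPLE_UIDS = {"joe": None, "mmorales": 250, "alice": 10001}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}}; a range becomes a (low, high) tuple."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
        if opt == "range":
            low, high = (int(x) for x in val.split("-"))
            val = (low, high)
        domains.setdefault(dom, {})[opt] = val
    return domains

def overlapping_ranges(domains):
    """Pairs of idmap domains whose ID ranges intersect."""
    ranged = sorted((d, o["range"]) for d, o in domains.items() if "range" in o)
    return [(a, b) for i, (a, ra) in enumerate(ranged)
            for b, rb in ranged[i + 1:]
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def unmapped_users(domains, domain, uid_numbers):
    """Users the ad backend cannot map: no uidNumber, or one outside the range."""
    low, high = domains[domain]["range"]
    return sorted(u for u, n in uid_numbers.items()
                  if n is None or not low <= n <= high)

if __name__ == "__main__":
    doms = parse_idmap(POSTED)
    print("overlapping ranges:", overlapping_ranges(doms))
    print("unmapped users:", unmapped_users(doms, "MYDOMAIN", SAMPLE_UIDS))
```
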

