Samba4 Linux user has two uid's
Rowland Penny
repenny at f2s.com
Wed Mar 27 07:52:04 MDT 2013
On 26/03/13 17:29, Thomas Simmons wrote:
> I'm sorry, the smb.conf I provided is missing this:
>
> idmap config * : backend = tdb
> idmap config * : range = 900000-910000
>
> Kill your winbindd process, add that to smb.conf and run 'net cache
> flush'. Start winbindd back up and you should be good to go.

Hi Thomas, I did have something very similar to the above in my smb.conf
and, after doing all I can think of, I am still getting the same problem:
with the line 'idmap config EXAMPLE:backend = ad' in my smb.conf, I get
no domain users. If I swap 'ad' for 'rid', I do get domain users.

This is the smb.conf I have been using:

[global]
workgroup = EXAMPLE
realm = example.com
preferred master = no
server string = ubuntu client
security = ads
encrypt passwords = yes
log level = 3
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 10000-20000
idmap config EXAMPLE:default = yes
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema mode = rfc2307
idmap config EXAMPLE:range = 3000000-31000000
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
template homedir = /home/%D/%U
template shell = /bin/bash

This is an ldif file of a user on the Samba4 AD server:

dn: CN=testuser,CN=Users,DC=example,DC=com
cn: testuser
instanceType: 4
whenCreated: 20130320122306.0Z
uSNCreated: 3778
name: testuser
objectGUID:: siE+gJgV2kKaQO0qslOkVg==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAtvprU8QVtn/NH/GlUQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: testuser
sAMAccountType: 805306368
userPrincipalName: testuser at example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
pwdLastSet: 130082557870000000
userAccountControl: 512
uidNumber: 3000016
gidNumber: 100
unixHomeDirectory: /example/EXAMPLE/testuser
loginShell: /bin/bash
profilePath: \\adserver\profiles\testuser
exampleDrive: Z:
exampleDirectory: \\adserver\home\testuser
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
whenChanged: 20130326132819.0Z
uSNChanged: 3855
distinguishedName: CN=testuser,CN=Users,DC=example,DC=com

And this is what I find in '/var/log/samba/log.winbindd-idmap' after I
run 'getent passwd':

[2013/03/27 13:22:08.697614, 0] winbindd/idmap_tdb.c:149(idmap_tdb_upgrade)
  Upgrading winbindd_idmap.tdb from an old version
[2013/03/27 13:22:08.747114, 3] winbindd/idmap.c:230(idmap_init_domain)
  idmap backend ad not found
[2013/03/27 13:22:08.748825, 2] lib/module.c:64(do_smb_load_module)
  Module '/usr/lib/samba/idmap/ad.so' loaded
[2013/03/27 13:22:08.749165, 3] libsmb/namequery.c:2533(get_dc_list)
  get_dc_list: preferred server list: "adserver.example.com, *"
[2013/03/27 13:22:08.762494, 3] libads/ldap.c:640(ads_connect)
  Successfully contacted LDAP server 192.168.0.10
[2013/03/27 13:22:08.762828, 3] libsmb/namequery.c:2533(get_dc_list)
  get_dc_list: preferred server list: "adserver.example.com, *"
[2013/03/27 13:22:08.763190, 3] libsmb/namequery.c:2533(get_dc_list)
  get_dc_list: preferred server list: "adserver.example.com, *"
[2013/03/27 13:22:08.777696, 3] libads/ldap.c:640(ads_connect)
  Successfully contacted LDAP server 192.168.0.10
[2013/03/27 13:22:08.780683, 3] libads/ldap.c:694(ads_connect)
  Connected to LDAP server adserver.example.com
[2013/03/27 13:22:08.807827, 3] libads/sasl.c:869(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2013/03/27 13:22:08.808305, 3] libads/sasl.c:869(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2013/03/27 13:22:08.808456, 3] libads/sasl.c:869(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2013/03/27 13:22:08.808604, 3] libads/sasl.c:878(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178 at please_ignore
[2013/03/27 13:22:08.809768, 3] libsmb/clikrb5.c:787(ads_krb5_mk_req)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2013/03/27 13:22:08.966573, 3] libsmb/clikrb5.c:632(ads_cleanup_expired_creds)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Wed, 27 Mar 2013 23:22:08 GMT
[2013/03/27 13:22:08.966866, 3] libsmb/clikrb5.c:840(ads_krb5_mk_req)
  ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
[2013/03/27 13:22:09.543036, 1] winbindd/idmap_ad.c:657(idmap_ad_sids_to_unixids)
  Could not get unix ID
[2013/03/27 13:22:09.549311, 1] winbindd/idmap_ad.c:657(idmap_ad_sids_to_unixids)
  Could not get unix ID
[2013/03/27 13:22:09.554357, 1] winbindd/idmap_ad.c:657(idmap_ad_sids_to_unixids)
  Could not get unix ID
[2013/03/27 13:22:09.614386, 1] winbindd/idmap_ad.c:657(idmap_ad_sids_to_unixids)
  Could not get unix ID
[2013/03/27 13:22:09.625233, 1] winbindd/idmap_ad.c:657(idmap_ad_sids_to_unixids)
  Could not get unix ID
[2013/03/27 13:22:09.630888, 1] winbindd/idmap_ad.c:657(idmap_ad_sids_to_unixids)
  Could not get unix ID

Does anybody have any suggestions how I can get this to work? I am being
driven to distraction by this and it is probably something I am doing or
not doing.

Rowland
More information about the samba-technical
mailing list