failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

Daniele Dario d.dario76 at gmail.com
Tue Jan 24 16:06:10 UTC 2017




On lun, 2017-01-16 at 16:10 +0100, Daniele Dario wrote:
> 
> 
> On lun, 2017-01-16 at 13:56 +0000, Rowland Penny wrote:
> > On Mon, 16 Jan 2017 14:10:52 +0100
> > Daniele Dario <d.dario76 at gmail.com> wrote:
> > 
> > > 
> > > 
> > > 
> > > On lun, 2017-01-16 at 11:22 +0000, Rowland Penny wrote:
> > > > On Mon, 16 Jan 2017 11:50:12 +0100
> > > > Daniele Dario <d.dario76 at gmail.com> wrote:
> > > > 
> > > > > Hi list,
> > > > > I'm sorry to bother you with a request that probably is not for
> > > > > developers but I'm not able to find anywhere a real example of id
> > > > > mapping on a domain member and it's almost one week I'm
> > > > > googling and trying to figure out how to get things working :-(
> > > > > 
> > > > > I have two samba AD DC in my domain and one of them is acting
> > > > > also as file server. I'd like to move the file server to a domain
> > > > > member and before to mess up things decided to create a test
> > > > > environment to find out how to proceed so I created 2 VMs with
> > > > > ubuntu 16.04 amd64 servers (named addc and addm1) and downloaded
> > > > > samba 4.5.3.
> > > > > 
> > > > > Following the wiki I built/installed samba
> > > > > (just ./configure+make+make install) then provisioned test domain
> > > > > on addc as follows:
> > > > > 
> > > > > [root at addc:~]# samba-tool domain provision --use-rfc2307 --interactive
> > > > > Realm [SAMDOM.LOC]: SAMDOM.LOC
> > > > >  Domain [SAMDOM]: SAMDOM
> > > > >  Server Role (dc, member, standalone) [dc]: dc
> > > > >  DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
> > > > >  DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]: 8.8.8.8
> > > > > Administrator password: ...
> > > > > 
> > > > > then followed the other steps of the wiki to complete DC setup.
> > > > > 
> > > > > This is the smb.conf on addc:
> > > > > 
> > > > > [root at addc:~]# cat /usr/local/samba/etc/smb.conf 
> > > > > # Global parameters
> > > > > [global]
> > > > >         netbios name = ADDC
> > > > >         realm = SAMDOM.LOC
> > > > >         workgroup = SAMDOM
> > > > >         dns forwarder = 8.8.8.8
> > > > >         server role = active directory domain controller
> > > > >         idmap_ldb:use rfc2307 = yes
> > > > >         
> > > > >         template shell = /bin/bash
> > > > >         template homedir = /home/SAMDOM/%U
> > > > > 
> > > > > [netlogon]
> > > > >         path = /usr/local/samba/var/locks/sysvol/samdom.loc/scripts
> > > > >         read only = No
> > > > > 
> > > > > [sysvol]
> > > > >         path = /usr/local/samba/var/locks/sysvol
> > > > >         read only = No
> > > > > 
> > > > > I created the reverse lookup DNS zone
> > > > > 
> > > > > [root at addc:~]# samba-tool dns zonecreate 192.168.12.204 12.168.192.in-addr.arpa -U administrator
> > > > > [root at addc:~]# samba-tool dns add 192.168.12.204 12.168.192.in-addr.arpa 204 PTR addc.samdom.loc -U administrator
> > > > > 
> > > > > two test groups
> > > > > 
> > > > > [root at addc:~]# samba-tool group add group1 --nis-domain=samdom --gid-number=4000100
> > > > > [root at addc:~]# samba-tool group add group2 --nis-domain=samdom --gid-number=4000101
> > > > > 
> > > > > two test users
> > > > > 
> > > > > [root at addc:~]# samba-tool user create user1 P4ssw0rd --nis-domain=samdom --unix-home=/home/SAMDOM/user1 --uid-number=4001001 --login-shell=/bin/bash --gid-number=4000001
> > > > > [root at addc:~]# samba-tool user create user2 P4ssw0rd --nis-domain=samdom --unix-home=/home/SAMDOM/user2 --uid-number=4001002 --login-shell=/bin/bash --gid-number=4000002
> > > > > 
> > > > > and added users to groups
> > > > > 
> > > > > [root at addc:~]# samba-tool group addmembers group1 user1
> > > > > [root at addc:~]# samba-tool group addmembers group2 user1
> > > > > [root at addc:~]# samba-tool group addmembers group1 user2
> > > > > 
> > > > > Then tested if winbindd was working
> > > > > 
> > > > > [root at addc:~]# getent passwd administrator
> > > > > SAMDOM\administrator:*:0:100::/home/SAMDOM/administrator:/bin/bash
> > > > > 
> > > > > [root at addc:~]# getent passwd user1
> > > > > SAMDOM\user1:*:4001001:100::/home/SAMDOM/user1:/bin/bash
> > > > > 
> > > > > [root at addc:~]# getent group 'domain users'
> > > > > SAMDOM\domain users:x:100:
> > > > > 
> > > > > [root at addc:~]# getent group group1
> > > > > SAMDOM\group1:x:4000100:
> > > > > 
> > > > > [root at addc:~]# id administrator
> > > > > uid=0(root) gid=0(root) groups=0(root)
> > > > > 
> > > > > [root at addc:~]# id user1
> > > > > uid=4001001(SAMDOM\user1) gid=100(users) groups=100(users),4000100(SAMDOM\group1),4000101(SAMDOM\group2),3000009(BUILTIN\users)
> > > > > 
> > > > > On the second VM: built/installed samba
> > > > > (just ./configure+make+make install) following instructions on
> > > > > wiki page "Setting Up Samba as a Domain Member".
> > > > > 
> > > > > I wrote an smb.conf based on the one on wiki:
> > > > > 
> > > > > [root at addm1:~]# cat /usr/local/samba/etc/smb.conf 
> > > > > # Global parameters
> > > > > [global]
> > > > >         security = ADS
> > > > >         workgroup = SAMDOM
> > > > >         realm = SAMDOM.LOC
> > > > > 
> > > > >         log file = /usr/local/samba/var/%m.log
> > > > >         log level = 1
> > > > > 
> > > > >         winbind nss info = rfc2307
> > > > >         winbind use default domain = yes
> > > > > 
> > > > >         # Default ID mapping configuration for local BUILTIN accounts
> > > > >         # and groups on a domain member. The default (*) domain:
> > > > >         # - must not overlap with any domain ID mapping configuration!
> > > > >         # - must use an read-write-enabled back end, such as tdb.
> > > > >         idmap config * : backend = tdb
> > > > >         idmap config * : range = 3000-7999
> > > > > 
> > > > >         # ID mapping configuration for SAMDOM accounts
> > > > >         idmap config SAMDOM:backend = ad
> > > > >         idmap config SAMDOM:schema_mode = rfc2307
> > > > >         idmap config SAMDOM:range = 10000-4999999
> > > > > 
> > > > >         # Map the domain administrator to the local root account
> > > > >         username map = /usr/local/samba/etc/user.map
> > > > > 
> > > > > Domain join succeeded and then modified nsswitch.conf as wiki says
> > > > > then started winbindd. Not having yet configured any share nor
> > > > > printer I didn't start smbd nor nmbd.
> > > > > 
> > > > > Testing winbindd connectivity succeeded
> > > > > 
> > > > > [root at addm1:~]# wbinfo --ping-dc
> > > > > checking the NETLOGON for domain[SAMDOM] dc connection to "DC.SAMDOM.LOC" succeeded
> > > > > 
> > > > > so I linked libnss_winbind.so, restarted winbindd and tried
> > > > > lookup of user1 but had no output. So tried with wbinfo and
> > > > > increased debug level to 10.
> > > > > 
> > > > > [root at addm1:~]# wbinfo -i user1
> > > > > failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> > > > > Could not get info for user user1
> > > > > 
> > > > > [2017/01/12 09:40:43.825777,  6, pid=1506, effective(0, 0),
> > > > > real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd.c:918(new_connection)
> > > > > accepted socket 29 [2017/01/12 09:40:43.826709, 10, pid=1506,
> > > > > effective(0, 0), real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd.c:760(process_request)
> > > > > process_request: request fn INTERFACE_VERSION [2017/01/12
> > > > > 09:40:43.826770,  3, pid=1506, effective(0, 0), real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd_misc.c:396(winbindd_interface_version)
> > > > > [ 1584]: request interface version (version = 28) [2017/01/12
> > > > > 09:40:43.826837, 10, pid=1506, effective(0, 0), real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd.c:863(winbind_client_response_written)
> > > > > winbind_client_response_written[1584:INTERFACE_VERSION]: delivered
> > > > > response to client [2017/01/12 09:40:43.827471, 10, pid=1506,
> > > > > effective(0, 0), real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd.c:760(process_request)
> > > > > process_request: request fn WINBINDD_PRIV_PIPE_DIR [2017/01/12
> > > > > 09:40:43.827522,  3, pid=1506, effective(0, 0), real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd_misc.c:429(winbindd_priv_pipe_dir)
> > > > > [ 1584]: request location of privileged pipe [2017/01/12
> > > > > 09:40:43.827597, 10, pid=1506, effective(0, 0), real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd.c:863(winbind_client_response_written)
> > > > > winbind_client_response_written[1584:WINBINDD_PRIV_PIPE_DIR]:
> > > > > delivered response to client [2017/01/12 09:40:43.828157,  6,
> > > > > pid=1506, effective(0, 0), real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd.c:918(new_connection)
> > > > > accepted socket 33 [2017/01/12 09:40:43.828585,  6, pid=1506,
> > > > > effective(0, 0), real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd.c:967(winbind_client_request_read)
> > > > > closing socket 29, client exited [2017/01/12 09:40:43.829039, 10,
> > > > > pid=1506, effective(0, 0), real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd.c:733(process_request)
> > > > > process_request: Handling async request 1584:GETPWNAM [2017/01/12
> > > > > 09:40:43.829090,  3, pid=1506, effective(0, 0), real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> > > > > getpwnam user1 [2017/01/12 09:40:43.829150,  1, pid=1506,
> > > > > effective(0, 0), real(0,
> > > > > 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > > > > wbint_LookupName: struct wbint_LookupName in: struct
> > > > > wbint_LookupName domain                   : *
> > > > >                   domain                   : 'SAMDOM'
> > > > >               name                     : *
> > > > >                   name                     : 'USER1'
> > > > >               flags                    : 0x00000008 (8)
> > > > > [2017/01/12 09:40:43.829311,  1, pid=1506, effective(0, 0),
> > > > > real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > > > >        wbint_LookupName: struct wbint_LookupName
> > > > >           out: struct wbint_LookupName
> > > > >               type                     : *
> > > > >                   type                     : SID_NAME_USER (1)
> > > > >               sid                      : *
> > > > >                   sid                      :
> > > > > S-1-5-21-2829196831-3808893492-1696772578-1105
> > > > >               result                   : NT_STATUS_OK
> > > > > [2017/01/12 09:40:43.829435,  1, pid=1506, effective(0, 0),
> > > > > real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > > > >        wbint_QueryUser: struct wbint_QueryUser
> > > > >           in: struct wbint_QueryUser
> > > > >               sid                      : *
> > > > >                   sid                      :
> > > > > S-1-5-21-2829196831-3808893492-1696772578-1105
> > > > > [2017/01/12 09:40:43.829619,  1, pid=1506, effective(0, 0),
> > > > > real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > > > >        wbint_QueryUser: struct wbint_QueryUser
> > > > >           out: struct wbint_QueryUser
> > > > >               info                     : *
> > > > >                   info: struct wbint_userinfo
> > > > >                       acct_name                : *
> > > > >                           acct_name                : 'user1'
> > > > >                       full_name                : *
> > > > >                           full_name                : 'user1'
> > > > >                       homedir                  : *
> > > > >                           homedir                  : '/home/user1'
> > > > >                       shell                    : *
> > > > >                           shell                    : '/bin/bash'
> > > > >                       primary_gid              :
> > > > > 0x00000000003d0901 (4000001)
> > > > >                       user_sid                 :
> > > > > S-1-5-21-2829196831-3808893492-1696772578-1105
> > > > >                       group_sid                :
> > > > > S-1-5-21-2829196831-3808893492-1696772578-513
> > > > >               result                   : NT_STATUS_OK
> > > > > [2017/01/12 09:40:43.829830, 10, pid=1506, effective(0, 0),
> > > > > real(0, 0),
> > > > > class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
> > > > > SID 0: S-1-5-21-2829196831-3808893492-1696772578-1105 [2017/01/12
> > > > > 09:40:43.829911, 10, pid=1506, effective(0, 0), real(0,
> > > > > 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
> > > > > Parsing value for key
> > > > > [IDMAP/SID2XID/S-1-5-21-2829196831-3808893492-1696772578-1105]:
> > > > > value=[4001001:U] [2017/01/12 09:40:43.829955, 10, pid=1506,
> > > > > effective(0, 0), real(0,
> > > > > 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
> > > > > Parsing value for key
> > > > > [IDMAP/SID2XID/S-1-5-21-2829196831-3808893492-1696772578-1105]:
> > > > > id=[4001001], endptr=[:U] [2017/01/12 09:40:43.830002, 10,
> > > > > pid=1506, effective(0, 0), real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd_util.c:1036(find_lookup_domain_from_sid)
> > > > > 
> > > > > find_lookup_domain_from_sid(S-1-5-21-2829196831-3808893492-1696772578-513)
> > > > > [2017/01/12 09:40:43.830038, 10, pid=1506, effective(0, 0),
> > > > > real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd_util.c:1046(find_lookup_domain_from_sid)
> > > > > calling find_our_domain [2017/01/12 09:40:43.830071,  1, pid=1506,
> > > > > effective(0, 0), real(0,
> > > > > 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > > > > wbint_LookupSid: struct wbint_LookupSid in: struct wbint_LookupSid
> > > > >               sid                      : *
> > > > >                   sid                      :
> > > > > S-1-5-21-2829196831-3808893492-1696772578-513
> > > > > [2017/01/12 09:40:43.830182,  1, pid=1506, effective(0, 0),
> > > > > real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > > > >        wbint_LookupSid: struct wbint_LookupSid
> > > > >           out: struct wbint_LookupSid
> > > > >               type                     : *
> > > > >                   type                     : SID_NAME_DOM_GRP (2)
> > > > >               domain                   : *
> > > > >                   domain                   : *
> > > > >                       domain                   : 'SAMDOM'
> > > > >               name                     : *
> > > > >                   name                     : *
> > > > >                       name                     : 'Domain Users'
> > > > >               result                   : NT_STATUS_OK
> > > > > [2017/01/12 09:40:43.830404, 10, pid=1506, effective(0, 0),
> > > > > real(0, 0),
> > > > > class=winbind] ../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
> > > > > SID 0: S-1-5-21-2829196831-3808893492-1696772578-513 [2017/01/12
> > > > > 09:40:43.830468, 10, pid=1506, effective(0, 0), real(0, 0),
> > > > > class=tdb] ../source3/lib/gencache.c:326(gencache_set_data_blob)
> > > > > Adding cache entry with
> > > > > key=[IDMAP/SID2XID/S-1-5-21-2829196831-3808893492-1696772578-513]
> > > > > and timeout=[Thu Jan  1 01:00:00 AM 1970 CET] (-1484210443
> > > > > seconds in the past) [2017/01/12 09:40:43.830548, 10, pid=1506,
> > > > > effective(0, 0), real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd_util.c:1036(find_lookup_domain_from_sid)
> > > > > 
> > > > > find_lookup_domain_from_sid(S-1-5-21-2829196831-3808893492-1696772578-513)
> > > > > [2017/01/12 09:40:43.830582, 10, pid=1506, effective(0, 0),
> > > > > real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd_util.c:1046(find_lookup_domain_from_sid)
> > > > > calling find_our_domain [2017/01/12 09:40:43.830615,  1, pid=1506,
> > > > > effective(0, 0), real(0,
> > > > > 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > > > > wbint_LookupSids: struct wbint_LookupSids in: struct
> > > > > wbint_LookupSids sids                     : *
> > > > >                   sids: struct lsa_SidArray
> > > > >                       num_sids                 : 0x00000001 (1)
> > > > >                       sids                     : *
> > > > >                           sids: ARRAY(1)
> > > > >                               sids: struct lsa_SidPtr
> > > > >                                   sid                      : *
> > > > >                                       sid                      :
> > > > > S-1-5-21-2829196831-3808893492-1696772578-513
> > > > > [2017/01/12 09:40:43.830797,  1, pid=1506, effective(0, 0),
> > > > > real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > > > >        wbint_LookupSids: struct wbint_LookupSids
> > > > >           out: struct wbint_LookupSids
> > > > >               domains                  : *
> > > > >                   domains: struct lsa_RefDomainList
> > > > >                       count                    : 0x00000001 (1)
> > > > >                       domains                  : *
> > > > >                           domains: ARRAY(1)
> > > > >                               domains: struct lsa_DomainInfo
> > > > >                                   name: struct lsa_StringLarge
> > > > >                                       length                   :
> > > > > 0x000c (12)
> > > > >                                       size                     :
> > > > > 0x000e (14)
> > > > >                                       string                   : *
> > > > >                                           string                   :
> > > > > 'SAMDOM'
> > > > >                                   sid                      : *
> > > > >                                       sid                      :
> > > > > S-1-5-21-2829196831-3808893492-1696772578
> > > > >                       max_size                 : 0x00000020 (32)
> > > > >               names                    : *
> > > > >                   names: struct lsa_TransNameArray
> > > > >                       count                    : 0x00000001 (1)
> > > > >                       names                    : *
> > > > >                           names: ARRAY(1)
> > > > >                               names: struct lsa_TranslatedName
> > > > >                                   sid_type                 :
> > > > > SID_NAME_DOM_GRP (2)
> > > > >                                   name: struct lsa_String
> > > > >                                       length                   :
> > > > > 0x0018 (24)
> > > > >                                       size                     :
> > > > > 0x0018 (24)
> > > > >                                       string                   : *
> > > > >                                           string                   :
> > > > > 'Domain Users'
> > > > >                                   sid_index                :
> > > > > 0x00000000 (0)
> > > > >               result                   : NT_STATUS_OK
> > > > > [2017/01/12 09:40:43.831155,  1, pid=1506, effective(0, 0),
> > > > > real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > > > >        wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
> > > > >           in: struct wbint_Sids2UnixIDs
> > > > >               domains                  : *
> > > > >                   domains: struct lsa_RefDomainList
> > > > >                       count                    : 0x00000001 (1)
> > > > >                       domains                  : *
> > > > >                           domains: ARRAY(1)
> > > > >                               domains: struct lsa_DomainInfo
> > > > >                                   name: struct lsa_StringLarge
> > > > >                                       length                   :
> > > > > 0x000c (12)
> > > > >                                       size                     :
> > > > > 0x000e (14)
> > > > >                                       string                   : *
> > > > >                                           string                   :
> > > > > 'SAMDOM'
> > > > >                                   sid                      : *
> > > > >                                       sid                      :
> > > > > S-1-5-21-2829196831-3808893492-1696772578
> > > > >                       max_size                 : 0x00000001 (1)
> > > > >               ids                      : *
> > > > >                   ids: struct wbint_TransIDArray
> > > > >                       num_ids                  : 0x00000001 (1)
> > > > >                       ids: ARRAY(1)
> > > > >                           ids: struct wbint_TransID
> > > > >                               type                     :
> > > > > ID_TYPE_GID (2) domain_index             : 0x00000000 (0)
> > > > >                               rid                      :
> > > > > 0x00000201 (513)
> > > > >                               xid: struct unixid
> > > > >                                   id                       :
> > > > > 0xffffffff (4294967295)
> > > > >                                   type                     :
> > > > > ID_TYPE_GID (2)
> > > > > [2017/01/12 09:40:43.833824,  1, pid=1506, effective(0, 0),
> > > > > real(0, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
> > > > >        wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
> > > > >           out: struct wbint_Sids2UnixIDs
> > > > >               ids                      : *
> > > > >                   ids: struct wbint_TransIDArray
> > > > >                       num_ids                  : 0x00000001 (1)
> > > > >                       ids: ARRAY(1)
> > > > >                           ids: struct wbint_TransID
> > > > >                               type                     :
> > > > > ID_TYPE_GID (2) domain_index             : 0x00000000 (0)
> > > > >                               rid                      :
> > > > > 0x00000201 (513)
> > > > >                               xid: struct unixid
> > > > >                                   id                       :
> > > > > 0xffffffff (4294967295)
> > > > >                                   type                     :
> > > > > ID_TYPE_NOT_SPECIFIED (0)
> > > > >               result                   : NT_STATUS_OK
> > > > > [2017/01/12 09:40:43.833902, 10, pid=1506, effective(0, 0),
> > > > > real(0, 0),
> > > > > class=tdb] ../source3/lib/gencache.c:326(gencache_set_data_blob)
> > > > > Adding cache entry with
> > > > > key=[IDMAP/SID2XID/S-1-5-21-2829196831-3808893492-1696772578-513]
> > > > > and timeout=[Thu Jan 12 09:42:43 AM 2017 CET] (120 seconds ahead)
> > > > > [2017/01/12 09:40:43.833937,  5, pid=1506, effective(0, 0),
> > > > > real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
> > > > > Could not convert sid
> > > > > S-1-5-21-2829196831-3808893492-1696772578-1105:
> > > > > NT_STATUS_NONE_MAPPED [2017/01/12 09:40:43.833949, 10, pid=1506,
> > > > > effective(0, 0), real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd.c:795(wb_request_done)
> > > > > wb_request_done[1584:GETPWNAM]: NT_STATUS_NONE_MAPPED [2017/01/12
> > > > > 09:40:43.833975, 10, pid=1506, effective(0, 0), real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd.c:863(winbind_client_response_written)
> > > > > winbind_client_response_written[1584:GETPWNAM]: delivered
> > > > > response to client [2017/01/12 09:40:43.835011,  6, pid=1506,
> > > > > effective(0, 0), real(0, 0),
> > > > > class=winbind] ../source3/winbindd/winbindd.c:967(winbind_client_request_read)
> > > > > closing socket 33, client exited
> > > > > 
> > > > > As far as I can see from logs, the problem is not that "user1" is
> > > > > not found but that it failed to convert SID to UID and googling I
> > > > > found some posts that point to wrong id mapping ranges. Could it
> > > > > be my problem or am I doing something else wrong?
> > > > > 
> > > > > Best regards,
> > > > > Daniele.
> > > > > 
> > > > > 
> > > > 
> > > > Did you miss this on the 'Idmap config ad' wiki page:
> > > > 
> > > > https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
> > > > 
> > > > I am referring to the big fat warning ;-)
> > > > 
> > > > This:
> > > > 
> > > > [root at addc:~]# getent passwd user1
> > > > SAMDOM\user1:*:4001001:100::/home/SAMDOM/user1:/bin/bash
> > > > 
> > > > Specifically '100' tells me you haven't given Domain Users a
> > > > gidNumber attribute, you need to add a gidNumber and it needs to be
> > > > between '10000-4999999' and not already in use as a gidNumber.
> > > > 
> > > > Also you are quite correct, this isn't the right place to ask this
> > > > type of question, can you please use the Samba mailing list in
> > > > future ;-)
> > > > 
> > > > Rowland
> > > > 
> > > 
> > > In fact I read it but later on I totally forgot about it :-(
> > > 
> > > Just to be sure, which users/groups must have uidNumber/gidNumber set?
> > > All those that I can retrieve using wbinfo -u/-g that are part of the
> > > domain?
> > > 
> > > [root at addc:~]# wbinfo -g
> > > SAMDOM\cert publishers
> > > SAMDOM\ras and ias servers
> > > SAMDOM\allowed rodc password replication group
> > > SAMDOM\denied rodc password replication group
> > > SAMDOM\dnsadmins
> > > SAMDOM\enterprise read-only domain controllers
> > > SAMDOM\domain admins
> > > SAMDOM\domain users
> > > SAMDOM\domain guests
> > > SAMDOM\domain computers
> > > SAMDOM\domain controllers
> > > SAMDOM\schema admins
> > > SAMDOM\enterprise admins
> > > SAMDOM\group policy creator owners
> > > SAMDOM\read-only domain controllers
> > > SAMDOM\dnsupdateproxy
> > > SAMDOM\group1
> > > SAMDOM\group2
> > > 
> > > [root at addc:~]# wbinfo -u
> > > SAMDOM\administrator
> > > SAMDOM\krbtgt
> > > SAMDOM\guest
> > > SAMDOM\user1
> > > SAMDOM\user2
> > > 
> > > A huge thanks,
> > > Daniele.
> > > 
> > 
> > You should only add a gidNumber to Domain Users and any group you
> > create that you want to be visible to Unix domain members.
> > 
> > You should only add a uidNumber to users that you want to be visible to
> > Unix domain members, but do not give Administrator a uidNumber.
> > 
> > Or to put it another way, from the users and groups you posted, these:
> > 
> > [root at addc:~]# wbinfo -g
> > SAMDOM\domain users
> > SAMDOM\group1
> > SAMDOM\group2
> > 
> > [root at addc:~]# wbinfo -u
> > SAMDOM\user1
> > SAMDOM\user2
> > 
> > Rowland
> > 
> 
> Again thanks.
> 
> Daniele.

Sorry for being back here.

Does SAMDOM\Domain Admins also need a gidNumber, in case I have to set
permissions on some folders on member servers? If you look at

https://wiki.samba.org/index.php/Setting_up_Automatic_Printer_Driver_Downloads_for_Windows_Clients

it is stated to do this 

chgrp -R "SAMDOM\Domain Admins" /srv/samba/Printer_drivers/

and it won't work if domain admins don't have a gidNumber.

Another thing: do users I added to AD need just a uidNumber, or do I also
have to add the gidNumber of Domain Users?

And somewhere I saw that when adding uidNumber/gidNumber using ldbmodify
there was this in the ldif

add: objectClass
objectClass: posixAccount/posixGroup

Is it needed or not? Is there a way to know if I have it or not?

TIA Daniele.
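
An added example, not part of the original thread and not Samba's own code: one way to check offline for the condition Rowland describes above, a Unix-visible user whose primary group has no gidNumber inside the `idmap config SAMDOM` range. The LDIF is constructed in an assumed ldbsearch-style layout, and all function names are hypothetical.

```python
import re

# The member's idmap lines as posted in the thread.
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:range = 10000-4999999
"""

# Constructed LDIF (assumed ldbsearch-style layout). The SID and ID numbers
# mirror the thread; Domain Users deliberately carries no gidNumber.
DOM_SID = "S-1-5-21-2829196831-3808893492-1696772578"
LDIF = f"""\
dn: CN=Domain Users,CN=Users,DC=samdom,DC=loc
objectClass: group
sAMAccountName: Domain Users
objectSid: {DOM_SID}-513

dn: CN=Administrator,CN=Users,DC=samdom,DC=loc
objectClass: user
sAMAccountName: Administrator
primaryGroupID: 513

dn: CN=user1,CN=Users,DC=samdom,DC=loc
objectClass: user
sAMAccountName: user1
primaryGroupID: 513
uidNumber: 4001001
"""

def idmap_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config X : range' lines."""
    pat = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)",
                     re.I | re.M)
    return {m[1].upper(): (int(m[2]), int(m[3])) for m in pat.finditer(conf)}

def parse_ldif(text):
    """Parse unfolded 'attr: value' LDIF blocks into dicts of value lists."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                key, value = line.split(": ", 1)
                entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def first(entry, attr):
    return entry.get(attr, [None])[0]

def in_range(value, rng):
    return value is not None and rng[0] <= int(value) <= rng[1]

def unmappable_users(entries, rng):
    """Return {user: [reasons]} for users carrying a uidNumber that still fail."""
    # Index groups by RID, the last component of objectSid.
    groups = {first(e, "objectSid").rsplit("-", 1)[1]: e for e in entries
              if "group" in e.get("objectClass", []) and first(e, "objectSid")}
    report = {}
    for e in entries:
        # Users without a uidNumber are deliberately invisible to Unix members.
        if "user" not in e.get("objectClass", []) or "uidNumber" not in e:
            continue
        reasons = []
        if not in_range(first(e, "uidNumber"), rng):
            reasons.append("uidNumber outside range")
        group = groups.get(first(e, "primaryGroupID"))
        if group is None or not in_range(first(group, "gidNumber"), rng):
            name = first(group, "sAMAccountName") if group else "unknown"
            reasons.append(f"primary group {name!r} has no gidNumber in range")
        if reasons:
            report[first(e, "sAMAccountName")] = reasons
    return report

def overlaps(a, b):
    """True when two inclusive (low, high) ID ranges share any ID."""
    return a[0] <= b[1] and b[0] <= a[1]

if __name__ == "__main__":
    ranges = idmap_ranges(SMB_CONF)
    print("default/domain overlap:", overlaps(ranges["*"], ranges["SAMDOM"]))
    print(unmappable_users(parse_ldif(LDIF), ranges["SAMDOM"]))
```
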




More information about the samba-technical mailing list