[Samba] SID-UID mapping issue on Samba 3.0.4 in an AD Domain
Jason C. Waters
jwaters at h2os.com
Sat Jun 12 02:20:34 GMT 2004
Do "getent group" and "getent passwd" return the users and groups? If
they don't, I'm guessing that you didn't copy the libnss_winbind.so to
your /lib directory and then create a symbolic link, ln -s
/lib/libnss_winbind.so /lib/libnss_winbind.so.x, where x is the version
of nss you use... I think. I put 2 and it works, but you can try 0, 1, or
2 I think. Hope this helps.
fx.cormontagne at howen.be wrote:
>I have problems with SID to UID mapping using winbind on a FreeBSD 5.2/Samba
>3.0.4 as a member server of a Win2k domain controller. I use heimdal-0.6.1
>for kerberos.
>
>I would like my XP machines in the domain to use the share with the user
>accounts defined in Active Directory.
>
>At a first glance it seems to work: the connection to the share succeeds
>without a prompt for a password. Users may create, read, modify and delete
>files or folders. But the ACLs do not show domain accounts but local
>accounts: those accounts have the SAME NAME as the domain account BUT they
>bear the name of the SAMBA machine instead of the name of the domain.
>
>Here are my conf files:
>
>----- smb.conf -----
>[global]
> security = ADS
> realm = windom
> netbios name = SAMBA
> workgroup = WINDOM
> encrypt passwords=yes
> password server = *
> obey pam restrictions = yes
> winbind cache time = 120
> template shell = /sbin/nologin
> template homedir = /none
> idmap uid = 10000-19999
> idmap gid = 10000-19999
> winbind nested groups = yes
> winbind separator = +
>
>[theshare]
> path=/smbroot/theshare
> read only=no
>-----------------------
>
>------ nsswitch.conf ---
>passwd: files winbind
>group: files winbind
>------------------------
>
>------ pam.d/samba ----
>auth required pam_winbind.so debug
>account required pam_winbind.so
>-----------------------
>
> pam_winbind.so is only present in pam.d/samba
>
>wbinfo -u
>wbinfo -g
>
> work fine
>
>pw user show -a # this lists all the user accounts in a passwd format
>
> shows all local and domain accounts (WINDOM+domuser:*:10021:10010:...)
>
>Then I log into an XP machine as domuser at WINDOM
>I open the network location: \\samba\theshare
>I create some file, and when I edit its properties I find in the ACL and as
>the owner of the file:
>
> domuser(SAMBA\domuser)
>
>Then I log on to the console of the Samba server as root, and
>
>$ ls -ln /smbroot/theshare/dummyfile.txt
>
> gives a UID of 10034 as the owner
>
>pw user show -u 10034
>
> returns:
>
>domuser:*:10034:65534::0:0:domuser:/none/:/sbin/nologin
>
>again I type: pw user show -a
>
> all the domain users are present but domuser:*:10034 does not
> appear in the list
>
>When I turn on: winbind trusted domains only = yes
>
> I get a login screen when I want to connect to the share
> and log.smbd tells:
> smbd/sesssetup.c:reply_spnego_kerberos(248)
> Username WINDOM+domuser is invalid on this system
>
> while log.winbind says:
> nsswitch/winbindd_acct.c:winbindd_create_user(884)
> winbindd_create_user: Refusing to create user that already exists
>(domuser)
>
>It is not clear to me if it is a kerberos or a winbind problem.
>
>Has someone a clue?
>
>Thanks
>
>FX
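The two checks the reply suggests (is winbind wired into NSS, is the module installed under a versioned name) and the symptom the original post reports (a UID from the idmap range that resolves to an unqualified local name) can be scripted. The following is an added example written for this page, not code from the thread or from the Samba project; it takes its inputs as strings and a directory so it runs anywhere, and the passwd lines, the idmap range 10000-19999 and the separator "+" below are constructed from the values in the quoted post.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the winbind NSS
# setup discussed above. On a real server feed check_nsswitch the contents
# of /etc/nsswitch.conf, check_nss_lib the directory holding
# libnss_winbind.so, and find_unqualified_idmap_users the output of
# "getent passwd" (or "pw user show -a" on FreeBSD).

# 1. Do the passwd and group databases in nsswitch.conf list winbind?
#    Prints "ok", or "missing:" followed by the databases that do not.
check_nsswitch() {
    conf="$1"
    missing=""
    for db in passwd group; do
        if ! printf '%s\n' "$conf" | awk -v db="$db" '
            /^[[:space:]]*#/ { next }
            { sub(/:/, " ")                # "passwd: files winbind" -> fields
              if ($1 == db)
                  for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
            END { exit found ? 0 : 1 }'; then
            missing="$missing $db"
        fi
    done
    [ -z "$missing" ] && echo ok || echo "missing:$missing"
}

# 2. Is libnss_winbind.so present in the library directory together with
#    the versioned name the loader looks for (libnss_winbind.so.N)?
check_nss_lib() {
    libdir="$1"
    if [ ! -e "$libdir/libnss_winbind.so" ]; then
        echo "no libnss_winbind.so in $libdir"
        return 1
    fi
    for f in "$libdir"/libnss_winbind.so.[0-9]*; do   # any .so.0, .so.1, .so.2 ...
        [ -e "$f" ] && { echo "ok: $f"; return 0; }
    done
    echo "libnss_winbind.so present but no versioned link (ln -s libnss_winbind.so libnss_winbind.so.N)"
    return 1
}

# 3. Given passwd-format lines, the idmap uid range and the winbind
#    separator, print name:uid for every account whose UID lies inside the
#    idmap range but whose name has no DOMAIN<sep> prefix. Such an entry is
#    what the post shows for domuser:*:10034: a UID handed out from the
#    winbind range that NSS resolves to a local-looking name, which is why
#    the ACL displays SAMBA\domuser instead of WINDOM\domuser.
find_unqualified_idmap_users() {
    lines="$1"; lo="$2"; hi="$3"; sep="$4"
    printf '%s\n' "$lines" | awk -F: -v lo="$lo" -v hi="$hi" -v sep="$sep" '
        $3 >= lo && $3 <= hi && index($1, sep) == 0 { print $1 ":" $3 }'
}

# Constructed sample modelled on the quoted post: one root entry, one
# properly qualified domain user, and the suspicious unqualified duplicate
# in FreeBSD master.passwd format.
SAMPLE_PASSWD='root:*:0:0:root:/root:/bin/sh
WINDOM+domuser:*:10021:10010:domuser:/none:/sbin/nologin
domuser:*:10034:65534::0:0:domuser:/none/:/sbin/nologin'

find_unqualified_idmap_users "$SAMPLE_PASSWD" 10000 19999 +
```

On the server from the post, `find_unqualified_idmap_users "$(getent passwd)" 10000 19999 +` would print `domuser:10034`, pointing at the duplicate account rather than at kerberos.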