[Samba] Help "Could not get unix ID"
Linux Addict
linuxaddict7 at gmail.com
Thu Feb 14 16:50:10 GMT 2008
On Thu, Feb 14, 2008 at 11:21 AM, Ross S. W. Walker
<rwalker at medallion.com> wrote:
> Linux Addict wrote:
> >
> > Greetings!!!
> >
> > I am using samba 3.0.28 clients authenticating AD R2 with SFU 3.5. I
> > have setup nss info to template, sfu get the uid, gid, home dir and
> > shell from AD.
>
> Whoa, slow down, your getting all ahead of yourself. You seem to need
> to pick a user authorization (passwd/group) method and a user
> authentication method.
My nsswitch configuration is passwd files winbind and group files winbind
My authentication method(PAM) reads unix local files, krb5 next and
then winbind. I want to keep winbind as I will be using a one way
trust in the future to our corp domain. I had some issues with only
having krb5 as by default it appended the username with our AD domain
only.
> User authorization can be nss_ldap or samba+winbind or samba+ldap or
> samba+ad (samba+ldap and samba+ad are really the same, but samba
> uses ad extensions when storing the attributes).
>
> I personnally like samba+winbind because with RID mapping I no
> longer have to worry about creating and maintaining UIDs and GIDs for
> every Windows user and group, which is a big pain.
I have around 200 RHEL hosts which will authenticate from AD. I want
uid/gid consistency across all the hosts. I wasn't sure if RID will
assign the same IDs on all 200 hosts for a specific user. Will it be
same if I use RID?
> As far as authentication goes, there is pam_ldap, pam_winbind, samba
> or kerberos.
>
> If you authenticating against a Windows AD domain I really don't see
> any point to not using Kerberos. It is straight forward, easy to
> setup, secure and provides single sign-on functionality. The others
> require additional setup procedures and don't do single sign-on.
>
>
> > The problem is it seems to be working for sometime, and then it says
> > could not get uid/gid pair. I am assuming some kind of caching is
> > causing this.
>
> It may be your initial setup.
It wasn't just initial. It worked for first few logins. Then If I try
again after an hour, you would get that error and the user will not be
able to login.
> > My understanding with SFU is that, there wont be any mappings and the
> > specific user will pull the uid,gid from AD Unix Attributes.
>
> Managing UIDs and GIDs under SFU is a big PITA. I would only use it
> under circumstances where winbind wasn't available, but even there
> I would probably setup a Linux VM that would dump winbind RID
> mappings into NIS maps and then use NIS to send them out.
>
>
> > The winbindd-idmap file throws the following error.
> >
> > nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
> > Could not get unix ID
>
> Did you join the machine to the domain with a 'net ads join' ?
>
Yes. The host is part of AD.
> > This is testparam output.
> >
> > idmap backend = ad
> > idmap uid = 16777216-33554431
> > idmap gid = 16777216-33554431
> > template shell = /bin/bash
> > winbind separator = +
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind use default domain = Yes
> > winbind nss info = template, sfu
> >
> >
> >
> > Please someone help me to all linux clients authenticate
> > consistently from AD.
>
> Make sure you have these installed:
>
> samba-common
> samba-client
> cyrus-sasl-gssapi
> libgssapi
> cyrus-sasl-md5
> cyrus-sasl-lib
> cyrus-sasl
> cyrus-sasl-gssapi
> cyrus-sasl-ntlm
> cyrus-sasl-plain
> krb5-workstation
> pam_krb5
> krb5-libs
> krb5-auth-dialog
I dont have all, but have most of them.
[root at samba1 samba]# rpm -qa |egrep '(samba|cyrus|krb)'
krb5-libs-1.3.4-27
cyrus-sasl-md5-2.1.19-5.EL4
samba-common-3.0.28-1
cyrus-sasl-2.1.19-5.EL4
krbafs-1.2.2-6
pam_krb5-2.1.8-1
cyrus-sasl-plain-2.1.19-5.EL4
samba-client-3.0.28-1
krb5-devel-1.3.4-27
cyrus-sasl-devel-2.1.19-5.EL4
krb5-workstation-1.3.4-27
krbafs-devel-1.2.2-6
samba-3.0.28-1
[root at samba1 samba]#
> Try this simple starting smb.conf:
>
> [global]
> workgroup = EXAMPLE
> realm = EXAMPLE.COM
> security = ads
> password server = *
> use kerberos keytab = yes
> passdb backend = tdbsam
> allow trusted domains = no
> idmap backend = rid
> idmap uid = 100000-199999
> idmap gid = 100000-199999
> template homedir = /home/%U
> template shell = /bin/bash
> winbind use default domain = true
> winbind enum groups = yes
> winbind enum users = yes
> name resolve order = wins bcast host
>
> [homes]
> comment = Home Directories
> read only = no
> browseable = no
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = yes
> browseable = no
>
> And this simple krb5.conf:
>
> logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = yes
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> krb4_convert = false
> }
>
> [realms]
> EXAMPLE.COM = {
> kdc = example.com
> admin_server = example.com
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
>
> Then make sure your nsswitch.conf has these defined:
>
> passwd: files winbind
> shadow: files
> group: files winbind
>
> And your /etc/pam.d/system-auth is similar to:
>
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_krb5.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_krb5.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_krb5.so
I have winbind coming after krb5 as I need it to leverage one-way trust.
> The modules to pay attention to are, pam_krb5.so and pam_mkhomedir.so.
>
> Then your Windows users should be able to single sign-on to Linux and access
> all the Windows shares and resources.
>
> -Ross
>
> ______________________________________________________________________
> This e-mail, and any attachments thereto, is intended only for use by
> the addressee(s) named herein and may contain legally privileged
> and/or confidential information. If you are not the intended recipient
> of this e-mail, you are hereby notified that any dissemination,
> distribution or copying of this e-mail, and any attachments thereto,
> is strictly prohibited. If you have received this e-mail in error,
> please immediately notify the sender and permanently delete the
> original and any copy or printout thereof.
>
>
More information about the samba
mailing list